Equipping your business with a records management policy means having a structure ready when you need it. With a strong policy in place, you are prepared to keep records to a high standard, and to benefit as a result.
A policy should clearly set out your approach to records management and address your overall commitment, the role of records management, links to relevant policies and documents, staff roles and responsibilities, and monitoring of compliance.
Steps You Can Take Towards a Good Policy…
Records management organisation: Your business has allocated records management responsibilities.
Records management risk: Your business has identified records management risks as part of a wider information risk management process.
Records management training: Your business incorporates records management into a formal training programme. This includes mandatory induction training with regular refresher material, and specialist training for those with specific records management functions.
Monitoring and reporting: Your business carries out regular checks on record security and monitors compliance with records management procedures.
Record creation: Your business has set minimum standards for the creation of paper or electronic records.
Information you hold: Your business has identified where you use manual and electronic record-keeping systems and actively maintains a centralised record of those systems.
Information standards: Your business has processes in place to ensure that the personal data you collect is accurate, adequate, relevant and not excessive. Additionally, regular reviews are carried out to remove any records that are out of date or no longer relevant.
Tracking of paper records: Your business has tracking mechanisms to record the movement of manual records.
Offsite transfer of electronic records: Your business has appropriate measures in place to transfer electronic records off-site and protect personal data from loss or theft.
Secure storage of records: Your business stores paper and electronic records securely with appropriate environmental controls and high levels of security around special categories of personal data.
Access to records: Your business restricts access to records storage areas in order to prevent unauthorised access, damage, theft or loss. This can be done by implementing role-based access and checking it regularly.
Business continuity: Your business has business continuity plans in place in the event of a disaster. This includes identifying records that are critical to the continued functioning or reconstitution of your business, also known as vital records.
Disposal of data: Your business has a retention and disposal schedule which details how long you will keep manual and electronic records. Your business has confidential waste disposal processes to ensure that records are destroyed to an appropriate standard.
The BBC
The BBC’s records management policy incorporates the freedom of information requirements as well as all information held in the former Core Records Policy and the Records Management Standards. The policy defines how the BBC records information and how it should be managed to standards which ensure that vital and important records are identified.
Additionally, their policy makes sure that the corporation holds records that meet the expected standards. This means that they are relevant, sufficient, timely, reliable and consistent with operational need, and that legal and regulatory obligations are met. It also defines the roles and responsibilities for the creation, safekeeping, access, change and disposition of the information.
They comply by having the policy in the first place, and the policy is also subject to a regular review process to keep it efficient.