Records Management Policy

Scope of the Policy

The University recognises that efficient and effective management of its records is necessary to support its core functions and activities, to comply with its legal and regulatory obligations and to contribute to the effective overall management of the institution. This document provides the policy framework through which this effective management can be achieved and audited.

This policy is based upon the international standard for records management, ISO 15489, and the Lord Chancellor's code of practice on the management of records under Section 46 of the Freedom of Information Act 2000. It also draws on best practice guidance and principles from organisations such as JISC and the UK National Archives.

What does the Policy apply to?

The policy applies to all records regardless of physical media or format, created, received or held as a result of carrying out the functions, activities and transactions of the University of Sheffield.

Records can include, but are not limited to, paper-based documents and files, electronic content such as email, word-processed documents, spreadsheets, presentations, databases, and photographs in either electronic or hard copy format.

The main functions and activities include, but are not limited to, teaching and learning, research, academic administration and all supporting activities. For a fuller range of University functions and activities, refer to JISC Function and Activity Model (FAM) 3rd iteration.

Who does the Policy apply to?

The policy applies to all staff employed by the University of Sheffield. This includes all permanent and temporary employees, and contractors, consultants and secondees.

Regulatory environment

The University operates in a complex statutory and regulatory environment. The University aims to adhere to record keeping and information management requirements that are set out in legislation, statutory and regulatory codes of practice, voluntary codes of practice, sector specific regulations, and guidance as well as the University's own frameworks of statutes and regulations. Whilst there are specific pieces of legislation relating to records in particular, such as the Freedom of Information Act 2000 and the Data Protection Act 1998, there are also numerous other pieces of legislation and regulatory guidance that affect how the University manages its records.

Roles and responsibilities

Whilst University employees do not 'own' records relating to University functions and activities, they do have responsibilities for managing them.

The Registrar and Secretary, as senior administrative officer, has overall executive responsibility for records management policy and standards, and for supporting their application throughout the University.

Individual Heads of Departments have responsibility for ensuring that local procedures are in place and that records management is carried out in accordance with those procedures.

The Records Management Service (RMS) is responsible for setting and implementing the records management agenda. It aims to raise standards of record keeping and information management within the University. It will do this by:

  • Ensuring that records management policies and standards are kept up to date and that they are relevant to the needs and obligations of the University.
  • Developing appropriate procedures and guidance to underpin the policies and standards.
  • Communicating procedures and guidance on record keeping and information management within the University.

Individual managers within the University are responsible for the following:

  • Ensuring current operating procedures are efficient and fit for purpose.
  • Identifying and communicating deficiencies in current practices to the RMS.
  • Ensuring compliance with University record keeping policy and standards.
  • Ensuring adequate resources for records management activities.

Standards

Definition of a record

Records are defined as "information created, received, and maintained as evidence and information by an organisation or person, in pursuance of legal obligations or in the transaction of business."

Qualities inherent in University of Sheffield's records

Authenticity

An authentic record is one that can be proven to be what it purports to be, to have been created or sent by the person purported to have created or sent it, and to have been created or sent at the time purported.

Reliability

The contents of a record should be trusted as a full and accurate representation of the activities or transactions to which they relate. Records must be sufficient in content, context and structure to reconstruct the relevant activities and transactions that produced them.

Integrity

The integrity of a record refers to its being complete and unaltered. A record should be protected against unauthorised alteration. Any authorised annotation, addition or deletion to a record should be explicitly indicated and traceable.

Useability

A useable record is one that can be located, retrieved, presented and interpreted.

Secure

Records must be securely maintained to prevent unauthorised access, alteration, damage or removal. They must be stored in a secure environment, the degree of security reflecting the sensitivity and importance of the contents. Where records are migrated across changes in technology, the University must ensure that the evidence preserved remains authentic and accurate.

Processes and procedures

Capture and control of records

All records created or received by staff during the course of University business are to be captured into appropriate recordkeeping systems. Records should be captured as soon as possible after creation so that they are readily available to support the University's business.

All business applications that store records must be designed to ensure that the integrity of the records, the qualities highlighted above and the associated metadata are managed and retained for the retention period of the records contained in the business application. Where a business application is being replaced or superseded by another business application, the process of migrating records and all associated metadata from one application to the other must be fully documented to ensure the integrity of the records. Where a business application is to be decommissioned, provision must be made for maintenance or transfer of the records so that they remain accessible for the required retention period. Such applications must ensure the qualities inherent in records outlined above.

Storage and handling of records

Records should be stored on media that ensures the above qualities set out for University records for as long as they are required. Appropriate procedures and processes should be put in place to ensure the physical and intellectual security of University records. Records require storage conditions and handling processes that take into account their specific physical properties. Storage conditions and handling processes should be designed to protect records from unauthorised access, loss or destruction and from theft and disaster.

Access to records

Access to records is governed by the nature of the content, the statutory and regulatory framework within which the University operates and the business needs and requirements of the University. The University must take into account these three elements and develop an appropriate framework that will protect records from unauthorised access, disclosure, deletion, alteration and destruction.

Tracking of records

Tracking is required to ensure retrieval, prevent the loss of records, monitor use, maintain security and audit transactions. Systems should be set up and in place to ensure such an audit trail.

Disposal of records

Disposition is the process of deciding whether to keep, move or destroy records. The authority to do this is set out within the retention and disposal schedules. Local working practices must adhere to retention schedules that clearly indicate the type of record, how long they should be retained for, and the trigger mechanisms for determining the start and finish of the retention period. Destruction must always be appropriately authorised and recorded.

Links to other University Information Management Policies

The University has developed policies that cover other aspects of information management, and these complement the Records Management Policy. The Records Management Policy should also be taken into account when referring to and complying with these other policies.

Standards and Best Practice

The University aims to adhere to the following guidance and best practice when managing University records and when providing advice and guidance to University record holders.

  • International Organisation for Standardisation (ISO). Information and Documentation – Records Management. ISO 15489 (2000)
  • Lord Chancellor’s Code of Practice on the Management of Records under Section 46 of the Freedom of Information Act 2000. November 2002
  • The National Archives. Complying with the Records Management Code: Evaluation Workbook and Methodology. 2006
  • Joint Information Systems Committee (JISC). JISC InfoNet Information and Records Management. Accessed September 2008
  • Joint Information Systems Committee (JISC). HE Business Classification Scheme and Retention Schedule. 2007. Accessed September 2008