Information and Records Management Policy

Roles & responsibilities

Roles and responsibilities

All staff, as Information Users, are responsible for creating, maintaining and preserving accurate records that support and document their activities in accordance with this policy and its associated policies, procedures and guidance. They must know what information they hold, where it is held and complete mandatory records management training.

University Officers, Heads of Departments and Professional Services, as Information Owners, are responsible for ensuring that all records in their area are managed in conformance with this policy and associated policies and procedures. Information Owners are responsible for promoting this policy and ensuring their staff complete mandatory records management training and that their departments and units complete information asset registers.

Principal and Co-investigators affiliated to the University are responsible for ensuring that their research projects and their resulting records and data are created, managed and disposed of in compliance with this policy, the University’s Code of Practice on Research Integrity, and any specific legal, ethical and contractual conditions.

Information Champions are responsible for maintaining information asset registers, and for providing a local point of contact for queries, liaising with the Records Manager and University Archivist as required.

The University’s Information and Records Manager is responsible for promoting and supporting compliance with this policy across the University and its wholly-owned subsidiaries, including the development of retention schedules and procedures, drawing up guidance and providing training and support on good information and records management practice.

The University’s Information and Records Manager, as University Archivist, has responsibility for the University Archive and the authority to determine and requisition those University records with historical or enduring evidential value.

The University of York owns all records created by its employees carrying out University-related functions and activities unless otherwise specified under contract or in its Regulations. Unless the originator asserts ownership, records received by the University are also its property.

Staff, students, associates, partners, contractors, consultants and visitors who act in breach of this policy, or who do not act to implement it, may be subject to disciplinary procedures or other appropriate sanctions.

Oversight

Oversight

The Chief Financial and Operating Officer, as Senior Information Risk Owner, has overall responsibility for records management within the University. The implementation, oversight and management of information and records management policy on a day-to-day basis is delegated to the Information Security Board.

The Information Security Board, chaired by the Chief Financial and Operating Officer, is responsible for the approval of information and records management policy, for overseeing policy implementation and for regular policy reviews. It monitors the effectiveness of the information and records management policy across the University. It also monitors information risks and compliance through reporting and it commissions and responds to independent audits of records management arrangements.

Policy

Policy

The University will manage records and data efficiently and systematically, in a manner consistent with ISO 15489 and the statutory Code of Practice on Records Management, to support University operations and to meet legislative, regulatory, funding and ethical requirements. All information management practices in the University should align to this policy and its supporting procedures.

Records will be created, maintained and retained in order to provide information about and evidence of the University’s decisions, transactions and activities. Appropriate systems will be in place to record these decisions and activities.

Records must be maintained in line with these six Records Management principles to ensure their viability and quality across their lifecycle:

1. The record is present: the information the University needs to evidence and reconstruct the relevant activity or transactions is recorded and is accurate.
2. The record can be accessed: when it is needed, it is possible to discover, locate and access the information. It is possible to present it in a way that is true to the original presentation of the information. The authoritative version can be identified in cases where multiple versions exist.
3. The record can be interpreted: a context for the information can be established, showing when, where and who created it, how it is related to other records, and what process/activity it comes from.
4. The record can be trusted: the information and its representation is fixed and matches that which was actually created and used, and its integrity, authenticity and provenance can be demonstrated beyond reasonable doubt.
5. The record can be maintained: the record can be accessed, interpreted and trusted for as long as it is needed (in line with the Retention Schedule and in some cases permanently) notwithstanding transfers to other agreed locations, systems, formats and technologies so that it remains present, accurate, trustworthy, interpretable and accessible.
6. The record’s value is understood and protected: it is recognised that our records form part of our corporate memory and are an important institutional resource which must be protected across their lifecycle in accordance with the above principles.  

Where University departments procure or develop IT and business systems, records management requirements must be considered, documented and addressed from the initial requirements stage. A Business System Lifecycle Management Assessment should be undertaken for new digital systems and services to help assess their ability to function as a recordkeeping system and the Records Manager consulted for advice.

Departments and services must maintain full and accurate records of their records, IT and record-keeping systems and processing of personal data in Information Asset Registers. This includes ensuring that records which are essential to business continuity (‘vital records’) are identified and protected.

Appropriate measures will be employed to safeguard the security and integrity of University records and provisions made (i) to maintain their reliability, integrity and preservation during their lifespans and (ii) to prevent the unauthorised or unlawful use, disclosure or loss of information.

Records must be maintained and stored in such a way that they can be easily identified and located to support business activities and that ensures appropriate accountability, using established procedures for secure access and handling.

Records will be retained and disposed of in accordance with agreed retention schedules in a controlled and compliant manner. Retention schedules will set out the minimum period for which a record should be retained and will be reviewed regularly and amended as necessary. Retention schedules will be agreed by the senior Information Owner(s) for the relevant University function. When the currency of the records and their need to be retained expires, the records will either be destroyed or, if they have lasting historical value, transferred to the University Archive.

Where systems and applications are to be decommissioned or records are scheduled for migration or conversion between business/record systems, including conversion to digital formats, the Records Manager should be consulted. The decommissioning of digital services and digitisation should be carried out in line with IT Services’ and Records Management guidance and the Records Management Principles. 

A small percentage of the University’s records will be selected for permanent preservation, in line with the Appraisal Policy for Corporate Records.  These records will become part of the University Archive which will maintain the University’s corporate memory by preserving records of enduring evidential and historical significance.

Information and records management awareness and training will be provided for staff as part of the University’s statutory and compliance training programme.

This document, together with its subsidiary policies and implementation documents, defines the framework within which records are managed across the University.

Implementation

Policy implementation documents

This document, together with related records management guidance is available from the records management website.

A policy context document provides further contextual guidance to support the University Information and Records Management Policy.

The Records Retention Schedule defines how long records should be kept for before being deleted/destroyed, reviewed or transferred to the University Archive.

The Selection and appraisal policy (PDF , 126kb) for corporate records sets out the process by which the University will distinguish and select those records with the highest value for permanent preservation from those of no enduring value.

The Research data management policy enables the University and its researchers to meet the standards and responsibilities set out in the University's Code of Practice on Research Integrity and to meet funder, ethical, legal and other responsibilities.

Policy review

Policy review

The policy will be reviewed on a three-yearly basis. It is next due for review in April 2026. After this date, policy and procedural documents may become invalid.

Document history

Document history