Accessibility statement

Information and Records Management Policy

Guidance: policy context

1 Introduction

This guidance document provides associated context and further information to support the implementation of the University Information and Records Management Policy.

The University recognises that the efficient management of its records is necessary in order to support its core functions, to comply with its legal and regulatory obligations and to enable the effective management and operation of the institution. It is committed, through the Information and Records Management Policy, to creating, keeping and maintaining those records which document its principal activities, including teaching, research, the administration of its resources and the protection of the rights and interests of the organisation and its stakeholders.

The Information and Records Management policy follows from the University’s Information and Records Management strategies. Its purpose is to ensure the creation and maintenance of authentic, reliable and useable records, with appropriate evidential characteristics, within the University by establishing a framework and accountabilities for records management. Through this framework best practice can be implemented and audited.

2 Definition of 'records' and 'records management'

Records are defined as recorded information, regardless of format, which facilitate and derive from University activities (e.g. teaching, learning and research) and business and which are thereafter retained (for a set period) to provide evidence of its decisions, transactions or activities. Records are fixed in time and contain content (information), context and structure. The use or reuse of the information that changes any of these three factors results in the creation of a new record of a different transaction. Records may be created, received or maintained in hard copy or electronically and include email and instant messaging, social media, websites and blogs. They may also be considered as ‘Information Assets’.

A record has the following essential qualities:

  • it is present (the information needed to evidence and reconstruct the relevant activity or transactions is recorded).
  • it can be accessed (it is possible to discover, locate and access the information, and present it in a way that is true to the original presentation of the information).
  • it can be interpreted (a context for the information can be established showing how it is related to other information, when, where and who created it, and how it was used).
  • it can be trusted (the information and its representation is fixed and matches that which was actually created and used, and its integrity, authenticity and provenance can be demonstrated beyond reasonable doubt).
  • it can be maintained (the record can be deemed to be present and can be accessed, interpreted and trusted for as long as necessary and on transfer to other agreed locations, systems and technologies).

Records management is defined as a field of management responsible for the efficient and systematic control of the creation, receipt, maintenance, use, distribution, storage and disposal of records (ISO 15489). It constitutes a series of integrated systems related to the core processes of the University that ensure that evidence of, and information about, its activities and transactions are captured and maintained as viable records.

3 Objectives

Records contain information that is a unique and invaluable resource and are fundamental to University processes and operations. The objectives of a records management system are as follows:

A systematic approach to the management of the University’s records is essential: 

  • to ensure that the information we rely on has the qualities of a record;
  • to protect and preserve records as evidence of our actions.

Records Management enables and supports the University’s realisation of the corporate objectives described in its Strategy, namely:

  • organisational design that ensures smooth and effective day-to-day operations and empowers us to meet the challenges that arise;
  • attention to the use of [information] resources, to ensure we meet our ambitions;
  • advancement of curiosity-driven and action oriented research;
  • supporting research of the highest academic and ethical standards;
  • unlocking data to shape and enhance the learning experience;
  • driving knowledge exchange for public good. 

Records management is accordingly necessary to:

  • ensure that the University conducts itself in an orderly, efficient and accountable manner;
  • realise best value through improvements in the quality and flow of information and greater coordination of records and storage systems;
  • support core University functions, teaching and research, providing evidence of conduct and the appropriate maintenance of associated tools, resources and outputs;
  • meet legislative, regulatory, funding and ethical requirements;
  • deliver services to staff and stakeholders in a consistent and equitable manner;
  • assist and document policy formation and managerial decision making;
  • provide continuity and protect vital information in the event of a disaster;
  • protect the interests of the organisation and the rights of employees, clients, students, research participants and present and future stakeholders;
  • equip and support researchers to be adaptable and flexible in an increasingly diverse, mobile and global research environment; and
  • establish an institutional and cultural identity and maintain a corporate memory.

4 Responsibilities

The University has a corporate responsibility to maintain its information and records and its record-keeping systems in accordance with the regulatory environment. For this reason the member of the University’s senior management with overall responsibility for the Information and Records Management policy is the Chief Operating Officer.

The University’s Information and Records Manager is responsible for 

  • defining corporate information policy 
  • devising standards and guidance for good information and records management practice
  • managing the records retention schedule and offsite storage solutions
  • information audits and surveys
  • oversight of Information Asset Registers
  • management of the Record of Processing Activities
  • providing advice on data and records management issues, the value, importance and retention of records
  • the selection of records as archives and management of the University Archive.

Heads of Departments, Principal and Co-Investigators at the University, and all those who lead a team of staff in an organisational unit, programme or project, have overall responsibility, as Information Owners, for supporting the management of records generated by their department’s/team’s activities, and should ensure that:

  • adequate records are kept of the activities in their functional area of responsibility, for which they are accountable
  • the records created, received and controlled within the purview of their department, unit or project, and the systems (electronic or otherwise) and procedures they adopt, are selected and managed in a way which meets the aims of the University’s records management policy and any other relevant contractual requirements
  • they promote this policy and enable good records management practice within their area
  • staff inductions cover local and corporate policies and procedures and staff and students have access to relevant training opportunities
  • staff exit interviews/procedures cover the appropriate transfer and return of records, permissions (e.g. transfer of ownership in Google My Drive), equipment and  other information assets
  • they liaise with the Records Manager where necessary regarding issues or incidents of concern.

Staff designated as Information Champions, a role held by a member of staff within a University department, provide a key point of contact between departments and the Records Manager in the implementation of records management and compliance policies. Designated by their Head of Department, they will liaise with the Records Manager on behalf of their departments, promote central guidance to colleagues and assist in the local implementation of data management and compliance procedures and best practice.

All staff and contractors are responsible for creating, maintaining and preserving accurate records that support and document their employment/contracted activities in accordance with this policy and its associated policies, procedures and guidance. They must know what information they hold, where it is held and University staff should complete mandatory records management training.

Other staff may have specific responsibilities for records as part of their role e.g. Committee Secretaries and should follow relevant University policy and guidance for the specific types of records that they manage.

5 Legislative, regulatory and best practice framework

University records and its processing of data are governed by a variety of legislation (including employment, contract, charity and financial laws), common law duties (of confidentiality and care), and regulated practice. The Information and Records Management policy framework has been formulated in the context of University policies and guidelines, national legislation and sectoral/professional standards. It is intended to support standards and practice and to promote easier compliance with legislative and regulatory environments. Key policies and legislation related to this policy are cited below.

University policy

Legislation

  • Charities Act 2011
  • Civil Evidence Act 1995
  • Consumer Rights Act 2015
  • Copyright, Design and Patents Act 1988
  • Data Protection Act 2018 and UK General Data Protection Regulation
  • Environmental Information Regulations 2004
  • Equality Act 2010
  • Finance Act 2008
  • Freedom of Information Act 2000
  • Human Rights Act 1998
  • Limitations Act 1980
  • Privacy and Electronic Communications (EC Directive) Regulations 2003
  • Regulation of Investigatory Powers Act 2000

A fuller survey of legislative and regulatory provisions concerning record-keeping and the processing of University data is maintained by the Records Manager.

Standards

  • Code of Practice on the Management of Records: issued under Section 46 of the Freedom of Information Act 2000 by the Secretary of State for Digital, Culture, Media and Sport providing guidance to public authorities on the keeping, management and destruction of records (DCMS, 2021)
  • ISO 15489:2016 Information and Documentation – Records Management
  • ISO 27001 Information Security Management Systems – Requirements
  • BS 10008-1:2020 Evidential weight and legal admissibility of electronically stored information 
  • BSI DSC PD5000:2002 Legal admissibility: an international code of practice for electronic documents and e-business transactions for evidence, audit, long-term duty of care
  • BS PD 5454:2012 Guidance for the storage and exhibition of archival documents
  • Records retention management (Jisc, 2019)
  • UKRI Policy and Guidelines on Governance of Good Research Conduct (UKRI, 2013)
  • OfS Regulatory Framework issued under section 75 of the Higher Education and Research Act 2017 (2022)

6 Further information

A suite of Information and Records Management guidance has been produced on the following areas and will continue to be developed. 

Selection and appraisal policy (PDF , 3,746kb)

Assessing your RM maturity

Boxes and supplies

Committee records

Creating records

Data mapping

DBS certificates

Disposal form

Dispose of IT equipment

Disposing of information 

External records store: inventorying

External records store: transfer to

External records store: recall from

External records store: destruction

File plan

Glossary

Managing workspaces

Metadata

Naming files and folders 

Non records

Office moves

Record 'holds'

References

Remote working

Research data

Retention schedules

Security classification & handling scheme 

Temporary records

Transferring archival records 

Version control

Video conferencing

Vital records

What are records?

What is Records Management?

Online induction training and awareness material is provided through the University’s statutory compliance training programme, the University’s general Staff Induction sessions, and Records Management website.

7 Contacts

Records Management and the University Archive Charles Fonge
Borthwick Institute
records-manager@york.ac.uk
  Graham Hughes
Borthwick Institute

Document history and status

13 December 2012 Approved by Information Strategy Group
29 January 2016 Reviewed and approved by Information Security Board
31 July 2019 Reviewed and approved by Information Security Board
5 April 2023 Reviewed and approved by Information Security Board

Review cycle: Three yearly

Date of next review: April 2026