The ICO exists to empower you through information.

Control measure: Records management responsibilities are allocated and the records management function and processes are subject to effective oversight at a senior level.

Risk: Without effective governance in place, there may be inadequate oversight of records management strategy and risks.

Ways to meet our expectations:

  • Assign strategic responsibility and oversight of records management to an appropriate executive board member (eg Senior Information Risk Owner (SIRO) or equivalent).
  • Assign operational responsibility and development of records management to an appropriate manager.
  • Assign responsibility for implementing records management processes to local business areas (eg Information Asset Owners (IAOs), Information Asset Administrators (IAAs) and department managers).
  • Have a regular steering group or meeting that monitors records management processes and functions and includes or reports to senior management.

Options to consider:

  • Document information asset responsibilities in job descriptions.
  • Add records management as a standing agenda item on relevant team and senior management meetings.
  • Record minutes of meetings where records management performance is discussed.


Control measure: Records management processes are documented in policies, approved by senior management, and reviewed periodically to align to latest guidelines.

Risk: If processes are not documented clearly, agreed processes may not be followed or may be applied differently. This may breach UK GDPR article 5(2).

Ways to meet our expectations:

  • Document each records management process in sufficient detail in policies, including who oversees processes and how.
  • Ensure policies have appropriate document and version control.
  • Ensure policies follow a standard format.
  • Ensure policies are approved by senior management.
  • Communicate these policies to staff who create or manage records, and make policies readily available for them to refer to.
  • Keep policies up to date, particularly with any changes to data protection law.

Options to consider:

  • Document clear step-by-step instructions or a process flow chart for each records management activity.
  • Include a link to records management policies and other staff guidance in other relevant policies, such as the data protection policy.


Control measure: Staff receive formal records management training, and good records management practices are promoted.

Risk: If staff are not trained and aware of good practices, agreed processes may not be followed or may not be fully in place. This may breach UK GDPR articles 5(1)(f) and 32.

Ways to meet our expectations:

  • Train new staff on records management at induction.
  • Provide refresher training on records management processes to all staff periodically.
  • Track training completion and report it to senior management.
  • Get input into training content from records management managers and subject matter experts.

Options to consider:

  • Review training content regularly to keep it up to date.
  • Record training requirements in a training needs analysis or training programme.
  • Allow staff to access records only once they’ve completed or refreshed their records management training.
  • Provide specialised training for staff who complete key records management processes (eg finding and retrieving information).
  • Train additional staff to support in the event of high volumes of work or key staff absences.