1 December 2023
Your overall rating was red.
- 16: Not yet implemented or planned
- 0: Partially implemented or planned
- 0: Successfully implemented
- 0: Not applicable
RED: not implemented or planned
Your business has defined and allocated records management responsibilities.
- Nominate an appropriately skilled lead to coordinate records management within your business.
- Ensure they have the authority and resources to fulfil this responsibility effectively.
- If you are a larger business, appoint 'owners' with day-to-day responsibility for the security, use, accuracy and retention of manual and electronic records.
- Organisational arrangements to support records management, in National Archives records management guide 2
Your business has approved and published an appropriate records management policy. This is subject to a regular review process.
- clearly set out in policy your business' approach to records management together with responsibilities for implementing the policy and monitoring compliance;
- ensure the policy is approved by management, published and communicated to all staff; and
- review and update the policy at planned intervals or when required to ensure it remains relevant.
The National Archive has developed comprehensive guidance on how to create an effective records management policy.
- Records management policy, National Archives
Your business has identified records management risks as part of a wider information risk management process.
- undertake a risk assessment of all records held within your organisation; and
- if you already have a corporate risk register, include risks to records management functions. These might include records not being either updated, destroyed in a timely manner or held securely).
- Inclusion of records management and information management in the corporate risk management framework, in National Archives records management guide 2
- Assessing and Managing Risk, National Archives
Your business incorporates records management within a formal training programme. This comprises mandatory induction training with regular refresher material, and specialist training for those with specific records management functions.
- incorporate records management within a formal training programme that comprises mandatory induction training and delivery of regular refresher material for all staff;
- provide specialist training to those with specific records management functions; and
- promote records management awareness amongst all staff through promotional materials such as posters, newsletters and intranet articles.
Your business carries out periodic checks on records security and you monitor compliance with records management procedures.
- undertake periodic checks on records security and monitor compliance with records management procedures; and
- measure the outcomes of any records security checks or compliance monitoring against key performance indicators to provide management information on performance to those with overall responsibility for records management.
Your business has set minimum standards for the creation of paper or electronic records.
- ensure you have minimum standards for creation of paper or electronic records (including emails) in place;
- establish procedures and guidelines for staff to ensure that you title and index new records in a way that allows you to efficiently manage, retrieve and dispose of them; and
- where applicable, ensure you use security classification or marking protocols, such as the Government protective marking scheme, to identify records that contain more sensitive information.
- Keeping records to meet corporate requirements, National Archives
- Managing digital records without an electronic record management system, National Archives
- Managing emails, National Archives
- Guide to the UK GDPR – Documentation, ICO website
Your business has identified where you use manual and electronic records keeping systems and actively maintains a centralised record of those systems.
- carry out an information audit or records survey to identify records and data sets you hold; and
- create a central log or information asset register to record which business functions create certain records, which records are vital to the functioning of the business, where you keep them, how long you keep them for and who needs to use them now and in the future.
Your business has processes in place to ensure that the personal data you collect is accurate, adequate, relevant and not excessive. You carry out regular reviews to remove any personal data or records that are out of date or no longer relevant.
- ensure you take appropriate steps to confirm the accuracy of new personal data, or data that you have recorded and retained over a period of time;
- implement procedures to allow individuals to challenge the accuracy of information you hold about them and correct it if necessary, or add a supplementary statement;
- establish initial and then periodic reviews to check that the data you collect is not excessive for the purpose or processing requirements; and remove data that you have identified as being out of date or inaccurate, or no longer relevant for your purposes.
- Guide to the UK GDPR - Right to rectification, ICO website
Your business has tracking mechanisms to record the movement of manual records and ensure their security between office and storage areas and also in instances where you take records off-site.
- implement tracking mechanisms to record the movement and ensure the security of manual records between office and storage areas and also in instances where records are taken off-site;
- minimise data wherever possible when transferring data off-site;
- use an appropriate form of transport eg secure courier for sensitive personal data;
- log the transfer in and out where appropriate and put checks in place to ensure that data is received; and
- employ security measures such as lockable containers, tamper evident packaging or removal from public view and accessibility.
Your business has appropriate measures in place to transfer electronic records off-site and protect personal data from loss or theft.
- always use an appropriate form of transport eg secure courier for sensitive personal data when transferring data off-site;
- minimise data being transported;
- log the transfer in and out where appropriate and check to ensure that data is received; and
- employ security measures to safeguard the data such as tamper evident packaging, encrypted devices or encrypted emails or secure file sharing or transfer software.
Your business stores paper and electronic records securely with appropriate environmental controls and higher levels of security around special categories of personal data.
- store paper records in lockable offices, cabinets and drawers with higher levels of security around sensitive personal data;
- ensure keys to offices, cabinets and drawers are stored securely and records are locked away when staff are absent for extended periods eg overnight;
- consider appropriate environmental controls to protect paper records from threats such as fire or water ingress;
- implement a clear screen and clear desk policy with regular checks to ensure compliance; and
- ensure you have appropriate technological and organisational security measures which are documented within a contract before using any cloud based storage options.
- Helpful guidance on creating a clear desk policy, Privacy Sense
- Toolkit for managing paper records, Records Management Society
- Protecting archives and manuscripts against disasters, National Archives
Your business restricts access to records storage areas in order to prevent unauthorised access, damage, theft or loss. You should implement role based access and check it regularly.
- restrict access to records storage areas in order to prevent unauthorised access, damage, theft or loss; and
- implement role based access and check access levels regularly.
Your business has a process to assign and manage user accounts to authorised individuals and to remove them when no longer appropriate.
- implement a process to ensure that access to systems holding personal data is authorised by management;
- restrict user permissions to the absolute minimum (or 'least privilege');
- assign each user with their own username and password to ensure accountability;
- implement role based user profiles and access levels to ensure that access to systems is only given to those roles that require it in order to complete their work;
- review all network and application user access lists at least annually;
- ensure you have robust starter, mover and leaver processes to avoid the risk of unauthorised access or the accrual of unnecessary access levels;
- enforce strong passwords for both network and systems access;
- limit the number of failed login attempts; and
- monitor user activity to detect any anomalous use.
Your business has business continuity plans in place in the event of a disaster. This includes identifying records that are critical to the continued functioning or reconstitution of your business. You also routinely back up data that is stored electronically to help restore information if needed.
- complete an assessment of the data you hold and its criticality to your business functions;
- ensure business continuity plans are put in place to prepare for serious disruption;
- take regular backups of systems and data so that you can restore personal data stored electronically in the event of disaster or hardware failure; and
- store backups off-site.
- Business continuity management toolkit, National Archives
Your business has a retention and disposal schedule which details how long you will keep manual and electronic records.
- have a disposal and retention schedule outlining storage periods for all personal data (this includes manual and electronic records);
- regularly review the retention anddisposal schedule to ensure it continues to meet business needs and statutory requirements; and
- assign responsibility to individuals to ensure retention periods are adhered to.
Your business has confidential waste disposal processes to ensure that records are destroyed to an appropriate standard.
- ensure your methods of destruction are appropriate to prevent disclosure of personal data during and after disposal eg for paper documents cross shredding or incineration either in-house or by a third party, for electronic documents deletion from systems or “put beyond use” and for hardware degaussing or destruction (shredding);
- provide facilities for collecting and holding confidential personal data prior to disposal with instructions regarding how and when these should be used; and
- ensure you have processes in place to allow you to action any requests from individuals for the erasure of their personal data.
- Disposal of records, National Archives
- Dispose of information you no longer need, National Archives
- Disposing of records, National Archives
- Guide to UK GDPR – Individuals rights – The Right to Erasure, ICO website
You can download this report as a Word document using the button on the top right corner of the page. If you have an problem downloading the report into a word document please let us know.
Thank you for completing this checklist. Please complete our short feedback survey to help improve our toolkit.
The survey should take around three minutes to complete.