The ICO exists to empower you through information.

26 May 2024

Overall rating

Your overall rating was red.

  • 10: Not yet implemented or planned
  • 5: Partially implemented or planned
  • 0: Successfully implemented
  • 1: Not applicable

RED: not implemented or planned

Your business has defined and allocated records management responsibilities.

Suggested actions

You should:

  • Nominate an appropriately skilled lead to coordinate records management within your business.
  • Ensure they have the authority and resources to fulfil this responsibility effectively.
  • If you are a larger business, appoint 'owners' with day-to-day responsibility for the security, use, accuracy and retention of manual and electronic records.

Guidance

Your business has approved and published an appropriate records management policy. This is subject to a regular review process.

 

Suggested actions

You should:

  • clearly set out in policy your business' approach to records management together with responsibilities for implementing the policy and monitoring compliance;
  • ensure the policy is approved by management, published and communicated to all staff; and
  • review and update the policy at planned intervals or when required to ensure it remains relevant.

Guidance

The National Archive has developed comprehensive guidance on how to create an effective records management policy.

Your business has identified records management risks as part of a wider information risk management process.

 

Suggested actions

You should:

  • undertake a risk assessment of all records held within your organisation; and
  • if you already have a corporate risk register, include risks to records management functions. These might include records not being either updated, destroyed in a timely manner or held securely).

Guidance

Your business has identified where you use manual and electronic records keeping systems and actively maintains a centralised record of those systems.

 

Suggested actions

You should:

  • carry out an information audit or records survey to identify records and data sets you hold; and
  • create a central log or information asset register to record which business functions create certain records, which records are vital to the functioning of the business, where you keep them, how long you keep them for and who needs to use them now and in the future.

Guidance

Your business has appropriate measures in place to transfer electronic records off-site and protect personal data from loss or theft.

 

Suggested actions

You should:

  • always use an appropriate form of transport eg secure courier for sensitive personal data when transferring data off-site;
  • minimise data being transported;
  • log the transfer in and out where appropriate and check to ensure that data is received; and
  • employ security measures to safeguard the data such as tamper evident packaging, encrypted devices or encrypted emails or secure file sharing or transfer software.

Guidance

Your business has a process to assign and manage user accounts to authorised individuals and to remove them when no longer appropriate.

 

Suggested actions

You should:

  • implement a process to ensure that access to systems holding personal data is authorised by management;
  • restrict user permissions to the absolute minimum (or 'least privilege');
  • assign each user with their own username and password to ensure accountability;
  • implement role based user profiles and access levels to ensure that access to systems is only given to those roles that require it in order to complete their work;
  • review all network and application user access lists at least annually;
  • ensure you have robust starter, mover and leaver processes to avoid the risk of unauthorised access or the accrual of unnecessary access levels;
  • enforce strong passwords for both network and systems access;
  • limit the number of failed login attempts; and
  • monitor user activity to detect any anomalous use.

Guidance

Your business has business continuity plans in place in the event of a disaster. This includes identifying records that are critical to the continued functioning or reconstitution of your business. You also routinely back up data that is stored electronically to help restore information if needed.

 

Suggested actions

You should:

  • complete an assessment of the data you hold and its criticality to your business functions;
  • ensure business continuity plans are put in place to prepare for serious disruption;
  • take regular backups of systems and data so that you can restore personal data stored electronically in the event of disaster or hardware failure; and
  • store backups off-site.

Guidance

Your business has a retention and disposal schedule which details how long you will keep manual and electronic records.

 

Suggested actions

You should:

  • have a disposal and retention schedule outlining storage periods for all personal data (this includes manual and electronic records);
  • regularly review the retention anddisposal schedule to ensure it continues to meet business needs and statutory requirements; and
  • assign responsibility to individuals to ensure retention periods are adhered to.

Your business has confidential waste disposal processes to ensure that records are destroyed to an appropriate standard.

 

Suggested actions

You should:

  • ensure your methods of destruction are appropriate to prevent disclosure of personal data during and after disposal eg for paper documents cross shredding or incineration either in-house or by a third party, for electronic documents deletion from systems or “put beyond use” and for hardware degaussing or destruction (shredding);
  • provide facilities for collecting and holding confidential personal data prior to disposal with instructions regarding how and when these should be used; and
  • ensure you have processes in place to allow you to action any requests from individuals for the erasure of their personal data.

Guidance

 

AMBER: partially implemented or planned

Your business incorporates records management within a formal training programme. This comprises mandatory induction training with regular refresher material, and specialist training for those with specific records management functions.

 

Suggested actions

You should:

  • incorporate records management within a formal training programme that comprises mandatory induction training and delivery of regular refresher material for all staff;
  • provide specialist training to those with specific records management functions; and
  • promote records management awareness amongst all staff through promotional materials such as posters, newsletters and intranet articles.

Your business carries out periodic checks on records security and you monitor compliance with records management procedures.

 

Suggested actions

You should:

  • undertake periodic checks on records security and monitor compliance with records management procedures; and
  • measure the outcomes of any records security checks or compliance monitoring against key performance indicators to provide management information on performance to those with overall responsibility for records management.

Your business has set minimum standards for the creation of paper or electronic records.

 

Suggested actions

You should:

  • ensure you have minimum standards for creation of paper or electronic records (including emails) in place;
  • establish procedures and guidelines for staff to ensure that you title and index new records in a way that allows you to efficiently manage, retrieve and dispose of them; and
  • where applicable, ensure you use security classification or marking protocols, such as the Government protective marking scheme, to identify records that contain more sensitive information.

Guidance

Your business stores paper and electronic records securely with appropriate environmental controls and higher levels of security around special categories of personal data.

 

Suggested icons

You should:

  • store paper records in lockable offices, cabinets and drawers with higher levels of security around sensitive personal data;
  • ensure keys to offices, cabinets and drawers are stored securely and records are locked away when staff are absent for extended periods eg overnight;
  • consider appropriate environmental controls to protect paper records from threats such as fire or water ingress;
  • implement a clear screen and clear desk policy with regular checks to ensure compliance; and
  • ensure you have appropriate technological and organisational security measures which are documented within a contract before using any cloud based storage options.

Guidance

Your business restricts access to records storage areas in order to prevent unauthorised access, damage, theft or loss. You should implement role based access and check it regularly.

 

Suggested actions

You should:

  • restrict access to records storage areas in order to prevent unauthorised access, damage, theft or loss; and
  • implement role based access and check access levels regularly.

 

 

Not applicable

Your business has appropriate measures in place to transfer electronic records off-site and protect personal data from loss or theft.


You can download this report as a Word document using the button on the top right corner of the page. If you have a problem downloading the report into a Word document please let us know.

Thank you for completing this checklist. Please complete our short feedback survey to help improve our toolkit.

The survey should take around three minutes to complete.