The ICO exists to empower you through information.

1 December 2023

Overall rating

Your overall rating was red.

  • 16: Not yet implemented or planned
  • 0: Partially implemented or planned
  • 0: Successfully implemented
  • 0: Not applicable

RED: not implemented or planned

Your business has defined and allocated records management responsibilities.

Suggested actions

You should:

  • Nominate an appropriately skilled lead to coordinate records management within your business.
  • Ensure they have the authority and resources to fulfil this responsibility effectively.
  • If you are a larger business, appoint 'owners' with day-to-day responsibility for the security, use, accuracy and retention of manual and electronic records.

Guidance

Your business has approved and published an appropriate records management policy. This is subject to a regular review process.


Suggested actions

You should:

  • clearly set out in policy your business' approach to records management together with responsibilities for implementing the policy and monitoring compliance;
  • ensure the policy is approved by management, published and communicated to all staff; and
  • review and update the policy at planned intervals or when required to ensure it remains relevant.

Guidance

The National Archives has developed comprehensive guidance on how to create an effective records management policy.

Your business has identified records management risks as part of a wider information risk management process.


Suggested actions

You should:

  • undertake a risk assessment of all records held within your organisation; and
  • if you already have a corporate risk register, include risks to records management functions. These might include records not being updated, not being destroyed in a timely manner, or not being held securely.

Guidance

Your business incorporates records management within a formal training programme. This comprises mandatory induction training with regular refresher material, and specialist training for those with specific records management functions.


Suggested actions

You should:

  • incorporate records management within a formal training programme that comprises mandatory induction training and delivery of regular refresher material for all staff;
  • provide specialist training to those with specific records management functions; and
  • promote records management awareness amongst all staff through promotional materials such as posters, newsletters and intranet articles.

Your business carries out periodic checks on records security and you monitor compliance with records management procedures.


Suggested actions

You should:

  • undertake periodic checks on records security and monitor compliance with records management procedures; and
  • measure the outcomes of any records security checks or compliance monitoring against key performance indicators to provide management information on performance to those with overall responsibility for records management.

Your business has set minimum standards for the creation of paper or electronic records.


Suggested actions

You should:

  • ensure you have minimum standards for creation of paper or electronic records (including emails) in place;
  • establish procedures and guidelines for staff to ensure that you title and index new records in a way that allows you to efficiently manage, retrieve and dispose of them; and
  • where applicable, ensure you use security classification or marking protocols, such as the Government protective marking scheme, to identify records that contain more sensitive information.

Guidance

Your business has identified where you use manual and electronic records keeping systems and actively maintains a centralised record of those systems.


Suggested actions

You should:

  • carry out an information audit or records survey to identify records and data sets you hold; and
  • create a central log or information asset register to record which business functions create certain records, which records are vital to the functioning of the business, where you keep them, how long you keep them for and who needs to use them now and in the future.

Guidance

Your business has processes in place to ensure that the personal data you collect is accurate, adequate, relevant and not excessive. You carry out regular reviews to remove any personal data or records that are out of date or no longer relevant.


Suggested actions

You should:

  • ensure you take appropriate steps to confirm the accuracy of new personal data, or data that you have recorded and retained over a period of time;
  • implement procedures to allow individuals to challenge the accuracy of information you hold about them and correct it if necessary, or add a supplementary statement;
  • establish initial and then periodic reviews to check that the data you collect is not excessive for the purpose or processing requirements; and
  • remove data that you have identified as being out of date or inaccurate, or no longer relevant for your purposes.

Guidance

Your business has tracking mechanisms to record the movement of manual records and ensure their security between office and storage areas and also in instances where you take records off-site.

Suggested actions

You should:

  • implement tracking mechanisms to record the movement and ensure the security of manual records between office and storage areas and also in instances where records are taken off-site;
  • minimise data wherever possible when transferring data off-site;
  • use an appropriate form of transport eg secure courier for sensitive personal data;
  • log the transfer in and out where appropriate and put checks in place to ensure that data is received; and
  • employ security measures such as lockable containers, tamper evident packaging or removal from public view and accessibility.

Guidance

Your business has appropriate measures in place to transfer electronic records off-site and protect personal data from loss or theft.


Suggested actions

You should:

  • always use an appropriate form of transport eg secure courier for sensitive personal data when transferring data off-site;
  • minimise data being transported;
  • log the transfer in and out where appropriate and check to ensure that data is received; and
  • employ security measures to safeguard the data such as tamper evident packaging, encrypted devices or encrypted emails or secure file sharing or transfer software.

Guidance

Your business stores paper and electronic records securely with appropriate environmental controls and higher levels of security around special categories of personal data.


Suggested actions

You should:

  • store paper records in lockable offices, cabinets and drawers with higher levels of security around sensitive personal data;
  • ensure keys to offices, cabinets and drawers are stored securely and records are locked away when staff are absent for extended periods eg overnight;
  • consider appropriate environmental controls to protect paper records from threats such as fire or water ingress;
  • implement a clear screen and clear desk policy with regular checks to ensure compliance; and
  • ensure you have appropriate technological and organisational security measures which are documented within a contract before using any cloud based storage options.

Guidance

Your business restricts access to records storage areas in order to prevent unauthorised access, damage, theft or loss. You should implement role based access and check it regularly.


Suggested actions

You should:

  • restrict access to records storage areas in order to prevent unauthorised access, damage, theft or loss; and
  • implement role based access and check access levels regularly.

Your business has a process to assign and manage user accounts to authorised individuals and to remove them when no longer appropriate.


Suggested actions

You should:

  • implement a process to ensure that access to systems holding personal data is authorised by management;
  • restrict user permissions to the absolute minimum (or 'least privilege');
  • assign each user with their own username and password to ensure accountability;
  • implement role based user profiles and access levels to ensure that access to systems is only given to those roles that require it in order to complete their work;
  • review all network and application user access lists at least annually;
  • ensure you have robust starter, mover and leaver processes to avoid the risk of unauthorised access or the accrual of unnecessary access levels;
  • enforce strong passwords for both network and systems access;
  • limit the number of failed login attempts; and
  • monitor user activity to detect any anomalous use.

Guidance

Your business has business continuity plans in place in the event of a disaster. This includes identifying records that are critical to the continued functioning or reconstitution of your business. You also routinely back up data that is stored electronically to help restore information if needed.


Suggested actions

You should:

  • complete an assessment of the data you hold and its criticality to your business functions;
  • ensure business continuity plans are put in place to prepare for serious disruption;
  • take regular backups of systems and data so that you can restore personal data stored electronically in the event of disaster or hardware failure; and
  • store backups off-site.

Guidance

Your business has a retention and disposal schedule which details how long you will keep manual and electronic records.


Suggested actions

You should:

  • have a disposal and retention schedule outlining storage periods for all personal data (this includes manual and electronic records);
  • regularly review the retention and disposal schedule to ensure it continues to meet business needs and statutory requirements; and
  • assign responsibility to individuals to ensure retention periods are adhered to.

Your business has confidential waste disposal processes to ensure that records are destroyed to an appropriate standard.


Suggested actions

You should:

  • ensure your methods of destruction are appropriate to prevent disclosure of personal data during and after disposal, eg for paper documents, cross-cut shredding or incineration either in-house or by a third party; for electronic documents, deletion from systems or "putting beyond use"; and for hardware, degaussing or physical destruction (shredding);
  • provide facilities for collecting and holding confidential personal data prior to disposal with instructions regarding how and when these should be used; and
  • ensure you have processes in place to allow you to action any requests from individuals for the erasure of their personal data.

Guidance

