OFFICIAL

ICT-PL-0015 Records Management and Information Handling Policy

Records Management and Information Handling Policy

Owner: Corporate Manager – Information Management and ICT

Document ID: ICT-PL-0015

Version: 1.2

Date: May 2018

IT HELPDESK: 01473 265555

Table of Contents

1. PURPOSE
2. INTRODUCTION
3. SCOPE
4. ROLES AND RESPONSIBILITIES
5. TRAINING AND AWARENESS
6. RECORD CREATION, MAINTENANCE AND DISPOSAL
7. ACCESS AND SECURITY
8. SECURE DOCUMENT PRINTING
9. HANDLING OF FAXES
10. SECURE DISPOSAL AND DESTRUCTION
11. PERFORMANCE MEASUREMENT
12. BREACHES
13. REVIEW OF THE POLICY
14. FURTHER ADVICE
APPENDIX 1 – DOCUMENT CONTROL
APPENDIX 2 – RESPONSIBILITIES

1. PURPOSE

1.1.1. The purpose of this document is to state the Records Management and Information Handling Policy of Babergh and Mid Suffolk District Council (BMSDC).

1.2. Scope

1.2.1. It is applicable to BMSDC Councillors, the employees of BMSDC, any partners, voluntary groups, third parties and agents who have been authorised to access the information, including contractors. For the purposes of this Policy all these individuals are referred to as ‘user’ or ‘users’ and they are responsible for taking the appropriate steps, as outlined below, whilst working with information.

1.3. Linked/Other useful policies/procedures

1.3.1. This policy should be read in conjunction with the:-

  • Acceptable Use of ICT Policy;
  • Freedom of Information Policy;
  • Data Protection Policy;
  • Data Quality Policy;
  • E-mail Acceptable Use Policy;
  • Protective Marking Policy;
  • Document Retention Schedules;
  • Password Management Policy.

2. INTRODUCTION

2.1 Babergh District Council and Mid Suffolk District Council (the Councils) recognise that their records are an important public and corporate asset, and are a key resource required for effective operation and accountability. Changes in legislation have heightened the need for careful management of records and this policy sets out the Councils’ responsibilities and activities in relation to this. This policy provides the framework for managing the Councils’ records, both electronically and non-electronically-generated, to ensure that the Councils create and capture authentic and reliable records to demonstrate evidence, accountability and information about their decisions and activities.

3. SCOPE

3.1 This policy applies to all employees, elected Members, contractors, agents and representatives and temporary staff working for or on behalf of the Councils.

3.2 This policy should be read in conjunction with related policies, namely: Information Security Policy, Data Protection Policy, Freedom of Information Policy and any specific Records Management Policies or Data Sharing Agreements.

3.3 This policy applies to all records created or held by the Councils, however they are stored, for example IT system/databases and each drive filing structure, email, filing cabinet, shelving and personal filing drawers. A record is any recorded information regardless of medium (including, but not limited to, paper, microform, electronic and audio-visual), which is created, collected, processed, used, stored and/or disposed of by the Councils’ employees, as well as those acting as their agents in the course of the Councils’ activities.

4. ROLES AND RESPONSIBILITIES

4.1 The Councils have a corporate responsibility to maintain their records and record-keeping systems in accordance with legislative requirements.

4.2 The Senior Information Risk Officer (SIRO) has responsibility for approving a framework for managing and overseeing duties in relation to records management as set out in this policy and delegates this authority to the Corporate Manager for ICT and Information Management.

4.3 The ICT and Information Management Team shall provide overall direction for records management.

4.4 The Corporate Manager for ICT and Information Management will co-ordinate activities with the ICT and Information Management team, such as maintaining the corporate retention schedule.

4.5 Each Corporate Manager is responsible for the management of their Directorate’s records in accordance with this policy, and ensuring that all staff are aware of record keeping.

4.6 Information Asset Owners. These are Corporate Managers who operationally own the information and records contained in their systems (paper and/or electronic). Their role is to understand what information and records are held, how they are used and transferred, and who has access to them and why, in order for business to be transacted within an acceptable level of risk.

4.7 All Councils’ employees will be responsible for creating and maintaining records in relation to their work that are accurate and reliable.

4.8 Staff with specific responsibilities for records management will have these clearly defined in their job descriptions.

5. TRAINING AND AWARENESS

5.1 All employees are involved in creating, maintaining and using records and it is important that everyone understands their record management responsibilities.

5.2 Managers will ensure that staff responsible for managing records are appropriately trained or experienced.

5.3 A training programme exists to ensure that all staff are aware of their obligations in relation to information management policies and procedures.

6. RECORD CREATION, MAINTENANCE AND DISPOSAL

6.1 Corporate Managers must ensure that all electronic and paper systems which contain records are able to document activities and can provide quick and easy retrieval of information. The systems must also take into account the legal and regulatory environment specific to their area of work.

6.2 Electronic and paper systems containing records must be maintained so that the records are properly stored and protected, and can easily be located and retrieved.

6.3 It is important that the disposal (either secure destruction or permanent preservation) of records happens as part of a managed process and is adequately documented.

6.4 Corporate Managers must have in place clearly defined arrangements for the appraisal and selection of records for disposal, and for documenting the disposal of records.

7. ACCESS AND SECURITY

7.1 All Councils’ records will be subject to appropriate security measures as set out in the Councils’ Information Security Policy. The Council needs to ensure that decisions regarding access to the records are documented so that they are consistent, and can be explained and referred to. Directors must ensure that:-

  • all staff are aware of the arrangements for allowing access to certain types of information; and
  • procedures are in place to document decisions concerning access.

7.2 By default, users processing information for and on behalf of the Council should only have access to information that is relevant for the purposes of carrying out their duties.

8. SECURE DOCUMENT PRINTING

8.1 It is the responsibility of all users to ensure that any document printed within BMSDC uses a printing solution called FollowMe. FollowMe printing enables users to send documents to print and requires the user to swipe their ID cards at the printer before it will print.

8.2 Once a valid ID card is swiped at a printer the user can select individual documents for printing – if you change your mind, you can press ‘delete’ to remove it from the print queue to save wasting paper.

8.3 Secure: it is safer, because using your ID card means only you can collect your printouts; nobody can pick them up by mistake. You can collect your printing from any compatible multi-function device (MFD) in Endeavour House, Creeting Road, Constantine House, Gipping Court, and the Touch Down points at Ipswich Street Stowmarket, Chilton Depot Sudbury, Sandringham Court Sudbury, Tacon Close Eye, BlueFlame Hadleigh, and Wenham Depot, Gt Wenham at any time within four days from requesting the print.

9. HANDLING OF FAXES

Note: Fax should only be used if secure email is not available.

9.1 Sending Faxes

9.1.1 OFFICIAL – Normal use of a fax machine. Consider not using one-touch dialling in case the number has been changed or corrupted. Only send once – either the intended recipient has been telephoned and confirmed the fax can be collected immediately or the receiving fax is known to be in a secure environment. Mark fax header as OFFICIAL.

9.1.2 OFFICIAL-SENSITIVE – Normal use of a fax machine. One-touch dialling must not be used in case the number has been changed or corrupted. Only send once – either the intended recipient has been telephoned and confirmed the fax can be collected immediately or the receiving fax is known to be in a secure environment. Mark fax header as OFFICIAL-SENSITIVE.

9.2 Receiving Faxes

9.2.1 OFFICIAL – Normal use of a fax machine. Ensure that the fax is collected as soon as possible or is known to be in a secure environment. Mark fax header as OFFICIAL (if not already Protectively Marked).

9.2.2 OFFICIAL-SENSITIVE – Normal use of a fax machine. If the intended recipient has been telephoned and pre-warned of the incoming fax then ensure that the fax can be collected immediately or the received fax is known to be in a secure environment. Mark fax header as OFFICIAL-SENSITIVE (if not already Protectively Marked).

9.3 Faxes Converted to Emails

9.3.1 Wherever possible faxes received should be converted at source direct to emails and passed to the BMSDC email system in accordance with the relevant protective marking level assigned to them.

10. SECURE DISPOSAL AND DESTRUCTION

10.1 Destruction of Paper

10.1.1 OFFICIAL – Use secure waste sacks, bins or use any shredder. If information forms part of a public record or is within its retention period please contact the ICT and Information Management Team.

10.1.2 OFFICIAL-SENSITIVE – Use secure waste sacks, bins or use any shredder. If information forms part of a public record or is within its retention period please contact the ICT and Information Management Team.

10.2 Destruction of Electronic Data

10.2.1 OFFICIAL AND OFFICIAL-SENSITIVE – All hard drives to be returned to SCC IT for electronic scrubbing before any possible re-use. Securely destroy removable media when no longer needed. Dismantle floppy disks and cut into quarters (at least); dispose with normal waste. All other media must be destroyed at the magnetic and physical levels – use the internal post to send to SCC, Needham Market and Hadleigh IT.

11. PERFORMANCE MEASUREMENT

11.1 The Corporate Manager for Internal Audit will monitor performance with regard to the storage, retention and retrieval of records.

12. BREACHES

12.1 Non-compliance with this policy could potentially leave the Councils vulnerable to legal action, reputational damage and other sanctions, for example, fines levied by the Information Commissioner of up to 20,000,000 Euros. Breaches will be considered on a case-by-case basis by the Corporate Manager for Internal Audit and referred to other relevant Officers as appropriate.

13. REVIEW OF THE POLICY

13.1 This policy will be reviewed every two years or when any other significant change impacts upon the policy. Comments on the policy, from both employees and members of the public, are therefore welcome and can be addressed to:-

Information Management and ICT

Babergh and Mid Suffolk District Council

Endeavour House

8 Russell Road

IPSWICH

IP1 2BX

14. FURTHER ADVICE

For further advice on this policy, please contact:-

Information Management Team

APPENDIX 1

DOCUMENT CONTROL

Changes History

Issue No. / Date / Amended By / Summary of Changes
1.0 / March 2015 / Neal Scarff, Philip Barbrook, Duncan Farley / Version 1.0
1.0 / April 2015 / Carl Reeder / Convert for Babergh and Mid Suffolk use
1.1 / September 2015 / Review and update
1.2 / May 2018 / Carl Reeder / Review and Update for GDPR

Authorisation (Responsible Owner)

Role / Name / Approval Date
Corporate Manager for ICT and Information Management / Carl Reeder / January 2016
Head of Corporate Resources / Katherine Steel / January 2016
Corporate Manager – Internal Audit / John Snell / January 2015

Approval (Accountable Owner)

Role / Name / Approval Date
Senior Information Risk Owner / Katherine Steel / January 2016

Reviewers (Consulted)

Role and Review Responsibilities / Name / Approval Date
Corporate Manager for Internal Audit / John Snell / January 2016
Information Management Specialist (Legal Obligation) / Karen Smith / January 2016
SCC Policy and Compliance Officer / Neal Scarff / January 2016
BMSDC Information Governance Board

Distribution List – Once authorised (Informed)

Name / Organisation
All Users / See Section 1.2.1 of Policy

Review Period

Date Document to be Reviewed / By whom
April 2019 / Corporate Manager for ICT and Information Management

APPENDIX 2

RESPONSIBILITIES

1. Babergh District Council and Mid Suffolk District Council

  • Training – BMSDC will train users with regard to this policy.
  • Training for Councillors will be provided as part of the Councillors’ Support Programme.

2. ICT and Information Management Team

  • Implementation of Policy – The ICT and Information Management Team has been tasked to implement this policy.

3. Internal Audit Team

  • Monitoring of Policy – The Internal Audit Team has been tasked to monitor its effectiveness.

4. Corporate Managers

  • Induction, Training and Support – Corporate Managers are responsible for ensuring that adequate induction and training is undertaken by staff and that support is provided to them so as to implement this policy (see 2.4.1).

The Corporate Manager – Governance is responsible for ensuring that adequate induction and training is undertaken by Councillors and that support is provided to them so as to implement this policy.

5. Users

  • User Awareness and Training – All users should attend the appropriate training courses. BMSDC together with Suffolk County Council delivers modular training to all users who have access to the Councils’ data and network. These training modules inform users of the requirements of the ICT Security Policies. All users must engage with this training and complete all mandatory modules. Corporate Managers have a responsibility to support this training, and must raise with HR if any staff member does not, or cannot, complete the training.
  • Breach of this Policy – Staff found to be in breach of this policy may be disciplined in accordance with the Code of Conduct for all employees and Disciplinary Procedure. In certain circumstances, breach of this policy may be considered gross misconduct resulting in dismissal. It should be noted that breach of the policy could also lead to criminal or civil action if illegal material is involved or legislation is contravened. The Councils will not hesitate to bring to the attention of the appropriate Authorities any use of its systems which it believes might be illegal.

Councillors found to be in breach of this policy may be deemed to be in breach of the Members’ Code of Conduct, leading to action by the Corporate Manager – Governance.

  • Breach of Information Security – Users must report all suspected breaches of information security using the Information Security Incident report form as soon as they are identified. BMSDC must verify and report incidents to the Information Commissioner’s Office within 72 hours of being identified to comply with the General Data Protection Regulation.
