NORTH EAST SCOTLAND TRANSPORT PARTNERSHIP – 19 April 2017

6b – Records Management Plan

Purpose of Report

The purpose of this report is to inform the Board of Nestrans obligations under the Public Records (Scotland) Act 2011 and to present the Nestrans Records Management Plan for approval.

Background

Public bodies are now required, under the Public Records (Scotland) Act 2011, to produce a Records Management Plan setting out the arrangements for the management of the organisation’s records. The Records Management Plan must be submitted to The Keeper of Records of Scotland for assessment and approval.

Effective management of records and information is a core element of good governance and assists with meeting the business needs of the organisation, promoting efficiency and providing legal and financial accountability.

Records Management applies to all records, irrespective of how they are created and stored or the type of information they contain. The proposed Records Management Plan sets out a policy approach to records management, data protection, Freedom of Information, business continuity and information security, along with a detailed Records Management Plan (RMP).

Draft Records Management Plan

A Draft Records Management Plan has been developed by Nestrans based on the principles of The Keeper of Records Model Plan and was submitted to The Keeper of Records on 2nd February 2017, in line with their required deadlines.

In developing the Draft Records Management Plan, Nestrans consulted with other Regional Transport Partnerships and the relevant departments within the two Councils in order to ensure consistency.

The Keeper of Records will review the submitted Records Management Plan and provide an assessment of it.

The letter from the Keeper of the Records of Scotland setting out the requirements to develop and submit a Records Management Plan is provided in Appendix A. The Nestrans Draft Records Management Plan is provided in Appendix B.

Any feedback received from The Keeper of the Records will be reported to a future meeting of the board.

Recommendations

The Board is recommended to:

  • Approve the Draft Records Management Plan.

RD/TH/KC/KW 5 April 2017

Appendix A

Appendix B

North East Scotland Regional Transport Partnership

(Nestrans)

Records Management Plan

Setting out the Partnership’s arrangements for the management of Nestrans public records under Section 1 of The Public Records (Scotland) Act 2011

Contents

  1. Introduction
  2. Records Management Plan
  3. Elements
  4. List of Appendices and Associated Evidence

Introduction

Nestrans is required in terms of Section 1 of the Public Records (Scotland) Act 2011 to produce a Records Management Plan setting out proper arrangements for the management of its public records and to submit this to the Keeper of the Records of Scotland for approval.

Records Management is the systematic control of an organisation’s records (in this document a “record” means anything in which information is recorded in any form including, for example, paper and electronic reports, emails, photographs, etc.) throughout their lifecycle in order to meet operational business needs, statutory and fiscal requirements, and community expectation. It allows fast, accurate and reliable access to records, whilst ensuring the timely destruction of redundant information and the identification and protection of vital and historically important records.

Nestrans believes that effective records management will bring substantial benefits, which will result in greater business efficiency and considerable improvements in the use of information as well as financial, human and other resources within the organisation.

The scope of the plan applies to all records irrespective of the technology used to create and store them or the type of information they contain.

Context

Records Management Plan

Nestrans Records Management Plan is based on the Keeper of the Records of Scotland’s published Model Records Plan and comprises the following 14 elements:

1. Senior Management Responsibility
2. Records Manager Responsibility
3. Records Management Policy Statement
4. Business Classification
5. Retention Schedules
6. Destruction Arrangements
7. Archiving and Transfer Arrangements
8. Information Security
9. Data Protection
10. Business Continuity and Vital Records
11. Audit Trail
12. Competency Framework for Records Management Staff
13. Assessment and Review
14. Shared Information

14.1 The Senior Officer within Nestrans with overall strategic responsibility for records management is:

Derick Murray

Partnership Director Nestrans

27-29 King Street

Aberdeen

AB24 5AA

Tel: 01224 625524

14.2 The Partnership Director fully endorses this plan and will ensure the required improvements to records management procedures are implemented corporately and monitored by the designated officers through the assessment and review process.

Evidence:

1. Covering letter from the Partnership Director of Nestrans.

2. Records Management Policy.

Future Development:

There are no planned future developments for Element 1. However, if there is a change to the Senior Responsible Officer, this element would require review.

Nestrans Records Management Plan Page 1

2.1 The individual answerable to Senior Management within Nestrans and who has operational responsibility for records management is:

Tricia Howden Office Manager / PA to Director

Nestrans

27-29 King Street

Aberdeen

AB24 5AA

Tel: 01224 625524

Email:

Evidence:

1. Covering letter from the Partnership Director of Nestrans.

2. Records Management Policy.

3. Office Manager - Certificate of Training for attending Public Records (Scotland) Act 2011 Training

Future Development:

There are no planned future developments for Element 2. However, if there were to be changes to these designations, this element would require review.

3.1 The Records Management Policy Statement is provided in Annex B.

3.2 This Records Management Plan, including the Records Management Policy Statement, will be made available on the Nestrans website and the internal staff network drive.

Evidence:

1. Records Management Policy.

2. Aberdeen City Council Information Security Policy.

Future Development:

There are no planned future developments for Element 3. However, if there were to be changes to these designations, this element would require review.

4.1 Nestrans is currently developing a Business Classification Scheme and Retention Schedule.

Evidence:

1. Draft Business Classification and Retention Schedule

Future Development:

Nestrans is currently drafting its Business Classification and Retention Schedule and is in the process of updating the electronic filing structure to be in line with this.

The electronic filing system is in the process of being re-organised to reflect the new business classification scheme and retention schedule and the new structure will be rolled out through 2017.

This is a new framework and will be reviewed in January 2018 and annually thereafter.

5.1 Nestrans has drawn up a retention schedule framework, in line with Partner Authorities and EU Project rules. The framework will apply to both electronic and paper records.

5.2 Nestrans receives the following services from its partner councils:

  • IT services (Aberdeen City Council)
  • Legal services (Aberdeen City Council)
  • HR (Aberdeenshire Council)
  • Finance services (Aberdeenshire Council)
  • PR and Communications (Aberdeenshire Council)

5.3 Each of these is covered by Service Level Agreements and records stored by these organisations will be in line with their own Records Management Plans.

Evidence:

  1. Draft Business Classification and Retention Schedule
  2. Aberdeen City Council Records Management Policy
  3. Aberdeenshire Council Records Management Policy
  4. Service Level Agreements

Future Development:

Nestrans is currently drafting its Business Classification and Retention Schedule and is in the process of updating the electronic filing structure in line with this.

The electronic filing system is in the process of being re-organised to reflect the new business classification scheme and retention schedule and the new structure will be rolled out through 2017.

This is a new framework and will be reviewed in January 2018 and annually thereafter.

6.1 Destruction of records occurs at the end of retention periods as set out in Nestrans Retention Schedules. For the purpose of the Records Management Plan, destruction or destroyed means either the destruction of paper records or the deletion of electronic records.

6.2 Nestrans uses an on-site paper shredder, a Fellows PowerShred PS-62C, which shreds to confetti cut 3.9 x 50mm.

6.3 Nestrans shall engage the external supplier ‘Shred It’ on an ad hoc basis in instances where the destruction of bulk confidential paper records is required.

6.4 Nestrans does not utilise off-site storage of records, apart from when the records are held by Aberdeenshire Council or Aberdeen City Council as part of their records management plan and our service level agreements with them.

6.5 Disposal of IT equipment is dealt with by Aberdeen City Council, which uses an external company to recycle all ICT hardware.

Evidence:

1. Aberdeen City Council Records Management Policy

2. Aberdeen City Council Information Security Policy

Future Development:

There are no planned future developments for element 6.

7.1 The majority of Nestrans records are held electronically and backed up by Aberdeen City Council.

7.2 The arrangements for archiving paper records of enduring value will be dealt with on an ad-hoc basis depending on the nature of the records.

Evidence:

1. Aberdeen City Council Information Security Policy.

Future Development:

A new electronic spreadsheet for recording files to be destroyed and / or archived will be developed in line with the Business Classification Scheme and Retention Schedule.

7.3 The Nestrans ICT function is provided by Aberdeen City Council. Nestrans is subject to the information security function and policies of the Council.

7.4 User access is restricted to Nestrans employees.

7.5 Nestrans has adopted and is subject to Aberdeen City Council information security policy and procedures. These are available to all colleagues via the Zone intranet site to which all Nestrans employees have access.

Evidence:

1. Nestrans Information Security Policy

2. Aberdeen City Council Information Security Policy

Future Development:

The ICT Service Level Agreement with Aberdeen City Council will be renewed in 2018.

9.1 Under the Data Protection Act 1998, Nestrans is a data controller and is registered as such with the Information Commissioner’s Office (ICO).

9.2 Nestrans has a data protection policy in place as well as a policy on information security.

Evidence:

1. Data Protection Public Registration –

Ref: Z966516X

2. Data Protection Policy

3. Aberdeen City Council IT and Information Security Policy

Future Development:

There are no planned future developments for Element 9. However, this policy will be regularly reviewed to ensure it remains fit for purpose.

The data protection public registration will be renewed annually.

10.1 Nestrans has in place a business continuity plan in the event of any disaster. Reference to records management arrangements, in particular vital IT applications and systems, has been included in the plan.

Evidence:

1. Business Continuity Plan.

2. Aberdeen City Council Information Security Policy

Future Development:

The Business Continuity Plan will be subject to review and testing to ensure it remains fit for purpose.

11.1 All Nestrans records are held on the shared drive hosted by Aberdeen City Council. As the file share is only available to the eight Nestrans staff, the risk of inappropriate access to or tampering with records is judged to be very low. Records are converted to PDF once finalised and published online.

11.2 Staff are made aware of their obligations to maintain appropriate records and not to make unauthorized additions to Nestrans records.

11.3 Electronic files are maintained and will be archived in accordance with relevant filing hierarchy.

11.4 Paper records are referenced and maintained in the filing index and the status of each file is recorded.

Evidence:

1. Nestrans file structure

Future Development:

Audit processes will be subject to regular review.

A new electronic spreadsheet for recording files to be destroyed and / or archived will be developed in line with the Business Classification Scheme and Retention Schedule.

12.1 Nestrans will provide appropriate training and development support to ensure all staff are aware of their records management responsibilities.

12.2 As designated Records Manager, Tricia Howden has engaged with available learning opportunities on PRSA and will continue to do so. This has included:

  • Meeting with Pete Wadley of NRS PRSA Team, Sep 2015
  • Participation in Transport Partnerships PRSA workshop, Jan 2016

12.3 Tricia also seeks advice from the Information Manager at Aberdeen City Council, as appropriate.

Evidence:

1. Records Management Policy.

2. Certificate: Transport Partnerships PRSA Training Session January 2016

Future Development:

All staff responsible for operational records management will be afforded the opportunity to attend any relevant courses, seminars or conferences as and when required.

13.1 The Partnership Director and Office Manager will formally review Nestrans’ Records Management Plan annually (commencing January 2018) and report to the Nestrans Board.

Evidence:

1. Nestrans Board Meetings -

Future Development:

Assessment and review of the Records Management Plan will be reported to the Nestrans Board.

14.1 Information shared with and by Nestrans is characteristically open and non-sensitive.

14.2 In instances where information is sensitive or confidential we will comply with the reasonable confidentiality requirements of the relevant third parties and any such information will be subject to strict access controls.

14.3 Our core records and information are publicly shared as a statutory requirement.

Evidence:

1. Data Protection Policy.

2. Records Management Policy

3. Aberdeen City Council Information Security Policy

Future Development:

There are no planned future developments for Element 14. However, this policy will be regularly reviewed to ensure it remains fit for purpose.

Element 1 / Covering letter from the Partnership Director of Nestrans (Annex A)
Records Management Policy (Annex B)
Element 2 / Covering letter from the Partnership Director of Nestrans.
Records Management Policy
Office Manager - Certificates of Training for attending Public Records (Scotland) Act 2011 Training (Annex C)
Element 3 / Records Management Policy
Aberdeen City Council Information Security Policy

Element 4 / Draft Business Classification and Retention Schedule (see Annex D)
Element 5 / Draft Business Classification and Retention Schedule
Aberdeen City Council Records Management Policy http://www.aberdeencity.gov.uk/nmsruntime/saveasdialog.asp?lID=63114&sID=25754
Aberdeenshire Council Records Management Policy
https://www.aberdeenshire.gov.uk/council-and-democracy/info-and-records-mgmt/records-management-plan/
Service Level Agreements
Element 6 / Aberdeen City Council Records Management Policy
Aberdeen City Council Information Security Policy
Element 7 / Aberdeen City Council Information Security Policy
Element 8 / Nestrans Information Security Policy (see Annex E)
Aberdeen City Council Information Security Policy
Element 9 / Data Protection Policy (see Annex F)
Aberdeen City Council Information Security Policy
Element 10 / Business Continuity Plan (Annex G)
Aberdeen City Council Information Security Policy
Element 11 / Nestrans Full File Index (Annex H)
Element 12 / Records Management Policy
Certificate: Transport Partnerships PRSA Training Session January 2016
Element 13 / Nestrans Board Meetings -
Element 14 / Data Protection Policy
Records Management Policy
Aberdeen City Council Information Security Policy

Annex A


Annex B

Records Management Policy Statement

Effective records management is core to the transparent and robust delivery of services and all staff share responsibility for appropriately managing the Nestrans documents and information with which they work. Nestrans takes seriously our obligations under the Public Records (Scotland) Act 2011 and will implement improvements as identified in our Records Management Plan.

The Partnership Director has strategic responsibility for records management. Day-to-day implementation of effective records management is delegated to the Office Manager.

No staff member or contractor may alter, delete or edit a document unless it is within their area of responsibility and they are authorised to do so. No existing document may be altered without appropriate authority and just cause. Inappropriate or malicious alteration or deletion of Nestrans data or documents may be considered as misconduct and therefore subject to disciplinary action.

All Nestrans records will be stored in the appropriate folders on the networked shared drive. The folders will be structured in line with the Business Classification Scheme in Annex D. No documents or records should be held on PC or laptop hard drives (C: drives) other than working copies of documents temporarily held on laptops. These must be synchronised back to the network at the earliest opportunity.

The network shared drive is managed on our behalf by Aberdeen City Council. Only Nestrans staff will have access to the shared drive, and network accounts will be deleted as soon as a member of staff or contractor leaves Nestrans.

In order to ensure the integrity of records, key document types will be converted from MS Word to PDF when they are finalised as follows:

Document type / Rendered as PDF
Outward correspondence / Final version as sent
Strategy, Plan and Policy documents / Agreed and implemented version
Reports / Final version as presented
Partnership Board and committee records / Minutes as approved by chair; papers as issued to committee members

Where appropriate, versioning will be appended to document titles as follows: “<Title> <Vn_n>.doc”. For example, “Information Governance Policy V 0_2.doc”.

Where dates are included in document titles these shall be rendered in the international standard form YYYYMMDD.

Records will be deleted from the network at the end of their retention periods as set out in the Business Classification Scheme.

Convenience hard copies of documents are not considered as records. They should be securely shredded and recycled when no longer required.

Nestrans records identified as being of enduring historical value will be deposited with the Aberdeen City and Aberdeenshire archives for preservation.

For regulatory information, see the National Records of Scotland.

Annex C

Training Certificate

Annex D

Draft Business Classification and Retention Schedule


Annex E

Information Security

Nestrans is committed to protecting the Confidentiality, Integrity and Availability of our information assets. We source our ICT services (including network, data storage, software and hardware) through Aberdeen City Council, who manage our IT security and have Public Services Network accreditation.

The Council provides security controls including firewalls, anti-malware, software and server patching, back-up and PSN connectivity.

In addition, the Council publishes regular Information Security Advisories for staff on their intranet pages to disseminate good practice, promote awareness, and highlight key areas of information security risk.

We have adopted and apply the information security policy.

In particular, Nestrans staff must:

  • Select hard to guess network passwords which are never shared or written down;
  • Never download or install software without the permission of ACC IT;
  • Not attempt to connect non-ACC issued devices to the network;
  • Ensure that confidential documents are locked away when not in use;
  • Be wary of emails from unknown sources which may carry malware or “phishing” attacks;
  • Always use the shredder for disposal of documents.
  • Staff have access to OIL Course, For Your Eyes Only, which provides further training and information on IT security awareness.

For more information or advice see Aberdeen City Council’s Intranet information security page: