Records Management Policy

Introduction

Recent Government initiatives and forthcoming legislation reinforce the need to be fully accountable and to deliver services in a consistent and equitable manner. They make the setting up of records management procedures important for all organisations and imperative for the NAS, as we will be expected to set a good example in this area.

Forthcoming Freedom of Information legislation will include provision for ministers to issue a code of practice on records management. This is likely to require authorities to have in place an overall policy statement on how to manage its records, endorsed by top management and made readily available to staff at all levels of the organisation. In addition, and in line with the UK Government, the Scottish Government expects all public services which can feasibly be delivered electronically to be online by 2005. In order to meet this target, government departments and agencies must be able to retrieve, appraise and dispose of electronic records efficiently and
effectively.

The following policy sets out the procedures and practices needed to control and manage the NAS's own records in such a way that the above requirements are met efficiently and effectively. The adoption of the policy will also bring the following benefits to staff:

• Efficient access to reliable records.
• A clear and understandable filing system.
• Training in those aspects of the system which have a bearing on individuals' jobs.
• Protection from accusations of unnecessary secrecy under the Data Protection Act and forthcoming Freedom of Information Act.
• A smoother eventual transition into electronic records management, which will allow even faster and more efficient record searching and retrieval.

Keeper of the Records of Scotland
15 October 2001

Scope of records management policy

The records covered by this policy must meet the legal, operational and archival requirements of the NAS. They must also ensure its accountability to present and future stakeholders and customers.

The policy covers:

• the requirements that must be met for the records themselves to be considered as a proper record of the NAS's activity
• the scope of the systems and processes required to ensure the capture, integrity, security, retrievability and correct disposition of the NAS's records
• staff responsibilities
• an implementation strategy across the organisation
• provision for regular review of the records management policy and its implementation

Relevant legislation and regulations

The policy complies with the following acts, regulations and best practice standards:

• Data Protection Act, 1998
• Human Rights Act, 1998
• Electronic Communications Act, 2000
• International Standard on Records Management, BS ISO 15489
• Code of Practice for Legal Admissibility and Evidential Weight of Information Stored Electronically, PD0008: 1999
• Principles for Good Practice for Information Management, PD0010: 1997

In addition, certain records will be subject to other legislation covering their particular subject area. Branches should ensure that they are aware of the legislation governing their work and its bearing on their record keeping.

Definition of a record

Principles of good records management

Authentic
It must be possible to prove that records are what they purport to be and who created them, by keeping a record of their management through time. The record keeping system will operate so that the records derived from it are credible and authoritative. Where information is later added to an existing document within a record, the added information will be signed and dated. With electronic records, changes and additions will be identifiable through audit trails.

Accurate
Records must accurately reflect the transactions that they document.

Accessible
Records must be readily available when needed.

Complete
Records must be sufficient in content, context and structure to reconstruct the relevant activities and transactions.

Comprehensive
Records must document the complete range of the NAS's business.

Compliant
Records must comply with any record keeping requirements resulting from legislation, audit rules and other relevant regulations.

Effective
Records must be maintained for specific purposes and the information contained in them must meet those purposes. Records will be identified and linked to the business process to which they are related.

Secure
Records must be securely maintained to prevent unauthorised access, alteration, damage or removal. They must be stored in a secure environment, the degree of security reflecting the sensitivity and importance of the contents. Where records are migrated across changes in technology, NAS must ensure that the evidence preserved remains authentic and accurate.

Records management processes

To achieve the above, the NAS will implement business processes and records management systems which:

• Comply with standards and best practices
• Capture evidence of all activities required.
• Manage the content, context and structure of records securely and reliably
• Facilitate re-use of information contained within records
• Enable efficient access to records, irrespective of their location
• Provide a single interface to records relating to any particular business activity, regardless of the records' media.
• Retain records for as long as they are needed and in the form required
• Retain electronic records on media that permit reliable data migration and/or system modifications
• Protect records from inappropriate access and usage
• Ensure the security of records vital to the NAS's main functions
• Provide for future system amendments or re-design

This will be done for both paper and electronic records, by:

• Introducing an appropriate registration, classification and indexing scheme for all records. This will include rules on version control.
• Designating secure areas for record storage under the control of trained staff, using a system of one or more registries.
• Developing retention schedules for all of the NAS records, coupled with annual file reviews by designated members of staff.
• Implementing effective back-up procedures for the maintenance and security of electronic records.
• Implementing a vital records plan to ensure the recovery of records essential for the running of the NAS in the event of a disaster, suitable back-up procedures etc.
• Designating to individuals within NAS responsibility for the various activities necessary to maintain such systems
• Providing appropriate training.

Staff responsibilities

Senior Management

• Senior management recognise the importance of maintaining a corporate memory of events and activities and is committed to providing sufficient staffing, technical and organisational resources to ensure that the above requirements for dealing with records can be achieved and maintained.

Senior management will make provision for a regular review of the NAS Records Management Policy and will instigate modifications when necessary.

Line Managers

• Familiarise themselves with, and follow, NAS's records management procedures and practices and ensure that their staff do likewise.
• Ensure that, where necessary, staff have appropriate security clearance to do their jobs effectively.
• Identify staff training needs and arrange for these to be addressed.
• For their own areas, oversee the application of retention schedules and provide input into their development.
• Undertake management and statistical reporting.
• Ensure records are held in appropriately secure conditions, depending on their classification.

Operating staff
File items promptly and accurately.

• Identify final versions.
• Send information to the relevant people.
• Ensure records can be accessed as needed.
• Protect security-designated information.
• Follow closure and disposition procedures.

Records management system managers and administrators

• Support users.
• Issue guidance and provide training.
• Monitor proper functioning of records management systems.
• Create and maintain security rights
• Ensure records management systems stay in line with developments in best practice.
• Administer the records management and registry systems.