IG03: Information & Records Management Policy
This policy outlines the principles of efficient and effective management of its records to support its core functions and activities and to comply with its legal and regulatory obligations.
- The University recognises that efficient and effective management of its records is necessary to support its core functions and activities, to comply with its legal and regulatory obligations and to contribute to the effective overall management of the institution.
- This Policy applies to everyone who has a contractual relationship with the University and makes provision for how records (and the data and information they contain) are managed at the University of Warwick. The Policy sets out six principles for the management of information and records at the University throughout their lifecycles: 1. the record is accurate, 2. can be accessed, 3. can be interpreted, 4. can be trusted, 5. can be maintained throughout time, and 6. is valued. It also sets out considerations of content, capture and control of records; their classification, digitisation, preservation and disposal.
- All systems processing digital records must be designed and implemented to ensure that the six Records Management principles and the provisions of the Information Management Framework are adhered to for the entire lifecycle of the record. Those creating and/or storing records must ensure that adequate controls are in place to protect records from unauthorised access, disclosure or alteration. Information Asset Owners (IAOs) are responsible for ensuring that risks to the digital continuity of information assets within their remit are appropriately managed.
- Compliance with this policy will be monitored on an ongoing basis, with a focus on: breaches to this policy, exemption requests and the granting of exemptions. Compliance performance will be reported by Information Asset Owners monthly to the University Information Management Committee. A failure to comply with this policy will be deemed to be a disciplinary offence, and will be subject to the University Information Management Executive Committee escalation process (see link above) and may lead to proceedings being taken through the University Disciplinary Process.
Policy Introduction and Purpose
The University recognises that efficient and effective management of its records is necessary to support its core functions and activities, to comply with its legal and regulatory obligations and to contribute to the effective overall management of the institution.
The University of Warwick Information & Records Management Policy sets out the principles that support the University in discharging its records management obligations. These legal obligations include, but are not limited to, the: Freedom of Information Act 2000, the Environmental Information Regulations 2004, the General Data Protection Regulation 2016, the Data Protection Act 2018 in addition to the University’s own regulations. The policy is supported by the guidance that the University maintains on its Information and Records Management web page.
Scope and Definitions
This Policy applies to everyone who has a contractual relationship with the University including all employees (both full-time and part-time across all grades) and those engaged via the Variable Monthly Staff (VAM) Payroll and Unitemps/other agency contracts. It also includes visiting professors, consultants/self-employed carrying out roles which if carried out by an employee would require disclosure. For purposes of this Policy we will refer to everyone covered as “staff”.
This policy makes provision for how records (and the data and information they contain) are managed at the University of Warwick. The terms data and information have a wide variety of uses and are defined in numerous different ways across society and it is therefore not within the scope of this policy to invent potentially limiting definitions for these areas.
A glossary of the terms used throughout the Policy can be found in Document IM03 – Glossary of Terms for Information Management. This policy sits within the Information Management Policy Framework and should be read in conjunction with the over-arching policies IM01 – Information Management Policy of Policies and IM02 – Information Management Training Policy.
To aid with the management of data and information as records at the University, this policy provides a definition of a record and makes provision for its lifecycle management. The policy adheres to the definition of a record as set out in ISO BS 15489:1 2016 (Information and documentation – Records Management). This standard defines a record as: 'information created, received and maintained as evidence and as an asset by an organisation or person, in pursuit of legal obligations or in the transaction of business'.
ISO BS 15489:1-2016 also sets out that ‘Records, regardless of form or structure, should possess the characteristics of authenticity, reliability, integrity and useability to be considered authoritative evidence of business events or transactions and to fully meet the requirements of the business’. To these ends, this policy sets out six principles that make provision for the management of records throughout their lifecycle with the aim of ensuring that a consistent approach is taken to their administration at the University.
Digital Strategy Group representative
Head of Department
Chief Information and Digital Officer
University Information Management Committee representative
Principles of this Policy
- The University has adopted six principles for the management of records at the University of Warwick, these are:
Principle 1 - The record is accurate: The University has the information that is needed to form a reconstruction of activities or transactions that have taken place.
Principle 2 - The record can be accessed: Information can be located and accessed by those with the authority to do so and the authoritative version is identifiable where multiple versions exist.
Principle 3 - The record can be interpreted: The context of the record can be established: who created the document and when, during which business process, and how the record is related to other records.
Principle 4: The record can be trusted: the record reliably represents the information that was actually used in or created by the business process, and its integrity and authenticity can be demonstrated.
Principle 5 - The record can be maintained through time: the structural integrity of the record can be maintained for as long as the record is needed, perhaps permanently (and in line with the provisions of the University Records Retention Schedule despite changes of format.
Principle 6 - The record is valued: the record is understood to be an information asset and provision is made to ensure that the principles of accuracy, accessibility, interpretation, trustworthiness and (physical/digital) continuity are upheld throughout its lifecycle.
- The University must maintain an Information & Records Management Policy that enables it to adhere to a number of legal requirements around the public’s right of access to:
- The recorded information held by the University under the Freedom of Information Act 2000.
- Environmental Information under the Environmental Information Regulations 2004.
- A data subject’s own personal data under the General Data Protection Regulations 2016 and the Data Protection Act 2018.
- Access in line with the provisions of any other legislation that provides a right of access to information.
(In each case access is granted unless an exemption applies under each of these access regimes.)
This means that: email correspondence, physical documents, electronic documents (digitised/born digital), microfiche, sound and audio visual records (this list is not exhaustive) could be in scope of an information access regime (each access regime has specific requirements of what is in scope of its provisions).
- All data, information and records created, or held at the University must be managed in line with the provisions of the Information Management Framework of which the policy forms a part.
- The information you create is representing the University and therefore its content must be in line with the University’s vision and values.
Capture and control of records
- All digital records created or received during the course of University business must be adequately maintained during their lifecycles at the University within established and approved University information systems. (If there is uncertainty about the use of any information system then ensure this is clarified before its use with University IT Services.
- Digital records must be captured within a University information system as soon as possible after creation so that they are readily available to support the University's business.
- If digital records are taken out of record-keeping systems (e.g. printed) they must be managed in accordance with the Information Classification Policy (IG05).
- All systems processing digital records must be designed and implemented to ensure that the six Records Management principles and the provisions of the Information Management Framework are adhered to for the entire lifecycle of the record. Where a records system is being replaced or superseded by another system the records management principles and the wider information management framework must be adhered to. Where a records system is to be decommissioned, provision must be made for maintenance or transfer of the records so that they remain accessible for the required retention period.
- All physical records created or received during the course of University business must be maintained in accordance with the Information Classification Policy (IG05) and Information Handling Policy (IS04).
- Guidance on the storage of physical records is set out on the University’s Information and Records Management web page.
- Emails may contain actions and decisions and must be managed as effectively as other digital information. Email messages that need to be seen by others for business reasons should be stored in a shared University Information system with the appropriate access controls in place to ensure that only those who are authorised to see them have access. This process helps ensure that the information emails contain can be located and retrieved and regularly reviewed and deleted when that is the appropriate action.
- Email retention considerations should be determined by the subject matter the email contains and with reference to the University Records Retention Schedule.
- Vital records are records which are essential to the University in order to continue with its business-critical functions both during, and after a disaster.
- Vital records must be stored on a University managed server, so that they are protected by appropriate back-up and disaster recovery procedures. Vital records that are only available in physical format should be digitised (where possible) or duplicated and the originals and copies stored in separate locations. (The duplicates should be clearly marked as a copy of an original record.) If, however, duplication is impracticable or legally unacceptable, fire protection safes must be used to protect the documents.
- Vital records must be identified by Information Asset Owners, and it is their responsibility to ensure appropriate action is taken to comply with paragraph (9) of this policy
Classification, storage and handling of records
- To ensure that the core principles of records management are adhered to, all University information must be classified, stored and handled in accordance with the University’s Information Classification Policy (IG05).
- All records require storage conditions and handling processes that take into account their specific properties. The University will produce and maintain guidance on the storage of records on its Information and Records Management web pages.
- In instances where digitisation is considered by the University then all processes associated with this activity must adhere to the Information Handling Policy (IS04) and Information Classification Policy (IG05) and the provisions of the University’s guidance in relation to the digitisation of records.
- If the original physical record is to be destroyed post-digitisation then the digitised rendering needs to be able to be managed as the authoritative record throughout its lifecycle and disposed of, or preserved, in line with the provisions of the University’s Records Retention Schedule.
- If you have any doubt if any original physical document may have historical or preservation value you must consult with archivists at the Modern Records Centre to determine whether or not the physical record is considered to have historical or preservation value before it is destroyed. (Whilst in certain instances digitisation might help reduce physical storage space requirements through the disposal of the hard copy record, on other occasions it may not be appropriate to destroy the original post digitisation. An example of this might be where the record has intrinsic value (e.g. historical) in its original physical format or the digitised image is not able to be relied on as the authoritative records.
- The University has a specific policy related to Digital Preservation – Digital Preservation Policy (IG04).
Access to records
- The Content Considerations section of this policy sets out the main access regimes that apply to University records. In terms of internal access to records then in each case it must be for a valid and authorised business reason.
- Those creating and or storing records must ensure that adequate controls are in place to protect records from unauthorised access, disclosure, alteration and destruction and that they are managed in line with the Information Management Framework.
- Digital Continuity is the ability to use digital information in the way that the University needs, for as long as needed in line with the University Record Retention Schedule (RRS). If the University does not actively work to ensure Digital Continuity, information can easily become unusable. Digital Continuity is about making sure that information is complete, available and therefore usable for business needs.
- Defining Digital Continuity requirements means establishing what digital information an Information Asset Owner (IAO) is responsible for, what needs to be retained and how the organisation will need to use it, over time and through change.
- Information Asset Owners (IAOs) are responsible for ensuring that risks to the Digital Continuity of information assets within their remit are appropriately managed.
- Once an IAO understands how the University needs to use a digital information asset, they need to ensure that the technical environment and the way information is managed continues to support this use. Digital Continuity supports the six records management principles this policy establishes and is achieved when business requirements, technical environments and information assets support one another.
Disposal of records
When a record reaches the end of its retention period, a decision must be taken on its disposal, with the three possible outcomes:
- Preservation / Transfer to University Modern Records Centre
- The University manages the lifecycle of its records in line with its University’s Records Retention Schedule (RRS). The RRS is a tool that transparently demonstrates to third parties (e.g. via the publication of the RRS on the internet) how the organisation complies with some of its data protection obligations by making provision for the time periods for which common types of records are retained by the University.
- The IAO is responsible for ensuring that records are destroyed or preserved in a timely and secure manner, and that senior staff within the relevant department are aware that the destruction or preservation is taking place. In the case of destruction being the course of action, all copies held in any format must be destroyed at the same time.
- The RRS is a living document and is subject to ongoing review and development at the University. If on accessing the RRS it is found that the schedule does not make provision for a type of record, then this should be brought to the attention of the University's Records Management Advisor to consider its potential inclusion in the RRS.
- The act of disposing of a record must be carried out in line with the provisions of the University's Information Classification Policy (IG05) and the Information Handling Policy (IS04) with special consideration given to records that contain sensitive information or personal data, or are marked as Protected or Restricted. Disposal of records without due care and attention to these procedures’ risks causing harm and distress to individuals and reputational damage and significant fines to the University, and maybe deemed to be a breach of this policy.
Preservation of records
- The RRS also makes provision for the selection and preservation for certain categories of record created in any format at the University to be transferred to the Modern Records Centre and therein preserved. These records form part of the University's archive for historical research purposes and are the enduring record of its functions and activities. The University has a specific policy related to Digital Preservation (IG04).
‘Exemption requests’ under this policy must be submitted to the CIDO or their designate. Exemptions to this policy may only be granted by the CIDO or their designate. Activities that have received prior approval by the Research Ethics Committee will be exempt, but the CIDO must be notified.
This policy may have an impact on users of assistive technology or assistive software due to their disability. These individual cases will be considered on a case by case basis.
Compliance to this policy will be monitored on an ongoing basis. The compliance focus will be on:
- Breaches to this policy
- Exemption requests and granting of exemptions
Compliance performance will be reported by Information Asset Owners monthly to the University Information Management Committee
A failure to comply with this policy will be deemed to be a disciplinary offence, and will be subject to the University Information Management Executive Committee escalation process (see link above) and may lead to proceedings being taken through the University Disciplinary Process.
Data Protection Officerinfocompliance@warwick.ac.uk
The University of Warwick
Coventry CV4 8UW