Information Governance
Records Management Policy
On this page:
- Introduction and scope
- Why is records management important?
- Roles & Responsibilities
- Training, Awareness & Ownership
- Record Keeping
- Retention & Disposal
- Record of Processing Activities
- Data Quality
- Access Control & Security
- Key Legislation/Further Reading
1. Introduction & Scope
Pembrokeshire County Council (‘the Council’) recognises that its records are an important public and corporate asset, and are a key resource required for effective operation and accountability.
Article 5 of the UK General Data Protection Regulations (UK GDPR) and Part 4 (Chapter 2) of the Data Protection Act 2018 set out the key principles which lie at the heart of the data protection regime:
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimisation
- Accuracy
- Storage limitation
- Integrity and confidentiality (security)
- Accountability
Full definitions of the principles (opens in a new tab).
These principles lie at the heart of the UK GDPR and the Data Protection Act 2018. They are set out right at the start of the legislation, and inform everything that follows. They do not give rigid rules, but rather embody the spirit of the data protection regime. Compliance with the spirit of these key principles is therefore a fundamental building block for good data protection practice and records management.
Failure to comply with the principles of the UK GDPR and the Data Protection Act 2018 may leave the Council open to substantial fines. Infringements of the basic principles for processing personal data are subject to the highest tier of administrative fines, which could mean a fine of up to £17.5 million, or 4% of the total worldwide annual turnover, whichever is higher.
This policy sets out the Council’s expectations and activities in relation to these responsibilities. This policy forms part of the framework for managing the Council’s records, to ensure that the Council creates and captures authentic, reliable and timely records and to demonstrate accountability and transparency in decision-making at all levels of Pembrokeshire County Council.
This policy applies to all employees, Members, contractors, agents and representatives, and temporary staff working for or on behalf of the Council. This policy should be read in conjunction with the Data Protection Policy, ICT Security Policy and Home Working Policy.
This policy applies to all the records created or held by the Council, in any format, however they are stored (e.g. IT system/database, cloud storage, electronic file storage, filing cabinet/shelving, Records Management Unit, Office 365 {including e-mail and Teams}).
This policy will be reviewed periodically.
2. Why is records management important?
The International Standards Organisation (ISO) defines ‘records’ as ‘Information created, received, and maintained as evidence and information by an organisation or person, in pursuance of legal obligations or in the transaction of business’. Records can be in any format including, but not limited to, physical, digital and audio-visual.
Records management is an established theory and methodology for ensuring the systematic management of all records and the information they contain throughout their lifecycle. The guiding principle of records management is to ensure that information is available when and where it is needed, in an organised and efficient manner, and in a well-maintained environment. The Public Services Ombudsman for Wales has produced guidance in relation to records management – Good Records Management Matters (opens in a new tab).
Good records management supports good data governance and data protection, and is an essential part of delivering high quality public services. It is also vital to allow the Council to meet its statutory obligations under Data Protection, Freedom of Information and Environmental Information Regulations legislation.
Wider benefits include:
- the ability to locate and retrieve information easily within statutory timescales or to explain why it is not held
- supporting compliance with other legislation and rules (e.g. United Kingdom General Data Protection Regulation {UK GDPR}, Data Protection Act {DPA} 2018, the Freedom of Information Act {FOIA) and the Environmental Information Regulations {EIR})
- enabling the more effective use of resources (e.g. disposing of records that are no longer required frees up space within buildings and information systems and saves staff time searching for information that may no longer be there)
Some of the consequences of poor records management include:
- poor decisions based on inadequate or incomplete information
- failure to handle information securely potentially resulting in non-compliance with legislation which could lead to financial loss and/or reputational damage
- increased costs and inefficiencies (e.g. wasted staff time) because records are being kept for longer than they are required
Taken together, these benefits and risks provide good reasons to ensure that effective records management is in place. This policy will help provide the necessary building blocks for effective records management.
3. Roles & Responsibilities
The Council provides statutory services, including regulatory activities, and discretionary services to individuals and organisations. The Council consists of Directorates, which are divided into Services, and these Services are further split into Teams. Each member of a Service/Team will be responsible for particular activities and will generate records of their actions.
Records may be recorded in physical files, on digital systems or in audio-visual format – the Council’s preference is for records to be maintained digitally wherever possible. Recording systems must also take into account the legal and regulatory environment specific to the Services area of work. Records should be referenced and maintained in a manner which facilitates immediate retrieval. All records should be treated with proper regard, and the authenticity and integrity of the record should be maintained at all times. Records which include personal data should be treated with great care as unauthorised disclosure of personal data could have damaging consequences for individuals and the Council.
Specific roles and responsibilities include:
- The Council has a corporate responsibility to maintain its records and record-keeping systems in accordance with legislative requirements with particular emphasis on preventing unauthorised disclosure of personal data.
- Directorates are responsible for establishing processes for the collection of information and the retention of that information relevant to the services it provides.
- Senior Information Risk Owner (SIRO) is the officer who is ultimately accountable for information governance at the Council. The SIRO champions information governance for the organisation.
- Information Asset Owners are Directors/Heads of Service/Corporate Managers and they are responsible for all information processed within their service. They are responsible for the management of their records in accordance with this policy and they need to understand what information and records are held, how they are used and transferred, who has access to them and why, to ensure compliance with legislation and minimise the level of risk. They are responsible for ensuring that all staff in their service are aware of, and practice, good records management.
- Data Protection Officer (DPO) assists the Council to monitor internal compliance with the UK GDPR and other data protection laws (and with the Council’s data protection polices), informs and advises on data protection obligations, provides advice regarding Data Protection Impact Assessments (DPIAs) and acts as a contact point for data subjects and the Information Commissioner’s Office (ICO). Under the UK GDPR, the Council (as a public authority) must appoint a Data Protection Officer.
- Senior Information Governance Officer will co-ordinate activities, such as overseeing maintenance of the corporate retention schedule and the strategic running of the Records Management Unit (RMU) in Withybush.
- Chief Information Security Officer (CISO) and the IT Department are responsible for establishing and maintaining the Authority’s information and data security policies and procedures which are designed to hold records securely, ensure back-ups are taken, and protect data and information from internal and external threats.
- Caldicott Guardian is a senior person responsible for protecting the confidentiality of people’s health and care information and making sure it is used properly. All local authorities which provide social services must have a Caldicott Guardian.
- All Council employees will be responsible for creating clear, concise, accurate records and maintaining those records in relation to their work activities in a manner that facilitates retrieval when required or for sharing with relevant bodies. All Council employees must be aware of their obligations in respect of the filing, retention and disposal of records.
- Records Management Unit (RMU) provides direction for records management. Once the immediate relevance of the record has passed, physical records should be sent to the RMU for storage until the expiry of the retention period. RMU responsibilities include ensuring:
- Records are maintained in a secure environment with good conditions for their physical preservation and storage
- Records are kept securely and protected from accidental or deliberate loss or destruction
- Records are accessible to officers to support them in making informed and proper judgments in the course of their work, and to assist them when responding to requests for information
- Records are kept in accordance with the schedules drawn up for their retention, having regard to legal requirements and recognised good practice, and are safely disposed of after the expiry of their retention period in accordance with legal and regulatory obligations
- Pembrokeshire Archives is the place for the deposit of Public Records in Pembrokeshire, and will take custody of records deemed worthy of permanent preservation.
4. Training, Awareness & Ownership
Managers will ensure that staff responsible for managing records are appropriately trained and that all staff understand the need for records management. To assist with this, the Council offers a wide range of training to employees on records management and data protection, as follows.
All members of staff are required to complete an induction with their line manager on day one of employment. The induction states that in the first week, both the Records Management Policy and Data Protection Policy need to be read and understood.
All employees are required to undertake the mandatory Data Protection Essentials e-learning module on an annual basis to ensure they are aware of their obligations under the statutory right to information (i.e. Data Protection, Freedom of Information and Environment Information Regulations) and records management.
The Council also provides bitesize videos to employees periodically throughout the year in relation to records management, data protection, and cyber security. These videos are provided by an external provider, Metacompliance.
Employees working within the Information Governance teams (Records Management, Data Protection, Subject Access, Freedom of Information) are appropriately qualified/experienced and are subject to regular refresher training.
5. Record Keeping
All Council employees are involved in creating, maintaining and using records and it is important that everyone understands how records are produced and retained in their service area. All records created and received by Pembrokeshire County Council are the property of the Council and must not be used for any activity or purpose other than the Council’s official business. All Council employees should understand their records management responsibilities as set out in this policy.
Records should be named and stored in a consistent manner clearly setting out the year, month, day and title of the document (e.g. 20220401 Records Management Policy).
Records are to be retained securely, and should be maintained and preserved for as long as they are required to provide access to them as necessary to support the Council’s operations, fulfil its statutory obligations and contractual obligations.
Relevant records must be saved to the most appropriate primary record/file structure (e.g. Electronic Document Management {EDM}) and should not be stored in employee’s personal PCC e-mails/folders/drives/hard drives or in their own personal non PCC e-mails/folders/drives/hard drives. This is important to ensure records are accurate, up to date, and always available to all relevant employees. Record keeping includes and incorporates the recording of meetings. All formal meetings of the Council are webcast and minutes are published. Employees are responsible for ensuring all other informal meetings are also documented via minutes/note taking/action points at the time of the event.
The use of e-mail is convenient and allows a large audience to be reached in seconds. However, this brings challenges and employees should bear in mind that e-mail systems are not record keeping systems, and messages should only be stored short-term within the e-mail system.
The vast majority of e-mails (such as internal announcements and newsletters, replies to meeting requests and where the recipient has been copied for information etc) do not need to be kept for the long term and these should be regularly deleted. However, some e-mails serve as Council records and it is important that these are stored accordingly in the appropriate primary record/file structure outside the e-mail system. Retaining important records within personal mailboxes disconnects it from other related information, makes it less accessible to the wider organisation, and makes it more susceptible to being lost. E-mail records need to be managed appropriately just like any other record and should be saved to the appropriate primary record/file structure as soon as possible so that records are accurate and up to date with all information stored in one location.
Whilst managing emails can prove time consuming and may be regarded by many as an imposition, a consistent organisation wide approach is needed to ensure good records management and that corporate e-mail records are not lost. The Data Protection Act also requires that personal data should not be kept for longer than is necessary so e-mails containing personal information should not be retained indefinitely.
Some tips to consider to manage your e-mails more efficiently are included at Appendix A.
Microsoft Teams
Microsoft Teams is a collaboration platform with document sharing, online meetings and chat facility which has seen a significant rise in usage with the shift to more agile ways of working. Any documents shared via Microsoft Teams should be stored accordingly in the appropriate primary record/file structure outside of Microsoft Teams.
Any information or documents stored in Microsoft Teams would be considered as records and as such would need to comply with the guidelines set out in this Records Management Policy. Information or documents stored in Microsoft Teams may be subject to FOI or Subject Access Requests. The volume of personal data or sensitive/confidential information attached in Microsoft Teams should be kept to a minimum.
Some tips to consider when communicating using Microsoft Teams are included at Appendix B.
Non-Corporate Communications Channels
Technological changes (new messaging apps, platforms and channels developing over time) and the shift to more agile ways of working means that the use of non-corporate communications channels (e.g. WhatsApp, Twitter, Facebook messenger, text messages) for official business is an issue that has arisen across a range of sectors. The IT team ensure relevant individuals can access official IT systems and equipment, which should mean that they do not need to use non-corporate channels in order to undertake their roles.
As far as reasonably practicable corporate channels should always be used for official business. Where this is not possible for whatever reason, arrangements to store official Council related business on the corporate systems should be made as quickly as possible.
The use of non-corporate communication channels creates a number of risks and potential challenges for records management. For example:
- Such channels often have limited search functionality.
- The retention and deletion periods on such channels are unlikely to align with those of official systems. In particular, there is a risk of information on non-corporate channels only being held for a limited time or messages being auto deleted.
- Such channels often have limited ability to export information to official systems or to create records which can be transferred onto official systems.
- Access to the information may be limited to one individual or a small group, but there could be a business need for such information to be more widely available.
- If an individual leaves the organisation or moves roles, access to official information held in non-corporate communications channels can be lost.
- The use of such channels for communicating official information may make it more difficult for the Council to meet its obligations under data protection law.
Non-corporate communications channels may sometimes be used to exchange information about emergency or fast-developing, high-profile events. However, the Council’s role in such events may subsequently be subject to external scrutiny, such as an inquiry, inquest or investigation. It is therefore important to be aware of the importance of capturing official information contained on non-corporate channels about such events for the purposes of future scrutiny. In the rare circumstances where non-corporate communications channels are used for official business the mitigating measures below should be implemented.
- If a private e-mail is used for public authority business then a Council e-mail address should be copied in to ensure the completeness of the Council’s records.
- Anyone using non-corporate communications channels needs to understand how to transfer or export information from the messaging app or platform onto official systems.
It is important that such transfers or exports of information take place frequently. The frequency of the transfer depends upon the content and context of information,
- including how often an individual is using a particular non-corporate channel. However, transfers should certainly take place when key decisions are taken, or when an individual moves roles.
- Transferred or exported information should be placed on an official system with an appropriate retention period.
- Individuals should be aware of the potential for a private conversation on non-corporate channels ‘drifting’ into a discussion about official matters. For example, a discussion about a social event drifting into a discussion about a work meeting. At the point that the discussion becomes about official business, official communication channels should be used (or at the very minimum, the official part of the conversation should be forwarded to an official system).
- If instant messaging services are used, then auto-delete options should be in line with the retention policies of official systems.
- When an individual leaves the Council, any official information they hold on non-corporate channels must be transferred to an official system.
Recorded information individuals hold in non-corporate communications channels which relates to the business of the Council, is likely to be held on behalf of the Council and so is also subject to FOI. Individuals may be asked to search their accounts and/or devices, if it is determined that their personal email account, messaging accounts or personal mobile device may include information which falls within the scope of a FOI request.
Erasing, destroying or concealing information with the intention of preventing its disclosure following receipt of a FOI request is a criminal offence. This offence can apply to both a public authority and to any person who is employed by, is an officer of, or is subject to the direction of the Council. For example, where information that a request covers is knowingly treated as not held because it is in a non-corporate communications channel, this may count as concealment intended to prevent the disclosure of information. The person concealing the information may be liable to prosecution.
6. Retention & Disposal
Retention of Records
Records should not be retained for longer than is necessary. Ensuring records are disposed of when they are no longer required will reduce the risk of them becoming irrelevant, excessive, inaccurate or out of date. It is inefficient to hold records for longer than is needed, and there may be unnecessary costs associated with storage and security. The risk of data breaches increases where more data is held than is necessary (e.g. records linked to incorrect files/data subjects or shared with another body/party in error). The Council must also respond to Subject Access Requests, Freedom of Information requests, and Environmental Information Regulations requests and this will be more difficult if records are held for longer than needed. It is therefore important that the Council has good practice around storage limitation with clear policies on retention periods and erasure.
Information Asset Owners are responsible for setting retention schedules for their service areas setting out how long different types of information need to be kept (physical, digital and audio-visual), when they should be disposed of, and ensuring these are complied with. This should provide sufficient information to identify all records. When setting retention periods, Information Asset Owners should consider:
- the stated purposes for processing the records. Records can be kept as long as the purpose still applies, but should not keep records indefinitely, ‘just in case’, or if there is only a small possibility that it will be used. Information Asset Owners should be able to justify how long they keep records.
- any legal or regulatory requirements. There are various legal requirements and professional guidelines about keeping certain types of records, such as information needed for income tax and audit purposes, or information on aspects of health and safety.
- any relevant industry standards or guidelines are considered. However, these do not guarantee compliance and Information Asset Owners must still be able to explain why those periods are justified, and keep them under review.
- whether there is a need to keep a record of a relationship with an individual once that relationship ends. There may need to be confirmation that the relationship existed, and that it has ended. If there is no need to identify individuals, then records could be anonymised so that identification is no longer possible.
The important thing to remember is that all retention deadlines should be justified.
Information Asset Owners will need to ensure retention schedules are documented, updated regularly, and made available to all members of staff within their service. All employees have responsibilities to make sure they adhere to the schedules and review records regularly. All records should be reviewed at the end of the set retention period, and should be disposed of or anonymised unless there is clear justification for keeping it longer.
For records held at the Records Management Unit, Information Asset Owners will be sent reminders when retention deadlines are imminent and the Information Asset Owner should give confirmation of their approval for these records to be disposed of, or advise what the next stage is. Non-compliance with this process will be escalated to the relevant Director, Chief Executive and/or the Senior Information Risk Owner (SIRO).
Individual service retention schedules are collated into an overarching Council Retention & Disposal Schedule.
Disposal of Records
When records are no longer required by the Council they should be securely destroyed. Destruction of records should not proceed without approval from the relevant Information Asset Owner. A record containing what has been destroyed, when it was destroyed, and the individual who authorised the destruction should be created.
Records should be destroyed securely. Physical records should be shredded and placed into confidential waste. Records stored digitally should be irretrievably deleted (not overwritten), including any back-ups, and deletions should be carried out by an officer with appropriate access to the system/drive from which the records are being deleted. When information is destroyed, all copies of the information should be destroyed at the same time (both digital and physical). Information cannot be considered to have been completely destroyed unless all copies have been destroyed.
7. Record of Processing Activities
Article 30 of the UK General Data Protection Regulation (UK GDPR) sets out the requirements for data controllers to maintain a record of processing activities (ROPA). The Council has a formal, documented, comprehensive and accurate ROPA based on a data mapping exercise. The ROPA is recorded on the Pentana Audit system.
The ROPA documents each of the Council’s processing activities along with key information, including:
- the purpose/nature of the processing
- whether the Council is a data controller, joint controller, or data processor
- a description of the categories of individuals and of personal data
- the categories of recipients of personal data
- details of transfers to third countries, and the relevant safeguards in place
- retention schedules
- a description of the technical and organisational security measures in place
- the location of the personal data
- the lawful basis for processing
Information Asset Owners will be asked to review the ROPA for their service on an annual basis to confirm it remains accurate and up to date.
Data controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. Pembrokeshire County Council is a data controller.
Data processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. For example, iTrent (who provide the Authority’s payroll system) would be a data processor for the Council.
8. Data Quality
Information Asset Owners should ensure procedures are in place within their service to make sure that records are accurate and up to date, adequate, and not excessive. This includes ensuring staff understand their responsibilities regarding data quality and ensuring records are accurate and up to date. Records should be reviewed and ‘weeded’ periodically (at least every 6 months) to reduce the risk of inaccuracies, duplication, and excessive retention.
9. Access Control & Security
The Council has an ICT Security Policy, Home Working Policy and Data Protection Policy which specifies the organisational practices that employees must follow.
Information Asset Owners are responsible for ensuring employees within their service abide by these policies, and that access to any records, be that as part of service systems or shared drives, are in accordance with these policies.
The Council has appropriate security measures in place to protect records that are in transit, records it receives, and records that are transferred to another organisation. Personal or confidential records transferred off site to another organisation should be kept to a minimum and where this does occur these records should be kept secure in transit. An appropriate form of transport/protection should be used such as encryption, password protection, or use of the Transfer 2 portal (more information on this can be obtained from the IT service).
10. Key Legislation/Further Reading
- Good Records Management Matters (opens in a new tab)
- United Kingdom General Data Protection Regulation (UK GDPR)
- Data Protection Act 2018 (opens in a new tab)
- ICO – Records Management and Security (opens in a new tab)
- Local Public Services Data Handling Guidelines (opens in a new tab)
- Records Management Society of Great Britain – Retention Guidelines for Local Authorities (opens in a new tab)
Appendix A – Tips to Manage E-mail Efficiently
- Saving emails that are records to the primary record/file structure
- If you have an email with an attachment, consider if you only need the accompanying document to be saved or if the email message is important to understand the context of the attachment. If you only need the attachment, save that document on its own to the primary record/file structure.
- If you need to save an email or an email with an attachment drag and drop the message to the primary record or open the message and click on File>Save As, ensuring the record is saved/named in accordance with this policy setting out the year, month, day and title of the document (e.g. 20220401 Records Management Policy). This way you ensure that the information is protected (IT Services regularly back up these locations) and you are maintaining the original format of the email, that is .msg. Once the email record has been safely saved to the primary record/file structure you can delete it from your inbox.
- Delete e-mails when no longer required – you should delete emails when they are no longer required for operational purposes and are not the primary or only version of a record that we are required to retain in line with the retention schedule. Users are able to restore deleted e-mails for 14 days after deletion via ‘Recover Deleted Items from Server’.
- Encrypt any confidential e-mails or e-mails containing personal data when sending them to a recipient external to PCC.
- Do not treat email as the default communication – a conversation in person, by telephone, or Teams may be more appropriate.
- Regularly clean out Sent & Deleted items folders – your Sent Items and Deleted Items folders contribute to your email account size. It is a good idea to regularly clean out your Sent Items of emails that are taking up valuable storage space by deleting or saving to the primary record/file structure. To empty your Deleted Items go to File>Cleanup Tools>Empty Deleted Items Folder. Even better, have your Deleted Items folder automatically empty every time that you exit your email account: go to File>Options>Advanced and under ‘Outlook start and exit’ check the box to Empty Deleted items folders when exiting Outlook.
- Limit use of .pst (Personal Folders) files – a .pst (Personal Folders) file is an Outlook data file used to store local copies of e-mails. Users sometimes archive e-mails in .pst files but while it may be convenient for the individual user, this does not support information sharing throughout the organisation or effective records management and may result in emails containing personal data being retained for longer than is appropriate. .Pst emails are also stored on the device, and loss of the device or corruption of the file will lead to loss of those emails.
Appendix B – Tips to Consider when Communicating Using Microsoft Teams
- External access to Teams should only be granted where required and once it has been approved by the Information Asset Owner.
- Don’t upload files to teams unless they need to be there.
- Access to any documents shared in Teams should be restricted to the least number of individuals possible.
- Don’t upload a file to Teams and then also e-mail everyone with the same document attached to let them know it has been uploaded to Teams.
- The volume of personal data and sensitive/confidential information attached in Teams should be kept to a minimum.
- Personal data should only be shared with other persons if there is a lawful basis to do so. If personal data is being shared on a regular basis a data sharing/data processing agreement should be put in place.
- Information recorded on Microsoft Teams is subject to FOI and SARs, and may have to be disclosed under this legislation. Always be mindful of what you record on Microsoft Teams. At all times be accurate in your recording, respectful of others, and record only what is necessary.
- When sending any communication via Microsoft Teams, make sure you select the correct recipient(s) to avoid any potential data breaches.
- Microsoft Teams posts and chats are retained permanently unless you take action to delete them.
- Teams related guides are available on the IT Self Service Portal.