Records management policy
|Last review date||August 2021|
|Review changes||August 2021|
(also replaces previous GDPR Policy - see also Data Protection Policy)
This policy will be reviewed within three years and earlier if appropriate. This policy will be made readily available on the Council's intranet service to ensure that it is easily accessible.
This Records Management Policy sets out Great Yarmouth Borough Council's commitment to ensuring a systematic, lawful and authorised way of maintaining, storing, sharing, disposing and otherwise processing all its records.
This policy is in place in accordance with recommendations in the Information Commissioner's Section 46 Records Management Code of Practice which sets out Guidance for public authorities. This policy recognises that Council information and records are key corporate assets.
Retention guidelines are an important part of records management based on relevant legislation (including the Limitation Act 1980 and subject specific statutes, e.g. Health and Safety at Work Act 1974), good practice and business need. Great Yarmouth Borough Council regularly reviews its retention guidelines in consideration of the Records Management Society of Great Britain.
Adherence to this policy will ensure that records are accurate, reliable and accessible and will further ensure that the necessary processes are in place to:
- ensure we operate effectively as a local council
- ensure we are compliant with data protection legislation (defined at paragraph 3) and all other applicable legislation
- provide an open and transparent service
- carry out our business in a systematic, consistent and organised manner
- ensure data is stored securely and kept for no longer than is necessary
- carry out disposal in an authorised and appropriate manner
- ensure cost effectiveness is considered
- provide an audit trail to meet business, regulatory and legal requirements
This Records Management Policy has been produced to assist officers within Great Yarmouth Borough Council with the management, retention, storage, sharing and disposal of Council records.
This policy applies to Council records in all formats, including online, paper, microfiche and any historically created record format (e.g. card or register).
This policy applies to:
- all staff (including temporary and permanent employees, agency and casual staff)
- elected members
- third parties processing data on behalf of the Council, including contracted suppliers or partners
Statutory and regulatory environment
- Data protection legislation: UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 and all implementing/updating legislation
- Freedom of Information Act 2000
- The Privacy and Electronic Communications (EC Directive) Regulations 2003
- Section 46 Code of Practice - The Information Commissioner's Office
- The Environmental Information Regulations 2004
- Planning Advisory Service guide to planning and GDPR June 2021
Personal data means 'any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified directly or indirectly, in particular by reference to an identifier such as name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person'.
Sensitive personal data
Sensitive personal data means 'personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation shall be prohibited'.
Non-personal data means data from which an individual is not identified or identifiable. Fully anonymised data which fulfils this description will also be non-personal data.
Records and documents apply to Council records in all formats, including electronic, online, paper, microfiche, photographic and any historically created record format (e.g. card or register). This applies to personal data, sensitive personal data and non-personal data.
Data protection legislation
Data protection legislation means the Data Protection Act 2018, the UK General Data Protection Regulation and any national implementing laws and secondary legislation, as amended or updated from time to time, in the United Kingdom, and any other successor legislation and all other applicable data protection law.
Record management responsibilities are provided across the Council as set out below:
|Senior Information Risk Officer (SIRO)||The SIRO is responsible for overall risk management of records.|
|Data Protection Officer||The DPO liaises with the ICO, as required, and oversees compliance with data protection legislation. Where the DPO is not available/not working, refer to the Corporate Services Manager.|
|Heads of Services - Information Asset Owners||The Directors/Heads of Service are the Information Asset Owners (IAOs) for their services. They oversee delegated responsibilities.|
All employees, contractors, third parties and partners who process Council records have a role in ensuring good records management of Council data, and in complying with this policy.
In compliance with data protection legislation, personal data will be retained for 'no longer than is necessary for the purposes for which the personal data are processed'. To determine what has been deemed necessary, please refer to the Retention Guidelines that are appended to this policy. The Retention Guidelines provide details of all the Council's records, both personal and non-personal data.
Retention periods have been set in accordance with primary or secondary legislation or, where there is not a legal requirement, they have been set in accordance with business need or good practice.
As a local authority we may also identify a need to retain documents of historical value.
Where records are authorised for destruction they should be destroyed in accordance with paragraph nine.
Standard operating procedure
Standard operating procedure records do not ordinarily need to be kept and can be destroyed in line with the disposal guidelines below.
Standard operating procedure records can include:
- working papers leading to a final report
- out of date distribution lists
- telephone message slips
- trivial emails
- compliment slips
This is a non-exhaustive list.
Council documents, which are not standard operating procedure records, will be retained in accordance with the Council's retention schedules.
Where you have scanned original copies of documents and we do not need to keep an original copy you must ensure that the scanned copy is clear and legible prior to disposal. In some circumstances, an original copy will need to be safely and securely stored. The Inland Revenue and Customs and Revenues prescribe the retention of original paperwork in some circumstances. Law Society guidance also provides information on the retention of some original documentation, such as deeds or guarantees.
Service managers are responsible for:
- ensuring that scanned documents are legible and provide a true copy of the original
- ensuring that scanned documents are retained in accordance with the document retention schedules
- ensuring that scanned documents can be located and retrieved promptly when required for:
  - operational purposes
  - a subject access request or other exercise of a data subject's rights under data protection legislation
  - a request under the Freedom of Information Act 2000
  - legal proceedings
Document retention and disposal protocol
Each Head of Service is the assigned Information Asset Owner. They must ensure that they have in place an adequate system for documenting the retention of records within their service. This system should take into account the legislative and regulatory environment in which they work.
Records of each activity should be complete and accurate enough to allow employees and their successors to undertake appropriate actions in the context of their responsibilities to:
- facilitate an audit or examination by those authorised to do so
- protect the rights of the Council, its residents, contractors and clients and any other persons affected by its actions
- provide authenticity of the records so that the evidence derived from them is shown to be credible and authoritative
To facilitate the above, the following principles should be adopted:
- Records created and maintained should be arranged in a record keeping system ensuring ownership of these records that will enable the Council to obtain the benefit from the quick and easy retrieval of information.
- Record systems utilised within services, whether paper or electronic, should include a set of rules for referencing, titling, indexing, and if appropriate, security marking documents and records. These should be easily understood and enable the efficient retrieval of information.
- The movement and location of records should be controlled to ensure that a record can easily be retrieved at any time and that any outstanding issues can be dealt with, and that there is an auditable trail of record transactions.
- Storage accommodation for current records should be clean and systematic, to prevent damage to the records and to ensure accessibility. Equipment used for current records should provide storage that is safe from unauthorised access and meets fire regulations, while allowing maximum accessibility to authorised officers when required.
- Documents that are no longer required for operational purposes but still require retention should preferably be placed in a designated records centre.
- Services should ensure that a contingency or recovery plan is in place to provide protection for records, which are vital to the continued functioning of the Council.
- A system should be in place to ensure that, where a member of staff leaves, changes role, or is absent, records remain accessible to those who will require access. Information Asset Owners should ensure that a suitable system is in place.
The Council holds records in a variety of formats, including electronic, paper, microfiche and video recording formats, all of which will be stored in a suitable manner taking account of the type of record.
Paper documentation will be stored appropriately according to the level of security required. The Council office has controlled access, which provides security for all on-site Council documentation. Furthermore, the Council runs a Clear Desk Policy.
Risks will be considered and personal or sensitive data will have the appropriate additional security measures, which may include storing personal data in a lockable cabinet, in a lockable drawer or in a secure archiving storage facility.
A back-up of all electronic Council data is kept in accordance with the Council's IT Back-up Policy. The Council has robust electronic information security and technical measures in place which are regularly reviewed and updated.
The following issues must be considered when storing documents electronically:
Steps to consider
Who has access to the personal data, sensitive personal data or confidential documentation?
Ensure that access is controlled and limited to only those who need access.
Ensure that, should you be absent or leave your role, the records do not become inaccessible.
What technical and security measures are in place?
Ensure that there are sufficient technical and security measures in place to prevent a breach.
Where data is transferred to another organisation, we must take steps to ensure the safety of the records during the transportation or transmission process. This should include:
- password protection - the password should, wherever possible, be conveyed via a different medium; for example, do not email password details and then also email the password protected data
- the use of secure email servers
- minimisation of personal/sensitive personal data to what is needed only
- sending data by secure online portals with limited access
Where the Council has contracted a third-party supplier to process Council data on its behalf, we must take steps to ensure that the data processor complies with security and technical measures to protect this document in line with data protection legislation. These steps include relevant clauses being inserted into our contracts as required under Article 28 UK General Data Protection Regulation. You will also need to undertake due diligence by asking appropriate questions regarding security and technical measures taken where suppliers will be processing Council personal data.
An example of data processors may be where we contract a third party to provide and administer an IT system to our instruction on which we store our customers' personal data.
Systematic data sharing with data controllers
Where we share personal data systematically with other data controllers, we should have a data sharing agreement in place which sets out the details of the data sharing. Where we share personal data, we will ensure we are compliant with data protection legislation.
Some examples of where we may require a data sharing agreement include where we share personal data with another local authority for election purposes, where we share data with a housing association, or where we share data to deliver the Neighbourhoods that Work project.
Where records have come to the end of their retention period and are to be destroyed, they must be destroyed appropriately.
Disposal should be authorised and systematic. This will involve ensuring that your team has a system in place for the regular review of documents which is authorised by a relevant manager or Head of Service. Where personal data or other non-personal but commercially sensitive data is destroyed, it will be safely and securely disposed of using confidential waste units.
Furthermore, in some cases, a record of this destruction should be made. To decide whether to record evidence of its destruction, there should be a consideration of:
- whether there is a business need to record the presence of those previous records
- an assessment of the risk should destruction of that particular record be questioned
The record could include the disposal class, a date range, confirmation that this disposal was authorised, and evidence/details of how the disposal occurred. The record of destruction should provide enough detail to identify which records have been destroyed but will not ordinarily contain personal data.
These measures are to safeguard against a proposition that records were eliminated to avoid disclosing them. Therefore, when appropriate, destruction should be documented in line with legislation and appropriate authorisation.
As a local authority, we have an obligation to have a robust back-up system to ensure electronic data which we need to retain is not lost. Please see the IT Back-up Policy for more details.
Disposal of records
When disposing of records the following steps must be considered:
Has disposal been authorised?
Ensure that the disposal has been authorised and that it is done in compliance with the Retention Guidelines, and that an exception does not apply (e.g. there is a legal case or complaint pending).
Is retention required to fulfil legislation or regulatory requirements?
Consider primary and secondary legislation and good practice guidance.
Is there a current, or potential, dispute or legal challenge?
Our decisions regarding retention will ordinarily take account of the Limitation Act. If there is any ongoing legal case or other dispute, or a potential for one, then we should ensure this data is retained.
Do the records contain any personal data, sensitive personal data or confidential data?
If yes, ensure safe destruction by shredding or in confidential waste bins. Failure to adhere to this will breach data protection legislation.
We must ensure that destroyed data is 'virtually impossible to retrieve'.
Do we need to keep a record of the documentation destroyed?
Consider this in line with Appropriate disposal above.
 Code of Practice on Records Management issued under s46 Freedom of Information Act 2000; The National Archives, Record Management Policy - Guide