Policy

Records management policy

  • Version 3
  • Effective date:
  • Date of next review:
  • Last updated:
  • Compliance and Risk
  • Email: complianceandrisk@cardiff.ac.uk

Purpose and scope

Cardiff University recognises that its records are a vital source of evidence and information which support its endeavours to become a world-leading, research-excellent, educationally outstanding university.

The purpose of this policy is to ensure that the University’s records:

  • are authentic, trustworthy and of good quality – containing sufficient, accurate and reliable information to meet its needs
  • are managed in an efficient and cost-effective manner
  • can be easily found, accessed and understood by those who need them

It also ensures that the University’s record keeping practices comply with legal and regulatory requirements including the Data Protection Act 2018.

This policy applies to all records created, captured, maintained, used or destroyed by Cardiff University in the course of its core activities of research, learning and teaching; and all supporting activities which it undertakes. This includes records held in digital and paper form. Records are defined as documents, information or data created, received and maintained as evidence and as an asset by the University in pursuit of its legal obligations or in the transaction of its activities.

Cardiff University’s records are owned by Cardiff University.

Policy

1. Records management principles

In line with the Information Security Classification and Handling Policy and Cardiff’s Data Strategy, we will:

1.1 Work collaboratively and exchange knowledge by ensuring our records are available to all who need them.

1.2 Consider the information and evidence that we need to capture when implementing a new system or changing a process so that our records are authoritative sources of truth.

1.3 Ensure that our records are authentic, trustworthy, and of good quality, containing sufficient, accurate, and reliable information to meet our needs.

1.4 Ensure our records are kept securely to best serve our applicants, students, staff, and research participants.

1.5 Ensure that the integrity of our records is properly maintained and accessible for as long as we need them.

1.6 Purge our systems in line with the University’s retention schedules.

1.7 Manage our records in the most efficient and cost-effective manner.

2. Record capture and creation

  • Records must be captured or created, with relevant content, sufficient contextual information, integrity and authenticity to meet the University’s needs for evidence and information, particularly where there are external legal or regulatory requirements.
  • Records must be created or captured in a durable form that will enable their accessibility to the University for the full length of their retention period.
  • Where records created or captured contain personal information this information must be relevant to their purpose and not excessive.
  • Where the University’s processes are changed, or new processes established, due consideration must be given to the University’s evidential and informational requirements. Records must be created or captured and maintained accordingly.
  • All persons engaged in University business are strongly encouraged to follow the University’s file naming principles and version control procedures.

3. Records maintenance

Whilst complying with the University Information Security Classification and Handling Policy and Cardiff’s Data Strategy:

  • Records must be categorised, handled and stored appropriately.
  • Suitable controls or record systems should be in place to protect the authenticity, reliability, integrity, and usability of records to ensure that the University’s evidential and information needs are met. These controls may include protection from unauthorised access or alteration; back up regimes and business classification schemes.
  • To enable knowledge sharing, business continuity and collaboration, records should be accessible to those who require access (whilst complying with the information classification and handling policy).
  • Storage locations for C1 and C2 records must be in line with the Information Classification and Handling Policy and protect records from unauthorised access, change, loss or destruction.
  • Records must be maintained to ensure accessibility and usability for as long as required; this may require the migration of records to newer formats or systems. Where migration is carried out, sufficient safeguards must be taken and documented to ensure authenticity, reliability and integrity of the records are maintained.

4. Records retention

  • Records must be retained in line with the University records retention schedule including information contained within ‘line of business’ systems.
  • The University’s records retention schedule ensures that records are retained for no longer than is necessary for the University’s business needs, except where records are selected for permanent preservation and transferred in line with the Institutional Archive Acquisition Policy.
  • Personal information must not be kept for longer than necessary, unless relevant exemptions have been identified and applied (e.g. scientific or historical research purposes, statistical purposes, or for archiving in the public interest).

5. Records disposition

  • Records must be destroyed in line with the University records retention schedule.
    • C1 and C2 records must be destroyed confidentially and in line with the University Information Classification and Handling Policy.
  • As good practice, destruction of records should be authorised by the appropriate manager and documented.
  • Where records are scheduled for destruction but are subject to a Freedom of Information or Environmental Information request, destruction will be delayed until the request has been concluded.

6. Roles and responsibilities

6.1 All persons engaged in University business

All persons engaged in university business – including all staff, casual staff, postgraduate researchers, secondees, agency workers, contractors, suppliers, partners, external researchers, visitors, honorary staff, students on placements at the University and individuals undertaking volunteering or work experience – are required to adhere to this policy when creating, maintaining, using or disposing of records. In particular, all individuals are required to have due regard for the records management principles when approaching university recordkeeping practices.

Breaches of this policy shall be reported to the IT Services Desk and dealt with under the Information Security Incident Management Procedure. A breach of this policy may be considered a disciplinary matter and addressed under the relevant disciplinary code.

Compliance with this policy should form part of any contract with a third party that may involve access to University’s records. Failure by contractors to comply with this policy may constitute an actionable breach of contract.

6.2 Senior Business Owner (Professional Services Directors or College Registrars or Heads of School)

Senior Business Owners, as defined in the Information Security Policy, are responsible for ensuring that records created, captured and maintained by their domain are fit for purpose, of sufficient quality and have sufficient integrity to meet the University’s operational and strategic needs.

6.3 Business Owners

Business owners, as defined in the Information Security Policy, are responsible for ensuring that systems are designed and maintained to manage records captured, created or maintained within the system in line with university policy and continue to meet the University’s requirements for evidence and information.

System owners are required to provide appropriate guidance and training for system users to enable use that adheres to this policy.

6.4 Heads of School/Research Institute/Department/College Registrars

Heads of School/Research Institute/Department/College Registrars are responsible for ensuring that records management within their area is in line with University policy, guidelines and procedures and that all persons engaged in University business receive training and guidance as appropriate.

6.5 University

The University has corporate responsibility for maintaining its records and recordkeeping systems in accordance with its business, legal and regulatory requirements.

6.6 Senior Information Risk Owner (SIRO)

The SIRO has overall responsibility for ensuring that the University meets its responsibilities under this policy and in relation to legal and regulatory recordkeeping requirements. The SIRO owns any risks associated with the University’s recordkeeping practices.

On behalf of the SIRO, the Data Protection Officer is responsible for:

  • Ensuring that the University has a records management policy and strategy and that these are regularly reviewed, and compliance monitored.
  • Overseeing the university’s procedures for management of university records, including the records retention schedule.
  • Promoting compliance with records management policy and procedures; and
  • Providing advice, training and guidance concerning their implementation including advice on the establishment of records systems or controls.

6.7 Clinical trials

The appointment and/or delegation of an individual(s) responsible for archiving records of clinical trials of investigational medicinal products will be conducted in line with the University’s (and where relevant a research centre’s) standard operating procedure.

7. Monitoring and review

  • Everyone covered by the scope of the policy is obliged to adhere to and facilitate implementation of the policy. Appropriate action will be taken to inform all new and existing employees and others covered by the scope of the existence of the policy and their role in adhering to it.
  • Arrangements should be made within individual services for regular reviews of procedure and practice to ensure records management compliance with this policy.
  • Compliance with this policy and related standards and guidance will be supported by the Compliance and Risk Team in the University Secretary’s Office on behalf of the SIRO.
  • Assurance for compliance with this policy will now be included within the annual Information Governance report to Governance Committee.
  • Reviews of the policy will take place at least every three years or at such time that a significant change is made to legislation, regulations, or business practices.
  • The policy will be made available to the general public via the University website.

8. Related policies and procedures

This policy forms part of the Information Security Management Framework. It should be read in conjunction with:

  • Information Security Policy
  • Information Classification and Handling Policy.

It also has a relationship with other University policies specifically:

  • Data Protection Policy
  • Confidentiality Policy
  • Intellectual Property Policy
  • Research Integrity and Governance Code of Practice
  • Institutional Archive Acquisition Policy
  • F-SOP for Archiving records from Clinical Trials of Investigational Medicinal Products.

It should also be read in conjunction with the following procedures:

Document control table

Document title: Records management policy
Version number: 3
Document status: Approved
Date approved: 04 June 2025
Effective date: 10 November 2025
Date of next review: July 2028