Records Management & Information Governance
- Records Management and Information Governance
- Records Management
- Records Management Policy
Information and Records Management Policy
Related pages
- IRM Policy_2023 (PDF
, 6,659kb)
- Policy Guidance
- Research Data Management
- Handling DBS Certificates
The University recognises that the efficient management of its records is necessary in order to support and provide evidence of its core functions, to comply with its legal and regulatory obligations, to meet accountability requirements and stakeholder expectations, to enable the effective management of the institution and to advance its strategic priorities.
The policy sets out how to ensure the creation, maintenance and protection of authentic, reliable and useable data and records, with appropriate evidential characteristics, within the University. It establishes a framework and accountabilities for information and records management, through which best practice can be implemented and audited.
Scope
Scope
This policy applies to all recorded information in digital and hard copy formats that is created, received and maintained by University members as Information Users in the course of carrying out their University functions. Records are those documents, regardless of format, which facilitate University activities (e.g. teaching, learning and research) and operations and which are thereafter retained (for a set period) to provide evidence of its transactions or activities. Records may be created, received or maintained in hard copy or electronically.
This policy applies to records created in the course of research, whether internally or externally-funded, in addition to any contractual and academic record-keeping requirements.
This policy covers all applications and business systems used to create, manage and store University information and records, including content and information management systems, databases, email, voice and instant messaging, websites, and social media applications. The policy covers information created and managed in-house and off-site, including cloud-based platforms.
This policy is binding on all those who create or use University records, i.e. Information Users such as University staff, students, associates, partners, contractors, consultants and visitors, whether accessing records from on or off-campus.
Roles & responsibilities
Roles and responsibilities
All staff, as Information Users, are responsible for creating, maintaining and preserving accurate records that support and document their activities in accordance with this policy and its associated policies, procedures and guidance. They must know what information they hold, where it is held and complete mandatory records management training.
University Officers, Heads of Departments and Professional Services, as Information Owners, are responsible for ensuring that all records in their area are managed in conformance with this policy and associated policies and procedures. Information Owners are responsible for promoting this policy and ensuring their staff complete mandatory records management training and that their departments and units complete information asset registers.
Principal and Co-investigators affiliated to the University are responsible for ensuring that their research projects and their resulting records and data are created, managed and disposed of in compliance with this policy, the University’s Code of Practice on Research Integrity, and any specific legal, ethical and contractual conditions.
Information Champions are responsible for maintaining information asset registers, and for providing a local point of contact for queries, liaising with the Records Manager and University Archivist as required.
The University’s Information and Records Manager is responsible for promoting and supporting compliance with this policy across the University and its wholly-owned subsidiaries, including the development of retention schedules and procedures, drawing up guidance and providing training and support on good information and records management practice.
The University’s Information and Records Manager, as University Archivist, has responsibility for the University Archive and the authority to determine and requisition those University records with historical or enduring evidential value.
The University of York owns all records created by its employees carrying out University-related functions and activities unless otherwise specified under contract or in its Regulations. Unless the originator asserts ownership, records received by the University are also its property.
Staff, students, associates, partners, contractors, consultants and visitors who act in breach of this policy, or who do not act to implement it, may be subject to disciplinary procedures or other appropriate sanctions.
Oversight
Oversight
The Chief Operating Officer, as Senior Information Risk Owner, has overall responsibility for records management within the University. The implementation, oversight and management of information and records management policy on a day-to-day basis is delegated to the Information Security Board.
The Information Security Board, chaired by the Director of IT Services, is responsible for the approval of information and records management policy, for overseeing policy implementation and for regular policy reviews. It monitors the effectiveness of the information and records management policy across the University. It also monitors information risks and compliance through reporting and it commissions and responds to independent audits of records management arrangements.
Policy
Policy
The University will manage records and data efficiently and systematically, in a manner consistent with ISO 15489 and the statutory Code of Practice on Records Management, to support University operations and to meet legislative, regulatory, funding and ethical requirements. All information management practices in the University should align to this policy and its supporting procedures.
Records will be created, maintained and retained in order to provide information about and evidence of the University’s decisions, transactions and activities. Appropriate systems will be in place to record these decisions and activities.
Records must be maintained in line with these six Records Management principles to ensure their viability and quality across their lifecycle:
- The record is present: the information the University needs to evidence and reconstruct the relevant activity or transactions is recorded and is accurate.
- The record can be accessed: when it is needed, it is possible to discover, locate and access the information. It is possible to present it in a way that is true to the original presentation of the information. The authoritative version can be identified in cases where multiple versions exist.
- The record can be interpreted: a context for the information can be established, showing when, where and who created it, how it is related to other records, and what process/activity it comes from.
- The record can be trusted: the information and its representation is fixed and matches that which was actually created and used, and its integrity, authenticity and provenance can be demonstrated beyond reasonable doubt.
- The record can be maintained: the record can be accessed, interpreted and trusted for as long as it is needed (in line with the Retention Schedule and in some cases permanently) notwithstanding transfers to other agreed locations, systems, formats and technologies so that it remains present, accurate, trustworthy, interpretable and accessible.
- The record’s value is understood and protected: it is recognised that our records form part of our corporate memory and are an important institutional resource which must be protected across their lifecycle in accordance with the above principles.
Where University departments procure or develop IT and business systems, records management requirements must be considered, documented and addressed from the initial requirements stage. A Business System Lifecycle Management Assessment should be undertaken for new digital systems and services to help assess their ability to function as a recordkeeping system and the Records Manager consulted for advice.
Departments and services must maintain full and accurate records of their records, IT and record-keeping systems and processing of personal data in Information Asset Registers. This includes ensuring that records which are essential to business continuity (‘vital records’) are identified and protected.
Appropriate measures will be employed to safeguard the security and integrity of University records and provisions made (i) to maintain their reliability, integrity and preservation during their lifespans and (ii) to prevent the unauthorised or unlawful use, disclosure or loss of information.
Records must be maintained and stored in such a way that they can be easily identified and located to support business activities and that ensures appropriate accountability, using established procedures for secure access and handling.
Records will be retained and disposed of in accordance with agreed retention schedules in a controlled and compliant manner. Retention schedules will set out the minimum period for which a record should be retained and will be reviewed regularly and amended as necessary. Retention schedules will be agreed by the senior Information Owner(s) for the relevant University function. When the currency of the records and their need to be retained expires, the records will either be destroyed or, if they have lasting historical value, transferred to the University Archive.
Where systems and applications are to be decommissioned or records are scheduled for migration or conversion between business/record systems, including conversion to digital formats, the Records Manager should be consulted. The decommissioning of digital services and digitisation should be carried out in line with IT Services’ and Records Management guidance and the Records Management Principles.
A small percentage of the University’s records will be selected for permanent preservation, in line with the Appraisal Policy for Corporate Records. These records will become part of the University Archive which will maintain the University’s corporate memory by preserving records of enduring evidential and historical significance.
Information and records management awareness and training will be provided for staff as part of the University’s statutory and compliance training programme.
This document, together with its subsidiary policies and implementation documents, defines the framework within which records are managed across the University.
Implementation
Policy implementation documents
This document, together with related records management guidance is available from the records management website.
A policy context document provides further contextual guidance to support the University Information and Records Management Policy.
The Records Retention Schedule defines how long records should be kept for before being deleted/destroyed, reviewed or transferred to the University Archive.
The Selection and appraisal policy (PDF , 3,746kb) for corporate records sets out the process by which the University will distinguish and select those records with the highest value for permanent preservation from those of no enduring value.
The Research data management policy enables the University and its researchers to meet the standards and responsibilities set out in the University's Code of Practice on Research Integrity and to meet funder, ethical, legal and other responsibilities.
Policy review
Policy review
The policy will be reviewed on a three-yearly basis. It is next due for review in April 2026. After this date, policy and procedural documents may become invalid.
Document history
Document history
| 12 December 2012 | Approved by Information Strategy Group |
|---|---|
| 29 January 2016 | Reviewed and approved by Information Security Board |
| 31 July 2019 | Reviewed and approved by Information Security Board |
| 5 April 2023 | Reviewed and approved by Information Security Board |