Following the ICO Records Management for Public Sector webinar, RMGirl has offered to provide some additional information that may assist the Public Sector in complying with information rights law.
Records Management (RM) is not just about compliance with the law and making sure that a filing cabinet isn’t left in a building that’s been emptied, or about reporting yourself to the ICO for a breach; it’s about knowing what you’ve got, why you’ve got it and how long you need to keep it. RM is also about maintaining the corporate memory of an organisation for historical purposes but also for litigation and financial investigations. RM covers the management of your records from creation through to destruction and everything in between. Poor knowledge of the information you hold leads to Information Governance failures which leads to ICO action.
To avoid a sticky mess ending in self-reporting an incident or worse, finding out about your incident from someone else, there are several things you can do to reduce the risk of A) ending up with an incident or B) not being able to learn from it because you have no record of what happened. RMGirl’s top 10 tips of things you can do include:
1. Get Senior Management buy-in
- Engage with your SIRO or your Caldicott Guardian. After all, they are accountable for managing RM risks.
- If you are finding it difficult to demonstrate what and where the risks are; it’s worth considering asking the ICO for help through a voluntary audit.
2. Risk escalation
- Find out where RM strategy and tasks sit within your organisation
- Get RM on your risk register with action plans and action owners
3. Hire a Records Manager
- RM is easier to propel when you have someone who knows how.
4. Make friends with your IT team
- Find out how your EPR / ECM / EDRM / all systems work and where your information is stored.
5. Nominate RM co-ordinators or champions
- In a large organisation 1 Records Manager cannot manage every single service, they will need the help of people who know their service inside out.
- Highlight the people in your organisation who want to make a change
- Invite the Heads of Service to assist
6. Write an Information and Records Management Policy
- Organisations need policies, to make it clear what is expected of people and to provide a way to hold them to account
- Policies should be written in plain English and be as easy as possible to understand and follow
- You need a foundation to build your RM empire on, you can’t build awesome turrets if there is a huge puddle in your basement.
7. Write an up-to-date retention schedule
- NHS Code of Practice has had an overhaul – check your guidance is up to date. If you’re not in the NHS, use the corporate retention periods as a starting point.
- Join professional networking groups, make contacts with other Records Managers who have already forged ahead with retention schedules.
- Bear in mind the IICSA enquiry by Alexis Jay before destruction and review your records before you destroy them. Personal data which falls under the IICSA enquiry has a moratorium on destruction and therefore doesn’t not put you in breach of the DPA until that moratorium is lifted.
8. Offsite Storage / Properties with Lofts and Basements
- Find out what’s in storage! How many boxes of records do you actually have? What valuable information is sitting in those boxes that could be put to use? Or is putting you at risk of breaching the 5th Data Protection principle?
- Find out how many properties you own and when their lease dates are up for renewal along with whether they have any non-standard storage.
- Everyone needs training, even for the basics – it never hurts to have a reminder.
- Utilise your intranet. Populate it with quick guides on specific subjects or with FAQs.
- Get in on your induction programme
- Find out where volunteers or bank/temporary staff enter the organisation so they aren’t missed.
- Put a business case forward for end of year money to back train all staff who’ve been in the organisation for years such as using a staff handbook and delivering it to staff with their payslips (been there, done it, super effective!)
- Become a member of professional body (e.g. www.irms.org.uk) – they offer discounts with training providers, some of which don’t need the staff to leave their desk.
10. Change Management
- Bring staff with you. Lead them into change.
- Train the managers with their secretaries or teams, so they all hear the same message
- Relate the training content back to risks that they are familiar with in their daily environment (e.g. Clinical risk)
- Implement new stuff into the organisation with their involvement – give them a chance to contribute.
- Make their life easier. If it’s quicker and easier to do than what they were doing before, it will have a bigger success rate.
Other than the resource to fulfil the above tips or such as hiring a Records Manager, the above is FREE. That’s not something you hear very often! Yes! FREE and every single one of those top tips can help reduce the risk of non-compliance with DPA and FOI but also assist you in the bigger picture of maintaining and managing your organisations corporate memory and having defensible disposition.
Emily Overton (RMGirl) is currently an Information and Records Manager for Central Government and Director for the Information and Records Management Society with a decade experience in the field, however, the views, opinions and advice are not on behalf of either organisation but that of her own persona and business as RMGirl. Emily can be contacted on firstname.lastname@example.org or via twitter on @rmgirluk