Records Management and Compliance: The bigger picture & the risk mitigation.
Compliance can be a tricky subject depending on who you ask. Following the ICO ‘Records Management for Public Sector’ webinar, here is some additional information to assist public sector businesses in complying with information rights law.
Records Management (RM) is not just about compliance with the law and making sure that a filing cabinet isn’t left in an empty building! It’s not about reporting yourself to the ICO for a breach either. It’s simply about knowing what you’ve got, why you’ve got it and how long you need to keep it for. RM is also about maintaining the corporate memory of an organisation; for historical purposes and also for litigation and financial investigations. RM covers the management of your records from creation through to destruction. Poor knowledge of the information you hold leads to Information Governance failures, which leads to ICO action.
Our Top 10 Tips
There are several things you can do to reduce the risk of a) ending up with an incident or b) not learning from it because you have no record of what happened.
Here are RM Girl’s top 10 tips:
1. Get senior management buy-in
- Engage with your SIRO or your Caldicott Guardian. After all, they are accountable for managing RM risks.
- If you are finding it difficult to demonstrate what and where the risks are, it’s worth considering asking the ICO for help through a voluntary audit.
2. Compliance risk escalation
- Find out where RM strategy and tasks sit within your organisation
- Get RM on your risk register with action plans and action owners
3. Hire a Records Manager
- RM is easier to propel when you have someone who knows how to do it.
4. Make friends with your IT team
- Find out how your systems work and where your information is stored.
5. Nominate RM co-ordinators or champions
- In a large organisation, one records manager cannot manage every single service. They will need the help of people who know their service inside out.
- Highlight the people in your organisation who want to make a change
- Invite the Heads of Service to assist
6. Write an Information and Records Management Policy
- Organisations need policies to make it clear what is expected of people and to provide a way to hold them to account
- Policies should be written in plain English and be as easy as possible to understand and follow
- You need a foundation to build your RM empire on; you can’t build awesome turrets if there is a huge puddle in your basement.
7. Write an up-to-date retention schedule
- The NHS Code of Practice has been overhauled, so check your guidance is up to date. If you’re not in the NHS, use the corporate retention periods as a starting point.
- Join professional networking groups and make contact with other Records Managers who have already forged ahead with retention schedules.
- Review your records before you destroy them. Personal data which falls under the IICSA enquiry has a moratorium on destruction and therefore doesn’t put you in breach of the DPA until that moratorium is lifted.
8. Offsite Storage / Properties with Lofts and Basements
- Find out what’s in storage! How many boxes of records do you actually have? What valuable information is sitting in those boxes that could be put to use? Or is putting you at risk of breaching the fifth Data Protection principle?
- Find out how many properties you own and when their leases are up for renewal. Do they have any non-standard storage?
9. Compliance Training
- Everyone needs training, even for the basics and it never hurts to have a reminder.
- Utilise your intranet. Populate it with quick guides on specific subjects or with FAQs.
- Include records management in your induction programme
- Find out how volunteers or temporary staff enter the organisation so they aren’t missed.
- Put a business case forward for a budget to back train all staff who’ve been in the organisation for years. One very effective way is to produce a staff handbook and deliver this to staff along with their payslips.
- Become a member of a professional body (e.g. The IRMS). They often offer discounted training.
10. Change Management for Compliance
- Bring staff with you. Lead them into change.
- Train the managers alongside their secretaries or teams, so they all hear the same message
- Relate the training content back to risks that they are familiar with in their daily environment (e.g. clinical risk)
- Implement new procedures into the organisation with management involvement – give them a chance to contribute.
- Make their life easier. If it’s a quicker and easier process than before, people will embrace it.
The majority of these tips can be implemented at no cost to your organisation (and we all love FREE!). They will help to reduce the risk of non-compliance with DPA and FOI, and assist you as you maintain and manage your organisation’s corporate memory.