ICO R&D* Schedule gets an unwanted review
For a while now I have said that I didn’t like the ICO’s retention schedule (RS) because it had so many inaccuracies, but I tried to put to the back of my mind the worry that people were using the ICO’s RS as a model to create their own. Now the time has come when I feel I need to write about it. Hang on to your hat, this is going to be a very nerdy ride.
Background – Legislation and Inquiries
We don’t have any law for records management in England and Wales, and before anyone says “er, I think you forgot the Public Records Act 1958, Local Government (Records) Act 1962, Local Government Act 1972 or the Section 46 FOI Code of Practice”, these only cover so much. The main thing they have in common is (you guessed it): the public sector.
Scotland has had Records Management (RM) legislation for 9 years. It sadly came about because of an inquiry into child sexual abuse, but it is progress. “England and Wales have the Independent Inquiry into Child Sexual Abuse (IICSA)”, I hear you cry, but no: the Scottish Child Abuse Inquiry had a whole chapter on record keeping. I believe that in the most recent draft of the IICSA report, record keeping stretches to no more than 1 page.
Sec 46 Freedom of Information – Records Management Gateway?
The most disappointing thing I’ve read was the foreword at the beginning of the Section 46 Code of Practice:
“The Information Commissioner also has a statutory duty to promote good practice by public authorities, including following this Code of Practice. In addition to this Code of Practice, public authorities should also consult the Commissioner’s own guidance regarding best practice which can be found at ico.org.uk.”
So, therefore, the Information Commissioner should be an exemplar, providing the best Records Management advice available (and the same goes for their other areas of focus). Sadly, I feel this is not represented as it should be.
ICO policy – Time to speak up?
This post is an expression of how poorly records management is represented by the ICO. The people that do the do are all very lovely people, but this post is pointing out the lack of engagement and interest that the senior management within the ICO show about Records Management, despite it being part of their responsibilities. I haven’t written about every single issue with the retention schedule; instead, a handful of what I saw, and why each is a problem, is set out below.
Page 1 – Thou shall practice good governance
The document I am assessing is V5.0 with the status Published on the 7th April 2020. Its next review date is in 1 year’s time, on 7/4/2021. So bear in mind that they believe this version is good enough to publish on their website, knowing that other organisations will be looking to them for advice on how to manage records retention.
Also, it’s been signed off by senior management. No retention schedule should be published and enacted without senior management sign-off. There are no publicly available (without an FOI request) terms of reference for who is responsible for the ICO’s records management. However, Elizabeth Denham used to be a Health Records Manager, so this should be something she understands, even if the knowledge might be a little rusty.
One of the obvious things missing from this policy is version tracking. What has changed since the last edition? How are your employees supposed to know what has changed? Do they have to go through the whole document and spot the difference? This doesn’t apply just to the ICO RS; it applies to any of your policy documents. Give people an idea of what has changed so that they can implement it, otherwise your colleagues might end up non-compliant through no fault of their own.
It’s also key that you communicate through various channels that there is a new version, as no one (except those like me) is going to think “I wonder if it has changed yet”. Share the records management love and tell your colleagues what actions they need to take. This document renewal was uploaded quietly.
Page 3 – Thou shall not put items that are not records on my schedule
The schedule refers to DP items that cannot be returned. The main point here is that they are not records. They are items that do not belong to the ICO. This should not be in their records retention policy. Don’t put items in your policy that are not records.
Page 4 – Thou shall keep all copies of policies and guidelines
They only appear to be keeping their policies for 6 years, which I feel is pretty interesting given that the majority of policies should be kept for a minimum of 20 years. This relates specifically to the Fraud Act 2006 but also to the Limitation Act 1980. What if someone is acting fraudulently in your organisation and it isn’t noticed? You need to know what policies were in place during the time they may or may not have committed a crime. You need the back-history of policies as well as the current ones. Moreover, they are using the trigger ‘Last Action’; surely if it is 6 years, the trigger should be ‘Policy retired’, because otherwise you’re getting rid of a policy while it is still in use? The trigger on your retention is just as important as the number of years.
Page 5 – Thou shall practice accountability
First Line Advice Services – I think this may be the most evil retention period of the whole document. An example: a private limited company asks the ICO for advice. They implement that advice and, later down the line, the advice they were given ends up being a problem. The ICO no longer has evidence that they gave that advice. Claims can be made against the ICO, and also against the organisation they gave advice to, from the point at which the person knew it was wrong up to 6 years later for an adult. This is from the lengthy document that is the Limitation Act 1980. This leaves the businesses that they give advice to out in the cold, as they don’t suspect they will ever be sued and there’s no official record that the ICO ever gave that advice. Outrageous.
Page 10 – Thou shall not reference legislation that doesn’t apply to me
As we know, the ICO is an independent public body and the Department for Digital, Culture, Media and Sport is the ICO’s sponsoring department within Government. They have never been a limited company or a partnership, yes? Yes. So why are they writing down the legislation source as the Companies Act 2006? You should not be listing
Moreover, in their first-ever CCTV guidance, they originally stated that you only needed to keep CCTV images for 7 days or for as little time as possible. Hello, Nest doorbells: these can be set as low as 5 days. Their new set of guidance goes on to say that you shouldn’t just keep the recordings for the time set by the manufacturer, so why are they now keeping their CCTV for 30 days?
Page 17 onwards
Why would you publish a retention schedule without retentions in it? See the last few pages. At what point should staff be arranging for records to be transferred to The National Archives? We know this will be anywhere up to 20 years under the Public Records Act 1958, but you don’t have to wait 20 years for everything.
- On the whole, I really like the layout. It’s got good column headers and a decent amount of information given.
- That said, the header needs to be on every page so that people don’t need to flick back and forth.
- Having the Information Asset Owner’s job title is a good thing. That said, IAOs tend to be pretty high-level roles and, without further information, it’s difficult to know whether this has been rolled out within the ICO.
- Having the source of the retention is a good thing: it tells anyone reading ‘why’ it’s that length of time, especially if it refers to legislation, as that helps people understand the retention.
- ‘Business need’ should not be overused; otherwise it comes across as keeping everything because you can, with no regard for anything else.
- If you are going to publish a document, do not use acronyms. In fact, don’t use acronyms within your organisation full stop. If you must, providing a policy that lists the only permitted acronyms will help prevent issues in the future. Acronyms are often subject to misinterpretation.
- Small and large numbers are referred to with no quantifier. If you’re expecting your audience to know what this means, it’s likely they won’t. You need to spell this out on your retention schedule, especially if it is the dividing factor between one retention and another.
- Do not put multiple retentions within one box. Are you asking your staff to make a decision? What if they choose the wrong one?
- Do not put ambiguous retentions such as ‘1 month’: is that 28, 29, 30 or 31 days? Small things make a huge difference.
ICO Risk Appetite and Personalisation
One of my bugbears about this whole document is that there is no guidance or warning on the schedule. When you are in the position that the ICO is in, you need to warn your readers that this is what you follow internally. Also, organisations must not copy the ICO’s retention policy, because it reflects the ICO’s risk appetite. Organisations will take this document and assume that it’s okay for them to do it this way. Those organisations will land themselves in hot water, especially if they get sued.
Where do we go from here?
Given we’ve hardly seen any decent fines from the ICO (BA & Marriott are delayed until at least August and Doorstep Dispensaree Ltd are still appealing), I don’t expect Records Management to go anywhere fast. However, the first thing they could do is unpublish the current document and re-evaluate every page, if only for their own internal requirements rather than for the public. I’d suggest they seek some professional advice and really rethink their records management offerings. When you type records management into the ICO website you get very few results:
As a Records Management Professional, I would advise that you take the ICO retention schedule (v5.0 or before) with a pinch of salt and do not look to copy their practices unless you have actively weighed up the risks to your organisation in doing so.
There are much better published retention schedules out there, such as those from Kent County Council and JISC, and the IRMS Schools Retention Schedule. Admittedly, you may not have the same services as them, but all organisations have a lot of the same corporate services, which is mostly where varying records are created.
If you like this blog post, please see other posts here.
If you enjoyed my content, please consider buying me a virtual coffee here.
If your organisation would like a reasonably priced, non-public review of its own retention schedules, please contact me.