Records Management Policy

Introduction

There are legal and regulatory requirements for Mole Valley District Council (“MVDC”) to retain certain records for specified amounts of time. We retain records to enable our business to operate and to have relevant information available when we need it so that we can discharge our statutory functions. However, unless there is a legal pathway permitting us to do so, we cannot retain any data indefinitely.

This Records Management Policy explains our requirements to retain and dispose of records and provides guidance on appropriate record handling and disposal.

Failure to comply with this policy can increase the risk of us upsetting or otherwise harming our residents. It may also expose us to fines and penalties, adverse publicity, and difficulties both in providing evidence when we need it and in running our business.

This policy has been agreed and implemented following consultation with the Strategic Leadership Team (SLT). It does not form part of any employee’s contract of employment and we may amend it at any time.

Scope

This policy covers all records that we hold or have control over. This includes physical records such as hard copy documents, contracts, notebooks, letters and invoices. It also includes electronic records such as emails, electronic documents, audio and video recordings and CCTV recordings. It applies to both personal data and non-personal data. In this policy we refer to this information collectively as “records”.

This policy covers records that are held by third parties on our behalf, for example cloud storage providers or offsite records storage.

This policy needs to be used in conjunction with other policies and legislation relating to our information function including but not limited to the following:

  • Data Protection Policy
  • Freedom of Information Act (FOIA) 2000 and Environmental Information Regulations (EIR) 2004
  • ICT Security Policy including social media, internet and email policy.

This policy applies to all business units and functions of MVDC and explains the differences between our formal or official records, disposable information, personal data and non-personal data. It also gives guidance on how we classify our data.

Guiding Principles

Through this policy and our records retention practices, we aim to meet the following commitments:

  • We comply with legal and regulatory requirements to retain records.
  • We comply with our data protection obligations, in particular to keep personal data contained within our records for no longer than is necessary for the purposes for which it is processed (storage limitation principle).
  • We handle, store and dispose of records responsibly and securely.
  • We create and retain records where needed to operate our business units and functions effectively.
  • We regularly remind employees of their records retention responsibilities.
  • We adopt the principles of the FOIA code of practice relating to records management and we document our processing activities to demonstrate compliance with the UK GDPR to embody good practice. However, we recognise that methods of storing and managing records vary throughout MVDC according to the systems that each service uses and any statutory requirements.
  • In the case of personal data contained within records, we maintain an Information Asset Register (IAR) for each business unit, which is reviewed regularly by the relevant Business Managers, also known as Information Asset Owners (IAOs).

Roles and Responsibilities

Lead responsibility for the records and information management function has been allocated to MVDC’s Senior Information Risk Owner (“SIRO”).

The Strategic Leadership Team and relevant Business Unit Managers (Information Asset Owners) are responsible for:

  • Ensuring local procedures are implemented to comply with this policy.
  • Ensuring staff understand their record keeping responsibilities and have adequate time and resources to properly undertake these activities.
  • Ensuring record keeping systems enable identification of records due for disposal.
  • Contributing to and enforcing compliance with business retention and disposal requirements set out in the Records Retention and Disposal Schedule.
  • Identifying vital business records and records suitable for historical permanent preservation.
  • Identifying whether semi-active physical records should be located (off or on site) in secure storage.
  • Ensuring that appropriate access restrictions and password protections are used for confidential information stored on shared drives.
  • Highlighting any concerns in terms of records and information management with the SIRO.

All staff are responsible for:

  • Managing the records they create and use on a day to day basis.
  • Retaining all records in line with identified business requirements and as outlined in the Records Retention and Disposal Schedule.
  • Ensuring records are saved and filed in such a way that is meaningful and facilitates timely retrieval by those with similar access privileges.
  • Disposing of records in accordance with the requirements of the Records Retention and Disposal Schedule.
  • Bringing any issues in relation to information and records management to the attention of their manager as soon as possible.

Types of data contained within our records

Each entry in the Records Retention and Disposal Schedule details the specific legislation, regulations, guidelines or codes of practice that stipulate or recommend how long records must be kept before they are disposed of. Where no such guidance or legislation exists MVDC Information Asset Owners will determine the retention requirements that best suit their business activities.

The Records Retention and Disposal Schedule does not set out retention periods for disposable information. This type of data shall only be retained for as long as it is needed for business purposes. Once it no longer has any business purpose or value it should be securely disposed of.

Emails held in individual mailboxes are automatically deleted after two years*. Staff are required to store all necessary business-related correspondence that they wish to keep for longer than two years in an appropriate application or storage system, which should be reviewed regularly, and to delete it as soon as is appropriate.

Documents that are held in OneDrive/SharePoint are regularly reviewed and disposed of in line with the Records Retention and Disposal Schedule, or more often if they are classed as disposable information (see para 5.2).

Under Article 5(1)(e) of the UK General Data Protection Regulation (UK GDPR), personal data should be retained for no longer than is necessary for the purpose for which it is processed (storage limitation principle). Where data is listed on the Records Retention and Disposal Schedule, we have taken into account the storage limitation principle and balanced this against our requirements to retain the data.

*As part of the national public inquiry into the handling of the Covid-19 pandemic, any organisation may be required to produce documents, information, emails etc. relating to the actions taken in response to the pandemic. Therefore the automated deletion of emails after 2 years is currently suspended.

Storage

Our records are stored in a safe, secure and accessible manner. Any electronic records that are essential to our business operations during an emergency are backed up and maintained in line with our business continuity plan.

Anybody working from home under the Hybrid Policy is responsible for keeping records associated with MVDC or client partners secure at all times in line with existing obligations or policies. Unless authorised otherwise, staff are required to audit any work-related records created or stored at home, or transported between home and the office, at least once every six months, and to identify information for confidential destruction (in the office) at least once a quarter.

Business Unit Managers/Information Asset Owners are responsible for the continuing process of identifying the data that has met its required retention period and ensuring its destruction. The destruction of confidential hard copy data must be conducted by confidential shredding. The destruction of electronic data (or applicable process governing such destruction) must be co-ordinated with the ICT department.

The destruction of data must stop immediately upon notification by the relevant SLT lead that preservation of records for contemplation of litigation is required. This is because we may be involved in a legal claim or an official investigation.

Preservation of documents for contemplated litigation and other special situations

We require all employees to comply fully with our Records Retention and Disposal Schedule. All employees should note the following general exception to any stated destruction schedule: should you believe that certain records are relevant to current litigation or contemplated litigation (that is, a dispute that in your view could reasonably result in litigation), government investigation, audit, information request or other event, you must preserve and not delete, destroy or change those records, including emails and other electronic records, until it is determined that those records are no longer needed. Preserving records includes suspending any requirements of the Records Retention and Disposal Schedule and preserving the integrity of the electronic files or other format in which the records are kept.

Review of policy

This records management policy will be reviewed every three years. This version was agreed in 2023/2024 and therefore will be reviewed in 2026/27.