King's Printer for Scotland
The King's Printer for Scotland (KPS) is responsible for overseeing the publication of Scottish legislation, and for the management of Crown copyright in information we produce.
Office of the Queen’s Printer for Scotland: Records Management Plan 2014 to 2015
Authors: Simon Lovett (Head of Knowledge and Information Management), Michael Appleby (Information Manager), Kate Jennison (Records Manager)
Document title: Office of the Queen’s Printer for Scotland: Records Management Plan 2014 to 2015
Contents
1 Overview
1.1 Background
1.2 Records management in OQPS
1.3 Records management principles
1.4 Records covered by this plan
1.5 Records Management systems in OQPS
2.0 Elements of the Plan
2.1 Element 1: Senior Management Responsibility
2.2 Element 2: Records Management Responsibility
2.3 Element 3: Records Management Policy Statement
2.4 Element 4: Business Classification
2.5 Element 5: Retention Schedules
2.6 Element 6: Destruction Arrangements
2.7 Element 7: Archiving and Transfer Arrangements
2.8 Element 8: Information Security
2.9 Element 9: Data Protection
2.10 Element 10: Business Continuity and Vital Records
2.11 Element 11: Audit Trail
2.12 Element 12: Competency framework for Records Management Staff
2.13 Element 13: Assessment and Review
2.14 Element 14: Shared Information
1 Overview
1.1 Background
The Public Records (Scotland) Act 2011 (hereafter referred to as ‘the Act’) came fully into force in January 2013. The Act obliges the Office of the Queen’s Printer for Scotland (OQPS) and other public authorities to prepare and implement a records management plan (RMP). The RMP sets out proper arrangements for the management of records within the organisation. The plan is agreed with the Keeper of the Records of Scotland (the Keeper) and reviewed by OQPS on an annual basis.
The OQPS Records Management Plan is based on the Keeper’s published Model Records Plan. The model plan has the following 14 Elements:
1. Senior management responsibility
2. Records manager responsibility
3. Records management policy statement
4. Business classification
5. Retention schedules
6. Destruction arrangements
7. Archiving and transfer arrangements
8. Information security
9. Data protection
10. Business continuity and vital records
11. Audit trail
12. Competency framework for records management staff
13. Assessment and review
14. Shared information
OQPS has provided the Keeper with evidence of policies, procedures, guidance and operational activity on all elements of the plan.
The plan was agreed with the Keeper on 08 April 2014, will be reviewed initially two months after its acceptance by the Keeper, and thereafter on an annual basis. The OQPS Records Management Plan relates to records throughout their lifecycle, from creation and acquisition to archive and destruction. It encompasses all records across all OQPS business areas. The records provide the basis of the Queen's Printer's annual Report to the Scottish Parliament.
1.2 General overview of records management in OQPS
The records of OQPS are vital assets which make it possible to deliver the strategic aims and daily functions of the OQPS, and to protect the interests and rights of staff and members of the public who have dealings with it. The records constitute an auditable account of OQPS activities, providing evidence of our business, actions, decisions and policies, and supporting efficiency, consistency, quality and continuity of service delivery.
To realise these benefits, records need to be managed properly. Records management is essential to enable OQPS to achieve the priority outcomes that are articulated in our annual report. Good records management ensures that the correct information is captured, stored, maintained, retrieved, shared, reused, and destroyed or preserved in accordance with business need, statutory and legislative requirements. OQPS’ Records Management Policy, procedures and practices are based upon the requirements of the Public Records (Scotland) Act 2011, and other significant legal drivers including the Freedom of Information (Scotland) Act 2002, the Data Protection Act 1998, records management best practice, and the principles detailed below.
1.3 OQPS Records management principles
The following 4 key principles drive OQPS records management policies and procedures:
Information as a corporate asset:
- all information and data in any format created and processed by OQPS are considered to be records
- records are a valuable resource and must be secured, used, shared and managed appropriately
Legal and corporate compliance:
- Records are maintained in accordance with legislation, corporate policies and sound records management principles
- Records management practices will support OQPS values of ‘Integrity, People, Possibilities’, and our duty to make the best use of resources
Securing and exploiting:
- records are stored within the corporate EDRMs and according to the file plan, unless required to be in other specific systems (e.g. HR)
- records are appropriately shared and not duplicated
- records are appropriately secured and protected
- records are accessible, usable and understandable for as long as they are required
- records that are identified as of historical significance are permanently preserved
- records are disposed of in accordance with approved Records Retention Schedules
People
- Records management is a responsibility of all staff
- Records management procedures are understood and embraced by all staff, who are appropriately trained and supported within a corporate governance framework
1.4 Records covered by this plan
In line with the Act, all information created in the carrying out of OQPS functions (whether directly or by third parties) is a public record. Part 1, section 3.1 of the Act states that:
“… “public records”, in relation to an authority, means—
(a) records created by or on behalf of the authority in carrying out its functions,
(b) records created by or on behalf of a contractor in carrying out the authority’s functions,
(c) records created by any other person that have come into the possession of the authority or a contractor in carrying out the authority’s functions.”
1.5 Records Management systems in OQPS
OQPS uses two main types of records management systems:
- acorporate Electronic Documents and Records Management System (EDRMs)
- IT applications and databases that process records for specific functions e.g. HR, legislation amendments
In addition OQPS has a very small quantity of legacy paper files. These are no longer regularly needed for business purposes and are in secure storage.
All records management systems, including the legacy paper files, are subject to the records management policy, procedures, guidelines and elements of this plan.
2.0 Elements of the plan
2.1 Element 1: Senior management responsibility
Senior Management responsibility for the Records Management Plan lies with Carol Tullo, the Queen’s Printer for Scotland and head of OQPS.
2.2 Element 2: Records Management Responsibility
The person with day to day responsibility for the operation of records management within OQPS is Simon Lovett, Head of Knowledge and Information Management. For enquiries relating to the operational aspects of Records Management please contact:
The Queen's Printer for Scotland, The Library, GD Bridge, Victoria Quay, Edinburg, EH6 6QQ
Email: oqps@nationalarchives.gsi.gov.uk
2.3 Element 3: Records Management Policy Statement
OQPS’ commitment to effective records management is set out in our corporate Records Management Policy. We will review our policy on a biannual basis and keep it up to date.
Policies, guidelines and procedures are available to all staff via the intranet.
OQPS has implemented an Electronic Documents and Records Management System (EDRMS) as a central corporate repository. The EDRMs is compliant with the European MoReq1 standard for the collection of information within records management systems.
2.4 Element 4: Business Classification
For our own records OQPS has used the classification system developed by the National Archives1, to ensure that all OQPS business functions are properly reflected in the way that records are arranged in file plans, and in the way those records are managed throughout their lifecycle.
The majority of all current records are managed within the National Archives EDRMS. Part of the EDRMS corporate file plan is reserved for OQPS, whose functions are reflected in files at the top level of the file plan. Each function (e.g. ‘official publications’) has a number of sub-files correlating to specific activities, and each activity file (e.g. ‘enquiries’) contains folders with individual transactions (e.g. emails).
The National Archives business classification scheme is a hybrid structure, with the corporate file plan organised on a departmental (structural) basis, and the retention schedule to which it is connected, organised on a functional basis. Decisions on how to describe information assets, and how long they should be kept, are made by local business teams, while the corporate Knowledge, Information and Assurance (KIMA) team allocate functional retention schedules to each asset.
The structure and naming of the top two levels of the file plan (functions and activities) are negotiated with and controlled by the central Knowledge and Information Management team; below this level OQPS teams have discretion to create and name transactional folders. The balance between central and local control ensures a tightly managed structure but one which remains usable, flexible and relevant to OQPS business groups.
The OQPS file plan, including the creation of new files and folders, is managed by Departmental Information Asset Managers (IAMs) in consultation with Information Asset Owners (IAOs)2 and the corporate Knowledge and Information Management team.
There are a very small number of legacy OQPS paper files, which are stored in a secure location together with National Archives business records and archival records. These paper files also come within the governance remit of the OQPS IAO and IAM. They are subject to a separate, historical classification scheme, which is recorded separately.
Other key OQPS records sets outside the EDRMS include the Statutory Instruments database and the Command Paper database. OQPS personnel records are managed within the National Archives HR database. Information about OQPS and our functions is available on the Scottish Government website.
2.5 Element 5: Retention Schedules
OQPS uses the retention schedule developed by the National Archives, to determine how long our records should be kept. This is a functional schedule, derived from a mix of legal requirements and judgements by business units about how long specific types of records should be kept.
These schedules are applied initially by the KIMA team at the level of Information Asset Lists, (also known as 'What to Keep' schedules) and transferred as disposal metadata to the EDRM system; count-down to disposition is enabled following file closure (files are closed by IAMs when superseded or complete).
These retention schedules have not yet been applied to the OQPS legacy paper files. In FY 2013/14 the legacy files were recalled from their remote storage location. Their descriptions are currently being checked and clarified against the National Archives corporate registry paper files database, and disposal schedules will then be applied. Priority will then be given to destruction or archiving of any files which the disposal schedules indicate should now receive those treatments.
2.6 Element 6: Destruction Arrangements
OQPS uses the National Archives' secure on-site destruction facility for the destruction of registered paper files and for any non-registered sensitive paper (e.g. photocopies, or printouts of digital files): this is provided by a contractor. All file destruction is logged.
The KIMA team destroy records in the EDRMS in line with the applied retention schedules. Destruction is total and leaves only a metadata stub. Disposal schedules can only be applied by KIMA team administrators. IAMs carry out the disposal action after retention periods expire.
2.7 Element 7: Archiving and Transfer Arrangements
OQPS uses the system for archiving and transfer operated by the National Archives, and we would normally expect to archive OQPS records to the National Archives in Kew at the appropriate time. Transfer processes are governed by the National Archives' Accessions Team, covering appraisal and selection, sensitivity review (and any associated applications to the Lord Chancellor), cataloguing, physical preparation and transfer. The process is described in more detail here. OQPS has not yet transferred any modern records to the National Archives: the first OQPS records are likely to be transferred in 2015.
OQPS transfers will be managed by the corporate KIMA team, who report bi-annually to the National Archives Accessions team on the planned volume of records to be transferred in the current and next financial year, through a 'records transfer report'. It should be noted that OQPS paper records transferred to the National Archives will thereafter be available for public viewing on-site, while any digital records transferred will be available for viewing online through 'Discovery', the National Archives' digital records web portal. All OQPS records will be clearly tagged as Scottish government records, will be given a distinct series number, and will therefore also be searchable as a collection on that basis.
OQPS remains prepared to revisit this arrangement either as part of any wider constitutional rearrangement, or at the time the Records Management Plan is renewed.
Future developments
The KIMA team have run a pilot project to explore processes for undertaking sensitivity review4 of digital records, and the National Archives are considering this question with the University of Glasgow. OQPS estimates that the first of our digital records will be due for transfer in 2018.
2.8 Element 8: Information Security
OQPS uses the National Archives' policies and procedures to ensure the confidentiality, integrity and availability of our records. As such, OQPS complies with the Government Security Policy Framework, which includes HMG IA Standard No. 6 (Protecting Personal Data and Managing Information Risk). This compliance is reported to the Cabinet Office annually.
Physical security and care of registry paper files containing records is assured to PD5454 standards (http://www.deepstore.com/deepdifference.aspx).
2.9 Element 9: Data Protection
In order to deliver business services, OQPS gathers and processes some personal data, mainly relating to its own staff.
The Data Protection Act 1998 regulates the processing of personal data by OQPS. The Data Protection Act gives individuals the right to be advised of and receive copies of any personal data relating to them which is held by OQPS. The Data Protection Act is enforced and promoted by the Information Commissioner, who provides guidance and advice on complying with the terms of the Act and investigates complaints regarding possible breaches of the obligations contained within the Act. The Information Commissioner maintains a register of Notifications listing all Data Controllers in the UK. Data Controllers are required to register the types of personal data processed by them, the purposes of that processing and the third parties with whom the personal data may be shared. OQPS’ registration (number Z4960393) can be viewed on the Information Commissioner’s website, http://www.ico.gov.uk.
The Data Protection Act 1998 sets out 8 data protection principles which must be complied with when OQPS is processing personal data. The 8 principles require that personal data:
- must be processed fairly and lawfully
- must be processed for specified and lawful purposes
- must be adequate, relevant and not excessive
- must be accurate and up to date
- must not be kept longer than necessary
- must be processed in accordance with the data subject’s rights
- be held and processed securely
- must not be transferred to countries outwith the EEA without suitable safeguards.
OQPS’ Data Protection Officer has responsibility for monitoring data protection compliance throughout the organisation. OQPS has a Data Protection Policy to ensure that it complies with the requirements of the Data Protection Act. The Policy is regularly reviewed by the Data Protection Officer. All OQPS staff are required to undertake data protection and information security training to ensure that personal data is processed lawfully and in accordance with the data protection principles.
OQPS does not currently share personal data with third parties in the course of our business. However it will enter into a Data Processing Agreement if a third party requires to be provided with personal data to allow it to deliver a service on behalf of the organisation. OQPS will also ensure that Information Sharing Protocols are entered into if we are proposing to share personal data in circumstances which are permitted in terms of the data protection principles.
2.10 Element 10: Business Continuity and Vital Records
OQPS has identified our vital records through ‘what to keep’ schedules, which form part of the National Archives' corporate Information Asset Profile. This informs the Business Continuity and Disaster Recovery planning process. All physical records, both current records and archived records, are held securely in archival or storage repositories where the air quality is controlled and constantly monitored, and which have detailed and tested plans for disaster recovery. All electronic records are fully backed up and back-ups held in remote locations.
2.11 Element 11: Audit Trail
The EDRMs (Electronic Documents and Records Management System) provides comprehensive audit trails recording each primary user action, including evidence of creating, opening, viewing, modifying and deleting records. IT systems and databases provide audit logs that record user access to systems and movement of data.
Legacy paper records, contained in registry files, are held in a secure storage and ordered on-line, with movement to users and back to storage being tracked through the registry database.
2.12 Element 12: Competency framework for Records Management Staff
OQPS uses the services of the National Archives' central Knowledge and Information Management and Assurance (KIMA) team, which includes a full time records manager with ARA accredited qualifications and at the level of 'manager' in the government KIM professional framework. The KIMA team work to the Knowledge Council professional framework. As part of the corporate National Archives structure, OQPS will be party to a departmental vision and action plan currently being developed in response to the Knowledge Council 5 year vision for the KIM profession in government.
OQPS policy is that all staff are responsible for records. All staff on entry must therefore complete mandatory face to face training in Information Management, Data Protection, Freedom of Information, use of the corporate EDRMS and use of email. They must also complete mandatory on-line training on information security, and annual refresher training. Access to OQPS systems is denied for staff who do not complete mandatory starter training. All staff have intranet access to IM policies and guidance, including regular 'top tips' on the corporate intranet.
Separate additional guidance is provided for privileged users (e.g. those with administrator rights).
2.13 Element 13: Assessment and Review
The Records Management Plan and Records Management Policy are subject to OQPS’ standard governance, monitoring and review process. The plan will be reviewed by the head of KIMA two months after its acceptance by the Keeper, to ensure it is functioning as intended, and a report made to the Queen's Printer with any appropriate recommendations for further actions. The head of KIMA will then keep the plan under continuous review going forward, and will report back again to the Queen's Printer one year later to ensure that it remains appropriate to OQPS' business needs and that it has properly responded to any significant changes in circumstance that might occur. The report will also identify any other steps that have been taken to improve records management in OQPS and to mitigate any associated risks.
The plan is also subject to separate audit by the National Archives' internal audit process, which adopts a risk based approach.
2.14 Element 14: Shared Information
Any instances of information sharing between OQPS and third parties are governed by OQPS’ Data Protection Procedures and in contractual agreements with third parties.
Office of the Queen's Printer for Scotland
January 2014
Contact
Email: okps@nationalarchives.gov.uk
Post:
The King's Printer for Scotland
The Library
GD Bridge
Victoria Quay
Edinburgh
EH6 6QQ
There is a problem
Thanks for your feedback