Lord Chancellor’s Code of Practice on the management of records issued under section 46 of the Freedom of Information Act 2000

Lord Chancellor’s Code of Practice on the management of records issued under section 46 of the Freedom of Information Act 2000

Presented to Parliament by the Lord Chancellor pursuant to section 46(6) of the Freedom of Information Act 2000

Contents

Foreword 4

Introduction 4Importanceofrecordsmanagement 4RoleoftheInformationCommissioner 6AuthoritiessubjecttothePublicRecordsActs 6RoleoftheLordChancellor’sAdvisoryCouncilonNationalRecordsandArchives 7andtheSensitivityReviewGroupinNorthernIrelandCode of PracticeIntroduction 8

1 AimsoftheCode 82 ScopeoftheCode 93 Interpretation 94 Supplementaryguidance 9

Part 1 Records management 10

5 Summaryofrecommendedgoodpracticeinrecordsmanagement 106 Organisationalarrangementstosupportrecordsmanagement 107 Recordsmanagementpolicy 118 Keepingrecordstomeetcorporaterequirements 129 Recordssystems 1310 Storageandmaintenanceofrecords 1511 Securityandaccess 1712 Disposalofrecords 1813 Recordscreatedinthecourseofcollaborativeworkingorthroughout-sourcing 2014 Monitoringandreportingonrecordsmanagement 21Part 2 Review and transfer of public records 22

15 PurposeofPart2 2216 Selectionofpublicrecordsforpermanentpreservation 2217 Retentionortransferofpublicrecords 2218 Determiningtheaccessstatusofpublicrecordsbeforetransfer 2319 Transmissionofpublicrecords 2520 Accessaftertransferofpublicrecords 25

Annex A Glossary 26Annex B StandardsandguidancesupportingtheCode 27

LordChancellor’sCodeofPracticeonthemanagementofrecords-3

�-LordChancellor’sCodeofPracticeonthemanagementofrecords

Foreword

Introduction

(i) TheCodeofPractice(“theCode”)whichfollowsfulfilsthedutyoftheLordChancellorsetoutinsection46oftheFreedomofInformationAct20001(theAct).ThisforewordprovidesbackgroundbutdoesnotformpartoftheCodeitself.

(ii) TheCodeisintwoparts.InPart1,theCodeprovidesguidancetoallrelevantauthoritiesastothepracticewhichitwould,intheopinionoftheLordChancellor,bedesirableforthemtofollowinconnectionwiththekeeping,managementanddestructionoftheirrecords.ThisappliesnotonlytopublicauthoritiesbutalsotootherbodiesthataresubjecttothePublicRecordsAct1958orthePublicRecords2Act(NorthernIreland)1923.Collectivelytheyarecalledrelevantauthorities.

(iii) TheCodealsodescribes,inPart2,theproceduretobefollowedfortimelyandeffectivereviewandtransferofpublicrecordstoTheNationalArchives3ortoaplaceofdeposit(asdefinedinsection4ofthePublicRecordsAct1958)ortothePublicRecordOfficeofNorthernIrelandunderthePublicRecordsAct1958orthePublicRecordsAct(NorthernIreland)1923.4

Importance of records management

(iv) Freedomofinformationlegislationisonlyasgoodasthequalityoftherecordsandotherinformationtowhichitprovidesaccess.Accessrightsareoflimitedvalueifinformationcannotbefoundwhenrequestedor,whenfound,cannotberelieduponasauthoritative.Goodrecordsandinformationmanagementbenefitsthoserequestinginformationbecauseitprovidessomeassurancethattheinformationprovidedwillbecompleteandreliable.Itbenefitsthoseholdingtherequestedinformationbecauseitenablesthemtolocateandretrieveiteasilywithinthestatutorytimescalesortoexplainwhyitisnotheld.Italsosupportscontrolanddeliveryofinformationpromisedinanauthority’sPublicationSchemeorrequiredtobepublishedbytheEnvironmentalInformationRegulations2004(theEIR).

(v) Recordsmanagementisimportantformanyotherreasons.Recordsandinformationarethelifebloodofanyorganisation.Theyarethebasisonwhichdecisionsaremade,servicesprovidedandpoliciesdevelopedandcommunicated.Effectivemanagementofrecordsandotherinformationbringsthefollowingadditionalbenefits:

1TheActcanbeseenathttp://www.opsi.gov.uk/acts/acts2000/ukpga_20000036_en_1.2PublicrecordsaretherecordsofbodiesthataresubjecttothePublicRecordsAct1958orthePublicRecordsAct(NorthernIreland)1923.Fortheavoidanceofdoubt,theterm‘publicrecords’includesWelshpublicrecordsasdefinedbysection148oftheGovernmentofWalesAct2006.3ThelegalentitytowhichthisprovisionappliesisthePublicRecordOffice.SinceApril2003thePublicRecordOfficehasfunctionedaspartofTheNationalArchivesandisknownbythatname.Forthatreasonthename‘TheNationalArchives’isusedinthisCode.4ThePublicRecordslegislationcanbeseenathttp://www.nationalarchives.gov.uk/documents/public-records-act1958.rtfandhttp://www.proni.gov.uk/public_records_act_1923.pdfrespectively.

LordChancellor’sCodeofPracticeonthemanagementofrecords-5

Itsupportsanauthority’sbusinessanddischargeofitsfunctions,promotesbusinessefficiencyandunderpinsservicedeliverybyensuringthatauthoritativeinformationaboutpastactivitiescanberetrieved,usedandrelieduponincurrentbusiness;

Itsupportscompliancewithotherlegislationwhichrequiresrecordsandinformationtobekept,controlledandaccessible,suchastheDataProtectionAct1998,employmentlegislationandhealthandsafetylegislation;

Itimprovesaccountability,enablingcompliancewithlegislationandotherrulesandrequirementstobedemonstratedtothosewitharighttoauditorotherwiseinvestigatetheorganisationanditsactions;

Itenablesprotectionoftherightsandinterestsofanauthority,itsstaffanditsstakeholders;Itincreasesefficiencyandcost-effectivenessbyensuringthatrecordsaredisposedofwhen

nolongerneeded.Thisenablesmoreeffectiveuseofresources,forexamplespacewithinbuildingsandinformationsystems,andsavesstafftimesearchingforinformationthatmaynotbethere;

Itprovidesinstitutionalmemory.

(vi) Poorrecordsandinformationmanagementcreaterisksfortheauthority,suchas:

Poordecisionsbasedoninaccurateorincompleteinformation;Inconsistentorpoorlevelsofservice;Financialorlegallossifinformationrequiredasevidenceisnotavailableorcannotberelied

upon;Non-compliancewithstatutoryorotherregulatoryrequirements,orwithstandardsthat

applytothesectortowhichitbelongs;Failuretohandleconfidentialinformationwithanappropriatelevelofsecurityandthe

possibilityofunauthorisedaccessordisposaltakingplace;Failuretoprotectinformationthatisvitaltothecontinuedfunctioningoftheorganisation,

leadingtoinadequatebusinesscontinuityplanning;Unnecessarycostscausedbystoringrecordsandotherinformationforlongerthanthey

areneeded;Stafftimewastedsearchingforrecords;Stafftimewastedconsideringissuesthathavepreviouslybeenaddressedandresolved;Lossofreputationasaresultofalloftheabove,withdamagingeffectsonpublictrust.

(vii) TheCodeisasupplementtotheprovisionsintheActanditsadoptionwillhelpauthoritiescomplywiththeirdutiesundertheAct.Consequently,allrelevantauthoritiesarestronglyencouragedtopayheedtotheguidanceintheCode.TheCodeiscomplementedbytheCodeofPracticeundersection45oftheActandtheCodeofPracticeunderRegulation16oftheEIR.

(viii) AuthoritiesshouldnotethatiftheyfailtocomplywiththeCode,theymayalsofailtocomplywithlegislationrelatingtothecreation,management,disposal,useandre-useofrecordsandinformation,forexamplethePublicRecordsAct1958,theDataProtectionAct1998,andtheRe-useofPublicSectorInformationRegulations2005,andtheymayconsequentlybeinbreachoftheirstatutoryobligations.

6-LordChancellor’sCodeofPracticeonthemanagementofrecords

Role of the Information Commissioner

(ix) TheInformationCommissionerhasadutyundersection47oftheActtopromotethefollowingofgoodpracticebypublicauthoritiesandinparticulartopromoteobservanceoftherequirementsoftheActandtheprovisionsofthisCodeofPractice.InordertocarryoutthatdutyspecificallyinrelationtotheCode,theActconfersanumberofpowersontheCommissioner.

Practice recommendations(x) IfitappearstotheInformationCommissionerthatthepracticeofanauthorityinrelationto

theexerciseofitsfunctionsundertheActdoesnotconformtothatsetoutintheCode,theCommissionermayissueapracticerecommendationundersection48oftheAct.ApracticerecommendationwillbeinwritingandwillspecifytheprovisionsoftheCodethathavenotbeenmetandthestepsthatshould,intheCommissioner’sopinion,betakentopromoteconformitywiththeCode.ApracticerecommendationcannotbedirectlyenforcedbytheInformationCommissioner.However,afailuretocomplywithapracticerecommendationmayleadtoafailuretocomplywiththeActorcouldleadtoanadversecommentinareporttoParliamentbytheInformationCommissioner.

Information Notices(xi) IftheInformationCommissionerreasonablyrequiresanyinformationinordertodetermine

whetherthepracticeofanauthorityconformswiththatrecommendedintheCode,hemayserveontheauthorityanotice(knownasan‘informationnotice’)undersection51oftheAct.AninformationnoticewillbeinwritingandwillrequiretheauthoritytoprovidetheInformationCommissionerwithspecifiedinformationrelatingtoconformitywiththeCode.Itwillalsocontainparticularsoftherightsofappealconferredbysection57oftheAct.

Enforcement of information notices(xii) Undersection54oftheAct,ifanauthorityfailstocomplywithaninformationnotice,the

InformationCommissionermaycertifyinwritingtothecourtthattheauthorityhasfailedtocomply.Thecourtmaytheninquireintothematterand,afterhearinganywitnesseswhomaybeproducedagainstoronbehalfoftheauthority,andafterhearinganystatementthatmaybeofferedindefence,dealwiththeauthorityasifithadcommittedacontemptofcourt.

Authorities subject to the Public Records Acts

(xiii) TheCodeshouldbereadinthecontextofexistinglegislationaffectingthemanagementofrecords.Inparticular,thePublicRecordsAct1958(asamended)givesdutiestobodiessubjecttothatActinrespectoftherecordstheycreateorhold.ItalsorequirestheChiefExecutiveofTheNationalArchives5tosupervisethedischargeofthoseduties.

(xiv) ThePublicRecordsAct(NorthernIreland)1923setsoutthedutiesofpublicrecordbodiesinNorthernIrelandinrespectoftherecordstheycreateandrequiresthatrecordsshouldbetransferredto,andpreservedby,thePublicRecordOfficeofNorthernIreland.

5Thetitle‘KeeperofPublicRecords’isusedinthePublicRecordsAct1958andtheFreedomofInformationAct2000.ThisisoneofthetitlesoftheChiefExecutiveofTheNationalArchives.Thetitle‘ChiefExecutiveofTheNationalArchives’isusedinthisCodeinrecognitionofthefactthatitisthetitleusedforoperationalpurposes.

LordChancellor’sCodeofPracticeonthemanagementofrecords-7

(xv) TheInformationCommissionerwillpromotetheobservanceoftheCodeinconsultationwiththeChiefExecutiveofTheNationalArchiveswhendealingwithbodieswhicharesubjecttothePublicRecordsAct1958andwiththeDeputyKeeperoftheRecordsofNorthernIrelandforbodiessubjecttothePublicRecordsAct(NorthernIreland)1923.Beforeissuingapracticerecommendationundersection48oftheActtoabodysubjecttoeitherofthePublicRecordsActs,theInformationCommissionerwillconsulttheChiefExecutiveofTheNationalArchivesortheDeputyKeeperoftheRecordsofNorthernIrelandasappropriate.

Role of the Lord Chancellor’s Advisory Council on National Records and Archives and the Sensitivity Review Group in Northern Ireland

(xvi) TheAdvisoryCouncilonNationalRecordsandArchives6(hereafter‘theAdvisoryCouncil’)hasastatutoryroletoadvisetheLordChancelloronmattersconcerningpublicrecordsingeneralandontheapplicationoftheActtoinformationinpublicrecordsthatarehistoricalrecords.7TheLordChancellor,havingreceivedtheadviceofhisAdvisoryCouncil,mayprepareandissueguidance.TheguidancemayincludeadviceonthereviewofpublicrecordsandontheperiodsoftimeforwhichtheAdvisoryCouncilconsidersitappropriatetowithholdcategoriesofsensitiverecordsaftertheyhavebecomehistoricalrecords.8

(xvii) TheNationalArchivesprovidessupportasappropriatetotheAdvisoryCouncilinitsconsiderationofapplicationsfromauthoritiesrelatingtoretentionoraccesstopublicrecordsandinitspreparationofguidancefortheLordChancellortoissuetoauthorities.

(xviii) InNorthernIrelandtheSensitivityReviewGroup,consistingofrepresentativesofNorthernIrelanddepartments,providesadviceonthereleaseofpublicrecords.ThePublicRecordOfficeofNorthernIrelandprovidessupporttotheGroup.GuidancemaybeissuedbytheDeputyKeeperoftheRecordsofNorthernIrelandfollowingconsultationwiththeDepartmentsresponsiblefortherecordsaffectedbytheguidance.

6ThelegalentitytowhichthisprovisionappliesistheAdvisoryCouncilonPublicRecords.SinceApril2003theCouncilhasfunctionedasTheAdvisoryCouncilonNationalRecordsandArchivesandsothatnameisusedinthisCode.7Inthiscontext,theterm‘publicrecords’appliesonlytotherecordsofbodiesthataresubjecttothePublicRecordsAct1958.8Theterm‘historicalrecord’isdefinedatsection62oftheAct.

8-LordChancellor’sCodeofPracticeonthemanagementofrecords

CODE OF PRACTICE (FreedomofInformationAct2000,section46)

Guidancetorelevantauthoritieson(1)Themanagementoftheirrecordsand

(2)Thereviewandtransferofpublicrecords

TheLordChancellor,havingconsultedtheInformationCommissionerandtheappropriateNorthernIrelandMinister,issuesthefollowingCodeofPracticepursuanttosection46oftheFreedomofInformationAct2000.

LaidbeforeParliamenton16July2009pursuanttosection46(6)oftheFreedomofInformationAct2000.

Introduction

1 Aims of the Code

1.1 TheaimsoftheCodeare:

Tosetoutthepracticeswhichrelevantauthorities9shouldfollowinrelationtothecreation,keeping,managementanddestructionoftheirrecords(Part1oftheCode);and

Todescribethearrangementswhichbodiesresponsibleforpublicrecords10shouldfollowinreviewingpublicrecordsandtransferringthemtoTheNationalArchivesortoaplaceofdepositforpublicrecords,ortothePublicRecordOfficeofNorthernIreland(Part2oftheCode).

1.2. Part1oftheCodeprovidesaframeworkforrelevantauthoritiestomanagetheirrecords.Itsetsoutrecommendedgoodpracticefortheorganisationalarrangements,decisionsandprocessesrequiredforeffectiverecordsandinformationmanagement.

1.3 Part2providesaframeworkforthereviewandtransferofpublicrecordsthathavebeenselectedforpermanentpreservationatTheNationalArchives11,aplaceofdepositforpublicrecordsorthePublicRecordOfficeofNorthernIreland.Itsetsouttheprocessbywhichrecordsduefortransferareassessedtodeterminewhethertheinformationtheycontaincanbedesignatedasopeninformationor,ifthisisnotpossible,toidentifytheexemptions12thatapplyandindicateforhowlongtheyshouldapply.

9RelevantauthoritiesisthecollectivetermusedintheActforbodiesthatarepublicauthoritiesundertheFreedomofInformationActandbodiesthatarenotsubjecttothatActbutaresubjecttothePublicRecordsAct1958orthePublicRecordsAct(NorthernIreland)1923.10PublicrecordsaretherecordsofbodiesthataresubjecttothePublicRecords1958orthePublicRecordsAct(NorthernIreland)1923.Fortheavoidanceofdoubt,theterm‘publicrecords’includesWelshpublicrecordsasdefinedbysection148oftheGovernmentofWalesAct2006.11ThelegalentitytowhichthisprovisionappliesisthePublicRecordOffice.SinceApril2003thePublicRecordOfficehasfunctionedaspartofTheNationalArchivesandisknownbythatname.Forthatreasonthename‘TheNationalArchives’isusedinthisCode.12IntheEnvironmentalInformationRegulations2004(theEIR),exemptionsarecalledexceptions.ForsimplicitythetermexemptionisusedthroughouttheCodeandshouldbetakentoapplyalsotoexceptionsintheEIR.

LordChancellor’sCodeofPracticeonthemanagementofrecords-9

2 Scope of the Code

TheCodeappliestoallrecordsirrespectiveofthetechnologyusedtocreateandstorethemorthetypeofinformationtheycontain.Itincludes,therefore,notonlypaperfilesseriesanddigitalrecordsmanagementsystemsbutalsobusinessandinformationsystems(forexamplecasemanagement,financeandgeographicalinformationsystems)andthecontentsofwebsites.TheCode’sfocusisonrecordsandthesystemsthatcontainthembuttheprinciplesandrecommendedpracticecanbeappliedalsotootherinformationheldbyanauthority.

3 Interpretation

ForthepurposesofthisCode,‘records’aredefinedasintherelevantBritishStandard13,namely‘informationcreated,received,andmaintainedasevidenceandinformationbyanorganizationorperson,inpursuanceoflegalobligationsorinthetransactionofbusiness’.SomespecifictermswhicharenotdefinedintheActhavebeenincludedintheGlossaryatAnnexA.OtherwordsandexpressionsusedinthisCodehavethesamemeaningasthesamewordsandexpressionsusedintheAct.

4 Supplementary guidance

MoredetailedguidanceonbothpartsoftheCodehasbeenpublishedseparately.StandardsandguidancewhichsupporttheobjectivesofthisCodemostdirectlyarelistedatAnnexB.

13BSISO15489-1:2001Informationanddocumentation–Recordsmanagement–Part1:General.

10-LordChancellor’sCodeofPracticeonthemanagementofrecords

Part 1: Records Management

5 Summary of recommended good practice in records management

5.1 Goodpracticeinrecordsmanagementismadeupofanumberofkeyelements.ThefollowinglistsummarisesthegoodpracticerecommendedinPart1oftheCode.Guidanceoneachelementisgiveninsections6-14ofthisPart.

a) Authoritiesshouldhaveinplaceorganisationalarrangementsthatsupportrecordsmanagement(seesection6);

b) Authoritiesshouldhaveinplacearecordsmanagementpolicy,eitherasaseparatepolicyoraspartofawiderinformationorknowledgemanagementpolicy(seesection7);

c) Authoritiesshouldensuretheykeeptherecordstheywillneedforbusiness,regulatory,legalandaccountabilitypurposes(seesection8);

d) Authoritiesshouldkeeptheirrecordsinsystemsthatenablerecordstobestoredandretrievedasnecessary(seesection9);

e) Authoritiesshouldknowwhatrecordstheyholdandwheretheyare,andshouldensurethattheyremainusableforaslongastheyarerequired(seesection10);

f) Authoritiesshouldensurethatrecordsarestoredsecurelyandthataccesstothemiscontrolled(seesection11);

g) Authoritiesshoulddefinehowlongtheyneedtokeepparticularrecords,shoulddisposeofthemwhentheyarenolongerneededandshouldbeabletoexplainwhyrecordsarenolongerheld(seesection12);

h) AuthoritiesshouldensurethatrecordssharedwithotherbodiesorheldontheirbehalfbyotherbodiesaremanagedinaccordancewiththeCode(seesection13);

i) AuthoritiesshouldmonitorcompliancewiththeCodeandassesstheoveralleffectivenessoftheprogramme(seesection14).

6 Organisational arrangements to support records management

Authorities should have in place organisational arrangements that support records management.

6.1 Thesearrangementsshouldinclude:

a) Recognitionofrecordsmanagementasacorecorporatefunction,eitherseparatelyoraspartofawiderinformationorknowledgemanagementfunction.Thefunctionshouldcoverrecordsinallformatsthroughouttheirlifecycle,fromplanningandcreationthroughtodisposalandshouldincluderecordsmanagedonbehalfoftheauthoritybyanexternalbodysuchasacontractor;

b) Inclusionofrecordsandinformationmanagementinthecorporateriskmanagementframework.Informationandrecordsareacorporateassetandlossoftheassetcouldcausedisruptiontobusiness.Thelevelofriskwillvaryaccordingtothestrategicandoperationalvalueoftheassettotheauthorityandriskmanagementshouldreflecttheprobableextentofdisruptionandresultingdamage;

LordChancellor’sCodeofPracticeonthemanagementofrecords-11

c) Agovernanceframeworkthatincludesdefinedrolesandlinesofresponsibility.Thisshouldincludeallocationofleadresponsibilityfortherecordsandinformationmanagementfunctiontoadesignatedmemberofstaffatsufficientlyseniorleveltoactasarecordsmanagementchampion,forexampleaboardmember,andallocationofoperationalresponsibilitytoamemberofstaffwiththenecessaryknowledgeandskills.Insmallauthoritiesitmaybemorepracticabletocombinetheseroles.Ideallythesamepeoplewillberesponsiblealsoforcompliancewithotherinformationlegislation,forexampletheDataProtectionAct1998andtheRe-useofPublicSectorInformationRegulations2005,orwillworkcloselywiththosepeople;

d) Clearlydefinedinstructions,applyingtostaffatalllevelsoftheauthority,tocreate,keepandmanagerecords.Inlargerorganisationstheresponsibilitiesofmanagers,andinparticularheadsofbusinessunits,couldbedifferentiatedfromtheresponsibilitiesofotherstaffbymakingitclearthatmanagersareresponsibleforensuringthatadequaterecordsarekeptoftheactivitiesforwhichtheyareaccountable;

e) Identificationofinformationandbusinesssystemsthatholdrecordsandprovisionoftheresourcesneededtomaintainandprotecttheintegrityofthosesystemsandtheinformationtheycontain;

f) ConsiderationofrecordsmanagementissueswhenplanningorimplementingICTsystems,whenextendingstaffaccesstonewtechnologiesandduringre-structuringormajorchangestotheauthority;

g) Inductionandothertrainingtoensurethatallstaffareawareoftheauthority’srecordsmanagementpolicies,standards,proceduresandguidelinesandunderstandtheirpersonalresponsibilities.Thisshouldbeextendedtotemporarystaff,contractorsandconsultantswhoareundertakingworkthatithasbeendecidedshouldbedocumentedintheauthority’srecords.Iftheorganisationislargeenoughtoemploystaffwhoseworkisprimarilyaboutrecordsandinformationmanagement,theyshouldbegivenopportunitiesforprofessionaldevelopment;

h) AnagreedprogrammeformanagingrecordsinaccordancewiththispartoftheCode;i) Provisionofthefinancialandotherresourcesrequiredtoachieveagreedobjectivesinthe

recordsmanagementprogramme.

7 Records management policy

Authorities should have in place a records management policy, either as a separate policy or as part of a wider information or knowledge management policy.

7.1 Thepolicyshouldbeendorsedbyseniormanagement,forexampleatboardlevel,andshouldbereadilyavailabletostaffatalllevels.

7.2 Thepolicyprovidesamandatefortherecordsandinformationmanagementfunctionandaframeworkforsupportingstandards,proceduresandguidelines.Theprecisecontentswilldependontheparticularneedsandcultureoftheauthoritybutitshouldasaminimum:

a) Setouttheauthority’scommitmenttocreate,keepandmanagerecordswhichdocumentitsprincipalactivities;

12-LordChancellor’sCodeofPracticeonthemanagementofrecords

b) Outlinetheroleofrecordsmanagementanditsrelationshiptotheauthority’soverallbusinessstrategy;

c) Identifyandmakeappropriateconnectionstorelatedpolicies,suchasthosedealingwithemail,informationsecurityanddataprotection;

d) Definerolesandresponsibilities,includingtheresponsibilityofindividualstodocumenttheirworkintheauthority’srecordstotheextentthat,andinthewaythat,theauthorityhasdecidedtheirworkshouldbedocumented,andtousethoserecordsappropriately;

e) Indicatehowcompliancewiththepolicyandthesupportingstandards,proceduresandguidelineswillbemonitored.

7.3 Thepolicyshouldbekeptup-to-datesothatitreflectsthecurrentneedsoftheauthority.Onewayofensuringthisistoreviewitatagreedintervals,forexampleeverythreeorfiveyears,andaftermajororganisationalortechnologicalchanges,inordertoassesswhetheritneedsamendment.

7.4 Theauthorityshouldconsiderpublishingthepolicysothatmembersofthepubliccanseethebasisonwhichitmanagesitsrecords.

8 Keeping records to meet corporate requirements

Authorities should ensure they keep the records they will need for business, regulatory, legal and accountability purposes.

Deciding what records should be kept8.1 Authoritiesshouldconsiderwhatrecordstheyarelikelytoneedabouttheiractivities,andthe

risksofnothavingthoserecords,takingintoaccountthefollowingfactors:

a) Thelegislativeandregulatoryenvironmentwithinwhichtheyoperate.Thiswillbeamixtureofgenerallyapplicablelegislation,suchashealthandsafetylegislationandtheDataProtectionAct1998,andspecificlegislationapplyingtothesectororauthority.Forexample,theCharityCommissionisrequiredbyitslegislationtokeepanaccurateandup-to-dateregisterofcharities.Thisfactoralsoincludesstandardsapplyingtothesectororauthorityortoparticularfunctionssuchasfinance;

b) Theneedtorefertoauthoritativeinformationaboutpastactionsanddecisionsforcurrentbusinesspurposes.Forexample,problemssuchasoutbreaksoffootandmouthdiseasemayrecurandinordertodealwitheachnewoutbreakalocalauthorityneedsreliableinformationaboutwhatitdidduringpreviousoutbreaksandwhowasresponsibleforspecificmeasures,suchasclosingpublicfootpaths;

c) Theneedtoprotectlegalandotherrightsoftheauthority,itsstaffanditsstakeholders.Forexample,alocalauthorityneedstoknowwhatlandandbuildingsitownsinordertoensurepropercontrolofitsassetsandtoprotectitselfifchallenged;

d) Theneedtoexplain,andifnecessaryjustify,pastactionsintheeventofanaudit,publicinquiryorotherinvestigation.Forexample,theAuditCommissionwillexpecttofindaccuraterecordsofexpenditureofpublicfunds.Or,ifanapplicantcomplainstotheInformationCommissioner’sOffice(ICO)aboutthehandlingoroutcomeofanFOIrequest,theICOwill

LordChancellor’sCodeofPracticeonthemanagementofrecords-13

expecttheauthoritytoprovidedetailsofhowtherequestwashandledand,ifapplicable,whyitrefusedtoprovidetheinformation.

8.2 Havingconsideredthesefactors,authoritiesshouldsetbusinessrulesidentifying:

a) Whatrecordsshouldbekept,forexamplewhichdecisionsoractionsshouldberecorded;b) Bywhomthisshouldbedone,forexample,bythesenderorrecipientofanemailor

voicemail;c) Atwhatpointintheprocessortransactionthisshouldbedone,forexamplewhendraftsofa

documentshouldbefrozenandkeptasarecord;d) Whatthoserecordsshouldcontain;e) Whereandhowtheyshouldbestored,forexampleinacasefile.

8.3 Aspartofthisprocessauthoritiesshouldconsiderwhetheranyoftheserecordsshouldbesubjecttoparticularcontrolssoastoensuretheirevidentialvaluecandemonstratedifrequiredbyshowingthemto:

a) Beauthentic,thatis,theyarewhattheysaytheyare;b) Bereliable,thatis,theycanbetrustedasafullandaccuraterecord;c) Haveintegrity,thatis,theyhavenotbeenalteredsincetheywerecreatedorfiled;d) Beusable,thatis,theycanberetrieved,readandused.

Ensuring those records are kept8.4 Allstaffshouldbeawareofwhichrecordstheauthorityhasdecidedtokeepandoftheir

personalresponsibilitytofollowtheauthority’sbusinessrulesandkeepaccurateandcompleterecordsaspartoftheirdailywork.Managersofbusinessunits,programmesandprojectsshouldtakeresponsibilityforensuringthattheagreedrecordsoftheunit,programmeorproject’sworkarekeptandareavailableforcorporateuse.

8.5 Authoritiesshouldensurethatstaffcreatingorfilingrecordsareawareoftheneedtogivethoserecordstitlesthatreflecttheirspecificnatureandcontentssoastofacilitateretrieval.

8.6 Staffshouldalsobeawareoftheneedtodisposeofephemeralmaterialonaroutinebasis.Forexample,print-outsofelectronicdocumentsshouldnotbekeptafterthemeetingforwhichtheywereprinted,trivialemailsshouldbedeletedafterbeingread,andkeepingmultipleorpersonalcopiesofdocumentsshouldbediscouraged.

9 Records systems

Authorities should keep their records in systems that enable records to be stored and retrieved as necessary.

Choosing, implementing and using records systems 9.1 Authoritiesshoulddecidetheformatinwhichtheirrecordsaretobestored.Thereisno

requirementinthisCodeforrecordsandinformationtobecreatedandheldelectronically,but

1�-LordChancellor’sCodeofPracticeonthemanagementofrecords

iftheauthorityisoperatingelectronically,forexampleusingemailforinternalandexternalcommunicationsorcreatingdocumentsthroughwordprocessingsoftware,itisgoodpracticetoholdtheresultingrecordselectronically.Inaddition,authoritiesshouldnotethattheEIRrequirethemprogressivelytomakeenvironmentalinformationavailabletothepublicbyelectronicmeans(Regulation4).

9.2 Authoritiesarelikelytoholdrecordsandotherinformationinanumberofdifferentsystems.Thesesystemscouldincludeadedicatedelectronicdocumentandrecordsmanagementsystem,businesssystemssuchasacasemanagement,financeorgeographicalinformationsystem,awebsite,sharedworkspaces,audio-visualmaterialandsetsofpaperfileswithrelatedregisters.Insomecasesrelatedrecordsofthesamebusinessactivitiesmaybeheldindifferentformats,forexampledigitalfilesandsupportingpapermaterial.

9.3 Recordssystemsshouldbedesignedtomeettheauthority’soperationalneedsandusingthemshouldbeanintegralpartofbusinessoperationsandprocesses.Recordssystemsshouldhavethefollowingcharacteristics:

a) Theyshouldbeeasytounderstandandusesoastoreducetheeffortrequiredofthosewhocreateandusetherecordswithinthem.Easeofuseisanimportantconsiderationwhendevelopingorselectingasystem;

b) Theyshouldenablequickandeasyretrievalofinformation.WithdigitalsystemsthisshouldincludethecapacitytosearchforinformationrequestedundertheAct;

c) Theyshouldbesetupinawaythatenablesroutinerecordsmanagementprocessestotakeplace.Forexample,digitalsystemsshouldbeabletodeletespecifiedinformationinaccordancewithagreeddisposaldatesandleavetherestintact;

d) Theyshouldenablethecontextofeachrecordanditsrelationshiptootherrecordstobeunderstood.Inarecordsmanagementsystemthiscanbeachievedbyclassifyingandindexingrecordswithinafileplanorbusinessclassificationschemetobringtogetherrelatedrecordsandenablethesequenceofactionsandcontextofeachdocumenttobeunderstood.Thisapproachhastheaddedbenefitofenablinghandlingdecisions,forexamplerelatingtoaccessordisposal,tobeappliedtogroupsofrecordsinsteadoftoindividualrecords;

e) Theyshouldcontainbothinformationandmetadata.Metadataenablesthesystemtobeunderstoodandoperatedefficiently,therecordswithinthesystemtobemanagedandtheinformationwithintherecordstobeinterpreted;

f) Theyshouldprotectrecordsindigitalsystemsfromaccidentalorunauthorisedalteration,copying,movementordeletion;

g) Theyshouldprovidesecurestoragetothelevelofprotectionrequiredbythenature,contentsandvalueoftheinformationinthem.Fordigitalsystemsthisincludesacapacitytocontrolaccesstoparticularinformationifnecessary,forexamplebylimitingaccesstonamedindividualsorbyrequiringpasswords.Withpaperfilesthisincludesacapacitytolockstoragecupboardsorareasandtologaccesstothemandanywithdrawalofrecordsfromthem;

h) Theyshouldenableanaudittrailtobeproducedofoccasionsonwhichselectedrecordshavebeenseen,used,amendedanddeleted.

9.4 Recordssystemsshouldbedocumentedtofacilitatestafftraining,maintenanceofthesystemanditsreconstructionintheeventofanemergency.

LordChancellor’sCodeofPracticeonthemanagementofrecords-15

Limiting the active life of records within record systems9.5 Folders,filesandsimilarrecordassembliesshouldnotremainliveindefinitelywithacapacityfor

newrecordstobeaddedtothem.Theyshouldbeclosed,thatis,havetheircontentsfrozen,atanappropriatetime.

9.6 Thetriggerforclosurewillvaryaccordingtothenatureandfunctionoftherecords,theextenttowhichtheyreflectongoingbusinessandthetechnologyusedtostorethem.Forexample,completionoftheannualaccountingprocesscouldbeatriggerforclosingfinancialrecords,completionofaprojectcouldbeatriggerforclosingprojectrecords,andcompletionofformalitiesfollowingthedeathofapatientcouldbeatriggerforclosingthatperson’shealthrecord.Sizeisafactorandafoldershouldnotbetoobigtobehandledorscrutinisedeasily.Fordigitalrecordsatriggercouldbemigrationtoanewsystem.Authoritiesshoulddecidetheappropriatetriggerforeachrecordssystemandputarrangementsinplacetoapplythetrigger.

9.7 Newcontinuationorpartfilesshouldbeopenedifnecessary.Itshouldbecleartoanyonelookingatarecordwherethestorycontinues,ifapplicable.

10 Storage and maintenance of records

Authorities should know what records they hold and where they are, and should ensure that they remain usable for as long as they are required.

Knowing what records are held10.1 Theeffectivenessofrecordssystemsdependsonknowledgeofwhatrecordsareheld,

whatinformationtheycontain,inwhatformtheyaremadeaccessible,whatvaluetheyhavetotheorganisationandhowtheyrelatetoorganisationalfunctions.Withoutthisknowledgeanauthoritywillfinditdifficultto:

a) Locateandretrieveinformationrequiredforbusinesspurposesortorespondtoaninformationrequest;

b) ProduceaPublicationSchemeorareliablelistofinformationassetsavailableforre-use;c) Applythecontrolsrequiredtomanagerisksassociatedwiththerecords;d) Ensurerecordsaredisposedofwhennolongerneeded.

10.2 Authoritiesshouldgatherandmaintaindataonrecordsandinformationassets.Thiscanbedoneinvariousways,forexamplethroughsurveysorauditsoftherecordsandinformationheldbytheauthority.Itshouldbeheldinanaccessibleformatandshouldbekeptuptodate.

10.3 AuthoritiesshouldconsiderpublishingdetailsofthetypesofrecordstheyholdtohelpmembersofthepublicplanningtomakearequestforinformationundertheAct.

16-LordChancellor’sCodeofPracticeonthemanagementofrecords

Storing records10.4 Storageshouldprovideprotectiontothelevelrequiredbythenature,contentsandvalueofthe

informationinthem.Recordsandinformationwillvaryintheirstrategicandoperationalvaluetotheauthority,andintheirresidualvalueforhistoricalresearch,andstorageandpreservationarrangementsreflectingtheirvalueshouldbeputinplace.

10.5 Authoritiesshouldbeawareofanyspecificrequirementsforrecordsstoragethatapplytothem.Forexample,theAdoptionNationalMinimumStandardsissuedbytheDepartmentofHealthandtheWelshAssemblyGovernmentin2003requireindexesandcasefilesforchildrentobesecurelystoredtominimisetheriskofdamagefromfireorwater.

10.6 Storageshouldfollowacceptedstandardsinrespectofthestorageenvironment,fireprecautions,healthandsafetyand,ifapplicable,physicalorganisation.Itshouldalloweasyandefficientretrievalofinformationbutalsominimisetheriskofdamage,lossorunauthorisedaccess.

10.7 Recordsthatarenolongerrequiredforfrequentreferencecanberemovedfromcurrentsystemstooff-lineornearoff-line(fordigitalmedia)ortooff-site(forpaper)storagewherethisisamoreeconomicalandefficientwaytostorethem.Theyshouldcontinuetobesubjecttonormalrecordsmanagementcontrolsandprocedures.

10.8 Thewhereaboutsofrecordsshouldbeknownatalltimesandmovementoffilesandotherphysicalrecordsbetweenstorageareasandofficeareasshouldbelogged.

Ensuring records remain usable10.9 Recordsshouldremainusableforaslongastheyarerequired.Thismeansthatitshould

continuetobepossibletoretrieve,useandrelyonthem.

10.10 Recordsindigitalsystemswillnotremainusableunlessprecautionsaretaken.Authoritiesshouldputinplaceastrategyfortheircontinuedmaintenancedesignedtoensurethatinformationremainsintact,reliableandusableforaslongasitisrequired.Thestrategyshouldprovideforupdatingofthestoragemediaandmigrationofthesoftwareformatwithinwhichtheinformationandmetadataareheld,andforregularmonitoringofintegrityandusability.

10.11 Recordsindigitalsystemsareparticularlyvulnerabletoaccidentalorunauthorisedalteration,copying,movementordeletionwhichcanhappenwithouttrace.Thisputsatriskthereliabilityoftherecordswhichcoulddamagetheauthority’sinterests.Authoritiesshouldassesstheserisksandputappropriatesafeguardsinplace.

10.12 Back-upcopiesofrecordsindigitalsystemsshouldbekeptandstoredsecurelyinaseparatelocation.Theyshouldbecheckedregularlytoensurethatthestoragemediumhasnotdegradedandtheinformationremainsintactandcapableofbeingrestoredtooperationaluse.Back-upsshouldbemanagedinawaythatenablesdisposaldecisionstobeappliedsecurelywithoutcompromisingtheauthority’scapacitytorecoverfromsystemfailuresandmajordisasters.

LordChancellor’sCodeofPracticeonthemanagementofrecords-17

10.13 Physicalrecordssuchaspaperfilesmayalsorequireregularmonitoring.Forexample,formatssuchasearlyphotocopiesmaybeatriskoffading,andregularchecksshouldbemadeofanyinformationinsuchformatsthatisofcontinuingvaluetotheauthority.

10.14 Metadataforrecordsinanyformatshouldbekeptinsuchawaythatitremainsreliableandaccessibleforaslongasitisrequired,whichwillbeatleastforthelifeoftherecords.

Business continuity plans10.15 Businesscontinuityplansshouldidentifyandsafeguardrecordsconsideredvitaltothe

organisation,thatis:

a) Recordsthatwouldbeessentialtothecontinuedfunctioningorreconstitutionoftheorganisationintheeventofadisaster;

b) Recordsthatareessentialtoongoingprotectionoftheorganisation’slegalandfinancialrights.

Theplansshouldincludeactionstoprotectandrecovertheserecordsinparticular.

11 Security and access

Authorities should ensure that records are stored securely and that access to them is controlled.

11.1 Authoritiesshouldensurethattheirstoragearrangements,handlingproceduresandarrangementsfortransmissionofrecordsreflectacceptedstandardsandgoodpracticeininformationsecurity.Itisgoodpracticetohaveaninformationsecuritypolicyaddressingthesepoints.

11.2 Easeofinternalaccesswilldependonthenatureandsensitivityoftherecords.Accessrestrictionsshouldbeappliedwhennecessarytoprotecttheinformationconcernedandshouldbekeptuptodate.Particularcareshouldbetakenwithpersonalinformationaboutlivingindividualsinordertocomplywiththe7thdataprotectionprinciple,whichrequiresprecautionsagainstunauthorisedorunlawfulprocessing,damage,lossordestruction.WithincentralGovernment,particularcareshouldbetakenwithinformationbearingaprotectivemarking.Otherinformation,suchasinformationobtainedonaconfidentialbasis,mayalsorequireparticularprotection.

11.3 Transmissionofrecords,especiallyoutsidetheauthority’spremises,shouldrequireauthorisation.Themethodoftransmissionshouldbesubjecttoriskassessmentbeforeadecisionismade.

11.4 Externalaccessshouldbeprovidedinaccordancewithrelevantlegislation.

11.5 Anaudittrailshouldbekeptofprovisionofaccess,especiallytopeopleoutsidetheimmediateworkarea.

18-LordChancellor’sCodeofPracticeonthemanagementofrecords

12 Disposal of records

Authorities should define how long they need to keep particular records, should dispose of them when they are no longer needed and should be able to explain why records are no longer held.

12.1 ForthepurposeofthisCode,disposalmeansthedecisionastowhethertherecordshouldbedestroyed,transferredtoanarchivesserviceforpermanentpreservationorpresented,14andtheputtingintoeffectofthatdecision.

General principle 12.2 Asageneralprinciple,recordsshouldbekeptforaslongastheyareneededbytheauthority:for

referenceoraccountabilitypurposes,tocomplywithregulatoryrequirementsortoprotectlegalandotherrightsandinterests.Destructionattheendofthisperiodensuresthatofficeandserverspacearenotusedandcostsarenotincurredinmaintainingrecordsthatarenolongerrequired.Forrecordscontainingpersonalinformationitalsoensurescompliancewiththe5thdataprotectionprinciplewhichrequiresthatpersonaldataiskeptonlyforaslongasitisneeded.

12.3 Recordsshouldnotbekeptaftertheyhaveceasedtobeofusetotheauthorityunless:

a) Theyareknowntobethesubjectoflitigationorarequestforinformation.Ifso,destructionshouldbedelayeduntilthelitigationiscompleteor,inthecaseofarequestforinformation,allrelevantcomplaintandappealprovisionshavebeenexhausted;

b) Theyhavelong-termvalueforhistoricalorotherresearchandhavebeenorshouldbeselectedforpermanentpreservation.(Notethatrecordscontainingpersonalinformationcanbekeptindefinitelyforhistoricalresearchpurposesbecausetheytherebybecomeexemptfromthe5thdataprotectionprinciple.)

c) TheycontainorrelatetoinformationrecentlyreleasedinresponsetoarequestundertheAct.Thismayindicatehistoricalvalueanddestructionshouldbedelayedwhilethisisre-assessed.

Making disposal decisions12.4 Disposalofrecordsshouldbeundertakenonlyinaccordancewithclearlyestablishedpolicies

that:

a) Reflecttheauthority’scontinuingneedforaccesstotheinformationorthepotentialvalueoftherecordsforhistoricalorotherresearch;

b) Arebasedonconsultationbetweenrecordsmanagementstaff,staffoftherelevantbusinessunitand,whereappropriate,otherssuchaslegaladvisers,archivistsorexternalexperts;

c) Havebeenformallyadoptedbytheauthority;d) Areappliedbyproperlyauthorisedstaff;e) Takeaccountofsecurityandconfidentialityneeds.

12.5 Thepoliciesshouldtaketheformof:

14Presentationisallowedbysection3(6)ofthePublicRecordsAct1958.IttransfersownershipoftherecordstothereceivingbodyandisundertakenbyTheNationalArchivesinconsultationwiththeauthority.

LordChancellor’sCodeofPracticeonthemanagementofrecords-19

a) Anoverallpolicy,statinginbroadtermsthetypesofrecordslikelytobeselectedforpermanentpreservation.Thepolicycouldbeaseparatepolicy,partoftherecordsmanagementpolicyorapreambletoadisposalschedule;

b) Disposalschedules15whichidentifyanddescriberecordstowhichapre-defineddisposalactioncanbeapplied,forexampledestroyxyearsafter[triggerevent];reviewafteryyears,transfertoarchivesforpermanentpreservationafterzyears.

12.6 Disposalschedulesshouldcontainsufficientdetailsabouttherecordstoenabletherecordstobeeasilyidentifiedandthedisposalactionappliedtothemonaroutineandtimelybasis.Theamountofdetailindisposalscheduleswilldependontheauthority’sneedsbuttheyshouldatleast:

a) Describetherecords,includinganyrelevantreferencenumbers;b) Identifythefunctiontowhichtherecordsrelateandthebusinessunitforthatfunction

(ifthatisnotclear);c) Specifytheretentionperiod,i.e.howlongtheyaretobekept;d) Specifywhatistohappentothemattheendofthatperiod,i.e.thedisposalaction;e) Notethelegal,regulatoryorotherreasonforthedisposalperiodandaction,forexamplea

statutoryprovision.

Disposalschedulesshouldbearrangedinthewaythatbestmeetstheauthority’sneeds.

12.7 Disposalschedulesshouldbekeptuptodateandshouldbeamendedifarelevantstatutoryprovisionchanges.However,authoritiesshouldconsiderkeepinginformationaboutpreviousprovisionssothatthebasisonwhichrecordswerepreviouslydestroyedcanbeexplained.

12.8 Ifanyrecordsarenotincludedindisposalschedules,specialarrangementsshouldbemadetoreviewthemanddecidewhethertheycanbedestroyedorshouldbeselectedforpermanentpreservation.Decisionsofthisnatureshouldbedocumentedandkepttoprovideevidenceofwhichrecordshavebeenidentifiedfordestruction,whenthedecisionwasmade,andthereasonsforthedecision,wherethisisnotapparentfromtheoverallpolicy.

Implementing disposal decisions12.9 Disposalschedulesanddisposaldecisionsshouldbeimplementedbyproperlyauthorised

staff.Implementationarrangementsshouldtakeaccountofvariationscausedby,forexample,outstandingrequestsforinformationorlitigation.

12.10 Recordsscheduledfordestructionshouldbedestroyedinassecureamannerasrequiredbythelevelofconfidentialityorsecuritymarkingstheybear.Forexample,recordscontainingpersonalinformationaboutlivingindividualsshouldbedestroyedinawaythatpreventsunauthorisedaccess(thisisrequiredtocomplywiththe7thdataprotectionprinciple).Withdigitalrecordsitmaybenecessarytodomorethanoverwritethedatatoensuretheinformationisdestroyed.

15Someauthoritiesusetheterm‘retentionschedules’.Because‘retention’hasaspecificmeaninginPart2oftheCode,theterm

disposalschedulesisusedthroughouttheCode.

20-LordChancellor’sCodeofPracticeonthemanagementofrecords

12.11 Whendestructioniscarriedoutbyanexternalcontractor,thecontractshouldstipulatethatthesecurityandaccessarrangementsestablishedfortherecordswillcontinuetobeapplieduntildestructionhastakenplace.

12.12 Insomecasestherewillbemorethanonecopyofarecord.Forexample,therearelikelytobeback-upcopiesofdigitalrecords,ortheremaybedigitalcopiesofpaperrecords.Arecordcannotbeconsideredtohavebeencompletelydestroyeduntilallcopies,includingback-upcopies,havebeendestroyed,ifthereisapossibilitythatthedatacouldberecovered.

Documenting the destruction of records12.13 Detailsofdestructionofrecordsshouldbekept,eitheraspartoftheaudittrailmetadata

orseparately.Ideally,someevidenceofdestructionshouldbekeptindefinitelybecausethepreviousexistenceofrecordsmayberelevantinformation.However,thelevelofdetailandforhowlongitshouldbekeptwilldependonanassessmentofthecostsandtheriskstotheauthorityifdetailedinformationcannotbeproducedonrequest.

12.14 Attheveryleastitshouldbepossibletoprovideevidencethataspartofroutinerecordsmanagementprocessesdestructionofaspecifiedtypeofrecordofaspecifiedagerangetookplaceinaccordancewithaspecifiedprovisionofthedisposalschedule.Evidenceofthisnaturewillenableanauthorityanditsstafftoexplainwhyrecordsspecifiedinacourtordercannotbeprovidedortodefendthemselvesagainstachargeundersection77oftheActthatrecordsweredestroyedinordertopreventtheirdisclosureinresponsetoarequestforinformation.

Records for permanent preservation12.15 Recordsselectedforpermanentpreservationandnolongerrequiredbytheauthorityshould

betransferredtoanarchivesservicethathasadequatestorageandpublicaccessfacilities.Transfershouldtakeplaceinanorderlymannerandwithalevelofsecurityappropriatetotheconfidentialityoftherecords.

12.16 Part2oftheCodesetsoutthearrangementsthatapplytothereviewandtransferofpublicrecords.TheapproachsetoutinPart2mayberelevanttothereviewandtransferofothertypesofrecordsalso.

13 Records created in the course of collaborative working or through out-sourcing

Authorities should ensure that records shared with other bodies or held on their behalf by other bodies are managed in accordance with the Code.

13.1 Whenauthoritiesareworkinginpartnershipwithotherorganisations,sharinginformationandcontributingtoajointrecordssystem,theyshouldensurethatallpartiesagreeprotocolsthatspecify:

a) Whatinformationshouldbecontributedandkept,andbywhom;b) Whatlevelofinformationsecurityshouldbeapplied;c) Whoshouldhaveaccesstotherecords;

LordChancellor’sCodeofPracticeonthemanagementofrecords-21

d) Whatdisposalarrangementsshouldbeinplace;e) WhichbodyholdstheinformationforthepurposesoftheAct.

13.2 Instructionsandtrainingshouldbeprovidedtostaffinvolvedinsuchcollaborativeworking.

13.3 Recordsmanagementcontrolsshouldbeappliedtoinformationbeingsharedwithorpassedtootherbodies.Particularprotectionshouldbegiventoconfidentialorpersonalinformation.Protocolsshouldspecifywhen,andunderwhatconditions,informationwillbesharedorpassed,anddetailsshouldbekeptofwhenthisinformationhasbeensharedorpassed.Detailsshouldbekeptalsoofhowundertakingsgiventotheoriginalsourceoftheinformationhavebeenrespected.

13.4 Someofanauthority’srecordsmaybeheldonitsbehalfbyanotherbody,forexampleabodycarryingoutworkfortheauthorityundercontract.TheauthorityonwhosebehalftherecordsareheldisresponsibleforensuringthattheprovisionsoftheCodeareappliedtothoserecords.

14 Monitoring and reporting on records and information management

Authorities should monitor compliance with the Code and assess the overall effectiveness of the programme.

14.1 Authoritiesshouldidentifyperformancemeasuresthatreflecttheirinformationmanagementneedsandarrangementsandtherisksthatnon-compliancewiththeCodewouldpresenttotheauthority,includingtheimpactonrisksidentifiedintheoverallriskmanagementframework.

14.2 Theperformancemeasurescouldbegeneralinnature,forexamplethatapolicyhasbeenissued,orcouldrefertoprocesses,suchastheapplicationofdisposalschedulestorelevantrecordswithdueauthorisationofdestruction,orcouldusemetricssuchasretrievaltimesforpaperrecordsheldoff-sitethathavebeenrequestedundertheAct.

14.3 Authoritiesshouldputinplacethemeansbywhichperformancecanbemeasured.Forexample,ifmetricsaretobeused,thedatafromwhichstatisticswillbegeneratedmustbekept.Qualitativeindicators,forexamplewhetherguidanceisbeingfollowed,canbemeasuredbyspotchecksorbyinterviews.

14.4 Monitoringshouldbeundertakenonaregularbasisandtheresultsreportedtothepersonwithleadresponsibilityforrecordsmanagementsothatriskscanbeassessedandappropriateactiontaken.

14.5 Assessingwhethertherecordsmanagementprogrammemeetstheneedsoftheorganisationisamorecomplextaskandrequiresconsiderationofwhattheprogrammeisintendedtoachieveandhowsuccessfulitisbeing.Thisrequiresconsiderationofbusinessbenefitsinrelationtocorporateobjectivesaswellasrisksandshouldincludeconsultationthroughouttheauthority.

22-LordChancellor’sCodeofPracticeonthemanagementofrecords

Part 2: Review and Transfer of Public Records

15 Purpose of Part 2

15.1 ThispartoftheCodeappliesonlytoauthoritieswhicharesubjecttothePublicRecordsAct1958orthePublicRecordsAct(NorthernIreland)1923.UnderthoseActs,authoritiesarerequiredtoidentifyrecordsworthyofpermanentpreservationandtransferthemtoTheNationalArchives16,aplaceofdepositforpublicrecordsorthePublicRecordOfficeofNorthernIrelandasappropriate.ThispartoftheCodesetsoutthearrangementswhichthoseauthoritiesshouldfollowtoensurethetimelyandeffectivereviewandtransferofpublicrecords.ArrangementsshouldbeestablishedandoperatedunderthesupervisionofTheNationalArchivesor,inNorthernIreland,inconjunctionwiththePublicRecordOfficeofNorthernIreland.

15.2 ThegeneralpurposeofthispartoftheCodeistofacilitatetheperformancebytheauthorities,TheNationalArchives,thePublicRecordOfficeofNorthernIrelandandplacesofdepositoftheirfunctionsundertheAct.Inreviewingrecordsforpublicaccess,authoritiesshouldensurethatpublicrecordsbecomeavailableattheearliestpossibletimeinaccordancewiththeActandtheEIR.

16 Selection of public records for permanent preservation

16.1 Section12oftheCodedescribesthearrangementsthatauthoritiesshouldfollowforthedisposalofrecords.Inthiscontext,disposalmeansthedecisionastowhethertherecordshouldbedestroyed,transferredtoanarchivesserviceforpermanentpreservationorpresented17andtheputtingintoeffectofthatdecision.

16.2 Authoritiesthathavecreatedorareotherwiseresponsibleforpublicrecordsshouldensurethattheyoperateeffectivearrangementstodeterminewhichrecordsshouldbeselectedforpermanentpreservationinaccordancewiththeguidanceinsection12.

17 Retention or transfer of public records

Records subject to the Public Records Act 195817.1 UnderthePublicRecordsAct1958,recordsselectedforpreservationmustbetransferredby

thetimetheyare30yearsold18unlesstheLordChancellorgivesauthorisationforthemtoberetainedinthedepartmentforafurtherperiodundersection3(4)ofthePublicRecordsAct1958.Recordsmaybetransferredearlierbyagreementbetweenthepartiesinvolved.

16SeeFootnote11foranexplanationofwhythisnamehasbeenusedintheCode17Seefootnote14.18Thedatebywhichrecordsmustbetransferrediscalculatedfromtheyearafterthelastdateonthefile.Itwasthesubjectofanindependentreviewin2008andtheCodewillbeamendedtoreflectanychangesintroducedasaconsequence.

LordChancellor’sCodeofPracticeonthemanagementofrecords-23

17.2 PublicrecordsmaybetransferredeithertoTheNationalArchivesortoaplaceofdepositforpublicrecordsappointedbytheLordChancellor19undersection4ofthatAct.Forguidanceonwhichrecordsmaybetransferredtowhicharchivesservice,andonthetransferofUKpublicrecordsrelatingtoNorthernIreland,seeAnnexB.Fortheavoidanceofdoubt,Part2oftheCodeappliestoallsuchtransfers.

17.3 AuthoritiesshouldsubmitapplicationstoretainrecordsforafurtherperiodtoTheNationalArchivesforreviewandadvice.TheLordChancellor’sAdvisoryCouncilwillthenconsiderthecaseinfavourofretentionforafurtherperiod.TheAdvisoryCouncilwillconsiderthecaseforretainingindividualrecords,orcoherentbatchesofrecords,onthebasisoftheguidanceinchapter9oftheWhitePaperOpenGovernment(Cm2290,1993)orsubsequentrevisionsofGovernmentpolicy.SomecategoriesofrecordsarecoveredbyastandardauthorisationbytheLordChancellor(knownas‘blanketretentions’)whicharereviewedevery10years.

Records subject to the Public Records Act (Northern Ireland) 192317.4 InNorthernIreland,transferunderthePublicRecordsAct(NorthernIreland)1923tothePublic

RecordOfficeofNorthernIrelandtakesplacenormallyat20years.Undersection3ofthatAct,recordsmayberetainedforafurtherperiodiftheprincipalofficerofthedepartment,orajudgeifcourtrecordsareinvolved,certifiestotheMinisterresponsibleforNorthernIrelandpublicrecordsthattheyshouldberetained.

18 Determining the access status of public records before transfer

The access review18.1 AuthoritiespreparingpublicrecordsfortransfertoTheNationalArchives,aplaceofdepositfor

publicrecordsorthePublicRecordOfficeofNorthernIrelandshouldreviewtheaccessstatusofthoserecords.Thepurposeofthisreviewisto:

a) ConsiderwhichinformationmustbeavailabletothepublicontransferbecausenoexemptionsundertheActortheEIRapply;

b) Considerwhethertheinformationmustbereleasedinthepublicinterest,notwithstandingtheapplicationofanexemptionundertheActortheEIR;

c) Considerwhichinformationmustbeavailabletothepublicat30yearsbecauserelevantexemptionsintheActhaveceasedtoapply;20

d) ConsiderwhichinformationshouldbewithheldfrompublicaccessthroughtheapplicationofanexemptionundertheActortheEIR.

18.2 Thoseundertakingthereviewshouldensurethatadequateconsultationtakesplace,bothwithintheauthorityandwithotherauthoritiesthatmightbeaffectedbythedecision,forexampleauthoritiesthatoriginallysuppliedtheinformation.Thisisparticularlyadvisableforrecordsbeingtransferredearlierthanrequired.

19TheLordChancellorhasdelegatedthepowertoappointplacesofdeposittotheChiefExecutiveofTheNationalArchivesoranotherofficerofappropriateseniority.20AtpresentsomeexemptionsintheActfallawayafter30years.Theirdurationwasthesubjectofanindependentreviewin2008andtheCodewillbeamendedtoreflectanychangesintroducedasaconsequence.

2�-LordChancellor’sCodeofPracticeonthemanagementofrecords

Public records to be transferred as open18.3 Iftheoutcomeofthereviewisthatrecordsaretobetransferredasopen,thetransferring

departmentshoulddesignatetherecordsasopen.TherewillbenoformalreviewofthisdesignationbyTheNationalArchives,placesofdepositorthePublicRecordOfficeofNorthernIreland.

Public records to be transferred as subject to an exemption - general18.4 Iftheoutcomeofthereviewisidentificationofspecifiedinformationwhichtheauthority

considersoughtnottobereleasedunderthetermsoftheActortheEIR,theauthorityshouldprepareaschedulethat:

a) Identifiestheinformationprecisely;b) Citestherelevantexemption(s);c) Explainswhytheinformationmaynotbereleased;d) Identifiesadateatwhicheitherreleasewouldbeappropriateorthecaseforreleaseshould

bereconsidered.

18.5 Authoritiesshouldconsiderwhetherpartsofrecordsmightbereleasedifthesensitiveinformationwereredacted,i.e.renderedinvisibleorblankedout.Informationthathasbeenredactedshouldbestoredsecurelyandshouldbereturnedtotheparentrecordwhentheexemptionhasceasedtoapply.

Public records to be transferred as subject to an exemption - The National Archives18.6 ThescheduledescribedaboveshouldbesubmittedtoTheNationalArchivesforreviewand

advicepriortotransfer.Iftheoutcomeofthereviewisthatsomeoralloftheinformationintherecordsshouldbeclosedafteritis30yearsold,theschedulewillbeconsideredbytheAdvisoryCouncil.TheAdvisoryCouncilmayrespondasfollows

a) Byacceptingthattheinformationmaybewithheldforlongerthan30yearsandearmarkingtherecordsforreleaseorre-reviewatthedateidentifiedbytheauthority;

b) Byacceptingthattheinformationmaybewithheldforlongerthan30yearsbutaskingtheauthoritytoreconsiderthelaterdatedesignatedforreleaseorre-review;

c) Byquestioningthebasisonwhichitisconsideredthattheinformationmaybewithheldforlongerthan30yearsandaskingtheauthoritytoreconsiderthecase;

18.7 IftheAdvisoryCouncilacceptsthattheinformationshouldbewithheld,therecordswillbetransferredasclosed(inwholeorinpartasappropriate)andtherelevantclosureperiodapplied.

Public records to be transferred as subject to an exemption - the Public Record Office of Northern Ireland 18.8 Thescheduledescribedatparagraph18.4shouldbesubmittedtothePublicRecord

OfficeofNorthernIrelandforreviewandadvice.

18.9 Iftheoutcomeofthereviewisthattherecordsshouldbeclosedaftertransfer,theschedulewillbeconsideredbytheSensitivityReviewGroup.TheSensitivityReviewGroupmayrespondasfollows:

LordChancellor’sCodeofPracticeonthemanagementofrecords-25

a) Byacceptingthattheinformationshouldbewithheldforlongerthan30yearsandearmarkingtherecordsforreleaseorre-reviewatthedateidentifiedontheschedule;

b) Byquestioningthebasisonwhichitisconsideredthattheinformationmaybewithheldforlongerthan30yearsandaskingtheresponsibleauthoritytoreconsiderthecase.

18.10 IftheSensitivityReviewGroupacceptsthattheinformationshouldbewithheld,therecordswillbetransferredasclosed(inwholeorinpartasappropriate)andtherelevantclosureperiodapplied.

Public records to be transferred as subject to an exemption - places of deposit for public records18.11 Placesofdepositshouldbeinformedwhichrecordscannotbemadepubliclyavailableon

transfer,whichexemptionsapplytotheinformationtheycontainandforwhatreason,andforhowlongthoseexemptionsshouldbeapplied.

19 Transmission of public records

19.1 Itistheresponsibilityofauthoritiestransferringrecordstoensurethatthoserecordsareadequatelypreparedandaretransferredwiththelevelofsecurityappropriatetotheconfidentialityoftheinformationtheycontain.

20 Access after transfer of public records

Freedom of Information requests after transfer20.1 Fortheavoidanceofdoubt,noneoftheactionsdescribedinthisCodeaffectsthestatutory

rightsofaccessestablishedundertheActortheEIR.RequestsforexemptinformationinpublicrecordstransferredtoTheNationalArchives,aplaceofdepositforpublicrecordsorthePublicRecordOfficeofNorthernIrelandwillbedealtwithonacasebycasebasisinaccordancewiththeprovisionsoftheActortheEIR.

Expiry of closure periods 20.2 Whenanexemptionhasceasedtoapplyundersection63oftheActtherecordswillbecome

automaticallyavailabletomembersofthepublicatthedatespecifiedinthefinalisedschedule(i.e.thescheduleafterithasbeenreviewedbytheAdvisoryCouncilortheSensitivityReviewGroupasappropriate).

20.3 Inothercases,iftheauthorityconcernedwishestoextendtheperiodduringwhichtheinformationistobewithheld,itshouldsubmitafurtherscheduleexplainingthesensitivityoftheinformation.Thisistobedonebeforetheexpiryoftheperiodstatedintheearlierschedule.Theprocessoutlinedatparagraphs18.6-18.10willthenbeapplied.InNorthernIreland,MinisterialagreementisrequiredforanyfurtherextensionoftheclosureperiodandreferraltotheMinisterwillbeanadditionalstageintheprocess.

26-LordChancellor’sCodeofPracticeonthemanagementofrecords

Annex A Glossary

Disposal –thedecisionastowhethertherecordshouldbedestroyed,transferredtoanarchivesserviceforpermanentpreservationorpresentedandtheputtingintoeffectofthatdecision.

Disposal schedules –schedulesthatidentifytypesofrecordsandspecifyforhowlongtheywillbekeptbeforetheyaredestroyed,designatedforpermanentpreservationorsubjectedtoafurtherreview.

Keeping records –inthecontextofthisCode,keepingrecordsincludesrecordingtheauthority’sactivitiesbycreatingdocumentsandothertypesofrecordsaswellashandlingmaterialreceived.

Metadata – informationaboutthecontextwithinwhichrecordswerecreated,theirstructureandhowtheyhavebeenmanagedovertime.Metadatacanrefertorecordswithindigitalsystems,forexampleeventlogdata.Itcanalsorefertosystemssuchaspaperfilesthatarecontrolledeitherfromadigitalsystemorbyaregisterorcardindex,forexamplethetitleandlocation.

Place of deposit –anarchivesofficeappointedtoreceive,preserveandprovideaccesstopublicrecordsthathavebeenselectedforpreservationbutarenottobetransferredtoTheNationalArchives.ThepowerofappointmenthasbeendelegatedbytheLordChancellortotheChiefExecutiveofTheNationalArchivesoranofficerofappropriateseniority.

Presentation –anarrangementunderthePublicRecordsAct1958wherebyrecordsthathavenotbeenselectedforpermanentpreservationarepresentedtoanappropriatebodybyTheNationalArchives.

Public records –recordsthataresubjecttothePublicRecordsAct1958orthePublicRecordsAct(NorthernIreland)1923.Therecordsofgovernmentdepartmentsandtheirexecutiveagencies,somenon-departmentalpublicbodies,thecourts,theNHSandthearmedforcesarepublicrecords.LocalgovernmentrecordsarenotpublicrecordsinEnglandandWalesbutthoseinNorthernIrelandare.

Records – informationcreated,received,andmaintainedasevidenceandinformationbyanorganizationorperson,inpursuanceoflegalobligationsorinthetransactionofbusiness.21

Retention –anarrangementunderthePublicRecordsAct1958wherebyauthoritiesarepermittedtodelaythetransferofspecifiedpublicrecordsforanagreedperiodandtoretainthemuntiltheendofthatperiod.

Records system –thetermusedforaninformationorprocesssystemthatcontainsrecordsandotherinformation.Itcanbeeitherapaper-basedsystemoradigitalsystem.Examplesarecorrespondencefileseries,digitalrecordsmanagementsystems,casemanagementsystems,function-specificsystemssuchasfinancesystems,etc.

21ThisdefinitionistakenfromBSISO15489-1:2001Informationanddocumentation–Recordsmanagement–Part1:General.

Lord Chancellor’s Code of Practice on the management of records - 27

Annex B Standards and guidance supporting the Code

Part 1 of the Code

1. British Standards (BSI)

Relevant Standards issued by the British Standards Institution include:

BS ISO 15489-1, Information and documentation – Records management – Part 1: General

BS ISO/IEC 27001: 2005, Information technology. Security techniques. Information security management systems. Requirements

BS ISO/IEC 27002: 2005, Information technology. Security techniques. Information security management systems. Code of Practice

BS 10008 Evidential weight and legal admissibility of electronic information - Specification

BS 8470:2006, Secure destruction of confidential material. Code of practice

BS 4783, Storage, transportation and maintenance of media for use in data processing and information storage

2. Standards and guidance produced by The National Archives for the management of public sector records

The Chief Executive of The National Archives, as head of profession for the knowledge and information function across Government, sets standards for the management of records in all formats, covering their entire life cycle. The standards are supported by guidance and toolkits. Advice for government departments can also be applied by other parts of the public sector. They are available on The National Archives website - see http://www.nationalarchives.gov.uk/services/default.htm?source=services In addition, a standard on metadata for records management is available through Govtalk – see http://www.govtalk.gov.uk/documents/Records_management_metadata_standard_2002.pdf

28-LordChancellor’sCodeofPracticeonthemanagementofrecords

3. Sector-specific guidance

Guidanceisavailableforspecificsectorsasfollows:

Central government InadditiontostandardsandguidanceissuedbyTheNationalArchivesreferredtoabove,protectedrecords22aresubjecttodatahandlingguidanceissuedbytheCabinetOffice-seehttp://www.cabinetoffice.gov.uk/mediacabinetoffice/csia/assets/dhr/cross_gov080625.pdf

Local government TheRecordsManagementSocietyhasissuedguidelinesondisposalandinformationauditsforlocalgovernment–seehttp://www.rms-gb.org.uk/resources.TheLocalGovernmentAssociationandWelshLocalGovernmentAssociationhaveissueddatahandlingguidanceforprotectedrecords–seehttp://www.idea.gov.uk/idk/aio/9048091

Further and higher educationJISC(JointInformationSystemsCommittee)InfonethasproducedaninformationmanagementInfokit–seehttp://www.jiscinfonet.ac.uk/information-management

Schools TheRecordsManagementSocietyhasissuedarecordsmanagementtoolkitforschools–see

http://www.rms-gb.org.uk/resources/848

The policeTheHomeSecretaryhasissuedacodeofpracticeonthemanagementofpoliceinformation–seehttp://police.homeoffice.gov.uk/news-and-publications/publication/operational-policing/CodeofPracticeFinal12073.pdf?view=Standard&pubID=224859

ItissupportedbyguidanceproducedbytheNationalCentreofPolicingExcellenceonbehalfoftheAssociationofChiefPoliceOfficers–seehttp://www.npia.police.uk/en/8492.htmhttp://www.crimereduction.homeoffice.gov.uk/policing21.htm

22Thescopeoftheterm‘protectedrecords’isexplainedwithinthedocument.

LordChancellor’sCodeofPracticeonthemanagementofrecords-29

The National Health ServiceTheDepartmentofHealthhasissuedacodeofpracticefortheNHS-seehttp://www.dh.gov.uk/enPublicationsandstatistics/Publications/PublicationsPolicyAndGuidance/DH_4131747

Part 2 of the Code

4. Transfer of records to the National Archives or a place of deposit

TheNationalArchiveshaspublishedguidanceondeterminingwhetherrecordsshouldbetransferredtoTheNationalArchivesoraplaceofdepositforpublicrecords–seetheAcquisition and Disposition Strategyandsupportingguidanceathttp://www.nationalarchives.gov.uk/documents/acquisition_strategy.pdfandhttp://www.nationalarchives.gov.uk/recordsmanagement/disposition/faq.htm

ForguidanceonthepreparationofrecordsfortransfertotheNationalArchives,includingcataloguing,seehttp://www.nationalarchives.gov.uk/recordsmanagement/advice/standards.htmandhttp://www.nationalarchives.gov.uk/recordsmanagement/advice/cataloguing.htm

Forguidanceonthetransferofrecordstoplacesofdepositsee

http://www.nationalarchives.gov.uk/documents/foi_guide.pdf

5. Transfer of records to the Public Record Office of Northern Ireland

ThePublicRecordOfficeofNorthernIrelandhaspublishedguidanceontransferringrecords–seehttp://www.proni.gov.uk/index/professional_information/records_and_information_management.htm

6. Determining whether exemptions apply

GuidanceonFOIexemptionshasbeenissuedbytheInformationCommissioner’sOffice,theregulatorofboththeActandtheEIR–seehttp://www.ico.gov.uk/tools_and_resources/document_library/freedom_of_information.aspxGuidancehasalsobeenissuedbytheMinistryofJustice–seehttp://www.justice.gov.uk/guidance/foi-exemptions-guidance.htm

30-LordChancellor’sCodeofPracticeonthemanagementofrecords

GuidanceonEIRexceptionshasbeenissuedbytheDepartmentoftheEnvironment,FoodandRuralAffairs–seehttp://www.defra.gov.uk/corporate/opengov/eir/guidance/full-guidance/pdf/guidance-7.pdf

GuidancehasalsobeenissuedbyTheNationalArchives:AccesstoPublicRecords-seehttp://www.nationalarchives.gov.uk/documents/access_manual.pdfand

Redaction:guidelinesfortheeditingofexemptinformationfrompaperandelectronicdocumentspriortorelease-seehttp://www.nationalarchives.gov.uk/documents/redaction_toolkit.pdf

© Crown copyright 2009

The text in this document (excluding the Royal Arms and other departmental or agency logos) may be reproduced

free of charge in any format or medium providing it is reproduced accurately and not used in a misleading context.

The material must be acknowledged as Crown copyright and the title of the document specified.

Where we have identified any third party copyright material you will need to obtain permission from the copyright

holders concerned.

For any other use of this material please write to Office of Public Sector Information , Information Policy Team,

Kew, Richmond, Surrey TW9 4DU or email: licensing@opsi.gov.uk