Is guidance available on how to apply Records Management in my area?
Yes. Records retention schedule (RRS) templates have been developed to enable Colleges, Schools/Departments, and RICUs to prepare their own local schedules, while RRS have been agreed and approved for all administrative functional areas of the University. RRS set out what records are held in each area in all formats, grouped by series, and state how long they should be kept (retention), and what should happen to them at the end of that time (disposal).
RRS are supported by Procedures and Guidelines, covering everything from creating and saving records, to destruction/deletion, transfer to archives, and review of records. These documents form part of UCC’s Records Management framework, at the top of which is the Records Management Policy.
Further information and training materials are available on the website. Information sessions and training will be delivered periodically. If you have specific questions or queries, please contact the University Archives: firstname.lastname@example.org; +353 (0)21 490 2753.
Where should I store my records?
IT Services make several platforms available for UCC staff (eg, OneDrive, SharePoint/Teams, Quickminutes) and provide guidance on their use. It is important, however, that the platform used is backed up and supported by IT Services. It is also useful, in the context of records management, that all staff within a unit processing similar records do so using shared folders or libraries within a single shared system. This enables collaboration and cover for operational purposes, and allows structures based on records retention schedules to be built into the design of directories/libraries (see Procedure). Such structures provide a shared master set of records, and facilitate the carrying out of Records Management actions, eg, deletion, review of older records at the end of their retention period.
Records and data held within enterprise systems, eg, Core, Agresso, are managed separately, and individual staff members are not responsible for carrying out records management disposal actions in respect of such data. As UCC’s records management services develop over time, new procedures, and even new platforms, may be developed and applied.
What's wrong with saving to my hard drive?
Saving records to your PC’s hard drive, or to a local server or system not within UCC’s IT Services security infrastructure, creates serious vulnerabilities for records management, data protection, and IT security. Firstly, as only you have access to your hard drive, and as it is not linked to a network such as NAS, your records and data will not form part of any structure, eg, shared file directories, put in place to enable records management. You will be responsible for performing your own records management actions, and these will be more difficult to verify in the context of an audit. Consistency, transparency, and accountability will all be impaired.
From a data protection perspective, records you save containing personal data will not be protected by IT Services’ security infrastructure. It is a principle and requirement of DP legislation that personal data is processed subject to ‘appropriate security’ using ‘appropriate technical or organisational measures’. These may include appropriate UCC servers or approved external hosting arrangements. By saving to your hard drive you lose the protections which IT Services offer and you expose UCC to risk arising from any security breach affecting your hard drive.
The security of records and data on hard drives may be compromised in several ways, eg,
- loss of or damage to your PC or other device, leading to loss of data that has not been backed up,
- malware attacks or phishing risks arising from e-mails or infected files or flash drives,
- impact on operational performance and compliance arising from your absence (eg, records of key decisions, or of relevance to an FOI request, may be inaccessible).
Remember, records relating to University business created in the course of your work are University records. We all have a responsibility for the proper management and protection of University records and data in our care, and we are supported in this by UCC’s Records Management, Data Protection, and IT security services.
Does Records Management have anything to do with Data Protection?
Yes. One of the principles of Data Protection legislation is that identifiable personal data is retained for no longer than is necessary to meet the legitimate purposes for which it was gathered and processed (‘storage limitation’). Records Management enables compliance with this principle, as it sets out, through Records Retention Schedules (RRS), the approved retention periods and disposal actions for University records.
You may check the RRS for your area to see how long records in each records series are to be kept (a series is a grouping of related records with the same retention period). This information may be added to the relevant column in your area’s Register of Data Processing Activities. Where destruction/deletion is the disposal action at the end of the retention period, the related Procedure may be put into effect and documented. Other disposal actions, subject to their own Procedures, are ‘archive’ (for records of ongoing historical/research value) and ‘review’ (where further inspection is needed to assess ongoing value).
By applying and documenting disposal in line with RRS, you are demonstrating compliance, not only with the GDPR principle of storage limitation, but also those of transparency and accountability.
What is a Master Record?
The master copy of a record is the official version of that record for records management purposes.
The master record exists from the point of creation, not just once the record is no longer edited.
When a record is superseded by an updated version it may still be a master record, eg, where academic or other regulations are updated annually, the previous year’s regulations will remain the master record for that year. Similarly, earlier versions of a policy which came into effect will remain the master record for the period in which they were in force, notwithstanding that they may have been superseded by a new approved version over time.
There can only be one master copy of each record. All other copies are simply that: copies.
Copies are created for operational and collaborative purposes, but are not subject to the same retention period and disposal requirements as the master copy. Unless otherwise specified in retention schedules, copies and other non-master records (eg, superseded drafts) may be destroyed/deleted once of no further operational or reference value, and, at a maximum, should not be kept for any longer than the corresponding master record.
Some copy records, eg, local copies of invoices and purchase orders, are specified in retention schedules to be retained for three years, despite the master record being held by Finance on the Agresso system. This is in response to feedback from many areas regarding the usefulness of keeping local copies for a limited period for reference and internal audit purposes. Similarly, assessment records are held within schools etc for a period of 13 months after the end of the relevant appeals period, after which the formal records captured in Student Records and Examinations (on ITS, DMIS, and broadsheets) become the master records (retained permanently as archives).
Copy records or other records which are superseded by a master record, as in the examples above, are included as series in the records retention schedules.
Remember, the master copy of a record exists for all stages of its development, and in its early stage a draft may be the master copy.
What should I do with older records in my area and in storage?
Older, or legacy, records, created before the publication of the new Records Retention Schedules (RRS) are also subject to the retention periods and disposal actions set out in them. It is recognised, however, that reviewing legacy records against the new RRS may be difficult and time-consuming. It is recommended that areas focus at first on records created from here on out, creating digital and hard copy filing structures that reflect the series in the RRS and facilitate performance of disposal actions.
Legacy records, in hard copy (eg, paper files) and digital (eg, network folder) formats, may be addressed over time. Once records management practices for newer records are up and running, it should be easier to apply them to older records, including digital network folders. For example, lists of records in commercial off-site storage may be reviewed, the series to which records in each box belong identified, and the disposal date calculated. Controlled destruction of such records, in line with Procedure, can lead to considerable cost savings. Similarly, extra space may be freed up in work areas, and network folders may become much less cluttered. Importantly, recordkeeping in your area will become more compliant, based on a phased and documented approach.
It is recommended that, after disposal actions have been successfully performed for newer records for the first time, and staff have become more familiar with the procedures and processes involved, legacy records be included when disposal actions next take place.
Are e-mails covered by Records Management, and how do I manage them?
Yes, e-mails are records for the purposes of records management, where they relate to University business and are created in the course of your work. Ideally, all work e-mails should be saved with related records, eg, in a folder or library on that topic, but it is accepted that this is not always practical. Advice is included on reviewing and mass deleting older e-mails of no further value.
We are working with IT Services and other stakeholders to ensure that technical solutions developed over time to support records management will make it easier to manage e-mails through built-in functionality, eg, by ‘dragging and dropping’ them to relevant folders or tagging to allow them to be identified and disposed of as required, in line with related records.
How does Records Management help me?
Records management delivers consistent, transparent, and accountable recordkeeping. It helps you achieve compliance with legislation (eg, GDPR), University policies, and best practice. It makes clear staff and management responsibilities regarding records and data. It provides a structure for arranging records which supports not only records management, but also consistent and clear work processes. It facilitates the controlled destruction and deletion of records of no further value, freeing up space, reducing storage costs, and addressing clutter within digital folder directories and libraries. It ensures those records which are of permanent historical value are preserved as archives, preserving the heritage of the University and the legacy of your work. Altogether, records management promotes and supports greater organisational efficiency and effectiveness, while protecting what’s important.