BLS Stay Compliant

Getting Records Management Right: Avoiding Breaches and SAR Failures

The ICO states:
‘If processes for creating records are not controlled and documented clearly, records may be created with inaccurate information or inappropriately communicated. This may breach articles 5(1)(d-f), 5(2), and 32 of the UK GDPR.

If records cannot be located or retrieved accurately due to ineffective indexing, statutory requirements and timeframes may not be met. This may breach articles 12-21 of the UK GDPR or FOI section 10.’

In practical terms, what does good records management look like, and what are the potential pitfalls if your records are not managed well?

Record Creation

Have you got a robust system in place for the creation of new records, including how to classify and index them? This provides a uniform approach and so promotes the consistent, repeatable processes that every Senior Information Risk Owner (SIRO) aims for.

Policy and Procedure

Are your records management policies and procedures up to date and accessible to all staff, so that your expectations are clear? Does everyone within your organisation, including volunteers, Trustees and Non-Executive Directors, follow these policies?

Record Storage and Location

Have you carefully considered where your records are stored? For example, are your hard copies kept in indexed filing cabinets rather than in a few Sainsbury’s carrier bags at the back of a store cupboard (other carrier bags are available!)?

For electronic records, knowing where they are held is equally important. This includes understanding whether the servers (physical or cloud based) are located in the UK or overseas and, if overseas, what additional risks this brings.

In both cases it is vital to hold an accurate and up-to-date Information Asset Register (IAR) / Record of Processing Activities (RoPA). Together these give you an accurate and robust picture, at all times, of where your data is stored and how secure it is.

Retention Schedule

A retention schedule is imperative for any organisation, to ensure that documents and information are retained only for as long as you need them. It must cover the full range of data held, including emails.

Role Based Access

Ensuring that only authorised individuals have access to sensitive data is imperative to maintaining data security. To achieve high standards, organisations should carefully consider: what access new starters are granted, and when; how access for agency staff is managed; the process for revoking access in a timely manner when people leave; and how access levels are adjusted when staff move to new posts in other departments within your company.
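The joiner, mover and leaver checks described above can be run as a routine reconciliation of your system accounts against the HR roster. The script below is an added example, not a BLS tool or a page-described product: it assumes a constructed HR roster, a constructed export of accounts and their entitlements, and an assumed policy table of which entitlements each department should hold. It flags leavers (including agency staff) who still have active accounts, movers who kept access from their previous department, starters given access before their start date, and accounts with no HR record at all.

```python
"""Joiner / mover / leaver access reconciliation (added example).

Inputs are constructed for illustration: an HR roster, an export of
system accounts with entitlements, and an assumed role-to-entitlement
policy. Nothing here is real organisational data.
"""
from datetime import date

# Assumed policy: the entitlements each department is expected to hold.
ROLE_ENTITLEMENTS = {
    "finance": {"finance-ledger", "shared-drive"},
    "hr": {"hr-records", "shared-drive"},
    "agency-temp": {"shared-drive"},
}

# Constructed HR roster: who works here, where, and their start/leave dates.
HR_ROSTER = [
    {"user": "asmith", "dept": "finance", "start": date(2023, 1, 9), "leave": None},
    {"user": "bjones", "dept": "hr", "start": date(2021, 6, 1), "leave": date(2024, 3, 31)},
    {"user": "cpatel", "dept": "hr", "start": date(2022, 2, 14), "leave": None},
    {"user": "dlee", "dept": "finance", "start": date(2024, 7, 1), "leave": None},
    {"user": "etemp", "dept": "agency-temp", "start": date(2024, 4, 1), "leave": date(2024, 4, 30)},
    {"user": "fnew", "dept": "finance", "start": date(2024, 10, 1), "leave": None},
]

# Constructed account export: active flag plus the entitlements actually held.
ACCOUNTS = [
    {"user": "asmith", "active": True, "entitlements": {"finance-ledger", "shared-drive"}},
    {"user": "bjones", "active": True, "entitlements": {"hr-records", "shared-drive"}},
    # cpatel moved from finance to HR but kept the finance entitlement.
    {"user": "cpatel", "active": True, "entitlements": {"hr-records", "finance-ledger", "shared-drive"}},
    {"user": "dlee", "active": True, "entitlements": {"finance-ledger"}},
    # etemp's agency contract ended but the account was never disabled.
    {"user": "etemp", "active": True, "entitlements": {"shared-drive"}},
    # fnew has not started yet but already has a live account.
    {"user": "fnew", "active": True, "entitlements": {"finance-ledger"}},
    # svc-backup has no HR record, so nobody owns it.
    {"user": "svc-backup", "active": True, "entitlements": {"shared-drive"}},
]


def reconcile(roster, accounts, today):
    """Return a list of findings, each {user, kind, detail}, sorted by user."""
    roster_by_user = {r["user"]: r for r in roster}
    findings = []
    for acct in accounts:
        user = acct["user"]
        person = roster_by_user.get(user)
        if person is None:
            findings.append({"user": user, "kind": "orphan",
                             "detail": "account has no HR record"})
            continue
        if not acct["active"]:
            continue  # disabled accounts are the desired end state for leavers
        if person["leave"] is not None and person["leave"] < today:
            days = (today - person["leave"]).days
            findings.append({"user": user, "kind": "leaver",
                             "detail": f"left {person['leave']}, account still active after {days} days"})
            continue
        if person["start"] > today:
            findings.append({"user": user, "kind": "early-joiner",
                             "detail": f"account active before start date {person['start']}"})
        # Mover check: anything beyond the current department's role is excess.
        expected = ROLE_ENTITLEMENTS.get(person["dept"], set())
        excess = acct["entitlements"] - expected
        if excess:
            findings.append({"user": user, "kind": "excess",
                             "detail": f"holds {sorted(excess)} not in the {person['dept']} role"})
    return sorted(findings, key=lambda f: (f["user"], f["kind"]))


def finding_kinds(findings):
    """Collapse findings to (user, kind) pairs for quick review or assertions."""
    return sorted((f["user"], f["kind"]) for f in findings)


if __name__ == "__main__":
    for f in reconcile(HR_ROSTER, ACCOUNTS, date(2024, 9, 1)):
        print(f"{f['user']:<12}{f['kind']:<14}{f['detail']}")
```

Run against the constructed data as of 1 September 2024, it reports one leaver still active five months on, one agency leaver still active, one mover holding their old department's entitlement, one starter with access before their start date, and one orphaned account; asmith and dlee produce no findings. In a real deployment the two inputs would come from your HR system and your identity provider's export, and the policy table from your access control matrix.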

Potential Issues

In recent weeks and months we have supported organisations that have experienced two key issues as a result of their records management practices:

  1. Data breaches. If records management processes are not sufficiently robust, this can lead to a range of data breaches, including destroying records before they should be destroyed and sharing or losing records accidentally.
  2. Subject Access Requests. It is increasingly common for organisations to receive SARs, so it is really important that your records management processes are strong, as they have a direct and significant impact on your ability to process a SAR. This is usually due to two factors:
    • The time taken to search all records, including emails, which are often held for years and used as a filing system.
    • Subsequently, the time it takes to read and review all relevant records, including multiple copies of emails.

As such, it is imperative that your records management systems and processes are as strong as possible.

How BLS Can Help

BLS Stay Compliant can support organisations through tailored consultancy and training services designed to strengthen records management practices. This includes reviewing and advising on retention schedules, developing and updating policies and procedures, and delivering practical staff training to ensure consistent understanding and application across the organisation. By embedding good practice and building internal capability, BLS helps organisations reduce risk, improve compliance, and respond more effectively to challenges such as data breaches and Subject Access Requests.
