Record Keeping Policy - GDPR

This policy details the arrangements in place to manage own and externally supplied documents, files and records.

Scope

All company activities at all locations.

Applicability

This policy applies to all personnel involved with any activities covered by the above scope.

Unless otherwise stated the processes, procedures and instructions outlined in this policy must be followed and failure to follow this policy could lead to disciplinary action.

Sections marked 'Guidance' are included as guidance and strict adherence is not required.

Policy

a.     Statement of Intent

Correct management of files and records is essential for the efficient functioning of the business and underpins all operational activities. It is important that all relevant personnel are able to access the files, documents and records they require for their operational activities, that the integrity of the files is maintained and that the files are protected from unauthorised access and alteration.

To ensure this can be achieved there are various systems in place to ensure file templates and files generated by the business are controlled and that effective system are in place to manage any records generated or documents received from external providers.

b.     Management of Files and Folders

Key documentation

All key documentation is controlled and files are held electronically on the company file server and controlled or uncontrolled paper copies of the manual may be prepared for reference when required and will be marked accordingly.

Master electronic copies of files are managed and updated by the person named as the controller of this procedure and key files such as this procedure document are password protected / read-only to ensure only those authorised are able to update / amend.

All documentation will be legible and readable.

Management of Changes and Review

Significant changes to this and other controlled documents are logged on the Update Log and agreed by the person in charge of the area where the change will occur.

Management system documents will be formally reviewed at least annually during the management review to ensure documented procedures accurately reflect good practice within the organisation and that all key processes and procedures are appropriately documented and continuing to meet the requirements of all applicable standards.

Document Approval, Removal and Review

Any new procedures, policies, registers or other key documents should be approved prior to use. Old versions are archived / removed from use.

Management of Company Forms, Key Files and Other Documentation

Key forms will be numbered, issue controlled and saved in the forms 

folder to ensure all workers are aware of and have access to key forms.

It is important that all company generated forms and documents are issue controlled to ensure that all users are using the correct and current version. All company forms should have issue number clearly marked on the form or in the document properties. When a form template is updated / reissued the issue number should be incremented by 1. Users of the form template should also be advised of the change and if significant details logged on Update log. Any old versions of the file should be located and deleted / archived to ensure no longer in use.

Where there is only 1 controlled copy of a file, such as a register, it may only be necessary to only indicate issue number in the document file name.

Data Protection Classification

Where possible company-controlled documents should be labelled with data protection classification and any documents that include sensitive or confidential information will be marked 'Confidential' in the document footer and stored securely. Documents for business use will be marked 'Business Use' and public documents marked 'Public'.

The information classification has Implications on how the completed records should be treated and the following information classification treatment plan should be followed;

Classification

Treatment

Public

No protection is required - these files may be shared openly within or out with the organisation with impunity.

Business Use

These documents should be protected and only used for the purpose intended and in the legitimate interests of the organisation.

Some protection may be required and when no longer required secure destruction may be required.

Appropriate security should be used when saving to removable media, mobile devices or transferring Business Use information.

Confidential

These files must be protected - electronic files and paper copies should be stored securely and controls put in place to control access. Confidential files should not be left unattended as detailed in d. Information Security (Guidance - Security : Clear Desks / Clear Screen)

Confidential information should not be sent by email to an internal or external source or saved to removable media or mobile devices without additional security. When no longer required confidential files must be securely destroyed.

Data Protection - all workers will be aware of data protection regulations and data protection procedures / policies.

Key Company Records - key records including paperwork supplied by 3rd parties will retained as required and will be collated, filed, and kept in a suitable environment.

Documents of external origin will be identified and controlled.

Key documents required as evidence of conformity should be protected from unintended change (e.g. PDF format).

Data Backup - Management of Electronic Information

Computer information will be backed-up and IT equipment and Information Security will be checked and maintained

Electronic Filing and Management of Network Folders

It is important that all personnel understand and follow this procedure for management of electronic files and use of shared network folders.

Care should be taken to ensure files are saved to the correct folder and not saved to computer desktop or other personal folder which may not be accessible to other personnel or included in the file backup process.

The file naming conventions and filing structure should be followed when creating, saving or moving any files.

Paper Filing and Management of Filing Cabinets and Storage

Care should be taken with management of paper files to ensure files are stored and organised correctly. Filing cabinets should be clearly labelled with index / overview of filing system or this should be documented and made available to all relevant personnel. Filing should only be completed by competent staff who fully understand the filing system.

Confidential documents should be physically protected by using a lockable filing solution or storing in a secure area with controlled access.

Scanning

Where records are to be scanned the scanning procedures must be followed to ensure scan is completed using the appropriate resolution, colour and file format settings. The scanner may have scan presets saved and the appropriate preset for the document type should be used. Incorrect scanner settings may lead to scan problems such as files being excessively large or insufficient detail in the scanned document for the scanned file to be usable. Procedures for filing and destruction, where applicable, of documents after scanning should also be followed.

Archiving / Deleting Records

Older records that are not required for operational purposes but are required to be retained should be moved to archive storage ensuring labels and indexes are retained and correct.

Files no longer required should be disposed of in the appropriate manner either by recycling or secure shredding / destruction where required.

Electronic Records

Electronic records can be held within files and software and care should be taken to ensure all electronic records are adequately protected and managed in accordance with information security procedures.

c.     Information Security

Information is a critical business asset and protecting the confidentiality, integrity and availability of information assets from all threats whether internal, external, deliberate or accidental is a business priority. We will ensure we have implemented appropriate controls to secure our information assets, and those we are responsible for, using physical, procedural, staff and technical security measures.

All company information security policies and procedures should be followed to ensure appropriate protection is in place for all information assets.

Guidance - Security

As well as physical security of IT systems it is also important to consider physical security to protect information. Personal or commercially sensitive information should not be posted to notice boards or office wall and should not be visible from outside the premises or from any reception or entrance areas. Doors, windows server rooms and network cabinets should be locked as required and any visitors to site escorted at all times. Any workstations that are used for processing confidential information must be sited in a location to ensure they are not overlooked or near windows and site visitors should be advised that they cannot use mobile phones with cameras within the premises.

Clear Desks - When away from desk for any extended period confidential paperwork must be placed in a locked drawer or stored securely. At the end of the working day desks must be cleared of all confidential or sensitive data.

Public areas - If working in a public area confidential papers must be kept secure at all times

Clear Screen - when left unattended all devices should be locked. No confidential information should be viewed if working in a public place.

Information Transfer

When transferring information internally or externally consideration should be given to the security of the transfer to ensure adequate protection of the information is in place. Where required a formal data transfer and processing agreement will be prepared covering the secure transfer of information with approved 3rd parties. Confidential information should not be sent by email to an internal or external source or saved to removable media without additional security. Company information should never be stored to personal cloud storage or sent to a personal email account.

The confidentiality of information being transferred on portable media or across networks, must be protected by use of appropriate encryption techniques.

Mobile Devices and Remote Access

Information assets must not be stored on any mobile devices that have not been checked and approved by the company. Any mobile devices used to store information assets must be secured using technical and physical means at all times. Any remote access to information assets must be approved by the company following an appraisal of the security in place and once approved will be subject to ongoing monitoring. If remote access is no longer required any equipment issued should be returned and access accounts closed.