In this guide you can find out more about the following:
- What records management means
- Records management best practice
- How to create a records management policy
- What records management systems are
- Tips for choosing a secure records management system
What is records management?
Records management (also known as records and information management, or RIM) is a system used to manage paper records or electronic records from the moment they’re created or received, through to when they’re used, stored and disposed of.
Records contain information you’ve created or received and need to preserve as evidence of business transactions or to comply with the law. This could be anything from meeting minutes and correspondence to financial records and legal contracts.
The records can be in digital or paper format, and need to be kept for a certain amount of time. For example, you should keep official records such as tax returns for at least five years and medical records for up to 25 years.
A document becomes a record once all the work on it is completed. Documents change frequently, whereas records should not change as they are a record of what’s happened.
For example, a document related to an employee’s performance review is likely to change up until the review is complete. Once all the work on the review has been done, the document becomes a record and can be filed.
A records retention schedule tells you how long you should keep records before destroying them, or which ones you should keep as permanent records.
The purpose of records management is to ensure you maintain and have access to records that may need to be retrieved for business processes, legal requirements or audits.
You can find out more about your legal responsibilities concerning records management with our guide—Records management and archiving: what are your legal responsibilities?
Why records management is important
- It ensures that:
- important records are stored correctly and easy to find when needed
- records that are no longer needed are disposed of correctly and in a way that adheres to company and legal guidelines
- your business complies with health and safety legislation—for example, correctly documenting any accidents that happen in the workplace
- It protects your staff and business by providing evidence should legal matters arise
- It reduces costs and inefficiency as rather than store documents unnecessarily you can destroy them, therefore freeing up space in your office
Records management best practice guide
The Information Commissioner’s Office Section 46 Code of Practice covers records management and includes recommendations for how to manage records according to good practice.
Although these guidelines apply to public authorities—such as local government, and other bodies that are subject to the Public Records Act 1958 or the Public Records Act (Northern Ireland) 1923)—they are a useful place to start when implementing best practice guidelines for your company.
Best practice recommendations for records management
- Recognise the importance of records management and have arrangements in place that support this
- Have a records management policy in place
- Ensure this policy covers paper and electronic records
- Make sure you maintain records needed for business, regulatory, legal and accountability purposes
- Keep your records—whether these are paper documents or electronic documents—in an easy-to-navigate archive so you can store and retrieve them when needed
- Know what records you have and where you keep them, and ensure that you store them for as long as they are required
- Guarantee that the methods you use to store and access records are secure
- Define how long you should keep records (known as the retention period) and when and why you should dispose of them
- Ensure records you share with other companies or hold on other company premises are managed correctly and in accordance with your records management policy
- Regularly monitor your compliance with best practice
Download best practice recommendations for records management as a PDF.
How to create a records retention schedule
A records retention schedule outlines:
- how long a record should be retained (the retention period) before it’s disposed of
- how it should be disposed of when it’s no longer needed
Several factors affect the retention period of a document, including:
- company or industry regulations
- agreements with a third party (such as a client)
- business need (documents that people in your business may need to refer to in future)
- legal requirements (such as retaining documents for tax records)
A records retention and disposal schedule should also state who is responsible for determining which documents are retained and for how long. Most people in the company—from board members to administrative staff—will deal with documents and so will need to know which they should save and which sensitive or inactive records they can destroy.
Having a formal schedule for retaining and disposing of documents means staff members know when and how often they can get rid of certain documents. Depending on the size of your company and the number of documents you deal with, you may need to recruit a records manager or a records administration team to carry out this work.
Generally, there are three categories of documents you must retain, but there will be some crossover between them:
- Documents you have to keep for legal reasons
These are documents that the government expects you to keep for a certain amount of time, in case your business is audited. These will include documents relating to finances. The government sets the retention period for this type of document—click here to find out more about what documents you need to retain.
- Documents relating to business needs
These will be different for each business but could include:
- meeting notes
- client communication
- Documents relating to employees
- HR documents
- records of:
- performance evaluations
- pay rises
- disciplinary action
With certain business documents, you’ll need to decide how long you’ll keep them for, but it’s important to remember that GDPR states that you can keep certain documents only for a specific amount of time. You should not keep personal data “for longer than is necessary for the purposes for which it is being processed”.
Applying records management best practice to electronic records
The 10 elements of records management best practice will apply to both electronic and paper records, but the following recommendations apply only to electronic records (which are also known as digital records):
- Security and audit trails—access to electronic records should be password-protected, and you should use software that tracks who accesses these documents.
- Track and monitor the movement of records—an electronic records management system will help you to track, record and monitor where records have been moved to and when they were moved.
- Label files clearly—electronic records should be labelled clearly and logically. Ideally the entire company should use the same labelling system so staff across different departments can locate files easily.
- Portable devices—it’s likely you store data on a range of devices such as USB drives, CDs, DVDs and individuals’ laptops or mobile phones. If you’re destroying certain documents, you must check for copies of these documents on portable devices and ensure you delete these too.
How to create a records management policy
A records management policy outlines exactly what your company will need to do to adhere to best practice guidelines and will ensure that everyone in your company can easily follow your records management procedures.
Although there are overarching sections that will appear in most companies’ policies (such as the scope of the policy and the responsibilities of staff), the actual processes for dealing with records and documents will vary from company to company.
A records management policy serves several purposes:
Employees and stakeholders can see your company values proper record management.
Outlines the purpose of your company’s record management policy.
Outlines staff responsibilities
Shows what you expect of your staff when dealing with records and documents. Defines who can have access to which documents and records and who is responsible for records management in the organisation.
Clearly describes who will deal with records throughout their lifecycle—from receipt or creation to storage and disposal.
By identifying and making connections to related policies (such as your data protection policy), your staff and stakeholders will have a clear picture of what your company’s policies cover and how the policies relate to each other.
How to write a records management policy
The National Archives website has detailed advice on creating a records management policy. Below is an overview of what you’ll need to do before you create your policy:
- Gain support from senior management for creating a policy
- Review the current records management policy
- Speak to staff about how they currently deal with records management and discuss concerns and suggestions
- Find out which records management laws and regulations your company must comply with
- Review existing policies from other areas of your business—such as data protection, health and safety, and risk management—to see how the records management policy will relate to these
Once you’ve created your policy, you’ll need to review and update it regularly.
Records management disposal policy
Part of your records management policy should include information on document destruction—that is, once you no longer need a record, how you’ll dispose of it and who will have authority to do this.
Your records management disposal policy should include information on how staff in your company should destroy records. For paper records, this will usually mean shredding the document, either in-house or via a professional shredding company. Whatever means of disposal you choose, you’ll need to ensure you dispose of the records securely, ideally with proof of destruction.
The timeframe for which you store records before destroying them will either be defined by an external body (such as the government, for documents related to tax and finances) or something you’ll need to decide internally.
What is a records management system?
A records management system is a way of managing and storing records securely and often off-site. It allows you to easily retrieve records from an archive and leaves an audit trail of which users have accessed a record and when, and whether they’ve made any changes to it.
These systems also enable you to destroy records you no longer need, or request the retrieval of records you do need.
There are two types of record management systems:
- Fully digitalised systems—where paper documents are scanned and stored digitally and the physical copies are then disposed of
- Partly digitalised systems—where paper documents are scanned but the physical documents are archived
Both of these options use software to keep track of the archived records.
Offsite records storage is a common feature of records management systems and you might decide to choose this option if you want to free up space in your office.
What’s the difference between a records management system and a document management system?
- A records management and storage system deals with records that are completed and no longer being updated or worked on.
- A document management and storage system deals with active documents that people are still working on.
Although there are key differences between the two, the terms ‘document management system’ and ‘records management system’ are often used interchangeably. You can find out more about record and document archiving here.
Tips for choosing a secure records management system
A records management policy is only part of the management process. The next step is to choose how:
- you’ll store the documents you need to keep—will this be in your office or off-site? Will you store your records as they are or digitalise them so they become electronic records?
- people will access the documents
- you’ll securely dispose of documents you no longer need
Best practice states that “Authorities should keep their records in systems that enable records to be stored and retrieved as necessary” but the system you choose is down to the requirements of your business.
As a minimum, for records you use regularly, a system should:
Records management checklist
Be easy to understand
Make it quick and easy to retrieve information
Make records management processes routine
Be classified and indexed to bring together related records
Contain metadata that accurately describes the records
Protect records from unauthorised copying, moving or deleting
Have secure access
Enable a clear audit trail to be produced when records have been used, altered or destroyed
With records you no longer use regularly, you can move them from your day-to-day system to secure, off-site locations. This is often a more economical choice, in terms of costs and space, than storing these documents on-site.
Your records management policy should contain information about how and when you’ll transfer documents to off-site storage, or destroy them.
Once you’ve defined what you need from a records management system, you could consider using an external records management and storage agency to store and manage your records for you.
Companies such as Russell Richardson specialise in secure document archiving, storage and records management. Customers have access to a secure portal that gives them complete control over records, including methods for tracking, retrieving and destroying them.