Information and records management policy development

1. Introduction

An information and records management policy is a statement of intent for managing corporate information and records appropriately. It shows that the organisation is committed to a successful information and records management programme – one that complies and is reliable, systematic and well managed.

The policy demonstrates to employees and stakeholders the value of business information: that managing information and records well is crucial to helping the organisation achieve its core objectives. It acknowledges that information and records are key assets, and that information and records management is a fundamental corporate function.

The policy states the core principles for effectively managing the organisation’s business information and records. It gives a clear directive from the senior management to all staff, describing acceptable information and records management behaviour. It highlights that information and records management is the responsibility of all staff and assigns roles and responsibilities at all levels of the organisation.

An information and records management policy supports the organisation’s information and records management strategy. Together, the policy and strategy establish an overall governance framework for information and records.

2. Benefits of an information and records management policy

An information and records management policy:

• helps the organisation to meet its evidentiary, accountability and regulatory requirements, and the expectations of government and the public

• ensures compliance with information and records management standards and other relevant legislation

• formalises intentions for information and records management

• promotes efficiency of business processes, practices and service delivery

• encourages ethical, responsible and professional behaviour at all levels

• influences the organisation’s culture and practice

• supports internal monitoring for compliance.

3. How to set an effective policy

An information and records management policy should be developed in light of full understanding of the organisation’s needs.

3.1 Set the policy

• Align it with the organisation’s operating environment and strategic directions, and with the ongoing needs and overall objectives of the organisation.

• Link it to related business policies and programmes.

• Specify how to comply with legislative requirements and standards relevant to the organisation, and how to demonstrate compliance.

• Cover all systems that contain information and records, and all associated practices.

• Identify information and records management standards to be used by the organisation.

• Show how staff can be consistent with codes of conduct and ethical standards when managing information and records.

• Outline briefly how information and records should be made and kept, including requirements for authorised disposal or intentions to seek authorisation.

• Write the policy in plain English and keep it brief so that all staff can understand it.

3.2 Communicate and implement the policy

• Have the senior management actively and visibly endorse and support the policy, and resource its implementation.

• Support the policy with effective sets of procedures, guidance and tools for information and records management.

• Communicate the policy regularly across the whole organisation, and promote it to all staff and contractors.

• Keep the policy current by reviewing and updating regularly, taking into account any changes in business objectives, priorities and activities.

4. Main components of an information and records management policy

Explanation of the role of information and records management

Explain the relationship of information and records management to the overall business strategy. Explain that information and records management is critical to the work of the organisation because it supports business and better service delivery, including outsourced activities. The policy must point out the paramount importance of effective information and records management in achieving organisational outcomes. The policy must state how the organisation will meet the requirement to create full and accurate information and records.

Statement of the ownership of information and records

The policy must emphasise the corporate ownership of information and records, and stress that all such information and records are corporate assets that do not belong to individual employees. Information and records are regarded and handled as corporate assets, and this extends to those created by contractors.

Overall commitment by senior management to manage information and records as assets

The policy must outline the responsibility of senior management to support the policy in line with the information governance framework and strategy and, to resource and monitor appropriately its implementation. The Executive Sponsor’s role and responsibilities must be clearly stated including its position in relation to other executive and regulatory roles and responsibilities.

Legislation and standards

The policy must include a commitment by the organisation to adhere to any relevant legislation and standards. These include the Public Records Act 2005, and the minimum compliance requirements of the associated Information and records management standard.

References to other corporate policies – An information and records management policy does not exist in isolation. It is part of the organisation’s overall policy framework (including policies related to security, privacy, ICT, risk management, and the code of conduct) and should outline clearly how it relates to the organisation’s other policies and programmes.

Responsibilities

The roles and responsibilities for managing information and records should be identified for all staff at every level of the organisation. Staff should be in no doubt that their work falls within the scope of the policy.

References to supporting documents – List any specific business rules, procedures and processes, guidance and tools that support how the organisation will implement the policy.

Monitoring of achievement and compliance – The policy should explain briefly how the organisation will carry out reporting, internal audits and self-monitoring, and mandate an appropriate person or role in charge of monitoring and preparing reports.

Organisation specific components

The policy should specify how the Public Records Act 2005 requirements are aligned in practice with other frameworks that govern information and records. It may also note the organisation’s approach to the management of any special collections and academic records that are not included in the definition of a public record.

Date of publication and review

A publication date and a review cycle should be included to ensure the continued relevance of the policy.

5. Other considerations

The following principles are useful to consider when developing and implementing information and records management policies, procedures and tools.

• Policies, processes and supporting technology must be user-focused to eliminate barriers to use.

• Information and record assets, the technology that supports them, and the business requirements, policies and processes that govern them, must have identified, defined and accountable owners.

• The time, resource and effort expended on managing information and records must be proportionate to its value.

• Applications used to store and manage high value and high risk information and record assets should operate in a reliable and consistent way.

• The value of information and records can only be fully realised if each asset, regardless of format, has the attributes of availability, completeness and usability.

• Applications used to store and manage high value information and record assets must enable the transfer of the content and context of the information and records.

• Information and record assets are evidence of actions, decisions and processes, and may be subject to requests for access or to official scrutiny.