1. Purpose and Scope

This document describes how employees of the Ethical Standards Commissioner (ESC) should manage the documents and records generated as a result of their work.

This policy applies to all employees regardless of working pattern or nature of employment contract. It also applies to anyone working with ESC records and within ESC systems (for example contractors, consultants, secondees from another organisation or agency staff). The word employee(s) in the context of this policy should be taken to mean all such individuals, unless specifically referred to as being directly employed by ESC.

2. Policy Statement 

The Commissioner fully recognises the value of records and has established records management as a key corporate function. 

In view of the scale of this office’s operations, individual employees are largely responsible for the proper and effective management of the records they generate and receive. However, the Commissioner accepts strategic responsibility for these records and has allocated a co-ordinating, operational role to the Head of Corporate Services. 

Given the importance of records for day-to-day operations, and as the corporate memory of the office, the Commissioner is committed to ensuring that policies, procedures and practices are effective and are regularly reviewed and developed to ensure that they continue to meet our needs and obligations.

3. Implementation, monitoring and review of the policy 

The ESC is required, under the Public Records (Scotland) Act 2011 (PRSA), to prepare and implement a records management plan which sets out how we manage our records. This records management policy forms a key part of our records management plan. More information about our duties under the Act are available at Public Records (Scotland) Act - National Records of Scotland (NRS).

Overall responsibility for policy implementation, monitoring and review lies with ESC. Everyone covered by the scope of the policy is obliged to adhere to and facilitate implementation of the policy. Appropriate action will be taken to inform all new and existing employees and others covered by the scope of the existence of the policy and their role in adhering to it. The policy will be reviewed at such times as legislation or a change to ESC policy position requires it and at least every five years. The policy will be made available to the general public.

4. What is a record?

In records management it is important to be clear about the difference between a document and a record. 

A document is any piece of information in any form, produced or received by an organisation or person. It can include databases, websites, email messages, word and excel files, letters, memos, social media posts, instant messages and audio and video recordings. 

Some of these documents will be ephemeral or of very short-term value and should never end up in a records management system. Some documents will need to be kept as evidence of business transactions, routine activities or as a result of legal obligations, such as policy documents. These should be placed into an official filing system and at this point, they become official records. In other words, all records start off as documents, but not all documents will ultimately become records.

Records are an important constituent of the corporate memory of an organisation.

5. The principles of good records management 

The guiding principle of records management is to ensure that information is available when and where it is needed, in an organised and efficient manner, and in a well maintained environment.

Records should be:

• Authentic 
  Records must be created and maintained in a manner that ensures they are demonstrably authentic and reliable. Changes to records should be appropriately recorded.
• Accurate
  Records must be accurate and complete, allowing the full picture to be ascertained. They must cover all aspects of ESC’s work.
• Accessible
  Records must be maintained in a way that allows for timely and efficient retrieval.
• Compliant
  Records must be held in compliance with any legislative, regulatory and contractual requirements. They must not be held for any longer than required.
• Secure
  Records must be securely maintained to prevent unauthorised access, alteration, damage or removal. They must be stored in a secure environment, the degree of security reflecting the sensitivity and importance of the contents.

6. Our records management system

ESC does not retain paper records. Paper records are only generated to assist with work in progress and are securely destroyed on the completion of tasks. Any records generated in paper format must be converted to a digital format and stored electronically. 

ESC stores its records in two main locations. 

SharePoint:

Currently all records related to public appointments and corporate services, and a selection of records related to standards, including prospective complaints, are stored on SharePoint.

The case management system (CMS):

Currently all records relating to complaints about the conduct of MSPs, councillors and the board members of public bodies and lobbying are stored here. Records relating to prospective complaints are stored in SharePoint.

The CMS is built using Salesforce software and supported by Arcus Global. It is a cloud-based case management system. All records associated with individual complaints and cases are uploaded to the system, stored in Salesforce data centres and accessed via the internet.

Due to the size of the organisation and the costs involved, the Commissioner does not operate an Electronic Records Management System (ERMS). 
Without an ERMS creating, moving and deleting records can be done without any audit trail. This means records could be misfiled and deleted without trace.

In order to minimise this risk, we manage our records using a defined file plan and records management procedures. These are designed to ensure that records are stored in a consistent manner, thereby making it easy for staff to quickly retrieve information, work effectively and efficiently and meet our statutory obligations.

The creation, movement and deletion of records held in both locations is recorded in an audit trail. Deletion of records is not an automated process. Identification and deletion of records and producing the audit trail must be carried out manually.
 

7. Employee responsibilities

The Commissioner has overall strategic accountability for records management and the Head of Corporate Services has day-to-day operational responsibility. Each employee is responsible for ensuring the records generated or received by them are stored correctly. 

Specifically, each employee is responsible for correctly storing records:

• they send to or receive from external parties or the Commissioner
• they create 
• they send to internal recipients. In most circumstances:
  • Those requesting a response from a team member will be responsible for managing the document chain.
  • Those responding to a team member will not be responsible for filing the resulting document chain. This sits with the requester.

If it is not clear who is saving the information, the employee should clarify this to ensure that important records are not lost. 

Responsibility for filing records may be delegated to other team members in specific or all instances. The delegation must be clear and documented. 

In addition to the above, members of the Senior Management Team are also responsible for monitoring the records within their assigned locations and folders to:

• ensure records are stored in line with the file plan and these records management procedures.
• identify staff training needs
• correct any misfiling 
• ensure that retention and disposal schedules are met.

A review of the assigned folders should be carried out annually. 

Responsibility for these management tasks may be delegated to other team members in specific or all instances. The delegation must be clear and documented. 

It is essential that the records management system works smoothly and effectively. It must also be flexible enough to change when business needs require it. However, changes must be undertaken in a methodical way. 

If an employee considers a records management procedure or an element of the file plan is inappropriate or if they have any other concerns these should be reported to their line manager or the Corporate Services Team.

Equality Impact Assessment
Does this policy comply with the general Public Sector Equality Duty (s149 Equality Act 2010)?
This policy applies to all employees. Its impact was considered when drafting. Where a disability affects an employee’s ability to adhere to this policy the appropriate reasonable adjustments will be made. We consulted with all employees prior to publication to identify and address any issues.

Data Protection Impact Assessment
Have we considered any effect the policy may have on the collecting, processing, and storing of personal data? 
The records generated by this policy will contain personal data. Suitable retention and destruction policies are in place to manage this material.

Information Security Impact Assessment
Have we considered the impact any policy may have on our cyber-resilience? 
This policy should have no impact on our cyber-resilience.

Records Management Impact Assessment
Have we considered the impact any policy may have on our ability to manage our records? 
This policy underpins our ability to manage our records.