Records management self-assessment Web viewRecords Management Self-Assessment Tool ... Enterprise Architecture. University . ... Records management self-assessment

CSU RECORDS MANAGEMENT PROGRAMRECORDS MANAGEMENT SELF-ASSESSMENT TOOL1

INTRODUCTION

Purpose: The purpose of self-assessment is to measure how well your business unit is managing its records and to identify areas for improvement which can feed into your Records Management Plan. Additionally, it assists the University Records Manager to identifying common areas for improvement which can be used to develop strategies to help improve records management practices on a University-wide basis.

Responsibility: Business units are required to complete this self-assessment in line with the self-assessment schedule, and incorporate any identified areas for improvement into their Records Management Plan.

INSTRUCTIONS

Step 1: Complete this coversheet.Step 2: Respond to the questions in the following sections. Answers must accurately reflect the situation

in your business unit. This will help identify what is being done well and areas for improvement. Complete all questions. N/A options are only available for some questions.

Step 3: Your response to a question may indicate that action is required. Remedial action should be fed into your Records Management Plan. Proposed remedial actions are listed as part of each question and further advice on suitable actions can also be sought from the University Records Manager.

Step 4: A copy of the completed assessment is to be emailed to the University Records Manager for their information ([email protected]).

BUSINESS UNIT DETAILS

Date of self-assessment

Name of business unit

Name of Faculty (if applicable)

In completing and lodging this assessment, the business unit acknowledges that the assessment is an accurate reflection of the records management practices in their business unit

Head of Area Name: Ext:

Details of person completing the self-assessment

Name: Ext:

Email:

Position:

1 Reproduced and adapted for CSU with permission of University of Technology, Sydney

University Records and Compliance 2015 Page 1 of 19Division of Information Technology – Enterprise Architecture

mailto:[email protected]

Records Management Self-Assessment Tool ENTER SCHOOL/DIVISION NAME

NO. REQUIREMENT QUESTION RESPONSE POSSIBLE REMEDIAL ACTIONS

1 Responsibilities and Delegations

1.1 All staff must be aware of their responsibilities to manage records, your recordkeeping system and recordkeeping procedures, including how to create and manage files, and retention and destruction responsibilities.

Are ALL staff within your business unit aware of their recordkeeping responsibilities, your recordkeeping system, and records procedures?

Yes No (action required)

- Brief staff in local staff meetings and remind them of their responsibilities.

- Ensure all new staff are advised of their records management responsibilities.

- Include records management requirements in local procedures.

- Requirements for staff awareness needs to be included in the Communication Plan component of your business unit’s Records Management Plan (see section 2).

1.2 Records management responsibilities need to be formally assigned to staff to ensure records activities are undertaken.

Have your staff been formally delegated records responsibilities?


- Include delegations in the Work Plans or PD’s of staff.

1.3 Business units are required to review staff responsibilities and provide details of training as part of this self-assessment.

Complete Section A of Attachment One.




2. Planning

2.1 All business units must develop a Records Management Plan (or be covered by a broader Plan at a Faculty or Unit level). This plan includes:- areas for improvement

identified in self-assessments and risk assessments.

- regular actions such as archiving, destruction, training, and self-assessment.

- new records management projects.

Does your business unit have a CURRENT Records Management Plan?


- Create a Records Management Plan by completing this Self-assessment Tool and the Records Storage Risk Assessment Tool (see also section 6).

- Remedial actions included in these tools and the Records Management Plan template can assist in the development of your Records Management Plan.

2.2 To ensure staff awareness of their recordkeeping responsibilities, business units must include a Communication Plan as part of their business unit’s Records Management Plan. This will detail strategies for communicating requirements to staff and maintaining their awareness.

Does your business unit have a CURRENT Communication Plan for records management, either separate or as part of your Records Management Plan?


- Include a Communications Plan as part of your Records Management Plan (see section 2.1).

- The University’s Records Management Plan template can assist in the development of your Records Management Plan.

2.3 Business units are required to identify records that relate to their business processes and provide a summary as part of this self-assessment.

Complete Section B of Attachment One.




3 Creation of Corporate Files

** Note: network / shared drives and email accounts are NOT compliant recordkeeping systems.

Please enter name of system/s used by your business unit:_____________________________________________________________________

3.1 Corporate files must be created to document the business activities:- of your business unit,- you undertake on behalf of

another business unit, and/or- you undertake on behalf of the

University as a whole. Note: Corporate files may not need to be kept by your business unit if they are already created and kept officially by another business unit.

Are corporate files created to hold the documents relating to the activities of your business unit?

Yes No (action required) N/A*

- Identify any records held by your business unit and assess whether they should be corporate files.

- Ensure staff are aware of their responsibilities regarding file creation and that they are trained to facilitate file creation (see section 1).

- Include the requirement for corporate file creation in local procedures as appropriate..

3.2 Files must be created as close to the commencement of an activity as practicable. It is not appropriate to leave file creation until the end of an activity .This prevents the ability to manage and locate records and can result in forgetting to put records into the system.

Are ALL corporate files created at, or closely following, the commencement of a new issue or business activity?


- Ensure staff are aware of their responsibilities regarding file creation and that they are trained to facilitate file creation (see section 1).

- Include the requirement for corporate file creation in local procedures as appropriate.




3.3 To create a corporate file it must be registered in an approved digital recordkeeping system accurately and in a consistent manner. This facilitates file management and retrieval. It assists in identifying a file’s location, who can access it, and future archiving and records destruction activities.

Are ALL corporate files (and individual file parts, where required) registered consistently and accurately?


- Ensure staff are aware of their responsibilities for file creation and that they are trained to facilitate file creation (see section 1).

- Ensure staff are trained in the use of the digital recordkeeping system.

- Include the requirement for corporate file creation in local procedures as appropriate.

- Register any un-registered corporate files




4. Filing Documents

** Note: network / shared drives and email accounts are NOT compliant digital recordkeeping systems.

4.1 Documents that relate to business activities and are required to explain what happened, or provide evidence of decisions, advice, etc, must be filed onto corporate files, and not kept loose in desks, draws or on unofficial files.

Are all relevant corporate documents in your business unit filed onto official file in a consistent and timely manner?


- Ensure staff are aware of their responsibilities for filing documents on corporate files (see section 1).

- Include the requirement for capture of documents onto corporate files in local procedures as appropriate (this may detail what documents are required to be created and captured).

- Ensure corporate files are created in a timely manner (see section 2).

4.2 Not all corporate records are hard-copy/paper documents. Some are “born digital” such as emails, Word and Excel documents etc.Email folders, hard drives, and shared network drives are NOT recordkeeping systems. Any emails and other electronic documents relating to activities and explain what happened, or provide evidence of decisions, advice, etc. must be filed into a compliant recordkeeping system.

Are all relevant official electronic documents, including email, must be captured into a compliant recordkeeping system?


- Ensure staff are aware of their responsibilities for capturing relevant electronic documents and email into compliant recordkeeping systems (see section 1).

- Establish protocols for the use and management of local hard drives and network drives to better manage locally stored information and recordkeeping requirements.




4.3 Areas should be maintaining full and accurate records of their business activities. Sometimes this necessitates the creation of records to document verbal advice and decision making processes. Verbal decisions may be documented through minutes and file notes (hand-written or typed), or via email confirmations

Does your business unit capture all relevant decisions and advice provided or received verbally for capture into a compliant recordkeeping system?


- Ensure staff are aware of their responsibilities for documenting verbal decision-making activities (see section 1).

- Include the requirement for capture of verbal decisions relating to specific business activities and processes in local procedures as appropriate (this may detail what decisions need to be documented).

- Provide staff with file note templates to encourage capture of verbal decisions.




5. Managing Physical Files

* A N/A response to the questions in section 5 can only apply if your business unit uses a compliant digital recordkeeping system to capture and manage ALL official records in a digital environment. If some physical / hard-copy records exist, a Yes or No response is required.Note: network / shared drives and email accounts are NOT compliant digital recordkeeping systems.

5.1 It is important that business units know where their official records are located to ensure:- files can be accessed quickly,- files are accessed by the

appropriate people, and- files are not lost.

Are the locations of your files recorded appropriately when they move between staff or storage areas?


- Put in place a local procedure for tracking file locations.

- Ensure file locations are accurate and up-to-date.

5.2 Even where file locations are tracked, care needs to be taken to ensure files are not lost in the process of their use and that they are returned when no longer required.

Are records regularly being lost or misplaced when borrowed by staff?

Yes (action required) No N/A*

- See remedial actions section under 5.1.- Follow up with staff who have borrowed files

and not returned them within an agreed timeframe.

- Check on the location of files on a yearly basis to ensure locations are up-to-date.

- Mark any file that can’t be located as “missing”.

- Where staff are leaving the employment of your business unit, ensure all files are returned before they leave.




5.3 Your records should be considered in relation to any relocation plans. This includes:- file storage in your new

location,- preliminary archive work,- managing the transfer during

the move, and- updating of file locations in the

recordkeeping system where required.

Are parts of, or your entire business unit, moving before your next scheduled self-assessment?

Yes (action required) No

- Plan the management of your records during the move.

- Ensure official records are not thrown out as part of the pre-move cleanup without the appropriate records destruction authorisation.

- Keep a record of which boxes contain official files and check immediately upon relocation that boxes have not been lost.

- Update file location details in the recordkeeping system after a move.




6 Storage of Records

6.1 It is important that locations used for records storage are appropriate for that purpose. As part of the University’s Risk Management and Disaster Recovery Plan for Records and Recordkeeping Systems, business units are required to complete the Records Storage Risk Assessment Tool. Risks can change over time. It is necessary to undertake your risk assessment in line with your self-assessments.

Has your business unit completed a risk assessment on the location used to store your current records in line with your business unit’s self-assessment schedule?Note: this refers to those records which are still in use by your area and which may be kept in your office. A separate question will cover local archival storage.


- Complete the Records Storage Risk Assessment Tool for the area you store your current records (one assessment can be completed to cover your whole office area where files are stored in one larger business unit location).

6.2 Where a business unit uses a local or other storage location for storage of closed / archived files:- a risk assessment of the

location must be completed using the Records Storage Risk Assessment Tool; and

- the location must be approved by the University Records Manager.

Has your business unit completed a records storage risk assessment on each separate local or remote location used to store your archived records?*If you have no such locations, select N/A.Note: this does not include the use of University Archives Centre.


- Complete the Records Storage Risk Assessment Tool for each separate storage location.

6.3 Business units are required to identify the storage areas used to store their records.

If yes to Q.6.3, complete Section C in Attachment One.




7. Security – Access and Confidentiality

7.1 Records held by your business unit must be secure from unauthorised access. This applies to official and unofficial records.

Are all physical / hard-copy records secure from unauthorised access?Note: this applies to corporate records and duplicates/copies.


- If your business unit is open to the public, ensure adequate measures are in place to protect files from unauthorised access or theft. This may be through limiting public access to your office areas or securing files within the areas.

7.2 Confidential records have a higher level of security than standard files and should be stored in locked cabinets when not in use. Confidential records include, but are not limited to, records which are legal or commercial in confidence, or records containing personal information.

Are all physical / hard-copy confidential records stored in a locked drawer / room when not in use?*If you have no confidential records, select N/A. Note: this applies to corporate records and duplicates/copies.


- Keep confidential files in locked and secure areas. Ensure they can only be accessed by authorised staff.

7.3 HP TRIM is the control system for your business unit’s records. Individual HP TRIM users are responsible for ensuring unauthorised staff do not access HP TRIM via their login.

Is access to HP TRIM in your area limited to authorised HP TRIM users?*If you have no HP TRIM users in your area, select N/A.


- Ensure HP TRIM users are appropriately trained.

- Users of HP TRIM should be required to lock their workstations when not at their desks. This is essential if working in an open office or publicly accessible business unit.




7.4 To comply with privacy and confidentiality requirements, confidential documents, including any document containing personal information, must be disposed of securely. Locked security bins or shredders must be used, not garbage bins or recycling bins.

Are all confidential records, whether official or unofficial, physical / hard-copy or digital, disposed of in a confidential manner?*If you have no confidential records, select N/A.


- Ensure staff are aware of their obligations relating to destruction of confidential documents, such as use of shredders or locked security bins.

- If your business unit does not have access to a secure method of destruction, contact the University Records Manager regarding a locked security bin.

- Ensure any electronic media, such as computers, USB, or other digital devices are adequately wiped

- Consult with the University Records Manager regarding the confidential destruction of any other media, such as CDs, video tapes etc.

7.5 Some university staff have access to personal information relating to students and / or other individuals. Staff must be aware of their obligations in relation to privacy and general confidentiality to ensure they manage these records appropriately. All business units will hold some personal information, even if they are not involved in the management of students, such as local staff files, recruitment information etc.

Are staff within your business unit aware of their obligations in relation to privacy and confidentiality of information?


- Include privacy and confidentiality responsibilities in local procedures.

- Ensure staff are reminded regularly of their obligations.




8 Digital Recordkeeping Systems

8.1 Any database or digital system that creates and/or stores official records must be an approved digital recordkeeping system. Such systems have certain requirements for data, security, longevity of the information contained within, and migration practices.

Does your business unit capture records using a digital system in lieu of putting those records into HP TRIM?

Yes (continue at Q8.2) No (go to Q.9)

8.2 Business units who are responsible for digital systems used to store official records are responsible for ensuring they are compliant systems. Systems need to be assessed to identify if they hold official records, and if they do, whether they are compliant.Note: network / shared drives and email accounts are NOT compliant digital recordkeeping systems.

Is your business unit responsible for managing the digital system in question (i.e. the system owner/process owner)?*If you responded No to Q.8.1, select N/a.

Yes (continue at Q.8.3) No (go to Q.9) N/A* (go to Q.9)

8.3 Business units are required to identify digital systems where they are responsible for the content.

If yes to Q.8.2, complete Section D in Attachment One.




9. Archiving and Destruction

9.1 It is important that business units have control of all their records, whether official or unofficial, or whether created by them or inherited from predecessor business units or staff.Areas need to know what records they hold and those records need to be appropriately managed and not dumped in local storage areas.

Does your business unit have any records where:1) the type of records and

their contents are a mystery as they were inherited; AND/OR

2) no-one is responsible for maintaining them, inc. access, archiving, destruction etc.

Yes (action required) No

- A project will need to be established by your business unit to resource the cleanup work. This will involve identifying the records, and identifying whether they are still required and organising their appropriate management, or identifying whether they can be destroyed and organising the appropriate approvals and destruction. The University Records Manager can provide advice on each particular case.

- Include a cleanup project in your business unit’s Records Management Plan.

9.2 When destroying corporate records, there are certain retention requirements that need to be satisfied. As such, destruction of ALL corporate records, whether hard-copy or digital, MUST be authorised through the completion of a Records Destruction Authorisation Form.

Has your business unit destroyed official records in the past?


- Newer areas may not be ready to destroy records. However, if you are simply storing them indefinitely this can be an issue, in particular in relation to space and responsibilities in relation to privacy of personal information. Action may be required to assess how long the records should be retained and organising the appropriate destruction.

9.3 Destruction of corporate records should be an ongoing process. However it must be appropriately authorised to ensure retention requirements, and CSU’s administrative, legal, financial needs are satisfied.

Does your business unit appropriately authorise the destruction of all official records by completing a Records Destruction Authorisation form?*If your response to Q.9.2 was No, select N/A.

Yes No (action required) N/A

- Ensure staff are aware of their responsibilities in relation to the appropriate destruction of records.

- Include the requirement for records destruction and appropriate authorisation in local procedures as appropriate.




10 Risk Management and Disaster Prevention

10.1 Business units are required to create and maintain a “Records Recovery Priority List” for their business unit to assist in prioritising the recovering of records in the event of a disaster.This is part of the University’s Risk Management and Disaster Recovery Plan for Records and Recordkeeping Systems.

Does your business unit have a Records Recovery Priority List?


- Assess the types of records your business unit holds, where they are located, and create a brief priority list. It is best this list be retained off-site with key personnel and kept up to date (these details were requested under Q.2.2).

End of the assessment. Please complete the sections in Attachment One where directed in the above assessment.


Records Management Self-Assessment Tool – Attachment One

A. Records Contact Details (referred to in section 1.3) Attachment One

Please specify your business unit’s Records Contacts and the level of records training undertaken.

Records Contact role Contact Details Mandatory Training * Additional Training

Secondary Records DelegateDefinition: The senior staff member in your business unit responsible overall for records management.

1. Name: Records Awareness Session Records Delegate training session or refresher training session within the past 3 years.Archiving and Disposal Workshop HP TRIM Training

Position:

Phone:

Email address:

Local Records Delegate/sDefinition: The staff in your business unit delegated responsibility for file creation, registration, archiving, & destruction activities. [List all Local Records Contacts. Add more rows if required].

1. Name: Records Awareness Session Records Delegate training session or refresher training session within the past 3 years.

HP TRIM Training

Archiving and Disposal Workshop

Position:

Phone:

Email address:

2. Name: Records Awareness SessionRecords Delegate training session or refresher training session within the past 3 years.HP TRIM Training

Archiving and Disposal Workshop

Position:

Phone:

Email address:

* Remedial Actions Where Mandatory Training Has Not Been UndertakenIf Records Delegates have NOT completed the required mandatory training required for their role, liaise with the University Records Manager to book the required training.



B. Activities of your business unit and records generated (referred to in section 2.3) Attachment One

Please specify the type of activities your area undertake, and provide information relating to the records generated and recovery priorities*. Add additional rows if required.

Activity Summary of Records Generated Where is the Official Record Kept?

Only For Records Held By Your Business Unit

Priority For Disaster RecoverySpecify On A Scale From

1=High to 3=Low

1 1 2 3

2 1 2 3

3 1 2 3

4 1 2 3

5 1 2 3

6 1 2 3

7 1 2 3

8 1 2 3

9 1 2 3

10 1 2 3

* A Records Recovery Priority List is a list prioritising records from the most important to less important, and where they are kept. This list will assist in planning an effective and efficient response to a disaster situation. A Records Recovery Priority list can be developed separately from this self-assessment. This may be required by business units with complex records, or where business units store records on the behalf of others.



C. Archival Storage Locations (Complete only if you answered Yes to question 6.2) Attachment One

Provide details of storage locations used by your business unit to store records. Add additional rows if required.

Campus / Building / Room Number Owner / Responsible Area For The Location Question Response

1. Has the location been approved for records storage?

Yes No*


Yes No*


Yes No*

* Remedial Actions for a No ResponsesIf your records storage areas have not been approved:- Include remedial actions arising from the Records Storage Risk Assessment Tool in your business unit’s Records Management Plan.- Contact the Records Manager to discuss records storage issues and alternate storage options.



D. Digital Recordkeeping Systems (Complete only if you answered Yes to question 8.2) Attachment One

Provide details for all information systems used to store official records that are the responsibility of / owner by your business unit. Add additional rows if required.

System Name Summary of Purpose of the System/Records Held Question Response

1. Has the system been assessed for digital recordkeeping compliance?

Yes No*

Has the system been approved as a compliant digital recordkeeping system?

Yes No*

2. Has the system been assessed for digital recordkeeping compliance?

Yes No*

Has the system been approved as a compliant digital recordkeeping system?

Yes No*

* Remedial Actions for a No ResponsesIf your system has not been assessed for digital recordkeeping compliance:- Complete the Digital Recordkeeping Identification Tool.

If your system is not a compliant digital recordkeeping system:- Undertake action to comply with the digital recordkeeping system requirements specified in the Digital Recordkeeping Identification Tool.
