Guide 2 Organisational

arrangements to support records

management

This guidance has been produced in support of the good practice recommendations in the Code of Practice on
Records Management issued by the Lord Chancellor under section 46 of the Freedom of Information Act 2000.
A PDF version of the full code can be found here:
www.justice.gov.uk/guidance/docs/foi-section-46-code-of-practice.pdf
Who should read this guide
This guide is written for people who have no background in records and information management but find
themselves responsible for it within their organisation or have some other reason for acquiring a basic
understanding of the subject.

What this guide is about

This guide is the second in a series of guides produced to support the good practice recommendations in the
Code of Practice on Records Management issued by the Lord Chancellor under section 46 of the Freedom of
Information Act 2000 (from now on this Code of Practice will be referred to as ‘the Code’).

This guide covers the first good practice recommendation:

‘Authorities should have in place organisational arrangements that support records management’

Good records and information management requires an organisational infrastructure as well as action by staff
as part of their daily work. Section 6 of the Code identifies nine things that should be in place as part of this
organisational infrastructure. This guide describes each of these things in more detail and explains what they
mean in practice. It is arranged in the following sections:
1 Records management as a corporate function
2 Inclusion of records and information management in the corporate risk management framework
3 Governance framework for records management
4 Instructions to staff and managers on keeping and managing records
5 Identifying and managing the information and business systems that hold records
6 Records management during major organisational and other changes
7 Staff training and awareness
8 Records management programme
9 Resources for the records management programme

At the end there are references to some further guidance and a list of other guides in this series.

Note that these guides do not apply to the management of archives, i.e. the small proportion of records
selected for permanent preservation and transferred to an archives service once they were no longer needed
by the authority for current business or legal purposes.

© Crown copyright 2010

The text in this document (excluding the Royal Arms and departmental or agency logos) may be reproduced free of
charge in any format or medium providing that it is reproduced accurately and not used in a misleading context. The
material must be acknowledged as Crown copyright and the title of the document specified.

Enquiries about any other use of this material, please write to The National Archives, Information Policy Team, Kew,
Richmond, Surrey TW9 4DU or email [email protected].

Last updated 31 August 2010 2

1 Records management as a corporate function
Keeping and managing records is part of everyone’s daily work, usually using the facilities of modern
technology. But although these records are kept by individuals, they are not solely for individual use. They
form part of the organisation’s information resource and are a corporate asset. To work effectively, managing
records needs overall strategic direction and oversight.

The Code recognises this in a number of different ways. One is a recommendation that records management
should be identified as a core corporate function so that it is subject to controls and given resources in the same
way as other functions that involve management of assets, such as human resources and property. However, the
Code also recognises that organisations work in different ways and use different terms, and accepts that records
management might be included in a wider knowledge or information management function.

examples Records management in the organisational structure

 In The National Archives, managing our records is part of a wider
Knowledge and Information Management function.
 In Dorset County Council, the records management function is part of legal
services within Corporate Resources Directorate.

The records management function should be comprehensive in terms of:

● format – it should cover all records, whatever the technology used to create and store them and should
include business systems1 as well as traditional correspondence files and email
● lifetime – it should cover records throughout their life, from planning and creation through to disposal
● location – it should include records wherever they are and should also cover records managed on behalf of
the authority by an external body such as a contractor.

2 Inclusion of records and information management in the corporate risk

management framework
Records and information are one of the organisation’s assets but there are risks associated with them.

examples Records risk

  ecords are not kept.
R
  ecords are not kept securely.
R
 Records cannot be accessed and used because of technological
obsolescence or because they have become unreadable.
 Information that requires particular protection, such as sensitive personal
information, is disclosed inappropriately.

1 Examples of business systems are a finance system which records all of the organisation’s financial transactions and
holds the information required for managing budgets and audit, and a call centre customer management system

Last updated 31 August 2010 3

Risks need managing. Risk management can be a simple or as complicated as you want it to be but essentially
it is a technique to identify, assess and manage risks to the organisation. It is a matter of:
● considering what might go wrong and why
● assessing likelihood and impact – how likely it is to go wrong and how serious the repercussions might be
● identifying preventive measures to reduce the chance of the risk becoming a reality
● deciding what should be done if, despite these preventive measures, the risk does become a reality.

Most organisations do this already. The chief executive and other senior managers assess risks to the
organisation as a whole – corporate risks – on a regular basis. Programme and project managers assess risks to
their particular programmes and projects as a matter of course.

Risk registers are the tool used to manage risks and a large organisation is likely to have several risk registers in
use at any one time.

example An entry in a simple risk register

Risk: records are not kept securely.
Likelihood: 2 (this example uses a numerical ranking system of 1-4, with 1 for
low risk and 4 for high risk).
Impact: 3 (similar ranking system).
Preventive measures: clear procedures and instructions, training for all staff,
reminders using usual communications channels, regular checks.
Response measures: apply breach handling procedures.

The Code recommends that records and information management are included in the organisation’s risk
management framework.

Realistically, some records matter more to your organisation than others. This has an impact on risk
management as well as on other aspects of records management, such as storage facilities and disaster
recovery plans. For example, the risks connected with loss or unauthorised disclosure of patient records are
higher than those for records relating to running the hospital canteen. Because of this, hospitals will need to
identify them as high risk records and put arrangements in place to prevent and mitigate the risks.

top tips
  ssess records to identify those presenting particular risks which require
A
particular measures.
 Brief the person with lead responsibility (see section 3) on risks so that
a decision can be made as to which should be added to the corporate
risk register.
 Remember that risks can change over time and should be reviewed
periodically.

Last updated 31 August 2010 4

Information assurance is the discipline that specialises in information risk management. Many organisations
use an information assurance specialist to oversee and report on information risk management processes
and procedures.

3 Governance framework for records management

Governance framework is the term used for formal arrangements about accountability and responsibility.
Effective records management requires strategic direction and oversight as well as the day to day
involvement of all staff whose job includes keeping records of their work. A prerequisite for this is clarity
about responsibility and accountability. The Code recommends that organisations define roles and lines of
responsibility for managing records so that it is clear who is responsible and accountable for what.

This guide identifies five roles and their responsibilities. These are described below:
● Lead responsibility
● Operational responsibility
● Local responsibility
● Managers’ responsibility
● Staff responsibility

Lead responsibility

Responsibility for strategic direction and oversight should be given to someone who is sufficiently senior to
act as the accountable person and a champion for records management. This person should oversee policy
and strategy and ensure that the necessary resources are made available and remedial action is taken when
problems arise.

example Lead responsibility

 In central government the lead person is usually the Chief Information
Officer who is at or near Board level.

In large organisations one person, perhaps a Board member, may be given senior-level responsibility for
records management while someone else at a lower level has operational responsibility. In smaller
organisations the roles may well be combined. This is not because records management is less important in
smaller organisations but because their structure is less likely to lend itself to a division of responsibilities by
level. The Code does not recommend one model over the other. What matters is that:
● roles and responsibilities are clearly allocated
● if more than one person is involved, a working relationship with good lines of communication
is established
● the person or persons concerned are capable of doing the work.

Last updated 31 August 2010 5

Operational responsibility

The person with operational responsibility – the practitioner – develops the records management programme
and then manages its implementation and overall functioning. The practitioner might be called records or
information manager or might have some other job title but taking day to day responsibility for records
management in the organisation should be at least part of their job. It should be included in their job
description and the person should be given both the necessary authority and the time to do the work required.

example Operational responsibility

 In The National Archives the person with operation responsibility is called
Head of Knowledge and Information Management (KIM).

Here are some of the things the practitioner is likely to do:

● develop, implement and maintain the organisation’s records management policy and supporting
procedures and guidance
● work with business units2 to determine what records they should keep of their work and where and how
they should keep them
● develop, implement and maintain disposal policies and schedules, also in collaboration with business units
● advise ICT and other staff on the records management needs of systems used to create and hold records
● identify vital records (i.e. records critical to the continued functioning of the organisation in the event of
an emergency or disaster) and establish procedures to protect and manage them, including assisting in
disaster recovery
● train staff, including new staff, on records management procedures and provide ad hoc advice
when required
● carry out regular reviews of all aspects of the records management programme and make
recommendations for improvement if necessary

How do organisations find a practitioner? They have several options:

● appoint a records manager with relevant qualifications and/or experience
● make an existing staff member responsible for running the records management programme and ensure
they undertake appropriate training – in smaller organisations this new responsibility may be in addition
to other duties
● outsource, e.g. contract a service to develop and implement the records management programme – the
service could include ongoing maintenance, with the necessary organisational input being provided by a
member of staff as contract manager.

Organisations should decide which is the most suitable option for themselves, depending on their size, the
state of their records management, the resources available and the relative costs of the different options.
These may change over time so the arrangement should be kept under review.

2 The term ‘business units’ is used in the Code, but they could also be known by another name, e.g. divisions or sections

Last updated 31 August 2010 6

Local responsibility

Larger organisations and organisations with staff dispersed over several sites will probably find it useful to
have a network of people who take responsibility for managing records in their business unit or on each site.
They should do this work under the general supervision of the person with operational responsibility for
records management.

top tips
If you have such a network, try to make it a working, self-supporting
community.
 Set up discussions groups online.
 Involve them in finding solutions to local problems.

Managers’ responsibility

Managers of business units and projects are responsible for ensuring that their staff keep adequate records of
their work in accordance with agreed procedures and arrangements. Managers are accountable for the work
of their business units and they should ensure that adequate records of that work are kept. (The concept of
‘adequate records’ is outlined in Guide 4.)

Staff responsibility

In the modern government and business environment all staff will be keeping and managing records.
The quality and success of the records management programme will depend on their contributions. Your
organisation cannot meet its legal, regulatory and accountability requirements unless all staff keep complete
and accurate records which adequately document their work.

Ideally, records responsibilities will be included in the job descriptions of those with particular responsibilities
for managing records, with regular monitoring and assessment of performance.

4 Instructions to staff and managers on keeping and managing records

Records are kept as part of, or as a result of, a business activity or process but sometimes individuals must
take active steps to ensure a record is kept, including creating a record if necessary.

example Responsibility for keeping records

 Someone whose job requires them to decide whether an individual is
eligible for a particular social welfare benefit is responsible for keeping a
record of the decision and the action taken as a consequence.

Last updated 31 August 2010 7

The Code recommends that it should be made clear to all staff (including temporary staff) that they are
personally responsible for keeping records of their work in accordance with agreed procedures. There are a
number of ways of doing this. The records management policy (see Guide 3) provides the overall framework
and should include a commitment by the organisation to keep records documenting its principal activities.
However, the policy is unlikely to set out what records should be kept in sufficient detail to serve as
instructions to staff. Supporting documents such as business rules or operational procedures will make it clear
to staff precisely what records should be kept by them and how to do so. (See also Guide 4.)

5 Identifying and managing the information and business systems

that hold records
Unless an organisation knows what systems it is using and exercises control over them, there is a risk that
staff will not be able to find records and use information when needed. For this reason the Code recommends
the essential step of identifying all business and information systems that hold records.

top tip
 Do a stock-take of systems holding records.

The Code also recommends provision of the resources required to maintain and protect the integrity of those
systems and the information they contain. This is a crucial element of the organisational infrastructure for
records management.

(See also Guide 5 for systems holding records and Guide 6 for maintaining those systems.)

6 Records management during major organisational and other changes

Change creates the greatest risks to the keeping of records and to their continued availability. The Code
recommends that records management implications should be considered when changes are planned or are
happening, particularly in the following circumstances:
● Planning or implementing ICT systems
● Extending staff access to new technologies
● Planning and implementing restructuring or major changes to the organisation

Planning or implementing ICT systems

Sometimes Information and Communication Technology (ICT) systems are introduced which are effective
for their intended purpose but lack essential records management capability. For example, it may not be
possible to delete data in accordance with disposal schedules or to use access controls to restrict access to
sensitive information. Considering the records management implications from the start can prevent these
problems arising.

Last updated 31 August 2010 8

 top tips
  eep in close touch with ICT colleagues so that you get early warning of
K
planned work and can press for involvement.
 Brief the person with lead responsibility on the need to ensure the Board
does not approve plans for new systems until records management
implications have been considered.

Extending staff access to new technologies

Similar problems can arise when new technology is extended to staff. For example, if staff use portable
devices such as BlackBerrys, will the emails they send and receive be part of the relevant records system?
Particular attention should be paid to corporate information of value to the organisation that is contributed
by staff to systems outside its control, e.g. on social networking, blogs or micro-blogging sites. Staff who are
allowed to use social media for work purposes should be instructed to ensure that anything they contribute
that is of continuing value to the organisation is added to the organisation’s records.

top tip
 E nsure that emails sent and received using portable devices can be stored
in corporate systems.

Planning and implementing restructuring or major changes to the organisation

Organisational changes happen in the public and private sectors alike, e.g. to restructure the organisation, to
take on new functions or shed existing ones, or to contract-out functions.

examples Organisational change

 In central government, machinery of government changes in 2007 led to
responsibility for prisons and the probation service moving from the Home
Office to the Ministry of Justice.
 Local government has undergone several significant structural changes,
e.g. the creation of new unitary authorities in non-metropolitan areas in
the 1990s.

Last updated 31 August 2010 9

Bodies acquiring new responsibilities need access to records about those responsibilities. This requires:
● liaison between the bodies losing and gaining responsibilities
● planning to ensure a smooth transition and reduce the risk of things going wrong in terms of records
management.

Failure to manage organisational change can put at risk continued access to records needed for the daily work
of staff and can lead to loss of information or failure to comply with information legislation.

top tips
  ecide what should happen to records held by the body losing the function
D
or being abolished.
 Document any transfer of records.
 Agree how to manage future Freedom of Information (FOI) requests
relating to those records.

7 Staff training and awareness

Staff awareness is critical to the success of records management in an organisation. The Code recognises this
and recommends that all staff should receive the training they need to meet the organisation’s expectations
of them with regards to records. Below is an explanation of the training and awareness required for:
● All staff
● The practitioner (the person with operational responsibility)
● The senior management lead

All staff

All staff, including temporary staff, contractors and others working for the organisation, should receive
induction training that outlines the organisation’s records management policies, standards, procedures and
guidelines and makes clear their personal responsibilities. The records manager should work with human
resources, in-house training and communications colleagues to plan records management awareness raising
and training.

Some possible training methods are:

● inclusion of records management in the organisation’s employee induction programme
● formal technical training for employees new to particular system responsibilities or at times of
system change
● formal or informal in-service training and coaching
● training courses provided by external training providers either as part of their general syllabus or
customised to meet the organisation’s requirements.

The selection of training approaches will depend on the roles and responsibilities of the staff concerned and
on your organisation’s approach to training and development.

Last updated 31 August 2010 10

 top tips
 F ollow up initial training – offer refresher training and surgeries.
 Keep records management visible within your organisation by publishing
news items in newsletters and on internal websites.

The practitioner (the person with operational responsibility)

The records manager needs a full understanding of records management principles and practices. He or she
also needs to be aware of the organisation’s obligations under the Freedom of Information Act (FOIA) and
other relevant legislation so that the records management policies and procedures will support compliance
with those obligations. The practitioner also needs to understand how records management fits in with related
responsibilities, such as for information security.

Some of this is a matter of applying common sense but specialist knowledge is required also, especially in the
early stages of developing a records management programme in the organisation and when implementing
new systems or arrangements. The skills and knowledge required will depend on the scope of the job and the
work required of the person. They may vary over time, depending on what needs to be done to get records
management on a proper footing in the organisation and keep it there.

example The skills and knowledge required for records

management
In central government, a professional skills framework has been developed
for knowledge and information management (which includes records
management). See: gkimn.nationalarchives.gov.uk/framework.htm.
This identifies four levels: strategist, leader, manager and practitioner and lists
relevant skills for each level under four headings:
● strategic planning for knowledge and information management
(business focus)
● using and exploiting knowledge and information (user focus)
● managing and organising information (process focus)
● information governance (compliance focus).

This framework provides a basis for developing job or role descriptions and
describing the knowledge and skills expected of the records manager within
central government.

Last updated 31 August 2010 11

A new practitioner without relevant qualifications or experience should be provided with opportunities to
acquire the necessary knowledge and skills through training courses and other means such as mentoring by
an experienced record manager or formal study for a relevant qualification. The Code also recommends that
staff who work primarily in records and information management should be given opportunities to undertake
continuing professional development by attending training courses, conferences, etc.

The senior management lead

The person with lead responsibility needs a general understanding of what the records manager is trying to
achieve but does not need to be a records specialist themselves. For training purposes this person will count as
a general staff member.

8 Records management programme

Organisations vary in their records management capability and the extent to which their practices conform
to part 1 of the Code. Where they are now and what is required to get them to where they need to be will
determine the scale of the records management programme and what is included in the annual plan of activity.

Other factors that will affect annual plans are restructuring, office moves and introduction of new technology
or systems. The priority should be the essential building blocks of good records management – the policy,
the procedures, the disposal schedules, secure storage, training and so on, as described elsewhere in this
guide and in the other guides in this series. Once these building blocks are in place the plan should include
recurring elements such as disposal of records in accordance with disposal schedules, training of new staff, and
monitoring of compliance with procedures issued by the records manager.

top tips
  sk heads of business units and other colleagues if there is anything they
A
would like included in the records management programme.
 Get agreement by heads of business units to anything in annual plans that
will require contributions from them or their staff.

9 Resources for the records management programme

The Code recommends that organisations provide the financial and other resources needed to achieve the
objectives agreed in the records management programme. Budget provision, either within the budget for the
records management function or elsewhere, will be needed for:
● staff including all costs associated with recruiting and employing staff
● secure storage facilities
● equipment and materials
● specialist software if used, including purchase, installation and licences
● training and communications
● travel, transport and couriering if the organisation has more than one site
● destruction of records.

Last updated 31 August 2010 12

Securing resources beyond the necessary minimum can be difficult and support from the person with lead
responsibility will be critical.

top tips
 Identify benefits that will result from providing resources and the risks
resulting from not providing them.
 Build up alliances with colleagues working in ICT, audit, information
assurance, information security etc. whose interests overlap with yours.

Further guidance
● Lord Chancellor’s Code of Practice on the management of records issues under section 46 of the Freedom of
Information Act 2000:
www.justice.gov.uk/guidance/docs/foi-section-46-code-of-practice.pdf

Standards

● ISO 15489-1:2001 Information and documentation – Records Management (Part 1 General)

● PD ISO/TR 15489-2:2001 Information and documentation – Records Management (Part 2: Guidelines)

These can be purchased from the British Standards Institution, together with supporting guidance. For details
of what is available search under ‘information governance’ at shop.bsigroup.com.

Guidance from The National Archives

● Information matters: building government’s capability in managing knowledge and information:

gkimn.nationalarchives.gov.uk/documents/information-matters-strategy.pdf

● Professional skills framework for government KIM (Knowledge and Information Management) professionals:

gkimn.nationalarchives.gov.uk/framework.htm

● Information risk:

nationalarchives.gov.uk/services/publications/information-risk.pdf

● Machinery of government changes: guidance on transfer of records, information and knowledge:

nationalarchives.gov.uk/documents/mog.pdf

● Assessing records management in public authorities – self assessment tool:

nationalarchives.gov.uk/information-management/projects-and-work/assessing-rm-public-
authorities.htm

Last updated 31 August 2010 13

Guidance from the Information Commissioner’s Office

● FOI Awareness Guidance Number 8, Records Management FAQs:

www.ico.gov.uk/upload/documents/library/freedom_of_information/detailed_specialist_guides/
awareness_guidance_8_-_records_management_faqs_v2.pdf

Other relevant guidance

● Information assurance – central government framework:

www.cesg.gov.uk/products_services/iacs/iamm/index.shtml

Training

Training is provided at various levels. Some universities run dedicated graduate and post-graduate programmes
in records and information management – for details of these universities see digicult.info/farmer. Other
universities provide a records and information management module as part of a wider course, e.g. the
Information Rights Law and Practice LLM offered by the University of Northumbria.

Many organisations provide short courses on records management – law firms, consultancy companies
and membership bodies such as ASLIB and the Records Management Society. They are advertised on
their websites and through mailing lists. The main mailing lists are hosted by JISC and can be found at
jiscmail.ac.uk. See in particular records-management-uk, archives-nra, freedom-of-information and
data-protection.

Other guides in this series

Guide 1 What is records management?
Guide 3 Records management policy
Guide 4 Keeping records to meet corporate requirements
Guide 5 Records systems
Guide 6 Storage and maintenance of records
Guide 7 Security and access
Guide 8 Disposal of records
Guide 9 Records created in the course of collaborative working or through out-sourcing
Guide 10 Monitoring and reporting on records management

These guides can be found on our website:

nationalarchives.gov.uk/information-management/projects-and-work/implementation-guides.htm

Last updated 31 August 2010 14