1. Introduction
1.1 Purpose
The Records Management Policy (Policy) sets out the key principles as to how the British Business Bank plc (“BBB” “we”, “our”, “us”, “the Company”) will manage its records.
Records are defined as “information created, received, and maintained as evidence and information by an organisation or person, in pursuance of legal obligations or in the transaction of business” (ISO 15489).
Examples of records include meeting minutes, reports and papers, invoices and case files. Records can come in different forms and formats: electronic and paper files and documents, databases, systems, emails, photographs, images, audio recordings, social media posts, CDs, etc.
The aim of records management and this Policy is to apply controls to ensure the right records are created and held, are relevant, complete and reliable, are easy to find, retrieve and understand, are safe from harm or alteration, are available for as long as the Bank needs them, and disposed of in a confidential, timely and secure manner.
The benefits of effective records management are:
- creating and capturing reliable records to evidence our business activities
- protecting our business critical records and improving business resilience
- making sure our information can be found and retrieved quickly and efficiently
- complying with legal and regulatory requirements
- reducing risk for litigation, audit and investigations
- minimising storage requirements and reducing costs
- processing data in accordance with the expectations of data subjects, as per our Privacy Policy
This Policy is based on the ISO 15489 information management standard and the Lord Chancellor’s Code of Practice on the Management of Records and is supported by the Bank’s Records Retention Standard and Records Retention Schedule.
1.2 Legal and Regulatory Obligations
Records are created as a result of a business activity; thus, the business activity should determine what records are required as information or evidence of the decisions, actions and transactions carried out.
In some cases, legislation or regulation will dictate what records are needed, why and how long they need to be kept, but in the absence of specific legislation or regulations, the Bank will make the decisions based on best practice or advice and record the details in documented procedures or the Bank’s Records Retention Schedule.
In the case of personal data, the Data Protection Act 2018 states that personal data must only be kept for as long as the intended purpose of the processing, but also provides exceptions where personal data may be disposed of earlier (right to erasure) or later (secondary purposes). If in doubt, contact [email protected].
In the case of disposal, the Data Protection Act 2018 and the Freedom of Information Act 2000 include clauses that make it a criminal offence to intentionally alter, amend, conceal, withhold or destroy information that someone has requested and is entitled to (DPA 2018, s173; FOIA 2000, s77).
In addition to meeting its legal obligations, the BBB as an Arm’s Length Body (ALB) is required to meet the Government Functional Standards where applicable. Obligations relating to the Government Functional Standards GFS005 (Digital, Data and Technology) and GFS007 (Security) activity elements are set out and prescribed through this policy and its associated standards.
1.3 Alignment to Risk Appetite
This Policy sits under the Level One Risk – Operational and Resilience Risk.
It aligns to the Level Two Risk Category, Information Management, which is defined as ‘The risk of failing to treat information as a strategic asset, appropriately manage and maintain the organisation’s information across its lifecycle to support its necessary use, resilience, integrity and availability.’
BBB’s risk appetite in relation to Information Management is Medium.
2. Scope
This Policy applies to all BBB entities, operations, subsidiaries and Colleagues and the records that are created, received, stored and disposed of during the course of Bank business.
The records created for or on behalf of the Bank are the property of the Bank.
For the purpose of this policy, the term “colleagues” refers to any persons authorised to create or manage records on behalf of the Bank, including but not limited to employees, interns, contractors and Non-Executive Directors.
This policy does not apply to any records which are personal to employees, e.g. personal emails received, copies of tax records, payslips, etc.; however, if such records are held on the Bank’s environment, they should be marked as Private.
3. Requirements
3.1 Records Management Principles
Records management aims to apply consistent rules to control the way records are created, maintained, stored and disposed of, so they are:
- Relevant (to the business activity)
- Trusted (accurate, reliable and complete)
- Accessible (structured, easy to find, retrieve, and understand)
- Secure (from unauthorised access, alteration or disposal, loss, damage and theft)
- Destroyed (when no longer needed)
3.2 Records Management Requirements
To comply with the records management principles, we aim to:
- Identify the records the Bank needs to meet its legal, fiscal and operational requirements
- Design record keeping systems to maintain relevant, reliable and trusted records
- Identify the Bank’s vital records to support business continuity and recovery
- Define a business classification (file plans) and business rules to organise records by series, for example HR records, that are linked to their business activity
- Ensure records series are owned throughout their lifecycle from creation to disposal
- Use file naming conventions and rules to label records consistently
- Use, where possible, standard forms and templates to capture information consistently
- Utilise shared secure storage areas to create master versions of records to support collaborative working and reduce silo working and duplication
- Carry out quality assurance to ensure records are complete
- Implement security measures to protect the records’ confidentiality, integrity and availability
- Where systems allow, apply audit controls to monitor access to records and key actions taken, for example record retrieval, modification, deletion
- Preserve the integrity and continued availability of records (and accompanying metadata) that are migrated to new systems or converted into different formats (paper to digital, for example)
- Where systems allow, automate records management processes to reduce the administrative burden on colleagues, for example record classification, retention and disposal
- Maintain a records retention schedule to list the key record types and the minimum length of time they will be kept for, when the retention period starts from and reason for keeping the records for that time
- Maintain an inventory of the Bank’s physical records and / or electronic systems that are held on our behalf by third parties
- Dispose of records in a routine, timely and secure manner – at least once a year – in accordance with the Bank’s record retention schedule
- Where possible, permanently destroy records so they cannot be recovered. Where that is not possible, remove the record from daily use, mark it as dormant or anonymise any key identifiers
- Where third parties are asked to dispose of Bank records on our behalf, obtain written confirmation of the type of records destroyed, the method of disposal and the disposal date
- Provide colleagues with relevant training so they understand and can fulfil their records management responsibilities
- Report incidents through the Bank’s incident reporting procedure, as quickly as possible, where the confidentiality, integrity and availability of records may have been impacted, for example records have been lost, stolen, or damaged, subject to inappropriate or unauthorised access, alteration, or disposal. Where personal data has been affected, a decision must be made within 72 hours of the Bank being aware of the incident, whether to notify the Information Commissioner’s Office.
3.3 Records Disposal Exceptions
There are exceptions to the disposal of records when the retention period is reached, for example:
- A legal hold has been applied, e.g. investigations, legal disputes, disciplinaries, Inquiry, etc
- Specific terms of agreement or contract
- Specific business needs to retain the Records for longer periods
- A request has been made for information, e.g. Freedom of Information Act 2000, UK.
Where an exception applies, it must be documented on the Retention Schedule and / or an exception recorded (e.g. in the case of a focused investigation).
4. Roles and Responsibilities
4.1 Business Units
Each Business Unit is responsible for establishing what records their business activities need to have and to ensure the appropriate procedures are in place and communicated to colleagues to enable them to create and manage records to meet the Bank’s legal, fiscal, and operational needs.
4.2 Colleagues
Colleagues (as defined in the Scope) are responsible for the records they handle and complying with the relevant operating procedures to ensure the right records are kept and managed in line with the principles of this Policy.
Colleagues need to be able to distinguish between records that BBB wants to, or is required to, retain for business, legal or regulatory purposes and disposable information that should be discarded once it has served its purpose.
4.3 Data Owners
Data Owners will take a lead to ensure processes, systems and procedures are in place for their respective areas and communicated to colleagues. Where appropriate, the Data Owner will assign specific record keeping responsibilities to ‘nominated’ colleagues to help ensure record keeping procedures are followed, for example Risk Champions, Data Stewards, Data Custodians.
4.4 Operational Control
Operational Control is responsible for providing advice and guidance on records management, for working with colleagues to maintain the records retention schedule, and for monitoring compliance with this Policy and the policy controls.
4.5 Legal Team
The Legal team will provide advice and guidance to Business Units when a legal hold of a record is required and support Operational Control in its review of the Retention Schedule. The Legal team will also provide ad-hoc advice as and when required on records management related matters.
5. Non-Compliance
Records are vital to the efficient and lawful running of the Bank and this Policy sets out what we expect from you to ensure that BBB complies with applicable law and good practice. Your compliance with this Policy is mandatory and any breach of this Policy must be reported via the Risk Incident Portal and assessed to determine if further action is required, which may include disciplinary action.
6. Aligned Standards and Procedures
- Operational Risk Management Framework
- Data Protection Policy
- Records Retention Standard
- Records Retention Schedule
- Information Classification and Handling Standard
- Data Management Policy and accompanying standards
- Anonymisation and Pseudonymisation Standard
- Information Security Policies
7. Policy Controls
The Policy controls are visible here: Records Management Controls - Power BI.
8. Definitions
Term | Definition |
---|---|
Anonymisation | the process of turning data into a form which does not identify individuals. It is a type of information sanitisation whose intent is privacy protection. |
Archiving | the process of moving data which is no longer actively used to a separate storage device for long-term retention. Archival data consists of older data that is still important to the organisation and may be needed for future reference, and data that must be retained for legal or regulatory compliance. |
Destruction | the physical or technical destruction sufficient to render the information contained in the document irretrievable by ordinary commercially available means. |
Legal Hold | a request by the Legal Team, or other team, to preserve Records beyond their standard Retention Period or to suspend the ordinary destruction and disposal of Records, overriding the Retention Schedule in relation to Records which are intended to be used for legal proceedings, litigation, audit or investigations. |
Nominated Business Leads | colleagues that are assigned record keeping responsibilities to help the Business Area to embed records management practice into routine operations and ensure records are managed during their lifecycle, from creation to disposal. |
Personal Data | information relating to an identified or identifiable natural person (the data subject). An identifiable person is one who can be identified directly or indirectly, in particular by reference to an identifier such as a name, an ID number, location data or an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. |
Pseudonymisation | the process of partially anonymising data by splitting the information over multiple locations so that a single document cannot identify individuals. It is a type of information sanitisation whose intent is privacy protection, but the data is retained so that the original information can be recompiled if necessary. |
Records of Processing Activity | refers to the BBB ROPA, which records all the processes inside BBB Group in which personal data is captured, accessed or otherwise processed. It was previously known as the Inventory. Retention and disposal actions are included in the ROPA to help ensure personal data is not processed for longer than necessary. |
Record Authenticity | a record is what it purports (claims) to be; it was created or sent by the person purported to have created or sent it; and it was created or sent at the time purported. |
Record Availability | a record can be located, retrieved, presented and interpreted, and its business context can be established. |
Record Reliability | a full and accurate record of the transaction, activity or fact; created close to the time of the transaction or activity; created by individuals with direct knowledge of the facts or by instruments routinely involved in the transaction or activity. |
Record Integrity | complete and unaltered; protected against unauthorised alteration; alterations after creation can be identified, as can the person making the changes. |
Retention | the maintenance of documents in a production or live environment which can be accessed by an authorised user in the ordinary course of business. |
Retention Period | the minimum and/or maximum length of time, as set out in the Retention Schedule, that the BBB must retain the relevant Record in order to comply with its legal, regulatory and business obligations. Retention periods are independent of format and can be applied to any record (paper or electronic). |
Retention Schedule | an operational document listing the types or groups of Records held for which pre-determined retention and disposal rules have been established in accordance with legal, regulatory, fiscal or administrative requirements. |
Structured Data | data that is organised in a format that is easily used by a database or other technology, such as tables with rows and columns (e.g. a spreadsheet, database tables and data fields), that is used for analytical purposes and deemed material for the functioning of the business and regulatory demands. |
Unstructured Data | digital information which does not have a data structure and so cannot be easily used for analytical purposes, including but not limited to audio, video, and unstructured text such as the body of a word-processed document or communication (e.g. instant messages, emails, Word documents, PDF files, PowerPoint presentations). |