Record Management Policy

PURPOSE

The purpose of this policy is to outline the principles and processes for record management at Leaders Institute (LI)

SCOPE

Whole institute

PRINCIPLES

LI is committed to the following principles:

• all LI information and records are appropriately created, managed, maintained, and disposed of in accordance with legislative requirements, policy, and recognised standards of best practice;

• records created as soon as practicable after the event to which they relate. All records created by LI provide a correct reflection of what was done, communicated, or decided;

• levels of responsibility are established regarding record and information keeping pertaining to all functions, processes, activities, and transactions of the Institute. All staff are made aware of their responsibilities to make records;

• recordkeeping systems and storage facilities are designed and implemented to protect records from unauthorised access, alteration, deletion, or loss. Unauthorised access, alteration or destruction of records or information is forbidden by LI. Migration of records from one system to another controlled, documented, and compliant with best practice;

• LI provides appropriate security and access over records;

• Records are to be linked to their business context, which includes records relating to the business activity or transaction. The location and use of records and information is recorded and tracked. Records are to be accessible for as long as they are required and disposed of in accordance with the approved procedures.

DEFINITIONS

Appraisal: evaluation of business activities to determine which records should be retained and the period of retention, to meet legislative requirements, business needs and organisational accountability.

Archive: non-current records, for permanent retention.

Classification Scheme: grouping records according to their functionality.

Disposal: range of activities involved in retention, deletion, or destruction of records.

Disposal Schedule: list of various records and the period of time the record must be retained. It may also indicate the time at which records should be transferred to secondary storage.

Disposal trigger: event such as action completed or superseded, from which the disposal date is calculated.

Destruction: destroying a record, either the physical destruction or permanent deletion of a record or information.

Document: information treated as a unit of information.

ICT: Information Communication Technology, including associated resources, which relate to the capture, storage, retrieval, transfer, communication, or dissemination of information through electronic media. This includes hardware, software, networks, recording equipment, web-based systems, databases, files, software licences, computing-related contracts, network bandwidth, usernames, passwords, documentation, and electronic mail.

Other Entities: External organisations which may provide cloud solutions (e.g. Microsoft, Amazon Web Services) and host services such as Turnitin.

Record: information created or received by LI which provides evidence of relevant activities, irrespective of the technology or medium used to generate, capture, manage, preserve, and access information.

Record Management System: information system used to capture and provide access to records.

Retention: period a record should be retained by the institution before final disposal. It may also indicate when records or information should be transferred to secondary storage or archived.

Sentence: identifying and classifying a record according to the disposal schedule.

User: all staff, students, contractors, visitors, alumni, and all other people who legitimately access and use computing resources, information technologies and networks owned or managed by LI

PRIVACY

LI adheres to the principles and requirements in the Privacy Amendment (Private Sector) Act 2000, Privacy and Personal Information Protection Act 1998 (PPIPA), Health Records and Information Privacy Act 2002 (HRIPA), and Privacy Amendment (Notifiable Data Breaches) Act 2017.  Where relevant LI will also meet its compliance obligations with the EU General Data Protection Regulation 2016/679 (GDPR).

Users are responsible for maintaining appropriate access restrictions for their files, as well as protecting their passwords. Users who knowingly allows another person to use their username or password may be found responsible for any inappropriate use on the part of that person. Distribution of name lists, e-mail addresses, home addresses, or other means of contact will not be provided without the express permission of the persons involved. Neither shall the security codes or passwords of LI users be divulged to others.

Invasion of the privacy of any person using LI’s ICT is prohibited. LI reserves the right to supervise the entire network to preserve the security of LI and all users. LI respects the privacy of users and does not routinely inspect or monitor use of ICT resources. However, LI does not guarantee the security and privacy of data created, stored, or transmitted upon its ICT systems, including any user’s electronic mail and/or electronic files. Information reports will be available to LI which can subsequently be used for matters such as system performance and availability, capacity planning, cost re-distribution, and the identification of areas for personal development.

Authorised LI staff may access information in the following situations:

• legal request for public disclosure of public records;

• LI record retention requirements;

• routine system maintenance;

• investigations of misconduct, consistent with all legal requirements and with the approval of the delegated supervisor. This provision applies to monitoring of employee accounts when the monitoring is done because of suspected illegal activity or policy violations;

• monitoring of LI accounts.

SECURITY INFORMATION

LI may record visits to LI websites and log information for statistical and business purposes. This includes a user’s address, user’s domain name, IP address, date and time of visit, pages accessed, and previous site visited. Identification of the user may also be requested and logged. If the person is not a LI student or staff member, the email address of sent messages will be recorded.

LI websites have security measures in place against the loss, misuse, and alteration of information. Generally, a login and password are required to visit secure areas. This is to ensure that information is displayed only to the intended person. Individuals are responsible to always keep their password secure.

Some LI courses and/or units require the use of forums, on-line teaching environments, message boards and/or news groups. Any information that is disclosed in these areas becomes public information and it is the responsibility of the user to exercise caution when deciding to disclose personal information.

STUDENT RECORDS

LI maintains accurate and up-to-date student records of enrolments, progression, completions, and award of qualifications. Official academic records of the grades achieved by a student in a course are stored permanently by LI in a secure central system. The Registrar is responsible for ensuring the safety, accuracy, privacy, and order of all student records. Electronic storage is password protected and hard copy information is filed securely in a locked facility. The Registrar is also responsible for protecting against the loss of electronic student records by ensuring appropriate backup of data.

Student files are kept in a secure location and can only be accessed by authorised LI personnel. Students can access their personal information by making this request to the Registrar. Students may request to have incorrect personal information corrected by contacting the Registrar and providing documentation to support the change.

Student files are kept in a secure location and can only be accessed by authorised LI personnel. LI retains records of all written agreements, as well as receipts of payment made under the written agreement, for at least two years after the student ceases to be an accepted student.

Students are provided with accurate information about the use and disclosure of their student records, which includes the disclosure of information to external parties.

RESEARCH RECORDS

In accordance with the Australian Code for the Responsible Conduct of Research, LI implements risk-based protections for research data (progressive or final data/information gathered for research by LI academic staff and students) to guard from accidental or malicious manipulation or loss. This includes regular testing of retrieval and retention for at least five years.

PROCEDURES

TRAINING

All staff receive record management training as part of their orientation.

AUDITING

Regular auditing of record management ensures that records are being created and maintained correctly and an accurate record of LI’s business activities and affairs is being captured in the record management system.

CREATION OF RECORDS

• Records are added to the recordkeeping system at the time of creation or receipt of a document;

• Wherever possible records are held in electronic format;

• All records are classified according to the appropriate record keeping naming conventions. The record classification scheme is used to classify all LI’s records;

• Where possible, records are sentenced at the time of creation in accordance with the appropriate disposal schedule.

RECORD MAINTENANCE

• All records are stored for their period of retention;

• All records are accessible;

• All records (electronic and hard copy) are maintained in good condition.

Records are retained in a useable and accessible form for at least the minimum retention period contained within the applicable Retention & Disposal Schedule as approved by the Queensland State Archivist. Electronic records will be sentenced in accordance with an approved Retention and Disposal Schedule and appraised prior to their transition to inactive storage, permanent retention, or their disposal. Only delegated record management officers are authorised for record removals.

RETENTION AND DISPOSAL OF RECORDS

1.    All records are disposed of according to the appropriate disposal schedule.

2.    All records are sentenced according to the appropriate disposal schedule.

3.    Disposal date is set according to the disposal trigger.

4.    No records are destroyed of without the permission of the Registrar.

5.    All records that are destroyed are recorded in a register of “Destroyed Records”.

6.    The destruction process is secure to ensure confidentiality.

LI ensures that high-risk, high-value, and permanent records are kept in an approved record keeping system to ensure the record is discoverable, accessible, and managed throughout their lifecycle.

Records retention requirements vary to support accountability, and for legal, knowledge and historical reasons. Management of records within a business context and/or system, and the resources needed for their retention, needs to be prioritised based on risks to LI if the record was unable to be located or authenticated as accurate.

Before any record is stored with an external storage provider, the Registrar is provided with a catalogue of the records to be stored with the provider. LI is responsible for any costs associated with records storage with external storage providers.

Disposal authority adheres to the LI delegations schedule.

Archiving Records

1.    Inactive records are archived with the approval of the Registrar.

2.    The archive includes records that must be held indefinitely and inactive records during their retention period.

Record Security

1.    Records must not be altered and all care must be taken not to damage records.

2.    Access to records is limited by a password hierarchy.

3.    All records are kept in a secure environment.

4.    LI’s Critical Incident Management Policy is in place to minimise the potential loss of records.

Records handling

1.    Section procedures may only be prepared and used with the approval of the Registrar.

2.    Current Section Procedures:

3.    Student Records Management Procedure

4.    Finance Management Procedure

NOTIFYING AND HANDLING OF BREACHES

Users are responsible for reporting possible breaches of this policy to the Registrar who is responsible for handling potential breaches for users in accordance with the Code of Conduct Policy. Penalties for misuse of ICT resources may range from loss of access to accounts, to formal disciplinary action up to and including dismissal, or in some more serious instances criminal or civil proceedings.

RECORDS TO KEEP

Common records kept and managed by LI include, but are not limited to:

Academic programs: development, approvals, management, and review

Assets: infrastructure and equipment controls, registers, maintenance, warranties, security

Audits: process, internal due diligence, or as required

Disaster management and business continuity – plans, manuals, debriefs

Facilities: buildings, infrastructure; library, maintenance

Financial: data, audits, fraud prevention

Governance records: agendas, attachments, minutes, delegations, polices.

Grants and scholarships: case files and arrangements

Insurance: materials

Learning and Teaching: content, exams, assessment

Marketing: campaigns and materials

Research: ethical clearance, data/information, patents

Staff: CVs, scholarship, induction, training, misconduct issues

Student records: enrolments, orientation, progression, completions, award of qualifications, academic transcripts, academic integrity matters, student support, safety, and security

Vital Records: essential for the ongoing business of LI. These include, but are not limited to, contracts, deeds, memoranda of understanding, licenses, evidence of ownership of physical and intellectual property, and other records documenting legal authority

Work health and safety: administration, training, incidents, reporting, wellbeing

DISASTER MANAGEMENT PLAN

Risk prevention, response, and recovery strategies for protecting and recovering LI records in the event of a disaster are implemented through a Disaster Management Plan. The plan ensures that vital records receive the highest salvage priority.