Records Management Policy
Total Page:16
File Type:pdf, Size:1020Kb
Information Management Toolkit for Early Year Providers
Document Owner Elizabeth Barber – Records Manager Tel: 03000 415812 [email protected] Version April 2015
Contents
1. Introduction 2. Using the Information Management Toolkit 3. Information Security 4. Information Sharing 5. Disposal of Records 6. Retention Guidelines 7. Review of Toolkit 8. Supporting Documentation
NOT PROTECTIVELY MARKED 1 1. Introduction The information management toolkit is designed to assist early years providers to fulfil their obligations under the Statutory Framework for the Early Years Foundation Stage 2014 (EYFS) by keeping their records to the appropriate standards. The EYFS states that: ‘Providers must maintain records and obtain and share information (with parents and carers, other professionals working with the child, the police, social services and Ofsted or the childminder agency with which they are registered, as appropriate) to ensure the needs of all children are met.’
2. Using the records management toolkit The retention guidelines on pages 6 to 11 are intended to be as exhaustive as possible. If settings do not create all of these records there is no need to create additional records. The retention guidelines are only guidelines, if in doubt please take legal advice. The responsibility of maintaining and retaining approporiate records remains with the individual settings. Individual settings may wish to undertake their own business risk assessments if it is considered that the retention periods outlined are not appropriate.
If you have any queries about record retention please contact Elizabeth Barber, Records Manager on 03000 415812 or [email protected] .
3. Information Security Much of the information created, received and managed by settings will contain personal information which is considered ‘sensitive’ under the Data Protection Act 1998. As a data controller, you must ensure that personal and sensitive information is appropriately secured and protected against unauthorised or illegal processing.
What happens when data gets lost?
Information security is probably the most important area for settings to concentrate on. The loss of or unauthorised access to personal information is likely to cause most harm to children, parents or staff and could result in the Information Commissioners Office (ICO) taking action. Individuals have a right to take action for compensation if loss of personal information causes them damage or distress.
The ICO now has the power to impose a monetary penalty of up to £500,000 for serious contraventions of the data protection principles. So not taking security seriously causes a reputational risk and could cost providers money.
NOT PROTECTIVELY MARKED 2 All personal data, whether paper-based or electronic, must be kept secure to prevent accidental loss, damage or destruction. The extent of the security measures required will depend on the sensitivity of the data. Information security within a setting means guaranteeing the confidentiality, integrity and availablility of the information.
Paper-based records
All paper-based records should be kept secure when they are not in use, in lockable desks, filing cabinets or cupboards and the keys should be kept in a safe place.
If paper-records need to be taken off the premises they should be stored in a secured lockable box or briefcase and put in the boot of the vehicle. Records should not be left in a vehicle on open view, left in the boot overnight or for any extended period of time.
Electronic records
Records held on electronic devices (e.g. laptops, computers, smart phones) should be password protected and mobile phones should be encrypted. Information should never be left up on a screen if the device is unattended.
If using electronic devices to process personal information ensure you have up-to- date virus protection software installed. If using a home computer, no other members of the household should have access to the device or the information contained on it. Any documents produced should be stored on external hard drives which should be encrypted where appropriate.
If no alternative, use encrypted datasticks for the transportation of personal information but ensure that the information held on that device is not the principal copy (primary record). Like paper-based records, any devices containing personal information should not be left in a car on open view and not left in the boot of a car overnight or for any extended period of time.
NOT PROTECTIVELY MARKED 3 Emailing
If sending confidential information by email, you need to think about information security issues. Where possible personal information should not be transported using email unless the sender and receipient both have secure email accounts or are using encryption techniques.
Never send personal information in the text of an e-mail. If necessary make sure that the information is in an MS Office document attached to the e-mail and password protected.
REMEMBER
4. Information Sharing Information sharing can take place with a number of organisations and individuals. It is important that information is shared with the right people in the right way.
Before sharing information with agencies or partners outside of the setting, you must check that you have their permission, and in the case of sensitive personal information, the explicit consent of the data subject (other than when such sharing is a statutory requirement).
NOT PROTECTIVELY MARKED 4 Where parents or individuals request access to information this should be dealt with in accordance with providers obligations under the Data Protection Act 1998 and where relevant Freedom of Information Act 2000. For further guidance on the responsibilities of providers, please visit the ICO’s website at the following link: https://ico.org.uk/ .
5. Disposal of Records Records which have been identified for disposal must be destroyed in a way which reflects the sensitivity or confidentiality of the information which the record contains.
Inappropriate disposal of information could lead to an information security breach. This could result in a fine from the ICO and serious reputational damage.
Any records containing sensitive personal information should be shredded or if they are held electronically deleted from the storage media and the recycle bin (if electronic records are stored on CD/DVD then these should also be shredded). You must keep a record of when and which records have been destroyed. Please see sample disposal schedule below:
Sample Disposal Schedule
The following records were destroyed according to the retention period laid down in the early year provider’s retention schedule or on the authorisation of the officer named below*
*delete as appropriate
File Reference Brief description On whose authority Method of disposal
NOT PROTECTIVELY MARKED 5 6. Records Guidelines IMTKE1 Records to be kept by Registered Persons - All Cases
Basic file description Data Statutory Retention Period KCC Prot Provisions [operational] Retention Issues Schedule Reference Number IMTKE1.1 The name, home address and date Y Statutory Closure of setting + 50 years CS1.7.1 of birth of each child who is looked Framework for [These could be required to show after on the premises the Early Years whether or not an individual child Foundation attended the setting in a child Stage September protection investigation] 2014 - Page 30 IMTKE1.2 The name, home address and Y Statutory If this information is kept in the CS1.7.2 telephone number of a parent of Framework for same book or on the same form as each child who is looked after on the Early Years in IMTKE1.1 then the same premises Foundation retention period should be used as Stage September in IMTKE1.1 2014 – Page 30 If the information is stored separately, then destroy once the child has left the setting (unless the information is collected for anything other than emergency contact) IMTKE1.3 The name, address and telephone Y See CS33.4.5 below CS1.7.3 number of any person who will be looking after children on the premises
NOT PROTECTIVELY MARKED 6 IMTKE1 Records to be kept by Registered Persons - All Cases
Basic file description Data Statutory Retention Period KCC Prot Provisions [operational] Retention Issues Schedule Reference Number IMTKE1.4 A daily record of the names of Y The regulations say that these CS1.7.4 children looked after on the records should be kept for a premises, their hours of attendance reasonable period from when the and the names of the persons who child leaves. (for example 3 looked after them years)If these records are likely to be needed in a child protection setting (see CS1.7.1 above) then the records should be retained for closure of setting + 50 years IMTKE1.5 A record of accidents occurring on Y Statutory DOB of the child involved in the CS1.7.5 the premises and incident books Framework for accident or the incident + 25 years relating to other incidents Early Years If an adult is injured then the Foundation accident book must be kept for 7 Stage September years from the date of the incident 2014 – Page 26 IMTKE1.6 A record of any medicinal product Y Statutory DOB of the child being given/taking CS1.7.6 administered to any child on the Framework for the medicine + 25 years premises, including the date and Early Years circumstances of its administration, Foundation by whom it was administered, Stage September including medicinal products which 2014 – Page 25 the child is permitted to administer to himself, together with a record of parent’s consent
NOT PROTECTIVELY MARKED 7 IMTKE1 Records to be kept by Registered Persons - All Cases
Basic file description Data Statutory Retention Period KCC Prot Provisions [operational] Retention Issues Schedule Reference Number IMTKE1.7 Records of transfer Y One copy is to be given to the CS1.7.7 parents, one copy transferred to the Primary School where the child is going IMTKE1.8 Portfolio of work, observations and Y To be sent home with the child CS1.7.8 so on IMTKE1.9 Birth certificates Y Once the setting has had sight of CS1.7.9 the birth certificate and recorded the necessary information the original can be returned to the parents. There is no requirement to keep a copy of the birth certificate.
NOT PROTECTIVELY MARKED 8 IMTKE2 Records to be kept by Registered Persons - Day Care
Basic file description Data Statutory Retention Period KCC Prot Provisions [operational] Retention Issues Schedule Reference Number IMTKE2.1 The name and address and telephone Y Statutory Framework See IMTKE2 below CS1.7.10 number of the registered person and for Early Years every other person living or employed Foundation Stage on the premises September 2014 – Page 31 IMTKE2.2 A statement of the procedure to be N Statutory Framework Procedure superseded + 7 CS1.7.11 followed in the event of a fire or for Early Years years accident Foundation Stage September 2014 – Page 27 IMTKE2.3 A statement of the procedure to be N Statutory Framework Procedure superseded + 7 CS1.7.12 followed in the event of a child being for Early Years years lost or not collected Foundation Stage September 2014 – Page 30 IMTKE2.4 A statement of the procedure to be N Statutory Framework Until superseded CS1.7.13 followed where a parent has a for Early Years complaint about the service being Foundation Stage provided by the registered person September 2014 – Page 30 to 31
NOT PROTECTIVELY MARKED 9 IMTKE2 Records to be kept by Registered Persons - Day Care
Basic file description Data Statutory Retention Period KCC Prot Provisions [operational] Retention Issues Schedule Reference Number IMTKE2.5 A statement of the arrangements in N Statutory Framework Closure of setting + 50 CS1.7.14 place for the protection of children, for Early Years years including arrangements to safeguard Foundation Stage [These could be required the children from abuse or neglect and September 2014 – to show whether or not an procedures to be followed in the event Page 16-17 individual child attended of allegations of abuse or neglect the setting in a child protection investigation]
IMTKE3 Other Records - Administration
Basic file description Data Statutory Retention Period KCC Retention Prot Provisions [operational] Schedule Issues Reference Number IMTKE3.1 Financial records – N Current year + 6 years accounts, statements, invoices, petty cash etc IMTKE3.2 Insurance policies – N Employers The policies are kept for a minimum of Employers Liability Liability 6 years and a maximum of 40 years Financial depending on the type of policy Regulations IMTKE3.3 Claims made against Y Case concluded + 3 years insurance policies – damage to property
NOT PROTECTIVELY MARKED 10 IMTKE3 Other Records - Administration
Basic file description Data Statutory Retention Period KCC Retention Prot Provisions [operational] Schedule Issues Reference Number IMTKE3.4 Claims made against Y Case concluded + 6 years insurance policies – personal injury IMTKE3.5 Personal Files - records Y Termination + 6 years then review relating to an individual’s employment history IMTKE3.6 Pre-employment vetting N DBS Date of check + 6 months information (including CRB guidelines checks) IMTKE3.7 Staff training records – Y Current year + 2 years general IMTKE3.8 Training (proof of completion Y Last action + 7 years such as certificates, awards, exam results) IMTKE3.9 Premises files (relating to N Cessation of use of building + 7 years maintenance) then review IMTKE3.10 Risk Assessments N Current year + 3 years
NOT PROTECTIVELY MARKED 11 7. Review of Toolkit This toolkit will be reviewed when required. 8. Information, Advice and Guidance Further information relating to records management, information security and information sharing can be found via the following links: http://www.kelsi.org.uk/school_management/day-to- day_administration/access_to_information/records_management.aspx .
Useful Contacts
Advice on records management, please contact 03000 415812 Elizabeth Barber - Records Manager [email protected]
Advice on information security and sharing, please 03000 416286 contact Michelle Hunt - Information Governance [email protected] Specialist
.
NOT PROTECTIVELY MARKED 12