
Record policy - UK

What are the realistic risks to an organisation that doesn't have a records management policy and information classification policy? And on the flip side, what are the benefits to an organisation of having such policies?

In the UK now there is a drive to have such a policy for freedom of information legislation, but I don't really see how the 2 link together. FOI is basically where a member of the public requests information about the company and the company has to respond within 20 days. So where does not having a records management policy affect that and hamper the ability to respond in 20 days, and same for information classification: what does having such a policy help in the way of FOI, and what does not having such a policy affect in being able to respond in 20 days?
0
pma111 Asked:
2 Solutions
 
Thibault St john Cholmondeley-ffeatherstonehaugh the 2nd Commented:
>FOI is basically where a member of the public requests information about the company
I thought it was that the company has to reply with all the information it holds on that individual, not about itself. For this reason we used, at my old workplace, to have to be very careful with any comments that were entered against a customer's record. Records of phone conversations, contacts and interdepartmental comments all could be seen by the customer if they asked.

To qualify for industry standard certification your company needs to pass audits and some of these checks will include proving that these records can be obtained within the time allotted. Not having a policy in place means you won't get the certificate and this may affect your ability to trade as companies you deal with might need to prove compliance of any subcontractors they use.
0
 
pma111 (Author) Commented:
I think you mean data protection subject access requests.
0
 
Thibault St john Cholmondeley-ffeatherstonehaugh the 2nd Commented:
It did involve the data protection act, the bit about the comments against customers' records.

The latter bit about proving compliance might be more relevant to you. It certainly has relevance with health and safety and with liability insurance and so I can imagine something similar is in place over records policies. This can include records of staff training and qualifications. All very necessary if you use the services of another company.
0
 
8080_Diver Commented:
"So where does not having a records management policy affect that and hamper the ability to respond in 20 days"

My take on that would be that, without a records management policy:
  • How do you know whether you even have records that need to be supplied?
  • Given that you do have records, how long do you need to retain them? (For instance, some records in the US have to be maintained for 5, 7, or 10 years, others are in the "forever and always" category, and still others are in the "only as long as we see fit" category.)
  • Given that you know that you have had records and that they have been maintained for some period of time, how long do you search for them before declaring that they have previously been destroyed?

As for information classification, I should think that the classifications would largely involve the retention period as well as the "public", "confidential", and "secret" levels of classification.  In other words, is it something you would post on a web site, something you might post on a web site but password protect, or something that you keep locked up somewhere?  

Audits may also include whether or not you classify (or, even more stringently, properly classify) documents.  This, too, can be important in dealing with other companies.
0
