Solved

Record policy - UK

Posted on 2011-03-08
Last Modified: 2012-08-14
What are the realistic risks to an organisation who don't have a records management policy and information classification policy? And on the flip side, what are the benefits to an organisation to have such policies?

In the UK now there is a drive to have such policy for freedom of information legislation, but I don't really see how the 2 link together. FOI is basically where a member of the public requests information about the company and the company has to respond within 20 days. So where does not having a records management policy affect that and hamper the ability to respond in 20 days, and same for information classification, what does having such a policy help in the way of FOI, and what does not having such a policy affect in being able to respond in 20 days?
Question by:pma111
4 Comments
 
LVL 17

Accepted Solution

by:
Thibault St john Cholmondeley-ffeatherstonehaugh the 2nd earned 125 total points
ID: 35075396
>FOI is basically where a member of the public requests information about the company
I thought it was that the company has to reply with all the information it holds on that individual, not about itself. For this reason we used, at my old workplace, to have to be very careful with any comments that were entered against a customer's record. Records of phone conversations, contacts and interdepartmental comments all could be seen by the customer if they asked.

To qualify for industry standard certification your company needs to pass audits and some of these checks will include proving that these records can be obtained within the time allotted. Not having a policy in place means you won't get the certificate and this may affect your ability to trade as companies you deal with might need to prove compliance of any subcontractors they use.
 
LVL 3

Author Comment

by:pma111
ID: 35080679
I think you mean data protection subject access requests
 
LVL 17
ID: 35086057
It did involve the data protection act, the bit about the comments against customers' records.

The latter bit about proving compliance might be more relevant to you. It certainly has relevance with health and safety and with liability insurance and so I can imagine something similar is in place over records policies. This can include records of staff training and qualifications. All very necessary if you use the services of another company.
 
LVL 22

Assisted Solution

by:8080_Diver
8080_Diver earned 125 total points
ID: 35086069
"So where does not having a records management policy affect that and hamper the ability to respond in 20 days"

My take on that would be that, without a records management policy:
How do you know whether you even have records that need to be supplied?
Given that you do have records, how long do you need to retain them? (For instance, some records in the US have to be maintained for 5, 7, or 10 years, others are in the "forever and always" category, and still others are in the "only as long as we see fit" category.)
Given that you know that you have had records and that they have been maintained for some period of time, how long do you search for them before declaring that they have previously been destroyed?

As for information classification, I should think that the classifications would largely involve the retention period as well as the "public", "confidential", and "secret" levels of classification.  In other words, is it something you would post on a web site, something you might post on a web site but password protect, or something that you keep locked up somewhere?  

Audits may also include whether or not you classify (or, even more stringently, properly classify) documents.  This, too, can be important in dealing with other companies.
