ICP-03 Records management policy

This is a sub-policy of the ICP-01 Information compliance policy.

Summary

This policy sets out the principles and practical considerations for the consistent management of records throughout their life cycle, from creation or receipt through to their operational use, storage and disposal.

Control information Control detail
Owner Information Compliance Manager and Data Protection Officer, Information Compliance
Author Information Governance Manager and Data Protection Officer, Information Compliance
Sponsor Director of Governance and University Secretary, Governance 
Consulted Not applicable
Approved by Information Governance and Security Advisory Board
Responsible area University Secretary’s Office
Version 3
Approval date 02 March 2026
Effective date 02 March 2026
Interim review effective date Not applicable
Full review period 1 year
Date of next full review 02 March 2027
EIA completion date Not applicable
DPIA completion date Not applicable
SIA completion date Not applicable
Reporting requirements Suspected data sharing breaches should be reported to the Information Compliance Team  
Applicable statutory, legal or best practice requirements

  • Data Protection Act 2018
Keywords archival value, data protection, digital records transfer, disposition action, enterprise management systems, freedom of information request, information asset, information governance, information lifecycle, off-site storage, records management

On this page

  1. Updates to this policy
  2. Introduction
  3. Scope
  4. Definitions
  5. Responsibilities
  6. Management of records: information lifecycle
  7. Off-site storage and scanning
  8. Security and access
  9. Business continuity

1. Updates to this policy

1.1. Updates to this policy from the previous (first published version) have been made to clarify roles and responsibilities, permanent preservation and physical records procedures.

1.2. This policy has been updated to align to the University of Bristol policy management framework. 

Back to top

2. Introduction

2.1. Records are how the University of Bristol provides evidence for decision-making and underpins delivery of efficient services. Records also enable the University to understand ‘how we came here’ through contextual information that is accurate and reliable.

2.2. Records can come from any digital or physical platform used to create, manage and store information assets, including enterprise management systems, databases, email, voice and instant messaging, websites and social media applications.

2.3. The University is committed to creating and keeping accurate and reliable records, documents and data to meet its legal and operational obligations and business needs. 

Back to top

3. Scope

3.1. This policy applies to all records created, received, maintained and held, in all formats, by staff of the University while carrying out their business functions.

3.2. The policy covers records concerning the management, governance and administration of research, but specific guidance in relation to the processing and storage of research data is provided by the Research Data Service, including use of the Research Data Storage Facility (RDSF).

3.3. A small percentage (est. <5%) of the University's records will be selected for permanent preservation as part of the University's archive for historical and evidential purposes, and as an enduring record of the conduct and management of the University.

3.4. This policy applies to all staff of the University of Bristol, including honorary staff/associates, contractors, temporary staff and any students who are carrying out work on behalf of the University. It is a contractual obligation to adhere to the requirements of the policy.

Back to top

4. Definitions

4.1. Archival value: Long-term research value for cultural purposes. University records with archival value are those which provide the essential evidence of the University's most significant functions and activities, and also serve legitimate research needs of the University and wider academic and public user community. University records with archival value collectively show how the University was organised and operated, its effect on the wider community and what it did and why.

4.2. Disposal: Processes associated with implementing records retention, destruction or archival transfer decisions which are documented in retention schedules. The disposition action for records that have archival value is 'transfer to archive'; the disposition action for all other records is 'destroy'; and in a select few cases ‘review’.

4.3. Information Security Classification Scheme: The University’s Information Security Classification Scheme identifies information based on the level of harm that would result if the information were lost, stolen, or accidentally disclosed to others. The Scheme provides examples of the main kinds of information used by the University in each category and gives practical advice on how to store the information, communicate the information and securely destroy the information when no longer needed.

4.4. Institutional memory: Understanding why decisions were made, and understanding the sequence of events and what happened so that, as an organisation, the University learns lessons from earlier activities.

4.5. Legal hold: Applied to records that are due for disposition but need to be retained longer for legal reasons. Legal (disposition) holds can be requested by Information Asset Owners or Information Asset Assistants and must be authorised by the Data Protection Officer or the General Counsel and Director of Legal Services. For example, where records are the subject of an FOI request which is within the review or appeal period, or where records are needed for litigation purposes. For details about this process in respect of legal holds on IT user accounts, see the ISP-18 Investigation of computer use policy.

4.6. Record: Recorded information or data (in any format) created, received, or maintained by the University (or someone working or acting on its behalf) in the transaction of university business or conduct of university affairs and kept as evidence of those activities for business, regulatory, legal or accountability purposes. ‘Business purposes’ are any purposes which support the University’s functions and activities. ‘Regulatory purposes’ are any purposes which support or demonstrate the University’s compliance with regulatory requirements. ‘Legal purposes’ are any purposes which support or demonstrate the University’s compliance with any legal obligation. ‘Accountability purposes’ are any purposes whereby the University needs to answer for its conduct.

4.7. Record series: Records maintained as a unit because they result from the same business process or activity and/or have a particular format. Examples include:

  1. committee papers and minutes

  2. student complaint files

  3. information request case files

4.8. Records Storage & Retrieval Service (RSRS): The Records Storage & Retrieval Services (RSRS) provides secure off-site storage for physical records. The service is provided under contract by a third-party supplier. Some schools and professional services have an account and at least one ‘authorised user’. Authorised users are responsible for monitoring the expiry dates of boxes in their account and requesting the timely disposition of boxes by informing Records Management at the point of transfer or if stored boxes have no disposal/review dates.

4.9. Records of Processing Activity (RoPA): A record of all the personal data processing activities carried out by the University.

4.10. Transitory information: Has only temporary value. It is produced:

  1. In the completion of routine actions (ephemeral records).

  2. In the preparation of other records which supersede them (temporary records).

  3. For convenience of reference.

Transitory information has no significant informational or evidential value after it has served its primary purpose. It can usually be disposed of within no more than 6 months.

Back to top

5. Responsibilities

5.1. Senior Information Risk Owner (SIRO): Assumes executive responsibility for information risk management.

5.2. Data Protection Officer (DPO): A mandated statutory role to ensure the University meets legal compliance.

5.3. Information Compliance Team: The University's central information compliance function and subject matter experts, providing day-to-day advice and guidance on information compliance while overseeing relevant procedures

5.4. Information Asset Owners (IAO): Senior staff responsible for managing information assets, risks, and assurance.

5.5. Information Asset Assistants (IAA): Support IAOs with operational management of information assets.

5.6. All staff: Follow policies and procedures, complete training, handle data responsibly, and report incidents and breaches.

Back to top

6. Management of records: the information lifecycle

6.1. Information must be managed throughout its lifecycle: beginning when the record is created or received; then, when it is classified; through its usage and storage; and finally, through its destruction or permanent retention.

Create/receive

6.2. Schools and Professional Services at the University must have in place adequate systems for documenting the University’s activities. Wherever possible, records should be created in the repository where they will be maintained.

6.3. The Information Asset Register (IAR) (staff access only) is a systematic way of formally capturing the University’s most valuable and sensitive information, to assist with audit, legal, regulatory, and business-as-usual actions. Records processed by the University containing personal data, or that are of significant value, must be captured in the IAR at the point of creation, or through a regular assessment.

6.4. Records must be accurate so that it is possible to establish what has been done and why. The quality of the records must be sufficient to allow staff to carry out their work efficiently, demonstrate compliance with statutory and regulatory requirements, and ensure accountability and transparency expectations are met. The integrity of the information contained in records must be beyond doubt; it should be compiled at the time of the activities to which it relates, or as soon as possible afterwards, and be protected from unauthorised alteration or deletion.

6.5. Where possible, both paper and electronic records systems should contain metadata (information about the structure of the records system or series) to enable the system and the records to be understood and operated efficiently, providing an administrative context for effective management of the records, and to enable individual records to be identified and accessed efficiently.

6.6. Records should be created in a way that enables accessibility by those with disabilities.

Classify

6.7. Keeping diverse records together in an unstructured manner makes it more difficult to identify and retrieve them, and to apply responsible retention policies.  A functional approach to records management focuses on managing records according to their business context (why they exist) rather than their content (what they are about) or their location (which business unit or person holds them). See guidance on reducing redundant, obsolete and trivial (ROT) information (staff access only).

6.8. A Business Classification Scheme (BCS) (staff access only) has been developed to assist the University in grouping its records at a management and local level which are captured in the Information Asset Register

6.9. Records should be classified in accordance with the BCS, and held in a functional filing scheme, to enable suitable retention periods to be assigned.

Maintain/use

6.10. Files should be organised to avoid ‘information sprawl’ (nested folders, duplication, relative file/folder names).

6.11. Naming conventions assist with using consistent terminology to improve efficiency.  Standardised referencing and titling must be employed, so information can be readily identified and retrieved. Titles given to digital and hard copy records and files should describe the content or subject matter accurately and helpfully.  

Retain and appraise

6.12. Records must only be kept for as long as is required to meet operational, business and legal needs. UK Data Protection legislation requires organisations to only retain records containing personal data for as long as is strictly necessary, and organisations can be subject to enforcement action, including fines, for failing to comply.

6.13. The University’s Records retention schedule provides the standard for all sections of the institution regarding appropriate retention periods for different categories of record. It applies to all record formats. It promotes consistency and the retention of the minimum volume of records, and accounts for legislative and regulatory compliance requirements.

6.14. Information Asset Owners must agree retention periods for the information assets which they are responsible for, using the Records Retention Schedule, and these must be set out in the Information Asset Register. With assistance from the Information Compliance Manager and other resources, Information Asset Owners are responsible for ensuring that the retention periods are regularly reviewed (at least annually) to determine whether any retention periods applying to information within their Division or School have expired. 

6.15. Research data can be retained for a minimum of ten years. A shorter or longer retention period may be appropriate, depending on the discipline and characteristics of the project, or may be required by research sponsors and data custodians

6.16. Physical and digital files should be weeded regularly to ensure records are not kept for longer than required.

Dispose (destroy/archive)

6.17. When a record reaches the end of its retention period a decision must be taken on its disposal, with the three possible outcomes:

   1. Cleanse:

  1. Information Asset Owners should complete regular DPIA Assessments to determine which record series they own are in scope of permanent preservation.

  2. Records Management will cleanse the records, in accordance with the DPIA determinations, prior to consideration for transfer to archive.

   2. Appraise:

  1. The University Archives team will appraise records for their historical significance and advise on the required steps for transfer to the University Archive.

  2. Contact the University Archives at: special-collections@bristol.ac.uk.

   3. Dispose:

  1. The Information Asset Owner is responsible for ensuring that records are destroyed in a timely and secure manner, and that senior staff within the relevant department are made aware that the destruction is taking place. All copies, including security copies, preservation copies and where possible backup copies, held in any format must be destroyed at the same time.

  2. Destruction must be carried out in a way that takes full account of the confidentiality of the record using the Information Classification Scheme.

  3. For hard copy records the following requirements apply:

    • Use of secure disposal methods for sensitive records such as confidential waste bins and sacks, with use of the contracted shredding service for confidential waste. Internal guidance on confidential waste is available here (staff access only).

    • When an entire file or archive box is to be destroyed the whole file or box must be destroyed in line with the requirements of the most sensitive documents it contains.

  4. Duplicates are identical copies of digital information. Therefore, when disposing of digital records, it is vital that all the various locations that a file could be stored have been considered. These include information that may be stored in:

    • University shared filestores (e.g. H: drive or similar).

    • Cloud suppliers whose services are provided by the University (M365) – Teams, SharePoint, etc.

    • Emails and email attachments.

    • Individual devices such as laptops, hard drives and USB sticks, whether University-owned or personally-owned.

6.21. System backups will continue to hold copies of deleted digital records until such time that the backup is deleted. The Records Retention Schedule details the retention of back-ups. While the requirements of the Data Protection and Freedom of Information Acts technically still apply to such records, the Information Commissioner’s Office recognise that it is possible to put it ‘beyond use’ while still held, so rendering it out of scope. This will only apply if there is no intention to access or use it again, and it would require disproportionate effort to retrieve. However, such records could still need to be retrieved if subject to a court order.

Records of disposal

6.22. For potentially significant information a record should be kept of what has been disposed of, why it was disposed of and who authorised it (i.e. the Information Asset Owner), covering both destruction and transfer to archive. This will ensure there is a transparent audit trail, detailing evidence of records that have been destroyed in line with the University’s stated procedures.

6.23. A Records Disposal Form must be completed and retained by the relevant IAO when records are disposed of. Completed forms will be retained for a minimum period of 10 years for evidential purposes, and more for higher-value assets. Forms will be sent to IAOs from the IC Team during the Records of Processing Activity (RoPA) assessment process (staff access only).

Back to top

7. Off-site storage and scanning

7.1. A storage service (staff access only) is available. When storage space for hard-copy records is an issue, the University uses a contracted off-site storage provider. Physical records that are to be stored off-site must first be indexed and assured by contacting Records Management. File items should have:

  1. Meaningful titles so they can be retrieved and decisions made on their retention requirements.

  2. A disposal date.

7.2. A scanning service (staff access only) is also available which can assist to make records more accessible digitally and reduce physical off-/on-site storage. If it is unclear whether physical copies need to be retained, Records Management should be contacted for advice.

Back to top

8. Security and access

8.1. Appropriate levels of security must be in place to prevent the unauthorised or unlawful use and disclosure of information. All records in any format must be held in accordance with the University’s Information security policy and data protection guidance. Records must be stored in a safe and secure physical and digital environment taking account of the need to preserve important information in a useable format enabling access commensurate with frequency of use.

8.2. The University’s Information Classification Scheme states five categories of confidentiality which should be used to classify information and records held by the University. It will assist with determining appropriate practice regarding storage, access, handling and disposal of records.

Back to top

9. Business continuity

9.1. Business Continuity supports the University in its responses to major incidents. Records that would be vital to the continued functioning of the University in the event of a disaster must be identified and protected. These include records that would recreate the University’s legal and financial status, preserve its rights, and ensure that it continues to fulfil its obligations to its stakeholders.

9.2. All critical business data must be protected by appropriate preservation, backup and disaster recovery policies These must be captured in the Information Asset Register (staff access only) and updated annually. 

Back to top

Request this policy in an alternative format

If you need this policy in a different format, email uob-policymanager@bristol.ac.uk. In your message, include the format you need, for example: plain text, braille, BSL, large print or audio.

Back to top