The University of Edinburgh Records Management Section

IT Systems Checklist

Audience

This document is intended for those involved in the feasibility and design stages of developing an in-house IT system, staff drawing up a statement of requirements for a bought-in system, business owners of existing IT systems, and freedom of information practitioners charged with introducing and maintaining records management systems and procedures in their section. The guidance is not intended for those who only use centrally provided systems, unless their section is the business owner of the system.

Purpose

Practitioners can use this document to ensure that their business area fully manages the data it holds in IT systems. It can also be used for proposed IT systems to ensure that records management requirements are incorporated from the outset. Compliance with the requirements set out in this document will also ensure that IT systems owned by their section meet the requirements of the Data Protection Act 1998 and the Freedom of Information (Scotland) Act 2002.

Scope

This guidance applies to all information held in IT systems. Examples of IT systems include the HR recruitment system, a research database, or a local database holding staff information.

IT systems and records management checklist

The checklist is available in both PDF and RTF format.

How should I use this checklist?

A copy of this checklist should be completed for each IT system your section currently ‘owns’ or is planning to introduce.

If your section is developing a new IT system, you should use this checklist to decide what measures are required for good records management and data protection compliance. It should be completed as part of the system design process and kept for future reference as part of the design documentation.

If your section is the business owner of an existing IT system, you can use this guidance to propose future amendments to the system.

Why do I need to manage the data we hold in IT systems?

Following this guidance helps you to make sure that the data you need remains accessible, while also ensuring that you no longer maintain the data you don’t need. It also helps ensure that you meet the requirements of data protection and freedom of information legislation.

IT systems often focus on the immediate business need and overlook the need to manage the data in the medium to long term. For example, it is common for IT systems to omit any functionality to delete data. In the short term this has no impact on the operation of the system, but in the medium to long term it causes difficulties in retrieving the data that is still needed and in complying with the Data Protection Act, which requires that personal data be held for no longer than necessary. It is more expensive, difficult and time-consuming to add records management functions to a system that is already in place than to build them in from the start.
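The deletion gap described above, shown as an added example that is not taken from the University's guidance or from any University system: a minimal records table in which a retention schedule, a hold flag (for a pending request or dispute) and a disposal log are designed in from the start, rather than bolted on later. The table layout, the record categories, the retention periods and the sample records are assumptions made for illustration; real periods come from the section's retention schedule.

```python
"""Added illustration of retention-aware design: records carry a closure date and a
hold flag, the retention period is looked up per category, expired records are
deleted, and only non-personal metadata about the disposal is kept for audit.
Schema, categories, periods and sample data are hypothetical."""
import sqlite3
from datetime import date

# Assumed retention schedule: category -> years to keep after the record is closed.
RETENTION_YEARS = {
    "recruitment_unsuccessful": 1,
    "staff_file": 6,
}

SCHEMA = """
CREATE TABLE records (
    id         INTEGER PRIMARY KEY,
    category   TEXT NOT NULL,
    subject    TEXT NOT NULL,   -- the individual the record is about (personal data)
    closed_on  TEXT,            -- ISO date the record left active use; NULL = still active
    legal_hold INTEGER NOT NULL DEFAULT 0  -- 1 while a request or dispute is pending
);
CREATE TABLE disposal_log (
    record_id   INTEGER NOT NULL,
    category    TEXT NOT NULL,
    disposed_on TEXT NOT NULL,
    reason      TEXT NOT NULL
);
"""


def open_db():
    """Create an in-memory database using the assumed schema above."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def add_record(conn, category, subject, closed_on=None, legal_hold=0):
    cur = conn.execute(
        "INSERT INTO records (category, subject, closed_on, legal_hold) VALUES (?, ?, ?, ?)",
        (category, subject, closed_on.isoformat() if closed_on else None, legal_hold),
    )
    return cur.lastrowid


def add_years(d, years):
    """Add whole years to a date, folding 29 February onto 28 February when needed."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def due_for_disposal(conn, today):
    """Ids of closed records whose retention period has expired and that are not on hold.
    Records in a category with no scheduled period are never selected automatically."""
    due = []
    rows = conn.execute(
        "SELECT id, category, closed_on FROM records "
        "WHERE closed_on IS NOT NULL AND legal_hold = 0 ORDER BY id"
    ).fetchall()
    for rid, category, closed_on in rows:
        years = RETENTION_YEARS.get(category)
        if years is None:
            continue
        if add_years(date.fromisoformat(closed_on), years) <= today:
            due.append(rid)
    return due


def dispose_expired(conn, today):
    """Delete expired records and log each disposal. The log holds only the record id,
    category and date, so the audit trail does not itself retain personal data."""
    ids = due_for_disposal(conn, today)
    for rid in ids:
        (category,) = conn.execute("SELECT category FROM records WHERE id = ?", (rid,)).fetchone()
        conn.execute(
            "INSERT INTO disposal_log (record_id, category, disposed_on, reason) VALUES (?, ?, ?, ?)",
            (rid, category, today.isoformat(), "retention period expired"),
        )
        conn.execute("DELETE FROM records WHERE id = ?", (rid,))
    conn.commit()
    return ids


def demo():
    """Constructed sample records; returns (disposed ids, remaining ids, log rows)."""
    conn = open_db()
    add_record(conn, "recruitment_unsuccessful", "A. Applicant", date(2010, 6, 30))  # expired
    add_record(conn, "recruitment_unsuccessful", "B. Applicant", date(2011, 9, 1))   # within period
    add_record(conn, "staff_file", "C. Leaver", date(2004, 3, 31), legal_hold=1)     # expired, on hold
    add_record(conn, "staff_file", "D. Current", None)                               # still active
    add_record(conn, "staff_file", "E. Leaver", date(2003, 1, 15))                   # expired
    disposed = dispose_expired(conn, date(2011, 11, 21))
    remaining = [r[0] for r in conn.execute("SELECT id FROM records ORDER BY id")]
    log = conn.execute(
        "SELECT record_id, category, disposed_on FROM disposal_log ORDER BY record_id"
    ).fetchall()
    return disposed, remaining, log


if __name__ == "__main__":
    print(demo())
```

Two design choices matter here. A record with no scheduled retention period is deliberately never deleted automatically; it should be reported to the business owner instead, because silent deletion of unscheduled data is as much a compliance failure as indefinite retention. And the disposal log records what category of record was destroyed and when, but not who it concerned, so the evidence of good practice does not quietly become another store of personal data.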

Why does data protection and freedom of information legislation affect IT systems?

The Data Protection Act 1998 and the Freedom of Information (Scotland) Act 2002 affect the way that the University manages and allows access to the information it holds, including data in IT systems.

The Data Protection Act sets out how the University can handle personal data and gives an individual the right to access information held about them. The definition of personal data is highly complex, and for day-to-day purposes it is best to assume that all information about a living, identifiable individual is personal data. The Freedom of Information (Scotland) Act gives people the right to access any other recorded information that the University holds. Responding to these requests can be time-consuming, so it is in our interests to hold only the information we need, which reduces the effort involved in responding to them.

The Data Protection Act contains a set of core principles that set out how we should manage personal data. The most relevant of these principles for IT systems state that:

  • Information should be processed fairly and lawfully
  • The information held and made available should be adequate and relevant, but not excessive, for the purpose
  • Information should be accurate and up-to-date
  • Information should be held for no longer than necessary
  • Appropriate measures should be taken to protect information from unauthorised access, amendment, deletion or loss.

In addition, an individual has the right, under certain circumstances, to ask us to stop processing information about them.

The Freedom of Information (Scotland) Act includes provision for a statutory code of practice on records management which sets out how we should manage our information. The code includes procedures to destroy information when it is no longer required for business or research purposes. Although compliance with this code is not mandatory, failure to comply will be interpreted by the Scottish Information Commissioner as indicative of a probable failure to comply with other aspects of the Act.

Why do I need to be aware of the data protection and freedom of information implications for IT systems?

A failure to comply with these pieces of legislation can lead to the University being fined up to £500,000 or sued. It could also expose the University, its staff, students, research subjects and other members of the public to risks including fraud, identity theft and distress. A breach of either Act could also cause significant reputational damage to the University, affecting a range of its interests, activities and relationships.

What help is available?

The University Records Management Section provides advice, guidance and training on freedom of information, data protection and records management issues. If you require any assistance or would like clarification on any issues mentioned in this guidance, contact us at recordsmanagement@ed.ac.uk. For advice on IT issues, please contact your local IT support service.

Author: Susan Graham
Version: 7



Page last updated: Monday November 21 2011