Briefings & training > Training and communications strategy

Records Management Section Training and Communications Strategy

On this page:

• Purpose
• Objectives
• Overall approach
• Target audience
• Training and communications channels
• Managing data protection risks

In this section:

• Awareness raising checklist (restricted access)
• Publicity plan (restricted access)

Purpose

1. Effective training and communications are core to the work of the University’s Records Management Section. This is recognised in the high level priorities of the Records Management Section.

2. This strategy sets out the objectives underlying the Records Management Section’s use of training and communications channels, the needs of our intended audiences, and the ways we intend to reach them.

3. The Data Protection Act 1998 and the Freedom of Information (Scotland) Act 2002 affect every member of staff of the University by placing obligations upon them and by giving rights to them and to any member of the public. If the University is to fulfil its obligations under these Acts, staff must be aware of these rights and responsibilities. Likewise, records management offers business benefits for the whole University. However, these will not be achieved unless staff are aware of these benefits and what they must do to realise them.

4. Since HM Revenue and Customs lost two CDs containing details of 25 million Child Benefit recipients in November 2007, data protection has become an increasingly high profile issue. The Information Commissioner has taken more enforcement action since 2006 than he had in the previous 22 years of his Office’s existence. In May 2008, the Criminal Justice and Immigration Act gave the Information Commissioner the power to fine organisations that breach the Data Protection Act. From 6 April 2010 the Commissioner will have the power to fine the University up to £500,000 for a serious breach of the data protection principles. In view of the Commissioner’s increased powers, this strategy has been reviewed to reflect the higher priority assigned to data protection issues.

Objectives

5. The objectives of the training and communications strategy are:

1. To ensure that staff are aware of the University’s obligations under the Data Protection Act 1998 and the Freedom of Information (Scotland) Act 2002, and take appropriate measures to meet those obligations.
2. To embed good data handling practice in relation to the University’s use of personal data
3. To support the cultural change necessary for the successful implementation of information legislation.
4. To ensure that staff know what to do to manage their records efficiently and effectively.
5. To leverage the expert resource provided by the Records Management Section so that it covers the whole University.
6. To ensure that the appropriate level of records management, data protection or freedom of information knowledge is available to business units (such as colleges, schools or sections) so that queries can be dealt with as close to the source as possible.

Overall approach

Guidance

6. Data protection, freedom of information and records management affect every part of the University’s operations. Therefore, every member of the University’s staff needs to be able to access advice and guidance easily.

7. To ensure that advice and guidance is directly relevant to individual members of staff, short pieces of customised guidance on particular topics should continue to be developed. This guidance should be integrated into existing frameworks for the topic concerned. For example, guidance on data protection, freedom of information and procurement should be available as part of the University’s procurement procedures and policies. This will help to ensure that data protection and freedom of information are seen as part of the day-to-day operations of the University rather than as add-ons or optional extras.

Structures

8. The University of Edinburgh operates a devolved structure. It would be inappropriate and impractical to impose a centralised records management system across the University. The Records Management Section provides university-wide standards, guidance, co-ordination and support, but it is the responsibility of individual business units (such as schools or sections) to develop and maintain systems and procedures for their areas.

9. There is a two-tier communications structure, covering the strategic and the operational levels.

10. At the strategic level, the University has a group of senior level ‘promoters’, able to engage with the implications of data protection and freedom of information for the University and to take measures to support the necessary cultural change.
    • Promoter's role description

11. The promoters meet twice a year to receive updates on progress, discuss issues of common concern and to highlight areas where support from the Records Management Section is most needed.

12. At an operational level, the University has a network of ‘practitioners’ responsible for day-to-day data protection, freedom of information and records management issues in their business area.
    • Practitioner's role description

13. Practitioners are a vital channel for ensuring that knowledge and awareness of these issues permeates the entire University.

Target audience

14. The work of the Records Management Section affects all staff in the University to some extent, and there is also a need to communicate externally with suppliers, students, members of the public, fellow information professionals and those who may purchase our consultancy services. The latter group is not, however, a current priority whilst we concentrate on data protection risks. Each of these groups can be segmented in a number of different ways, and it is probable that one person will appear in more than one segment.

15. In many cases this contact may not be directly with the Records Management Section, but via forms, publications and other University staff using University guidance and policies.

16. Table one identifies the main segments with which the Records Management Section needs to communicate, and identifies the main information that need to be communicated to these groups.

Training and communications channels

17. The University has an extensive range of pre-existing training and communications channels. In line with the integrative approach outlined above, only when it is strictly necessary will new methods of communication be adopted; for the most part the message will be communicated through existing channels. These channels include: University website, University induction and training programmes, University newsletters and myEd.

18. In most cases the Records Management Section will undertake general awareness raising activities described in the awareness raising checklist. However, in some instances a more specific approach is required and this is covered by the specific publicity plans in annex A.
    • Awareness raising checklist (restricted access)
    • Publicity plan (restricted access)

University website

19. The Records Management Section website covers data protection, freedom of information and records management issues. Content is regularly reviewed, updated and supplemented. The web address can be reached within 3 clicks from the University’s home page.

20. The website has over 700 individual web pages and over 800 further linked files. It has an extensive user base receiving, on average over 10,000 page requests per month from University of Edinburgh computers. In addition, we regularly receive requests from external users to re-use our content.

University induction and training programmes

21. Staff can only consult these web resources if they know they exist and are aware of the need to use them. For this, we take a proactive approach to training and communications.

22. The University has a well-developed programme of induction and other training programmes, and the Records Management Section makes use of these programmes.

23. On the one-day induction training course, there is a 30-minute slot for data protection, freedom of information and records management. We regularly review and update the content of the session in response to the feedback we receive and as a result, new staff consistently rate the slot as useful to them in their new role.

24. However, approximately only 33% of new staff attend an induction training session. All new staff with computer access are sent a CD, Information for New Employees, and the Records Management Section provides information for inclusion on this CD to reach those staff who do not attend induction training.

25. Approximately 2300 University staff do not have a computer. These are mainly manual, domestic and catering staff, but do include some research staff. Therefore, all new staff also receive the Records Management Section’s leaflet Information Management Matters, which provides an introduction to data protection, freedom of information, records management, and where to obtain further advice and guidance.

26. As well as introducing new staff to this area, the University must also train existing staff. The Records Management Section offers a range of presentations, briefings and training courses designed to meet the needs of different types of staff. These include:

• Senior management briefings, e.g. as a meeting agenda item (10-20 minutes)
• One hour presentation and discussion, drawn from a general presentation on key issues but tailored to the particular needs of the group
• Half-day training sessions designed to meet the needs of a particular business area, including interactive group exercises
• Detailed training for practitioners, or those involved in a specific project. For example all new practitioners receive detailed request handling training as part of their practitioner induction. We provide other training courses when requested, e.g. introductory data protection training, and training on the implications of data protection and freedom of information for committee servicing.

University newsletters

27. University newsletters are used to raise and maintain awareness of the issues. Short articles are prepared on current topics, such as the article on encryption in response to the Information Commissioner’s enforcement action requiring Marks & Spencer to encrypt all laptops and mobile computing devices, or to coincide with the issue of particular pieces of guidance, for example, the model contract clauses for transferring personal data to third parties.

28. Newsletters include the quarterly hard-copy Bulletin magazine, the on-line staff bulletin, Human Resources’ on-line Staff News, and Information Services’ on-line news.
    • Staff Bulletin
    • Staff News
    • IS News

MyEd

29. The Records Management Section has the facility to make announcements via the announcements channel in the University’s staff portal ‘MyEd’. Staff are encouraged to check MyEd on a regular basis and this is the most secure source for staff news and announcements.

Other channels

30. Each month the Records Management Section publishes a newsletter for practitioners drawing to their attention two items of news and any actions they should take.
    • Practitioner's newsletters

Items raise awareness of:

• New guidance and procedures, e.g. the newly revised student records retention schedule
• Relevant University policies and procedures in light of items in the media, e.g. following the HMRC data loss the practitioners’ newsletter reminded practitioners of the University’s guidance on the storage and usage of electronic personal data
• New requirements, e.g. for implementing the new publication scheme

31. All emails to internal audiences sent by Records Management Section staff include an awareness-raising message in the signature. Past signatures have raised awareness of freedom of information requirements and information management.

32. The Records Management Section distributes posters, via the practitioners’ network, to be displayed on staff notice boards in all areas of the University to raise awareness of the key information legislation messages.

33. To meet the requirements of the Data Protection Act, whenever personal data is collected, the data subject must be told what the data will be used for, and to whom it will be disclosed. This means that most University forms contain data protection information.

Managing data protection risks

34. The University must take measures to improve the security of the personal data it uses. To help the University to do so the Information Technology Committee (ITC) has approved a policy on the storage, transmission and use of personal data and sensitive business information out with the University computing environment.
    • Policy on the storage, transmission and use of personal data and sensitive business information out with the University computing environment.

35. The data security policy message will be targeted at areas that hold sensitive data, for example schools holding students’ marks and researchers holding sensitive personal data, such as medical researchers and clinicians, and to areas holding personal information about more than 1,000 people, for example Registry, HR and Finance.

36. The University must ensure that it does not use data processors unless the appropriate contract clauses are in place to protect the data and the University from liability. The Records Management Section will promote the use of the required clauses, published on the Section’s website, through liaison with the Procurement Office to incorporate the requirements into the University’s standard terms and conditions and by reviewing existing significant contracts to ensure the requirements are included.

37. The University must not retain data longer than necessary, doing so increases security risks and is itself a breach of the data protection principles. The Records Management Section will promote the use of existing retention schedules published on the Section’s website, and continue the development of additional retention advice.

38. University staff must not share personal data inappropriately. The Records Management Section will promote the policy on the disclosure of information about students, and finalise the policy on the disclosure of information about staff. Both policy messages will be promoted to targeted audiences so that local operating procedures include clear instructions as to what disclosures are permitted and what requires higher authorisation. The messages will be targeted at those who use student data, such as Registry, school office and teaching staff, and those who use staff data, such as managers, payroll, finance and HR staff.

39. All relevant University staff must be reminded of the need to dispose of data in line with University procedures for the disposal of paper, PCs, tapes etc. The Records Management Section will promote the use of the disposing of records guidance.

40. There is a growing trend in the wider world which expects employees to provide their own IT equipment for work use.  In this context it is important that the Records Management Section makes strategy setters and senior managers aware of the risks of staff using personal IT equipment such as laptops and smart phones to process University data, so that appropriate policies and procedures can be developed.

41. Annex A and tables 2-3 identify the detailed publicity activities the Records Management Section plans to take in the next twelve months.

Page last updated: Wednesday December 14 2011