This policy defines the way the Welsh Revenue Authority's (WRA) records and information should be managed to standards which ensure that vital and important records are identified, that the WRA holds records that are necessary, sufficient, timely, reliable and consistent with operational need, and that legal and regulatory obligations are met. It also defines the roles and responsibilities for the creation, safekeeping, access, change and disposition of information.
The WRA will document its business activities with records that are complete, authentic, reliable, secure and accessible (where appropriate), and manage those records in accordance with all applicable legislation throughout their lifecycle.
2. Why do we need an information and records management policy?
The Civil Service Code requires that the Welsh Government keeps accurate official records and handles information as openly as possible within the legal framework. As a non-Ministerial Department of the Welsh Government this also applies to WRA staff.
Freedom of Information and Data Protection legislation put great emphasis on the WRA’s ability to make information that is not Protected Taxpayer Information (PTI) available to the public, as well as appropriate processing of PTI, personal and sensitive personal data. These legislative obligations highlight the need for an effective framework for information and records management to be in place throughout the organisation as a mechanism for managing and retrieving information on demand and ensuring the appropriate processing of personal and sensitive personal data.
The key pieces of legislation are:
- Public Records Act 1958 and 1967
- Government of Wales Act 1998 and 2006
- Data Protection Act 2018
- General Data Protection Regulation (GDPR)
- Freedom of Information Act 2000 - including the Lord Chancellor's Code of Practice on the Management of Records issued under Section 46
- Environmental Information Regulations 2004 (EIR)
- European Directive on the Re-use of Public Sector Information 2003 and the Re-use of Public Sector Information Regulations 2015
- Protection of Freedoms Act 2012 (Part 6 Section 102)
- Constitutional Reform and Governance Act 2010 (Part 6 Sections 45 & 46)
- Copyright, Designs and Patents Act 1988
- The Legal Deposit Libraries (Non-Print Works) Regulations 2013
The WRA is legally obliged to provide UK legal deposit libraries with copies of all its publications. By law, a copy of every UK print publication must be given to the British Library by its publishers, and to 5 other major libraries that request it. This system is called legal deposit and has been a part of English law since 1662. As of 6 April 2013, legal deposit also covers material published digitally and online, so that the Legal Deposit Libraries can provide a national archive of the UK's non-print published material, such as websites, blogs, e-journals and CD-ROMs.
The Legal Deposit Libraries are:
- The British Library
- The National Library of Scotland
- The National Library of Wales
- The Bodleian Libraries, Oxford
- The University Library, Cambridge
- The Library of Trinity College, Dublin.
Managing this information to agreed standards as it is created is essential if those records are to be understood or used in the future. The availability, re-usability and life of the record depend on it being managed according to its context and value.
Records are also needed to provide an audit trail of evidence. As well as forming evidence of the transactions we undertake, many records define the boundaries within which these transactions must occur and dictate the way in which they are carried out. Important decisions are taken against the contents of these records as they exist at the time. It is therefore vital to be able to pin-point exactly what the record said at any given point in time to verify the validity of the decisions made.
Records and information are also kept to maintain the corporate memory. It is vital that WRA officials have timely access to the organisation’s records to deliver evidence based decision making, data analysis and robust compliance activities.
3. What is the aim of our information and records management policy?
The aim of the policy is to ensure that all parties are aware of their personal obligations regarding the efficient, cost effective and legally compliant creation and management of information and records. This document explains the WRA’s Information and Records Management principles.
This policy applies to all personnel carrying out work on behalf of the WRA. This includes permanent and temporary staff, loans, secondees, delegatees, consultants, suppliers, partners, contractors and subcontractors. Any relevant official as defined in s17 of the Tax Collection and Management (Wales) Act 2016 (TCMA), must sign a confidentiality agreement as per s19 TCMA.
Information and records created by all personnel remain the property of the WRA under the terms of Crown Copyright. Re-use of Government information is outlined in the Re-use of Public Sector Information Regulations 2015. See also, the WRA’s public task statement.
4. What is the scope of our information and records management policy?
Records management is about managing information from the moment it is received or created, until it is destroyed or transferred to another organisation, e.g. The National Archives (TNA).
5. What constitutes Welsh Revenue Authority information and records?
Records are defined in the relevant British Standard as ‘information created, received, and maintained as evidence and information by an organisation or person, in pursuance of legal obligations or in the transaction of business’.
This policy relates to information created and held in all formats and media including, but not limited to, the following:
- tax data, both digital and paper, and all associated activities where tax related data is created or received
- documents, presentations and spreadsheets received and stored digitally
- analysis reports
- paper based files
- social media, wikis and blogs
- brochures and reports
- WRA pages on both the intranet and the external internet
- evidence supplied by third parties and delgatees
- information created by third parties and delgatees on our behalf
- mobile tools: e.g. smart phones
- audio and video recordings
- maps and plans
- microfiche and microfilm
6. What are our corporate recordkeeping systems?
6.1 SharePoint - Electronic document and records management system (EDRMS)
The WRA uses SharePoint with third party software additions RecordPoint and Repstor. This combination of products provides the ERDMS platform and is TNA compliant.
The Tax Management System holds tax returns and Microsoft Dynamics 365 is the ERP system for both tax and corporate finances. It also provides the WRA’s HR system. There are also some datasets received for analysis purposes from external sources that are stored in the WRA Cloud infrastructure.
SharePoint is certified to hold records with an OFFICIAL marking. The WRA does not hold any material with SECRET or TOP SECRET security markings at present, and information which falls into these categories would be retained on a physical file for secure storage until its disposal.
6.2 Cloud storage
The WRA is a ‘digital first’ organisation, using a secure cloud infrastructure provided through Microsoft Azure. The infrastructure is hosted in the UK and certified to OFFICIAL level.
The digital first nature of the WRA means most of the records it receives and creates will be managed and stored digitally.
The WRA does expect to receive some hardcopy information, such as paper tax returns, responses to information requests, etc., but these are minimised as far as possible by encouraging the use of digital tools and, where possible, providing resource to assist those who struggle to interact with the WRA digitally. Physical records are scanned and stored on SharePoint (unless their size makes this impractical.)
The WRA will generate and/or receive hardcopy information in relation to enquiries and investigations, some of which will contain sensitive PTI and some of which will sensitive evidence to support investigations.
The WRA will store hardcopy records containing protected taxpayer information in locked cabinets, using formal records management filing standards to identify where the records are kept and other relevant information such as their retention period.
If the WRA should ever need to store official records with SECRET or TOP SECRET security classifications, they must be stored in accordance with the HMG security classification policy.
6.4 Websites, social media and YouTube
The WRA website contains public records that are of archival value. We archive the WRA website to provide continued access to key government documents through links persistence. This is important due to the significance of the internet as an enabler for the WRA to carry out its business. The National Archives has produced an Operational Selection Policy which outlines the requirements for website archiving.
We will develop a separate Social Media policy which sets out rules regarding the acceptable use of social media (e.g. Facebook, blogs, Twitter) within the WRA in a work context and how social media can be used to engage with the public and stakeholders on behalf of the WRA.
6.5 Asset registers
A list of information assets held in the WRA has been compiled to achieve and maintain appropriate protection and identify responsibility for groups of assets. The Information Asset Owner (IAO) and Deputy IAOs are responsible for understanding what information is held, what is added and what is removed, how information is moved, and who has access and why.
6.6 Records in other systems
We also hold information in other systems including, but not exclusively:
- tax management system
- the ERP (tax finance system, corporate finance system and HR)
- case management system
The Lord Chancellor’s Code of Practice on the management of records issued under section 46 of the Freedom of Information Act 2000 applies to all records irrespective of media or the type of information they contain. WRA function areas have to ensure that these systems and the records they hold are managed in compliance with the Code. These systems must be listed in the WRA’s Information Asset Register and meet corporate records management and security requirements (access, retention/disposal, preservation etc.).
6.7 Publications catalogue
To comply with the WRA’s publication scheme, we need to make sure that our research reports and publications are available to the public.
The WRA may undertake and commission research relevant to its functions and produce regular reports which may be published on our corporate website. To ensure that these are available and accessible over time, they should be catalogued so that members of the public can access or request them via the external online publications catalogue.
7. How do we manage our email?
It is not appropriate to store emails which constitute an official record in Outlook folders. If emails form part of a transaction or evidence of business they must be put on record and saved in SharePoint as soon as possible. Emails will be automatically deleted from the Outlook inbox and outbox 1 year after receipt or creation.
It is the sender’s responsibility to ensure that emails containing information that must be kept on record are saved into the appropriate file on SharePoint (or equivalent recognised system).
It is the responsibility of the lead recipient of all emails from third parties to ensure that they are captured in SharePoint (or equivalent recognised system). This is to preserve context and to maintain a comprehensive audit trial.
The Cabinet Office has issued guidance to government on dealing with private email use which includes guidance relating to the Freedom of Information Act.
8. What are our naming conventions?
We have established a standardised naming convention for documents and files to be used when creating new records. However, this is not prescriptive and can be adapted to suit different needs, with the onus being on function areas to agree and adopt a suitable naming convention based on these guidelines.
9. How do we manage records created during collaborative working or through out-sourcing?
WRA staff must ensure that records shared with other bodies, or held on our behalf by other bodies, are managed in accordance with this policy.
Contracts with third parties and delegated functions must include reference to records management procedures and responsibilities. The contract should stipulate how records created during collaborative working or through out-sourcing will be managed, shared and protected. Responsibilities must be agreed and the protocol signed by each partner. The protocol must outline who will be responsible for:
- access to Information requests (and who has responsibility for keeping those records)
- information security, records management and data quality
- retention and disposal (requirement for records to be returned to the WRA for medium to long term retention and/or disposal)
When setting up contracts with third party suppliers, assurances must be obtained regarding the way they handle information as part of the legislative framework that applies to the WRA.
10. How do we manage data sharing?
WRA staff must agree data sharing protocols with external organisations prior to data exchange and ensure the legal gateways are in place for the sharing of data and to cover the purpose for which the data is being shared and processed. These protocols must specify:
- who the sharing organisations are
- legal status of the partnership
- information to be shared
- purpose of sharing and how the data will be processed
- confirmation that the appropriate legal basis is in place to allow the data sharing
- management process for the information and what will happen to it once objectives have been met
It is a principle of data protection that the amount and level of shared personal data must be no more than what is needed for processing. This applies equally to other non-personal data. The agreed retention and disposal schedule must state whether it will be returned to the originator, archived, depersonalised or destroyed.
The WRA is legally obliged under the Government of Wales Act 2006 to share Land Transaction Tax (LTT) data with HMRC. An Memorandum of understanding is being developed with HMRC, an annex to which covers the data that is shared with them using a secure accredited link.
11. How do we manage copyright - intellectual property of others?
A document shall not incorporate the intellectual property of others unless the WRA has the relevant rights, i.e. Crown copyright. Staff will not enter documentation (including scanning) into an information system (e.g. SharePoint, shared drives, etc.) unless the WRA owns or has obtained the copyright to do so. Material specifically addressed to the WRA can be entered into an information management system.
Some social media sites, such as Facebook and Twitter, currently state in their Terms of Usage that content remains the intellectual property of the individual or entity that posts the content. This is not, however, the case for all social media sites, such as YouTube, who assert copyright over content posted on their platform.
Records kept in an electronic records and document management system (ERDMS) such as SharePoint, a shared drive or other bespoke system can be simultaneously accessed by multiple users. This constitutes ‘replication’ or in some cases a ‘broadcast’ under copyright legislation, leading to the possibility of an individual claiming compensation for copyright infringement for content published to a social media site being stored in an ERDMS or other system by a government department.
12. How do we manage changes in machinery of government / transfer of functions?
In the event of Machinery of Government changes and/or a Transfer of Functions, the Welsh Government Departmental Records Officer (DRO) must be informed at the earliest opportunity by the project lead to ensure the transfer of vital business records takes place without the loss of information or interruption to business continuity. The DRO must be involved throughout the process to ensure that correct records procedures are followed and legislation met. The Welsh Government’s DRO has agreed to perform the DRO function for the WRA for the length of this Assembly term (until May 2021).
All decisions on the movement, disposal and destruction of records and information must be documented. When records are transferred, they must be accompanied by whatever has been used to identify and retrieve them such as copies of relevant databases used to describe and track digital records.
Arrangements must be made via the WRA’s Head of Digital and Technology and IAO to ensure the handover of computer systems and/or storage media used to create and manage current and inactive digital records of the transferred business.
Full lists of files to be transferred (regardless of format), plus details of any outstanding FoI requests or sensitivity issues, must be documented in the official transfer agreement (to be drawn up by the Departmental Records Officer in collaboration with the transferring department). This agreement must then be signed by both the transferring and receiving organisation. The transfer of records must be included in any legal steps required to implement the change in machinery of government process.
13. What measures need to be put in place when using new systems?
In any ICT enabled project, it is essential that all recordkeeping requirements around information created or held within a newly developed and/or implemented system are considered. As well as business needs, this is to ensure that legal and other requirements are met and will involve:
- access and security – to ensure that appropriate protection and permissions are set
- retention and disposal, digital continuity and archiving – to ensure that information is retained for as long as it is needed and then disposed of at the appropriate time
- audit requirements
- legal admissibility – to ensure that the information held is acceptable as evidence for audit purposes and in case of inquiry or legal proceedings. this will require compliance with bs10008.
The Head of Design Office will be informed of new/change project areas via the change request process and will advise the appropriate persons, e.g. IAO, Information Manager, to ensure that the project’s information requirements are met.
14. How do we manage file closures?
When a project is formally disbanded or when a piece of work has been completed and the files are ready to be closed, staff must contact the Information Manager to officially close the files on SharePoint.
For the purposes of Access to Information requests involving project documentation, responsibility for responding to individual requests rests with the owner of the document at the time of the request – i.e. project, programme office or business owner within an inheriting function as appropriate. Duplicate documents and supplementary information of no further use (in all formats) should be deleted / destroyed.
In the case of both stand alone projects and those within programmes, the teams who will provide on going support to the project's products or to policy responsibility must formally accept handover of the relevant information and ensure that the procedure is documented. It is therefore vital that these documents are included as project products at the relevant stages. Prepared handover notes must include a list of all files, their title or subject matter, covering dates, location and security classification, and media format of any duplicates.
15. How do we manage retention and disposal?
Information and records will only be retained for as long as they are needed to support the WRA’s business requirements and legal obligations. At the end of that time, the records will either be destroyed or, if they are historically valuable, transferred to a Place of Deposit for permanent preservation.
The WRA’s retention and disposal schedule is the key to effective records management: it sets out the recommended periods for which particular classes of records must be retained in accordance with legal, audit and operational requirements. It provides a formalised, accountable system for the retention and disposal of records and can help to save time, money and space by ensuring that information is not kept unnecessarily.
16. How do we select records for transfer to TNA or other place of deposit?
In line with the Public Records Act 1958, the Freedom of Information Act 2000 (Section 46), and the changes brought in by the Constitutional Reform and Governance Act (CRAGA) 2010, the WRA is required to dispose of or transfer all public records to a Place of Deposit by the time they reach 20 years old so that they can be made available to the public.
Wales does not currently have its own national archive comparable to the National Archives, the National Archives of Scotland or the Public Record Office of Northern Ireland. The cost implications of establishing such an archive for Wales are prohibitive and so the National Archives remains the recognised repository for Wales as well as the UK government. The WRA is included in this by means of its agreement with the Welsh Government’s DRO.
A review is conducted of all records as they reach the end of their retention period and the relevant function heads are consulted to decide which records are of no further use and can be destroyed; which records need to be retained by the department for on-going business use; and which records have historical value and should be transferred to the National Archives.
17. How can the public gain access to our records?
17.1 By placing a Freedom of Information request
Requests for WRA records/information less than 20 years old must be handled in accordance with the Freedom of Information Act 2000. At this point in time, the WRA is new enough not to have any records that fall into the TNA catalogue. Advice on requesting information can be found under How to make a freedom of information request to the Welsh Revenue Authority on the WRA external website.
17.2 By placing a Subject Access request
Please follow the guidance for placing an FoI request above.
18. What do we do with our records when leaving the Welsh Revenue Authority?
People leaving the WRA’s employment are responsible for ensuring that they deal with any records they have been working on before departure to ensure that:
- work can be carried on by a successor, without delay
- the WRA can be accountable for their work after they have left
- the WRA complies with the Data Protection Act 2018 and GDPR
- the WRA can respond to Freedom of Information and Subject Access Requests accurately and within the legal response times
- the WRA does not incur unnecessary expenditure on records storage and staff time sorting out others’ records
No WRA records should be retained by the leaver, including information held on personal devices or emails.
When a relevant official (as defined by the TCMA) leaves the WRA, they remain bound by the confidentiality agreement they signed.