Records Management Policy

Effective date: 10 December 2025

Last reviewed/updated: 10 December 2025

Next review date: Michaelmas Term 2028

Policy owner: Alice Millea, College Archivist & Records Manager

Approved by: Governing Body on 22 October 2025, updates approved by MET on 10 December 2025

1. Purpose

• Objective:

The purpose of this policy is to provide a framework for records management at St Antony’s College in order to support good governance, efficiency, knowledge management and compliance with its legal, regulatory and ethical obligations. The policy outlines the College’s approach to good recordkeeping and defines responsibilities for the control of records and information within the College.

• Scope:

The policy applies to all records created, received and maintained by College staff and fellows in the course of carrying out their duties, and to the information and data therein. The records may be in any format or medium, including digital (both born-digital and digitised). The policy also applies to records held on behalf of the College and within systems under the management of the College (which may be hosted by third parties and retained outside of the College’s physical estate).

The policy applies to all College departments, centres and programmes which are administered by the College. The policy applies to all College employees, including temporary and casual employees, to contractors and volunteers, and to other stakeholders who may have access to, or interact with College records or information. The policy also applies to College clubs and societies, including the GCR.

The policy does not apply to the College’s archives. Archives are those records which have been identified as being of sufficient historical significance and enduring value to be worthy of permanent preservation.  They are governed by the Archives Collection Management Policy (see 6.  Related Documents).

2. Definitions

• a record is defined as ‘information created, received, and maintained as evidence and as an asset by an organisation or person, in pursuance of legal obligations or in the transaction of business’ (ISO 15489-1:2016).

• vital records are defined as those records identified by the College as being essential for it to continue to operate in the event of a major disaster.

• Records can contain both information and data. Information is defined as processed, organized, and structured data that provides context and meaning. Data is defined as raw, unorganised facts that need to be processed in order to become meaningful. All records are information, but not all information is considered a record.

• Records management is defined as ‘the field of management responsible for the efficient and systematic control of the creation, receipt, maintenance, use and disposition of records, including the processes for capturing and maintaining evidence of and information about business activities and transactions in the form of records’ (ISO 15489-1:2016).

• centre (for the purposes of this policy) refers to those centres administered by the College, currently the Asian Studies Centre, the European Studies Centre, the Middle East Centre, and the Russian and Eurasian Studies Centre.

3. Policy statement

3.1 Overview

In order for the College to operate efficiently and be able to sustain growth despite organisational change and staff turnover, it is essential that it has effective control over the records that it creates and uses. The College’s records must meet the needs of the College and its stakeholders.

A proactive, consistent and comprehensive approach to records management is required for the College to be able to cope with current and future demands, support its functions and activities, and assist in supporting the delivery of its purpose, vision and mission.

Good records management supports and enables the following:

• The College’s records will provide accurate and trustworthy evidence and information about its decisions, policies, compliance, transactions and rights and obligations.
• The College’s governance and decision-making will be informed, accountable and transparent.
• The College will work more efficiently as records and information will be more easily identified and quickly retrievable.
• The College’s property, rights, interests and assets will be better protected and defended.
• Records can be fully and lawfully exploited as a corporate resource for the College. Lost records cost the College time and money.
• Storage space, both physical and digital, will be freed up, contributing to the College’s sustainability agenda.
• The College will be better prepared for business continuity and managing business risk.
• Records with continuing historical value will be retained and preserved, protecting the College’s corporate memory and collective identity.
• The College will retain those records required by law and will be able to meet its obligations under the Data Protection Act and the UK General Data Protection Regulations (GDPR), and as a designated public authority under the Freedom of Information Act 2000.

3.2 Recordkeeping principles

The records created and maintained by the College in its recordkeeping systems should possess the following characteristics:

• Authenticity – a record is authentic if it can be proven to be what it claims to be; created or sent by the person purported to have created or sent it; and created and sent at the time purported.
• Reliability – the content of a record should be trusted as a full and accurate representation of the transaction, activities, or facts attested to.
• Integrity – records should be complete and protected against unauthorised annotation, alteration or deletion. Any authorised changes should be explicitly indicated and traceable.
• Usability – a usable record is one that can be located, retrieved, presented, and interpreted within the given time period when required. It should have sufficient content, context and structure to reconstruct the business process and transactions that produced it.

The College’s recordkeeping systems should embed the above principles and be:

• Reliable – they must routinely capture all records within the scope of the business activity they cover and function as the primary source of information regarding the actions documented in the records.
• Secure – they must be securely maintained to prevent unauthorised access, alteration, damage or removal; and provide a secure environment appropriate to the sensitivity and importance of the contents. Where records are migrated across changes in technology, they must remain authentic and accurate.
• Compliant – they must meet all requirements arising from current business and stakeholder expectations and the regulatory environment in which the College operates.
• Comprehensive – they should be capable of managing all required records of the range of business activities to which they relate whilst avoiding unnecessary duplication.
• Systematic – they should be designed to automate records processes as much as is practicable through routine application of authorised policies and procedures.

3.3 Implementation and specific provisions

To ensure compliance with the principles, standards and guidance referenced in this policy, the College aims to:

• Create and maintain authentic, reliable and useable records which give an accurate and complete account of the College’s activities and transactions and which meet the College’s legal, regulatory and business requirements.
• Store records of any format (hardcopy and digital) appropriately within suitable filing systems to enable easy and timely retrieval and avoid unnecessary duplication.
• Control access to records in accordance with their level of confidentiality and importance and protect records from accidental, unauthorised or unlawful access, disclosure, alteration, copying, theft, loss or destruction.
• Retain records for the appropriate length of time and dispose of them securely and in an auditable and environmentally-responsible manner in line with College retention policies
• Safeguard personal and other data and meet its obligations under UK Data Protection legislation, the Freedom of Information Act, and other legislation.
• Comply with relevant statutory and legal obligations relating to financial and environmental concerns, health and safety and contractual agreements.
• Identify and establish systems to manage and protect its vital records in order to support business continuity and disaster planning.
• Assess records risks and report and investigate data breaches promptly and thoroughly through appropriate management channels.
• Establish systems for the management and preservation of digital records.
• Identify, protect and preserve records of historic value for the College Archive in consultation with the College Archivist & Records Manager where appropriate.
• Monitor and report on the management of records, measuring performance and assessing the overall effectiveness of the management of the College’s records.
• Incorporate records management requirements into agreements with any third-party suppliers or partner organisations and monitor compliance.
• Train College staff as appropriate to ensure they are familiar with College policies and procedures relating to recordkeeping and the management and disclosure of information.

3.4 Governance and responsibilities framework

The College will ensure direction and support for the management of records from senior management. Specific responsibilities will be as follows:

• The Management Executive Team has oversight of, andis accountable for, the policy and for assuring itself as to its effective implementation, on behalf of the College trustees.
• Senior Administrative Officers have executive responsibility for implementing records management within the College.
• The IT Office is responsible for implementing and managing the IT technical controls and ensuring that appropriate agreements are in place with third parties managing records on behalf of the College. 
• The Data Protection Officer (DPO) provides independent advice and monitoring on the College’s compliance with data protection legislation and is responsible for advising on personal data handling, monitoring policies and training. Operational responsibility for managing personal data lies with relevant departments and staff in line with the College’s Data Protection Policy.
• Heads of department and directors of College centres are responsible for ensuring that recordkeeping practices within their department or centre conform to the requirements of this policy so that all staff within their department or centre are aware of, understand and comply with the policy. They should ensure that all staff receive appropriate recordkeeping training and should review and update recordkeeping procedures as required.
• The College Archivist & Records Manager is responsible for defining records management principles and processes, and developing and implementing ancillary documentation that will support implementation of this policy, including an Information Asset Register, records retention schedules, staff training materials and guidance.
• All College staff and fellows are responsible for following this policy and for ensuring that they create accurate records that document the actions and decisions for which they are responsible, and that they maintain those records in accordance with the standards set out in this policy.

4. Compliance and Monitoring

• Compliance and monitoring: Heads of Departments and Centre directors will be expected to monitor compliance with the principles set out in this policy and with the supporting procedures to be developed in due course. The Archivist & Records Manager will work with departments and centres to assess activities and provide assistance and support.

• Consequences: Should significant non-compliance issues arise, the Archivist & Records Manager will be able to escalate as appropriate to the MET. The College regards any breach of, or non-compliance with, this policy as a serious matter which may result in disciplinary action.

5. Review and Revision

• Review Cycle: this policy will be reviewed every three years

• Revision History: Created June 2025

6. Related Documents

• Legislation, regulations and standards: This policy is underpinned by a range of legislation, statutory, regulatory or administrative codes of practice and internationally recognised standards. The most important of these are:
  • The Data Protection Act 2018 and the UK General Data Protection Regulation (UK GDPR)
  • Freedom of Information Act 2000
  • Code of Practice on the Management of Records issued under section 46 the Freedom of Information Act 2000 Code of Practice on the management of records issued under section 46 of the Freedom of Information Act 2000
  • ISO BS 15489-1: 2016 – Information and documentation — Records management Part 1: Concepts and principles
  • BS 10025:2021 – Management of records – code of practice
  • BS 10008-1:2020 Evidential weight and legal admissibility of electronically stored information.
  • Higher Education (Freedom of Speech) Act 2023
• College policies: This policy exists within a wider framework of other functions that support information management within the College. These include data protection, information security and compliance, archive management and digital preservation. There are often complementary and interdependent areas of activity between these functions:
  • Data Handling Guide for Staff and Fellows: Data Handling Guide for Staff and Fellows.pdf
  • Data Protection Policy: Data Protection Policy.pdf
  • Information Security Policy: Information Security Policy.pdf
  • Data Breach Incident and Notification Policy: Data Breach Incident and Notification Policy.pdf
  • Archive Collection Management Policy: Archive-Collection-Management-Policy2025.pdf

7. Contact Information

• Policy Owner: College Archivist & Records Manager college.archives@sant.ox.ac.uk

• Support: Further information about this policy can be obtained from the College Archivist & Records Manager.