Information management and governance policy

1. Background

This policy defines the way WRA records and information should be managed to standards which ensure that vital and important records are identified, that the WRA holds records that are necessary, sufficient, timely, reliable and consistent with operational need, and that legal and regulatory obligations are met. It also defines the roles and responsibilities for the creation, safekeeping, access, change and disposition of information.

This policy brings together responsibilities for information, data and records as corporate assets, in all formats, throughout their life cycle from creation or receipt through to disposal (destruction or archiving).

To comply with the Public Records Act 1958 and other information management legislation, the WRA needs to know what information it possesses, how old it is and to ensure that it constitutes reliable evidence. For sensitive information, including that covered by the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and Law Enforcement Directive (LED) 2018, we must be able to allow access to those who need to see this information while preventing others from gaining access. We also need to be able to identify personal information, know who it is shared with, and dispose of information we are no longer entitled to hold.

This policy applies to all personnel carrying out work on behalf of the WRA. This includes permanent and temporary employees, secondees, consultants, suppliers, partners, contractors and subcontractors. Any relevant official as defined in s17 TCMA, must sign a confidentiality agreement as per s19 TCMA.

2. Why do we need an information management and governance policy?

The Civil Service Code requires that Welsh Government staff “keep accurate official records and handle information as openly as possible within the legal framework”. The Civil Service Code applies to all home civil servants who are members of staff of the Welsh Government and the WRA as a non-Ministerial Department of the Welsh Government. As a non-Ministerial Department of the Welsh Government this also applies to WRA staff.

Freedom of Information and Data Protection legislation put great emphasis on the WRA’s ability to make information that is not Protected Taxpayer Information (PTI) available to the public, as well as appropriate processing of PTI, personal and sensitive personal data. These legislative obligations highlight the need for an effective framework for information and records management to be in place throughout the organisation as a mechanism for managing and retrieving information on demand and ensuring the appropriate processing of personal and sensitive personal data.

The key pieces of legislation are:

• Public Records Act 1958 & 1967
• Government of Wales Act 1998 & 2006
• UK GDPR
• Data Protection Act 2018  
• Freedom of Information Act 2000 - including the Lord Chancellor's Code of Practice on the Management of Records issued under Section 46
• Environmental Information Regulations 2004 (EIR)  
• European Directive on the Re-use of Public Sector Information 2003  and the
• Protection of Freedoms Act 2012 (Part 6 Section 102)
• Constitutional Reform and Governance Act 2010 (Part 6 Sections 45 & 46)
• Copyright, Designs and Patents Act 1988
• The Re-use of Public Sector Information Regulations 2015

Managing this information to agreed standards as it is created is essential if those records are to be understood or used in the future. The availability, re-usability and life of the information or record depend on it being managed according to its context and value.

Information and records are also needed to provide an audit trail of evidence. As well as forming evidence of the transactions we undertake, many records actually define the boundaries within which these transactions must occur and dictate the way in which they are carried out. Important decisions are taken against the contents of these records as they exist at the time. It is therefore vital to be able to pinpoint exactly what the record said at any given point in time in order to verify the validity of the decisions made.

Records and information are also kept to maintain the corporate memory. It is essential that WRA officials have timely access to the organisation’s records to deliver evidence based decision making, data analysis and robust compliance activities.

The aim of the policy is to ensure that all parties are aware of their personal obligations regarding the efficient, cost effective and legally compliant creation and management of information and records. This document explains the WRA’s information management principles. 

Information and records created by all personnel remain the property of the WRA under the terms of Crown Copyright.  Re-use of Government information is outlined in the Re-use of Public Sector Information Regulations 2015. See also, the WRA’s Public Task Statement published on the WRA website.

The scope of this policy is all information and records created during the delivery of the WRA’s functions and objectives.

The ISO standard, ISO 15489-1:2016 Information and documentation - Records management defines a record as ‘information created, received, and maintained as evidence and information by an organisation or person, in pursuance of legal obligations or in the transaction of business’. It applies to the creation, capture and management of information and records regardless of structure or form, in all types of business and technological environments, over time.

This policy relates to information created and held in all formats and media including, but not limited to, the following:

• tax data, both digital and paper, and all associated activities where tax related data is created or received
• documents, presentations and spreadsheets received and stored digitally
• paper based files
• social media, wikis and blogs
• emails
• diaries
• faxes
• brochures and reports
• WRA pages on both the intranet and the external internet 
• forms
• evidence supplied by third parties and delegatees
• information created by third parties and delegatees on our behalf
• mobile tools (smartphones)
• audio and video recordings
• maps and plans
• images & photographs
• microfiche and microfilm
• websites
• text messages
• instant messaging

The Lord Chancellor’s Code of Practice on the management of records issued under section 46 of the Freedom of Information Act 2000 applies to all records irrespective of media or the type of information they contain. WRA business function areas have to ensure that these systems and the records they hold are managed in compliance with the Code. These systems must be listed in the information asset registers and meet corporate records management and security requirements (access, retention / disposal, preservation, etc.). Information Asset Owners should ensure that records held on these systems with long term business value are managed in accordance with the WRA’s Retention and Disposal Schedule

• security policy
• backup policy
• social and digital media Policy
• procurement checklist    
• SIRO risk appetite statement
• open data plan
• data breach guidance
• privacy notice

7.1 Hardware & IT equipment (laptops, iPads, iPhones)

You will be provided with WRA IT equipment. The equipment will be connected to the WRA network with access to the internet, email and SharePoint. If you require additional software for a specific purpose, please discuss this with your line manager.

You are responsible for the security and safety of the hardware and any information created and stored on these systems

7.2 Approved corporate information management systems & software

The following systems are approved for the storage of corporate records and information. They may be used to store OFFICIAL and OFFICIAL-SENSITIVE information. SECRET and TOP SECRET information should be stored in accordance with the Information Security Policy.

Exceptionally, there may be justification for holding records on a network drive location.

The WRA uses SharePoint with third party software additions Records365 and Repstor. This combination of products provides the ERDMS platform and is TNA compliant.

The Tax Management System holds tax returns and Microsoft Dynamics 365 is the ERP system for both tax and corporate finances. It also provides the WRA’s HR system. There are also some datasets received for analysis purposes from external sources that are stored in the WRA Cloud infrastructure.

SharePoint is certified to hold records with an OFFICIAL marking. The WRA does not hold any material with SECRET or TOP SECRET security markings at present, and information which falls into these categories would have to be retained on a physical file for secure storage until its disposal. 

7.3 Cloud storage

The WRA is a ‘digital first’ organisation, using a secure Cloud infrastructure provided through Microsoft Azure. The infrastructure is hosted in the UK and certified to OFFICIAL level.

7.4 Other systems

We also hold information in a number of other systems including, but not exclusively:

• Tax Management System
• The ERP (Tax Finance System, Corporate Finance System and HR)
• Case management system

7.5 Hardcopy

The digital first nature of the WRA means the majority of the records it receives and creates will be managed and stored digitally.

The WRA does expect to receive some hardcopy information, such as paper tax returns, responses to information requests, etc., but these are minimised as far as possible by encouraging the use of digital tools and, where possible, providing resource to assist those who struggle to interact with the WRA digitally. Physical records are scanned and stored on SharePoint (unless their size makes this impractical.)

The WRA will generate and/or receive hardcopy information in relation to enquiries and investigations, some of which will contain sensitive PTI and some of which will be sensitive evidence to support investigations.

The WRA will store hardcopy records containing PTI in locked cabinets, using formal records management filing standards to identify where the records are kept and other relevant information such as their retention period.

If the WRA should ever need to store official records with SECRET or TOP SECRET security classifications, they must be stored in accordance with the HMG Security Classification Policy.

7.6 Websites, social media and YouTube

The WRA website contains public records that are of archival value. We archive the WRA website to provide continued access to key government documents through links persistence. This is important due to the significance of the internet as an enabler for the WRA to carry out its business.

We will develop a separate Social Media policy which sets out rules regarding the acceptable use of social media (such as Facebook, blogs, Twitter) within the WRA in a work context and how social media can be used to engage with the public and stakeholders on behalf of the WRA.

It is important to remember that social media content is also a public record.

7.7 Text messaging

Text messages are used for the purposes of communication between individuals. Staff should be aware that when using their WRA phones in this way they are in fact creating “public records”. Staff using private phones for WRA business may also be creating public records. The ephemeral nature of text messages heightens the need for users to be aware that they may be creating records using this application, and to properly manage and preserve record content.

There are some records management challenges associated with text messages:

• these systems are not designed with a records management functionality, such as the ability to identify, capture, and preserve messages
• the use of multiple electronic messaging systems, types of devices to communicate, and service providers adds complexity to recordkeeping
• limited search capabilities to manage access and retrieval
• difficulty in associating messages with individual accounts or case files
• identification of appropriate retention periods within large volumes of electronic messages
• capture of complete records, including metadata and any attachments, in a manner that ensures their authenticity and availability
• development and implementation of records schedules, including the ability to transfer or delete records, apply legal holds on one or several accounts, or perform other records management functions
• public expectation that all electronic messages are both permanently valuable and immediately accessible

Microsoft Teams is part of Office 365 and will be replacing Skype and Yammer. The contents of chats will be hosted by the WRA but will not be retained. Microsoft Teams must not be used to make business, finance or policy decisions.

An information asset is a body of information, defined and managed as a single unit so it can be understood, shared, protected and exploited effectively. Information assets have recognisable and manageable value, risk, content and lifecycle. [Cabinet Office definition]

A list of information assets across the WRA function areas has been compiled in order to achieve and maintain appropriate protection and identify responsibility for groups of assets. Information Asset Owners (IAOs) are responsible for understanding what information is held, what is added and what is removed, how information is moved, and who has access and why.

In any ICT enabled project, it is essential that all recordkeeping requirements around information created or held within a newly developed and/or implemented system are considered.  As well as business needs, this is to ensure that legal and other requirements are met. These will include requirements under the UK GDPR/Data Protection Act, the Freedom of Information Act and associated Code of Practice on Records Management, Public Records Act 1958, the Statute of Limitation and the Regulatory and Investigatory Powers Act, and will involve:

• access and security – to ensure that appropriate protection and permissions are set
• retention and disposal, digital continuity and archiving – to ensure that information is retained for as long as it is needed and then disposed of at the appropriate time
• audit requirements – particularly where EU funding is involved
• legal admissibility – to ensure that the information held is acceptable as evidence for audit purposes and in case of inquiry or legal proceedings. This will require compliance with BS10008.

The Head of Design Office will be informed of new/change project areas via the change request process and will advise the appropriate persons, for example, IT Security Officer, IAO, Information Manager, to ensure that the project’s information requirements are met. 

The WRA adopted the HMG Security Classification Policy for all records created since its inception.

NB - ‘Lock down’ or password protection of Word documents. No WRA documents should be locked down or password protected. It restricts the document’s ongoing accessibility and readability. Information that requires access restriction or special protection must be filed in a SharePoint file/folder in a Private group.

We have established a standardised Naming Convention for documents and files to be used when creating new records. However, this is not prescriptive and can be adapted to suit different needs, with the onus being on Function areas to agree and adopt a suitable naming convention based on these guidelines.

When a project is formally disbanded or when a piece of work has been completed and the files are ready to be closed, staff must contact the Information Manager to officially close the files on SharePoint.

For the purposes of Access to Information requests involving project documentation, responsibility for responding to individual requests rests with the owner of the document at the time of the request – i.e. project, programme office or business owner within an inheriting function as appropriate. Duplicate documents and supplementary information of no further use (in all formats) should be deleted/destroyed.

In the case of both stand-alone projects and those within programmes, the teams who will provide ongoing support or will have ongoing policy responsibility must formally accept handover of the relevant information and ensure that the procedure is documented. It is therefore vital that these documents are included as project products at the relevant stages. Prepared handover notes must include a list of all files, their title or subject matter, covering dates, location and security classification, and media format of any duplicates.

It is not appropriate to store emails which constitute an official record in Outlook folders. If emails form part of a transaction or evidence of business they must be put on record and saved in SharePoint as soon as possible. Emails will be automatically deleted from the Outlook inbox and outbox 12 months after receipt or creation.

It is the sender’s responsibility to ensure that emails containing information that must be kept on record are saved into the appropriate file on SharePoint (or equivalent recognised system).

It is the responsibility of the lead recipient of all emails from third parties to ensure that they are captured in SharePoint (or equivalent recognised system). This is to preserve context and to maintain a comprehensive audit trail.

Ensure that sensitive information is only included in encrypted emails or those sent to a secure email address.

The Cabinet Office has issued guidance to government on dealing with private email use which includes guidance relating to the Freedom of Information Act.

WRA staff must agree data sharing protocols with external organisations prior to data exchange. If data sharing contains personal data, a link to the relevant policy must be provided so that staff are aware of the process and the need to gain approval before sharing. These protocols must specify:

• Who the sharing organisations are
• Legal status of the partnership
• Information to be shared
• Management process for the information and what will happen to it once objectives have been met
• Principles for storage and access to Welsh Revenue Authority information

It is a principle of data protection legislation that the amount and level of shared personal data must be no more than what is needed for processing. This applies equally to other non-personal data. The agreed retention and disposal schedule must state whether it will be returned to the originator, archived, depersonalised or destroyed.

The WRA is legally obliged under the Government of Wales Act 2006 to share Land Transaction Tax (LTT) data with HMRC. An MOU has been developed with HMRC, an annex to which covers the data that is shared with them using a secure accredited link.

The WRA processes a high proportion of personal and special category data and has decided its data is not acceptable for storage outside the UK. If, in exceptional circumstances, you need to send data outside the UK you must obtain agreement and permission from the IT Security Officer and the Lead IAO.

WRA staff must ensure that information shared with other bodies, or held on our behalf by other bodies, is managed in accordance with this policy. and where applicable, the data protection legislation.

Contracts with third parties must include reference to information management procedures and responsibilities. The contract should stipulate how records created in the course of collaborative working or through out-sourcing will be managed, shared and protected. Responsibilities must be agreed and the protocol signed by each partner. The protocol must outline who will be responsible for:

• access to Information requests (and who has responsibility for keeping those records)
• information security, information management and data quality
• retention and disposal (requirement for records to be returned to the WRA for medium to long term retention and/or disposal)

When setting up contracts with third party suppliers, assurances must be obtained regarding the way they handle information as part of the legislative framework that applies to the WRA. A minimum requirement is that Cyber Essentials has been attained by the company where personal or OFFICIAL-SENSITIVE information is processed.  Specific requirements will be included in the accompanying Security Aspects Letter.

We contribute to the Welsh Government Open Data Plan and work in a similar way in terms of publishing data, using the OG Licence.

The Open Government Licence (OGL) is a simple set of terms and conditions that facilitates the re-use of a wide range of public sector information free of charge. The OGL is also available in Welsh.

We use the UK Government Licensing Framework (UKGLF) and Open Government Licence (OGL). The OGL does not cover the use of personal data. Re-use of personal data must comply with the Data Protection legislation.

In the event of Machinery of Government changes and/or a Transfer of Functions, the Departmental Records Officer must be informed at the earliest opportunity by the project lead to ensure the transfer of vital business records takes place without the loss of information or interruption to business continuity. The Departmental Records Officer must be involved throughout the process to ensure that correct information and records procedures are followed and legislation met. 

All decisions on the legal status, movement, disposal and destruction of information must be documented. When records are transferred, they must be accompanied by whatever has been used to identify and retrieve them - such as copies of relevant databases used to describe and track digital records. 

Transfer of information must be done formally as it is a transfer of information between two separate legal entities. This is not as straight forward as simply copying data.

Arrangements must be made via the WRA’s Head of Digital and Technology and relevant IAO to ensure the handover of computer systems and/or storage media used to create and manage current and inactive digital records of the transferred business. 

Full lists of files to be transferred (regardless of format), plus details of any outstanding FoI requests or sensitivity issues, must be documented in the official Transfer Agreement (to be drawn up by the Departmental Records Officer in collaboration with the transferring department). This Agreement must then be signed by both the transferring and receiving organisation. The transfer of information and records must be included in any legal steps required to implement the change in Machinery of Government process.

Tribunal records are the responsibility of the Tribunal and not the WRA. The Tribunal Chair and Secretary must ensure that the Tribunal record is comprehensive and well-ordered and that the relevant policies and procedures are in place.

Information (or documents) may be required as evidence for legal purposes in several contexts. They may be required to obtain legal advice on behalf of the WRA, for the purposes of “discovery” to other parties involved in litigation in which the WRA is a party, or for production in court by an agency whether or not the WRA is a party to the proceeding.

In proceedings in the Tax Tribunals the WRA will generally only be required to disclose the documents that it intends to rely on in its case. WRA may however be required to disclose more documents that are in its possession or control if it is ordered to do so by the Tribunal.

Where the WRA is involved in a Judicial review or other Court proceedings it is likely that a higher standard of disclosure will apply.

Any legal proceedings that are instigated against WRA should be referred to the Legal and Policy Office and if necessary, they will issue an instruction directing employees to preserve, and refrain from destroying or modifying, records and information (both paper and digital, including email, mobile phone messages and social media) that may be relevant to the subject matter of a pending or anticipated lawsuit or investigation. A litigation hold helps to ensure that the WRA complies with its duty to preserve information, including electronically stored information (ESI), in litigation or in connection with an investigation.

A Data Protection Impact Assessment (DPIA) should be undertaken before releasing information to ensure that sensitive personal information not relevant to the legal proceedings is redacted in compliance with UK GDPR/DPA.

21.1 Legal Discovery

If WRA is required to carry out a discovery exercise we will carry this out primarily by searching the information held on our cloud systems, including SharePoint, Dynamics365 and TMS.

21.2 Candour

As a public authority, the WRA has a “duty of candour”. This requires that we give a "true and comprehensive" account of the WRA’s decision-making processes in Judicial Review proceedings. It requires us to set out, fully and fairly, all matters that are needed for the fair determination of a particular issue. The duty extends to information or documents which will assist a claimant’s case, and those which give rise to additional grounds of challenge.

The duty of candour can be satisfied by giving a full and fair account in a witness statement, and exhibiting key documents. However, where a judicial review includes issues of fact, or requires the court to consider proportionality, more documents may need to be disclosed. 

Under the duty of disclosure in judicial review cases, “a document” includes deleted documents, so even if deleted documents are no longer retrievable, the fact they existed must be disclosed. The duty of disclosure requires a reasonable search, and requires a party to state if they have decided not to search for a category or class of documents on the grounds that it is unreasonable.

Information and records will only be retained for as long as they are needed to support the WRA’s business requirements and legal obligations. At the end of that time, the records will either be destroyed or, if they are historically valuable, transferred to a Place of Deposit for permanent preservation.

The WRA’s Retention and Disposal Schedule is the key to effective information management: it sets out the recommended periods for which particular classes of information must be retained in accordance with legal, audit and operational requirements. It provides a formalised, accountable system for the retention and disposal of information and can help to save time, money and space by ensuring that it is not kept unnecessarily.

The UK GDPR and the Data Protection Act 2018 set up additional requirements around retention of personal data. After the expiration of the applicable retention period, personal data does not necessarily have to be completely erased. It is sufficient to anonymise the data. This may, for example, be achieved by means of:

• regularly deleting information no longer required – such as staff information, CV’s, application forms
• erasing unique identifiers which allow the allocation of a data set to a unique person
• erasing single pieces of information which identify the data subject (whether alone or in combination with other pieces of information)
• separating personal data from non-identifying information (for example, an order number from the customer’s name and address)
• aggregating personal data in a way that no allocation to any individual is possible
• storing personal data in an appropriate area with the correct authorisation access controls, and retention periods
• listing sensitive personal data on the information asset register (IAR)

In line with the Public Records Act 1958, the Freedom of Information Act 2000 (Section 46), and the changes brought in by the Constitutional Reform and Governance Act (CRAGA) 2010, the WRA is required to dispose of, or transfer all public records to a place of deposit by the time they reach twenty years old so that they can be made available to the public.

Wales does not currently have its own national archive comparable to the National Archives, the National Archives of Scotland or the Public Record Office of Northern Ireland. The cost implications of establishing such an archive for Wales are prohibitive and so the National Archives remains the recognised repository for Wales as well as the UK government. The WRA is included in this by means of its agreement with the Welsh Government’s DRO.

A review is conducted of records as they reach the end of their retention review period and the relevant function heads are consulted to decide which records are of no further use and can be destroyed; which records need to be retained by the department for ongoing business use; and which records have historical value and should be transferred to the National Archives. Records marked for deletion at the end of their retention period will be deleted automatically.

The selection of records with historical value is conducted in accordance with the National Archives’ Records Collection Policy and our own Appraisal Policy (when drafted). We will liaise with a dedicated team at the National Archives to review and validate our appraisal decisions. Once agreement has been reached, we prepare the records for transfer (cataloguing, “cleansing”, sensitivity reviewing) before they are accepted by the National Archives. We will develop a Sensitivity Review Policy which outlines how such a review should be undertaken.

For records needing to be retained by departments beyond this period (for example, where they have a long-term business need, or where the information is subject to an ongoing inquiry) we must apply for permission from the Advisory Council (for a “Retention Instrument”) to avoid being in breach of the Public Records Act.

Access to digital information for both short and long term business requirements is vital. All WRA digital information is held in Microsoft Azure datacentres. Corporate information such as emails & documents are subject to WRA retention policy, in Azure simultaneous copies are held in multiple data centres to ensure business continuity. Information held on the tax management system is similarly geo-replicated, audit logs are retained for all changes to the databases. The nature of the WRA's cloud based system means that the corporate, financial and tax systems are using software versions that are always supported and kept up to date.

A document must not incorporate the intellectual property of others unless the WRA has the relevant rights i.e. Crown copyright. Staff will not enter documentation (including scanning) into an information system (such as SharePoint, shared drives) unless the WRA owns or has obtained the copyright to do so. Material specifically addressed to the WRA can be entered into an information management system.

Some social media sites, such as Facebook and Twitter, currently state in their Terms of Usage that content remains the intellectual property of the individual or entity that posts the content. This is not, however, the case for all social media sites, such as YouTube, who assert copyright over content posted on their platform.

Information kept in our Electronic Document and Records Management System (EDRMS) SharePoint, a shared drive or other bespoke system (such as the Tax Management System) can be simultaneously accessed by multiple users.  This constitutes ‘replication’ or in some cases a ‘broadcast’ under copyright legislation, leading to the possibility of an individual claiming compensation for copyright infringement for content published to a social media site being stored in an EDRMS or other system by a government organisation.

26.1 By placing a Freedom of Information (FOI) request 

Requests for WRA records/information less than twenty years old must be handled in accordance with the Freedom of Information Act 2000. At this point in time, the WRA is new enough not to have any records that fall into the TNA catalogue.

Advice on requesting information can be found under How to make a freedom of information request.

26.2 By placing a Data Subject Access Request

Please follow the guidance for placing an FOI request.

27.1 Publications catalogue

To comply with the WRA’s Publication scheme, we need to make sure that our research reports and publications are available to the public.

The WRA may undertake and commission research relevant to its functions and produce regular reports which may be published on our corporate website. To ensure that these are available and accessible over time, they should be catalogued so that members of the public can access or request them via the external online Publications Catalogue.

27.2 Legal deposit

To comply with the UK’s legal deposit legislation, a copy of every WRA print and digital publication must be given to the British Library and the National Library of Wales. 

Materials covered by legal deposit include printed books, journals, magazines and newspapers, microfilm, publications on hand-held media such as CD-ROMs, websites and material available via download

We have a mandatory training course on our intranet for all WRA staff. This e-learning module provides staff with an introduction to the key concepts of good information management. It will enable staff to identify:

• who is responsible for information management
• what a record is
• recordkeeping responsibilities
• where to go for help

All staff must undertake the mandatory e-learning course, “Responsible for Information” every 2 years.   

We will work with The National Archives which monitors compliance on a regular basis through Information Management Assessments.

People leaving the WRA’s employment are responsible for ensuring that they deal with any information and records they have been working on before departure to ensure that:  

• work can be carried on by a successor, without delay
• the WRA can be accountable for their work after they have left
• the WRA complies with the UK GDPR, Data Protection Act 2018 and Law Enforcement Directive (LED)
• the WRA can respond to Freedom of Information and Subject Access Requests accurately and within the legal response times
• the WRA does not incur unnecessary expenditure on records storage and staff time sorting out others’ records

No WRA information should be retained by the leaver.

When a relevant official (as defined by the TCMA) leaves the WRA, they remain bound by the confidentiality agreement they signed.