Records management
No. of Questions:16
1.1 Records management organisation

You should assign lead responsibility for records management within the organisation at a level of seniority high enough to be able to affect change to policy, process and culture. Where resources are available, you should nominate an appropriately skilled records management lead to coordinate the management of records within the business. This may be combined with other roles within the organisation.
* Organisational arrangements to support records management, The National Archives website


1.2 Records management policy

A policy will enable you to address how records are used within your organisation in a consistent manner. This can be part of a general policy or a standalone policy statement that is supported by specific records management procedures such as storage and maintenance of records or disposal of records.

The policy should clearly set out your business's approach to records management and as a minimum should address the organisation's overall commitment, the role of records management, references to related policies and documents, staff roles and responsibilities and monitoring of compliance.

The National Archives has developed comprehensive guidance on how to create an effective records management policy.

* Records management policy, The National Archives website


1.3 Records management risk

You should carry out regular exercises to identify, assess and manage records management risks. This process simply seeks to identify what might go wrong with a process and why. Measures can then be put in place to mitigate these risks.

Where a corporate risk register is already in place, this can be used to record risks to records management functions; these might include records not being updated, not being destroyed in a timely manner or not being held securely.

* Inclusion of records management and information management in the corporate risk management framework, in Organisational arrangements to support records management, The National Archives website

* Assessing and managing risk, The National Archives website


1.4 Records management training

You should brief all staff on their responsibilities for the creation, use, maintenance and eventual destruction of records on or shortly after appointment, with regular updates to maintain levels of awareness. Awareness materials might include posters, office wide emails, intranet updates and records management content in newsletters.

Staff with specific records management responsibilities such as management of disposal schedules, monitoring of data quality or oversight of records management practice should receive appropriate training in order to allow them to carry out their role effectively.

* Outsourcing: A guide for SMEs, ICO

* Training checklist for small and medium sized organisations, ICO


1.5 Outsourcing

Many small businesses outsource some or all of their data processing requirements to hosted (including cloud based) services eg for archiving purposes, confidential waste disposal or IT network services. You should be satisfied that these 'data processors' will treat your information securely as your business will be held responsible under the DPA for what they do with the personal data.

You must choose a provider that gives sufficient guarantees about its security measures. For example, you might review copies of any security assessments and, where appropriate, visit their premises to make sure appropriate security arrangements are in place.

You must also have a written contract setting out what the provider is allowed to do with the personal data and requiring them to take the same security measures you would have to take to comply with the DPA.

* Outsourcing: A guide for SMEs, ICO

* Information security, in ICO Guide to data protection

* Cloud computing, ICO

* Model contract clauses: International transfers of personal data, ICO

* Model Contracts for the transfer of personal data to third countries, European Commission website


1.6 Monitoring and reporting

You should set out how you manage information risk.

You should develop ways of checking staff compliance to ensure policies and procedures are adhered to eg after hours desk sweeps to ensure compliance with clear desk policy, checks of disposal procedures to ensure that confidential waste is being disposed of correctly.

Performance measures might include progress against a records management action plan, archive retrieval rates measured against a service level agreement (SLA), progress on deletion of records against the requirements of a retention schedule, or data quality and accuracy. Performance against KPIs should be reported periodically to management to provide assurance on compliance.


2.1 Record creation

You should ensure procedures and guidelines for referencing, titling and indexing new records are in place to control access to those records and allow for efficient management, retrieval and disposal.

If the collection of data is in your organisation's legitimate interests, and is fair and lawful, you will most likely comply with the DPA.

Although emails are often perceived differently to other records, they still contain information which has a wider business purpose as well as personal or sensitive personal data, so you should manage them in a consistent way.

* Keeping records to meet corporate requirements, The National Archives website

* Processing personal data fairly and lawfully, in ICO Guide to data protection

* Managing digital records without an electronic record management system, The National Archives website

* Managing emails, The National Archives website


2.2 Records inventory

In order to ensure that personal data is managed effectively and securely it is necessary for you to know what information you hold and how. As such it may be necessary to carry out an 'information audit' or 'records survey' to identify records and data sets held by the organisation.

This process will help in determining which business functions create certain records, which records are vital to the functioning of the business, where they are kept, how long they are kept for and who needs to use them now and in the future.

Once this information is gathered it may allow for the development of retention and disposal schedules, improved security practices, and the development of disaster recovery processes.

* Undertaking a record survey, JISC

* Find out what information you have, The National Archives website


2.3 Information standards

The DPA requires that personal data is accurate and up to date. What is considered to fall under these categories will change over time and as an organisation's business needs change. You should have processes in place to ensure that personal data which is inaccurate or is out of date is removed from records on a regular basis.

You should have a process in place to ensure that you take reasonable steps to ensure the accuracy of personal data collected and to deal with challenges to the accuracy of personal data from individuals about whom information is recorded over time. This should allow for the personal data to be amended, removed or clarified where appropriate.

The DPA says that personal data should be adequate, relevant and not excessive. If you do not make decisions regarding what personal data you should hold for your business purposes then you are at risk of collecting excessive data and infringing the privacy of an individual, or you may hold too little to facilitate effective decision making about those individuals. Again what is adequate, relevant and not excessive will change with business need.

* The amount of personal data you may hold, in ICO Guide to data protection

* Keeping personal data accurate and up to date, in ICO Guide to data protection

* Retaining personal data, in ICO Guide to data protection


3.1 Tracking and offsite storage of paper records

In many circumstances employees will be required to take paper records offsite in order to work remotely, eg to visit service users or to attend court hearings. Equally you may wish to store archived records offsite due to limitations on space within your offices. When doing so, you should have appropriate procedures in place to ensure that your business knows what records are offsite and who is holding them so you can recover them if necessary or destroy them when they reach the end of their retention period.

When transferring data offsite, you should minimise it, use an appropriate form of transport, eg secure courier for sensitive personal data, log the transfer in and out where appropriate, and put checks in place to ensure that the data is received. Security measures which you could use include lockable containers, tamper evident packaging, and removal from public view and accessibility.

* Tracking records, The National Archives website


3.2 Offsite transfer of electronic records

Personal data may be transferred offsite using electronic means such as email or removable media eg USB sticks or DVDs. CDs, DVDs, USB drives, smartphones and tablet devices in particular are highly vulnerable to theft or loss.

When transferring data offsite, you should minimise it, use an appropriate form of transport, eg secure courier for sensitive personal data, log the transfer in and out where appropriate, and check that the data has been received. Security measures which you could use include tamper evident packaging and storage on encrypted devices.

Where there is a business need to transfer personal data via email or removable media, personal data should be minimised and encrypted. You could use other secure methods such as Secure Transfer Protocols (STP).

* The amount of personal data you may hold, Get Safe Online website

* Exporting and transferring electronic data, The National Archives website


4.1 Secure storage of records

You should use lockable offices, cabinets and drawers to store records, with higher levels of security for records containing sensitive personal data. You should store keys securely and lock records away when staff are absent for extended periods, eg overnight. Where screens are left unattended they should be locked to avoid unauthorised access, theft, destruction or alteration of the data displayed with no clear audit trail.

Environmental controls might include waterproofing and drainage to protect against flood risk, fire protection such as use of fire resistant or fire proof materials, fire control systems and heating to protect against damp.

* Key definitions, in ICO Guide to data protection

* Information security, in ICO Guide to data protection

* 5 benefits to having a clean desk policy, Privacysense website

* Toolkit for managing paper records, Information and Risk Management Society website

* Protecting archives and manuscripts against disasters, The National Archives website

* Cloud computing, ICO


4.2 Access to paper records

In order to reduce the risk of unauthorised access you should consider who needs access to what personal data in order to fulfil their function. For example, it is likely that only specific members of staff would need access to HR records. In such instances, you should limit access by means of keys, swipe cards, pin codes or other security measures.


4.3 Access to electronic records

Access to systems holding personal data should be authorised by management, and user permissions restricted to the absolute minimum (known as 'least privilege'). Each user should be assigned their own username and password to ensure accountability.

You should review access permissions periodically to ensure the privileges granted continue to be based on business need and have been correctly authorised. The frequency of review will depend on the level of privilege granted to the user.

A 'brute force' password attack is a common threat so you need to enforce strong passwords, regular password changes, and limit the number of failed login attempts. You should also monitor user activity to detect any anomalous use. Passwords should not be shared unless there is a justified business need and authorisation.

Passwords should be promptly disabled when a user changes duties or leaves the organisation.
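As an added illustration of the failed-attempt limit and the monitoring of anomalous use described above (example code written for this page, not code from the ICO or from this site; the syslog-like line format, the sample accounts and addresses, and the threshold of five failures within ten minutes are all assumptions):

```python
"""Flag accounts that exceed a failed-login limit, and logins that succeed
while an account is in that state, over a constructed sample log."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (assumed syslog-like shape; not from the page).
SAMPLE_LOG = """\
2019-05-01T08:00:01 sshd: Failed password for alice from 203.0.113.5
2019-05-01T08:00:03 sshd: Failed password for alice from 203.0.113.5
2019-05-01T08:00:05 sshd: Failed password for alice from 203.0.113.5
2019-05-01T08:00:07 sshd: Failed password for alice from 203.0.113.5
2019-05-01T08:00:09 sshd: Failed password for alice from 203.0.113.5
2019-05-01T08:00:11 sshd: Accepted password for alice from 203.0.113.5
2019-05-01T08:05:00 sshd: Failed password for bob from 198.51.100.7
2019-05-01T08:30:00 sshd: Failed password for bob from 198.51.100.7
2019-05-01T09:00:00 sshd: Accepted password for bob from 198.51.100.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd: (?P<outcome>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<ip>\S+)$"
)


def parse(log_text):
    """Yield (timestamp, outcome, user, ip); lines that do not match are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield (datetime.fromisoformat(m["ts"]), m["outcome"], m["user"], m["ip"])


def analyse(log_text, max_failures=5, window=timedelta(minutes=10)):
    """Return the accounts that hit the failed-attempt limit inside the window,
    and any login that succeeded for such an account afterwards. A success
    after the limit is the anomaly to review: either the lockout is not being
    enforced, or a guessed password finally worked. (Assumed policy: once
    locked, an account stays locked for the run; a real system would expire it.)"""
    recent = defaultdict(deque)  # user -> timestamps of failures still in the window
    locked = set()
    anomalous = []
    for ts, outcome, user, ip in sorted(parse(log_text)):
        q = recent[user]
        while q and ts - q[0] > window:  # drop failures that fell out of the window
            q.popleft()
        if outcome == "Failed":
            q.append(ts)
            if len(q) >= max_failures:
                locked.add(user)
        elif user in locked:
            anomalous.append((user, ip, ts.isoformat()))
    return {"locked": locked, "anomalous": anomalous}


if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```

Bob's two failures are 25 minutes apart, so they never accumulate within the window and his later login is treated as normal.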

* Information access management, Get Safe Online

* User access control, in Cyber Essentials Scheme, GOV.UK website

* Managing user privileges, in 10 steps to cyber security, National Cyber Security Centre website

* Password storage, in Protecting personal data in online services, ICO


4.4 Business continuity

Every organisation will hold data which it cannot function without. You should assess the data held and its criticality to business functions and put plans in place to prepare for serious disruption.

You should take regular backups so that you can restore personal data stored electronically in the event of disaster or hardware failure. The extent and frequency of backups should reflect the sensitivity and confidentiality of the personal data, and its criticality to the continued operation of the business. Ideally you should store backups offsite.

* Business continuity management toolkit, GOV.UK website

* Backups, Get Safe Online website


4.5 Disposal of data

Once you have completed a records survey, you can assign retention periods to records and data sets. Records can then be destroyed once they reach the end of this retention period. You can destroy paper records in a variety of ways including cross cut shredding or incineration. The method of destruction should match the sensitivity of the personal data being destroyed, and you should carry out checks to ensure that staff are complying with the procedures. Electronic records should also be deleted from systems; where this is not technically possible, they should be 'put beyond use'. The ICO has published more detailed guidance on deleting personal data.

Where everyday confidential waste is awaiting disposal it should be stored securely, for example in lockable confidential waste bins. Larger storage areas may be required for disposal of large amounts of personal data once it has been weeded from the records to be retained.

* Deleting personal data, ICO

* Retaining personal data, ICO Guide to data protection

* Disposal of records, The National Archives website

* Dispose of information you no longer need, The National Archives website

* Disposing of records, The National Archives website


Checklist Overview


Your business has defined and allocated records management responsibilities.
Your business has approved and published an appropriate records management policy. This is subject to a regular review process.
Your business has identified records management risks as part of a wider information risk management process.
Your business incorporates records management (RM) within a formal training programme. This comprises mandatory RM induction training with regular refresher material, and specialist training for those with specific RM functions.
Your business has established written agreements with third party service providers that include appropriate information security conditions. Your business ensures the protection of personal data that is accessed by suppliers and providers.
Your business carries out periodic checks on records security and there is monitoring of compliance with records management procedures. The outcomes of any records security checks or compliance monitoring are measured against key performance indicators to provide strategic oversight to those with overall responsibility for RM.
Your business has minimum standards for creation of paper or electronic records and has established processes to ensure that there is a legitimate purpose for using personal data prior to collecting it.
Your business has identified manual and electronic record keeping systems throughout the organisation and actively maintains a centralised record of those systems.
Your business has processes in place to ensure that personal data that is collected is accurate, adequate, relevant and not excessive. Routine weeding is also carried out to remove any personal data or records that are no longer relevant or out of date.
Your business has tracking mechanisms to record the movement of manual records and ensure their security between office and storage areas and also in instances where records are taken offsite.
Your business has appropriate measures in place for the transfer of electronic records offsite to protect personal data from loss or theft.
Your business stores paper and electronic records securely with appropriate environmental controls and higher levels of security around sensitive personal data.
Your business restricts access to records storage areas in order to prevent unauthorised access, damage, theft or loss. Access should be role based in line with the principle of least privilege and checked regularly.
Your business has a process to assign user accounts to authorised individuals and to remove them when no longer appropriate. Such access should be granted on the basis of least privilege and have appropriate access controls in place.
Your business has business continuity plans in place. These identify records that are critical to the continued functioning or reconstitution of the organisation in the event of a disaster. Data that is stored electronically is routinely backed up to help restore information in the event of disaster.
Your business has a retention and disposal schedule in place which details how long manual and electronic records will be kept for. Your business has defined confidential waste disposal processes in place to ensure that records are destroyed to an appropriate standard once a disposal decision has been made.

© 2019 The Document Warehouse UK Ltd