GROUP RECORDS MANAGEMENT POLICY SUMMARY FOR THIRD PARTY SUPPLIERS

Size: px

Start display at page:

Download "GROUP RECORDS MANAGEMENT POLICY SUMMARY FOR THIRD PARTY SUPPLIERS"

Elijah Carter
5 years ago
Views:

GROUP RECORDS MANAGEMENT POLICY SUMMARY FOR THIRD PARTY SUPPLIERS RATIONALE Lloyds Banking Group (the Group) and its Third Party Suppliers (suppliers) have moral, legal and regulatory obligations to

1 GROUP RECORDS MANAGEMENT POLICY SUMMARY FOR THIRD PARTY SUPPLIERS RATIONALE Lloyds Banking Group (the Group) and its Third Party Suppliers (suppliers) have moral, legal and regulatory obligations to create, preserve, protect, and manage records effectively. This Policy mandates the Group s requirements that its suppliers must meet for a robust records management approach to ensure that evidence of business activity is created, captured and managed and made accessible to those who need it, for as long as it is required. This enables the following: compliance with legislation and regulations; informed decision making; management of business risks; continuity in the event of disaster; the protection of rights and obligations of the Group and colleagues; protection and support in litigation; reduction of costs through greater business efficiency; protection of intellectual property; the protection of corporate memory; maintaining customer confidence; and protection of the Group s commercial interests and reputation; The objectives of this Policy are to mitigate the risks that suppliers fail to: create and retain complete and accurate records; retrieve complete and accurate records in a timely manner; adequately protect records; and destroy records appropriately. Customer Impact The Group s vision is to be the best bank for customers. The Policy supports this vision by: SCOPE Ensuring our customers' records are managed and protected appropriately throughout their lifecycle, from creation to destruction, in accordance with legal and regulatory requirements; and Ensuring the Group s ability to evidence fair customer outcomes by ensuring the availability and retrievability of the right records at the right time. This third party version of the Policy applies to any suppliers that create, store, process, retain, retrieve or destroy the Group s records or may be impacted by Page 1 of 6

2 records management risks. Records and managing records Records capture information and provide authoritative evidence about the Group s business activity. They can be distinguished from other types of information by their role as evidence in the transaction of business and by the fact that they have context which we need to preserve. For example, contracts, customer interactions, call recordings, financial statements, transactions, campaign briefs, and compliance arrangements. Managing records (records management) encompasses the creation, capture and management of records until destruction. This Policy is only applicable to Critical Records (which includes Critical Conduct Records). These are defined as follows: Critical Records are those which ensure the continuation or survival of the organisation and / or evidence our legal and regulatory requirements. Critical Records include: Critical Conduct Records. These are those Critical Records which also evidence and/or support our management of customer conduct risk and fair customer outcomes, e.g. Customer interactions with the Group, Customer or product related risk assessments or decision making reporting, strategic decisions, end to end customer processing. Personal Information (PI) and Sensitive Personal Information (SPI) are defined within the Group Third Party Data Privacy Policy which also sets out the minimum requirements for handling and protecting PI and SPI. Any PI or SPI which forms part of a Critical Record is also required to be compliant with this Policy. Any PI or SPI which is not part of a Critical Record must be managed in accordance with the Gr oup Data Privacy Policy. Non Critical Records are all other records and must be managed in agreement with the Supplier Manager. MANDATORY REQUIREMENTS GENERAL Different suppliers provide different services to the Group and therefore have different responsibilities for the Group s Critical Records. Therefore this Policy may be relevant in part or in whole to suppliers depending on the services they provide. As a guide, the following categories have been created and they are referenced throughout the Policy where we think they are applicable. Category A The supplier creates, manages, stores, preserves and destroys the Group s Critical Record on our behalf at their own premises. Category B The supplier manages and stores the Group s Critical Record on our behalf at their own premises. Category C - The supplier destroys only (not stores) the Group s Critical Record on our behalf at their own premises. Category D The supplier processes the Group s Critical Record on our behalf at their own premises but does not store or retain any copies. Category E - The supplier processes the Group s Critical Record on our behalf at/on Page 2 of 6

3 systems at the Group s premises. Category F The supplier does not create or have any access to the Group s Critical Records. Accountability categories A, B, C, D, E) Suppliers must ensure that: They appoint a person, in accordance with the supplier s governance structure, to be accountable for implementation of this policy, monitoring the key controls defined below and for confirming to the Group s Supplier Manager that the Records Management capability meets the Group s requirements. They have a Records Management framework in place which ensures compliance with legislation, regulation and this Policy (as appropriate). They have ongoing control testing/assurance plans in place to monitor compliance with Policy, identifying where remediation is required and implementing agreed actions. Records Management requirements are considered if there is any change to their business processes or location that could impact the creation, management, storage, preservation or destruction of Group records. Records management risks, incidents or events are identified and reported to the Group s Supplier Manager. Records released to them are protected and that records are destroyed on the request of the Group The supplier s employees are appropriately trained to understand how the requirements of this Policy affect their role and their responsibilities. The contract between the third party supplier and Lloyds Banking Group contains the relevant records management clauses detailed in the Group Security Schedule. Critical Records The supplier must identify and maintain (review at least annually) a list of the Group s Critical Records that it creates, store, processes, retains or destroys. (Applicable to supplier categories A, B, C, D) The Group s Critical Records must be created and maintained so that they are: Accurate and complete: Contain all the information that is expected to be in the record or is required to be in the record. Reliable: The record content can be trusted as an accurate representation of the transaction, activities or facts to which they attest. The record can be depended upon in the course of subsequent transactions or activities. Usable: Are legible and can be interpreted throughout their life. categories A, B) The Group s Critical Records must be retained for as long as is necessary and in accordance with the following rules categories A, B) Records must be retained in line with one of the following retention period categories: Page 3 of 6

4 Category DESTROY 10 YEARS PERMANENT Retention Period Destroy records after use 10 years from a trigger event Permanent Notes Non Critical Records only can be destroyed after operational or business use. The period of operational or business use can vary depending on business requirements but would typically not exceed 36 months. Critical Records must be retained for 10 years from a pre-defined trigger event. Critical or Non Critical Records which are required to be retained permanently for legal, regulatory or historical reasons only. Where there is specific legislation or a regulatory requirement that mandates a retention period for a definitive length of time outside the 10 YEARS or PERMANENT retention categories, the legislation or regulatory requirement must be followed. In this scenario raise a formal exception with your Supplier Manager to ensure that the Policy Contact has been informed. The Group s Critical Records must be able to be located and retrieved within 3 working days. categories A, B, D) The Group s Critical Records of historical or long-term business value must be sent or made available to Group Archives and considered for permanent retention. categories A, B) Storage of the Group s Critical Records must be fit for purpose to ensure that throughout their lifetime they can be accessed, retrieved and are still legible. categories A, B) The Group s Critical Records must be protected and secured throughout their lifetime. Controls must be in place to prevent unauthorised access, alteration, concealment or destruction. categories A, B, C, D) Controls must be in place to identify time-expired (i.e. records that reach the end of their retention period) Critical Records ready for destruction. categories A, B, C) The Group s Critical Records must be destroyed at the correct time and be carried out in a way that ensures complete destruction. categories A, B, C) Destruction of the Group s Critical Records must be authorised by the Group and evidenced. categories A, B, C) The Group s Critical Records pertaining to a pending or actual litigation or legal action or investigation must not be destroyed. They must be managed in accordance with the instructions issued to the supplier by the Group. categories A, B, C, D) Page 4 of 6

5 KEY CONTROLS Control Title Control Description Frequency Critical Records Inventory A Critical Record Inventory of the Group s Critical Records is in place and reviewed at least annually. categories A, B, C, D) The supplier can show evidence of how it has created and agreed with the Group an inventory of the Group s Critical Records that it creates, store, processes, retains or destroys. Annually Creation and Retrieval Group Critical Records are accurate and complete, reliable and usable and can be located and retrieved within 3 working days. categories A, B) Retention & Destruction Group Critical Records are retained for a period of time in line with the rules in this Policy (unless a Policy exception or Waiver is in place) and destroyed in a timely manner in line with the requirements of this Policy. categories A, B, C) The supplier can show evidence that it has quality reviewed the inventory at least annually. A sample of Critical Records are retrieved and checked for a) Accuracy & completeness b) Reliability c) Usability d) Retrieval timeliness A sample of Critical Records is requested and the supplier can show evidence of how it applies the correct retention periods and trigger events to the Group Records (or evidence of Group sign off of an approved exception/waiver). Semi-Annually Semi-Annually Legal Holds The supplier must be able to preserve Group Critical Records upon request. categories A, B, C) The supplier can evidence that they have controls in place to identify time-expired records, and that destruction is authorised by the Group and is evidenced using a destruction log. The supplier can show evidence of how it applies legal holds/preservation notices issued by the Group. E.g. a procedure document and example of how this has been actioned (if applicable) Annually Page 5 of 6

6 MANDATORY REQUIREMENTS NON-COMPLIANCE Any material differences between the requirements set out above and the supplier s own controls should be raised by the Supplier with Lloyds Banking Group s Supplier Manager. The Supplier Manager will then discuss the non compliance with the Accountable Executive for the relationship and local Risk team to agree way forward, unless an exception has been agreed by the Group. Version Number V1.0 Final May 2014 Effective Date V2.0 Final March 2015 Updated to align with the Group Records Management Policy V3.0 Final 04 January Annual review V4.0 Final 22 November 2016 Annual Review V5.0 Final 30 November 2017 Next Planned Revision: October 2018 Page 6 of 6

Draft: Document Retention and Destruction Policy. 1. Policy and Purposes

1 Draft: Document Retention and Destruction Policy 1. Policy and Purposes This Policy represents the policy of Libertarian National Committee, Inc. (the organization ) with respect to the retention and