Information Management (IM) is the ‘planning, collection, control, distribution and exploitation of information resources within an organisation, including systems development, and disposal or long-term preservation’ (AS ISO 5127:2017, section 3.2.1.23).

Effective information management involves planning, designing, and implementing IM processes, governance, and infrastructure to manage information throughout its creation, management, use/re-use, destruction, or long-term preservation. Even with adequate development and implementation, the realm of digital information management is ever evolving.

Digital information can be held onsite, outsourced, or is cloud-based. It makes use of different formats, applications, and systems. Yet over time these formats and systems can become outdated. Therefore, continual monitoring, evaluating, and upgrading is necessary to mitigate information challenges. Taking a proactive approach provides the opportunity for improvement to varying aspects of IM including accessibility, authenticity, accuracy, and efficiency of information and data.

Information management challenges

To assist with the diverse information management challenges organisations face, below are some common issues with suggested solutions.

A mixture of these solutions may be required to assist the organisation, or perhaps only one or two approaches are needed. Consider how these strategies/solutions will support or inhibit:

  • The organisation’s culture

  • The organisation’s systems and technological environment

  • The organisation’s financial constraints

  • The risks and implications to the organisation.

Published April 2014/ Updated August 2019/ Updated December 2021

 

FAQs
Issue 1: Maintaining legacy systems for varying business needs.

Examples include:

  • Users are using legacy systems to double-check information. This may be due to users not trusting new systems (or due to incomplete or partial data migrations).
  • No business owner to decide when the legacy system should be decommissioned. 
  • Administrative change (functions move from one agency to another).
  • User familiarity with legacy system (struggling to use new system), etc.
Suggested solutions:

Analysis and design of the new/replacement system:

  • Prior to migration to a new system, establish what records, information and data are required to support and account for ongoing business operations.
  • Build sufficient metadata into the arrangements for migration and procurement decision-making. This will ensure that the integrity, understanding, and trustworthiness of the information is migrated.

Legacy systems:

  • If legacy systems cannot be decommissioned – assess business requirements and arrangements including search, accessibility, format (for long-term preservation), security, offline and online storage (i.e. cloud storage), retention and disposal or transfer to State archives. Establish a plan on how to manage the legacy system/s, including how to monitor and review; regularly dispose of or transfer to NSW State Archives and Records according to relevant authority. Additionally consider disposing of any unnecessary duplication of records, information, or data (use NAP provisions under the State Records Regulation. 
  • If the legacy system contains records required as State archives, consider transferring records to the State Archives Collection. 
  • Review user history of the legacy system to identify which information and data is still being accessed and to what purpose. Information gathered is useful for negotiating or consulting with the business in relation to decommissioning the system. 
  • If the system is no longer used or accessed for business purposes (inactive). Check for previous business owner/s. Consult with legal, governance, ICT, and business unit/s to confirm if a request to decommission a legacy system is possible. If it is possible, place request for decommissioning with CIO/SRO.  If the records, information or data is still required, explore migration and offline/online storage solutions. 

Policies and user training:

  • Develop and deploy change management strategies and training to assist users in learning new system/s. 
  • Develop and implement business rules to inform staff on when and how legacy systems should be accessed. 
Issue 2: Increased use of multiple business platforms and applications causing an inability to easily track, monitor, use, share, and appropriately store information.

For example, staff using various systems such as Microsoft 365, Jira, Confluence, Slack, Smartsheets, social media, and emails. The users then save information on various platforms such as their desktop, shared drives, and cloud-based systems (for example: SharePoint).

Suggested solutions: 

Analysis and design:

  • Recognise what information is required for effective service delivery and where it is located. 
  • Identify the retention and disposal requirements of information (it is a State record). 
  • Foster a good corporate understanding of the information required to support high risk/high value (HRHV) business processes.
  • Recognise where staff are performing high risk/high value business operations. Establish strong information governance frameworks to enable effective information management of HRHV business information/operations. 

Systems:

  • Create an inventory of where this information is stored as part of your information asset register. 
  • Keep up to date on system changes, for example when business delivery or client service mechanisms are updated. Be aware of the impacts to business and information flows when these updates are enabled. 
  • Implement tools or utilise workflows to consolidate business information required for decision making, client management, or to minimise service/information duplication. This could include integrating information from different systems if possible. 
  • Monitor the adoption of new systems, services, applications, and processes to identify and manage changes that will impact on business information. 
  • Do not allow isolated data silos to proliferate. 

Policies and user training:

  • Ensure that users are trained to understand the processes and systems needed to create and manage comprehensive and accurate business information. 
  • Establish policies, rules, and practices for using multiple platforms and how to store records in the business environment.  
  • Instruct users in best practice for providing clear, effective metadata to identify definitive versions of reports and other business information. 
  • Implement and maintain an information asset register. 
Issue 3: Inability to retrieve information needed for a given purpose due to volumes of uncontrolled information/data stored in multiple repositories.
Suggested solutions: 

Analysis and design:

  • Analyse and assess the data in storage. 
  • Review GIPA and other requests for information to understand difficulties in identifying and retrieving information. Design appropriate solutions to resolve these difficulties and continue to monitor the success of these approaches. 
  • Establish strong metadata practices to manage data effectively. 
  • Develop procurement processes that implement systems with the capacity to identify and protect high value information. 

Systems:

  • Frequently dispose of information that is no longer needed for business purposes and is authorised for destruction (use NAP provisions under the State Records Regulation  and authorised general and functional authorities).
  • Explore options to procure systems that can apply separate management of information and administer automated destruction according to the applied sentencing. 
  • Regularly monitor data to ensure that appropriate sentencing has been applied. 
  • Explore the use of file analysis systems to assist data deduplication activities. 
  • Make use of federated search technologies to simplify search and retrieval operations. 

Policies and user training:

  • Create well-defined policies for the management of data/information (how to create, capture, store, and dispose). 
  • Train staff in how to create and capture records effectively according to structures/procedures put in place for various systems. For example, where records should be located on a shared drive or content management system, and how they should be titled. 
Issue 4: Risking long term information accessibility by using backup systems for storage of long-term value business information.
Suggested solutions: 

Do not use back up systems for the long-term storage or preservation of information and records. Back up systems are not designed to store data over a long period of time. They are designed to store data for a short period to enable restoration of a system to a fixed date and time. 

Issue 5: Lack of corporate and business awareness of the need to keep some high risk/high value information after its active business use ceases.
Suggested solutions: 

Policies and design:

  • Build strong IM strategies and initiatives for high risk/high value (HRVR) records, information, and data to ensure ongoing usability and accessibility. 
  • Provide retention requirements for system migration plans to ensure that HRHV information is supported through the migration process. 
  • Document critical information/datasets and their dependencies across the organisation and the technology dependencies of these information/datasets. 
  • Establish staff and stakeholder awareness of the importance of HRHV records – they are vital to the organisation to meet business and regulatory requirements and community expectations – beyond active business use. 

Systems:

  • Identify the diverse systems that are used across the organisation, specifically core systems, and understand that information loss and loss of access in one of these systems may impair operations or accountabilities in other systems. 
  • Review and apply authorised retention and disposal authorities to HRHV records, information, and data. This will support understanding business, client, community and/or legislative drives to different areas of organisational operations. 
Issue 6: Increased data and information breach or leaks.
Suggested solutions: 

Systems: 

  • Apply appropriate controls to limit access to authorised personnel and ensure they are regularly monitored and updated. 
  • Ensure appropriate controls are in place to prevent inappropriate alterations. 
  • Regularly monitor data to ensure that appropriate retention, disposal, and security sentencing has been applied. 
  • Frequently dispose of information that is no longer needed for business purposes and is authorised for destruction. 
  • Routinely review business systems: are there any legacy systems that could be decommissioned? Inactive legacy systems pose risks including security vulnerabilities like information breaches or leaks. 
  • Review and advise on issues relating to cloud services for records, information, and data to ensure any necessary additional controls are implemented. 

Policies and user training: 

  • Establish a governance framework that initiates and controls the implementation of information security.
  • Work closely with ICT and cybersecurity to ensure appropriate policies, procedures, and monitoring are implemented to prevent data and information breaches or leaks. 
  • Train staff in cybersecurity issues and threats, security policies and procedures, and privacy legislation practices/responsibilities. 
Issue 7: Poor corporate governance inhibits strategic information management.
Suggested solutions: 

Analysis and design:

  • Strategically identify, protect, manage, and utilise long term value business information. 
  • Develop or procure systems which enable defined management pathways for short-and-long-term value information. 
  • Complete Records Management Assessment Tool (RMAT) to provide justification for strategic planning.
  • Engage corporate governance to understand issues in identifying and meeting requests for information (i.e. GIPA, standing orders, etc.). 

Systems:

  • Routinely purge information that is no longer needed for business purposes and is authorised for destruction. 

Policy and user training:

  • Promote a broad corporate understanding of the high risk/high value information generated and needed by the organisation. 
  • Deploy change management strategies and training to develop an organisational culture which values information management.
Recordkeeping Advice
Recordkeeping A-Z
D