Recordkeeping requirements and the Government Information (Public Access) Act 2009

Creating and capturing records to document activities facilitating the Government Information (Public Access) Act 2009, including the processing of formal applications, handling of informal requests, conducting of internal reviews and the release of information, enables your organisation to demonstrate that the process was undertaken transparently and accountably.

Records provide an audit trail that can support organisational decision-making and provide transparency. As a number of decisions are reviewable under the GIPA Act, the organisation should build requirements for records creation into procedures for GIPA activities and make sure that all staff are aware and familiar with the requirements.

This guidance has been prepared to enable records managers to understand the relationship between records management and the GIPA Act, the search process, and to inform and assess recordkeeping processes in relation to GIPA. It has been prepared in consultation with the Information and Privacy Commission (IPC) as the agency with oversight for the GIPA Act.

Back to top

Recordkeeping requirements for processing GIPA requests

To ensure records relating to the processing of GIPA applications (formal requests), informal requests and reviews are created and discoverable, your organisation needs to:

• Assess what records to create and what information the records should include (particularly in relation to requests that could escalate or relate to high risk areas of business)
• Establish systems, processes and business rules for creating and capturing records for GIPA activities, including how to document verbal communications (i.e. phone calls, discussions about requests, and meetings)
• Create records to document GIPA activities
• Capture records into approved systems using agreed titles, structures, taxonomies, metadata and records classification schemes
• Keep a record of systems and locations used to store the records

For more information refer to the Standard on records management. The standard is designed to help your organisation meet its recordkeeping obligations under the State Records Act 1998.

It is important to recognise that under the GIPA Act the principal officer of the agency is ultimately accountable for GIPA Act compliance. Within cluster arrangements there may be a number of individual principal officers.

Informal release and proactive release of information

Under the GIPA Act, organisations may release information via informal requests or decide to proactively release information.

Organisations should have business rules and procedures informing staff about how to manage informal access and proactive release of information, and the types of records that must be made of the assessment and decision-making process, authorisations and any conditions attached.

See Documenting the Proactive and Mandatory release of Government Information for further information.

Formal release of information

Organisations should have business rules and procedures informing staff about managing GIPA applications. The business rules and procedures should inform staff about managing applications, and the types of records that must be made at each decision point in the GIPA process, beginning with the application assessment.

Application assessment

Throughout the assessment, it is important to document reasons and supporting actions that informed decisions to proceed, refuse or re-scope applications, for example if a decision is being made about the validity of an application or that the application may constitute an unreasonable and substantial diversion of resources:

If the application	Document
Is not valid…	Reasons why the application is not valid Actions taken to clarify the request, including attempts to telephone the applicant Communication with the applicant e.g. emails and notes of telephone calls Outcome of action taken
Is too broad in scope…	What informed the assessment? How was the assessment undertaken? Details of the assessment process Details of searches for information undertaken during the assessment Internal discussions and/or discussions with third party stakeholders that led to this conclusion Communication with the applicant e.g. emails and notes of telephone calls How decisions to amend/narrow the scope of the application were reached Consent to proceed with a reduced scope or refusal to deal with the application (note: GIPA requires consent in writing)
Constitutes an unreasonable and substantial diversion of resources…	What informed the assessment? How was the assessment undertaken? Details of the assessment process Internal discussions that informed the decision Details of searches for information undertaken during the assessment Any actions taken to re-scope the request, including communication with the applicant e.g. emails and notes of telephone calls Resources needed to be diverted/cost to the organisation Assessment of the demonstrable importance of the information to the applicant such as whether it is the applicant’s personal information, or that it could assist the applicant to exercise a right under an Act or a law.

Thorough documentation will be beneficial during any external review of an application by either the Information and Privacy Commission or the NSW Civil and Administrative Tribunal (NCAT).

Communication

There are a number of points through the GIPA process where the ‘Right to Information’ officer (or person dealing with the application) may need to contact the applicant, internal stakeholders, business units, or third parties in relation to an application. For example, to clarify or re-scope a request, assess disclosure interests, or confirm holdings related to the information sought.

If the communication does not automatically generate a record (e.g. a telephone conversation) then a note of the discussion should be created and captured into the records management system. If the communication does create a record (e.g. an email) it should be captured into the records management system.

Verbal communication such as telephone calls, meetings, and discussions

Records should be created to document verbal communications, including:

• telephone calls
• meetings
• face to face discussions/conversations

between:

• the organisation and the applicant,
• the organisation and internal stakeholders, and
• the organisation and third parties.

To be full, accurate and reliable, records need to document:

• Who? - who participated in the meeting, discussion or telephone conversation, and their position/role
• When? – date/time that the communication occurred
• What? - what was discussed? what advice or instruction was communicated? what was decided or recommended? what commitments or agreements were made? including any permissions/consent granted
• Why? - include reasons for decisions or recommendations.

Records need to be detailed enough to enable others to understand what was communicated, negotiated or agreed. Records made should be captured into the records management system.

Written communications

Written correspondence such as emails or messages should be captured into the organisation’s records management system. When capturing records, controls should be applied to ensure records are discoverable to authorised persons in the future.

Follow business rules to determine and apply:

• titling /naming conventions
• folder/file structure
• records classification
• taxonomies
• metadata (usually applied automatically).

Paper documents created or received through the process should be scanned and saved into the records management system through a digitisation process.

Capturing records at the time of creation or receipt, or as close to as possible, will reduce the risk of records being missed or lost.

Searches and search results

The GIPA Act requires that ‘an agency must undertake such reasonable searches as may be necessary to find any of the government information applied for that was held by the agency when the application was received’.

The creation and capture of records ensures that your organisation has the records it needs to demonstrate and validate that searches for information/records under GIPA are reasonable and adequate. The request for a search to be conducted by an identified officer(s) should be documented.

Records should outline how records holdings (both physical and electronic) were searched, including:

• What systems and locations were searched?
• What search methods were used? (e.g. was metadata used to filter search results?)
• What keywords/terms, alternative spelling and Booleans were applied during the search?
• What dates ranges were searched?
• Which officers, divisions, business units and offices were consulted, contributed to or participated in the search?

Organisations should also document the results of the search, including:

• Details of any relevant records found (including which business unit created them).
• A description of paper records found and how they were searched (e.g. were they scanned/manually assessed).
• Retrieval and checking of any documents that are the subject of the request
• Certification by officers conducting the search.

Analysis of search results

Records should also be created to document the review/analysis of search results.

If search results:	Document:
Show information is already available to the applicant	Where this information is available Communications with the applicant e.g. emails and notes of telephone calls Notifications to the applicant
Show information is not held by the organisation	Internal decisions and/or discussions with other organisations that led to this conclusion Reasons why the organisations would not hold such information Communication with other organisations that are believed to hold information If the application is transferred, document the agency the request was transferred to, and the date of referral Communications with the applicant e.g. emails and notes of telephone calls Notifications to the applicant
Show the organisation has information and can continue to process the application	The decision to proceed How fees and charges will be applied, if applicable Activities and time taken to process the request Communications with the applicant Notifications to the applicant

For more information refer to Information and privacy commission: Knowledge update – reasonable searches under the GIPA Act

Upon release

When releasing information organisations should document:

• Date of release
• What information was released
• Who it was released to
• Decisions relating to the reduction or release of personal information
• Overriding public interest against disclosure, and/or wavier of
• If the information can/will be open access now onwards

Processing time and charges applied

Organisations will also need to document the processing of fees and charges and decisions to relating to the final costing.

In many cases processing of GIPA applications is costed by the hour, therefore the organisation needs to ensure that they can account for the time spent processing applications.

Document:

• Contributing factors to the calculation of estimated processing times
• The activities undertaken for which charges may be made
• Actual time taken to complete the each phase/chargeable activity of the GIPA process
• Activities where charges were not applied (handling of free of charge information)
• Decisions to reduce charges, for example to accommodate financial hardship
• Review of decisions and granting of refunds
• Handling of money, deposits received, refund issued etc.

For more information refer to the Information and Privacy Commission's GIPA Act Fees and Charges

Back to top

Documenting the Proactive and Mandatory release of Government Information

Proactive release

The GIPA Act requires that organisations review their program for the release of information every twelve months to see if there is additional information that could be proactively released.

The organisation’s rules/procedures for giving access should outline what records are created and kept to document assessments and review for proactive release, and the decisions made.

Records should ensure the organisation has evidence:

• that a considered assessment has been undertaken based on the established procedures
• of what was proactively released with appropriate authorisation
• of what was not made available, and the reasons why.

Records will allow the organisation to demonstrate compliance with the Act and defend the release of information if challenged.

Mandatory release

Organisations should also keep records of the review of mandatory release information, including the annual review of the organisation’s publication guide.

Information published on websites

Organisations should incorporate the management of open access information released under the GIPA Act into its recordkeeping strategy for managing websites.

Organisations need to be able to prove what mandatory information was available on the website at what time/date in order to demonstrate compliance with the Act. This may involve managing different versions of the information over time.

Access directions for open access information

Records created during release assessment can assist the organisation in making access directions under section 51 of the State Records Act 1998. The sensitivities initially identified can be re-assessed to determine if they have diminished with the passage of time.

TIP: Organisations can make an access direction under the State Records Act declaring that all records made available via proactive release under the GIPA Act are available under the early access provisions of the State Records Act. This is a quick and easy way to ensure consistency between the two Acts so that records that are now available will not be closed when transferred to the State Archives Collection.

Back to top

Relationship between the State Records Act and GIPA Act.

Recordkeeping underpins the successful fulfilment of GIPA requirements and responsibilities.

Government organisations rely on the records made and kept under the State Record Act 1998 to fulfil their obligations to facilitate access to Government information under the Government Information (Public Access) Act 2009 (GIPA Act).

These responsibilities closely align with recordkeeping requirements under the State Records Act 1998 and the Standard on Records Management. The standard aims to ensure that government information is appropriately documented and discoverable.

Implementing the standard can save your organisation time and resources otherwise spent on searching for information that may or may not be documented.

Tips to fulfil GIPA recordkeeping responsibilities

The table below provides tips and links to useful resources to help fulfil recordkeeping responsibilities.

GIPA responsibility	Tips	Guidance/resources available
1. Keep up-to-date records to ensure information can be provided where appropriate.	Understand your recordkeeping requirements  Assess what records your organisation needs to create and what information the records should include (particularly in relation to high risk activities) Identify common situations where records should be created and captured e.g. phone conservations, meetings, emails, web chats	Recordkeeping requirements Identifying and managing high value and high risk records and information Create and capture
2. Manage records systematically so they can be located easily.	Keep a record of systems and locations used to store organisational records Use titling, file structure and classification conventions to capture records into approved systems Ensure business systems are designed to meet organisational recordkeeping requirements Undertake timely disposal of records legible for lawful destruction to reduce the amount of documentation your organisation needs to assess Implement Normal Administrative Practice (NAP) to dispose of ephemeral, facilitative and duplicate records and streamline your records holdings. NAP is defined under section 2 of the State Records Regulation 2015 and enables the destruction of certain types of facilitative and duplicate records.	Recordkeeping requirements Create and capture Designing, Implementing & Managing Systems Retention and Disposal Overview Normal administrative practice
3. Keep records for as long as they are required under approved Retention and Disposal authorities in accordance with the NSW State Records Act 1998.	Ensure that records are managed in approved systems Keep a record of systems and locations used to store organisational records Use sustainable file formats when creating records Migrate/convert technology dependent records to retain their accessibility Use approved Retention and Disposal authorities issued to your organisation to dispose of time expired records lawfully	Designing, Implementing & Managing Systems Recordkeeping requirements Sustainable file formats Migrating records: managing source records after migration Retention and Disposal Overview
4. Ensure that your agency is able to access the records held by a contracted service provider.	Ensure that contracts outline responsibilities for recordkeeping and clarify ownership of the records	Accountable outsourcing

For further recordkeeping advice and an outline of your recordkeeping responsibilities under the State Records Act 1998 refer to the Standard on records management.

If you have enquiries about recordkeeping, please contact NSW State Archives and Records at govrec@records.nsw.gov.au.

If you have enquiries about the GIPA Act, please contact the Information and Privacy Commission on 1800 472 679 or at ipcinfo@ipc.nsw.gov.au.

Published April 2020

 

Back to top