Using Shared Services for Records and Information Management

About shared service arrangements

Many Government organisations use shared service arrangements for a range of common administrative or support tasks. Government policy on shared services aims to promote more effective and efficient service delivery across NSW Government agencies.

The aims of shared service arrangements include:

the consolidation of corporate services
better use of available technology
business process re-engineering for greater efficiency.

To achieve these aims, shared service arrangements generally involve a degree of standardisation to allow groups of organisations to use common technical platforms, systems and processes.

Shared records management services

In records management, common models for shared services are:

sharing records management services amongst a group of public offices, such as geographically co-located or functionally similar organisations, or with a 'parent' organisation, or
using a third party provider of services.

This guidance can be used as a reference for:

the negotiation of contractual arrangements between service providers and public offices
clarifying the boundaries of public office / service provider responsibilities
explaining the nature of shared records management services to senior managers to assist in decision making.

This guidance is not designed as advice on managing the recordkeeping issues associated with outsourcing core business activities - see Accountable Outsourcing: Managing the Records and Information Management Considerations of Outsourcing NSW Government Business.

For advice about the use of cloud services see Using Cloud Computing Services – Implications for Information and Records Management.

Points to consider when using a shared service provider

You are accountable

Outsourcing any function of your organisation, including one seen as 'support' or 'administrative', such as records management, does not diminish your organisation's responsibility to ensure that it is carried out properly and that all legal and business obligations are met.

Importance of the contract or agreement

The primary means by which you can ensure that a shared service provider is giving you the best possible service and is helping you to meet your obligations is by building requirements into the contract or service level agreement you make with them. As with any contract or agreement, it should be clear the types and level of services being provided and dispute resolution mechanisms should be included.

Chief Executive is responsible

The Chief Executive is responsible for ensuring that a public office complies with the State Records Act 1998. A failure by your public office to meet its records management obligations even where most of these activities are 'outsourced' to a shared service provider signals a failure by its Chief Executive to comply with the State Records Act (s.10). Perhaps more significantly, records not being properly managed can result in loss of productivity, financial loss and public embarrassment for your organisation.

Records and information management policy and strategy remain a core responsibility of the public office. Defining the policy and strategies for records and information will assist the public office to identify the types of services and the service parameters required from operational records management providers.

Executives and business managers have a role to play in ensuring that records management service offerings which are used by the business or parts of the business are aligned with the overall strategy for records and information.

Your records must remain under your organisation's control

Even when you have outsourced records management or storage, the records created and captured in the conduct of your business that may be managed or stored by a service provider remain the responsibility of your organisation. If your organisation terminates its arrangement with a service provider, your records and control information needed to use them must remain with you.

Outsourcing arrangements must be monitored

You have a responsibility to monitor your shared service provider and employ other checks to ensure that contractual arrangements are being met. Regular communication with and reporting from your service provider is recommended. This may take the form, for example, of periodic meetings or a monthly report.

Adequate monitoring of contracted-out records management services can be more challenging for agencies without qualified records managers. In cases like these, make sure the deliverables and performance measures from the contract are expressed in simple terms to allow non-records professionals to monitor the services effectively.

Tips for shared records management services users

Know the exact nature and extent of the records management services being provided.
Know the existing relationship, context and expectations already established (if any) between your corporate services manager and the shared services provider.
Build service levels and standards for service delivery into arrangements.
Build performance measures into monitoring arrangements with providers.
When you want to address any service or standards gaps, partner with your shared service provider and discuss with them what initiatives your agency is planning to address the gaps. That way, the service provider will be able to support you with advice and will be better placed to help you to implement your initiatives.

Tips for small public offices using shared records management services
Instead of using third party providers, small public offices may enter into arrangements with larger, 'parent' agencies for the provision of certain records management services. Under these circumstances, it is important that arrangements address:

how the records of the small organisation are to be identified and managed as a separate class of records from those of the larger organisation (for example, if the same records management software system is to be used, will there be separate databases?)
how security and access restrictions on the smaller organisation's records will be complied with
monitoring and reporting arrangements so the smaller organisation can be confident the State Records Act's requirements are being met in respect of any of their records that are being managed by the larger organisation.

Meeting the key obligations under the State Records Act

The tables below set out some of the ways in which a public office might comply with the key records management obligations from the State Records Act and associated standards in partnership with a shared service provider. Please note, the information in the tables is intended to be indicative only and does not represent the only model for how such an arrangement might work.

Governance Frameworks

The State Records Act states that 'each public office must establish and maintain a records management program for the public office in conformity with standards and codes of best practice from time to time approved under section 13' (Section 12(2)). Refer to the Standard on Records Management and in particular Principle 1: Organisations take responsibility for records and information management to check the minimum requirements for governance frameworks. It is essential that organisations have an appropriate governance framework for records and information and, access to appropriately skilled staff and monitor records management activity.

A service provider may be contracted to...	...and the public office would...
assist the public office with aspects of the implementation of corporate records and information policy and strategy	develop and approve corporate records and information policy and strategy promulgate records and information management policy across the organisation actively encourage staff to read and understand the policy.
assist the public office in records and information management planning, including development of documentation	approve records and information planning documentation at the appropriate level and incorporate it into the public office's normal planning mechanisms.
supply appropriately skilled and qualified people to carry out day to day records and information management activities or special projects	ensure that the records and information management activities are carried out by appropriately skilled and qualified people monitor services performed.
assist in the design, implementation and ongoing maintenance of new or enhanced corporate recordkeeping systems	provide input and support for the development or enhancement of corporate recordkeeping systems endorse new or enhanced recordkeeping systems at the highest levels in the organisation.
assist in the development of a functional retention and disposal authority	ensure the public office has an up to date functional records retention and disposal authority ensure that staff are not carrying out unlawful disposal by authorising any records destruction or transfer.
assist the public office to implement requirements for information classification and labelling	ensure that requirements for information classification and labelling are understood and implemented by staff
report to the public office on service levels and progress towards meeting objectives, using mutually agreed performance measures	require the service provider to report regularly on how the provider is meeting contractual obligations keep its own documentation on how it is meeting its obligations under the standards and the Act.

Obligation to protect records

The State Records Act states that 'Each public office must ensure the safe custody and proper preservation of the State records that it has control of' (section 11(1)). Refer to the Standard on Records Management and the Standard on the Physical Storage of State Records to check the minimum compliance requirements that your public office must meet in storing records and protecting them.

A service provider may be contracted to...	...and the public office would...
assist the public office in the assessment of risks affecting records, the identification of critical and high value records and the development of BCP planning and disaster records plans	endorse and promulgate the BCP and disaster plans
meet standards set by the public office regarding how records are to be stored and protected from disaster	monitor its own compliance with the standard on storage ensure adequacy of disaster management and recovery for any records that it manages or stores itself and any records managed or stored by service providers, including digital records
ensure that service environments and systems met information security requirements	monitor service environments and systems to ensure information security requirements are met.

Full and accurate records

The State Records Act states that 'Each public office must make and keep full and accurate records of the activities of the office' (section 12(1)). Refer to Standard on Records Management and in particular Principles 2.1 Records and information required to meet short and long term needs are identified and 2.2 High risk and high value areas of business and the systems, records and information needed to support these business areas are identified.

A service provider may be contracted to...	...and the public office would...
assist the public office in identifying requirements for records that need to be met, to ensure that 'full and accurate' records are being kept	approve at a senior level and promulgate policy, procedures and business rules that support the creating and keeping of full and accurate records
design / build business and recordkeeping systems that will support the capture and management of records and information and ensure that records in all formats are accessible	approve at a senior level the identified recordkeeping requirements that will be met by the public office
assist in the development of procedures, business rules and training for staff on making, keeping and managing records and information	promote and promulgate procedures and training to staff; ensure that managers leading by example check to make sure that all staff are aware of and understand procedures and rules for managing information and for recordkeeping.

Monitoring and reporting

The State Records Act states that 'Each public office must make arrangements with the Authority for the monitoring by the Authority of the public office's records management program and must report to the Authority, in accordance with arrangements made with the Authority, on the implementation of the public office's records management program' (section 12(4)).

A service provider may be contracted to...	...and the public office would...
supply the public office with information, demonstrate systems or cooperate in other ways in order to assist the public office to participate in monitoring arrangements	enter into monitoring arrangements with State Records NSW such as records management self-assessments or inspections.

Equipment/technology dependent records

The State Records Act states that 'If a record is in such a form that information can only be produced or made available from it by means of the use of particular equipment or information technology (such as computer software), the public office responsible for the record must take such action as may be necessary to ensure that the information remains able to be produced or made available' (section 14(1)).

A service provider may be contracted to...	...and the public office would...
assist the public office to develop strategic approaches to the management of long-term digital information and records	endorse at a senior level strategic approaches to the management of long-term digital information and records ensure strategic approaches are kept under review so that they remain effective
assist the public office by carrying out activities such as migration and conversion, monitoring records accessibility	be responsible for assigning responsibility for ensuring digital records' accessibility over time, including both records management and IT related responsibility.

Disposal of records

The State Records Act states that 'Public offices may not dispose of State records, transfer their possession or ownership, take or send them out of New South Wales, or alter them, without the approval of State Records' (section 21).

A service provider may be contracted to...	...and the public office would...
assist in the development of an up to date functional retention and disposal authority	be involved in the development of the functional retention and disposal authority and ensure it is appropriate to the needs of the organisation have the functional retention and disposal authority approved by the Chief Executive before it is submitted to State Records NSW for approval.
manage ongoing implementation of records disposal on behalf of agency (routine destruction, transfer to storage or archives etc.)	respond to requests from the service provider to give internal authorisation for records destruction, transfer or other form of disposal ensure staff are aware of the corporate policy and procedures in relation to records disposal.

Management of State archives

Public office records that are required to be kept as part of the State archives must be properly protected while they remain in the public office's custody. Public offices should contact State Records to discuss transfer or other options for their permanent preservation when the records are no longer required for current business needs (State Records Act, Part 4 'Authority entitled to control of State records not currently in use').

A service provider may be contracted to...	...and the public office would...
assist the public office by carrying out systematic disposal activities, including transfer of records as archives to State Records	ensure State archives are identified through the development of an up to date disposal authority use of current general retention and disposal authorities.
comply with State Records' procedures for the transfer of records as archives	authorise the transfer of records to Museums of History NSW as archives in accordance with Museums of History NSW' procedures.

Public access to State records after 20 years

Each public office must ensure that the State records for which it is responsible and that are over 20 year old and not open to public access are the subject of a closed to public access direction (State Records Act, Part 6 'Public access to records after 20 years').

A service provider may be contracted to...	...and the public office would...
keep information on access directions made for records controlled in public office recordkeeping systems as required	make decisions about access to the public office's records that are more than 20 years old.
assist the public office in liaising with Museums of History NSW regarding the making of access directions	ensure that access directions are authorised by the Chief Executive or Corporate Records Manager.

Compliance with other laws and standards affecting recordkeeping

There are a range of laws, standards and codes affecting recordkeeping practice that the supplier of the records management service may need to be advised of. Again, the best way to communicate requirements is via your contractual arrangements. Examples of such rules and standards are:

Privacy and Personal Information Protection Act 1998, and your organisation's Privacy Management Plan
Government Information (Public Access) Act 2009 and your organisation's GIPA procedures
NSW Cyber Security Policy, January 2022
NSW Government Information Classification, Labelling and Handling Guidelines
AS/NZS ISO 31000:2009 Risk management - Principles and guidelines
AS ISO/IEC 27001:2006 Information technology - Security techniques - Information security management systems – Requirements and AS ISO/IEC 27002:2006 Information technology - Security techniques - Code of practice for information security controls and related standards
any quality assurance standards your organisation is seeking to comply with.

Published 2006 / Revised February 2015, July 2015, February 2016 / Updated November 2022 / Updated January 2024

Recordkeeping Advice

Records and Organisational Change

Recordkeeping A-Z