Checklist for assessing business systems

The main purpose of implementing business systems is to support a business activity. Determining whether the business system holds or will hold unique information upfront ensures that resources (time, effort, money) are allocated accordingly.

If the system contains duplicate information that has already been captured in an official recordkeeping system or which does not relate to the official business of the organisation, there is no need for the recordkeeping assessment to continue.

Regulatory requirements are imposed upon your organisation by laws, regulations, whole-of-government policies, directives, standards or similar instruments. Regulatory requirements will be most common for business activities or operations that are tightly controlled or monitored.

Business requirements are internal requirements that result from the activities and business processes of your organisation. They specify what information is necessary for the organisation to carry out its operational work and responsibilities.

If the answer to this question is ‘yes’, it is likely that this system will need to keep the same types of records.

‘Previous systems’ include paper-based systems for keeping records.

We recommend organisations focus on business systems supporting core functions and high risk business areas. These areas of the business require trustworthy, reliable, usable, interoperable and secure business systems.

If the answer to this question is ‘yes’, please ensure appropriate mechanisms are in place for quality assurance, and that security measures and business continuity strategies and plans are developed for this system.

For more information, see “Identifying and managing high value and high risk records and information” and “Identifying information risks that might be impacting on high risk business.”

Many high value records and information are generated by common organisational functions.  The value of records is dependent on a number of factors such as their currency and usefulness.

If the answer to this question is ‘yes’, specify the functions and check the retention requirements. See GA28 for more information.

Retention and disposal authorities provides authorisation for the disposal of State records and for deciding which records will be retained as State archives.

If the answer to this question is ‘yes’, check the retention requirements and consider the expected life of the business system in your assessment.

If retention periods are longer than the expected life of the business system, take into account:

• interoperability
• preservation strategies
• export / import functionality of the business system
• format of the records, making sure that the records are in human-readable form
• technology obsolescence
• accessibility of the records
• whether integration with an external recordkeeping system, such as an electronic document and records management system (EDRMS), is viable.

Creating records in context

Does or will the business system capture records created or received, regardless of format and technical characteristics?

Capturing means that:

• records at the time of creation must be retrievable at any period of time
• records must be presented in human readable formats
• if records were altered, the business system must log and show how and when they were changed and who changed them
• content composed of several parts (e.g. email with attachments) is related together.

The business system needs to be able to save records entered by the user. In some cases records are captured automatically.

The business system should be able to keep a fixed and complete version of each record that is defined, whether in documentary form or a collection of data representing a transaction.

Some business systems are designed to be current with minimal redundancy of data. If a business system that is being assessed for its recordkeeping capabilities allows for the continual updating of information without keeping a record where required the option of exporting records to an external recordkeeping system should be employed.

If yes, document how this requirement is supported by the business system.

If no, flag this as a gap and explore options for addressing this requirement. Take a risk-based approach in deciding which option is the most appropriate way to proceed.

If yes, document how this requirement is supported by the business system.

If no, flag this as a gap and explore options for addressing this requirement. Take a risk-based approach in deciding which option is the most appropriate way to proceed.

The system should be capable of capturing and managing core recordkeeping metadata.

Much of the metadata in business systems is present in the system, imported from another system or is generated as a natural part of the operation of the system. Some may be added by system users.

Metadata may be applied to individual records or aggregations of records. It can also be applied to entire systems (e.g. system documentation can provide the required information about the business context of records in the system).

For more information please see our guidance “Minimum requirements for metadata for authoritative records and information.”

If yes, include in your system documentation information describing the content and context of records, its structure, relationship with other records, and business actions or events the system supports or will support.

If no, flag this as a gap and explore options for addressing this requirement. Take a risk-based approach in deciding which option is the most appropriate way to proceed.

Metadata in digital systems is abundant and permeating. Organisations should identify what metadata in business systems is necessary to meet specific requirements and/or to support organisational business requirements.

More information about metadata can be found in “Metadata for records and information.”

If yes, document how this requirement is supported by the business system.

If no, assess whether there is a need to create additional metadata elements. If there is a need, flag this as a gap and explore options for addressing this requirement. Take a risk-based approach in deciding which option is the most appropriate way to proceed.

The system should be able to maintain a metadata profile over time – maintaining links to the record and accumulating process metadata for the record as events occur. The metadata should remain linked to the record even if the records are migrated out of the original system.

Mappings can assist with ensuring that metadata remains linked to records for as long as required, including through and beyond system migrations.

If yes, document how this requirement is supported by the business system.

If no, assess whether it is possible to export any metadata that must be retained beyond the life of a record to account for what was destroyed and when to a separate system. Take a risk-based approach in deciding how to proceed.

If yes, document how this requirement is supported by the business system.

If no, flag this as a gap and explore options for addressing this requirement. Take a risk-based approach in deciding which option is the most appropriate way to proceed.

Managing and maintaining records

Inclusion of this requirement ensures that unauthorised and accidental deletion of records in the business system is prevented. It also ensures the integrity of the business system.

Most importantly, the business system should not permit the removal or deletion of the metadata specified in requirement #9.

The system should be able to maintain a metadata profile over time - maintaining links to the record and accumulating process metadata for the record as events occur. The metadata should remain linked to the record even if the records are migrated out of the original system.

If yes, document how this requirement is supported by the business system.

If no, flag this as a gap and explore options for addressing this requirement. Take a risk-based approach in deciding which option is the most appropriate way to proceed.

This requirement ensures that actions are accountable and transparent.

The business system should have a mechanism to log and show events such as additions, alterations and deletions carried out on the record, date of the action and by whom.

In addition from an information security perspective, event logging increases the security of a system by improving the chances of detecting malicious behaviour.

If yes, document how this requirement is supported by the business system.

If no, flag this as a gap and explore options for addressing this requirement. Take a risk-based approach in deciding which option is the most appropriate way to proceed.

If yes, determine the information security classification of the records in the business system to ensure that appropriate security controls and permissions are in place.

Check the NSW Government Digital Information Security Policy and NSW Government Information Classification, Labelling and Handling Guidelines for more information.

If no, identify what processes are in place or will be needed to ensure that only authorised users have access to the system.

Migration and interoperability

Most business systems have the ability to export records to another system or to an external medium, e.g. a disk or hard drive. However, this requirement is also about the maintenance or preservation of the quality and integrity of the records exported.

We recommend that this requirement be looked at closely during implementation to ensure that quality control mechanisms are in place to ensure that when needed, records and associated metadata can be exported with nil or minimal loss (e.g if the system is decommissioned or the records are required as State archives).  

To do this, agencies have to define and set their quality criteria for exported records and associated metadata.

Some change to look and feel of the records may be permitted. 

If the organisation has a need to share the data as part of open data or other initiatives, the capacity to export manipulable data is important.

If yes, document the export process or function.

If no, assess whether this functionality is required (e.g. records of long term value will likely need to be exported from the system when the system is decommissioned). Take a risk-based approach in deciding which option is the most appropriate way to proceed.

This requirement enables verification of the success or failure of the export process.

In addition, exceptions identified can then be resolved and documented.

Also, this requirement is useful for quality assurance purposes.

If yes, document how this requirement is supported by the business system.

If no, flag this as a gap and explore options for addressing this requirement. Take a risk-based approach in deciding which option is the most appropriate way to proceed.

Retention and disposal of records as required

Controlled disposal or deletion of records in business systems means:

• records are destroyed in accordance with an authorised retention and disposal authority
• business system is able to calculate disposal due dates from relevant triggers
• records subject for deletion undergo an approval process before deletion
• deletion of records is carried out effectively
• deletion or disposal schedule of records can be delayed or amended when there is a legal requirement to do so.

If yes, document how this requirement is supported by the business system.

If no, this requirement may still be adequately addressed by manually mapping the appropriate disposal class/es and having a business process and policy / rules on disposal of records created or received by the business system.

The deletion of any records in the business system must be captured or recorded in the audit log.

The business system must automatically capture the following:

• unique ID of records and information deleted
  • date and time of deletion
• actions done by (optional).

If yes, document how this requirement is supported by the business system.

If no, this requirement may still be adequately addressed by having a business process and rules on disposal of records in the business system.