State Records NSW recognises the challenges of managing vast quantities of records, information and data in the current environment of increased cyber risks and an ever-changing technology landscape.
The minimum compliance requirements 2.2 and 2.3 of the Standard on Records Management direct public offices to strategically focus on high-value and high-risk areas of business. These requirements ensure that:
- records, information and data required as State archives and/or of high-value and high-risk are prioritised, protected and managed
- records and information management is a designed component of the most valuable and critical information and systems
- records and information management strategies and initiatives align with the organisation’s critical business priorities
- resources (time, money and staff) invested/allocated are proportionate to the business value of the records, information and data.
This approach to identifying and prioritising records of high-value and high-risk also matches up with the approaches taken by cyber security to protect the most critical information assets of the organisation.
Back to topDefining high-value and high-risk (HVHR) records, information and data
High-value records, information and data are assets that enable organisations to:
- undertake and continue their functions
- provide service to clients
- respond to Royal commissions, inquiries, audits, investigation and legal issues.
A small percentage of high-value records have continuing value to the State and the people of NSW and are required as State archives. (Please consult relevant retention and disposal authorities for information on assets required to be retained as State archives).
High-risk records, information and data are those assets that:
- are created or received in high-risk areas of the business, or high-risk business processes or functions
- pose a significant risk to the organisation if they were misused, released inappropriately or inappropriately accessed and altered, lost, damaged or destroyed prematurely.
While high-risk records and information must be managed with the same care as high-value records for the duration they are required, high-risk records and information may not necessarily have lengthy retention periods.
Back to topIdentifying HVHR records, information and data
High-value and high-risk records, information and data are usually created or received in areas or functions involving:
- core and statutory function/s of the organisation
- significant investment by NSW Government or major contributions to the NSW economy
- direct contact with individuals (for example, a regulatory, enforcement, health or welfare activity where there may be dispute)
- development of policy or service which impacts on individuals and communities or their rights and entitlements
- management of natural resources, places of cultural significance, the protection and security of the state or infrastructure in NSW
- processes that are open to corruption or have the potential for corrupt behaviour
- major programs of international/national/state significance
- collection and use of personal information and health information (as defined by the Privacy and Personal Information Protection Act 1998 and the Health Records and Information Privacy Act 2002)
- policies, decisions, or services which are subject to close scrutiny by the public, media or oversight bodies.
Examples of HVHR records, information and data
The examples below are selected for illustration purposes only. Please note that the business value and risk to records, information and data can change over time depending on the organisation’s context.
| Information Assets | Category | Additional information |
|---|---|---|
| Enterprise data sets managed by the organisation | High-value |
Data sets which are mandated and used for performance reporting are of high-value as they inform decision making, in program analysis and evaluation, and in research. Please note that the value of data sets is subjective and may change over time depending on the organisation’s context, its intended use, data quality, etc. |
| Scanned ID documents used for verification purposes | High-risk |
These are considered supporting documentation and are of low value as soon as the verification has been completed. Records, information and data which contain personal information are generally considered of high-risk as they pose specific risks to individuals, such as, identity theft or fraud, reputational damage, loss of confidentiality or financial loss. |
| Briefing notes to ministers in relation to portfolio programs | High-value and high-risk |
These records are of continuing value to the State and are required as State archives as they are advice about substantive aspects of a major program, service delivery, legislation, etc. These records are considered high-risk as they document decisions that may be subject to public or media scrutiny. |
| Patient records and information in clinical information systems | High-value and high-risk |
These records are of high-value as they relate to core function of provision of health care to patients and clients. These records are of high-risk as they pose specific risks to individuals. Clinical information systems are usually considered high-risk as it would have a huge impact on the organisation if access to the systems were lost or compromised. |
| Client case management records | High-value and high-risk |
These records are of high-value as they document direct contact with individuals and may relate to specific or core services, or individual rights or entitlements. These records are of high-risk as they contain personal, sensitive and/or confidential information and pose specific risks to individuals. |
| Records applied with dissemination limiting markers (DLM) or security classification | High-risk |
These records may be assessed as high-risk depending on the value, importance or sensitivity of information they contain, and the potential damage to government, national interests, organisations or individuals, that would arise if the information’s confidentiality was compromised. |
| Budget records and information |
High-value and high-risk |
These records are high-value as they contain the budget decisions of the State. These are considered high-risk due to their confidentiality and potential consequences of leakage. |
| Council meeting minutes | High-value and high-risk |
These records are high-value as they document significant decisions that have a far-reaching impact on communities and are therefore required as State archives. A local council meeting is a high-risk activity as it enables transparency and scrutiny, or direct participation from members of the community. Also, the loss of public access to council meeting minutes may have potential consequences to the well-being of the community. |
| Financial and human resource records | High-value and high-risk |
These records are high-value as they are essential to the continued operations of the organisation. These records are considered high-risk as they relate to processes where they may be open for corruption or fraud. The digital format of these records is usually considered high-risk for cyber-attacks. |
Approaches to determining HVHR records, information and data
There are various ways of determining HVHR records, information and data.
- Conduct a desktop review and analysis of current documentation. Examples of documentation to review include:
- retention and disposal authorities (records required as State archives and those records with 30+ years retention periods are HVHR)
- risk-related records such as corporate risk registers, business continuity plans, ICT incident management plans or business impact analysis reports
- cyber security attestation or information security planning
- responses to audit, inquiries or litigation
- systems audit or IT asset inventories
- information asset registers
- open data planning, reporting, and data sharing agreements
- privacy impact assessments
- GIPAA review or investigation reports
- annual reports, including internal and external audit reports
- reports of incidents or complaints, including findings and recommendations which may have been publicised.
- Engage staff within the organisation to understand core functions, services, and business processes. Business owners should be engaged to assess and classify assets based on business risk. Specifically, consult with the organisation’s
- audit and risk committee or risk manager
- cyber and information security officer (CISO) or team
- business managers of areas under transition/change or implementing new policies, new processes and new systems or apps
- business managers of areas where they collect, use or store personal information
- other stakeholders such as internal audit team or officer.
- Use various techniques to gather and analyse information such as:
- surveys
- brainstorming exercises or focus group discussions
- strengths, weaknesses, opportunities and threats (SWOT) analysis
- business impact analysis
- bow tie analysis
- cost benefit analysis
- cause-consequence analysis, etc.
Tips for managing HVHR records, information and data
1. Develop an understanding of the organisational context
This includes:
- gathering information about the organisation using the sources mentioned above
- identifying and analysing recordkeeping requirements
- consulting or collaborating with business units to identify and determine what records, information and data are needed to support core functions and services. This includes identifying any impacts resulting from business disruptions and/or from risks to records, information and data.
2. List the organisation’s records, information and data as information assets
Having this list enables:
- identification of HVHR records, information and data
- identification and assessment of information assets that pose significant risk
- identification of people and positions that are responsible for particular information assets
- compliance with minimum compliance requirements 2.2 and 2.3 of the Standard on records management. Please note a complete, single view of HVHR information assets is one of the indicators used in Q1 of the Records Management Assessment Tool (RMAT).
For each asset, consider the following information:
- size and scope of the records and information held
- size and scope of the system
- the software and hardware critical for the maintenance of the asset
- any dependency on other records/information assets
- format of the records - if paper, include volume and storage information; if digital, include title or name of the data set or file, description, modification date, license and file format
- business owner and users of the system
- policies and processes that govern them, including statutory and regulatory obligations
- business value
- retention periods, including records required as State archives
- level of criticality of the business activities that the system supports, i.e., the potential impact of an interruption to critical business operations.
Here is a standard information asset register template.
3. Apply the organisation’s risk management framework to assess and mitigate risks to HVHR records, information and data
Use the NSW Risk management toolkit to develop and implement a risk management framework over HVHR records, information and data. Risks to HVHR records, information and data may include:
- loss or reduction in ability to access records due to technological obsolescence, system migrations, disaster, corruption of information, or machinery of government change and administrative change
- unauthorised access leading to deletion, unauthorised manipulation or disclosure of sensitive information due to outdated or ambiguous policies and procedures
- loss of government information, corporate memory and/or documentary heritage of NSW.
Risk assessment examples
Below are examples of risk assessment for HVHR records, information and data. The risks and causes identified, including mitigation activities are selected for illustration purposes only. The risk likelihood and impact depend on the organisation’s context.
| Information assets | Risk | Cause | Mitigation activities |
|---|---|---|---|
| Enterprise data sets shared by the organisation | Unauthorised access or disclosure of information | Outdated or ambiguous policies and procedures, or due to machinery of government (MOG) changes |
Use a standard MOU agreement. Implement a consistent, agreed approach to data sharing. Review default access provisions applied to data sets when MOG changes happens. |
| Patient records & information in clinical information systems | Loss of access | System outage or unstable platform |
Put controls in place and regularly monitor to mitigate the threat or risk, and perform risk analysis as required. Perform regular system health checks, including backup systems. |
|
Briefing notes to ministers in relation to portfolio programs |
Failure to locate and retrieve within scheduled time frames | Multiple content repositories |
Put processes and systems in place to enable comprehensive search functionality to simplify retrieval operations. Implement a consistent procedure in managing briefing notes, including where they are stored. |
| Records applied with DLMs or security classification | Information leak, unauthorised access or disclosure of information | Outdated system or human error |
Put controls in place and regularly monitor to mitigate the threat or risk. Implement cyber security education for staff, including information classification, labelling and handling. |
|
Scanned ID documents used for verification purposes |
Information leak, unauthorised access or disclosure of information |
Outdated or ambiguous policies and procedures |
Review current procedures and assess whether there is a need to have a scanned copy of ID documents. If there is an identified need, put controls in place and regularly monitor to mitigate the risk. Update policies and procedures to mitigate or eliminate this risk (Check FAQs: Recordkeeping and personal information). |
| Budget records and information | Information leak and misuse of information | Outdated system or human error |
Put controls in place and regularly monitor to mitigate the threat or risk. Implement cyber security education for staff, including information classification, labelling and handling. |
| Council meeting minutes posted on the website | Loss of access | System outage | Put controls in place and regularly monitor to mitigate the threat or risk. |
| Client case management records | Loss of information |
Natural disasters |
Put controls in place and regularly monitor to mitigate the risk. For physical formats, read our guidance Solutions for Storage | NSW State Archives for more information. For digital, regularly monitor current disaster recovery/incident management processes, procedures and systems. |
4. Collaborate with the CISO and cybersecurity team and/or relevant teams or committees
Collaborate with relevant teams to ensure that all HVHR records, information and data, both hard copy and digital, are included or classified as ‘crown jewels.’ Including HVHR records in the organisation’s list of crown jewels is a step towards prioritising its management and security.
5. Develop and implement a plan for short-term, mid-term or long-term management of HVHR records, information and data
The plan should consider:
- information management needs or requirements of high-risk areas or functions
- robust migration and export strategies to sustain records and information through system and service transitions
- the metadata which makes that information understandable and authoritative
- the eventual transfer of State archives to the NSW State Archives Collection.
Further information
- NSW Risk management toolkit
- IEC 31010:2019 Risk management — Risk assessment techniques
- NSW Data governance toolkit
- NSW Information management framework
Published February 2015 / Updated January 2022
Back to top