Records, information and data risks (information risks) can occur at any stage. These risks are a combination of threats and vulnerabilities that may have a negative or positive impact on the trustworthiness and availability of records, information and data. Understanding risk is therefore critical in managing core records, information and data. 


Types of information risks

Risks public offices need to consider in managing records, information and data (information assets) relate to:

  • reliability and integrity  
  • accessibility and retrieval
  • safe custody
  • retention
  • ownership.

Examples of information risks

Below are risk events or scenarios for different types of information risks that organisations may encounter.

Please note that the risks, causes and mitigation activities/controls listed are selected for illustration purposes only. The likelihood of the risks occurring, their underlying causes and the method(s) for responding is dependent on the operating environments of individual organisations. 

Refer to Identifying and managing high-value and high-risk records, information and data for examples of high-risk records.
 

Reliability and integrity

Risk event/scenario: Poor quality information and data not "fit for purpose"

Causes (threats and vulnerabilities):

  • duplication and inconsistencies following the migration, importation or merging of information and data
  • omitted information or data
  • typographical errors (e.g. spelling, values)
  • obsolete information or data.

Possible mitigation activities/controls:

  • business rules and procedures created for data entry quality control
  • use of encoding schemes for data requiring manual entry
  • adequate monitoring
  • use of data cleaning software tools to detect and correct problems in database records.

Cause (threat or vulnerability): metadata incorrect, or the minimum metadata required not captured in full.

Possible mitigation activities/controls:

  • minimum metadata requirements identified and included in planning, procurement and migration decision making; additional metadata that supports organisational recordkeeping, along with business and legal requirements, should also be identified
  • use of encoding schemes for metadata requiring manual entry.

Risk event/scenario: Poor image quality of digitised records (e.g. documents and photos)

Cause (threat or vulnerability): the digital surrogate does not possess the essential characteristics of the original record. Essential characteristics are the elements of a record that need to be reproduced for the record to retain its meaning and/or evidential value.

Possible mitigation activities/controls: defining image quality requirements through the implementation of benchmarks (e.g. technical specifications), and checking digitised output against them before the originals are disposed of.

Risk event/scenario: Unauthorised alteration of information and data by staff or third parties (e.g. sub-contractors of the cloud provider, or external attackers)

Causes (threats and vulnerabilities):

  • personal/financial gain in altering data
  • disgruntled employee
  • inappropriate security settings and/or user permissions.

Possible mitigation activities/controls:

  • information security and protection mechanisms in place that reflect the risk and value of the information assets (e.g. event logs that track access and usage, held where the users they record cannot alter them)
  • user permissions reflect individual staff members' positions and responsibilities, and are reviewed when staff change roles or leave
  • information assets backed up along with their metadata, with the backups protected separately from the live system so that an alteration cannot be replicated into them.
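The reliability and integrity controls above (detecting duplication, omissions and alteration after a migration, and checking that minimum metadata is captured) are usually implemented as a fixity check: a manifest of content digests and metadata completeness is taken before and after the move and the two are compared. The following is an added worked example, not code from the original guidance. The record structure (an identifier, content bytes and a metadata dictionary), the minimum metadata set and the sample records are all constructed assumptions for illustration.

```python
"""Fixity and metadata completeness check for a records migration.

Added example (not from the original guidance). Sample records are
constructed inline; the record structure (id, content bytes, metadata
dict) and the minimum metadata set are assumptions for illustration.
"""
import hashlib
from collections import defaultdict

# Assumed minimum metadata elements a public office requires on each record.
REQUIRED_METADATA = ("title", "creator", "date_created", "disposal_class")


def sha256_hex(content: bytes) -> str:
    """Content fixity value; any change to the bytes changes the digest."""
    return hashlib.sha256(content).hexdigest()


def build_manifest(records, required=REQUIRED_METADATA):
    """Map record id -> {"digest", "missing_metadata"} for a repository snapshot."""
    manifest = {}
    for rec in records:
        missing = [k for k in required if not rec.get("metadata", {}).get(k)]
        manifest[rec["id"]] = {
            "digest": sha256_hex(rec["content"]),
            "missing_metadata": missing,
        }
    return manifest


def compare_manifests(source, target):
    """Compare a pre-migration manifest against a post-migration one.

    Returns the integrity failures the guidance lists (omitted, altered and
    duplicated records) plus records whose minimum metadata is incomplete.
    """
    omitted = sorted(rid for rid in source if rid not in target)
    altered = sorted(
        rid for rid in source
        if rid in target and target[rid]["digest"] != source[rid]["digest"]
    )
    by_digest = defaultdict(list)
    for rid, entry in target.items():
        by_digest[entry["digest"]].append(rid)
    duplicated = sorted(
        tuple(sorted(ids)) for ids in by_digest.values() if len(ids) > 1
    )
    incomplete = sorted(
        rid for rid, entry in target.items() if entry["missing_metadata"]
    )
    return {
        "omitted": omitted,
        "altered": altered,
        "duplicated": duplicated,
        "incomplete_metadata": incomplete,
    }


# Constructed sample data: a source system and the result of migrating it.
SOURCE_RECORDS = [
    {"id": "R-001", "content": b"Minutes of meeting 1",
     "metadata": {"title": "Minutes 1", "creator": "Secretariat",
                  "date_created": "2021-03-01", "disposal_class": "1.2.3"}},
    {"id": "R-002", "content": b"Contract with vendor",
     "metadata": {"title": "Contract", "creator": "Procurement",
                  "date_created": "2021-04-10", "disposal_class": "4.5.6"}},
    {"id": "R-003", "content": b"Incident report",
     "metadata": {"title": "Incident", "creator": "Ops",
                  "date_created": "2021-05-02", "disposal_class": "7.8.9"}},
]

TARGET_RECORDS = [
    # R-001 arrived intact but lost its disposal class during import.
    {"id": "R-001", "content": b"Minutes of meeting 1",
     "metadata": {"title": "Minutes 1", "creator": "Secretariat",
                  "date_created": "2021-03-01"}},
    # R-002 was altered in transit (or by someone with write access).
    {"id": "R-002", "content": b"Contract with vendor (amended)",
     "metadata": SOURCE_RECORDS[1]["metadata"]},
    # The altered R-002 was also imported a second time under a new id.
    {"id": "R-004", "content": b"Contract with vendor (amended)",
     "metadata": SOURCE_RECORDS[1]["metadata"]},
    # R-003 was omitted entirely.
]


def migration_report():
    """Run the comparison on the constructed sample and return the findings."""
    return compare_manifests(build_manifest(SOURCE_RECORDS),
                             build_manifest(TARGET_RECORDS))


if __name__ == "__main__":
    for finding, items in migration_report().items():
        print(f"{finding}: {items}")
```

The source manifest should be generated and stored before the migration starts, by a process that the migration tooling and its operators cannot write to; otherwise an alteration made during the move is invisible to the comparison. The same manifest doubles as a baseline for later integrity checks against the unauthorised alteration risk above.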

Accessibility and retrieval

Risk event/scenario: Failure to locate and retrieve information assets

Cause (threat or vulnerability): staff poorly trained in performing complex searches (e.g. using Boolean operators, relational expressions and wildcard symbols).

Possible mitigation activities/controls: training staff in performing simple and advanced searches in business systems.

Cause (threat or vulnerability): staff unfamiliar with the available systems, databases and other repositories.

Possible mitigation activities/controls: providing an information pack listing the systems used by individual business units and by the organisation.

Cause (threat or vulnerability): poorly organised or inadequately indexed repositories, including:

  • no structured file plan for grouping related information assets
  • creation of duplicate folders due to inadequate labelling practices
  • use of miscellaneous folders
  • boxes of physical records sent to storage without their contents being listed
  • misfiling of records.

Possible mitigation activities/controls:

  • business classification scheme (BCS) developed for grouping related information assets
  • development of naming conventions
  • migration of electronic information assets to a controlled system (e.g. an electronic document and records management system (EDRMS))
  • implementation of controls for records in accordance with the Standard on records management and the Standard on the physical storage of State records
  • adoption of document indexing methods, such as computerised full-text indexing (generating index entries from the content of records and documents, e.g. nouns and other significant words) and an approved thesaurus
  • use of federated search technologies to simplify search and retrieval across multiple repositories.

Risk event/scenario: Unauthorised access to non-public information (e.g. personal information or confidential/sensitive business information)

Causes (threats and vulnerabilities):

  • organisation not aware of information-disclosure restrictions under the Health Records and Information Privacy Act 2002, the Privacy and Personal Information Protection Act 1998 and the Data Sharing (Government Sector) Act 2015
  • incorrect interpretation of laws and regulations (e.g. the Government Information (Public Access) Act 2009) when disclosing confidential/sensitive business information.

Possible mitigation activities/controls:

  • allocation of responsibility for identifying and interpreting regulatory requirements that prohibit information disclosure
  • creation of policies and business rules on the disclosure requirements for non-public information, including responsibility for managing the process.

Cause (threat or vulnerability): unintentional non-compliance by staff due to a lack of training/education around requirements.

Possible mitigation activities/controls: staff educated/trained in managing personal information and confidential/sensitive business information.

Cause (threat or vulnerability): inadequate security infrastructure.

Possible mitigation activities/controls: establish an information security governance framework, in collaboration with ICT, to ensure appropriate policies, procedures and monitoring are in place to prevent data and information breaches.

Cause (threat or vulnerability): unlawful collection of personal information not directly related to the organisation's activities.

Possible mitigation activities/controls: creation of policies and business rules on the collection of personal information (e.g. making a notation that personal information/documents have been sighted rather than keeping a copy).

Risk event/scenario: Information assets unretrievable from cloud-hosted storage

Causes (threats and vulnerabilities):

  • organisation not aware of legal requirements for the cross-border transfer and storage of information assets
  • a cloud service provider may suspend an organisation's account due to delinquency, suspected infringement of another organisation's intellectual property, or a breach of the terms of service
  • service provider goes out of business or is taken over.

Possible mitigation activities/controls:

  • use the cloud computing checklist to identify areas where risks may eventuate
  • allocation of responsibility for identifying, analysing and interpreting both local laws and regulations (including the General authority for transferring records out of NSW for storage with or maintenance by service providers based outside of the State (GA35)) and those of the jurisdiction the information assets will be stored in
  • adequate contractual control, including but not limited to: NSW laws apply to the contract/agreement; ownership remains with the State; and return of information assets, including metadata, to the public office when requested, on termination of the contract, or if the provider goes out of business/is taken over
  • adequate monitoring, including periodic test retrievals so that the return path is known to work before it is needed.

Risk event/scenario: Accessibility of equipment/technology-dependent information assets not sustained

Causes (threats and vulnerabilities):

  • degradation or discontinuation/obsolescence of analogue and electronic storage media (e.g. microfiche and hard drives respectively)
  • discontinuation/obsolescence of compatible software and hardware that can read information and data on specific storage media or in a particular file format.

Possible mitigation activities/controls:

  • implementation of a preservation program/strategy to ensure information assets remain accessible for as long as they are required
  • determination of information and data migration frequency based on the retention requirements of individual classes of information assets
  • electronic information assets saved in sustainable formats (e.g. PDF/A).

Cause (threat or vulnerability): information assets unable to be opened and read/viewed due to format conversion errors.

Possible mitigation activities/controls: use of file conversion software to preserve the readability of digital content over time, with converted copies checked against the essential characteristics of the original before the original format is abandoned.

Safe custody

Risk event/scenario: Storage of physical records in poor environmental conditions

Causes (threats and vulnerabilities):

  • exposure to contaminants (e.g. mould) and to high or fluctuating temperatures
  • presence of vermin
  • incidents of water incursion
  • facility/repository located near man-made hazards (e.g. heavy atmospheric pollution and hazardous industries)
  • inadequate or no storage equipment used (e.g. shelving, boxes).

Possible mitigation activities/controls:

  • compliance with the Standard on the physical storage of State records
  • educating staff in the proper management/storage of physical records.

Risk event/scenario: Loss or damage to information assets due to natural disaster

Causes (threats and vulnerabilities): flooding, bushfire, landslide, tornado, earthquake.

Possible mitigation activities/controls:

  • having an up-to-date and tested disaster and counter-disaster plan in accordance with the Standard on records management and the Standard on the physical storage of State records
  • relocation of physical records and infrastructure if located in known disaster-prone areas
  • back-up copies made of high-value records and held at a separate location, so that one event cannot destroy both the original and the copy.

Risk event/scenario: Loss of information assets during the decommissioning of systems

Causes (threats and vulnerabilities):

  • technology obsolescence (e.g. systems at end-of-life)
  • format obsolescence for text, images, videos, databases, websites, etc.
  • metadata not captured in full when transferred to the new business system.

Possible mitigation activities/controls:

  • decommissioning planning (in regard to records and information management requirements) is part of the standard project methodology in the acquisition and development of new systems (see the system design and implementation guidance)
  • use of sustainable file formats
  • identifying and disposing of information assets that are due for destruction, with the required authorisation, prior to the system being decommissioned.

Risk event/scenario: Data stolen

Causes (threats and vulnerabilities):

  • security patching out-of-date, or inadequate security infrastructure
  • outdated computer systems and applications
  • staff opening suspicious emails or clicking on suspicious links or attachments
  • malicious cyber attacks (e.g. phishing emails, malware).

Possible mitigation activities/controls:

  • operating systems and applications kept up-to-date with the latest security patches (this closes known vulnerabilities; it does not on its own address phishing, which the training control below targets)
  • implementation of firewalls
  • records and information management teams working in collaboration with IT in the management of security-classified records, or sensitive records that require additional controls
  • establishing and managing disposal programs to ensure that records and information are destroyed according to the relevant retention and disposal authorities, which also reduces the volume of information exposed if a breach does occur
  • rolling cyber security training provided to new and existing staff
  • refer to Digital NSW's cyber security resources for further information.

Risk event/scenario: Accidental loss of information assets

Causes (threats and vulnerabilities):

  • unintentionally overwriting information and data during editing
  • damage to records (e.g. spilling liquids on physical records)
  • losing external hard drives and physical records that have been removed from the office.

Possible mitigation activities/controls:

  • review the records processes of the business units where the loss has occurred
  • editing information and data within an EDRMS where possible, so that earlier versions are retained
  • real-time back-up of files
  • education or retraining of staff in the appropriate management/handling of information assets.

Risk event/scenario: Loss of information assets due to media instability

Causes (threats and vulnerabilities):

  • damage in use (unstable working copies)
  • long-term information and data kept on paper.

Possible mitigation activities/controls:

  • creation of policies and business rules aligned with the Standard on records management and the Standard on the physical storage of State records
  • purchase of high-quality electronic storage media, paper, photographic film, etc. that conforms to the specifications in the relevant international standards
  • prior to use, storage of electronic storage media, paper and photographic film under the temperature and humidity conditions specified by the manufacturer.

Retention

Risk event/scenario: Over-retention of information assets containing personal information

Causes (threats and vulnerabilities):

  • ad hoc/irregular disposal of high-risk information assets that are due for destruction
  • lack of planning and management in undertaking disposal activities.

Possible mitigation activities/controls:

  • implementation of a regular program of records disposal (destruction, and transfer of records to the State Archives Collection)
  • routine destruction of time-expired records containing personal information, unless there is a business need to retain the records longer (e.g. an actual or pending legal matter).

Risk event/scenario: Under-retention of information assets

Cause (threat or vulnerability): organisation not aware of all applicable recordkeeping requirements, due to, for example, incorrect interpretation of record retention requirements or no in-house records management staff.

Possible mitigation activities/controls: allocation of responsibility, either internal (another qualified employee) or external (records management consultants, legal researchers or compliance specialists), for identifying, analysing and interpreting the applicable laws and regulations.

Cause (threat or vulnerability): poorly designed systems or processes not mapped or aligned to the relevant retention requirements.

Possible mitigation activities/controls: systems designed and managed in compliance with the legal and regulatory requirements that apply to the business documented within them; system compliance should be regularly monitored and assessed.

Cause (threat or vulnerability): disposal classes linked to the organisation's business classification scheme (BCS) are out-of-date.

Possible mitigation activities/controls: scheduled reviews of the organisation's BCS to ensure the linked record retention schedules accurately reflect legal and regulatory requirements.

Cause (threat or vulnerability): disposal coverage of the organisation's core functions does not exist.

Possible mitigation activities/controls: creation or review of a functional retention and disposal authority to ensure appropriate coverage.

Cause (threat or vulnerability): staff/business units not aware of, or not up-to-date with, their individual recordkeeping requirements.

Possible mitigation activities/controls:

  • creation and implementation of an education strategy to inform staff of their recordkeeping requirements in line with their business processes
  • scheduling of ongoing compliance monitoring, including implementation of an escalation pathway for non-compliance.

Cause (threat or vulnerability): public expectations that particular classes of records be retained past the minimum retention requirements.

Possible mitigation activities/controls:

  • well governed and documented disposal processes
  • review of the relevant functional retention and disposal authorities.

Risk event/scenario: Disposal of records that are subject to current/pending legal proceedings, an application for access under the Government Information (Public Access) Act 2009, or a Government policy or directive that they not be destroyed

Cause (threat or vulnerability): failure by the organisation to anticipate proceedings before the lawful disposal of records.

Possible mitigation activities/controls: implementation of a process which identifies pre-litigation triggers for when holds need to be placed (e.g. the severity of a complaint).

Causes (threats and vulnerabilities):

  • lack of a formal process for notifying business areas to place a hold on disposal
  • no follow-up with business areas to confirm the notification was received and understood
  • periodic reminders not issued to business areas when there are long holds on disposal.

Possible mitigation activities/controls: development of policies, business rules and procedures to create formal notification and follow-up processes, including confirmation that a hold has actually been applied in the system that performs the destruction.

Cause (threat or vulnerability): information assets held across multiple known and unknown repositories.

Possible mitigation activities/controls: create a register of business systems, so that a hold can be applied to every repository holding the affected records.
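The retention risks above (over-retention, under-retention, and destruction of records that are under a legal, access or policy hold) come down to one decision that a disposal program has to make per record: is it due for destruction under its disposal class, and if so, is anything blocking that destruction today? The following is an added worked example, not code from the original guidance, showing that decision as a checkable function. The retention and disposal authority, the hold register, the one-year over-retention threshold and the sample records are all constructed assumptions; a public office would draw them from its approved authority, its hold register and its register of business systems.

```python
"""Disposal eligibility check with legal/access/policy holds.

Added example (not from the original guidance). The authority, hold
register, grace period and records below are constructed for illustration.
"""
from datetime import date

# Assumed retention and disposal authority: disposal class -> (trigger, years).
# 'trigger' names the record date from which the retention period is counted.
AUTHORITY = {
    "1.2.3": ("date_closed", 7),
    "4.5.6": ("date_closed", 12),
    "7.8.9": ("date_created", 3),
}

# Assumed threshold: a record due longer than this and still not destroyed
# is reported as over-retained (the guidance's "ad hoc/irregular disposal").
OVER_RETENTION_GRACE_DAYS = 365


def add_years(d: date, years: int) -> date:
    """Add calendar years, clamping 29 February to 28 February when needed."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def active_holds(record, holds, today):
    """Reasons that block destruction of this record on the given day."""
    reasons = []
    for hold in holds:
        lifted = hold.get("lifted")
        if lifted is not None and lifted <= today:
            continue  # hold has been lifted
        if record["id"] in hold["record_ids"]:
            reasons.append(hold["reason"])
    return reasons


def assess_disposal(records, holds, today, authority=AUTHORITY):
    """Sort records into the outcomes a disposal program has to act on.

    destroy       due under the authority and not held: may be destroyed
    held          due, but a hold blocks destruction (with the reasons)
    not_due       retention period not yet expired, or not yet triggered
    no_coverage   disposal class unknown to the authority: needs review,
                  never destruction
    over_retained subset of 'destroy' that has been due for longer than
                  the grace period
    """
    result = {"destroy": [], "held": [], "not_due": [],
              "no_coverage": [], "over_retained": []}
    for rec in records:
        entry = authority.get(rec.get("disposal_class"))
        if entry is None:
            result["no_coverage"].append(rec["id"])
            continue
        trigger, years = entry
        trigger_date = rec.get(trigger)
        if trigger_date is None or today < add_years(trigger_date, years):
            result["not_due"].append(rec["id"])  # still open, or not yet due
            continue
        reasons = active_holds(rec, holds, today)
        if reasons:
            result["held"].append((rec["id"], reasons))
            continue
        result["destroy"].append(rec["id"])
        if (today - add_years(trigger_date, years)).days > OVER_RETENTION_GRACE_DAYS:
            result["over_retained"].append(rec["id"])
    return result


# Constructed sample data.
RECORDS = [
    {"id": "R-001", "disposal_class": "1.2.3", "date_closed": date(2014, 6, 30)},
    {"id": "R-002", "disposal_class": "4.5.6", "date_closed": date(2010, 1, 15)},
    {"id": "R-003", "disposal_class": "7.8.9", "date_created": date(2021, 5, 2)},
    {"id": "R-004", "disposal_class": "7.8.9", "date_created": date(2020, 3, 1)},
    {"id": "R-005", "disposal_class": "9.9.9", "date_closed": date(2001, 1, 1)},
    {"id": "R-006", "disposal_class": "1.2.3"},  # file still open
]

HOLDS = [
    {"reason": "GIPA access application", "record_ids": {"R-002"}, "lifted": None},
    {"reason": "legal proceedings", "record_ids": {"R-004"},
     "lifted": date(2023, 5, 1)},  # already lifted, no longer blocks R-004
]


def sample_assessment(today=date(2023, 9, 1)):
    """Run the check over the constructed sample as at the given date."""
    return assess_disposal(RECORDS, HOLDS, today)


if __name__ == "__main__":
    for outcome, items in sample_assessment().items():
        print(f"{outcome}: {items}")
```

Two design points carry the guidance's controls: a record whose class is not covered by the authority is routed to review rather than silently kept or destroyed, and a lifted hold is checked by date rather than deleted from the register, so the register remains evidence of what was held and when.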

Ownership

Risk event/scenario: Failure to maintain ownership over information assets hosted by a cloud service provider

Causes (threats and vulnerabilities):

  • organisation not aware of legal requirements for the cross-border transfer and storage of information assets
  • service provider or external party claims ownership and control over information assets.

Possible mitigation activities/controls:

  • allocation of responsibility for identifying, analysing and interpreting both local laws and regulations (including the General authority for transferring records out of NSW for storage with or maintenance by service providers based outside of the State (GA35)) and those of the jurisdiction the information assets will be stored in
  • use the cloud computing checklist to identify areas where risks may eventuate
  • adequate contractual control, including but not limited to: NSW laws apply to the contract/agreement; ownership remains with the State; and return of information assets, including metadata, to the public office when requested, on termination of the contract, or if the provider goes out of business/is taken over
  • adequate monitoring.

Risk event/scenario: Claim of ownership over information assets by employees, non-employees (contractors, consultants, outsourced employees, etc.) or volunteers

Causes (threats and vulnerabilities):

  • organisation not aware of, or incorrectly interprets, "work-for-hire" laws and regulations
  • contractual terms and conditions do not address, or do not adequately address, ownership of information assets regardless of format or media.

Possible mitigation activities/controls:

  • allocation of responsibility for identifying, analysing and interpreting "work-for-hire" laws and regulations
  • use of contracts/agreements with clauses clearly stating that any information assets created as part of assigned duties, or commissioned, are the organisation's property.

Have any anecdotes regarding information risks your organisation has encountered? If so, we would like to hear from you. As part of building the above tables, we are after “real world” examples of risks public offices have identified and managed. Examples posted can remain anonymous if preferred. 

Please email submissions to govrec@nsw.gov.au.
 


Assessing risks

In developing strategies to manage information risks, a risk assessment needs to be undertaken first. A risk assessment consists of the identification, analysis, and evaluation of risk to determine which risk scenarios/events are likely to occur and what their impact will be.
 

Where to start 

1. Identifying information risks

Review the organisation’s internal and external operating environments – including identifying the organisation’s recordkeeping requirements, records processes and systems and high-risk areas – to determine causes of information risks.

Considerations in establishing the internal and external operating environments include:

Internal operating environment

  • the organisation's structure, history and culture
  • core functions and activities
  • policies, procedures, processes (in particular, processes for creating, capturing and managing records)
  • organisational changes (restructures, areas under transition/change or implementing new policies and processes)
  • staff (level of records training provided, apathy to information asset management)
  • the IT environment and its maturity (particularly the software and hardware critical in maintaining information assets)
  • the organisation's risk appetite for various types and classes of risk.

External operating environment

  • legal and regulatory environment
  • political (government priorities and machinery of government changes)
  • community expectations
  • IT environment (e.g. technological obsolescence, increasing cyber security threats).

 

2. Assessing identified risks

Undertake a risk assessment either through formal risk management activities or as part of normal business activities such as:

  • when new business processes or activities are introduced or updated
  • in undertaking compliance activities (e.g. implementation of requirements from the Standard on records management and Standard on the physical storage of State records)
  • during incidents or complaints involving recordkeeping practice
  • routine team meetings
  • operational planning sessions
  • implementing or decommissioning services or systems.

Consult with those responsible in the organisation for risk management (e.g. risk manager, internal audit team, audit and risk committee) to determine whether the risk assessment activity being undertaken needs to be consistent with and linked to the organisation’s risk management framework.

Refer to NSW Treasury’s whole-of-government risk management toolkit for detailed guidance on how to conduct a risk assessment.
 

3. Devising risk statements

  1. Develop a clear risk statement for each risk, so that it can be effectively communicated and understood by all relevant stakeholders. For each risk identified, articulate:

  • the event that will have an effect on information assets
  • the cause or causes of the risk
  • its consequences.

For example: [the event that will have an effect on information assets] caused by [cause/s] resulting in [consequence/s].

  2. Document the identified risks in a risk register. Depending on the size of the organisation, a hierarchy of risk registers may exist (e.g. an organisation-wide register for high-level risks down to registers for individual business units). Consider developing a register for all information risks within the organisation, if appropriate.

  3. Update the organisation's information asset register, where applicable, with the information gathered during the risk assessment.

  4. Update the registers as risks are reviewed.

 

Acknowledgement

NSW State Archives and Records would like to acknowledge the use of William Saffady’s Managing Information Risks (Rowman & Littlefield, 2020) in the development of this guidance.

Further resources

March 2022
