Standard on records management

Introduction

Records and information are at the core of government business and are core assets.

In NSW public offices, records and information help organisations plan for and achieve short and long term outcomes that are relevant and valuable to the community, business and government. Records and information:

drive collaboration and communications
preserve public knowledge for reference and reuse
provide the foundation for sustainable and effective products and services
outline responsibilities
support decision-making
document rights and entitlements
make up the corporate memory of an organisation
provide stakeholders with transparency around and accountability for government operations.

To support the benefits identified above records and information need to be:

trustworthy and managed accountably
readily accessible, understandable and useable
valued as critical to business operations
governed by appropriate risk management approaches
maintained to meet business, government and community purposes.

To achieve these outcomes, records and information must be supported by effective records and information management.

1.1 Purpose

This standard establishes the requirements for effective records and information management. It is designed to assist public offices discharge their obligations under Part 2 ‘Records management responsibilities’ and Part 3 ‘Protection of State records’ of the State Records Act 1998.

1.2 Authority of this standard

This standard is issued under section 13(1) of the State Records Act 1998 which enables the State Records Authority of NSW (‘NSW State Records’) to ‘approve standards and codes of best practice for records management by public offices’.

1.3 Who should use this standard

This standard applies to all public offices defined in section 3 of the State Records Act 1998, to which Part 2 of the Act applies.

1.4 Scope of this standard

This standard covers records and information in all formats, including both digital and physical records. It has been designed to support digital recordkeeping as the NSW Government transitions to digital business processes.

Underpinning this standard is the need to ensure that business is supported by sound records and information management practices. Importantly, the standard has been framed and targeted to support good information practices in complex business and information environments.

This standard refers to both records and information and establishes requirements for the holistic management of records and information. Taking this approach to the management of records and information better reflects the way in which most organisations now manage their information resources in an integrated manner.

This standard is the product of a process to consolidate and streamline requirements from the following standards:

Standard on full and accurate records
Standard on managing a records management program
Standard on digital recordkeeping
Standard on counter disaster strategies for records and recordkeeping systems
Standard on the appraisal and disposal of State records.

With the issue of this new standard, the above five standards have been revoked and are no longer in use. These older standards can be consulted on www.opengov.nsw.gov.au.

Public offices should consult the Standard on the physical storage of State records for requirements for the storage of non-digital records and counter disaster requirements applicable to non-digital records.

1.5 Benefits of using this standard

Applying this standard will assist public offices to:

create trustworthy, useful and accountable records and information in evolving business environments
ensure that meaningful, accurate, reliable and useable records and information are available whenever required for government business needs
sustain and secure the records and information needed to support short and long term business outcomes
enable the reliable sharing of relevant records and information
automate governance, sharing and continuity processes
minimise records and information volumes, preventing unnecessary digital and physical storage and management costs
proactively protect and manage the records and information that provide ongoing value to government business and to the community of NSW.

1.6 Structure

This standard sets out three principles for effective records and information management:

Organisations take responsibility for records and information management
Records and information management support business
Records and information are well managed

This standard also identifies the minimum compliance requirements that apply to each principle.

Each minimum compliance requirement is accompanied by a range of examples of how a public office can demonstrate compliance with the requirement. These examples can provide ‘evidence’ of meeting the requirement but may not be the only way that compliance can be demonstrated.

1.7 Further information

To assist NSW public offices implement this standard, NSW State Records has mapped the requirements of the standard to the guidance and training available from NSW State Records. The mapping is available at http://www.records.nsw.gov.au/recordkeeping.

Requirements in this standard build on requirements contained in a number of earlier standards issued by State Records NSW. State Records NSW has mapped the requirements of this standard to those of earlier standards. This mapping is available at www.records.nsw.gov.au/recordkeeping/rules/standards.

For more information on this standard, please contact State Records NSW or see www.records.nsw.gov.au/recordkeeping/rules/standards.

Principles

Principle 1: Organisations take responsibility for records and information management
Principle 2: Records and information management support business
Principle 3: Records and information are well managed

Principle 1: Organisations take responsibility for records and information management

To ensure records and information are able to support all corporate business operations, organisations should establish governance frameworks. These include:

policy directing how records and information shall be managed
assigning responsibilities
establishing provisions for records and information in outsourcing and service delivery arrangements
monitoring records and information management activities, systems and processes.

	Minimum compliance requirements	Examples of how a public office can demonstrate compliance with the requirement
1.1	Corporate records and information management is directed by policy and strategy.	Corporate policy on IM/RM adopted at Senior Executive level. Corporate strategy on IM/RM adopted at Senior Executive level.
1.2	Records and information management is the responsibility of senior management who provide direction and support for records and information management in accordance with business requirements and relevant laws and regulations.	Responsibility assigned in corporate policy on IM/RM Policy reflects Chief Executive's responsibility to ensure compliance with State Records Act (section 10).
1.3	Corporate responsibility for the oversight of records and information management is allocated to a designated individual (senior responsible officer).	Responsibility assigned in corporate policy on IM/RM. Responsibility assigned in individual performance plans. NSW State Archives and Records has been advised of the organisation's senior responsible officer.
1.4	Organisations have skilled records and information management staff or access to appropriate skills.	Responsibility assigned in corporate policy on IM/RM. Skills and capabilities reflected in relevant role descriptions. Responsibility assigned in performance plans and/or service agreements.
1.5	Responsibility for ensuring that records and information management is integrated into work processes, systems, and services is allocated to business owners and business units.	Responsibility assigned in corporate policy on IM/RM. Responsibility assigned in performance plans. Documentation identifies owners of systems. Responsibility for ensuring records and information management is included in systems and processes, is assigned to owners of systems.
1.6	Staff and contractors understand the records management responsibilities of their role, the need to make and keep records, and are familiar with the relevant policies and procedures.	Responsibility assigned in corporate policy on IM/RM. Skills, capabilities and responsibilities are reflected in relevant role descriptions and/or performance plans. Policy, business rules or procedures articulate/document staff requirements and responsibilities for the creation and management of records.
1.7	Records and information management responsibilities are identified and addressed in outsourced, cloud and similar service arrangements.	Responsibility included in corporate policy on IM/RM. Demonstrate that records and information management is assessed in outsourced and service contracts and instruments and included where required. Portability of records and information is assessed in outsourced, cloud and similar service arrangements.
1.8	Records and information management is monitored and reviewed to ensure that it is performed, accountable and meets business needs.	Documented monitoring of activities, systems and processes, and corrective actions undertaken to address issues.

Principle 2: Records and information management support business

The core role of records and information management is to ensure the creation, maintenance, useability and sustainability of the records and information needed for short and long term business operations.

By undertaking an assessment of records and information needs, public offices can define their key business information. Public offices should use this assessment to design records and information management into processes and systems. This will ensure that records and information support business operations and accountability requirements, and sustain records and information needed for the short and long term.

Taking a planned approach to records and information management means all operating environments are considered. It also means that the creation and management of records and information needed to support business are considered in all system and service arrangements.

	Minimum compliance requirements	Examples of how a public office can demonstrate compliance with the requirement
2.1	Records and information required to meet short and long term needs are identified.	Documented decisions, policy, business rules or procedures on what records and information are required to meet or support business and identified recordkeeping requirements, including accountability and community expectations. Current, comprehensive and authorised records retention and disposal authorities are in place. Decisions are documented or reflected in specifications for systems and metadata schema.
2.2	High risk and high value areas of business and the systems, records and information needed to support these business areas are identified.	Identify and document which systems hold high risk and/or high value records and information. Information risks are identified, managed or mitigated. Systems managing high risk and/or high value records and information are protected by business continuity strategies and plans. Documented policy, business rules and procedures for high risk and/or high value business processes include responsibilities for the creation and management of records and information.
2.3	Records and information management is a designed component of all systems and service environments where high risk and/or high value business is undertaken.	Evidence that records and information management is assessed in system acquisition, system maintenance and decommissioning, and implemented where required. Systems specifications for high risk and high value business include records and information management requirements. Systems specifications include requirements for metadata needed to support records identification, useability, accessibility, and context. Documentation of systems design and configuration maintained.
2.4	Records and information are managed across all operating environments.	Identify and document where records and information are held across diverse system environments or physical locations. Documented strategy for managing records and information in diverse system environments and physical locations.
2.5	Records and information management is designed to safeguard records and information with long term value.	Identify and document which systems hold records of identified or potential permanent or long term value. Identify and document where records of identified or potential permanent or long term value are located. Records and information are kept for as long as they are needed for business, legal requirements (including in accordance with current authorised records retention and disposal authorities), accountability, and community expectations. Decommissioning of systems takes into account retention and disposal requirements for records and information contained in the system.
2.6	Records and information are sustained through system and service transitions by strategies and processes specifically designed to support business and accountability.	Documented migration strategy. Migrating records and metadata from one system to another is a managed process which results in trustworthy and accessible records. Portability of records and information is assessed in cloud service or similar arrangements. Adequate system documentation is maintained.

Principle 3: Records and information are well managed

Effective management of records and information underpins trustworthy, useful and accountable records and information which are accessible and retained for as long as they are needed. This management extends to records and information in all formats, in all business environments, and in all types of systems.

	Minimum compliance requirements	Examples of how a public office can demonstrate compliance with the requirements
3.1	Records and information are routinely created and managed as part of normal business practice.	Policies, business rules and procedures articulate/document staff requirements and responsibilities for the creation, capture and management of records of business operations. Assessments or audits demonstrate that systems operate routinely. Exceptions to routine operations that affect information integrity, useability or accessibility are identified, resolved and documented.
3.2	Records and information are reliable and trustworthy.	Adequate metadata to ensure meaning and context is associated with the record. System audits are able to test management controls of systems, including information integrity. Policies, business rules, procedures and other control mechanisms are in place to ensure accuracy and quality of records created, captured and managed.
3.3	Records and information are identifiable, retrievable and accessible for as long as they are required.	System testing is able to verify that systems can locate and produce records which are viewable and understandable. Adequate metadata to ensure that records are identifiable and accessible.
3.4	Records and information are protected from unauthorised or unlawful access, destruction, loss, deletion or alteration.	Information security and protection mechanisms are in place. Records are protected wherever they are located, including in transit and when outside the workplace. Access, security and user permissions for systems managing records and information are documented and implemented. System audits are able to test that access controls are implemented.
3.5	Access to records and information is managed appropriately in accordance with legal and business requirements.	Policy, business rules and procedures identify how access to records and information is managed. Assessments confirm that access is in accordance with the organisation’s policy, business rules and procedures. Access to records is provided in accordance with such instruments as the Privacy and Personal Information Protection Act 1998 ('PPIP Act'), the Government Information (Public Access) Act 2009 ('GIPA Act') and the State Records Act 1998.
3.6	Records and information are kept for as long as they are needed for business, legal and accountability requirements.	Policy, business rules and procedures identify how the retention and disposal of records and information is managed. Records and information are sentenced according to current authorised retention and disposal authorities. Records required as State archives are routinely transferred to NSW State Archives and Records when no longer in use for official purposes.
3.7	Records and information are systematically and accountably destroyed when legally appropriate to do so.	Policy, business rules and procedures identify how the destruction of records and information is managed, including deletion of data. Organisation can account for the disposal of records or information in accordance with legal obligations and accountability requirements. Disposal is in accordance with current authorised records retention and disposal authorities. Disposal of records is documented.

Printable version

A (PDF, 155kb ) version of the standard is available for printing.

Implementation guide

State Records NSW has prepared an implementation guide (PDF 387kb) for the Standard. The implementation guide includes detailed explanations for each minimum compliance requirement with a mapping to guidance and training, how the new standard will assist public offices meet their obligations under the State Records Act, and the relationship between the new code of best practice AS ISO 15489.1: 2017 and the Standard on records management.

Table of Commentary

An account of the comments received during public consultation on this standard is available in the accompanying Table of Commentary (PDF, 111kb).

Compliance timetable

There is a compliance timetable (PDF, 51kb) for this standard, with requirements phased in during 2015.

Published February 2015/ revised October 2017/ revised June 2018/revised November 2018

Downloads

Recordkeeping Rules

Standards

Recordkeeping A-Z

R S