R

Records, information and data risks

Aleana.Frost — Sun, 27 Mar 2022 09:37:51 +0000

Records, information and data risks Aleana.Frost Sun, 2022-27-03 20:37

Records, information and data risks (information risks) can occur at any stage. These risks are a combination of threats and vulnerabilities that may have a negative or positive impact on the trustworthiness and availability of records, information and data. Understanding risk is therefore critical in managing core records, information and data.

Types of information risks

Risks public offices need to consider in managing records, information and data (information assets) relate to:

reliability and integrity
accessibility and retrieval
safe custody
retention
ownership.

Examples of information risks

Below are risk events or scenarios for different types of information risks that organisations may encounter.

Please note that the risks, causes and mitigation activities/controls listed are selected for illustration purposes only. The likelihood of the risks occurring, their underlying causes and the method(s) for responding is dependent on the operating environments of individual organisations.

Refer to Identifying and managing high-value and high-risk records, information and data for examples of high-risk records.

Reliability and integrity

Risk Events/Scenarios	Causes (threats and vulnerabilities)	Possible mitigation activities/controls
Poor quality information and data not “fit for purpose”	Duplication and inconsistencies following the migration and/or importation or merging of information and data. Omitted information or data. Typographical errors (e.g. spelling, values, etc.). Obsolete information or data.	Business rules and procedures created for data entry quality control practices. Use of encoding schemes for data requiring manual entry. Adequate monitoring. Use of data cleaning software tools to detect and correct problems in database records.
Poor quality information and data not “fit for purpose”	Metadata incorrect or the minimum metadata required not captured in full.	Minimum metadata requirements identified and included in planning, procurement and migration decision making. Additional metadata that supports organisational recordkeeping, along with business and legal requirements, should also be identified. Use of encoding schemes for metadata requiring manual entry.
Poor image quality of digitised records (e.g. documents and photos)	Digital surrogate does not possess the essential characteristics of the original record. Essential characteristics are elements of a record that need to be reproduced for the record to retain its meaning and/or evidential value.	Defining image quality requirements through the implementation of benchmarks (e.g. technical specifications).
Unauthorised alteration of information and data by staff or third parties (e.g. sub-contractors of the cloud provider or hackers)	Personal/financial gain in altering data. Disgruntled employee. Inappropriate security settings and/or user permissions.	Information security and protection mechanisms in place that reflect the risk and value of the information assets (e.g. event logs that track access and usage). User permissions reflect individual staff members’ positions and responsibilities. Information assets backed up along with metadata.

Accessibility and retrieval

Risk Events/Scenarios	Causes (threats and vulnerabilities)	Possible mitigation activities/controls
Failure to locate and retrieve information assets	Staff poorly trained in performing complex searches (e.g. using Boolean operators, relational expressions and wildcard symbols).	Training staff in performing simple and advanced searches in business systems.
	Staff unfamiliarity with available systems, databases and other repositories.	Providing an information pack listing systems used by individual business units/the organisation.
	Poorly organised or inadequately indexed repositories: no structured file plan for grouping related information assets creation of duplicate folders due to inadequate labelling practices use of miscellaneous folders boxes of physical records sent to storage without their contents being listed misfiling of records.	Business classification scheme (BCS) developed for grouping related information assets. Development of naming conventions. Migration of electronic information assets to a controlled system (e.g. an electronic document and records management system (EDRMS)). Implementation of controls for records in accordance with the Standard on records management and Standard on the physical storage of State records. Adoption of document indexing methods, such as: computerised full-text indexing, generating index entries from the content of records, documents, etc. (e.g. nouns and other significant words) an approved thesaurus. Use of federated search technologies to simplify search and retrieval operations across multiple repositories.
Unauthorised access to non-public information (e.g. personal information or confidential/sensitive business information)	Organisation not aware of information-disclosure restrictions under the Health Records and Information Privacy Act 2002, the Privacy and Personal Information Protection Act 1998 and the Data Sharing (Government Sector) Act 2015. Incorrect interpretation of laws and regulations (e.g. Government Information (Public Access) Act 2009) in disclosing confidential/ sensitive business information.	Allocation of responsibility for identifying and interpreting regulatory requirements that prohibit information disclosure. Creation of policies and business rules on the disclosure requirements of non-public information, including responsibility for managing the process.
	Unintentional non-compliance by staff due to a lack of training/education around requirements.	Staff educated/trained in managing personal information and confidential/ sensitive business information.
	Inadequate security infrastructure.	Establish an information security governance framework, in collaboration with ICT, to ensure appropriate policies, procedures and monitoring are in place to prevent data and information breaches.
	Unlawful collection of personal information not directly related to the organisation’s activities.	Creation of policies and business rules on the collection of personal information (e.g. making notations that personal information/documents have been sighted rather than keeping a copy).
Information assets unretrievable from cloud hosted storage	Organisation not aware of legal requirements in the cross-border transfer and storage of information assets. A cloud service provider may suspend an organisation’s account due to: delinquency suspected infringement on another organisation’s intellectual property a breach in the terms of service. Service provider goes out of business/is taken over.	Use the cloud computing checklist to identify areas where risks may eventuate. Allocation of responsibility for identifying, analysing and interpreting both local laws and regulations (including General authority for transferring records out of NSW for storage with or maintenance by service providers based outside of the State (GA35)) as well as those of the jurisdiction the information assets will be stored in. Adequate contractual control, including but not limited to: NSW laws apply to the contract/agreement ownership remains with the State return of information assets, including metadata, to the public office when requested, on termination of the contract or if the provider goes out of business/is taken over. Adequate monitoring.
Accessibility to equipment/technology dependent information assets not sustained	Degradation or discontinuation/obsolescence of analogue and electronic storage media (e.g. microfiche and hard drives respectively). Discontinuation/obsolescence of compatible software and hardware that can read information and data on specific storage media or in a particular file format.	Implementation of a preservation program/ strategy to ensure information assets are accessible for as long as they are required. Determination of information and data migration frequency based on retention requirements of individual classes of information assets. Electronic information assets are saved in sustainable formats (e.g. PDF/A format).
	Information assets unable to be opened and read/ viewed due to format conversion errors.	Use of file conversion software to preserve the readability of digital content over time.

Safe custody

Risk Events/Scenarios

Causes
(threats and vulnerabilities)

Possible mitigation activities/controls

Storage of physical records in poor environmental conditions

Exposure to contaminants (e.g. mould) and high or fluctuating temperatures.

Presence of vermin.

Incidents of water incursion.

Facility/repository located near manmade hazards (e.g. heavy atmospheric pollution and hazardous industries).

Inadequate or no storage equipment used (e.g. shelving, boxes, etc.).

Compliance with the
Standard on the physical
storage of State records.

Educating staff in the proper management/ storage of physical records.

Loss or damage to information assets due to natural disaster

Flooding

Bushfire

Landslide

Tornado

Earthquake

Having an up-to-date and tested disaster and counter disaster plan in accordance with the Standard on records management and Standard on the physical storage of State Records.

Relocation of physical records and infrastructure if located in known disaster-prone areas.

Back-up copies made of high-value records.

Loss of information assets during the decommissioning of systems

Technology obsolescence (e.g. systems at end-of-life).

Format obsolescence for text, images, videos, databases, websites, etc.

Metadata not captured in full when transferred to the new business system.

Decommissioning planning (in regards to records and information management requirements) is part of the standard project methodology in the acquisition and development of new systems. See system design and implementation guidance.

Use sustainable file formats.

Identifying and disposing of information assets that are due for destruction – and with the required authorisation – prior to the system being decommissioned.

Data stolen

Security patching is out-of-date/inadequate security infrastructure.

Outdated computer systems and applications.

Staff opening suspicious emails or clicking on suspicious links or attachments.

Malicious cyber attacks (e.g. phishing emails, malware, etc.).

Operating systems and applications are kept up-to-date with the latest security patches.

Implementation of firewalls.

Records and information management teams working in collaboration with IT in the management of security classified records, or sensitive records that require additional controls.

Establishing and managing disposal programs to ensure that records and information are destroyed according to relevant retention and disposal authorities.

Rolling cyber security training provided to new and existing staff.

Refer to Digital NSW’s cyber security resources for further information.

Accidental loss of information assets

Unintentionally overwriting information and data during editing.

Damage to records (e.g. spilling liquids on physical records).

Losing external hard drives and physical records that have been removed from the office.

Review the records processes of business units where the loss has occurred.

Editing information and data within an EDRMS where possible.

Real-time back-up of files.

Education or retraining of staff in the appropriate management/handling of information assets.

Loss of information assets due to media instability

Damage in use (unstable working copies).

Long term information and data kept on paper.

Creation of policies and business rules aligned with the standards on records management and the
physical storage of State records.

Purchase of high-quality electronic storage media, paper, photographic film, etc. that conforms to specifications presented in international standards.

Prior to use, storage of electronic storage media, paper and photographic films under temperature and humidity conditions specified by the manufacturer.

Retention

Risk Events/Scenarios	Causes (threats and vulnerabilities)	Possible mitigation activities/controls
Over-retention of information assets containing personal information	Ad hoc/irregular disposal of high-risk information assets that are due for destruction. Lack of planning and management in undertaking disposal activities.	Implementation of a regular program of records disposal (destruction and transfer of records to the State Archives Collection). Routine destruction of time-expired records containing personal information, unless there is a business need to retain the records longer (e.g. actual/pending legal matter).
Under-retention of information assets	Organisation not aware of all applicable recordkeeping requirements, due to, for example, incorrect interpretation of record retention requirements or no in-house records management staff.	Allocation of responsibility either internal (another qualified employee) or external (records management consultants, legal researchers or compliance specialists) responsible for identifying, analysing and interpreting applicable laws and regulations.
	Poorly designed systems or processes not mapped or aligned to relevant retention requirements.	Systems designed and managed in compliance with legal and regulatory requirements that apply to the business documented within them. System compliance should be regularly monitored and assessed.
	Disposal classes linked to an organisation’s business classification scheme (BCS) are out-of-date.	Scheduled reviews of the organisations’ BCS to ensure linked record retention schedules accurately reflect legal and regulatory requirements.
	Disposal coverage of an organisation’s core functions does not exist.	Creation or review of a functional retention and disposal authority to ensure appropriate coverage.
	Staff/business units not aware/up-to-date with their individual recordkeeping requirements.	Creation and implementation of an education strategy to inform staff of their recordkeeping requirements in line with their business processes. Scheduling of ongoing compliance monitoring, including implementation of an escalation pathway for non-compliance.
	Public expectations for particular classes of records to be retained past minimum retention requirements.	Well governed and documented disposal processes. Review relevant functional retention and disposal authorities.
Disposal of records subject to: Current/pending legal proceedings subject to an application for access under the Government Information (Public Access) Act 2009 a Government policy or directive not to be destroyed	Failure by organisation to anticipate proceedings before legal disposal of records.	Implementation of a process which identifies pre-litigation triggers as to when holds need to be placed (e.g. the severity of a complaint).
	Lack of a formal process for notifying business areas to place a hold on disposal. No follow-up with business areas to confirm notification was received and it is understood. Periodic reminders are not issued to business areas when there are long holds on disposal.	Development of policies, business rules and procedures to create a formal notification and follow-up processes.
	Information assets held across multiple known and unknown repositories.	Create a register of business systems.

Ownership

Risk Events/Scenarios

Causes
(threats and vulnerabilities)

Possible mitigation activities/controls

Failure to maintain ownership over information assets hosted by a cloud service provider

Organisation not aware of legal requirements in the cross-border transfer and storage of information assets.

Service provider or external party claims ownership and control over information assets.

Allocation of responsibility for identifying, analysing and interpreting both local laws and regulations (including General authority for transferring records out of NSW for storage with or maintenance by service providers based outside of the State (GA35)) as well as those of the jurisdiction the information assets will be stored in.

Use the cloud computing checklist to identify areas where risks may eventuate.

Adequate contractual control, including but not limited to:

NSW laws apply to the contract/agreement
ownership remains with the State
return of information assets, including metadata, to the public office when requested, on termination of the contract or if the provider goes out of business/is taken over.

Adequate monitoring.

Claim of ownership over information assets by employees, non-employees (contractors, consultants, outsourced employees, etc.) or volunteers

Organisation not aware of or correctly interpret “work-for-hire” laws and regulations.

Contractual terms and conditions do not address or adequately address ownership over information assets regardless of format or media.

Allocation of responsibility for identifying, analysing and interpreting “work for hire” laws and regulations.

Use of contracts/agreements with clauses clearly stating that any information assets created as part of assigned duties or commissioned, is the organisation’s property.

Have any anecdotes regarding information risks your organisation has encountered? If so, we would like to hear from you. As part of building the above tables, we are after “real world” examples of risks public offices have identified and managed. Examples posted can remain anonymous if preferred.

Please email submissions to govrec@nsw.gov.au.

Assessing risks

In developing strategies to manage information risks, a risk assessment needs to be undertaken first. A risk assessment consists of the identification, analysis, and evaluation of risk to determine which risk scenarios/events are likely to occur and what their impact will be.

Where to start

1. Identifying information risks

Review the organisation’s internal and external operating environments – including identifying the organisation’s recordkeeping requirements, records processes and systems and high-risk areas – to determine causes of information risks.

Considerations in establishing the internal and external operating environments include:

Internal Operating Environment

External Operating Environment

the organisation’s structure, history and culture
core functions and activities
policies, procedures, processes (in particular, processes for creating, capturing and managing records)
organisational changes (restructures, areas under transition/change or implementing new policies and processes)
staff (level of records training provided, apathy to information asset management)
the IT environment and its maturity (particularly the software and hardware critical in maintaining information assets)
the organisation’s risk appetite for various types and classes of risk

legal and regulatory environment
political (government priorities and machinery of government changes)
community expectations
IT environment (e.g. technological obsolescence, increasing cyber security threats)

2. Assessing identified risks

Undertake a risk assessment either through formal risk management activities or as part of normal business activities such as:

when new business processes or activities are introduced or updated
in undertaking compliance activities (e.g. implementation of requirements from the Standard on records management and Standard on the physical storage of State records)
during incidents or complaints involving recordkeeping practice
routine team meetings
operational planning sessions
implementing or decommissioning services or systems.

Consult with those responsible in the organisation for risk management (e.g. risk manager, internal audit team, audit and risk committee) to determine whether the risk assessment activity being undertaken needs to be consistent with and linked to the organisation’s risk management framework.

Refer to NSW Treasury’s whole-of-government risk management toolkit for detailed guidance on how to conduct a risk assessment.

3. Devising risk statement

Develop a clear risk statement to articulate risks so they can be effectively communicated and understood by all relevant stakeholders.
For each risk identified, articulate:

the event that will have an affect on information assets
what the cause or causes of the risk are
their consequences.

For example, [the event that will have an affect on information assets] caused by [cause/s] resulting in [consequence/s].

Document the identified risks in a risk register. Depending on the size of the organisation, a hierarchy of risk registers may exist (e.g. an organisation-wide register for high-level risks down to registers for individual business units). Consider developing a register for all information risks within the organisation, if appropriate.
Update the organisations information asset register, where applicable, with the information gathered during the risk assessment.
Update the registers as risks are reviewed.

Acknowledgement

NSW State Archives and Records would like to acknowledge the use of William Saffady’s Managing Information Risks (Rowman & Littlefield, 2020) in the development of this guidance.

Further resources

Standards Australia’s AS ISO 31000:2018 Risk management – Principles and guidelines
Standards Australia’s AS ISO 15489.1: 2017 Information and documentation – Records management, Part 1: Concepts and principles
Standards Australia’s SA/SNZ TR 18128:2015 Information and documentation – Risk assessment for records processes and systems
NSW Information management framework
NSW Data governance toolkit

March 2022

Recordkeeping Advice

Information Management By Design

Recordkeeping A-Z

RMAT FAQ

Catherine.Robinson — Wed, 21 Jul 2021 02:15:54 +0000

RMAT FAQ Catherine.Robinson Wed, 2021-21-07 12:15

RMAT FAQ

This is a list of Frequently Asked Questions about the Records Management Assessment Tool. We will be adding to this page as questions arise.

What is the RMAT?

The Records Management Assessment Tool (RMAT) is a new self-assessment tool. The RMAT will enable public offices covered by the State Records Act 1998 to assess the maturity of records and information management in their organisation, or a part of the organisation (e.g. business unit or information system), or a group of public offices.

The questions in the self-assessment tool are focused on the management of records, information and data in NSW public offices, and how these practices align with requirements in the State Records Act 1998. They highlight the links between records management and regulations for cyber security, privacy, data sharing, open data and information access (GIPAA).

The results of the assessment can be used for reporting on current status; planning for improvement; justifying investment; and measuring progress.

Who should use the RMAT?

We recommend the person or team responsible for records and information management should answer the RMAT questions – or complete the questions collaboratively with key staff, such as a system owner, data custodian or business manager.

This is important because:

The assessment includes some technical terms that may require explanation from a records and information professional. Perhaps you use different or specific terms in your organisation. You can also refer to the Glossary for definitions.
Some questions may be more applicable at the organisation-level (e.g. if there is a central policy or executive leadership). You could consider pre-filling the answers to these questions before asking a system owner, data custodian or business manager to complete other questions.
It builds awareness and communication between the business and the person or team responsible for overseeing records and information management. For example: the SRO must have visibility of records and information management in all parts of the business, in order to fulfil their responsibilities; business managers should be aware of corporate-wide policies.
It enables the person or team responsible for overseeing records and information management to better appreciate the ecosystem of records, information and data; and how well it is supporting business needs.
It enables the person or team responsible for overseeing records and information management to fully understand the level of maturity in their public office, plan for improvements and justify requests for resourcing.

Does the RMAT cover all obligations from the State Records Act 1998?

Yes, the RMAT is based on all obligations and requirements from the State Records Act 1998 and the standards issued under the Act.

When you are using the RMAT, look at the Requirements column in the spreadsheet or the word document; this section of the RMAT will tell you which regulatory requirements are linked to a question.

When you are looking at the Results of your assessment, have a look at the Baseline Compliance Table. This table links regulatory requirements with the RMAT questions and indicates whether compliance is demonstrated for each requirement. This table has traffic light reporting; green indicates compliance and red indicates non-compliance.

How frequently should I use the RMAT?

Public offices should use the RMAT regularly, the assessment shouldn’t just be a one-time or annual activity. We don't mandate how many times a year you should use the RMAT.

We want to see public offices using the RMAT because it helps your business, assists your organisation to understand how recordkeeping is working or not working in your organisation.

What are the maturity levels in the RMAT?

The RMAT uses a 5 level maturity scale to determine the level of compliance with a requirement. You will need to select the maturity level that reflects your organisation’s current situation.

Level	Description	Practices and processes are ...
1. Ad hoc	The desirable processes are non-existent or ad hoc, with no organisational oversight. The organisation or senior responsible officer is unaware of whether a requirement is met.	ad hoc, unpredictable, poorly controlled, no processes, or unaware
2. Developing	Processes are becoming refined and repeatable, but only within the scope of individual teams or projects. There are no organisational standards.	aware, reactive, repeatable, documented processes
3. Defined	Processes are standardised within the organisation based on best practices identified internally or from external sources. Knowledge and best practices start to be shared internally. Level 3 is considered Baseline Compliance for meeting requirements for high risk / high value records and information.	controlled, established, standardised, followed processes
4. Managed	The organisation has widely adopted the standard processes and begins monitoring them using defined metrics.	capable, proactive, measured and reported
5. Optimising	The organisation is optimising, refining and using innovation to increase efficiency within the organisation and, more widely, within its business sector.	efficient, reviewed and audited, data-driven process improvement

Why does the RMAT focus on high risk/high value records and information?

The RMAT seeks confirmation that an organisation has formally identified high risk/high value areas of the business and the records of these business operations. This area of recordkeeping should have the highest priority for investment and management. Identifying and managing records of high risk/high value areas of business means that it is likely that appropriate controls have been implemented for the organisation’s most critical information. This approach to prioritising records of high risk/high value also matches up with the approaches taken by cyber security to protect the most critical information assets of the organisation.

In undertaking the assessment, your organisation will need an agreed list of high risk / high value activities or systems for the organisation or business unit being assessed. For further information see Identifying and managing high value and high risk records and information .

If the records and information management team does not have relevant documentation, check with colleagues in ICT, Security, Governance, Corporate, Risk or Legal to find out if this analysis has been carried out for another purpose. High risk and high value areas of business and systems may be identified during:

Cyber security attestation or information security planning
Business continuity and disaster recovery planning
Corporate risk management (risk registers and plans)
Responses to audit, inquiries or litigation
Systems audit or IT asset inventory
Information lifecycle management planning
Open data planning and reporting
Development of a retention and disposal authority.

Once you have an agreed list, it will be possible to identify records and information relating to those activities – and plan to address them.

How long does the assessment take?

It will depend on the scope of the assessment (e.g. business unit, business system, whole of organisation) and the process you’ve decided to use (e.g. one person doing the assessment, a small team of information professionals from across the organisation, records and information management team with other key staff). It may take a couple of hours or a day to complete the assessment depending on the scope and process used.

TIP: Take some time before you start the assessment to read through the questions and responses and be familiar with the content.

TIP: Allow an hour to factor in the evidence and additional guidance to make preliminary responses.

TIP: If doing the assessment as a team or in collaboration with others, allocate time for everyone to complete their assessments and then have a workshop to discuss individual responses to each question and settle on an overall score.

How should I use the assessment results?

The results of an assessment can be used for reporting on the:

current status of the records and information governance programs
planning for improvement in a particular business unit or information system
justifying investment and measuring progress.

The assessment results can also support planning and reporting for cyber security, privacy, data sharing, open data and information access (GIPAA).

Public offices are also encouraged to use the RMAT assessment results for

Internal or external audit exercises
Annual or quarterly management reporting
Work planning and budgeting
Workforce capability planning
Training needs analysis
Staff development plans
Organisation restructure or machinery of government (MOG) changes
Digital initiatives to procure, decommission, or upgrade systems
Measuring and reporting the impact of an IT or information management project.
Formal request from State Records NSW for information on the organisation’s records and information management practices and conformity with requirements.

Do I send the results of the assessment to State Records NSW?

In 2024 there will be a formal monitoring activity when we will request copies of your assessment results.

We will contact each public office with further information in early 2024 about the monitoring activity.

When will State Records NSW be undertaking annual reporting using the RMAT?

As noted in the Regulatory Framework, State Records NSW re-commenced annual reporting processes using the RMAT in 2022. Each public office needs to do an assessment of their records and information management at that point in time and to provide a report to us. This reporting will give us an overview of the state of records management in NSW Government. The reports on the 2022 Recordkeeping Monitoring Exercise and State of Recordkeeping in NSW are on the website.

We will contact each public office with further information about the 2024 Recordkeeping Monitoring Exercise in early 2024.

When and where will the results of the annual reporting be published?

We publish the results of the annual reporting on our website and in our Annual Report. The reporting is at an aggregate or summarised level (i.e. Sector/Cluster).

The Report on the 2022 Recordkeeping Monitoring Exercise and the State of Recordkeeping in NSW (2023 Report) are on the website.

How should large and complex organisations undertake RMAT assessments?

We suggest that large and complex organisations should consider undertaking individual assessments of divisions, lines of business, or groups of business units. These assessments are then brought together, and a consolidated view of the organisation’s records and information management is developed. Importantly, the consolidated view should be negotiated and agreed upon by those who have undertaken the assessments.

The individual assessments of divisions, lines of business, or business units will be useful in understanding the current state of recordkeeping within these areas of the organisation, as it will identify the gaps or issues, and this information can then be incorporated into the plans for corrective actions. This will also enable the organisation to track progress over time and ensure that recordkeeping issues are managed.

One of the organisations that pilot-tested the RMAT took this approach: The RMAT was provided to a number of different officers within their organisation. Those individuals went away and assessed from their perspective or lens on the organisation. Then they came together to discuss the individual responses to each question and settle on an overall score for each question. From the individual assessments, they could see where there’s good practice or areas that needed improvement.

If you have queries about the assessment process or the results, please feel free to contact us on govrec@staterecords.nsw.gov.au

Published July 2021, updated October 2021, updated November 2022, updated January 2023, updated February 2024

Recordkeeping Advice

Monitoring

Recordkeeping A-Z

Weight

Records Management Fundamentals Presentations

Irene.Chymyn — Thu, 22 Oct 2020 01:02:13 +0000

Records Management Fundamentals Presentations Irene.Chymyn Thu, 2020-22-10 12:02

Records and information are at the core of NSW Government business and are core assets. Records and information help organisations plan for and achieve short and long term outcomes that are relevant and valuable to the community, business and government.

State Records NSW developed presentation slides to assist public sector organisations raise awareness of the importance of good recordkeeping.

Records Management Fundamentals - CEOs and SROs

This presentation looks at the why, what, who and how of recordkeeping:

why records?
what are records and State records?
who is responsible for managing them?
how do we manage and control them?

This presentation references sections of the State Records Act 1998 and Standard on records management in relation to recordkeeping obligations.

Records Management Fundamentals - Staff

The presentation provides a brief overview of the fundamentals of records management and recordkeeping in the NSW public sector. It covers:

why records are important
responsibilities for each public sector organisation and employee, and
common situations where staff should create & save records in official business systems or recordkeeping system
recordkeeping reminders

Published October 2020/Updated slides 2023

Downloads

Recordkeeping Resources

Recordkeeping Awareness Resources

Recordkeeping A-Z

P R

Recordings of virtual meetings

Irene.Chymyn — Sun, 26 Apr 2020 23:26:03 +0000

Recordings of virtual meetings Irene.Chymyn Mon, 2020-27-04 09:26

Due to social distancing requirements during the COVID-19 pandemic NSW public offices have embraced and deployed virtual meetings in lieu of face-to-face meetings.

These virtual meeting/conference platforms enable recording of meetings or conferences. These recordings are usually stored in the cloud and can be downloaded anywhere. These recordings are State records.

We recently received enquiries on how long to keep these recordings. The short answer is, it depends on your organisation’s business rules and the context of the meeting held.

Managing recordings with business rules

We recommend establishing business rules on how to manage these recordings. Your organisation’s business rules or procedures should consider the following:

Types of meetings that are low risk, where minutes of those meetings are sufficient.
Types of meeting that are high risk, where recordings are the preferred record. For example, meetings on contentious issues or meetings with persistent or vexatious complainants.
Purpose of the recording and how long those recordings will be kept (i.e. recordings are kept for accurate minute-taking or used for creating minutes or for replaying your meetings to people unable to attend.)
Which record will be the “official” record of that meeting – the recording or the minutes of the meeting.

Retaining and disposing of recordings

Below are some of the disposal classes which relate to records of meetings (format neutral).

Please note that disposal of recordings of meetings used to prepare correspondence, papers, minutes and transcripts is also permitted under the normal administrative practice (NAP) provisions of the State Records Regulation 2015, when they are primarily facilitative and when the retention of the final version of a record is sufficient to meet the record-keeping requirements of a public office, so long as they are not required to be retained in order to account for policies, decisions, reasons and actions or not required to function as evidence.

To dispose of recordings under NAP public offices should produce internal policies and procedures to further define how long the recordings will be retained for. For example, in local government the recordings of council meetings are retained until the minutes of the meetings have been confirmed.

	Retention and disposal action	Disposal class
Records relating to routine general team, section or unit meetings	keep until administrative or reference use ceases	GA28 Administrative Records: Strategic Management 19.13.1
Records relating to meetings between Chief executives and Ministers, Ministerial employees or senior executives of other government organisations	required as State archives or dispose of under NAP if other records such as the minutes of the meeting are the primary record	GA28 Administrative Records – 10.8.1 or NAP
Records relating to committees, task forces or working groups	Various	GA28 Administrative Records: Committees 1.0.0 or NAP
Local government : Recordings of Council meetings	keep until minutes of meeting have been confirmed	GA39 Local government records: Governance – Meetings 13.6.2
Local government: Records relating to administrative arrangements for all meetings, including recordings	keep until administrative or reference use ceases	GA39 Local government records: Corporate management – Meetings 4.9.2

Any questions? Email us at: govrec@staterecords.nsw.gov.au

Recordkeeping Advice

Managing Formats

Recordkeeping A-Z

F M R

Royal Commission into Institutional Responses to Child Sexual Abuse

Catherine.Robinson — Wed, 13 Nov 2019 22:25:21 +0000

Royal Commission into Institutional Responses to Child Sexual Abuse Catherine.Robinson Thu, 2019-14-11 09:25

Royal Commission into Institutional Responses to Child Sexual Abuse

Volume 8 Recordkeeping and information sharing of the Final Report of the Royal Commission into Institutional Responses to Child Sexual Abuse made five recordkeeping recommendations:

Recommendation 8.1: To allow for delayed disclosure of abuse by victims and take account of limitation periods for civil actions for child sexual abuse, institutions that engage in child-related work should retain, for at least 45 years, records relating to child sexual abuse that has occurred or is alleged to have occurred.

Recommendation 8.2: The National Archives of Australia and state and territory public records authorities should ensure that records disposal schedules require that records relating to child sexual abuse that has occurred or is alleged to have occurred be retained for at least 45 years.

Recommendation 8.3: The National Archives of Australia and state and territory public records authorities should provide guidance to government and non-government institutions on identifying records which, it is reasonable to expect, may become relevant to an actual or alleged incident of child sexual abuse; and on the retention and disposal of such records.

Recommendation 8.4: All institutions that engage in child-related work should implement the following principles for records and recordkeeping, to a level that responds to the risk of child sexual abuse occurring within the institution.

Principle 1: Creating and keeping full and accurate records relevant to child safety and wellbeing, including child sexual abuse, is in the best interests of children and should be an integral part of institutional leadership, governance and culture.

Principle 2: Full and accurate records should be created about all incidents, responses and decisions affecting child safety and wellbeing, including child sexual abuse.

Principle 3: Records relevant to child safety and wellbeing, including child sexual abuse, should be maintained appropriately.

Principle 4: Records relevant to child safety and wellbeing, including child sexual abuse, should only be disposed of in accordance with law or policy.

Principle 5: Individuals’ existing rights to access, amend or annotate records about themselves should be recognised to the fullest extent.

Recommendation 8.5: State and territory governments should ensure that non-government schools operating in the state or territory are required to comply, at a minimum, with standards applicable to government schools in relation to the creation, maintenance and disposal of records relevant to child safety and wellbeing, including child sexual abuse.

Following is a list of resources to assist government and non-government organisations in implementing the Recommendations

Retention and disposal of records	NSW State and Records has conducted an audit of general and functional retention and disposal authorities, and amended authorities to ensure retention periods for records pertaining to incidents or allegations of child sexual abuse are retained in accordance with Recommendations 8.1 – 8.2. New retention and disposal authority for childcare records incorporates the Recommendations.	Functional retention and disposal authority: Childcare services, provision and regulation of (FA404)
Retention and disposal of non-government school records	The Australian Society of Archivists has developed the Records Retention and Disposal Schedule to assist non-government schools with good governance and the retention and disposal of non-government school records. This schedule is relevant to non-government organisations.	Records Retention & Disposal Schedule for Non-Government Schools
Standards for the management and storage of records	NSW State Archives and Records reviewed the Standard on records management to confirm that it meets Recommendation 8.4. Our review found that the Standard did meet the Recommendation and the principles, and that there were no changes required to the minimum compliance requirements listed in the Standard. Good storage conditions and storage environments protect physical records and ensure that records survive for as long as they are required. See the Standard on physical storage of State records for physical records storage requirements.	Standard on records management Standard on the physical storage of State records
Australian Standard on records management AS ISO 15489.1: 2017	This Australian standard is a concise summary of recordkeeping practice. It defines the concepts and principles to be used in developing approaches to the creation, capture and management of records to meet compliance, business and societal requirements. It applies to all records, regardless of format, business or technological environment. This standard is relevant to government and non-government organisations.	AS ISO 15489.1: 2017 Information and documentation - Records management, Part 1: Concepts and principles
Identifying recordkeeping requirements and building recordkeeping into business practices	Recordkeeping requirements are statements specifying which records are to be created and maintained. Requirements are usually expressed in legislation, policies, procedures, industry standards, and contractual arrangements. It is important that recordkeeping is built into business practices. Simple business rules help staff understand when to create and capture records of common business activities. This guidance is relevant to government and non-government organisations.	Recordkeeping requirements Create and Capture
Developing a records and information management policy	A records and information management policy establishes the governance framework for the creation, capture, control, use, maintenance, and disposal of records and information in your organisation. The records and information management policy works in conjunction with records and information management strategies developed by your organisation. This guidance is relevant to government and non-government organisations.	Records and Information Management Policy
Guidance on identifying records relevant to an actual or alleged incident of child sexual abuse, and on the retention and disposal of such records	NSW State Archives and Records has worked with other Australian records and archives authorities to develop guidance to meet Recommendation 8.3. This guidance is relevant to government and non-government organisations.	Guidance for identifying and retaining records which may become relevant to an actual or alleged incident of child sexual abuse
Online training courses on records management and recordkeeping for the NSW public sector	NSW State Archives and Records has a number of free online training courses on records management and recordkeeping.	Online training courses on records management and recordkeeping
Online training course: Managing Out of Home Care records	The Australian Society of Archivists has produced an online training course to assist anyone managing and providing access out-of-home care records.	Out of Home Care online training course
Online training course: A Trauma-Informed Approach to Managing Archives	The Australian Society of Archivists has produced an online training course to assist archives and record-holding organisations implement a trauma-informed approach to their work and services so that all users feel safe and supported to access the records they need.	A Trauma-Informed Approach to Managing Archives
Online training course: Introduction to recordkeeping and archives	The Australian Society of Archivists has produced a range of online training courses to provide a comprehensive introduction to recordkeeping and managing archives.	Keeping Archives online training course
Records and information management training courses	Records and Information Management Professionals Australasia (RIMPA) have produced a range of training courses which provide an introduction to records and information management.	Records and information management training
Leaflets about recordkeeping	NSW State Archives and Records has developed a number of leaflets about recordkeeping for non government organisations. These leaflets can be used to create awareness of good recordkeeping practices.	Recordkeeping fundamentals for non government organisations Recordkeeping fundamentals for non government organisations working with children Recordkeeping reminders for non government organisations

November 2019/Updated April 2020 / Updated August 2020

Recordkeeping Advice

Royal Commission into Institutional Responses to Child Sexual Abuse

Recordkeeping A-Z

R S

Recordkeeping Requirements

Irene.Chymyn — Tue, 20 Aug 2019 00:01:36 +0000

Recordkeeping Requirements Irene.Chymyn Tue, 2019-20-08 10:01

Recordkeeping requirements are statements specifying which records are to be created and maintained by public offices. These requirements may be set out in:

legislation and regulations
whole-of-government policies and procedures
major government or industry standards and codes of practice imposed on or adopted
internal policies, procedures, processes or business rules
agreements and other contracts.

Sometimes the public expects government to create and keep certain records of its activities as part of provision of services and citizen’s rights and entitlement. These expectations reflect either an interest in the records themselves as sources for research, or the desire for government to be transparent and accountable through good recordkeeping.

Types of recordkeeping requirements

Recordkeeping requirements usually relate to:

creating a record
capturing a record, including information that needs to be captured
providing or accepting supporting documentation
maintaining a record, including security, storage and handling
providing access to records
retention and disposal of records.

Requirements can be explicit, but are more often implicit.

For example an explicit requirement for creation and access might be that 'the organisation must create a register of licences and members of the public must be given access to it.' Implicit in this statement is that the records within the register must be captured and maintained for a certain period of time, so that access is possible.

Sources of recordkeeping requirements

There are many sources of recordkeeping requirements, and this page outlines only some of these.

NSW legislation
- Your organisation’s enabling legislation
- Laws that your organisation is responsible for overseeing
- Administrative legislation and associated regulations such as State Records Act 1998, Government Information (Public Access) Act 2009, Privacy and Personal Information Protection Act 1998, Government Sector Employment Act 2013, Electronic Transactions Act 2000
Memoranda and Circulars
- Premier’s Memorandum and Department of Premier and Cabinet Circulars
- NSW Treasurer’s Directions and Treasury Circulars via Administrative Requirements Portal
Retention and disposal authorities
Relevant Audit reports.
NSW Ombudsman’s Good conduct and administrative practice - Guidelines for state and local government

Further advice

ISO/TR 21946:2018 Information and documentation -- Appraisal for managing records.
AS/ISO 15489.1:2017 Information and documentation -- Records management -- Part 1: Concepts and principles
The Strategies for Documenting Government Business: the DIRKS Manual

Published August 2019

Recordkeeping Advice

Recordkeeping Requirements

Recordkeeping A-Z

Recordkeeping guidance for Ministers' Offices

Irene.Chymyn — Tue, 23 Oct 2018 03:01:56 +0000

Recordkeeping guidance for Ministers' Offices Irene.Chymyn Tue, 2018-23-10 14:01

Introduction

This guidance provides information regarding the creation and management of Ministers Offices' records. It supports Ministers Offices in meeting their obligations under the State Records Act 1998.

Offices of New South Wales Government Ministers are 'public offices' as defined in section 3(1) of the State Records Act 1998.

What are State records?

Information created or received in the course of official duties by a Minister or their staff is a State record.

Records can be in any format, from any source, and on any media. Examples of record formats are:

digital and physical documents created or received, using applications such as Office 365, Lotus Notes and G-Suite
messages sent or received via mobile applications such as WhatsApp
digital and physical correspondences sent or received
audio visual recordings of portfolio-related events attended by the Minister
media releases from the Minister's Office posted on website or social media.

Please note that a record can be a State record even if it is created, transmitted or stored by private means (e.g. personal mobile device/s or a personal email address) or by means which may also be occasionally used for private purposes.

Political, constituency or personal records are not State records and it is important that these are managed and maintained separately to the Minister's official records.

Records management obligations

The State Records Act 1998 (the Act) establishes a number of responsibilities or obligations for Ministers' Offices and their staff. Briefly, these are:

create and maintain full and accurate records of any official government business
retain those records for as long as required
dispose of those records legally and appropriately
transfer records as State archives to Museums of History NSW (MHNSW)
authorise public access to records.

Each Minister’s office needs to ensure that it has appropriate systems, policies and procedures in place to meet these obligations. This includes ensuring that all employees are aware of their responsibilities to create and capture records of the official business that they undertake on behalf of or support of the Minister.

Creating and maintaining full and accurate records

Records should be created of all meetings or activities related to official business or where final decisions are made on departmental or government policy, operations and business.

Examples of activities where records should be created and maintained

Activities	Examples of types of records
Development, implementation and review of government policy and legislation, portfolio operations and projects	agenda, minutes and supporting papers of committees briefing notes informing, recommending, approving or authorising actions decisions, reasons and actions discussion papers drafts showing feedback, significant drafts that contain change on policy direction or contain significant information that is not contained in the final version media releases
Contact with the public, private organisations and other Ministers on portfolio business	briefing notes documenting the contact emails sent or received by the Minister or staff file notes documenting the contact via phone or social media
Attendance to portfolio related events	final transcripts of speeches or addresses media releases

{go to top}

Common activities and what to document

In creating records, it is essential that information relevant to an activity be documented. A risk assessment should be conducted to determine what level of documentation is required.

Common Activities	What to document
Meetings, including discussions conducted or decisions made face to face or via various communication channels (Skype, emails, mobile phones, WhatsApp)	Document the following: date and location of the meeting attendees supporting documents items discussed and decisions authorising or approving actions.
Contact with the public, private organisations and other Ministers on portfolio or government business	Document the following: name of the person / organisation / agency date of contact issues raised decisions, commitments or agreements, including reasons for decisions or recommendations advice, instructions or recommendations information or additional documentation provided / communicated
Communications between staff and outside recipients on official business such as memoranda or circulars	Document information such as: title, subject or description date issued and status scope and its application attachments or supporting documentation
Briefing the Minister	Document information such as: context or background information regarding the subject of the brief issues raised advice, instructions or recommendations attachments or supporting documentation

{go to top}

Standard rules to help manage records

To better support general management, retrieval, access and eventual disposal of records, we recommend the following business rules for emails, social media and the ministerial network or share drives.

Emails

Group received and sent emails under the following categories:
- administrative records - Finance, HR, Procurement
- enquiries from the public
- official Cabinet records
- portfolio records (may be grouped according to cluster / agency name / program or project name / events)
- political / constituency / personal records
Delete ephemera and unwanted emails such as subscriptions, spams, agency newsletters
Delete personal emails
Regularly empty deleted items folders
Unsubscribe from unnecessary mailing lists
Ask to be taken off group emails that don't apply to the Minister's Office
Practice 'only handle it once' (OHIO) method.

This only applies to the social media accounts of Ministers. Only social media posts sent or received during their term of office are State records.

Only use official accounts for social media postings, etc., as a Minister
Keep personal, party/constituency social media accounts separate. Don’t use personal social media accounts for Ministerial/portfolio business.
If the social media post is publicly available, then it should remain publicly available.

It is also recommended that social media accounts of Ministers be verified through the social media site to ensure continued accessibility. The verification badge provided by these sites for high profile accounts provides greater credibility, increased social presence and prevention of identity misuse.

Group records created, received or saved under the following categories:

administrative records - Finance, HR, Procurement
enquiries from the public
official Cabinet records
portfolio records (may be grouped according to cluster / agency name / program or project name / events)
political / constituency / personal records.

Political, constituency or personal records are not State records and it is important that these are managed and maintained separately to the Minister's official records.

{go to top}

Retention and disposal of records

Ministers' offices need to retain records for certain periods of time to provide evidence of the business conducted or to meet legal or other obligations. Some records are required to be retained permanently as part of the State Archives collection.

The General retention and disposal authority: ministers' offices permits Ministerial or Departmental staff to destroy certain records after they are no longer required for administrative purposes.

For financial, personnel and other administrative records, use the General retention and disposal authority: administrative records.

State archives

The General retention and disposal authority: records of a Minister's office also identifies which records are required to be transferred as State archives to MHNSW.

The following are examples of records considered as State archives:

briefing notes and correspondences
diaries of Ministers such as emails and Outlook calendars of Ministers, including attachments
social media content posted or received from the Ministers' accounts during their term of office
media releases.

Official Cabinet records

Follow protocols set by the Department of Premier and Cabinet Secretariat.

Private records

Records created or received by the Minister in their capacity as Member of Parliament (such as those related to constituency matters), or as a member of a political party or as a private citizen are not 'State records' under the State Records Act. Manage or dispose of these records in accordance with the wishes of the Minister.

Budget, Procurement, Travel and Personnel records

Manage or dispose of these records in accordance to the requirements under the Members of Parliament Staff Act (MOPS Act) or as set by the Department of Premier and Cabinet.

The following records can be routinely disposed of if no longer required for reference other purposes

media monitoring reports
subscription service updates, alerts and newsletters
rough notes of meetings and conversations where a formal record has been made
solicited and unsolicited advertising materials

{go to top}

Transfer records as State archives to MHNSW

Records classified as State archives can be transferred at any time during a Minister's term of office or when there is a change of Minister or government.

Minister's emails and electronic calendars

These records must be transferred electronically as State archives, including all relevant attachments. It is recommended that:

emails relating to portfolio business are classified into categories
all relevant attachments such as meeting agenda, meeting minutes, reports and details of attendees must be retained, until transfer to MHNSW.
emails and diary entries relating to personal, constituency or political records are separated, removed or deleted before transferring to MHNSW.
electronic diaries relating to portfolio business, including all relevant attachments such as meeting agenda, meeting minutes, reports and details of attendees must be retained, until transfer to MHNSW. Extracts from diaries of Ministers published online are not sufficient to meet this requirement.

Ministers are responsible for ensuring that the social media records they create as part of official government business are maintained and remain publicly accessible.

Only social media interactions relating to the Minister's portfolio responsibilities and during the Minister's term of office are required as State archives. Where personal accounts are used for portfolio business, social media interactions can still be considered official/State records for the purposes of the State Records Act.

It is recommended that social media posts relating to personal, constituency or political records be removed prior to transfer to MHNSW. If they are not removed they will remain part of State archives.

{go to top}

Authorise public access to records transferred as State archives

Records transferred as State archives need to be authorised as being available for future public access. The Act currently provides an open public access period for records after 30 years. From 1 January 2023 this will reduce to 20 years. Some records, such as media releases and transcripts of speeches, can be made available earlier.

The Minister or delegate can authorise when the public can access records transferred to the State archives collection by notifying MHNSW.

{go to top}

Caretaker period

Below are some of the key activities that Ministers’ Offices can do before, during and after the caretaker period:

Identify and describe types of records held by the Minister's office
- physical records held onsite or offsite
- Ministerial network
- business systems
- social media accounts
Remove any encryptions or electronic protections in your documents, workbooks or presentations.
Follow protocols regarding Official Cabinet records.
Separate enquiries and portfolio records from political/constituency or personal records.
- Enquiries and portfolio records will need to be transferred to NSW State Archives
- Political, constituency or personal records may be disposed of at the Minister's discretion.
Authorise when the public can access records transferred as State archives - from the Minister or delegate by notifying MHNSW.

{go to top}

Published November 2018/Amended 2022

Downloads

Recordkeeping Resources

Ministers' Offices

Recordkeeping A-Z

M R

Identifying and managing high-value and high-risk records, information and data

Anthea.Brown — Thu, 21 Jan 2016 01:50:12 +0000

Identifying and managing high-value and high-risk records, information and data Anthea.Brown Thu, 2016-21-01 12:50

State Records NSW recognises the challenges of managing vast quantities of records, information and data in the current environment of increased cyber risks and an ever-changing technology landscape.

The minimum compliance requirements 2.2 and 2.3 of the Standard on Records Management direct public offices to strategically focus on high-value and high-risk areas of business. These requirements ensure that:

records, information and data required as State archives and/or of high-value and high-risk are prioritised, protected and managed
records and information management is a designed component of the most valuable and critical information and systems
records and information management strategies and initiatives align with the organisation’s critical business priorities
resources (time, money and staff) invested/allocated are proportionate to the business value of the records, information and data.

This approach to identifying and prioritising records of high-value and high-risk also matches up with the approaches taken by cyber security to protect the most critical information assets of the organisation.

Defining high-value and high-risk (HVHR) records, information and data

High-value records, information and data are assets that enable organisations to:

undertake and continue their functions
provide service to clients
respond to Royal commissions, inquiries, audits, investigation and legal issues.

A small percentage of high-value records have continuing value to the State and the people of NSW and are required as State archives. (Please consult relevant retention and disposal authorities for information on assets required to be retained as State archives).

High-risk records, information and data are those assets that:

are created or received in high-risk areas of the business, or high-risk business processes or functions
pose a significant risk to the organisation if they were misused, released inappropriately or inappropriately accessed and altered, lost, damaged or destroyed prematurely.

While high-risk records and information must be managed with the same care as high-value records for the duration they are required, high-risk records and information may not necessarily have lengthy retention periods.

Identifying HVHR records, information and data

High-value and high-risk records, information and data are usually created or received in areas or functions involving:

core and statutory function/s of the organisation
significant investment by NSW Government or major contributions to the NSW economy
direct contact with individuals (for example, a regulatory, enforcement, health or welfare activity where there may be dispute)
development of policy or service which impacts on individuals and communities or their rights and entitlements
management of natural resources, places of cultural significance, the protection and security of the state or infrastructure in NSW
processes that are open to corruption or have the potential for corrupt behaviour
major programs of international/national/state significance
collection and use of personal information and health information (as defined by the Privacy and Personal Information Protection Act 1998 and the Health Records and Information Privacy Act 2002)
policies, decisions, or services which are subject to close scrutiny by the public, media or oversight bodies.

Examples of HVHR records, information and data

The examples below are selected for illustration purposes only. Please note that the business value and risk to records, information and data can change over time depending on the organisation’s context.

Information Assets	Category	Additional information
Enterprise data sets managed by the organisation	High-value	Data sets which are mandated and used for performance reporting are of high-value as they inform decision making, in program analysis and evaluation, and in research. Please note that the value of data sets is subjective and may change over time depending on the organisation’s context, its intended use, data quality, etc.
Scanned ID documents used for verification purposes	High-risk	These are considered supporting documentation and are of low value as soon as the verification has been completed. Records, information and data which contain personal information are generally considered of high-risk as they pose specific risks to individuals, such as, identity theft or fraud, reputational damage, loss of confidentiality or financial loss.
Briefing notes to ministers in relation to portfolio programs	High-value and high-risk	These records are of continuing value to the State and are required as State archives as they are advice about substantive aspects of a major program, service delivery, legislation, etc. These records are considered high-risk as they document decisions that may be subject to public or media scrutiny.
Patient records and information in clinical information systems	High-value and high-risk	These records are of high-value as they relate to core function of provision of health care to patients and clients. These records are of high-risk as they pose specific risks to individuals. Clinical information systems are usually considered high-risk as it would have a huge impact on the organisation if access to the systems were lost or compromised.
Client case management records	High-value and high-risk	These records are of high-value as they document direct contact with individuals and may relate to specific or core services, or individual rights or entitlements. These records are of high-risk as they contain personal, sensitive and/or confidential information and pose specific risks to individuals.
Records applied with dissemination limiting markers (DLM) or security classification	High-risk	These records may be assessed as high-risk depending on the value, importance or sensitivity of information they contain, and the potential damage to government, national interests, organisations or individuals, that would arise if the information’s confidentiality was compromised.
Budget records and information	High-value and high-risk	These records are high-value as they contain the budget decisions of the State. These are considered high-risk due to their confidentiality and potential consequences of leakage.
Council meeting minutes	High-value and high-risk	These records are high-value as they document significant decisions that have a far-reaching impact on communities and are therefore required as State archives. A local council meeting is a high-risk activity as it enables transparency and scrutiny, or direct participation from members of the community. Also, the loss of public access to council meeting minutes may have potential consequences to the well-being of the community.
Financial and human resource records	High-value and high-risk	These records are high-value as they are essential to the continued operations of the organisation. These records are considered high-risk as they relate to processes where they may be open for corruption or fraud. The digital format of these records is usually considered high-risk for cyber-attacks.

Approaches to determining HVHR records, information and data

There are various ways of determining HVHR records, information and data.

Conduct a desktop review and analysis of current documentation. Examples of documentation to review include:

retention and disposal authorities (records required as State archives and those records with 30+ years retention periods are HVHR)
risk-related records such as corporate risk registers, business continuity plans, ICT incident management plans or business impact analysis reports
cyber security attestation or information security planning
responses to audit, inquiries or litigation
systems audit or IT asset inventories
information asset registers
open data planning, reporting, and data sharing agreements
privacy impact assessments
GIPAA review or investigation reports
annual reports, including internal and external audit reports
reports of incidents or complaints, including findings and recommendations which may have been publicised.

Engage staff within the organisation to understand core functions, services, and business processes. Business owners should be engaged to assess and classify assets based on business risk. Specifically, consult with the organisation’s

audit and risk committee or risk manager
cyber and information security officer (CISO) or team
business managers of areas under transition/change or implementing new policies, new processes and new systems or apps
business managers of areas where they collect, use or store personal information
other stakeholders such as internal audit team or officer.

Use various techniques to gather and analyse information such as:

surveys
brainstorming exercises or focus group discussions
strengths, weaknesses, opportunities and threats (SWOT) analysis
business impact analysis
bow tie analysis
cost benefit analysis
cause-consequence analysis, etc.

Tips for managing HVHR records, information and data

1. Develop an understanding of the organisational context

This includes:

gathering information about the organisation using the sources mentioned above
identifying and analysing recordkeeping requirements
consulting or collaborating with business units to identify and determine what records, information and data are needed to support core functions and services. This includes identifying any impacts resulting from business disruptions and/or from risks to records, information and data.

2. List the organisation’s records, information and data as information assets

Having this list enables:

identification of HVHR records, information and data
identification and assessment of information assets that pose significant risk
identification of people and positions that are responsible for particular information assets
compliance with minimum compliance requirements 2.2 and 2.3 of the Standard on records management. Please note a complete, single view of HVHR information assets is one of the indicators used in Q1 of the Records Management Assessment Tool (RMAT).

For each asset, consider the following information:

size and scope of the records and information held
size and scope of the system
the software and hardware critical for the maintenance of the asset
any dependency on other records/information assets
format of the records - if paper, include volume and storage information; if digital, include title or name of the data set or file, description, modification date, license and file format
business owner and users of the system
policies and processes that govern them, including statutory and regulatory obligations
business value
retention periods, including records required as State archives
level of criticality of the business activities that the system supports, i.e., the potential impact of an interruption to critical business operations.

Here is a standard information asset register template.

3. Apply the organisation’s risk management framework to assess and mitigate risks to HVHR records, information and data

Use the NSW Risk management toolkit to develop and implement a risk management framework over HVHR records, information and data. Risks to HVHR records, information and data may include:

loss or reduction in ability to access records due to technological obsolescence, system migrations, disaster, corruption of information, or machinery of government change and administrative change
unauthorised access leading to deletion, unauthorised manipulation or disclosure of sensitive information due to outdated or ambiguous policies and procedures
loss of government information, corporate memory and/or documentary heritage of NSW.

Risk assessment examples

Below are examples of risk assessment for HVHR records, information and data. The risks and causes identified, including mitigation activities are selected for illustration purposes only. The risk likelihood and impact depend on the organisation’s context.

Information assets	Risk	Cause	Mitigation activities
Enterprise data sets shared by the organisation	Unauthorised access or disclosure of information	Outdated or ambiguous policies and procedures, or due to machinery of government (MOG) changes	Use a standard MOU agreement. Implement a consistent, agreed approach to data sharing. Review default access provisions applied to data sets when MOG changes happens.
Patient records & information in clinical information systems	Loss of access	System outage or unstable platform	Put controls in place and regularly monitor to mitigate the threat or risk, and perform risk analysis as required. Perform regular system health checks, including backup systems.
Briefing notes to ministers in relation to portfolio programs	Failure to locate and retrieve within scheduled time frames	Multiple content repositories	Put processes and systems in place to enable comprehensive search functionality to simplify retrieval operations. Implement a consistent procedure in managing briefing notes, including where they are stored.
Records applied with DLMs or security classification	Information leak, unauthorised access or disclosure of information	Outdated system or human error	Put controls in place and regularly monitor to mitigate the threat or risk. Implement cyber security education for staff, including information classification, labelling and handling.
Scanned ID documents used for verification purposes	Information leak, unauthorised access or disclosure of information	Outdated or ambiguous policies and procedures	Review current procedures and assess whether there is a need to have a scanned copy of ID documents. If there is an identified need, put controls in place and regularly monitor to mitigate the risk. Update policies and procedures to mitigate or eliminate this risk (Check FAQs: Recordkeeping and personal information).
Budget records and information	Information leak and misuse of information	Outdated system or human error	Put controls in place and regularly monitor to mitigate the threat or risk. Implement cyber security education for staff, including information classification, labelling and handling.
Council meeting minutes posted on the website	Loss of access	System outage	Put controls in place and regularly monitor to mitigate the threat or risk.
Client case management records	Loss of information	Natural disasters	Put controls in place and regularly monitor to mitigate the risk. For physical formats, read our guidance Solutions for Storage \| NSW State Archives for more information. For digital, regularly monitor current disaster recovery/incident management processes, procedures and systems.

4. Collaborate with the CISO and cybersecurity team and/or relevant teams or committees

Collaborate with relevant teams to ensure that all HVHR records, information and data, both hard copy and digital, are included or classified as ‘crown jewels.’ Including HVHR records in the organisation’s list of crown jewels is a step towards prioritising its management and security.

5. Develop and implement a plan for short-term, mid-term or long-term management of HVHR records, information and data

The plan should consider:

information management needs or requirements of high-risk areas or functions
robust migration and export strategies to sustain records and information through system and service transitions
the metadata which makes that information understandable and authoritative
the eventual transfer of State archives to the NSW State Archives Collection.

Further information

Published February 2015 / Updated January 2022

Downloads

Information Asset Register Template

Recordkeeping Advice

Information Management By Design

Recordkeeping A-Z

H I R

Standard on records management

admin — Mon, 09 Nov 2015 16:02:12 +0000

Standard on records management Tue, 2015-10-11 03:02

Introduction

Records and information are at the core of government business and are core assets.

In NSW public offices, records and information help organisations plan for and achieve short and long term outcomes that are relevant and valuable to the community, business and government. Records and information:

drive collaboration and communications
preserve public knowledge for reference and reuse
provide the foundation for sustainable and effective products and services
outline responsibilities
support decision-making
document rights and entitlements
make up the corporate memory of an organisation
provide stakeholders with transparency around and accountability for government operations.

To support the benefits identified above records and information need to be:

trustworthy and managed accountably
readily accessible, understandable and useable
valued as critical to business operations
governed by appropriate risk management approaches
maintained to meet business, government and community purposes.

To achieve these outcomes, records and information must be supported by effective records and information management.

1.1 Purpose

This standard establishes the requirements for effective records and information management. It is designed to assist public offices discharge their obligations under Part 2 ‘Records management responsibilities’ and Part 3 ‘Protection of State records’ of the State Records Act 1998.

1.2 Authority of this standard

This standard is issued under section 13(1) of the State Records Act 1998 which enables the State Records Authority of NSW (‘NSW State Records’) to ‘approve standards and codes of best practice for records management by public offices’.

1.3 Who should use this standard

This standard applies to all public offices defined in section 3 of the State Records Act 1998, to which Part 2 of the Act applies.

1.4 Scope of this standard

This standard covers records and information in all formats, including both digital and physical records. It has been designed to support digital recordkeeping as the NSW Government transitions to digital business processes.

Underpinning this standard is the need to ensure that business is supported by sound records and information management practices. Importantly, the standard has been framed and targeted to support good information practices in complex business and information environments.

This standard refers to both records and information and establishes requirements for the holistic management of records and information. Taking this approach to the management of records and information better reflects the way in which most organisations now manage their information resources in an integrated manner.

This standard is the product of a process to consolidate and streamline requirements from the following standards:

Standard on full and accurate records
Standard on managing a records management program
Standard on digital recordkeeping
Standard on counter disaster strategies for records and recordkeeping systems
Standard on the appraisal and disposal of State records.

With the issue of this new standard, the above five standards have been revoked and are no longer in use. These older standards can be consulted on www.opengov.nsw.gov.au.

Public offices should consult the Standard on the physical storage of State records for requirements for the storage of non-digital records and counter disaster requirements applicable to non-digital records.

1.5 Benefits of using this standard

Applying this standard will assist public offices to:

create trustworthy, useful and accountable records and information in evolving business environments
ensure that meaningful, accurate, reliable and useable records and information are available whenever required for government business needs
sustain and secure the records and information needed to support short and long term business outcomes
enable the reliable sharing of relevant records and information
automate governance, sharing and continuity processes
minimise records and information volumes, preventing unnecessary digital and physical storage and management costs
proactively protect and manage the records and information that provide ongoing value to government business and to the community of NSW.

1.6 Structure

This standard sets out three principles for effective records and information management:

Organisations take responsibility for records and information management
Records and information management support business
Records and information are well managed

This standard also identifies the minimum compliance requirements that apply to each principle.

Each minimum compliance requirement is accompanied by a range of examples of how a public office can demonstrate compliance with the requirement. These examples can provide ‘evidence’ of meeting the requirement but may not be the only way that compliance can be demonstrated.

1.7 Further information

To assist NSW public offices implement this standard, NSW State Records has mapped the requirements of the standard to the guidance and training available from NSW State Records. The mapping is available at http://www.records.nsw.gov.au/recordkeeping.

Requirements in this standard build on requirements contained in a number of earlier standards issued by State Records NSW. State Records NSW has mapped the requirements of this standard to those of earlier standards. This mapping is available at www.records.nsw.gov.au/recordkeeping/rules/standards.

For more information on this standard, please contact State Records NSW or see www.records.nsw.gov.au/recordkeeping/rules/standards.

Principles

Principle 1: Organisations take responsibility for records and information management
Principle 2: Records and information management support business
Principle 3: Records and information are well managed

Principle 1: Organisations take responsibility for records and information management

To ensure records and information are able to support all corporate business operations, organisations should establish governance frameworks. These include:

policy directing how records and information shall be managed
assigning responsibilities
establishing provisions for records and information in outsourcing and service delivery arrangements
monitoring records and information management activities, systems and processes.

	Minimum compliance requirements	Examples of how a public office can demonstrate compliance with the requirement
1.1	Corporate records and information management is directed by policy and strategy.	Corporate policy on IM/RM adopted at Senior Executive level. Corporate strategy on IM/RM adopted at Senior Executive level.
1.2	Records and information management is the responsibility of senior management who provide direction and support for records and information management in accordance with business requirements and relevant laws and regulations.	Responsibility assigned in corporate policy on IM/RM Policy reflects Chief Executive's responsibility to ensure compliance with State Records Act (section 10).
1.3	Corporate responsibility for the oversight of records and information management is allocated to a designated individual (senior responsible officer).	Responsibility assigned in corporate policy on IM/RM. Responsibility assigned in individual performance plans. NSW State Archives and Records has been advised of the organisation's senior responsible officer.
1.4	Organisations have skilled records and information management staff or access to appropriate skills.	Responsibility assigned in corporate policy on IM/RM. Skills and capabilities reflected in relevant role descriptions. Responsibility assigned in performance plans and/or service agreements.
1.5	Responsibility for ensuring that records and information management is integrated into work processes, systems, and services is allocated to business owners and business units.	Responsibility assigned in corporate policy on IM/RM. Responsibility assigned in performance plans. Documentation identifies owners of systems. Responsibility for ensuring records and information management is included in systems and processes, is assigned to owners of systems.
1.6	Staff and contractors understand the records management responsibilities of their role, the need to make and keep records, and are familiar with the relevant policies and procedures.	Responsibility assigned in corporate policy on IM/RM. Skills, capabilities and responsibilities are reflected in relevant role descriptions and/or performance plans. Policy, business rules or procedures articulate/document staff requirements and responsibilities for the creation and management of records.
1.7	Records and information management responsibilities are identified and addressed in outsourced, cloud and similar service arrangements.	Responsibility included in corporate policy on IM/RM. Demonstrate that records and information management is assessed in outsourced and service contracts and instruments and included where required. Portability of records and information is assessed in outsourced, cloud and similar service arrangements.
1.8	Records and information management is monitored and reviewed to ensure that it is performed, accountable and meets business needs.	Documented monitoring of activities, systems and processes, and corrective actions undertaken to address issues.

Principle 2: Records and information management support business

The core role of records and information management is to ensure the creation, maintenance, useability and sustainability of the records and information needed for short and long term business operations.

By undertaking an assessment of records and information needs, public offices can define their key business information. Public offices should use this assessment to design records and information management into processes and systems. This will ensure that records and information support business operations and accountability requirements, and sustain records and information needed for the short and long term.

Taking a planned approach to records and information management means all operating environments are considered. It also means that the creation and management of records and information needed to support business are considered in all system and service arrangements.

	Minimum compliance requirements	Examples of how a public office can demonstrate compliance with the requirement
2.1	Records and information required to meet short and long term needs are identified.	Documented decisions, policy, business rules or procedures on what records and information are required to meet or support business and identified recordkeeping requirements, including accountability and community expectations. Current, comprehensive and authorised records retention and disposal authorities are in place. Decisions are documented or reflected in specifications for systems and metadata schema.
2.2	High risk and high value areas of business and the systems, records and information needed to support these business areas are identified.	Identify and document which systems hold high risk and/or high value records and information. Information risks are identified, managed or mitigated. Systems managing high risk and/or high value records and information are protected by business continuity strategies and plans. Documented policy, business rules and procedures for high risk and/or high value business processes include responsibilities for the creation and management of records and information.
2.3	Records and information management is a designed component of all systems and service environments where high risk and/or high value business is undertaken.	Evidence that records and information management is assessed in system acquisition, system maintenance and decommissioning, and implemented where required. Systems specifications for high risk and high value business include records and information management requirements. Systems specifications include requirements for metadata needed to support records identification, useability, accessibility, and context. Documentation of systems design and configuration maintained.
2.4	Records and information are managed across all operating environments.	Identify and document where records and information are held across diverse system environments or physical locations. Documented strategy for managing records and information in diverse system environments and physical locations.
2.5	Records and information management is designed to safeguard records and information with long term value.	Identify and document which systems hold records of identified or potential permanent or long term value. Identify and document where records of identified or potential permanent or long term value are located. Records and information are kept for as long as they are needed for business, legal requirements (including in accordance with current authorised records retention and disposal authorities), accountability, and community expectations. Decommissioning of systems takes into account retention and disposal requirements for records and information contained in the system.
2.6	Records and information are sustained through system and service transitions by strategies and processes specifically designed to support business and accountability.	Documented migration strategy. Migrating records and metadata from one system to another is a managed process which results in trustworthy and accessible records. Portability of records and information is assessed in cloud service or similar arrangements. Adequate system documentation is maintained.

Principle 3: Records and information are well managed

Effective management of records and information underpins trustworthy, useful and accountable records and information which are accessible and retained for as long as they are needed. This management extends to records and information in all formats, in all business environments, and in all types of systems.

	Minimum compliance requirements	Examples of how a public office can demonstrate compliance with the requirements
3.1	Records and information are routinely created and managed as part of normal business practice.	Policies, business rules and procedures articulate/document staff requirements and responsibilities for the creation, capture and management of records of business operations. Assessments or audits demonstrate that systems operate routinely. Exceptions to routine operations that affect information integrity, useability or accessibility are identified, resolved and documented.
3.2	Records and information are reliable and trustworthy.	Adequate metadata to ensure meaning and context is associated with the record. System audits are able to test management controls of systems, including information integrity. Policies, business rules, procedures and other control mechanisms are in place to ensure accuracy and quality of records created, captured and managed.
3.3	Records and information are identifiable, retrievable and accessible for as long as they are required.	System testing is able to verify that systems can locate and produce records which are viewable and understandable. Adequate metadata to ensure that records are identifiable and accessible.
3.4	Records and information are protected from unauthorised or unlawful access, destruction, loss, deletion or alteration.	Information security and protection mechanisms are in place. Records are protected wherever they are located, including in transit and when outside the workplace. Access, security and user permissions for systems managing records and information are documented and implemented. System audits are able to test that access controls are implemented.
3.5	Access to records and information is managed appropriately in accordance with legal and business requirements.	Policy, business rules and procedures identify how access to records and information is managed. Assessments confirm that access is in accordance with the organisation’s policy, business rules and procedures. Access to records is provided in accordance with such instruments as the Privacy and Personal Information Protection Act 1998 ('PPIP Act'), the Government Information (Public Access) Act 2009 ('GIPA Act') and the State Records Act 1998.
3.6	Records and information are kept for as long as they are needed for business, legal and accountability requirements.	Policy, business rules and procedures identify how the retention and disposal of records and information is managed. Records and information are sentenced according to current authorised retention and disposal authorities. Records required as State archives are routinely transferred to NSW State Archives and Records when no longer in use for official purposes.
3.7	Records and information are systematically and accountably destroyed when legally appropriate to do so.	Policy, business rules and procedures identify how the destruction of records and information is managed, including deletion of data. Organisation can account for the disposal of records or information in accordance with legal obligations and accountability requirements. Disposal is in accordance with current authorised records retention and disposal authorities. Disposal of records is documented.

Printable version

A (PDF, 155kb ) version of the standard is available for printing.

Implementation guide

State Records NSW has prepared an implementation guide (PDF 387kb) for the Standard. The implementation guide includes detailed explanations for each minimum compliance requirement with a mapping to guidance and training, how the new standard will assist public offices meet their obligations under the State Records Act, and the relationship between the new code of best practice AS ISO 15489.1: 2017 and the Standard on records management.

Table of Commentary

An account of the comments received during public consultation on this standard is available in the accompanying Table of Commentary (PDF, 111kb).

Compliance timetable

There is a compliance timetable (PDF, 51kb) for this standard, with requirements phased in during 2015.

Published February 2015/ revised October 2017/ revised June 2018/revised November 2018

Downloads

Recordkeeping Rules

Standards

Recordkeeping A-Z

R S

Recordkeeping and Committees

admin — Mon, 09 Nov 2015 16:02:12 +0000

Recordkeeping and Committees Tue, 2015-10-11 03:02

Introduction

Every organisation in the NSW Public Sector has an involvement with a range of committees. Committees coordinate and facilitate a wide range of functions undertaken by the organisation.

It is important that recordkeeping procedures are established for each committee that your organisation has an involvement with, so that the appropriate records are created and managed properly, and disposal is undertaken in an accountable way.

Good recordkeeping procedures allow committee members to have a clear understanding of what they need to do with records of the committee and how to manage duplicate copies of agendas, minutes, and meeting papers. The procedures may differ depending on whether the committee is an internal or external committee. The recordkeeping rules are broadly the same for either type of committee.

Recordkeeping rules

Recordkeeping rules for committees include making and keeping minutes of meetings, managing the master set of minutes, agendas and business papers of the Committee, and managing the disposal of committee records. These rules should be incorporated into recordkeeping procedures for internal and external committees.

Recordkeeping procedures for external committees

Committee secretariat

Committee members should determine who will be the Secretariat for the committee, so that there is a clear understanding about responsibilities for:

recording the minutes of each meeting of the Committee
managing the master set of minutes, agendas and business papers of the Committee
registering the records into the organisation's recordkeeping system
disposing of the master set of minutes, agendas and business papers.

If your organisation is...	then...
the Secretariat of the Committee	you should also consider establishing file titling conventions to distinguish between the different types of records being created, for example: actions and initiatives; administration and correspondence; agendas and business papers; agenda briefings.
not the Secretariat (just a representative on the Committee)	you will just need to establish files to hold your organisation's copy of meeting agendas, minutes and other committee papers.

Manage the master set of minutes, agendas and business papers of the Committee

By confirming who will be the Secretariat for the Committee, it is possible to determine who will be responsible for the master set of minutes, agendas and business papers of the Committee.

If your organisation is...	then...
not the Secretariat (but provides input into the setting of agendas)	records will need to be retained within your organisation's recordkeeping system covering such actions and initiatives, administration and correspondence.

Registering the records into the organisation's recordkeeping system

It is important that all records pertaining to committees are registered or captured into the organisation's official recordkeeping system. This ensures that records are:

accessible to all who require them, subject to any restrictions that may apply
controlled and managed in accordance with policy and procedures
secured against tampering, unauthorised access or unlawful deletion
disposed of promptly in accordance with legal authority.

If your organisation is...	then...
the Secretariat of the Committee	ensure that all records are registered into the recordkeeping system in a timely manner.
not the Secretariat (just a representative on the Committee)	ensure that the organisation's representative/s are aware of that they are required to register records of their involvement with the Committee into the recordkeeping system.

Manage the disposal of records

The disposal of records should be managed within the organisation's disposal program and in accordance with the relevant retention and disposal authorities. Most Committee records are covered in the General Retention and Disposal Authority: Administrative Records under COMMITTEES.

You will need to determine the type of committee, for example whether it is an advisory committee, and inter-agency committee, or national committee, in order to determine the appropriate retention period for the records. These guidelines are not intended to cover the management and disposal of records of inter-governmental organisations, for example, the Border Rivers Commission or the Murray Darling Basin Commission. The management and disposal of these records must involve consultation between the relevant State or Territory archival authorities. Separate disposal authorisation for these records must be sought from State Records.

Recordkeeping procedures for internal committees

Committee secretary

The Secretary is responsible for:

recording the minutes of the each meeting of the Committee
managing the master set of minutes, agendas and business papers of the Committee
registering the records into the organisation's recordkeeping system
managing the disposal of the master set of minutes, agendas and business papers.

The Secretary of the Committee should manage the master set of minutes, agendas and business papers of the Committee. All other members of the Committee should only have duplicate copies of the agendas, minutes, and business papers. Duplicate copies can usually be disposed under the normal administrative practice provisions of the State Records Act, unless there is an operational need for the duplicate copies.

The master copy of Committee records should be identified as the master set in the organisation's recordkeeping system. It is the responsibility of the Secretary of the Committee to register all committee records into the recordkeeping system. This ensures that records are:

accessible to all who require them, subject to any restrictions that may apply
controlled and managed in accordance with policy and procedures
secured against tampering, unauthorised access or unlawful deletion
disposed of promptly in accordance with legal authority.

Published 2005

Recordkeeping Resources

Committees

Recordkeeping A-Z

C R

R

Records, information and data risks

Types of information risks

Examples of information risks

Reliability and integrity

Accessibility and retrieval

Safe custody

Retention

Ownership

Assessing risks

Where to start

1. Identifying information risks

2. Assessing identified risks

3. Devising risk statement

Acknowledgement

Further resources

RMAT FAQ

RMAT FAQ

What is the RMAT?

Who should use the RMAT?

Does the RMAT cover all obligations from the State Records Act 1998?

How frequently should I use the RMAT?

What are the maturity levels in the RMAT?

Why does the RMAT focus on high risk/high value records and information?

How long does the assessment take?

How should I use the assessment results?

Do I send the results of the assessment to State Records NSW?

When will State Records NSW be undertaking annual reporting using the RMAT?

When and where will the results of the annual reporting be published?

How should large and complex organisations undertake RMAT assessments?

Records Management Fundamentals Presentations

Records Management Fundamentals - CEOs and SROs

Records Management Fundamentals - Staff

Downloads

Recordings of virtual meetings

Managing recordings with business rules

Retaining and disposing of recordings

Royal Commission into Institutional Responses to Child Sexual Abuse

Royal Commission into Institutional Responses to Child Sexual Abuse

Following is a list of resources to assist government and non-government organisations in implementing the Recommendations

Recordkeeping Requirements

Types of recordkeeping requirements

Sources of recordkeeping requirements

Further advice

Recordkeeping guidance for Ministers' Offices

Introduction

What are State records?

Records management obligations

Creating and maintaining full and accurate records

Examples of activities where records should be created and maintained

Common activities and what to document

Standard rules to help manage records

Emails

Social media accounts

Ministerial network or share drive

Retention and disposal of records

State archives

Official Cabinet records

Private records

Budget, Procurement, Travel and Personnel records

Transfer records as State archives to MHNSW

Minister's emails and electronic calendars

Social media records

Authorise public access to records transferred as State archives

Caretaker period

Downloads

Identifying and managing high-value and high-risk records, information and data

Defining high-value and high-risk (HVHR) records, information and data

Identifying HVHR records, information and data

Examples of HVHR records, information and data

Approaches to determining HVHR records, information and data

Tips for managing HVHR records, information and data

1. Develop an understanding of the organisational context

2. List the organisation’s records, information and data as information assets

3. Apply the organisation’s risk management framework to assess and mitigate risks to HVHR records, information and data

Risk assessment examples

4. Collaborate with the CISO and cybersecurity team and/or relevant teams or committees

5. Develop and implement a plan for short-term, mid-term or long-term management of HVHR records, information and data

Further information

Downloads