Some danger areas in Government information-handling in the transition to a digital records management system have emerged.
With another year drawing to a close many people will clean out their offices, desks and computer filing systems before taking a break and starting fresh in the new year.
Australian Public Service (APS) employees doing any clean-up will need to be more careful than most, especially in the digital age. All APS employees are responsible for managing records; robust record management practices which clearly document the Government's business decisions (including administrative, procurement and grant decisions) are particularly important. And with the move by the Australian Government to reduce its paper-based records, they must now understand the new digital records management requirements.
This massive growth in digital records, combined with the new rules for digital records (which we look at below) and the old ones still in place, and the auditing for compliance by the Australian National Audit Office (ANAO), make this a priority area for Government agencies. So if you're looking for something to do in the New Year, a health check of your information management system should be high on your list of New Year's resolutions - and it's one you should keep.
Basic framework for record-keeping in the Australian Public Service
APS employees must comply with obligations in the APS Values, the Code of Conduct, and various Acts and policies, including your agency's record management processes and the new Digital Continuity 2020 Policy (see below).
Under section 24 of the Archives Act 1983 (Cth) it's an offence to destroy or dispose of a Commonwealth record unless such destruction or disposal without relevant approvals.
The term "records" is defined broadly - it can cover hard and soft copy, writing, maps, plan drawings, photographs, sound or video recordings, or "anything on which there are marks, figures, symbols or perforations having a meaning for persons qualified to interpret them". As such, section 24 is clearly going to capture a broad range of material.
New rules for websites: the Digital Service Standard
This year has seen the establishment of the Digital Transformation Office (DTO) to provide end-to-end, streamlined and simplified digital service delivery across government. As part of this, it's released the Digital Service Standard which establishes the criteria for all existing and new Australian Federal Government digital services within its scope, such as high-volume transaction services (eg. e-tax services) and digital information services (eg. an agency website).
Agencies should note that the Standard may not apply to everything. For example, digital services which are unlikely to process more than 50,000 transactions per year may not be require to meet the Standard. There may also be legislative and/or technical barriers which may prevent some services transitioning to the Standard. Such issues will need to be addressed over time.
This Standard is supported by the Records Management Design Guide, which gives useful guidance on how agencies can meet the legislative records management requirements when it comes to its web content.
In particular, the DTO notes that "content generated, captured or received using web technologies must be kept as evidence of business activities and decision making for as long as it is required. You need to ensure this is captured in your agency's electronic records management system or in a business system."
The DTO then outlines ways in which to capture web content, manage content for ongoing access, store content and dispose of content when no longer needed.
Digital Continuity 2020 Policy
Complementing the DTO's digital transformation agenda is the National Archives' new Digital Continuity 2020 Policy, which "aims to support efficiency, innovation, interoperability, information re-use and accountability by integrating robust digital information management into all government business processes".
It covers Australian Government information, data and records, including systems, services and processes, as well as information created by third parties on behalf of all agencies. Specifically, it identifies digital information management principles and practices recommended for non-corporate and corporate Commonwealth entities, and wholly-owned companies including government business enterprises (collectively referred to as "agencies" in the Policy). All agencies are required to comply with it, and to meet its targets by set timeframes.
There are three Key Principles in the Policy:
- Information is valued.
- Information is managed digitally.
- Information, systems and processes are interoperable.
The second Principle is the most important from a records management perspective, as it requires agencies to develop end-to-end digital work processes. Its aim is for agencies to have entirely digital work processes, and keep information in an accessible digital form.
The target date set by the Policy for agencies to be working digitally (including with business interactions, decisions and authorisations being recorded digitally) as well as for agencies to have migrated information in analogue format to digital format is 31 December 2020.
Health-check for your digital record-management system
So what are some of ways your record-management system could be failing? From the results of the ANAO's audits, some danger areas in Government information-handling in the transition to a digital records management system have emerged:
- Do you have an overarching information management framework? This should include a clear information and records management strategy.
- Is there someone (preferably senior) accountable for your information management?
- Do you have clear guidelines for your information management, including for sentencing (ie. identifying and classifying records according to a disposal authority) digital records upon creation? Can you incorporate version control dates as part of digital file titling protocols, which helps staff to sentence digital files correctly?
- Do you have a strong management and control framework for the finalisation, deletion and destruction of records? This should include criteria for the finalisation of records. Where files/records are to be destroyed, do you document this? Do you confirm that they are destroyed in accordance with the Australian Government Protective Security Policy Framework?
If you need to overhaul your record-management system, some of the basic features of the project should be:
- a Senior Responsible Officer for project implementation and delivery of outcomes;
- a governance framework to oversee implementation of the project;
- a performance reporting framework to assess progress and outcomes; and
- a risk management plan for the project, including a strategy and timeframe for shared drives to become accessible as "read only".
You might also be interested in...
- $30 million Cyber Security Growth Centre intended as a global leader in the cyber security industry
- Pulling up the drawbridge: protecting yourself against cyber attacks Part 1
- Pulling up the drawbridge: protecting yourself against cyber attacks Part 2: Cloud computing
Clayton Utz communications are intended to provide commentary and general information. They should not be relied upon as legal advice. Formal legal advice should be sought in particular transactions or on matters of interest arising from this bulletin. Persons listed may not be admitted in all states and territories.