Records governance policy implementation guideline

Final | June 2018 | v1.0.1 | OFFICIAL - Public|Queensland State Archives

This guideline supports the Records governance policy and has been designed to simplify the approach to records management, while recognising the diversity of all Queensland Government agencies.

Scope

Its important to remember that there is no single method for agencies to meet these policy requirements. Each agency has its own individual profile, business environment, strategies and objectives so each journey to meeting these requirements will look very different. We expect that agencies will take a creative and innovative approach to addressing these requirements with a strong focus on collaboration with other agencies to develop and implement shared solutions to common records management problems. For each policy requirement we have provided suggested implementation approaches.

Applicability

This guideline is issued on the authority of the State Archivist under s.25 (1)(f) of the Public Records Act 2002 (Opens in new window) .

This guideline applies to the public authorities as defined in the Public Records Act 2002.

Where this guideline references agencies, this means all public authorities as defined by the Public Records Act 2002.

Policy requirement 1: Agencies must ensure records management is supported at all levels of the business

For records management to be transformed from an operational function to a strategic enabler, we believe that it must be supported at all levels of the business. This means that senior leaders commit to investing adequate time and resources into records management, that records professionals are responsible for promoting the strategic records management agenda and that every employee understands and carries out their legislative obligations to make and keep records and information.

1.1 Assigning formal records management responsibilities to key roles within the business to monitor and support the active implementation of this policy

Agencies may meet this action by:

• introducing high-level, specialist records roles that advocate for and promote the criticality and importance of records management in the agency
• assigning senior roles that are responsible for transforming records management from an operational to a strategic level within the agency
• delegating responsibilities under the Public Records Act 2002 to suitably skilled roles
• introducing internal performance requirements for Senior Executives to be responsible for advocating the value of records management within their business units.

1.2 Providing appropriate advice and guidance to ensure the business is aware of the value of records and information and how this relates to their obligations and responsibilities as an employee

Agencies may meet this action by:

• articulating clearly to employees their specific legislative obligations to make and keep records under the Public Records Act 2002
• developing and implementing an active records training and awareness program, including inductions for new employees
• assigning committee member roles (i.e. ICT Steering committees) to records and information specialists
• using qualified, specialist roles to provide records management advice and guidance
• providing ongoing support and advice to key information access and management roles such as Right to Information Officers, project managers and officers responsible for delivering on the agencies strategic plan
• communicating clearly and regularly the links between records management and the strategic goals of the agency.

1.3 Fostering a positive, innovative and collaborative recordkeeping culture

Agencies may meet this action by:

• introducing records management as a standing item in Senior Leadership meetings (or your agency's equivalent)
• communicating the value of records within the agency
• promoting the benefits of records management at all levels within the agency
• committing to invest adequate agency resources in records management.

Related resources

The following QGEA documents are also relevant to this policy requirement:

• Recordkeeping assessment tool
• Information asset custodianship policy (IS44)
• Information governance policy and guideline (this guideline)
• Information management roles and responsibilities guideline.

Policy requirement 2: Agencies must systematically manage records using governance practices that are integrated and consistent with broader agency frameworks

For records management to be seen as a strategic enabler, we would like agencies to use existing governance practices to embed records governance in their current functions, activities and processes. This means looking at how other parts of your agency manage governance and using those established frameworks, strategies and policies as a basis for how your records governance could look. In meeting this policy requirement, we want agencies to ask themselves how can records management contribute to my agency achieving every objective in our strategic plan?

2.1 Ensuring records and information governance is aligned with broader agency frameworks and incorporated in business strategies and objectives

Agencies may meet this action by:

• assessing how governance is structured and operationalised in other functional areas of the agency
• developing governance frameworks and structures that are aligned with the governance of other functional areas of the agency
• assessing the agency's strategic goals and objectives and using these as a foundation for records governance
• incorporating records management in strategic business activities (e.g. strategic planning)
• continuously adapting records and information governance to the constantly changing strategic imperatives and objectives.

Note: Queensland Government departments should ensure that records management, as a legislatively enforced sub-domain of the broader information management context, is aligned with any formal information management frameworks, strategies and plans.

2.2 Developing and implementing appropriate and fit-for-purpose documentation that details how active records management will strengthen agency business imperatives and strategic goals

Agencies may meet this action by:

• developing authoritative records management tools (e.g. policies, methodologies, plans or equivalent tools relevant to the governance practices of the agency)
• developing supporting tools (e.g. best practice manuals, procedures, standards or equivalent tools relevant to the governance practices of the agency)
• integrating records management into core and operational functions (e.g. operational methodologies, practice manuals or equivalent functions relevant to the governance practices of the agency)
• aligning the intent and objectives of the above tools with the strategic objectives of the agency
• implementing the above tools with the focus on communicating to all employees their responsibility to fulfil their requirements of this policy.

2.3 Complying with relevant legislation that governs recordkeeping requirements

Agencies may meet this action by:

• reviewing and mapping their recordkeeping requirements against relevant legislation such as the Public Records Act 2002 on a regular basis
• developing and implementing recordkeeping activities to meet these requirements
• reviewing and monitoring compliance on a regular basis
• integrating these requirements when developing records management tools and frameworks.

2.4 Measuring how well records governance is supporting agency business imperatives and strategic goals

Agencies may meet this action by:

• using the agency's strategic plan as a foundation for developing records management metrics, and adapting these to the constantly changing business imperatives and objectives
• assessing current operational records management metrics and only using those that are truly useful, provide value and support the strategic goals of the agency
• incorporating records management into formal audit, reporting or business compliance agendas of the agency
• promoting the positive outcomes of records management metrics that support the strategic goals of the agency
• proactively developing tools and processes that use agency records and information to provide business insights.

Related resources

The following QGEA documents are also relevant to this policy requirement:

• Recordkeeping assessment tool
• ICT resources strategic planning policy
• Information governance policy and guideline (this guideline)
• Investment (ICT) planning methodology.

Policy requirement 3: Agencies must create complete and reliable records

For agencies to be able to get the most value out of their records and information, there are two crucial elements records must be created in the first place, and they must be complete and reliable. A complete record is one that tells an entire story, which means it contains rich context and detail from essential metadata like descriptions, relationships and history. In our current digital environment, its likely that a complete record is one thats held across multiple business systems and applications, in a variety of formats. A reliable record is a record that can be trusted and is accurate, authentic and useable. Its the responsibility of the agency to identify what these records are, set governance (rules) around how they are made and kept and work towards making these creation processes as easy as possible for the agency to manage.

3.1 Identifying all the records that allow the business to operate these provide evidence of decisions, support accountability and transparency, mitigate risk, help the agency meet legislative requirements and reflect the business of the agency

Agencies may meet this action by:

• identifying those business functions that directly support the accountability and transparency of the agency
• evaluating risk registers or risk reporting tools within the agency and identifying the records that document and provide evidence of risk mitigation and treatment strategies
• evaluating all legislation and regulatory documentation relevant to the agency and its operating environment and identifying records that support this
• identifying the records and information that reflect the core and administrative functions of the agency
• leveraging existing information asset registers (including those submitted under the ICT profiling standard, if applicable) to identify possible records that provide evidence of agency business
• performing these evaluations and assessments regularly to ensure complete and reliable records are identified
• importantly, identifying the rich context and detail in any related or supporting records
• formally documenting all the above identified records in a format that allows for constant updating, adaptation and reviewing.

Note: We strongly suggest that agencies that have established information asset registers could use these as a basis for documenting records in the first instance.

3.2 Specifying how these records must be created, when they must be created, the format they must be created in, who must create them and implementing security and preservation requirements associated with those records

Agencies may meet this action by formally documenting:

• the process of creation for records identified above some processes will be automated (like data entry in a business system) and some processes will be manual (specifying that an employee must save a record/s in a particular system, application or location)
• expectations of when records must be created this is particularly important if records are not created automatically and need to be saved into a system, application or location in a timely manner for them to be discoverable and accessible
• where records must be made and kept this means specifying the business systems, applications and locations that records must be saved to for them to be discoverable and accessible
• who is responsible for creating specific records a simple way of doing this is to map records to business functions and assign responsibilities to roles rather than individuals.

3.3 Integrating record creation into existing business processes

Agencies may meet this action by:

• identifying opportunities for and implementing record creation automation using business system and application functionality
• researching, developing and implementing new methods of record creation that complement existing business processes.

3.4 Ensuring recordkeeping is considered when decisions are made about business systems (particularly decisions around migration and end of life)

Agencies may meet this action by:

• integrating records requirements in relevant core and operational policies (or equivalent tools relevant to the governance practices of the agency) related to migration and end of life plans
• assigning specific roles to records and information specialists during the procurement, review and development of business systems
• developing and implementing an authoritative tool (policy statement or equivalent tool relevant to the governance practices of the agency) to govern this process
• ensuring records requirements are actively considered and supported by allowing records specialists to advocate for and influence discussions and decisions about systems that hold records.

Related resources

The following QGEA documents are also relevant to this policy requirement:

• Record keeping assessment tool
• ICT risk management
• ICT profiling standard
• Information asset custodianship policy (IS44)
• Information asset register guideline
• Information management roles and responsibilities guideline.

Policy requirement 4: Agencies must actively manage permanent, high-value and high-risk records and information as a priority

We expect agencies to focus their resources on applying records management controls to permanent, high-value and high-risk records as a priority. While QSA is generally responsible for determining permanent value records of the state, its the responsibility of each agency to determine what high-value and high-risk means to them. Agencies must also put appropriate controls in place to actively manage those records from their initial point of creation through to disposal or transfer to Queensland State Archives.

4.1 Defining criteria and processes for identifying permanent, high-value and high-risk records, including transfer of permanent value records to QSA

Agencies may meet this action by:

• identifying what permanent, high-value and high-risk means to them this will look different for each agency based on their core business, operating environment and strategic priorities.
• formally documenting this criteria and processes this can be articulated in any way an agency chooses, on a scale relevant to their requirements (e.g. a methodology, program, policy, standard or equivalent tool relevant to the governance practices of the agency).

Note: what we commonly refer to as vital records will generally fall into this category, although the scope for permanent, high-value and high-risk should be wider than the traditional criteria for vital records.

Note: We strongly suggest that agencies with existing information asset registers leverage the content of these to help identify high-value and high-risk records.

4.2 Formally documenting details of permanent, high-value and high-risk records

Agencies may meet this action by:

• using a register (or equivalent documentation, relevant to the governance practices of the agency) to formally document specific metadata (details) of permanent, high-value and high-risk records.

Note: We strongly suggest that agencies that have existing information asset registers could use these as a basis for documenting records in the first instance.

4.3 Actively maintaining visibility of these records while they are being used, including monitoring processes for permanent, high-value and high-risk records held in business systems and applications

Agencies may meet this action by developing and implementing:

• a comprehensive tool (e.g. methodology, program or equivalent tool relevant to the governance practices of the agency) that provides for constant visibility over the creation, use, health and status of all permanent, high-value and high-risk records.
• processes for actively managing permanent, high-value and high-risk records. When we say actively managing, we mean continuously applying specific records controls that relate to the management and status of permanent, high-value and high-risk records:
  • Record creation and capture
  • Record classification
  • Record storage and preservation
  • Record security and access
  • Record retention and disposal

Note: Agencies should use terminology relevant to their own governance practices.

Note: At a minimum, we would like agencies to apply records controls to identified permanent, high-value and high-risk records. It is best practice that these controls are applied to all records, however we acknowledge the difficulty of doing this in the current digital environment. All agencies should aspire to a reality where they can apply controls over all records and information within their agency, regardless of their system, application or format.

Related resources

The following QGEA documents are also relevant to this policy requirement:

• Recordkeeping assessment tool
• ICT profiling standard refer to 5.1 At-risk systems requirements and Appendix C: At risk ICT systems reporting guidance
• Information asset custodianship policy (IS44)
• Information asset register guideline
• Information security policy (IS18:2018)
• Metadata policy (IS34)
• Queensland Government Information security classification framework (QGISCF).

Policy requirement 5: Agencies must make records discoverable and accessible for use and re-use

We believe that we dont keep records just to keep them; we keep them so we can use them for something routine (like making a decision or providing evidence) and then re-use them for something new and innovative (like using records to provide key insights to predict government trends). With discoverability and accessibility as drivers, agencies should take steps to make use and re-use as easy as possible. By this, we mean keeping records in the systems and applications that theyre created in (there are exceptions to this) and putting processes in place to be able to maintain overall visibility of these records.

5.1 Keeping records in business systems and applications approved for use by the agency

Agencies may meet this action by:

• formally documenting the requirement for records to only be made and kept in business systems and applications that are approved for use by the agency
• managing the records that are being made and kept in business systems and applications that are not approved for use by the agency
• avoiding the use of non-agency endorsed platforms for government business.

Note: when we say business systems and applications approved for use by the agency, we mean those that are verified, compatible and passed for use by the agencies IT administration

5.2 Being able to discover and appropriately access records, with confidence in sufficiency of search

Agencies may meet this action by:

• being able to identify what kinds of records are being made and kept in every business system and application that is being used within the agency
• implementing modern technical solutions that provide a comprehensive view of records held within all business systems and applications used within an agency
• develop and implement a process for maintaining continual visibility over records in all business systems and applications used within or on behalf of, an agency.

Note: When we say confidence in sufficiency of search, we mean how confident you feel that a performed search will reliably return all relevant records from all systems that can be accessed and used.

5.3 Actively monitoring the health of records

Agencies may meet this action by:

• Implementing modern technical solutions that allow the ability to monitor the health and status of records held within all business systems and applications used within an agency. Agencies should consider the following areas of records control when considering the accessibility and preservation and status of records and information, particularly permanent, high-value and high-risk records:
  • record creation and capture
  • record classification
  • record storage and preservation
  • record security and access
  • record retention and disposal.
• Ensuring all solutions and related supporting tools are regularly maintained to adapt to the agency's changing environment.

Related resources

The following documents are also relevant to this policy requirement:

• Recordkeeping assessment tool
• Private email use policy (Public Sector Commission)
• Metadata policy (IS34)

Policy requirement 6: Agencies must dispose of records in a planned and authorised way

Agencies must plan for how and when they will dispose of specific records. We expect that agencies will take a risk-based approach and prioritise disposal based on what will provide the best return for government, noting that disposal includes transferring your permanent records to Queensland State Archives. For agencies with large volumes of records, you might need to dispose of records regularly to free up space and resources. Some agencies might keep the majority of records in business systems and applications until its more convenient to dispose e.g. at the end of a systems life. Some agencies could focus their disposal plan only on the disposal of those records that hold considerable risk if they werent disposed of.

6.1 Using the disposal authorities issued by the State Archivist, that provide proper coverage of the specific records you create and keep

Agencies may meet this action by:

• evaluating the agency's records and mapping these to approved disposal authorities to ensure full retention and disposal coverage.

6.2 Developing and implementing a disposal plan, which details disposal decisions and actions for the agency

Agencies may meet this action by:

• developing and implementing the process for CEO authorisation of disposal (including the delegation of authority and standing arrangements for the disposal of specific records) in accordance with Queensland State Archives disposal authorities
• developing and implementing a disposal plan for the agency. This plan is likely to include elements such as:
  • disposal endorsement, including how internal endorsement is given
  • disposal methods, including how specific records will be disposed of
  • disposal frequency, including how often you choose to dispose of specific types of records.
• developing and implementing tools (e.g. processes, manuals or templates) to support the elements of the disposal plan.
• ensuring permanent records are transferred to Queensland State Archives, and non-permanent high-value high risk records are managed and preserved in accordance with disposal authorities and the Public Records Act 2002.

6.3 Formally documenting the disposal of records

Agencies may meet this action by:

• maintaining a disposal log (or equivalent tool relevant to the governance practices of the agency) that contains metadata supporting record disposal and fits the requirements of the agency. Suggested metadata includes:
  • evidence of the disposal authorisation used
  • a description of the records and the date range
  • evidence of disposal approval (from the CEO, delegate, etc)
  • evidence of how the records were disposed of.

Related resources

The following QGEA documents are also relevant to this policy requirement:

• Record keeping assessment tool
• Information security policy (IS18:2018)
• Procurement and disposal of ICT products and services (IS13) policy.