The Records Governance Policy (external) has replaced Information Standard 31: Retention and disposal of public records, and Information Standard 40: Recordkeeping. These information standard have been repealed.
Any references to IS31 and IS40 may be taken as a reference to the current Records Governance Policy if the context permits.
Your agency’s recordkeeping requirements are based on:
- your business needs
- legislative obligations
- the technology you need.
Recordkeeping requirements will tell you:
- which specific records must be created and kept
- what format they need to be created in
- how long they need to be kept
- how to store and manage them
- who should have access to them.
Table of contents
Do an environmental scan or assessment of your business areas to determine the recordkeeping requirements that relate to your business. You can do this by:
- looking at business processes and procedures
- identifying and assessing business systems
- assessing if and how recordkeeping applications are currently used
- finding out how records are formally and informally managed
- reading related documents (e.g. policies, procedures, plans, annual reports, external reviews)
- conducting employee interviews to get specific knowledge from business areas.
We recommend that you:
- focus on one area of the business at a time
- keep a record of your findings (e.g. name and description of the application, owner and users, age of application, what kind of information is captured, what records may be created)
- use process maps or other diagrams to explain how processes relate to business operations.
When assessing specific business applications, concentrate on ones that provide some evidence of business operations (e.g. applications that facilitate transactions). Think about:
- specific processes that support business operations (e.g. workflows)
- business rules applied within the applications
- policies and procedures that support the applications
- who uses and manages the applications
- training for employees in the use of the applications or business processes
- web-based applications that are used (e.g. customer complaints using social media).
Your recordkeeping system and strategic plan will need to include the technology your agency uses (e.g. recordkeeping and business applications, devices, cloud services) and how it is managed (e.g. backups, records creation and storage).
Also consider the people who use or manage the technology, any policies, rules or procedures governing its use, and any associated tools.
Business requirements and functionality
Recordkeeping and business applications need to meet your agency’s business needs. Find out if:
- existing workflows are built into the application
- specific fields are required to capture certain information about records (e.g. unique client numbers, date ranges)
- the business requires specific reporting functionality
- the application can accommodate different data formats.
Recordkeeping requirements and functionality
Recordkeeping functionality is not always considered or included in the initial design of business systems, databases and applications. They may have the capacity to create and store records, but not the functionality to manage records, keep necessary metadata or document the disposal of records.
The following is a list of capabilities and functionality you may need:
- Link the record to business context: Your application should let you create documents and place them in files that have been titled in line with a business titling standard. Saving the document in a file links it to the business context and helps make the information a record.
- Manage the records: Records should remain complete and reliable–this is usually the type of functionality that needs to be built into an application.
- Keep and destroy records: Records need to be kept for specific retention periods then legally disposed of. You will need the record to the information about how long records need to be kept and their disposal. This is usually managed by set rules within the recordkeeping application. The application will also need to be able to report on your disposal activities (like when a record is due to be disposed).
- Facilitate importing and exporting: This will assist you with migrating records from one application to another (to ensure they remain accessible over time or when business systems are decommissioned).
The international standard (ISO 16175) developed by the International Council of Archives outlines the main principles and functional requirements for applications and systems that create, control and dispose of digital records.
The standard contains three parts:
- Part 1: Overview and statement of principles (ISO 16175-1:2010)
- Part 2: Guidelines and functional requirements for digital records management systems (ISO 16175-2:2011)
- Part 3: Guidelines and functional requirements for records in business systems (ISO 16175-3:2010).
You can use the standard and the guideline (1.87 MB) to:
- understand and meet your recordkeeping responsibilities
- implement the principles in the standard
- develop specifications and requirements for a new system
- design records management software or other business information systems
- review the functionality of existing systems.
Systems without recordkeeping functionality
If an application does not have automated recordkeeping functionality, you will need to ensure its records are managed and lawfully disposed of by:
- capturing and retaining logs of business/software applications which can act as the source of recordkeeping metadata
- extracting records for migration so they are kept for their authorised retention periods
- developing processes to show that records have been disposed of in line with authorised retention periods
- using application programming interface (API) technology to move records from business applications into a recordkeeping application or eDRMS.
Cloud-based services, storage and systems
Some technology your agency uses to support your business may be based in the cloud (e.g. storage, services, systems and applications).
Find out about the recordkeeping considerations and risks and how to manage cloud storage and cloud based services.
Business, compliance and budgetary requirements, as well as the size and maturity of your agency, will determine which application is right for you.
See the following overviews of common recordkeeping applications.
Electronic document and records management system (eDRMS)
An eDRMS is designed to manage digital records. It combines document management and records management.
- Easy information retrieval.
- Complete records are made and kept.
- Records are managed throughout their lifetime.
- Less chance of information being lost, destroyed or being accessed inappropriately.
- Able to configure and specify the capture of optional and mandatory metadata.
- Can be expensive to implement and support.
- Implementation is a significant change for the business.
- Integration with existing business applications may be needed for the eDRMS to work more efficiently.
- Agencies with developed IT infrastructure.
- Agencies that want a comprehensive digital recordkeeping environment.
Collaborative applications (e.g. SharePoint, Yammer, Lync) may be integrated with other tools or applications to increase functionality. They can enable both workplace collaboration and records management practice.
- Integration with other applications can be a relatively simple process and can act as a pathway to something more comprehensive, like an eDRMS.
- Integrate existing digital work processes with digital recordkeeping through a collaborative environment.
- To ensure collaborative applications have some recordkeeping functionality, significant configuration may be required.
- Apply application controls, business rules, work processes and user training to foster good recordkeeping practices.
Agencies that would like to use collaborative applications to improve business efficiency but who may not have the resources available to implement a dedicated recordkeeping application (e.g. eDRMS).
Ideally, core business applications should include recordkeeping functionality (in reality this may not be the case).
Building functionality allows information and records to be made and kept in the same application.
The best time to think about building recordkeeping functionality into an application is when it is being designed or implemented.
- Employees do not have to duplicate information across applications.
- Eliminates the uncertainty around 2 ‘points of truth’ for business information.
- Integrating recordkeeping functionality can be difficult and expensive.
- Recordkeeping functionality may not be seen as high priority in the design and implementation of new business applications.
- Requires collaboration between IT and recordkeeping areas.
Agencies that want to manage digital records in the business applications that they are first created in.
Shared network drives
If used properly, shared network drives can provide an easy and inexpensive option for storing and locating digital information.
Long term, network drives are not the best strategy for maintaining memory and evidence of business operations.
- An inexpensive way to manage records using existing technology
- User familiarity with this type of technology and the folder structure
- A lack of recordkeeping functionality means records can be changed or deleted.
- Unless strict naming standards are implemented, informal names may lead to issues finding and retrieving information, and records being duplicated.
- Limitations on the amount of metadata (e.g. title, dates) that can be captured, so records may lack context.
- Requires a high level of quality control.
- would like to manage digital records but do not have a formal recordkeeping application or have a limited budget for recordkeeping
- have an already established shared network drive.
Strategies for use
- Create folder and sub-folder titles based on common business activities and/or in alignment with your agency’s retention and disposal schedule.
- Use standard naming convention for folders, sub-folders and document titles.
- Actively manage security, access and the quality of information saved in the shared drive.
- Develop processes to reduce duplicate information (including version control).
- Establish suitable controls to manage access and security.
- Educate all users about the appropriate use of the shared drive. Assign responsibility to someone to monitor the shared drive, manage the folder structure, and apply security and access permissions.
- Invest in a discovery tool to improve search and retrieval.
Paper systems involves printing all records to paper and managing a paper-based environment.
Allows you to keep records in just one format may be less confusing.
- Printing large volumes of paper records isn’t efficient
- When digital records are printed to paper, they may lose context
- Storage space for paper may be expensive
- Paper records may not be accessible to all employees
Agencies with lower levels of technical infrastructure in place (usually very small agencies).
Note: It is not recommended that born digital records are printed and kept in paper. Where possible, they should be managed in their original format, ensuring there are processes in place to:
- manage security and access permissions
- digitally confirm the accuracy of the records
- make them discoverable for as long as required (including following system migrations and upgrades)
- ensure disposal is secure and irreversible.
There is no requirement by QSA or the Public Records Act 2002 to create and keep a physical copy of a born digital record unless you have external business processes that require paper copies.
Hybrid is the capture and use of both paper and digital records.
In a hybrid environment you must be able to manage both formats. Paper records must be captured and managed digitally, usually through the use of a record or file profile that points to the records’ physical location.
- May act as a pathway to a more comprehensive recordkeeping application (e.g. eDRMS).
- Records that must be kept in paper format (e.g. for legal reasons) can be managed.
- Different record formats have different requirements for creation, capture, management, retention and disposal.
- Additional policies, procedures and business rules will need to be put in place to ensure employees know how to create and manage records in each format.
Agencies where recordkeeping maturity and technology differs between business areas.
Recordkeeping obligations and requirements can be found in legislation, policies, procedures and other documents.
Keywords in documents, policies, procedures or legislation that may indicate a recordkeeping requirement include agenda, copy, files, document etc.
See an example of finding a recordkeeping requirement.
Document recordkeeping requirements in the manner best suited to your agency (e.g. spreadsheet, table, form).
This should include all the business, legislative and technology requirements you have identified.
You can use the sample recordkeeping requirements form or adapt it to suit your needs.
You can usually sort requirements by logically grouping them by business or core function (e.g. finance, human resources)
See more advice on recordkeeping requirements for business systems.
- Guidelines and Functional Requirements for Records in Business Systems (1.87 MB), International Council on Archives (ICA)
Provides detailed guidelines on identifying and addressing your recordkeeping needs when looking at business systems, as well as a set of general records management functionality requirements.
- Business Systems Assessment Framework, National Archives of Australia
Provides a streamlined and risk-based tool that you can use to assess the information management functionality in business systems.
- Checklist for assessing business systems, State Archives & Records NSW
Can be used to assess an existing or new business system. It will help you to determine:
- what business activities the system supports and if they are subject to any specific recordkeeping requirements
- how well the system is currently functioning
- what action may be required to enable the system to meet recordkeeping requirements.
- Queensland Government ICT Planning Methodology, QGCIO
This was developed to enable Queensland Government agencies to optimise and align their ICT activities and initiatives with agency and whole-of-Government business direction. It includes clearly defined processes that complement existing strategic, business and ICT planning activities. The methodology is scalable and can be applied to planning units ranging from whole of agency to a single business area.
- Information Technology Infrastructure Library (ITIL), Axelos
Provides best practice guidance to support the service lifecycle. It is a framework for IT service management and covers areas such as service delivery, problem management, change and configuration management and continual process improvement.
- DIRKS Methodology and Manual, State Archives & Records NSW
Provides an eight-step methodology for the design, development and implementation of recordkeeping systems and tools. DIRKS needs to be tailored to fit with the overall project management methodology that is employed by the organisation.