Manage backups of your records

Backups of entire systems and information in case of failure are usually done for disaster recovery or business continuity purposes.

Recordkeeping considerations

Your agency IT team will create and manage backups. You may need to ensure that:

  • backups can be used to restore some or all records
  • individual records can be extracted
  • backups are managed appropriately, kept for as long as necessary and destroyed correctly.

You may need to consider:

  • the backup cycle (e.g. daily, weekly or monthly)
  • whether backups are incremental, full or a combination of both depending on when it's done
  • how critical the information being backed up is and how often it is changed in the application
  • how often backups are tested to ensure that the system can be recovered from the backups
  • how long backups are kept
  • whether your IT team knows how to extract individual records from the backup.

It may be necessary to have multiple backups in multiple locations. While this can make it difficult to destroy data, it may be necessary if a location or backup fails.

Destroy backups

Backups can be destroyed after business action completed under the General Retention and Disposal Schedule. You and your agency's IT team will need to decide when that is.

Why backups are not a recordkeeping system

Backups are not recordkeeping systems and should only be used for business continuity and disaster preparedness purposes. This is because they:

  • save all your data as one collection of information or as an entire system—this makes it difficult to find information and manage retention periods
  • are usually unable to ensure records remain accessible, usable and preserved for the entire time you need to keep the records
  • don't usually keep or maintain any of the metadata associated with the records
  • use proprietary storage software meaning you need to pay to maintain access to your backups
  • increase the risks to your records and information the longer you keep them, particularly if vendors change or go out of business
  • are at risk of technological obsolescence if they rely on specific software or hardware.

More information

The Information Security Policy includes information on backup requirements and the appropriate disposal of media.

Determine what you need to do to sentence and destroy records, including backups.