Outsourcing arrangements, third party and shared service providers
When outsourcing or engaging a service provider to deliver a function or activity on behalf of your agency, they will create, receive and manage records relating to that function.
These records will be public records and your agency remains responsible for them. You need to ensure you can continue to meet your recordkeeping obligations.
This applies to outsourcing or service arrangements for core and administrative functions (e.g. recordkeeping, IT, finance, software-as-a-service arrangements). Arrangements may be with private organisations including non-government organisations, shared service providers or other government agencies.
Determine the status of records
When outsourcing or using a shared service provider, you need to determine:
- what records are created and received on your behalf by the service provider
- which records are your agency's public records and which belong to the service provider
- how public records should be managed.
This will depend on who created the records and why.
Use the status of records during outsourcing cheat sheet to help you.
There are specific recordkeeping considerations when using a service provider.
The service agreement should:
- require the service provider to create and keep complete and reliable records of the activities they perform on behalf of your agency
- require that any public records are returned to you at the end of the agreement unless lawfully destroyed
- ensure recordkeeping responsibilities and requirements associated with the function being outsourced can continue to be met (e.g. access restrictions, privacy, preservation)
- clearly indicate who is responsible for which records
- clearly indicate who is responsible for the actions needed to manage those records, including endorsing the transfer or disposal of records
- ensure each party has access to the records that they need.
Note: If you are supplying a copy of a record to a service provider, consider whether or not you need to remove any confidential or personal information, including from the metadata (e.g. author details). Information should only be removed from a copy of a record, not the original source record.
Find out more about custody, ownership and responsibility for records.
Find out about the options to provide access to records when outsourcing.
Sentencing records created and managed by a service provider
The service provider does not need permission from QSA to use the GRDS or your agency's retention and disposal schedule for your core records.
Any records about the management of the service arrangement should also be sentenced against the most appropriate class in either your agency's core retention and disposal schedule or the GRDS.
Any service provider that is a Queensland government agency should sentence their core and administrative records against their agency schedule or the GRDS as normal.
Private service providers can manage any private records (i.e. their core and administrative records) as per their normal practices.
The following advice includes things to consider before entering into an outsourcing or service arrangement and the recordkeeping requirements.
- Custody, ownership and responsibility for records
- Provide access to records
- Recordkeeping considerations for service arrangements and outsourcing agreements
- Prepare and transfer records to a service provider.
See also cloud services and storage.