Implementing the Records governance policy

It’s important to remember that there is no single method for public authorities to meet these policy requirements. Each public authority has its own individual profile, business environment, strategies and objectives, and actions taken to meet these requirements may be different.

The below Records governance policy implementation advice and Recordkeeping maturity assessment tool (XLSX, 90.5 KB) complement the Records governance policy, and support your public authority to operationalise best practice records management.

Policy requirement 1: Public authorities must ensure records management is supported at all levels of the business

For records management to be transformed from an operational function to a strategic enabler, it must be supported at all levels of the business. This means senior leaders commit to investing adequate time and resources into records management, that records professionals are responsible for promoting the strategic records management agenda and that every employee understands and carries out their legislative obligations to make and keep records and information.

Public authorities may meet this action by:

  • introducing high-level, specialist records roles that advocate for and promote the criticality and importance of records management in the public authority
  • assigning senior roles that are responsible for transforming records management from an operational to a strategic level within the public authority
  • delegating responsibilities under the Public Records Act 2023 to suitably skilled roles
  • introducing internal performance requirements for Senior Executives to be responsible for advocating the value of records management within their business units.

Public authorities may meet this action by:

  • articulating clearly to employees their specific legislative obligations to make and keep records under the Public Records Act 2023
  • developing and implementing an active records training and awareness program, including inductions for new employees
  • assigning committee member roles (i.e. ICT steering committees) to records and information specialists
  • using qualified, specialist roles to provide records management advice and guidance
  • providing ongoing support and advice to key information access and management roles such as Right to Information officers, project managers and officers responsible for delivering on the authority’s strategic plan
  • communicating clearly and regularly the links between records management and the strategic goals of the public authority.

Public authorities may meet this action by:

  • introducing records management as a standing item in Senior Leadership meetings (or the public authority’s equivalent)
  • communicating the value of records within the public authority
  • promoting the benefits of records management at all levels within the public authority
  • committing to invest adequate public authority resources in records management.

The following QGEA documents may also be useful for this policy requirement:

Policy requirement 2: Public authorities must systematically manage records using governance practices that are integrated and consistent with broader business frameworks

For records management to be seen as a strategic enabler, public authorities should use existing governance practices to embed records governance in their current functions, activities and processes. This means looking at how other parts of your organisation manage governance and using those established frameworks, strategies and policies as a basis for how your records governance could look. In meeting this policy requirement, public authorities may ask themselves “how can records management contribute to my organisation achieving every objective in our strategic plan?”

Public authorities may meet this action by:

  • assessing how governance is structured and operationalised in other functional areas of the public authority
  • developing governance frameworks and structures that are aligned with the governance of other functional areas of the public authority
  • assessing the public authority’s strategic goals and objectives and using these as a foundation for records governance
  • incorporating records management in strategic business activities (e.g. strategic planning)
  • continuously adapting records and information governance to the constantly changing strategic imperatives and objectives.

Records management is a legislatively enforced subdomain of the broader information management context. Queensland Government departments should ensure that their formal information management frameworks, strategies and plans and their records governance approach are aligned.

Public authorities may meet this action by:

  • developing authoritative records management tools (e.g. policies, methodologies, plans or equivalent tools relevant to the governance practices of the public authority)
  • developing supporting tools (e.g. best practice manuals, procedures, standards or equivalent tools relevant to the governance practices of the public authority)
  • integrating records management into core and operational functions (e.g. operational methodologies, practice manuals or equivalent functions relevant to the governance practices of the public authority)
  • aligning the intent and objectives of the above tools with the strategic objectives of the public authority
  • implementing the above tools with the focus on communicating to all employees their responsibility to fulfil their requirements of this policy.

Public authorities may meet this action by:

  • reviewing and mapping their recordkeeping requirements against relevant legislation such as the Public Records Act 2023 on a regular basis
  • developing and implementing recordkeeping activities to meet these requirements
  • reviewing and monitoring compliance on a regular basis
  • integrating these requirements when developing records management tools and frameworks.

Public authorities may meet this action by:

  • using the public authority’s strategic plan as a foundation for developing records management metrics, and adapting these to the constantly changing business imperatives and objectives
  • assessing current operational records management metrics and only using those that are useful, provide value and support the strategic goals of the public authority
  • incorporating records management into formal audit, reporting or business compliance agendas of the public authority
  • promoting the positive outcomes of records management metrics that support the strategic goals of the public authority
  • proactively developing tools and processes that use records and information to provide business insights.

The following QGEA documents may also be useful for this policy requirement:

Policy requirement 3: Public authorities must make complete and reliable records

For public authorities to be able to get the most value out of their records and information, there are two crucial elements – records must be created, and they must be complete and reliable. A complete record is one that tells an entire story, which means it contains context and detail from essential metadata like descriptions, relationships and history. In our current digital environment, it’s likely that a complete record is one that’s held across multiple business systems and applications, in a variety of formats. A reliable record is a record that can be trusted and is accurate, authentic and useable. It’s the responsibility of the public authority to identify what these records are, set governance (rules) around how they are made and kept and work towards making these creation processes as easy as possible for the authority to manage.

Public authorities may meet this action by:

  • identifying those business functions that directly support the accountability and transparency of the public authority
  • evaluating risk registers or risk reporting tools within the public authority and identifying the records that document and provide evidence of risk mitigation and treatment strategies
  • evaluating all legislation and regulatory documentation relevant to the public authority and its operating environment and identifying records that support this
  • identifying the records and information that reflect the core and administrative functions of the public authority
  • leveraging existing information asset registers (including those submitted under the ICT profiling standard, if applicable) to identify possible records that provide evidence of public authority business
  • performing these evaluations and assessments regularly to ensure complete and reliable records are identified
  • importantly, identifying the rich context and detail in any related or supporting records
  • formally documenting all the above identified records in a format that allows for constant updating, adaptation and reviewing.

Note: Public authorities should have established information asset registers which could be used as a basis for documenting records in the first instance.

Public authorities may meet this action by formally documenting:

  • the process of creation for records identified above – some processes will be automated (like data entry in a business system) and some processes will be manual (specifying that an employee must save a record/s in a particular system, application or location)
  • expectations of when records must be made – this is particularly important if records are not made automatically and need to be saved into a system, application or location in a timely manner for them to be discoverable and accessible
  • where records must be made and kept – this means specifying the business systems, applications and locations that records must be saved to for them to be discoverable and accessible
  • who is responsible for making specific records – a simple way of doing this is to map records to business functions and assign responsibilities to roles rather than individuals.

Public authorities may meet this action by:

  • identifying opportunities for and implementing record making automation using business system and application functionality
  • researching, developing and implementing new methods of record making that complement existing business processes.

Public authorities may meet this action by:

  • integrating records requirements in relevant core and operational policies (or equivalent tools relevant to the governance practices of the public authority) related to migration and end of life plans
  • assigning specific roles to records and information specialists during the procurement, review and development of business systems
  • developing and implementing an authoritative tool (policy statement or equivalent tool relevant to the governance practices of the public authority) to govern this process
  • ensuring records requirements are actively considered and supported by allowing records specialists to advocate for and influence discussions and decisions about systems that hold records.

Policy requirement 4: Public authorities must actively manage permanent, high-value and high-risk records and information as a priority

Public authorities should focus their resources on applying records management controls to permanent, high-value and high-risk records as a priority. While QSA is generally responsible for determining permanent value records of the state, it’s the responsibility of each public authority to determine what high-value and high-risk means to them. Public authorities must also put appropriate controls in place to actively manage those records from the initial point of being made through to disposal or transfer to QSA.

Permanent value, in relation to a public record, means that, having regard to any archives appraisal statement:

  1. the record has been identified for retention under a disposal authorisation; or
  2. the record otherwise has enduring value and is appropriate for retention in the custody of the archives.

High-value records are those that are important to the business, its operations, or stakeholders.

High-risk records are those that pose a significant risk to the public authority if they were misused, lost, damaged or deleted prematurely. These records should have the highest priority for public authorities when developing and implementing their governance practices.

Public authorities may meet this action by:

  • identifying what permanent, high-value and high-risk means to them – this will look different for each public authority based on their core business, operating environment and strategic priorities.
  • formally documenting these criteria and processes – this can be articulated in any way a public authority chooses, on a scale relevant to their requirements (e.g. a methodology, program, standard, policy, guideline or equivalent tool relevant to the governance practices of the public authority).

Note: Vital records will generally fall into this category, although the scope for permanent, high-value and high-risk should be wider than the traditional criteria for vital records.

Note: Public authorities with existing information asset registers should leverage the content of these to help identify high-value and high-risk records.

Public authorities may meet this action by using a register (or equivalent documentation, relevant to the governance practices of the public authority) to formally document specific metadata of permanent, high-value and high-risk records.

Note: Public authorities with existing information asset registers could use these as a basis for documenting records in the first instance.

Public authorities may meet this action by developing and implementing:

  • a comprehensive tool (e.g. methodology, program or equivalent tool relevant to the governance practices of the public authority) that provides for constant visibility over the making, use, health and status of all permanent, high-value and high-risk records.
  • processes for actively managing permanent, high-value and high-risk records. Actively managing means continuously applying specific records controls that relate to the management and status of permanent, high-value and high-risk records:
    • Record making and capture
    • Record classification
    • Record storage and preservation
    • Record security and access
    • Record retention and disposal.

Note: Public authorities should use terminology relevant to their own governance practices.

Note: At a minimum, public authorities should apply records controls to identified permanent, high-value and high-risk records. It is best practice that these controls are applied to all records, however the difficulty of doing this in the current digital environment is acknowledged. All public authorities should aspire to applying controls over all records and information, regardless of the system, application or format.

The following QGEA documents may also be useful for this policy requirement:

Policy requirement 5: Public authorities must ensure records are discoverable and accessible for use and re-use

With discoverability and accessibility as drivers, public authorities should take steps to make use and re-use of records (e.g. to provide key insights to predict trends) as easy as possible. Public authorities should have processes in place that maintain overall visibility of their records.

Public authorities may meet this action by:

  • formally documenting the requirement for records to only be made and kept in business systems and applications that are approved for use by the public authority
  • managing the records that are being made and kept in business systems and applications that are approved for use by the public authority
  • avoiding the use of business systems and applications that are not approved for use by the public authority.

Note: Business systems and applications approved for use by the public authority are those that are verified, compatible and approved for use by the public authority’s ICT administration and/or records area.

Public authorities may meet this action by:

  • being able to identify what kinds of records are being made and kept in every business system and application that is being used within the public authority
  • implementing modern technical solutions that provide a comprehensive view of records held within all business systems and applications used within the public authority
  • developing and implementing a process for maintaining continual visibility over records in all business systems and applications used within, or on behalf of, the public authority.

Note: Confidence in sufficiency of search means being confident that a performed search will reliably return all relevant records from all systems that can be accessed and used.

Public authorities may meet this action by:

  • Implementing modern technical solutions that allow monitoring of the health and status of records held within all business systems and applications used within the public authority. Public authorities should consider the following areas of records control when considering the accessibility, preservation and status of records and information, particularly permanent, high-value and high-risk records:
    • record making and capture
    • record classification
    • record storage and preservation
    • record security and access
    • record retention and disposal.
  • Ensuring all solutions and related supporting tools are regularly maintained to adapt to the public authority’s changing environment.

Policy requirement 6: Public authorities must dispose of records in a planned and authorised way

Public authorities must plan for how and when they will dispose of specific records in an authorised way. Public authorities should take a risk-based approach and prioritise disposal based on what will provide the best return for government, including transferring your permanent records to QSA. Public authorities with large volumes of records might need to dispose of records regularly to free up space and resources. Some public authorities may keep the majority of records in business systems and applications until it’s more convenient to dispose of them, e.g. at the end of a system’s life where the retention period is shorter than the system’s life. Some public authorities may focus the disposal plan on the disposal of those records that hold considerable risk if they are retained longer than required.

Public authorities may meet this action by evaluating the public authority’s records and mapping these to approved disposal authorities to ensure full minimum retention and disposal coverage.

Public authorities may meet this action by:

  • Developing and implementing the process for CEO authorisation of disposal (including the delegation of authority for the disposal of specific records) in accordance with QSA disposal authorities
  • Developing and implementing a disposal plan for the public authority. This plan is likely to include elements such as:
    • Disposal endorsement, including how internal endorsement is given
    • Disposal methods, including how specific records will be disposed of
    • Disposal frequency, including how often you choose to dispose of specific types of records
  • Developing and implementing tools (e.g. processes, manuals or templates) to support the elements of the disposal plan.
  • Ensuring permanent records are transferred to QSA, and non-permanent high-value, high-risk records are managed and preserved in accordance with disposal authorities and the Public Records Act 2023.

Public authorities may meet this action by maintaining a disposal log (or equivalent tool relevant to the governance practices of the public authority) that contains metadata supporting record disposal and fits the requirements of the public authority.

Suggested metadata includes:

  • evidence of the disposal authorisation used
  • a description of the records and the date range
  • evidence of disposal approval (from the CEO, delegate, etc.)
  • evidence of how the records were disposed of.

The following QGEA documents may also be useful for this policy requirement: