Principle 1: Organisations take responsibility for records and information management
To ensure records and information are able to support all corporate business operations, organisations should establish governance frameworks. These include:
- policy directing how records and information shall be managed
- assigning responsibilities
- establishing provisions for records and information in outsourcing and service delivery arrangements
- monitoring records and information management activities, systems and processes.

| | Minimum compliance requirements | Examples of how a public office can demonstrate compliance with the requirement |
|---|---|---|
| 1.1 | Corporate records and information management is directed by policy and strategy. | - Corporate policy on IM/RM adopted at Senior Executive level.<br>- Corporate strategy on IM/RM adopted at Senior Executive level. |
| 1.2 | Records and information management is the responsibility of senior management who provide direction and support for records and information management in accordance with business requirements and relevant laws and regulations. | - Responsibility assigned in corporate policy on IM/RM<br>- Policy reflects Chief Executive's responsibility to ensure compliance with State Records Act (section 10). |
| 1.3 | Corporate responsibility for the oversight of records and information management is allocated to a designated individual (senior responsible officer). | - Responsibility assigned in corporate policy on IM/RM.<br>- Responsibility assigned in individual performance plans.<br>- NSW State Archives and Records has been advised of the organisation's senior responsible officer. |
| 1.4 | Organisations have skilled records and information management staff or access to appropriate skills. | - Responsibility assigned in corporate policy on IM/RM.<br>- Skills and capabilities reflected in relevant role descriptions.<br>- Responsibility assigned in performance plans and/or service agreements. |
| 1.5 | Responsibility for ensuring that records and information management is integrated into work processes, systems, and services is allocated to business owners and business units. | - Responsibility assigned in corporate policy on IM/RM.<br>- Responsibility assigned in performance plans.<br>- Documentation identifies owners of systems.<br>- Responsibility for ensuring records and information management is included in systems and processes, is assigned to owners of systems. |
| 1.6 | Staff and contractors understand the records management responsibilities of their role, the need to make and keep records, and are familiar with the relevant policies and procedures. | - Responsibility assigned in corporate policy on IM/RM.<br>- Skills, capabilities and responsibilities are reflected in relevant role descriptions and/or performance plans.<br>- Policy, business rules or procedures articulate/document staff requirements and responsibilities for the creation and management of records. |
| 1.7 | Records and information management responsibilities are identified and addressed in outsourced, cloud and similar service arrangements. | - Responsibility included in corporate policy on IM/RM.<br>- Demonstrate that records and information management is assessed in outsourced and service contracts and instruments and included where required.<br>- Portability of records and information is assessed in outsourced, cloud and similar service arrangements. |
| 1.8 | Records and information management is monitored and reviewed to ensure that it is performed, accountable and meets business needs. | - Documented monitoring of activities, systems and processes, and corrective actions undertaken to address issues. |

Principle 2: Records and information management support business
The core role of records and information management is to ensure the creation, maintenance, useability and sustainability of the records and information needed for short and long term business operations.
By undertaking an assessment of records and information needs, public offices can define their key business information. Public offices should use this assessment to design records and information management into processes and systems. This will ensure that records and information support business operations and accountability requirements, and sustain records and information needed for the short and long term.
Taking a planned approach to records and information management means all operating environments are considered. It also means that the creation and management of records and information needed to support business are considered in all system and service arrangements.

| | Minimum compliance requirements | Examples of how a public office can demonstrate compliance with the requirement |
|---|---|---|
| 2.1 | Records and information required to meet short and long term needs are identified. | - Documented decisions, policy, business rules or procedures on what records and information are required to meet or support business and identified recordkeeping requirements, including accountability and community expectations.<br>- Current, comprehensive and authorised records retention and disposal authorities are in place.<br>- Decisions are documented or reflected in specifications for systems and metadata schema. |
| 2.2 | High risk and high value areas of business and the systems, records and information needed to support these business areas are identified. | - Identify and document which systems hold high risk and/or high value records and information.<br>- Information risks are identified, managed or mitigated.<br>- Systems managing high risk and/or high value records and information are protected by business continuity strategies and plans.<br>- Documented policy, business rules and procedures for high risk and/or high value business processes include responsibilities for the creation and management of records and information. |
| 2.3 | Records and information management is a designed component of all systems and service environments where high risk and/or high value business is undertaken. | - Evidence that records and information management is assessed in system acquisition, system maintenance and decommissioning, and implemented where required.<br>- Systems specifications for high risk and high value business include records and information management requirements.<br>- Systems specifications include requirements for metadata needed to support records identification, useability, accessibility, and context.<br>- Documentation of systems design and configuration maintained. |
| 2.4 | Records and information are managed across all operating environments. | - Identify and document where records and information are held across diverse system environments or physical locations.<br>- Documented strategy for managing records and information in diverse system environments and physical locations. |
| 2.5 | Records and information management is designed to safeguard records and information with long term value. | - Identify and document which systems hold records of identified or potential permanent or long term value.<br>- Identify and document where records of identified or potential permanent or long term value are located.<br>- Records and information are kept for as long as they are needed for business, legal requirements (including in accordance with current authorised records retention and disposal authorities), accountability, and community expectations.<br>- Decommissioning of systems takes into account retention and disposal requirements for records and information contained in the system. |
| 2.6 | Records and information are sustained through system and service transitions by strategies and processes specifically designed to support business and accountability. | - Documented migration strategy.<br>- Migrating records and metadata from one system to another is a managed process which results in trustworthy and accessible records.<br>- Portability of records and information is assessed in cloud service or similar arrangements.<br>- Adequate system documentation is maintained. |

Principle 3: Records and information are well managed
Effective management of records and information underpins trustworthy, useful and accountable records and information which are accessible and retained for as long as they are needed. This management extends to records and information in all formats, in all business environments, and in all types of systems.

| | Minimum compliance requirements | Examples of how a public office can demonstrate compliance with the requirements |
|---|---|---|
| 3.1 | Records and information are routinely created and managed as part of normal business practice. | - Policies, business rules and procedures articulate/document staff requirements and responsibilities for the creation, capture and management of records of business operations.<br>- Assessments or audits demonstrate that systems operate routinely.<br>- Exceptions to routine operations that affect information integrity, useability or accessibility are identified, resolved and documented. |
| 3.2 | Records and information are reliable and trustworthy. | - Adequate metadata to ensure meaning and context is associated with the record.<br>- System audits are able to test management controls of systems, including information integrity.<br>- Policies, business rules, procedures and other control mechanisms are in place to ensure accuracy and quality of records created, captured and managed. |
| 3.3 | Records and information are identifiable, retrievable and accessible for as long as they are required. | - System testing is able to verify that systems can locate and produce records which are viewable and understandable.<br>- Adequate metadata to ensure that records are identifiable and accessible. |
| 3.4 | Records and information are protected from unauthorised or unlawful access, destruction, loss, deletion or alteration. | |
| 3.5 | Access to records and information is managed appropriately in accordance with legal and business requirements. | |
| 3.6 | Records and information are kept for as long as they are needed for business, legal and accountability requirements. | - Policy, business rules and procedures identify how the retention and disposal of records and information is managed.<br>- Records and information are sentenced according to current authorised retention and disposal authorities.<br>- Records required as State archives are routinely transferred to NSW State Archives and Records when no longer in use for official purposes. |
| 3.7 | Records and information are systematically and accountably destroyed when legally appropriate to do so. | - Policy, business rules and procedures identify how the destruction of records and information is managed, including deletion of data.<br>- Organisation can account for the disposal of records or information in accordance with legal obligations and accountability requirements.<br>- Disposal is in accordance with current authorised records retention and disposal authorities.<br>- Disposal of records is documented. |

Printable version
A printable version of the standard (PDF, 155kb) is available.
Implementation guide
State Records NSW has prepared an implementation guide (PDF, 387kb) for the Standard. The implementation guide includes detailed explanations for each minimum compliance requirement with a mapping to guidance and training, how the new standard will assist public offices to meet their obligations under the State Records Act, and the relationship between the new code of best practice AS ISO 15489.1: 2017 and the Standard on records management.
An account of the comments received during public consultation on this standard is available in the accompanying Table of Commentary (PDF, 111kb).
There is a compliance timetable (PDF, 51kb) for this standard, with requirements phased in during 2015.