Standard on records management

Principles of records management

On this page

Principle 1: Organisations take responsibility for records and information management

Establishing governance frameworks for the management of records, information and data is key to supporting all corporate business operations and instilling good recordkeeping culture. Frameworks include policy, assigning of responsibilities, establishing provisions for records, information and data in outsourcing and service delivery arrangements, and monitoring.

Minimum compliance requirementsExamples of how a public office can demonstrate compliance with the requirement
1.1  Corporate records and information management is directed by policy and strategy.
  • Corporate policy on Records Management (RM)/Information Management (IM) has been endorsed at senior executive level.
  • Corporate policy on RM/IM has been communicated and made available to all staff and contractors.
  • Corporate strategy on RM/IM, aligned to the organisation’s strategic direction, has been endorsed at senior executive level.
1.2  Records and information management is the responsibility of senior management who provide direction and support for records and information management in accordance with business requirements and relevant laws and regulations.
  • Responsibility is assigned in corporate policy on RM/IM.
  • Policy reflects chief executive’s responsibility to ensure compliance with section 10 of the State Records Act.  
  • Delegations Manual is updated to include records and information management responsibilities and referenced in policy.  
  • Information and/or Data Governance group is established to oversee all aspects of records and information management.
1.3  Corporate responsibility for the oversight of records and information management is delegated to a designated individual (senior responsible officer).
  • Responsibility is assigned in corporate policy on RM/IM.
  • Delegations Manual is updated to include records and information management responsibilities and referenced in policy.  
  • Responsibility is assigned in individual performance plans.
  • State Records NSW has been advised of the organisation’s senior responsible officer.
1.4  Organisations have skilled records and information staff or access to appropriate skills.
  • Responsibility is assigned in corporate policy on RM/IM.
  • Skills and capabilities are reflected in relevant role descriptions.
  • Responsibility is assigned in performance plans and/or service agreements.
  • Organisation has assessed its records and information management capability and capacity against its business needs.
1.5  Responsibility for ensuring that records and information management is integrated into work processes, systems and services is delegated to business owners and business units.
  • Responsibility is assigned in corporate policy on RM/IM.
  • Responsibility is assigned in performance plans and/or service agreements.
  • Documentation identifies owners of systems.
  • Responsibility for ensuring the inclusion of records and information management in systems and processes is assigned to owners of systems.
1.6  Staff and contractors understand the records and information management responsibilities of their role, the need to make and keep records, and relevant policies and procedures.
  • Responsibility is assigned in corporate policy on RM/IM.
  • Skills, capabilities and responsibilities are reflected in relevant role descriptions and/or performance plans.
  • Policy, business rules or procedures articulate/document staff requirements and responsibilities for the creation and management of records.
  • Responsibilities are included in staff induction, awareness programs and ongoing corporate training.
1.7  Records and information management responsibilities are identified and addressed in all outsourced, cloud, contracted and similar service arrangements.
  • Responsibility is assigned in corporate policy on RM/IM.
  • Records and information management is assessed in outsourced and service arrangements, and included in contracts and instruments where required.
  • Responsibilities are identified and monitored in outsourced, cloud, contracted and similar service arrangements.
  • Portability of records and information is assessed in outsourced, cloud, contracted and similar service arrangements.
1.8  Records and information management is monitored and reviewed to ensure that it is performed, accountable and meets business needs.
  • Monitoring of recordkeeping performance, systems and processes, and corrective actions undertaken to address issues are documented.
  • Records management and recordkeeping are evaluated as part of internal or external audits.
  • Performance and compliance of the organisation’s records management are assessed using State Records NSW’s Records Management Assessment Tool (RMAT).
  • Organisation has a structured approach to addressing non-compliance issues and ensuring continuous improvement of records and information management.
  • Reports on monitoring of records management are prepared for the Audit and Risk Committee.


 

Principle 2: Records and information management support business

Identifying and defining records, information and data required to meet or support business needs and recordkeeping requirements enables the public office to design and implement systems which will ensure the creation, maintenance, useability and sustainability of the records, information and data needed for short and long term business operations.

Taking a planned approach to records and information management means all operating environments and service arrangements are considered.

Minimum compliance requirementsExamples of how a public office can demonstrate compliance with the requirement
2.1  Records, information and data required to meet short and long term needs of the business are identified.
  • Decisions, policies, business rules or procedures on what records, information and data are required to meet or support business needs and identified recordkeeping requirements (for example, accountability, community expectations and ‘privacy by design’) are identified and documented.
  • Current, comprehensive and authorised records retention and disposal authorities are in place.
  • Decisions are documented or reflected in specifications for systems and metadata schema.
2.2  High risk and/or high value areas of business and the systems, records and information needed to support these business areas are identified.
  • High risk and/or high value records, information and data are included in the organisation’s list of key information assets.
  • Systems holding high risk and/or high value records, information and data are identified and documented.
  • Information risks are identified, managed or mitigated, and documented in an Information Asset Register.
  • High risk and/or high value records, information and data are protected by business continuity strategies and plans.
  • Documented policy, business rules and procedures for high risk and/or high value business processes include responsibilities for the creation and management of records, information and data.
2.3  Records and information management is a designed component of all systems and service environments where high risk and/or high value business is undertaken.
  • Evidence that records and information management is assessed in system acquisition, system maintenance and decommissioning is documented and implemented where required.
  • Systems specifications for high risk and/or high value business include records and information management requirements.
  • Systems specifications include metadata requirements needed to support records identification, useability, access controls, classification and search and discovery.
  • Documentation of systems design and configuration is maintained.
2.4  Records, information and data are managed across all operating environments.
  • Information Asset Register identifies and documents where records, information and data are held across diverse and evolving system environments, digital storage locations or physical storage locations.  
  • Business rules and procedures are in place to manage records, information and data in diverse and evolving system environments, digital storage locations or physical storage locations.
2.5  Records and information management safeguard records, information and data, including records with long term retention.
  • Systems holding records of identified or potential permanent or long term retention are identified and documented.
  • Locations of potential permanent or long term retention records are documented.
  • Information Asset Register identifies and documents risks or barriers to accessibility to digital records and information, and informs migration strategies.
  • Information security and protection mechanisms are built into systems and processes to mitigate cyber security incidents and protect sensitive or confidential records, information and data.
  • Regular testing of information security and protection mechanisms.
  • Records, information and data are kept for as long as they are needed for business, legal requirements (including in accordance with current and authorised records retention and disposal authorities), accountability and community expectations.
  • Decommissioning of systems includes retention and disposal requirements for records, information and data contained in the system.
2.6  Records, information and data are sustained through system and service transitions by strategies and processes specifically designed to support business and accountability.
  • Documented migration strategy.
  • Migrating records and metadata from one system to another is a managed process which results in trustworthy and accessible records.
  • Portability of records and information is assessed in outsourced, cloud, contracted and similar service arrangements.
  • Adequate system documentation is maintained.
  • Strategies and processes are in place to monitor and address technology obsolescence.
Minimum compliance requirements
2.1  Records, information and data required to meet short and long term needs of the business are identified.
Examples of how a public office can demonstrate compliance with the requirement
  • Decisions, policies, business rules or procedures on what records, information and data are required to meet or support business needs and identified recordkeeping requirements (for example, accountability, community expectations and ‘privacy by design’) are identified and documented.
  • Current, comprehensive and authorised records retention and disposal authorities are in place.
  • Decisions are documented or reflected in specifications for systems and metadata schema.
Minimum compliance requirements
2.2  High risk and/or high value areas of business and the systems, records and information needed to support these business areas are identified.
Examples of how a public office can demonstrate compliance with the requirement
  • High risk and/or high value records, information and data are included in the organisation’s list of key information assets.
  • Systems holding high risk and/or high value records, information and data are identified and documented.
  • Information risks are identified, managed or mitigated, and documented in an Information Asset Register.
  • High risk and/or high value records, information and data are protected by business continuity strategies and plans.
  • Documented policy, business rules and procedures for high risk and/or high value business processes include responsibilities for the creation and management of records, information and data.
Minimum compliance requirements
2.3  Records and information management is a designed component of all systems and service environments where high risk and/or high value business is undertaken.
Examples of how a public office can demonstrate compliance with the requirement
  • Evidence that records and information management is assessed in system acquisition, system maintenance and decommissioning is documented and implemented where required.
  • Systems specifications for high risk and/or high value business include records and information management requirements.
  • Systems specifications include metadata requirements needed to support records identification, useability, access controls, classification and search and discovery.
  • Documentation of systems design and configuration is maintained.
Minimum compliance requirements
2.4  Records, information and data are managed across all operating environments.
Examples of how a public office can demonstrate compliance with the requirement
  • Information Asset Register identifies and documents where records, information and data are held across diverse and evolving system environments, digital storage locations or physical storage locations.  
  • Business rules and procedures are in place to manage records, information and data in diverse and evolving system environments, digital storage locations or physical storage locations.
Minimum compliance requirements
2.5  Records and information management safeguard records, information and data, including records with long term retention.
Examples of how a public office can demonstrate compliance with the requirement
  • Systems holding records of identified or potential permanent or long term retention are identified and documented.
  • Locations of potential permanent or long term retention records are documented.
  • Information Asset Register identifies and documents risks or barriers to accessibility to digital records and information, and informs migration strategies.
  • Information security and protection mechanisms are built into systems and processes to mitigate cyber security incidents and protect sensitive or confidential records, information and data.
  • Regular testing of information security and protection mechanisms.
  • Records, information and data are kept for as long as they are needed for business, legal requirements (including in accordance with current and authorised records retention and disposal authorities), accountability and community expectations.
  • Decommissioning of systems includes retention and disposal requirements for records, information and data contained in the system.
Minimum compliance requirements
2.6  Records, information and data are sustained through system and service transitions by strategies and processes specifically designed to support business and accountability.
Examples of how a public office can demonstrate compliance with the requirement
  • Documented migration strategy.
  • Migrating records and metadata from one system to another is a managed process which results in trustworthy and accessible records.
  • Portability of records and information is assessed in outsourced, cloud, contracted and similar service arrangements.
  • Adequate system documentation is maintained.
  • Strategies and processes are in place to monitor and address technology obsolescence.


 

Principle 3: Records, information and data are well managed

Effective management of records, information and data underpins trustworthy, useful and accountable records and information, which are accessible and retained for as long as they are needed. This management extends to records, information and data in all formats, in all business environments, and in all types of systems.

Minimum compliance requirementsExamples of how a public office can demonstrate compliance with the requirement
3.1  Records, information and data are routinely created, captured and managed as part of normal business practice.
  • Policies, business rules and procedures articulate/document staff requirements and responsibilities for the creation, capture and management of records of business operations and processes.
  • Assessments or audits demonstrate that systems operate routinely and records and metadata are created and captured.
  • Exceptions to routine operations that affect information integrity, useability or accessibility are identified, resolved and documented.
3.2  Records, information and data are managed to ensure they are reliable and trustworthy.
  • Adequate metadata is created and captured to ensure meaning and context is associated with the record.
  • System audits are undertaken to test controls of systems and to verify records, information and data integrity and trustworthiness.
  • Policies, business rules, procedures and other control mechanisms are in place to ensure accuracy and quality of records, information and data created, captured and managed.
3.3  Records, information and data are identifiable, retrievable and accessible for as long as they are required.
  • System testing is able to verify that systems can identify, retrieve and produce records which are viewable and understandable.
  • Adequate metadata is created and captured to ensure that records are identifiable and accessible.
  • Data and metadata are used and shared with consideration of Indigenous Data Sovereignty principles and Indigenous Cultural and Intellectual Property protocols.
  • Data is managed to facilitate effective use and reuse of information.
3.4  Records, information and data are protected from unauthorised or unlawful access, destruction, loss, deletion or alteration.
  • Records are stored in accordance with the requirements of the Standard on the physical storage of State records, the NSW Government Data Strategy and the NSW Government Cloud Policy.
  • Information security and protection mechanisms, such as those outlined in the NSW Cyber Security Policy, the NSW Government Information Classification, Labelling and Handling Guidelines and the Australian Protective Security Policy Framework, are in place.
  • Records are protected wherever they are located, including in transit and when outside the workplace.
  • Access, security and user permissions for systems managing records, information and data are documented and implemented.
  • System audits are able to test that access controls are implemented.
  • State Records NSW is notified when damage to records affects the integrity of records, or when records are lost or unlawfully accessed, destroyed, deleted or altered.
  • Systems and processes are in place to identify when records, information and data are inappropriately accessed, shared or destroyed, facilitating internal and external notifications as required of the issue.
3.5  Access to records, information and data is managed in accordance with legal and business requirements.
  • Access to records is provided in accordance with such instruments as the Privacy and Personal Information Protection Act 1998 (‘PPIP Act’), the Health Records and Information Privacy Act 2002 (‘HRIP Act’), the Government Information (Public Access) Act 2009 (‘GIPA Act’) and the State Records Act 1998.
  • Policy, business rules and procedures identify how access to records, information and data is managed.
  • Assessments confirm that access is in accordance with the organisation’s policy, business rules and procedures.
  • Records that are 20 years or older are covered by a closed to public access direction where required. Closed to public access directions are registered with Museums of History NSW in accordance with Part 6 of the State Records Act.
  • Systems and processes are in place to identify when records, information and data are inappropriately accessed, shared or destroyed, facilitating internal and external notifications as required of the issue.
3.6  Records, information and data are kept for as long as they are needed for business, legal and accountability requirements, then disposed.
  • Policy, business rules and procedures identify how the retention and disposal of records, information and data is managed.
  • Records, information and data are sentenced according to current and authorised records retention and disposal authorities.
  • Facilitative or duplicate records, information and data are sentenced according to current and authorised records retention and disposal authorities or normal administrative practice provisions (see State Records Regulation 2024) where appropriate.
  • Decisions to retain records beyond their minimum retention periods are based on business needs, documented and endorsed at senior level.
  • Authorised disposal activities are routinely conducted to minimise over-retention of records, information and data.
  • Records required as State archives are routinely transferred to Museums of History NSW when no longer in use for official purposes.
3.7  Records, information and data are systematically and accountably destroyed when legally appropriate to do so.
  • Policy, business rules and procedures identify how the destruction of records and information is managed, including deletion of data.
  • Destruction is in accordance with current and authorised records retention and disposal authorities.
  • Destruction of records is documented and authorised.
  • Organisation can account for the destruction of records or information in accordance with legal obligations and accountability requirements.
Minimum compliance requirements
3.1  Records, information and data are routinely created, captured and managed as part of normal business practice.
Examples of how a public office can demonstrate compliance with the requirement
  • Policies, business rules and procedures articulate/document staff requirements and responsibilities for the creation, capture and management of records of business operations and processes.
  • Assessments or audits demonstrate that systems operate routinely and records and metadata are created and captured.
  • Exceptions to routine operations that affect information integrity, useability or accessibility are identified, resolved and documented.
Minimum compliance requirements
3.2  Records, information and data are managed to ensure they are reliable and trustworthy.
Examples of how a public office can demonstrate compliance with the requirement
  • Adequate metadata is created and captured to ensure meaning and context is associated with the record.
  • System audits are undertaken to test controls of systems and to verify records, information and data integrity and trustworthiness.
  • Policies, business rules, procedures and other control mechanisms are in place to ensure accuracy and quality of records, information and data created, captured and managed.
Minimum compliance requirements
3.3  Records, information and data are identifiable, retrievable and accessible for as long as they are required.
Examples of how a public office can demonstrate compliance with the requirement
  • System testing is able to verify that systems can identify, retrieve and produce records which are viewable and understandable.
  • Adequate metadata is created and captured to ensure that records are identifiable and accessible.
  • Data and metadata are used and shared with consideration of Indigenous Data Sovereignty principles and Indigenous Cultural and Intellectual Property protocols.
  • Data is managed to facilitate effective use and reuse of information.
Minimum compliance requirements
3.4  Records, information and data are protected from unauthorised or unlawful access, destruction, loss, deletion or alteration.
Examples of how a public office can demonstrate compliance with the requirement
  • Records are stored in accordance with the requirements of the Standard on the physical storage of State records, the NSW Government Data Strategy and the NSW Government Cloud Policy.
  • Information security and protection mechanisms, such as those outlined in the NSW Cyber Security Policy, the NSW Government Information Classification, Labelling and Handling Guidelines and the Australian Protective Security Policy Framework, are in place.
  • Records are protected wherever they are located, including in transit and when outside the workplace.
  • Access, security and user permissions for systems managing records, information and data are documented and implemented.
  • System audits are able to test that access controls are implemented.
  • State Records NSW is notified when damage to records affects the integrity of records, or when records are lost or unlawfully accessed, destroyed, deleted or altered.
  • Systems and processes are in place to identify when records, information and data are inappropriately accessed, shared or destroyed, facilitating internal and external notifications as required of the issue.
Minimum compliance requirements
3.5  Access to records, information and data is managed in accordance with legal and business requirements.
Examples of how a public office can demonstrate compliance with the requirement
  • Access to records is provided in accordance with such instruments as the Privacy and Personal Information Protection Act 1998 (‘PPIP Act’), the Health Records and Information Privacy Act 2002 (‘HRIP Act’), the Government Information (Public Access) Act 2009 (‘GIPA Act’) and the State Records Act 1998.
  • Policy, business rules and procedures identify how access to records, information and data is managed.
  • Assessments confirm that access is in accordance with the organisation’s policy, business rules and procedures.
  • Records that are 20 years or older are covered by a closed to public access direction where required. Closed to public access directions are registered with Museums of History NSW in accordance with Part 6 of the State Records Act.
  • Systems and processes are in place to identify when records, information and data are inappropriately accessed, shared or destroyed, facilitating internal and external notifications as required of the issue.
Minimum compliance requirements
3.6  Records, information and data are kept for as long as they are needed for business, legal and accountability requirements, then disposed.
Examples of how a public office can demonstrate compliance with the requirement
  • Policy, business rules and procedures identify how the retention and disposal of records, information and data is managed.
  • Records, information and data are sentenced according to current and authorised records retention and disposal authorities.
  • Facilitative or duplicate records, information and data are sentenced according to current and authorised records retention and disposal authorities or normal administrative practice provisions (see State Records Regulation 2024) where appropriate.
  • Decisions to retain records beyond their minimum retention periods are based on business needs, documented and endorsed at senior level.
  • Authorised disposal activities are routinely conducted to minimise over-retention of records, information and data.
  • Records required as State archives are routinely transferred to Museums of History NSW when no longer in use for official purposes.
Minimum compliance requirements
3.7  Records, information and data are systematically and accountably destroyed when legally appropriate to do so.
Examples of how a public office can demonstrate compliance with the requirement
  • Policy, business rules and procedures identify how the destruction of records and information is managed, including deletion of data.
  • Destruction is in accordance with current and authorised records retention and disposal authorities.
  • Destruction of records is documented and authorised.
  • Organisation can account for the destruction of records or information in accordance with legal obligations and accountability requirements.


 

Download or print

Download Standard No.15 Standard on records management PDF 206.01KB Current as of Friday, 14 February 2025.
Download Standard No.15 Appendix A PDF 29.8KB Current as of Friday, 14 February 2025.
Download Standard No.15 Table of commentary PDF 224.14KB Current as of Friday, 14 February 2025.
Download Standard No.15 Implementation guide PDF 369.39KB Current as of Friday, 14 February 2025.
Print this page

Request accessible format of this publication.

Previous
Introduction to the Standard on records management
Page 3 of 4
Next
Appendix A – Consolidated list of compliance requirements
Top of page