Storage of State records with service providers outside of NSW
The page provides information and guidance to public offices in meeting their statutory obligations under the State Records Act 1998 for the ‘safe custody and proper preservation’ of State records when they are stored with service providers based outside of NSW.
Background
Under section 21 of the State Records Act 1998, records cannot be taken or sent out of NSW unless permitted by section 21(2). Generally, permission or approval from State Records NSW is required.
However, there are times when public offices need to store records with service providers outside of NSW.
For example:
- public offices such as councils, area health services, and universities near state borders may need to store records in cross-border locations within Australia
- some public offices outsource business functions to service providers that have or use data storage facilities outside of NSW
- some public offices use data storage service providers whose servers are outside of NSW
- public offices may need to send records out of the state temporarily for processes like copying or changing formats.
To allow public offices to send and store records outside of NSW with service providers, State Records NSW has approved a general authority: transferring records out of NSW for storage with and maintenance by service providers based outside of the State.
This authority allows the transfer of records outside the state for storage or maintenance by service providers, provided the records are managed according to the requirements of the State Records Act.
What is permitted under the general authority?
The general authority for transferring records out of NSW for storage with or maintenance by service providers based outside of the State (GA35) approves the transfer to and storage of some State records with service providers outside of NSW.
The table below shows what is allowed for different types of records, what public offices need to do, and the conditions they must follow.
| Records | What is permitted | What the public office needs to do | Conditions applied |
|---|---|---|---|
| Records not required as State archives. | Where there is an identified business need, the records may be transferred and stored outside of NSW. | Still-in-use determinations must be made for records over 25 years of age. A closed to public access direction (CPA) can be attached to protect sensitive information for records more than 20 years old. See the register of access directions for more information. Access directions must be made for records over 20 years of age. | Storage conditions and accessibility meet requirements of the State Records Act and standards issued by State Records NSW. Adequate contractual control. Adequate monitoring. |
| Records less than 25 years old which are required as State archives in a current retention and disposal authority. | Where there is an identified business need the records may be transferred and stored outside of NSW. | Once records are no longer in use for official purposes arrangements should be made with Museums of History NSW to transfer them as State archives. | Storage conditions and accessibility meet requirements of the State Records Act and standards issued by State Records NSW. Adequate contractual control. Adequate monitoring. |
| Records over 25 years old and identified as required as State archives in a current retention and disposal authority. | May not be transferred and stored outside of NSW. | Public offices may seek a specific authorisation for storage outside of NSW which will be assessed on a case-by-case basis. | |
| Records that are inaccessible because they are not adequately controlled (that is, not sufficiently described or tagged with metadata). | May not be transferred and stored outside of NSW. | Public offices should take steps to ensure the records are adequately controlled. | |
| Records that are not covered by a current retention and disposal authority. | May not be transferred and stored outside of NSW. | Contact State Records NSW to develop or update a disposal authorisation. |
Conditions applied by the general authority
The 4 main conditions for storing NSW State records with providers outside of NSW are:
Storing and managing State records with service providers can involve several legal risks or issues.
Before making any arrangements, public offices should carefully assess these risks.
Some key risks to consider include:
- the organisation might not have enough control over the records, making it harder to meet requirement of section11(1) of the State Records Act to ‘ensure the ‘safe custody and proper preservation’ of State records
- someone in another state or country could claim ownership or take control of the records
- records might not be returned when requested or when the contract ends
- the service provider or the business could go out of business.
It’s important to consider any legal limits on moving records out of NSW. For example, the Privacy and Personal Information Protection Act 1998 (section 19) has restrictions about sharing information outside NSW, which must be followed.
The level of risk depends on the type of records, their sensitivity, and how important they are to the organisation or the NSW Government.
After identifying the risks, the organisation should take steps to minimise them. This may involve using clearly written contracts, getting legal advice, avoiding certain service providers, or not entering into agreements with an unacceptable level of risk.
Some records may be too sensitive or important to risk storing with an out-of-state or overseas provider.
Organisations should also check if there are any laws in the state or country where the records will be stored that could affect how State records are managed.
For example, privacy laws in another country might impact how information is stored, even if it didn’t originate there.
Contracts should address these important points.
Facilities and services offered by service providers must comply with:
- the State Records Act
- the relevant standards issued by State Records NSW. This includes:
Public offices are responsible for ensuring these requirements are met.
These standards provide specific benchmarks that should be communicated to service providers through contractual arrangements.
Public offices and their providers must be aware of retention and disposal requirements, especially for records stored with interstate providers. Disposal of records can only occur with authorisation from State Records NSW.
This authorisation can be through general or functional retention and disposal authorities or other forms permitted under the State Records Act. Destruction must follow State Records NSW guidelines. More information is available under Destruction of records.
For records over 25 years of age that are still needed for business purposes, a determination of 'still-in-use' status must be made. For more information, contact Museums of History NSW.
Public offices must exercise due diligence when engaging service providers for handling State records. Contracts with service providers, including those outside of NSW, must include provisions to ensure the following:
- ownership of State records remains with the state
- the public office retains responsibility for the proper management of these records
- records will be returned to the public office upon request.
For additional advice on contract inclusions, see:
Considerations for digital records
Contracts involving digital records should specifically address the return of records to the public office upon contract termination. This ensures that accessibility is maintained and avoids complications such as:
- records being provided in proprietary formats without appropriate licences or documentation, making them difficult to integrate into recordkeeping systems.
- loss of accessibility to critical records post-termination of a contract.
Examples:
- A service provider completed a project and handed over digital records in proprietary formats. The organisation lacked the necessary software licences, making it difficult to use or migrate the records.
- A university managed a building project by requiring the service provider to establish an interface between their system and the university’s ERDMS. This ensured records were accessible during and after the project.
To mitigate risks, contracts should also include provisions that:
- ensure no copy of records or information is retained by the service provider after contract termination
- address requirements for security, privacy, and confidentiality.
The public office is responsible for monitoring the arrangement with the service provider on a regular basis to ensure that all relevant requirements are being met.
Contracts should specify that public offices have the right to monitor the service provider to ensure compliance with the contract, the State Records Act, and any other applicable legislation or standards.
Under section 15 of the State Records Act, the public office must give the State Records Authority NSW and its officers access to State records. Contracts should explicitly address how such access will be facilitated to:
- monitor compliance effectively
- provide third-party access as required under applicable laws.
By embedding these provisions in contracts, public offices can maintain proper management, security, and accessibility of State records throughout their lifecycle.
For more guidance, see Monitoring records management.
Checklist for public offices entering into arrangements with service providers
Public offices should ensure that a ‘yes’ response is able to be given to each of the questions in the following checklist, to ensure they have addressed important aspects of their relationship with the service provider.
Note, this list does not cover specific ICT matters which also need to be addressed with the service provider (such as business continuity planning, disaster recovery and system security requirements).
- Have you identified whether any hard copy or digital records are being or to be stored outside of NSW?
- Does the service provider conform to best practice in records storage and handling, in particular the principles specified in Standard on the physical storage of State records?
- Does the service provider conform to best practice in the logical management of digital records as defined in Standard on records management?
- Have you established adequate controls, including contractual arrangements with the service provider, to ensure the safe custody and proper preservation of your records in transit and storage?
- Have you established adequate controls, including contractual arrangements with the service provider, to ensure that any disposal of records is appropriately authorised by current retention and disposal authorities issued by State Records NSW?
- Do you have arrangements in place to monitor the service provider to ensure that they are meeting the relevant standards and requirements of State Records NSW?
- Do you have arrangements in place to ensure that records required as State archives and stored outside of NSW are transferred to State Records NSW in a timely manner?
- Do you have arrangements in place to ensure the appropriate return of records to your organisation at the end of the storage contract period?