Skip to main content

Publications

Records Management Policy

Foreword

As a Commonwealth agency, DFAT has an obligation to
maintain good records of its business activities for legal and efficiency
purposes. Our records are vital assets that support our operations, enabling us
to access the information we require and to preserve our corporate memory. They
enable us to operate efficiently and to meet our accountability and compliance
requirements. Sound recordkeeping practices are essential for DFAT to be a
well-managed organisation. To these ends, the DFAT Records Management Strategic
Plan 2015-2019 provides the vision for the department's records management
program.

This policy supports the Strategic Plan and articulates
the policy framework which will be adopted within DFAT for managing
requirements for adequate recordkeeping of business activities and
decision-making. Individual recordkeeping responsibilities applying to all
staff and contractors are stipulated and mandatory. This policy supersedes all
previous recordkeeping and records management policies.

This policy establishes a framework for the creation,
capture, management and use of complete and accurate records in all formats,
however in accordance with the whole-of-Government Digital Transition Policy
the policy supports the transition from paper to digital recordkeeping. The
policy also endorses the principles of digital continuity for electronic
records to ensure that records are complete, available and useable for as long
as needed by all potential users, including for purposes beyond the intended
original use.

The potential benefits of digital recordkeeping are
broad-ranging, from individual to departmental level. At the individual level,
recordkeeping tasks including filing can potentially be automated and made
transparent to staff conducting their core business. Reduced time thinking how
and where to file or find a document, along with version control, ready access,
reusability and other benefits of working digitally, provides more time to
focus on core work. Where feasible, automated records capture also ensures that
they are created and managed appropriately. Potential benefits of digital
recordkeeping are outlined in detail at Appendix D of the policy.

A Records Management Manual supports this policy and
provides a single reference source for detailed instructions, procedures and
guidance on the management of specific types of records and use of the EDRMS.
The manual is located on the DFAT intranet so that it is accessible by all
staff and will be regularly updated.

Compliance with this policy is mandatory for all staff
including contractors. All officers working for the department have a
responsibility to follow this policy and to maintain sound recordkeeping
practices in their daily work.

Peter
Varghese

Secretary

Department
of Foreign Affairs and Trade

Table of Contents

1.
Purpose

The purpose of this Records Management Policy is to
provide direction to staff for the creation, maintenance, storage and disposal
of records and associated metadata within the Department of Foreign Affairs and
Trade (DFAT).

This policy, together with the Strategic Plan for DFAT
Records Management 2015-2019, and the Records Management Manual, will ensure
that complete and accurate records of DFAT's business activities are available
and accessible for as long as required for operational, accountability and
compliance purposes. The detailed Records Management Manual supporting this
policy is intended to ensure that DFAT undertakes best practice records management
processes during the policy's period of application, specifically as the department
continues the transition from paper-based processes and recordkeeping to a
predominantly electronic recordkeeping environment.

This policy replaces the DFAT Recordkeeping Policy dated 9
August 2012.

2.
Policy Statement

DFAT's
records are its corporate memory and a vital asset for ongoing accountability.
Good recordkeeping is critical to corporate governance and operational
efficiency, provides essential evidence of business activities and
transactions, and demonstrates accountability and transparency in DFAT's
decision-making processes.

DFAT
is committed to implementing and maintaining best practice recordkeeping
policy, practice and procedure.

DFAT recognises its legislative and regulatory
requirements as a Commonwealth agency under the Archives Act 1983. It
is committed to meeting the principles and practices set out in the following
whole-of-Government policies and standards endorsed by the National Archives of
Australia (NAA):

  • the whole-of-Government Digital Transition Policy (DTP)
  • the whole-of-Government Digital Continuity Policy (DCP)
  • the International and Australian Standard for Records Management (ISO 15489)
  • the Australian Government Recordkeeping Metadata Standard (AGRkMS)
  • the Principles and Functional Requirements for Records in
    Electronic Environments (ISO 16175).

All staff within DFAT, including
locally engaged staff (LES) and contractors, are responsible for recordkeeping.
All staff must, therefore, be aware of their obligations under this policy and
take reasonable action to ensure ongoing compliance. Non-compliance with the
recordkeeping policy may result in action, ranging from counselling to formal
disciplinary proceedings.

Records
created in DFAT must be complete and accurate, as defined in ISO 15489. They
must:

  • enable current and future DFAT staff to take appropriate action, and make well-founded decisions based on the records in their day to day operations
  • enable an authorised person to examine the conduct of DFAT business
  • protect the financial, legal and other rights of DFAT
  • protect people affected by DFAT's actions and decisions.

3.
Authority

This policy has been approved by the Secretary, DFAT and
is the authority for recordkeeping and records management within DFAT. It shall
remain valid until such time as amended, revoked or otherwise superseded by the
direct authority of the Secretary.

4.
Review Date

This policy is due for review in 2017 in line with the mid-point
of the Strategic Plan for DFAT Records Management 2015 – 2019.

5.
Scope

This policy applies to all records and associated metadata
from the time of creation or capture and covers:

  • all DFAT staff, regardless of employment type
  • all aspects of DFAT's business operations
  • all types and formats of records created to support business activities
  • all business applications used to create records
  • organisations and businesses,
    including their employees, to which DFAT has outsourced its functions or
    activities, and therefore associated recordkeeping responsibilities.

This policy does not relate to records created by any
other agencies, except where they form part of a DFAT business transaction.

6.
Definition of a Record

Records are evidence of
business conducted by an organisation. Any
reference to a record in this policy refers to records in any format as defined
in the Archives Act 1983. The Glossary of Terms at Appendix A includes Complete
and Accurate Record(s), which highlights characteristics that differentiate a
record from other types of information and provide for a record to be
admissible as evidence.

DFAT
staff are responsible for keeping a record of business transactions conducted
as part of their duties for the department. Examples of business transactions
include documenting actions, events, conversations or other transactions where
they provide evidence of formal advice or directions, or significant decisions.
Records can be in any format. This includes but is not limited to:

  • Hard copy or electronic documents – e.g. Word, Excel, Power Point
  • Paper or electronic files – e.g. EDRMS containers
  • Electronic messaging – e.g. Email, voicemail, instant messaging (including Lync), SMS (short message service), multimedia message service (MMS)
  • Social media – e.g. Twitter, Facebook, LinkedIn, blogs, wikis, discussion boards/forums
  • Web content – e.g. public websites, intranet
  • Photographs – e.g. official photographs documenting business activities, Flickr
  • Videos – e.g. YouTube, Vimeo, video conferencing, teleconferencing, video instant messaging and podcasts
  • Data in business systems – e.g. PeopleSoft, SAP, AidWorks, PICS (Passport Issue and Control System), CIS (Consular Information System, and CMIS legacy records)
  • Models, plans and architectural
    drawings

SharePoint and social media are
relatively new forms of collaboration and communication for the department. Staff
who use these tools for their work should be aware that content published in
this media may constitute a record as defined in this policy. Advice documents issued by the Corporate Records Section
regarding the capture of records and associated metadata, from communications
conducted via social media platforms, are provided on the intranet and are to
be followed.

For
a record in digital format to be meaningful and to serve as admissible evidence
of a business transaction, associated metadata needs to be captured or created
with the record to provide adequate context and to support its authenticity and
management over time. Along with other provisions, as set out in the relevant
areas of this policy, minimum metadata standards set by the NAA in the Australian
Government Recordkeeping Metadata Standard
are to be met. This will help to
ensure that DFAT's business, accountability and archival requirements are met
in a systematic and consistent way, and that digital records are described, reliable,
meaningful, admissible as evidence, accessible, sharable and re-usable for as
long as they need to be retained.

7.
Digital Transition Policy

In line with the Government's DTP, DFAT is transitioning
away from a predominantly paper-based records management system to digital
recordkeeping, primarily for efficiency purposes. This means the majority of
DFAT's records will be created, stored and managed digitally, and where feasible
paper records will be scanned to reduce the number of paper files.

Where paper files that are overdue for disposal exist,
sentencing and disposal will be conducted as resources permit using records authorities
issued by the NAA to reduce paper-based holdings.

Hybrid files (containing paper and digital records) will
be phased out through the archiving process during the current Records
Management Strategic Plan period (2015-2019). To ensure business, accountability
and archival requirements are adequately catered for, a review of active hybrid
files and remediation action will be conducted by Corporate Records Section in
coordination with relevant stakeholders (eg. business area, system and process
owners) as required. In light of the DTP, no hybrid files are to be created in
DFAT from the date of the publication of this policy.

New or reviewed business systems and processes must be
designed to support digital recordkeeping, including automated/transparent
records capture, as far as practicably possible.

Advice documents issued
by the Corporate Records Section regarding the creation of authentic, complete
and accessible image copies of records, and the compliant management of the
original document after scanning, is to be followed. This advice includes:

  • coverage of technical and legislative requirements to preserve official records of enduring evidential or informational value for future reference
  • an outline of the existing legal framework in the Australian Federal Government jurisdiction that supports tendering digital images of records for legal proceedings or for other evidentiary purposes
  • how to manage and dispose of source records after they have been scanned
  • exclusions regarding records that have
    been designated to be always retained in original format, and/or source records
    that cannot be destroyed after scanning.

Exceptions to the creation of, conversion to and
management of records (files and documents) in digital format (including hybrid
files) require a business case to do so and/or authorisation from the Director,
Corporate Records Section (COR).

8.
Digital Continuity Policy

In line with the Government's DCP, developed to build on
the foundations of the DTP, DFAT is embracing an approach to keeping and
managing digital records and associated metadata to ensure that they are
complete, available and can be used for as long as needed, including beyond
their original business use.

The
DCP requires that:

  • records and information created are complete, accurate, up-to-date, discoverable and usable by those with legitimate need, interoperable across the Commonwealth, and available and usable for as long as needed and not kept any longer than required
  • business transactions and decisions are recorded digitally, using digital authorisations and workflows by default wherever possible
  • business systems creating, capturing and/or managing records protect information from unauthorised alteration, deletion or misuse, and comply with ISO 16175
  • minimum metadata standards set by the NAA are met to ensure that digital content is described, sharable, admissible as evidence and re-usable
  • standard professional information and records management specialist qualifications, skills and capabilities set by the NAA are met
  • DFAT reports annually to the NAA on
    progress in digital information management capabilities and maturity.

9.
Authorised Recordkeeping Systems

The EDRMS is the primary recordkeeping system for DFAT for
the management of both physical and electronic records (documents and
files/containers) along with the required associated metadata.

DFAT records (irrespective of format) stored in shared
drives, personal drives, email folders, SharePoint sites, the Cloud, local
applications, cabinets, workstations and on backup disks or drives are not
compliant with DFAT's recordkeeping obligations.

These drives and locations do not capture sufficient
metadata to meet the legal recordkeeping retention and disposal requirements,
and/or do not allow records to be widely searchable or accessible to all who
need them, are not authenticated and are not secure from alteration or
deletion.

This business information remains non-compliant until it
is registered as a record in the EDRMS or an authorised business system (assessed
for records management functionality against ISO 16175 and approved by the
Director, Corporate Records Section), as required.

Shared network drives are not authorised for the storage
and management of records. Records are not to be stored on shared network
drives without approval from the Director, Corporate Records Section, based on
a business case that justifies doing so.

A Business Information System is an information reporting
and/or transaction system used within DFAT. Business information systems are
not automatically records management compliant – they contain structured data
that potentially constitutes part of a Commonwealth record but this does not by
default contain the contextual information to ensure reliability, authenticity
and usability. Further, legal recordkeeping retention and disposal requirements
(beyond keeping backups of data) are usually not adequately catered for.

Before being authorised to store and manage records, all DFAT
business information systems must be assessed by Corporate Records Section in
consultation with relevant stakeholders as capable of managing the following
processes as a minimum, in accordance with ISO 16175 - the international
standard endorsed by the NAA for that purpose:

  • be capable of collecting all information required for the activity – it should be fit for purpose
  • be capable of capturing content, structure and context of the record
  • provide adequate and compliant storage of records
  • provide protection of record integrity and authenticity
  • ensure the security of records
  • be readily accessible to all staff who need to use the records contained within the system, for as long as the record is needed
  • undertake the disposal of records in accordance with approved disposal authorities
  • ensure the recoverability of records in the event of a disaster
  • ensure the availability of records
    in a useable format through technology changes and migration.

DFAT business
information systems that store records (including email, SharePoint instances
and a range of core business systems), and are not currently approved as
records management compliant, should ensure that appropriate system backup
regimes are in place. This is to ensure the day-to-day accessibility, retrieval
and integrity of records as a minimum is maintained until the system has been
assessed for records management functionality by Corporate Records Section and
authorised to capture and manage records.

10.
Ownership of Records

All records, irrespective of format (i.e. physical or
electronic), created or received by all DFAT staff, in the course of their
duties on behalf of DFAT, are the property of the Department and subject to its
overall control. The only exceptions include if local jurisdiction legislation
or a contract or other legally binding agreement is in place that specifically states
otherwise.

11.
Access to DFAT Records

Under provisions of the Archives Act
1983, Freedom of Information 1982 and Privacy Act 1988
, records created in
DFAT can be released to the public on request, if they meet certain criteria. Failure
to maintain or locate reliable records when requested, may lead to lost revenue
or excessive retrieval costs, legal action or reputational damage for DFAT.

Reforms to the Archives Act 1983 have
resulted in bringing forward the 'open access' period to most records from 30
years to 20 years, which began on 1 January 2011 and will be phased in over a
ten year period.

Reforms to the Freedom of Information Act
1982
promotes a pro-disclosure culture across government ensuring the
public's right to access records held by government agencies. It has simplified
and narrowed the range of exemptions from access.

The Privacy Act 1988 governs the collection, use and disclosure of
information about individuals to ensure that the information collected directly
relates to an agency's functions. Under the Privacy Act, members of the
public have the right to access records about themselves that are less
than 30 years old.

DFAT is regularly served with subpoenas or
orders for the discovery of documents that require the production of selected documents/records
by a specified date. Where a critical time line is not met in this context, the
relevant business area(s) and associated business processes and information
systems will be examined for potential improvements in meeting response times through
digital recordkeeping initiatives.

In
accordance with the Continuing Order of the Senate – Indexed list
of departmental and agency files
, every six months DFAT must publish on the
departmental website an indexed list of titles for files created in the head
office of the department.

12.
Security of Records

Information
Security includes measures such as the application of the Australian Government
security classification system, procedures for the handling, storage and
disposal of official information, and information communications and technology
controls. This policy should be read in conjunction with the Australian
Government Protective Security Manual
, the Australian Government Information
Security Manual
and the DFAT Security Manual.

It
is the responsibility of staff to be familiar with these manuals and the
general principles of handling and managing sensitive information, including
the 'need-to-know' principle, and to apply them where relevant to their
business and recordkeeping in accordance with other individual recordkeeping
responsibilities as set out in Section 16 of this policy.

EDRMS users should note the following when creating,
storing, retrieving, editing and circulating information in the system:

  • Users must ensure that they apply the correct security classification to each document at the time of creation, and save this document in an appropriate file container in the EDRMS. In the EDRMS, the access controls on the file are used as the default access control for a document. Only authorised staff may change the access control on a file.
  • Users should avoid restricting access to named officers, and instead use positions, roles or groups wherever practicable.
  • It is the responsibility of individual users to ensure that security and access controls on documents remain appropriate and in line with the need-to-know principle, as documents are edited, emailed, shared, and to cater for potential changes over time.
  • Documents should be sent within DFAT as a reference link from the EDRMS rather than as an attached document wherever practicable, allowing the EDRMS security and access controls to manage whether the recipient has access.
  • Material with a security classification higher than Unclassified must only be created and saved to files on Satin High.
  • Particular care should be given to
    the access controls applied to documents where privacy issues are involved.

13.
Disposal, Deletion or Destruction of Records

It is an offence to dispose of, delete or destroy any
Commonwealth record without authorisation from the NAA. Under the Archives
Act 1983
and the Crimes Act 1914, DFAT records cannot be disposed of
other than in accordance with the approved NAA disposal authorities. The
disposal authorities relevant to DFAT are the Administrative Functions
Disposal Authority
(AFDA) and the Departmental Agency Functions Disposal
Authority
(DAFDA). The Assistant
Secretary, ICT Services Branch (ISB) and delegated Corporate Records Section
staff, are authorised by NAA to carry out disposal, deletion or destruction of records
for DFAT.

Records
created and received as part of DFAT's business that are of ephemeral value and
are not covered under a Records Authority can be considered for destruction
using NAA's Normal Administrative Practice (NAP) provisions. These records can
be disposed of by the creator, using the appropriate method, without seeking
formal authorisation. Specific guidance on application of the NAP can be found
in the Records Management Manual and on the DFAT Intranet Records Management
pages.

14.
Legislation & Standards

Certain federal government legislation provides direction
on the management of federal government records; this legislation (incorporating
amendments) includes but is not limited to:

  • Archives Act 1983
  • Australian Information Commissioner Act 2010
  • Crimes Act 1914
  • Electronic Transactions Act 1999
  • Evidence Act 1995
  • Financial Framework (Supplementary Powers) Act 1997
  • Financial Framework Legislation Amendment Act 2010
  • Freedom of Information Act 1982
  • Privacy Act 1988
  • Public Governance, Performance and Accountability Act 2013
  • Public Service Act 1999.

DFAT is also committed to
ensuring that its recordkeeping and business systems comply with existing
established standards and major reports into recordkeeping in the Commonwealth
such as:

  • Australian Standard for Records Management - AS ISO 15489 – 2009
  • Australian Standard for Managing Records in an Electronic Environment – ISO 16175
  • Australian Government Recordkeeping Metadata Standard
  • Australian Government's Digital Transition Policy
  • Australian Government's Digital Continuity Policy (including the Digital Continuity Plan)
  • Policies and Guidelines published and endorsed by NAA for Commonwealth agencies
  • Protective Security Policy
    Framework

Additionally,
DFAT is responsible for administering a range of legislation that may include
specific recordkeeping requirements. A list of this legislation can be found at
Appendix C.

15.
Monitoring and Review

This Policy requires recordkeeping practices and processes
to be a significant feature of all business processes and systems. It is the
responsibility of all staff, regardless of level, to contribute to sound
recordkeeping practices. In order to ensure that the policy is effective, DFAT
will monitor recordkeeping practices in a variety of ways to ensure the
compliance of all departmental activities.

Corporate Records Section is the line area directly
responsible for monitoring compliance with the departmental recordkeeping
framework and high-level assessment of the department's compliance with NAA
benchmarks. This includes:

  • monitoring the capture and creation of records into the official recordkeeping system –EDRMS, in particular identifying areas that may not be fully or correctly creating and/or capturing records into the recordkeeping system
  • utilising NAA's "Check-Up Digital" tool to identify areas of non-compliance and areas that need improvement to enhance capability to manage digital records and related information; results will be used as a benchmark for future compliance and strategic planning activities
  • monitoring business system compliance with ISO 16175
  • annually facilitating an external
    records management audit as directed by the DFAT Audit and Risk Committee

Posts undertake periodic reporting using the Self
Assessment Manual (SAM). Reporting requirements and timeframes are dependent on
the experience of the completing officer at post. Part of the SAM undertakes a
self-assessment of compliance based on DFAT's records management policies, and
results are reviewed by Corporate Records Section.

In addition to each officer's individual recordkeeping
responsibilities, managers must ensure that their team is aware of their
recordkeeping responsibilities as part of their daily functions. Managers
should require all staff, including LES and contractors, to include an aspect
of recordkeeping in their performance agreements, and should lead by example
regarding recordkeeping practices and the creation, capture and management of
records into the EDRMS or an authorised business information system.

16.
Roles and Responsibilities

This section defines the duties and responsibilities of all
DFAT staff with respect to recordkeeping.

16.1.
Secretary

The
Secretary is responsible for:

  • authorising and promulgating this policy
  • promoting compliance with this policy
  • supporting and fostering a culture of good recordkeeping in the department
  • nominating the Executive in charge
    of recordkeeping.

16.2.
SES and non-SES managers, HOMs, HOPs and Regional Directors

SES
and non-SES managers, HOMs, HOPs and Regional Directors are responsible for:

  • supporting and fostering a culture of good recordkeeping in DFAT
  • ensuring that officers under their management are aware of their responsibility to maintain accurate records of business
  • providing guidance to staff on managing security and access controls when dealing with security classified, staffing or sensitive records
  • ensuring staff are provided adequate time to undertake recordkeeping responsibilities
  • including the requirement to meet recordkeeping responsibilities in staff (including LES) performance agreements
  • implementing measures to monitor recordkeeping
    responsibility compliance and to address inadequacies in recordkeeping
    practices.

16.3.
CIO, Information Management and
Technology Division (IMD)

The
Chief Information Officer is responsible for:

  • ensuring that recordkeeping policy and practices adopted by the department comply with DFAT's obligations and responsibilities as a Commonwealth Government agency
  • ensuring that the technology used to support the systems that capture and keep records electronically are reliable, available and accessible to DFAT staff as required
  • implementing standards for business information systems that comply with NAA's Standards and Guidelines for electronic recordkeeping, where warranted
  • incorporating electronic recordkeeping requirements (as outlined in Section 9) into business system operational and maintenance plans, and into design specifications when building, reviewing, upgrading or acquiring new business systems
  • providing assurance that back-up and recovery strategies adequately meet electronic recordkeeping storage requirements
  • the development and
    implementation, over time, of a comprehensive information management framework
    which incorporates records management.

16.4.
Assistant Secretary, ICT Services Branch (ISB)

The
Assistant Secretary ISB is responsible for:

  • ensuring this policy is reviewed and is up to date
  • ensuring that all DFAT staff are regularly reminded of their recordkeeping responsibilities
  • in consultation with CIO, authorising each business system managing records
  • ensuring DFAT adheres to appropriate record retention and disposal requirements
  • ensuring that the EDRMS is available, reliable and accessible to staff when required
  • supporting the implementation of EDRMS upgrades and enhancements, in compliance with DFAT's ICT Change and Release Management processes
  • ensuring business systems comply
    with this policy and NAA's electronic
    recordkeeping guidelines and requirements, including NAA-endorsed standards.

16.5.
Corporate Records Section (COR)

COR
is responsible for:

  • developing and implementing strategies to support this policy
  • supporting and fostering a culture of good recordkeeping in DFAT
  • creating and maintaining recordkeeping procedures with which compliance will be mandatory under this policy
  • delivering recordkeeping and EDRMS training, support and advice to all staff
  • maintaining, monitoring and reviewing the departmental recordkeeping system
  • providing support to EDRMS users through effective service desk support arrangements
  • promoting the effective use of the EDRMS
  • liaising with IT Support Staff to ensure the EDRMS is available, reliable and accessible to staff when required
  • liaising with IT Support Staff for the implementation of EDRMS upgrades and enhancements
  • ensuring that, as far as is practicable, records are kept and accessible for as long as required by DFAT staff, government and the public
  • measuring and monitoring compliance of business information systems that store records against ISO 16175 in coordination with IT and business area stakeholders
  • authorising business information systems to store records and/or associated metadata
  • managing the archiving and disposal of records over time
  • authorising, under delegation, the
    disposal/destruction of records.

16.6.
Business System Owners

All
owners of business information and transactional systems that store records
and/or associated metadata must:

  • fully understand the recordkeeping obligations and responsibilities relating to their system(s) and associated business processes that they interact with or manage
  • adhere to DFAT's policy, procedures and standards in creating and managing records in their system(s), including ensuring that their system(s) are scheduled for assessment of records management functionality compliance against ISO 16175: Part 3, and authorised as a system to create and manage records by COR
  • ensure that in the interim until their system(s) have been authorised by COR to create and manage records, appropriate system backup regimes are in place to guarantee the day-to-day accessibility, retrieval and integrity of records stored in their system; or records from the system stored in the EDRMS
  • in coordination with the CIO, incorporate electronic recordkeeping requirements (as outlined in Section 9) into system operational and maintenance plans, and into design specifications when building, reviewing, upgrading or acquiring new business systems
  • ensure that their system(s) do not
    facilitate deletion/destruction or disposal of records without the correct
    authorisation as set out in Section 13 of this policy, except through the
    appropriate application of NAP, also set out in Section 13 of this policy.

16.7.
All DFAT Staff

All
DFAT staff must:

  • understand the recordkeeping obligations and responsibilities relating to their position
  • adhere to DFAT's policy, procedures and standards in maintaining records as required by their daily tasks
  • attend mandatory recordkeeping and EDRMS training
  • create and capture records in the EDRMS or authorised recordkeeping system
  • be familiar with the provisions
    for handling and managing sensitive and security classified information,
    including the 'need-to-know' principle, and to apply them where relevant to
    their business and recordkeeping practices
  • ensure that they do not destroy records without the correct authorisation, except through the appropriate application of NAP (refer to Section 13 of this policy)
  • include meeting recordkeeping responsibilities in performance agreements
  • be accountable for their actions
    and decision-making to the general public, Commonwealth Government and to
    DFAT's Stakeholders.

17.
Appendix

17.1.
Appendix A: Glossary of Terms

Significant terms used in the Records
Management Policy are defined or explained below.

Term

Definition

Accountability

Based on the
principle that individuals, organisations and the community are required to
be accountable to others for their actions. Organisations and their employees
must be able to account to appropriate regulatory authorities, shareholders
or members, and to the public. This is required to meet statutory
obligations, audit requirements, relevant standards, codes of practice, and
community expectations.

Action Officer

Staff who
conduct business on behalf of DFAT and record that business activity.

Activity

(Business
Activity)

An umbrella
term covering all the functions, processes, activities and transactions of an
organisation and its employees.

All staff

This includes
the following DFAT staff:

  • all DFAT staff, including non-ongoing staff
  • all LES, funded by DFAT appropriations
  • all contractors, and
  • all consultants and service
    providers engaged by DFAT.

Authorised
Recordkeeping System

A system that
stores DFAT's Corporate records and associated information, and has been
assessed by COR as complying with ISO
15489 and ISO 16175.

Refer to Section
9 of this policy for further detail.

Business
Classification Scheme

A conceptual
representation of the functions and activities performed by an organisation.
The scheme is derived from the analysis of business activity.

Classification

Systematic
identification and arrangement of business activities and/or records into
categories according to logically structured conventions, methods, and
procedural rules represented in a classification system.

Source:
International Standard, ISO 15489, 2001, Part 1, Clause 3.6.

See also:
Business Classification Scheme and Security Classification System.

COR

Corporate
Records Section.

Commonwealth
Record

Any official
record of the activities of a Commonwealth Government department or agency.

See also: Corporate
Record and Complete and Accurate Record(s).

Refer to Section
6 of this policy for further detail.

Complete and
Accurate Record(s)

A complete and
accurate record has characteristics that differentiate a record from other
types of information and provide for a record to be admissible as evidence.
These characteristics include that a record is:

  • compliant with the recordkeeping requirements
    arising from the regulatory and accountability environment in which the
    organisation operates
  • adequate for the purposes for which it is
    kept
  • complete – containing not only the content,
    but also the structural and contextual information necessary to document
    a transaction
  • meaningful – containing information and/or
    linkages that ensure the business context in which the record was
    created and used is apparent
  • comprehensive – documenting the complete range of
    the organisation's business for which evidence is required
  • accurate – to reflect the transactions that
    it documents
  • authentic – enabling proof that it is what it
    purports to be and that its purported creators did indeed create it
  • inviolate – securely maintained to prevent
    unauthorised access, alteration or removal.

Adapted from:
Standards Australia, AS 4390, 1996, Part 3, Clause 5.3.

Conversion

Process of
changing records from one medium to another or from one format to another.

Adapted from:
International Standard, ISO 15489, 2001, Part 1, Clause 3.7.

Corporate
Record

Information
created, received, and maintained as information and evidence of the
functions and activities performed by an organisation or person, in pursuance
of legal obligations or in the transaction of business.

Adapted from:
International Standard, ISO 15489, 2001, Part 1, Clause 3.15.

See also: Complete
and Accurate Record(s).

Refer to Section
6 of this policy for further detail.

DCP

Digital
Continuity Policy – whole-of-Government policy in support of ensuring that
records and information are complete, available and useable by those who need
it, for as long as required, but not kept for longer than needed.

Destruction

Process of
eliminating or deleting records, beyond any possible reconstruction.

Source:
International Standard, ISO 15489, 2001, Part 1, Clause 3.8.

Digital
continuity

Ensuring that
records and information are complete, available and useable by those who need
it, for as long as required across technological, migration and governance
changes, but not kept for longer than needed.

Digital record

A record that
is communicated and maintained in a digital format. Same as an electronic
record.

Digital
transition

The transition
from paper and other physical formats to digital formats.

Disposal

See
Disposition.

Disposition

Range of
processes associated with implementing records retention, destruction or
transfer decisions which are documented in disposition authorities or other
instruments.

Adapted from:
International Standard, ISO 15489, 2001, Part 1, Clause 3.9.

Refer to Section
13 of this policy for further detail.

Document

Recorded
information or an object that can be treated as a unit. A document becomes a
record when it is registered into an authorised recordkeeping system with relevant
associated metadata.

Adapted from: International
Standard, ISO 15489, 2001, Part 1, Clause 3.10.

DTP

Digital
Transition Policy – whole-of-Government policy in support of transitioning away from a predominantly paper-based
records management environment to digital recordkeeping.

EDRMS

Electronic
Document & Records Management System

Electronic
Document

A document that
is communicated and maintained in an electronic format.

Electronic
Record

A record that
is communicated and maintained in an electronic format. Same as a digital
record.

File Number

A number
attached to each file that serves as a unique identifier.

Function

The largest
unit of business activity in an organisation or jurisdiction.

Instant
Messaging (IM)

The act of communicating in near real-time via a
computer network (e.g. a local area network, a wide area network or the
Internet). IM differs from email in several regards relevant to recordkeeping,
including:

  • Communication is delivered directly to the recipient rather than via the delayed mechanisms (server-to-server routing) used by email protocols,
  • IM packages allow
    users to "chat", where each line of text is displayed as soon as it is typed,
    rather than needing to wait for a complete message to be delivered. Thus,
    email is like an electronic letter, while IM is more like an electronic
    telephone call.

In DFAT, IM is not currently configured to directly
capture records or metadata for recordkeeping purposes. Capturing records
from IM communications is therefore a manual process involving making a Note
for File. As such, IM is not recommended to conduct business
communications that potentially require a record to be kept.

Metadata

Structured data
or other information that describes context, content and structure of records
and their management through time. It allows users to find, manage, control,
understand or preserve the information it relates to.

Adapted from: International
Standard, ISO 15489, 2001, Part 1, Clause 3.12.

Migration

Act of removing
records from one system to another, while maintaining the records'
authenticity, integrity, reliability and useability.

Source:
International Standard, ISO 15489, 2001, Part 1, Clause 3.13.

Multimedia
Message Service (MMS)

An extension of
Short Message Service (SMS), by which users can transfer not only text but
other kinds of material (images, video, audio) to mobile telephones.

NAA

National
Archives of Australia

Naming
Conventions

Standards
relating to the structure of the 'free text' part when naming files (including
punctuation, capitalisation, use of acronyms and abbreviations), and applied
within the context of records management.

NAP

See Normal
Administrative Practice

Normal
Administrative Practice (NAP)

Normal
Administrative Practice (NAP) is a provision under the Archives Act 1983 that
permits the destruction of records that are not covered by a Records
Authority. In general, this applies to records that are deemed to be:

  • Facilitative,
    transitory or short-term records,
  • Rough working papers and/or calculations,
  • Drafts not intended for further use or reference,
  • Copies of material retained for reference purposes only, or
  • Published material not
    forming an integral part of DFAT's records.

Refer to
Section 13 of this policy for further detail.

Preservation

Processes and
operations involved in ensuring the technical and intellectual survival of
authentic, complete and accurate records through time.

Adapted from:
International Standard, ISO 15489, 2001, Part 1, Clause 3.14.

Record

See Corporate
Record and Complete and Accurate Record(s).

Refer to Section
6 of this policy for further detail.

Recordkeeping

The making and
maintaining of complete, accurate and reliable evidence of business
transactions in the form of recorded information into the EDRMS or an
authorised business system. This 'recorded information' includes the record
itself and relevant associated metadata.

Recordkeeping includes:

  • The application of appropriate security and access controls to records on creation, and amending these controls as necessary during the lifetime of the record, to secure them from unauthorised access; and
  • ensuring that records
    are only destroyed with the correct authorisation, or through appropriate
    application of Normal Administrative Practice.

Adapted from:
Standards Australia, AS 4390, Part 1, Clause 4.19; and Part 3, Foreword.

See also:
Complete and Accurate Record(s), Metadata, Authorised Recordkeeping System,
Normal Administrative Practice

Refer to the
following sections of this policy for further detail as noted:

  • Section 6 provides detail
    regarding the definition of a record
  • Section 12 provides detail on record security and access controls
  • Section 13 provides detail regarding records disposal, destruction and application of Normal
    Administrative Practice.

Records
management

The discipline
and organisational function of efficiently and systematically controlling the
creation, receipt, maintenance, use and disposition of records. This includes
processes for capturing and maintaining evidence of and information about
business activities and transactions in the form of records, to meet
operational business needs, accountability requirements and community
expectations.

Adapted from:
International Standard, ISO 15489, 2001, Part 1, Clause 3.16.

Records Manager

The person
responsible for managing official Commonwealth records in DFAT using the recordkeeping
System. Responsibilities include all processes from creation to disposal of
official records and ensuring compliance with legal and administrative
requirements.

Registration

Act of giving a
record a unique identifier on its entry into a system.

Source:
International Standard, ISO 15489, 2001, Part 1, Clause 3.18.

Scanning

The process of
capturing an electronic image of a document for storage in an electronic
document system.

Security
Classification System

A set of
procedures for identifying and protecting official information whose
disclosure could have adverse consequences for the Commonwealth. The security
classification system is implemented by assigning markings (such as 'Top
Secret' or 'Protected') that show the value of the information and indicate
the minimum level of protection it must be afforded.

Adapted from:
Attorney-General's Department, Commonwealth Protective Security Manual,
Glossary.

Short Message
Service (SMS)

A function
available on most mobile telephones, which enables users to send brief typed
text messages to other mobile telephones, and in some cases, other handheld
computing devices such as personal organisers.

Social Media

An umbrella
term for Internet-based tools for sharing and discussing information among
people. It refers to user-generated information, opinion and other content
shared and discussed over open digital networks. Social media may include
(although is not limited to):

  • Social networking
    sites (e.g. Facebook, LinkedIn)
  • Instant messaging (e.g. Lync), podcasting and video on demand (VOD
  • Video and photo sharing websites (e.g. YouTube, Flickr)
  • Blogs and micro-blogs
    (e.g. Twitter) and Wikis (e.g. Wikipedia)

Refer to
Section 6 of this policy for further detail.

Storage

The function of
storing records for future retrieval and use.

Thesaurus

A (keyword)
thesaurus provides control and consistency over the vocabulary used for titling
and indexing of records.

Transfer

Change of
location, custody, ownership and/or responsibility for records.

Source:
International Standard, ISO 15489, 2001, Part 1, Clause 3.20.

TRIM

TRIM is the EDRMS
records management software.

Transaction

The smallest
unit of business activity. Uses of records are themselves transactions.

Video instant
messaging

An extension of
instant messaging which enables users to videoconference using an instant
messaging program.

See also:
Instant Messaging

Voicemail

A centralised
method of managing telephone recorded messages for a group of telephones. In
its most basic form, voicemail is simply a large-scale answering machine, but
most modern systems have added functionality, allowing users to check
messages remotely, forward messages to other voicemail boxes or mobile
telephones, and personalise greetings for different callers.


17.2.
Appendix B: Summary of Recordkeeping Legislation

Acts and Standards

Description

Archives Act 1983

The Archives Act 1983 officially established
the National Archives of Australia. The Act empowers the Archives to preserve
the archival resources of the Commonwealth (those records designated
'national archives') and defines their role in supporting and governing the
creation and management of these records. The Act establishes the framework
in which agencies must create, capture and manage their records including:

  • Imposing statutory obligations on all Government departments and agencies for the management of their records
  • Making it illegal to destroy or alter Commonwealth records without the permission of the Archives, unless otherwise stated by law
  • Creating a fundamental right of public access, bringing forward the 'open access' period to most records from 30 years to 20 years, which began on 1 January 2011 and will be phased in over a ten year period other than Cabinet notebooks and census information which have been reduced from 50 years to 30 years
  • Governing the retention and
    disposal of records.

Australian
Information Commissioner Act 2010

The Australian
Information Commissioner Act 2010
established the Office of the
Australian Information Commissioner (OAIC). The OAIC has three sets of
functions:

  • freedom of information
  • privacy
  • government and information
    policy

The OAIC aims to facilitate
public access to government information and encourages agencies to
proactively publish information.

Electronic
Transaction Act 1999

The Electronic
Transactions Act 1999
provides a regulatory framework that enables
business and the community to use electronic communications in their dealings
with government. The primary objective of the Act is to remove impediments
that might prevent a person from using electronic communication to satisfy
obligations under Commonwealth law.

Broadly, the Act provides
that electronic communications and electronic forms of documents may be used
to satisfy requirements or permissions, under Commonwealth laws, for a person
to:

  • give information in writing
  • provide a handwritten signature
  • produce a document that is in the form of paper or other material
  • record information in writing
  • retain a document that is in the form of paper or other material
  • retain information that was the subject of an electronic communication

The Act provides for
exemptions and it identifies conditions that must be met in order to maintain
the integrity and accessibility of information.

Evidence Act 1995

The Evidence Act 1995 recognises the role of modern technologies in
business and government. It abolishes the 'original document' rule and
ensures that faxes, telexes and electronic communications may be admitted
into evidence in all federal courts.

The Act defines a 'document'
:

'anything on which there is writing, anything on which
there are marks, figures, symbols or perforations having a meaning for
persons qualified to interpret them or anything from which sounds, images or
writings can be reproduced with or without the aid of anything else.'

If the document in question
is an 'article or thing on or in which information is stored in such a way
that it cannot be used by the court unless a device is used to retrieve,
produce or collate it', it is permissible to tender 'a document that was or
purports to have been produced by use of the device'.

To be admissible the record must be:

  • authentic - it must be clear that the record or document has not been altered or modified without authority;
  • complete and accurate; and
  • logically sequenced and
    arranged.

Freedom of Information Act 1982

The Freedom of Information Act 1982 provides that a
person has a legally enforceable right to obtain access to a document of an
agency or an official document of a Minister unless that document falls
within one of the exemptions set out in the Act. Generally, exempt documents
are those which must be kept confidential to protect essential public
interests, personal or business information.

Under changes to the FOI
Act 1982
, agencies are required to publish agency plans as well as other
specific categories of information.

ISO 15489

Records Management

The International Standard For Records Management - ISO 15489 provides
strategies and operational guidelines for the implementation of records
management practices and procedures in any organisation. The Standards are
designed to help organisations create, capture and manage complete and
accurate records to meet their business needs and legal requirements as well
as to satisfy other stakeholder expectations. They apply to records in any
format or media, created or received by any public or private organisation
during the course of its activities.

The Standard has been used
as guidance in preparation of these instructions.

ISO 16175

Principles and
Functional Requirements for Records in Electronic Office Environments

ISO 16175 provides internationally agreed principles and
functional requirements for software used to create digital information in
office environments.

NAA has endorsed the use of
ISO 16175 for use by Australian Government agencies to assess the records
management functionality of a business information or transactional system.

Privacy Act 1988

The Privacy Act
1988
makes provision to protect the privacy of
individuals and prevent the misuse of personal information about members of
the public. It governs the collection, use and disclosure of information
about individuals by Australian Government agencies to ensure that it is only
used for purposes that relate directly to the functions or role of the
agency. It specifies that the information agencies keep must be secure,
accurate, relevant, complete, and not misleading. The Act also gives people
a right to see records about themselves.

Records over 30 years old
are exempt from the Privacy Act. Access to these records is controlled
through the Archives Act 1983.

Public Governance,
Performance and Accountability Act 2013

The Public
Governance, Performance and Accountability Act 2013
includes specific provisions for Commonwealth entity
records relating to governance and reporting, performance and accountability.


17.3.
Appendix C: Legislation Administered by DFAT

Anti-Personnel
Mines Convention Act 1998

Australian
Centre for International Agricultural Research Act 1982

Australian
Civilian Corps Act 2011

Australian
Passports Act 2005

Australian
Passports (Application of Fees) Act 2005

Australian
Passports (Transitionals and Consequentials) Act 2005

Australian
Trade Commission Act 1985

Australian
Trade Commission (Transitional Provisions and Consequential Amendments) Act
1985

Autonomous
Sanctions Act 2011

Charter
of the United Nations Act 1945

Chemical
Weapons (Prohibition) Act 1994

Comprehensive
Nuclear Test-Ban Treaty Act 1998

Consular
Fees Act 1955

Consular
Privileges and Immunities Act 1972

Diplomatic
and Consular Missions Act 1978

Diplomatic
Privileges and Immunities Act 1967

Export
Finance and Insurance Corporation Act 1991

Export
Finance and Insurance Corporation (Transitional Provisions and Consequential
Amendments) Act 1991

Export
Market Development Grants Act 1997

Export
Market Development Grants (Repeal and Consequential Provisions) Act 1997

Foreign
Passports (Law Enforcement and Security) Act 2005

Intelligence
Services Act 2001, except to the extent administered by the
Prime Minister, the Attorney-General and the Minister for Defence

International
Development Association Act 1960

International
Fund for Agricultural Development Act 1977

International
Organisations (Privileges and Immunities) Act 1963

Nauru
Independence Act 1967

Nuclear
Non-Proliferation (Safeguards) Act 1987

Nuclear
Safeguards (Producers of Uranium Ore Concentrates) Charge Act 1993

Overseas
Missions (Privileges and Immunities) Act 1995

Papua
New Guinea Independence Act 1975

Papua
New Guinea (Staffing Assistance) Act 1973, except to the extent administered by
the
Minister for Finance

Registration
of Deaths Abroad Act 1984

Security
Treaty (Australia, New Zealand and the United States of America) Act 1952

South
Pacific Nuclear Free Zone Treaty Act 1986

Tourism
Australia Act 2004

Tourism
Australia (Repeal and Transitional Provisions) Act 2004

Trade
Representatives Act 1933

United
Nations Educational, Scientific and Cultural Organization Act 1947

United
States Naval Communications Station Agreement Acts

US
Free Trade Agreement Implementation Act 2004

Source: http://www.naa.gov.au/Images/AAO_23_December_2014_tcm16-83959.rtf

17.4.
Appendix D: Potential Benefits of Digital Recordkeeping

Digital records
management provides a number of efficiency and other benefits including
improved corporate governance, improved business processes and reduced costs:

  • Improved access to and retrieval of relevant records and information - facilitates better-informed decision-making; better service delivery; fewer information silos; enhanced information sharing across the agency and between agencies; and potential for re-use of information by government and the Australian community.
  • Improved corporate governance - lower compliance costs and enhanced ability to provide accurate, timely and transparent responses to legislative and regulatory requirements. Australian Government agencies need to meet a range of legislative, regulatory and governance requirements. Managing records digitally strengthens corporate governance by helping agencies meet legal obligations and regulatory and governance requirements in an efficient and cost-effective way.
  • Legislative obligations - well-managed digital records support transparent, accurate and timely responses to applications under information access legislation or under subpoena. Under freedom of information reforms charges must be waived if a statutory time frame is not met, so quickly locating the right records can avoid a cost penalty. It is easier to publish digital information on websites, in keeping with Information Publication Scheme requirements, in formats that allow use and re-use.
  • Transparency and accountability - authoritative records provide evidence of, justify or explain actions or decisions. They substantiate responses to audit, official inquiry or other types of investigation. Records protect the democratic rights and entitlements of individuals and provide evidence of interactions between Australia's people and elected governments. Good digital management means records are trustworthy, authoritative and able to withstand scrutiny. Digital management provides accountability benefits that are difficult to duplicate in paper systems. Comprehensive and accurate audit trails not only help an understanding of communications, decisions and actions that have been carried out but also show when a record was created, accessed or amended and by whom.
  • Risk management - a well-managed digital information and records management program is a business and reputational risk mitigation strategy. The ability to demonstrate what and why decisions and actions were taken and how they were carried out reduces the risk of non-compliance due to incomplete or inaccurate records. Reduced reputational risks that can result when information cannot be found or is compromised through unauthorised access.
  • Business continuity - Digital records management will better support disaster recovery and business continuity. Managing information digitally allows off-site back-up of records which a paper-based system cannot easily offer. It also safeguards vital corporate information from loss, misuse, tampering and physical damage.
  • Records management cost savings - from less creation, storage, retrieval and handling of paper
    records.


Last Updated: 21 July 2014
Back to top