Records provide evidence of business activity and transactions, that is, what the University has (and hasn’t) done. Like the University’s other key resources (staff, finance, infrastructure and intellectual property) records are critical for the University to conduct business now and in the future. Knowledge and information are at the core of the University’s business and JCU has a duty to treat the information it collects and produces as an essential, valuable and authoritative resource and to effectively manage our knowledge resources and corporate memory.
Having and maintaining a properly managed system and set of practices for University records provides confidence to the University’s stakeholders that the University’s records are treated as a core business resource that will support the ongoing achievement of our strategic objectives and the delivery of services to our clients, protect our rights and enrich the historical resources of the community.
Ongoing improvements to the University’s records management systems and practices will derive benefits such as:
- more efficient business processes that rely on information;
- consolidation of different information sources into a single point of truth for corporate records;
- faster retrieval of records to facilitate information sharing, collaboration and reuse;
- more informed and evidence-based decision making;
- better security of our records;
- improved access through the capture and management of electronic records;
- rationalisation of physical and electronic storage space;
- greater availability of records to support compliance, accountability and transparency, to enforce our legal rights and for evidential purposes;
- improved internal management processes and control of information resources;
- improved compliance with legislative and statutory requirements and in particular the Public Records Act 2002 (Qld), the Right to Information Act 2009 (Qld) and the Information Privacy Act 2009 (Qld); and
- preservation of the University’s corporate memory and cultural collections to enrich the community.
The University has developed and will continue to develop and review a framework for managing and using its records and corporate information in order to achieve the above.
Underpinning the Framework are the legal requirements set by the government to ensure that public agencies manage their resources effectively, ethically and efficiently. As a University, we are obliged to manage our records in accordance with legislation, evidentiary and accountability requirements, which include:
- Public Records Act 2002 – the main purpose of the Act is to ensure the public records of Queensland are made, kept, managed and preserved in a usable form for the benefit of present and future generations. The Act promotes consistency and accountability in record keeping practices.
- Right to Information Act 2009 – this Act promotes greater openness and accountability by giving individuals a right to apply for access to documents held by agencies and requires agencies to publish a publication scheme on their website which includes an online disclosure log of documents that have been released in response to Right to Information applications. This Act requires that full and accurate records be effectively managed to ensure that they are available in a useable and timely manner should access be approved.
- Information Privacy Act 2009 – the object of this Act is to govern access to and amendment of an individual’s personal information and provide legislative safeguards regarding the handling of personal information. From a records management perspective this Act, like the Right to Information Act, requires that full and accurate records be effectively managed to ensure that they are available in a useable and timely manner should access be approved, but it also specifies a number of the controls required to protect and safeguard personal information held by the University.
- Evidence Act 1977 – amongst other provisions this Act specifies the conditions to be met to allow the admission of records and documents as evidence in legal proceedings.
- Financial Accountability Act 2009 – this Act requires that all public money and public property, including records and other information assets, be appropriately administered.
This legislation assigns responsibility for records management to the Chief Executive Officer, JCU’s Vice Chancellor, who in turn has delegated this responsibility to all officers, employees and other persons acting in their official capacity for or on behalf of the University.
2. Information Standards
Standards are measurable and can be subject to audit to determine the level of compliance or may set a benchmark within a sector. There are three main types of standards.
2.1 Qld Government Information Standards and Policy
Information Standards (IS) are issued under the authority of legislation and promote best practice in the management of information, information systems and technology which support business processes and service delivery. They provide strategic level principles on which the policies, guides and other tools are based. Some of the principles in these standards are mandated and therefore place a compliance obligation on the University.
Relevant to records management are:
- IS18: Information Security – this standard focuses on establishing a set of principles to protect the confidentiality, integrity and availability of information through appropriate physical, electronic and human security controls.
Records Governance Policy
The aim of this policy is to enable agencies and public authorities to:
- provide a strong foundation for systematically and effectively managing complete and reliable records and information
- ensure that those records that are most important are actively managed and preserved
- increase the discoverability and accessibility of records and information
- empower agencies to establish their own fit-for-purpose records and information governance practices
- apply a phased implementation approach focusing on increasing records management capability and maturity.
Policy requirement 1: Agencies must ensure records management is supported at all levels of the business
Agencies must ensure records management is everyone’s responsibility. This means it must be supported across all areas and all levels of the business by:
- assigning formal records management responsibilities to key roles within the business to monitor and support the active implementation of this policy
- providing appropriate advice and guidance to ensure the business is aware of the value of records and information and how this relates to their obligations and responsibilities as an employee
- fostering a positive, innovative and collaborative recordkeeping culture.
Policy requirement 2: Agencies must systematically manage records using governance practices that are integrated and consistent with broader agency frameworks
Consistent and aligned governance practices provide a strong foundation for systematically managing records and information across all functions of an agency. Records governance must work within the agency’s existing structure and governance and strengthen the agency’s strategic goals and functions.
Agencies must systematically manage records and information by:
- ensuring records and information governance is aligned with broader agency frameworks and incorporated in business strategies and objectives
- developing and implementing appropriate and fit-for-purpose documentation that details how active records management will strengthen agency business imperatives and strategic goals
- complying with relevant legislation that governs recordkeeping requirements
- measuring how well records governance is supporting agency business imperatives and strategic goals.
Policy requirement 3: Agencies must create complete and reliable records
Complete and reliable records provide evidence of activities of the agency and allow the business to operate effectively. Agencies must ensure complete and reliable records are created and retained as appropriate by:
- identifying all the records that allow the business to operate – these provide evidence of decisions, support accountability and transparency, mitigate risk, help the agency meet legislative requirements and reflect the business of the agency
- specifying how these records must be created, when they must be created, the format they must be created in, who must create them and implementing security and preservation requirements associated with those records
- integrating record creation into existing business processes
- ensuring recordkeeping is considered when decisions are made about business systems (particularly decisions around migration and end of life).
Policy requirement 4: Agencies must actively manage permanent, high-value and high-risk records and information as a priority
‘Permanent’ records are those with a permanent retention period. ‘High value’ records are those that are important to the business, its operations, or stakeholders. ‘High-risk’ records are those that pose a significant risk to the agency if they were misused, lost, damaged or deleted prematurely. These records should have the highest priority for agencies when developing and implementing their governance practices. Agencies must actively manage permanent, high-value and high-risk records by:
- defining the criteria and processes for identifying permanent, high-value and high-risk records, including transfer of permanent value records to QSA
- formally documenting details of permanent, high-value and high-risk records
- actively maintaining visibility of these records while they are being used, including monitoring processes for permanent, high-value and high-risk records held in business systems and applications.
Policy requirement 5: Agencies must make records discoverable and accessible for use and re-use
Discoverable records are those that are in business systems and applications approved for use by the agency. Accessible records are those that can be located and continuously used. Agencies must ensure complete and reliable records are discoverable, accessible and are able to be used and re-used for their entire life by:
- keeping records in business systems and applications approved for use by the agency
- being able to discover and appropriately access records, with confidence in sufficiency of search
- actively monitoring the health of records.
Policy requirement 6: Agencies must dispose of records in a planned and authorised way
Agencies must plan for how and when they will dispose of records, using a risk based approach. Records must be disposed of in a planned and authorised way by:
- using the disposal authorities issued by the State Archivist, that provide proper coverage of the specific records you create and keep.
- developing and implementing a disposal plan, which details disposal decisions and actions for the agency. The plan must, at a minimum, cover:
  - disposal endorsement, including how internal endorsement is given
  - disposal methods, including how records will be disposed of (physical and digital)
  - disposal frequency, including specifying how often certain types of records will be disposed of.
- formally documenting the disposal of records.
Recordkeeping implementation advice
This policy should be read in conjunction with the Records Governance Implementation Guideline (to be published shortly).
Issue and review
Issue date: 6 June 2018 Next review date: June 2020
This policy is published within the QGEA which is administered by the Queensland Government Chief Information Office. This policy was developed by the Queensland State Archives and is approved by the Queensland State Archivist and the Queensland Government Chief Information Officer.
2.2 Australian Standards/International Standards Organisation Standards
AS/ISO 15489-1:2001 Information and documentation – Records Management Part 1 and 2 – this standard sets out the principles, processes and practices associated with records management and sets out accepted good practice within the industry.
2.3 JCU Records Management Standards
These standards are under development and will specify the standard or benchmark to be followed by staff in performing certain records management activities such as file naming, email naming, TRIM data quality etc.
A policy is a statement that specifies non-discretionary governing principles and intentions which articulate required University practice to meet the organisation’s guiding principles and legislative requirements. University policies must comply with all relevant legislative and statutory requirements and must be approved by the appropriate University authority.
University’s relevant policies are:
4. Schedules and other Tools
Records Management tools support the implementation of recordkeeping policies and provide consistency of practice. These tools include:
- Retention and Disposal Schedules (RDS) – these set out the minimum retention periods for different record classes and the conditions under which the University may dispose of its records. There are two RDS that are applicable to JCU:
  - Queensland Universities Retention and Disposal Schedule – this schedule covers a range of functions common to Queensland Universities including records of University Council or Senate, Chancellor, Vice-Chancellor, Student, Research, Teaching and Learning, Health Services, Student Services, Faculty, School, Department, Bookshop, Library, Museum, Child Care Services, Food Services, commercial activities and Art Gallery records.
  - General Retention and Disposal Schedule for Administrative Records – unlike the Universities Schedule this schedule covers a range of administrative functions that all public authorities perform including financial management, human resource management, facilities management, corporate governance etc.
- Business Classification Scheme (BCS) – a business classification scheme is a hierarchical taxonomy or index that describes the records in relation to their function, activity, transaction and/or subject. It helps describe the records so that they can be found (similar to keywords in an internet search engine) and places records together that are related because of their subject matter or context within the organisation.
- Records Management Security Classification Scheme (RMSCS) – this scheme sets out different security classifications for records so that they are protected from unauthorised access, use or disclosure.
- Recordkeeping Metadata Scheme – this scheme sets out the metadata that will be captured within the records management system. Amongst other things the scheme identifies the metadata tags, allowed metadata values and any conditions on the use of the metadata.
- Delegations – these authorise particular staff to perform certain activities. For example, under the Public Records Act the Vice-Chancellor is responsible for all records disposals; however, Records Disposal Delegations authorise other staff to approve the disposal of records.
5. Procedures and Guidelines
Guidelines* and Procedures* are designed to assist the University and its staff in meeting their recordkeeping obligations and to foster good practice.
Procedures set out the logical steps in completing a task, such as scanning a record or disposing of a record, while Guidelines provide guidance to staff on particular issues. Records Management Procedures and Guidelines include:
- Record Management Guidelines
- TRIM eDRMS Guidelines
- Information Request Guidelines (for example, Right to Information requests, Information Privacy requests and Official requests)
- JCU Archive Guidelines
* = under development
Every employee of the University is required to manage the records and corporate information that they are responsible for and is subject to legislation relating to records management. All staff are accountable for the management of documents and records (including electronic records) generated in the course of their duties or under their direct control. All University records should be appropriately stored and properly secured to prevent unauthorised access, disclosure, modification, loss or damage.
The Vice-Chancellor and President, as Chief Executive, has overall responsibility for ensuring that the University complies with the legislative requirements.
The Director, Governance and University Secretary as Compliance Officer is responsible for ensuring that the University has an adequate and appropriate record and corporate information framework, which is adhered to.
The staff of the Corporate Information and E-Records Section have responsibility for the implementation of the University’s Records Management Framework in accordance with legislative requirements. This includes the provision of:
- A system (TRIM) for the capture, management and keeping of records;
- Advice on and support for good practice records management;
- Appropriate training in records and corporate information management;
- Monitoring and auditing University systems, processes and staff practices in records management;
- A Records Management Framework and defined and identifiable records management program;
- Ongoing management of a comprehensive collection of University records through their lifecycle;
- Securing records to only those authorised to view, use or disclose the information;
- Protection to safeguard the ongoing evidential integrity and usability of the University records; and
- Continual improvement of records management practices across the University.