1.1 Well-managed government information delivers a number of benefits to the community including that it:

• supports well informed policy and programs across government;
• enables transparency and accountability, and builds trust;
• minimises costs by minimising duplication and re-work; and
• when preserved in the national archives, forms part of the history, identity and memory of Australia both before and after white settlement.

1.2 In December 2022, the Secretary of the Department of the Prime Minister and Cabinet highlighted stewardship as a key responsibility for the public service, and noted the importance of record-keeping in effectively discharging this stewardship:

Public service works best amid stability and accumulated intellectual capital. It implies record keeping so the rationale and authority of a decision is clear.³

Role of the National Archives of Australia

1.3 The National Archives of Australia (National Archives) was established under the Archives Act 1983 (Archives Act) and is a non-corporate Commonwealth entity under the Public Governance, Performance and Accountability Act 2013.

1.4 The National Archives provides advice and assurance that the Australian Government has access to authentic, reliable and usable Commonwealth records to enable evidence-based decisions, provide sound advice, develop good policy, deliver programs effectively.⁴ The National Archives also facilitates access to the archival resources of the Commonwealth of Australia.

1.5 The National Archives:

• sets information and data management requirements for Australian Government entities;
• ensures the Australian Government creates and keeps records of its actions and decisions to demonstrate accountability to the community and evidence of the integrity of the operations of the Australian Public Service;
• authorises destruction of information assets with no ongoing value to government or community; and
• selects and preserves the most significant records of the Australian Government and makes these available to government and the public as a national resource to enrich and inform how Australians live today and into the future.⁵

Building trust in the public record: managing information and data for government and community policy

1.6 The National Archives’ Building trust in the public record: managing information and data for government and community policy (Building Trust policy) came into effect on 1 January 2021. The Building Trust policy is a successor policy to the Digital Continuity 2020 policy.

1.7 The purpose of the Building Trust policy is to ‘improve how Australian Government agencies create, collect, manage and are able to use information assets.’⁶

1.8 The Building Trust policy requires that entities:

• manage information assets strategically with appropriate governance and reporting;
• implement fit-for-purpose information management processes, practices and systems; and
• assess their information management capability annually and report on this to the National Archives.⁷

National Archives’ Check-up survey

1.9 The National Archives has run annual information management surveys of Australian Government entities since 2011, known as ‘Check-up’ surveys. The survey is a mandatory requirement of the Building Trust policy and is approved by the entities’ Accountable Authorities or Chief Executive Officer. It is used by the National Archives to monitor the progress of Australian Government entities in implementing the Building Trust policy and trends in information management maturity and performance in managing their information assets (records, information and data).⁸ The 2022 survey was sent to 170 entities, with 165 responding, resulting in a response rate of 97 per cent.

Role of entities

1.10 The Archives Act sets obligations for the management of information assets for Australian Government entities. The National Archives defines the responsibilities of entities as to:

• create and maintain full and accurate records of their business;
• develop and implement entity-specific information and records management policies and procedures;
• establish clear lines of responsibility for records management and ensure that staff are trained to carry out their records management responsibilities;
• work in consultation with the National Archives to develop records authorities⁹; and
• provide adequate resources for records management activities.¹⁰

Previous reviews and audits

1.11 In October 2019, the Auditor-General tabled the Implementation of the Digital Continuity 2020 Policy audit report that concluded that the National Archives had been largely ineffective in monitoring, assisting, and encouraging entities to meet the targets of the policy.¹¹ The ANAO made five recommendations to the National Archives in regard to the Digital Continuity 2020 policy and successor policies to improve its:

• arrangements to guide implementation as a coordinated program of work;
• stakeholder engagement and communication with entities;
• risk management;
• monitoring, evaluation and performance measures; and
• assurance on the accuracy of reported data on entity progress.

1.12 The Joint Committee of Public Accounts and Audit (JCPAA) reviewed the ANAO’s report in its Report 492: Governance in the Stewardship of Public Resources and recommended the ANAO undertake a follow-up audit of the National Archives’ implementation of the Building Trust policy.¹² The JCPAA also recommended that the National Archives report back to it on several matters (see Appendix 4).

Rationale for undertaking the audit

1.13 Well-managed information assets play a vital role in Australian Government business. Australian Government entities must be able to appropriately identify, categorise, store, and manage all information assets created, collected, received, and retained as part of government business.

1.14 This audit will provide assurance to Parliament on the effectiveness of National Archives’ oversight and support of the Building Trust policy; the National Archives’ implementation of recommendations from the ANAO and JCPAA in regard to the previous Digital Continuity 2020 policy; and the extent to which selected entities’ management of information assets is consistent with the new Building Trust policy.

Audit approach

Audit objective, criteria and scope

1.15 This audit examined the effectiveness of the National Archives of Australia’s implementation of the Building Trust policy and selected entities’ management of information assets (records, information and data).

1.16 To form a conclusion against the objective, the ANAO adopted the following high-level criteria.

• Is the National Archives of Australia effectively implementing the Building Trust policy?
• Has the Department of the Prime Minister and Cabinet established arrangements to effectively manage its information assets?
• Has the Australian National Maritime Museum established arrangements to effectively manage its information assets?

1.17 The implementing entities were selected to provide insight into the challenges and opportunities faced by ‘mainstream’ departments and by smaller, cultural agencies.

Audit methodology

1.18 The audit methodology included:

• a review of documentation held by the National Archives and the selected entities relating to the Building Trust policy and management of information assets;
• analysis of the selected entities’ annual Check-up survey responses and of whole-of-government data held by the National Archives;
• analysis of relevant entities’ training records;
• meetings with relevant staff within the National Archives and the selected entities; and
• examination of relevant records management systems in the selected entities.

1.19 The audit was conducted in accordance with ANAO Auditing Standards at a cost to the ANAO of approximately $316,743.

1.20 The team members for this audit were Charterpoint, Sam Khaw and Corinne Horton.

2.1 This chapter assesses whether the National Archives established fit-for-purpose arrangements to deliver and support entities to deliver the Building Trust policy. Such arrangements include:

• internal arrangements to support implementation of the Building Trust policy;
• supporting entity compliance with the Building Trust policy; and
• effective monitoring, evaluation and reporting arrangements, including providing assurance on the accuracy of reported data on entity progress in their implementation of the Building Trust policy.

2.2 Auditor-General Report No. 11 2019–20 Implementation of the Digital Continuity 2020 Policy concluded that the National Archives had not developed an effective implementation strategy and had not maintained appropriate governance, oversight, and reporting requirements for the Digital Continuity 2020 policy.¹³

2.3 The report made five recommendations to the National Archives regarding the Digital Continuity 2020 policy and any successor policies addressing internal arrangements to administer the policy, risk management planning, stakeholder engagement and communication arrangements, monitoring and evaluation of policy implementation, and assuring quality of entity-reported data on progress.

2.4 This audit also examines the extent to which the National Archives implemented the recommendations of Auditor-General Report No. 11 2019–20 Implementation of the Digital Continuity 2020 Policy.

Has the National Archives of Australia established fit-for-purpose arrangements to support implementation of the Building Trust policy?

Implementation planning

2.5 The National Archives designed the implementation of the Building Trust policy as a project with three phases.

• Phase 1 from 2019 to 2020 — the design of the policy.
• Phase 2 from 2020 to 2021 — the finalisation and launch of the policy.
• Phase 3 from 2021 to 2025 — the implementation of the policy.

2.6 This audit focuses on Phase 3, which includes the ongoing implementation of the policy for the remainder of its life.

2.7 In December 2020, the National Archives established a Project Implementation Management Plan (Implementation Plan) for Phase 3 to:

guide effective delivery of the policy for the period it is formally in effect… and ensure the recommendations of the 2019 ANAO audit into the implementation of the Digital Continuity 2020 Policy (to 31 December 2020) are appropriately applied.

2.8 The Implementation Plan summarised the nine ‘key deliverables’ through which the project is to be carried out, timeframes, stakeholders, and the assigned roles and responsibilities.

2.9 The National Archives’ Program and Project Management Framework describes the National Archives’ approach to managing programs and projects. The Implementation Plan aligned with this guidance.

2.10 The ANAO assessed National Archives’ progress to December 2022 against the deliverables outlined within the Implementation Plan (see paragraph 2.8). The ANAO’s assessment is summarised in Table 2.1.

Table 2.1: The National Archives’ delivery against the implementation plan

Note Per the National Archives’ website, ‘GAIN or GAIN Australia is a national network supporting agency information and records managers in the Australian Government… membership of GAIN is restricted to Australian Government agency employees.’ From the National Archives of Australia, GAIN Australia [Internet], NAA, available from www.naa.gov.au/information-management/gain-australia [accessed on 2 May 2023].

Source: National Archives of Australia, Project Implementation Plan (Phase 3) and ANAO analysis of delivery at December 2022.

2.11 At December 2022, the National Archives had largely completed delivery against the implementation plan in a timely way, with the exception of the Policy review, which was delivered seven months later than originally planned.

Implementation oversight and reporting

2.12 In January 2021, the National Archives established internal project governance arrangements to oversee and guide its implementation of the Building Trust policy.

2.13 These governance arrangements included:

• a project board responsible for ‘high level oversight, guidance and direction’¹⁴;
• a project sponsor at Assistant Secretary level responsible for the approval of governance and public release schedules and documentation; and
• a project team responsible for undertaking actions for project implementation.

2.14 The relationship of these new bodies to each other and to the existing National Archives governance structure such as the National Archives’ Executive Board and Project Assurance Committee (PAC) is shown in Figure 2.1.

Figure 2.1: National Archives’ governance structure for the Building Trust policy

Note: Dark blue items are ongoing National Archives governance bodies, light blue are those established to guide implementation of the Building Trust policy.

Source: National Archives documents.

2.15 The new arrangements included a project reporting schedule consisting of:

• quarterly reports to the Project Board;
• bi-annual reports to the National Archives’ PAC;
• reporting to the National Archives’ Executive Board in January and June each year; and
• presentations as required to the National Archives’ Audit and Risk Committee (ARC).

2.16 The project governance reporting arrangements were generally implemented. There were quarterly reports made to the Project Board. Reporting to the PAC occurred until April 2021 when the PAC agreed the project became business-as-usual and did not need to report to it further. Reporting to the ARC was not required and did not occur. Reporting to the National Archives’ Executive Board was limited to a single report in 2022 as opposed to the bi-annual requirements set out in the project reporting schedule.

Implementation risk management

2.18 The National Archives’ Risk Management Framework and Policy (the risk framework) states that ‘Generally National Archives accepts medium level of risk for projects and activities which represent opportunities for better outcomes for us and our stakeholders’. It also states that where a risk is rated ‘High’, the National Archives should consider ‘suspending/ending activity OR implementing additional controls to manage or mitigate’, and that mitigation actions must be implemented with Executive Board approval.

2.19 In February 2021, after the release of the Building Trust policy, the National Archives established a risk management plan for the policy. The risk management plan outlines the roles and responsibilities for risk management for the project, the risk appetite for the project to accept moderate to high level risks, and the reporting of risks.

2.20 The risk management plan is supported by a risk register that summarises all project risks, assigns responsibilities for those risks, and describes risk treatments. The risk register is reviewed by the Project Board quarterly and updated as required. As at December 2022, the project risk register included 13 risks, four of which were identified as ‘high’. The four ‘high’ rated risks and the extent to which their treatment was consistent with the National Archives’ risk framework are set out in Table 2.2.

Table 2.2: The National Archives’ identification of high risks to the delivery of the Building Trust policy

Source: ANAO analysis of National Archives documents.

2.21 The risk register does not include a risk that entities’ reporting may be inaccurate. The importance and partial realisation of this risk is discussed at paragraph 2.103.

2.22 At the time of audit fieldwork in December 2022 the National Archives’ risk management arrangements for the implementation of the Building Trust policy were inconsistent with the broader National Archives’ risk management framework in three ways.

• The risk appetite in the Building Trust policy risk management plan was assessed as moderate to high (see paragraph 2.19). The National Archives’ risk management framework states the appetite for risk for projects and activities is medium.
• Two of four high risks in the risk register had no further treatments.
• Mitigation actions for high risks had not been submitted to the National Archives’ Executive Board for approval as required.

2.23 In April 2023, the National Archives reviewed and reassessed the risk register. All high risks were consolidated and either removed or downgraded to medium risk, due to the re-assessed likelihood or consequence.

Does the National Archives of Australia have effective arrangements to support entity compliance with the policy?

Stakeholder engagement

2.24 The National Archives provides guidance, tools and advice to support entities’ implementation of the policy, and to assess entities’ performance in managing information assets. Auditor-General Report No. 11 2019–20 Implementation of the Digital Continuity 2020 Policy found that the National Archives had no communication or stakeholder engagement strategy in place.¹⁵

Stakeholder engagement and communications planning

2.25 In August 2020, the National Archives developed a stakeholder engagement and communications plan for Phase 3 (the stakeholder plan). The purpose of the stakeholder plan is to ensure stakeholders are ‘aware of the policy, understand its requirements, and that agency stakeholders know how to access advice and support to enable its implementation’. The stakeholder plan describes each stakeholder’s interests, the National Archives’ desired engagement level, and engagement method.

2.26 The stakeholder plan identifies six primary stakeholder categories: internal National Archives policy stakeholders; project governance stakeholders; Australian Government agencies; stakeholders involved in external consultation and advice; professional associations; and the government and community.

2.27 The intended outcomes of the stakeholder plan include that Australian Government agencies:

• have a clear understanding of the policy requirements and targets;
• understand how to access tools and advice to assist them with their policy implementation;
• are confident the policy will help improve their business outcomes and drive best practice in their business through more effective digital information management; and
• managers recognise the value of digital information management to entity business and support the entity’s progress towards meeting the policy targets.

Delivery of engagement and communication activities

2.28 The plan sets out the proposed stakeholder communications activities, stakeholder group to be targeted, and the timeframes for activity. The extent to which the National Archives implemented the planned activities is set out in Table 2.3.

Table 2.3: Summary of implementation of the National Archives’ engagement activities

Source: ANAO analysis of National Archives documents.

Engagement with Chief Information Governance Officers and Chief Information Officers

2.29 Chief Information Governance Officers (CIGOs) and Chief Information Officers (CIOs) exercise leadership roles within agencies regarding information management. The stakeholder plan identifies CIGOs and CIOs as a primary stakeholder category and states that communication activities for CIGOs and CIOs are ‘to be determined’.

2.30 The activities in Table 2.3 included CIGOs and CIOs stakeholders such as:

• updates at GAIN forums and via monthly GAIN e-bulletins; and
• direct notifications from the National Archives to CIOs in January 2021, introducing and explaining the policy.

2.31 Much of the activity targeted at CIGOs and CIOs occurred prior to the launch of the Building Trust policy.

2.32 The National Archives largely delivered against planned communication and engagement activities with entities. There is no specific engagement strategy or focus on CIGOs or CIOs as identified in the stakeholder plan.

Measuring stakeholder engagement effectiveness

2.34 The stakeholder plan states that:

The effectiveness of stakeholder management and communications as outlined in this plan will be evaluated as part of regular project and risk assurance activities.

2.35 The Monitoring, Evaluation and Reporting Implementation Plan (MERIP) for the Building Trust policy (see paragraph 2.62) lists the following activities to evaluate or gather feedback on engagement-related activities, and overall entity awareness and views on the Building Trust policy:

• analyse data from the Agency Service Centre (ASC) such as number of enquiries, entity name, topic, and any direct policy link;
• harvest and analyse data about entity visits to the pages and products published on the National Archives’ website;
• conduct snapshot surveys of Agency Advisory Group (AAG) to obtain timely data on use of products released on webpages;
• obtain data from policy-related webpage visits;
• obtain data from ASC enquiries linked to the Building Trust policy;
• snapshot survey results, web sourced data, ASC enquiries are trending positively in last 12 months of policy;
• evaluate entity comments during meetings; and
• during the project, [whether] external entity access and download the resources through the National Archives website.

2.36 The Department of Finance’s Resource Management Guide No. 131 Developing good performance information indicates performance measures must relate to and align with the objectives of the entity or activities being monitored. Measures should address outputs, efficiency and effectiveness.¹⁶

2.37 The evaluation activities listed in the Building Trust policy MERIP are largely existing or planned sources of information to inform judgements about the performance of the stakeholder activities. There is no explicit link to the intended outcomes of the stakeholder plan (see paragraph 2.27). There are no performance indicators for assessing the achievement or implementation and impact of the stakeholder plan.

Check-up survey feedback

2.38 The 2022 Check-up survey (see paragraph 1.9) was sent to 170 entities, with 165 responding, resulting in a response rate of 97 per cent. Among other things the survey asked entities about their use of and views about the products and advice provided by the National Archives to assist them to implement the Building Trust policy. Of the 165 entities responding:

• one hundred and five (64 per cent) said they had used the products;
• fifty-five (33 per cent) provided feedback; and
• thirty-two (20 per cent) provided suggestions for new products or advice to support implementation of the policy.

2.39 The Check-up questions asked only for ‘free-text’ responses and did not provide a ranking or scale which would allow entities to provide ratings or analysis of the percentage of stakeholders that consider an activity is or activities are making a positive impact. Resource Management Guide No. 131 Developing good performance information states that a good performance measure will often have both quantitative and qualitative dimensions.¹⁷ The absence of rating scales in questions limits the ability to quantitatively benchmark and compare views across entities or portfolios, and over time. This also limits the ability to target engagement effort and messages to entities or sectors most at risk of not implementing the Building Trust policy.

Targeting engagement activities

2.41 Auditor-General Report No. 11 2019–20 Implementation of the Digital Continuity 2020 Policy found that the National Archives had no formal process to identify entities that were experiencing difficulties in implementing the policy and provide targeted assistance.

2.42 The September 2021 summary report provided to the minister¹⁸ on the 2021 Check-up survey results noted the ‘potential opportunities to target assistance and support to agencies with the most scope for improvement.’

2.43 The National Archives has identified groups or sectors of entities where information management maturity is relatively lower. For example, the public summary report on the 2020 Check-up survey found that ‘the lowest maturity scores were amongst agencies with cultural or heritage and smaller operational functions’. Conversely, entities with specialist, scientific or regulatory functions had the highest maturity scores on average.

2.44 The National Archives has a variety of information available that would assist it to target its engagement including:

• identifying low-scoring entities in the Check-up survey;
• analysing enquiries made to the National Archives for assistance or information;
• the volume and frequency of entity transfers of information to the National Archives; and
• Auditor-General reports.

2.45 These sources of information and how this information currently assists the National Archives in targeted activities are examined below.

Identifying low-scoring entities from Check-up data

2.46 The National Archives identifies entities reporting lower maturity in the annual Check-up survey. Following the 2021 Check-up survey, the National Archives identified and contacted 43 entities with low scores and offered to work with the entity to improve its information management maturity. Eleven entities responded in writing and there was additional engagement with a further three entities.

Analysing entity enquiries

2.47 Entities can seek assistance on information management from the National Archives via:

• the ‘Agency Service Centre’ (ASC) by email or online;
• attending or contacting online the Government Agencies Information Network (GAIN). GAIN is supported by the National Archives and is a national network for information and records managers in the Australian Government; or
• direct contact to National Archives staff.

2.48 ASC data could provide insights into the effectiveness of engagement-related activities and entity capabilities. During 2022, 11 reports were run on enquiries received during the previous month and reviewed by the section managing the system. The reports are run manually, and the frequency of reports depended on the availability of staff. Reports are made available to other staff on request and are located within the internal document management system. However, the reports were not routinely circulated to other parts of the National Archives, such as the team responsible for the Building Trust policy. There was no longitudinal analysis or summary prepared that might support and inform implementation of the Building Trust policy or identification of ‘at-risk’ entities.

2.49 Entity enquiries made directly to National Archives staff are not tracked or recorded in the central request management system (RefTracker). Such direct enquiries are required to be recorded in the National Archives’ internal document management system. RefTracker only includes around a third of all inquiries received by the National Archives. Information about interactions with entities is sourced from both systems when required.

Monitoring and analysing transfers by entities

2.50 In 2019, the National Archives identified that 41 out of 165 entities that responded to the Check-up survey had not transferred records to it within the previous 10 years. Such absence of records transfer is one indicator that an entity may require assistance to comply with its legislated obligations. There was no evidence of follow-up action taken in regard to the entities that had not transferred, such as the Australian National Maritime Museum (see Chapter 4).

Monitoring Auditor-General reports

2.51 The MERIP for the Building Trust policy states:

We will monitor the ANAO reports that relate to information management (records, information and data) and then we will evaluate if any follow-up action is required.

2.52 The National Archives provided examples of where it has followed up on Auditor-General reports and offered assistance to entities.

2.53 Several recent Auditor-General reports have highlighted gaps in entity record keeping practices.¹⁹ These gaps are identified in the context of a particular program or function being audited and do not specifically address the system — or entity-wide management of information assets as addressed in the Building Trust policy. Follow-up by the National Archives on Auditor-General report recommendations may therefore not inform the National Archives of broader, systemic information challenges in an entity.

2.54 The MERIP further states:

The National Archives cannot conduct official audits of agencies. We will rely on actions of the Australian National Audit Office (ANAO). The ANAO has the legislative authority to audit agency performance and compliance with record keeping standards and good practice and publicly report on findings and recommendations.

2.55 Under section 9 of the Archives Regulations, the National Archives has the ability to request information relating to Australian Government records in a Commonwealth institution’s custody. The Archives Regulations state that the institution must comply with such requests. The Check-up survey advises entities of this section and the powers it gives the National Archives.

2.56 National Archives advised that the Director‐General has not used or contemplated the use of the power set out in section 9 and there has not been a circumstance where it has had to formally invoke the use of section 9. There is no policy or guideline in place to guide the use of this power.

2.57 The National Archives has available a range of information sources regarding entities’ management of information assets and compliance with the Archives Act and has legislated powers to request information from entities. The National Archives has no formal process to collate and analyse these data to target support and engagement toward entities that are at most risk of not implementing the Building Trust policy.

Does the National Archives of Australia have effective monitoring, evaluation and reporting arrangements including providing assurance on the accuracy of reported data on entity progress?

2.60 Auditor-General Report No.11 2019–20 Implementation of the Digital Continuity 2020 Policy found that the National Archives did not design monitoring and evaluation arrangements appropriately and that the measures selected by the National Archives to assess performance in the roll-out of the policy required improvement.²⁰

2.61 The National Archives agreed to recommendations for the National Archives to improve monitoring and evaluation arrangements, including performance measures, and to undertake appropriate assurance of entity-reported data.

Monitoring and evaluation arrangements

National Archives’ approach to monitoring and evaluation of the Building Trust policy

2.62 The National Archives’ approach to monitoring, evaluating and reporting on the Building Trust policy is outlined in three documents:

• the Project Implementation Plan (see paragraph 2.7);
• the Monitoring, Evaluation and Reporting framework for the Building Trust policy (see paragraph 2.35); and
• a Monitoring, Evaluation and Reporting Implementation Plan (MERIP) for the Building Trust policy.

2.63 The relationship and purpose of these documents are shown in Figure 2.2.

Figure 2.2: Overview of National Archives documents related to the monitoring and evaluation of the policy

Source: ANAO reproduction of National Archives documents.

2.64 The MER framework was drafted in December 2020, prior to the Building Trust policy being issued.²¹ The MER framework was formally approved by the Assistant Director-General in June 2021 and updated four times from 2021 to 2022 to focus on the implementation phase and in response to internal feedback.

2.65 The MER framework states that the National Archives will ‘assume that agencies accurately report their progress and achievements in every Check-up survey’.

2.66 In an evaluation, ‘deliverables’ are tangible outputs over which management has direct control. The ‘deliverables’ defined in the MERIP are more properly considered as objectives.

Performance measures for implementation of the Building Trust policy

2.67 Section 27A of the Public Governance, Performance and Accountability Rule 2014 requires the accountable authority of an entity to measure and assess the performance of the entity in achieving its purposes.²²

2.68 The MERIP for the Building Trust policy lists performance measures for the implementation of the policy, including that:

• By 2024: 75 per cent of agencies [have] reported that they have implemented 9 or more policy actions as measured by Check-up surveys;
• By end of project 2026: 100 per cent of agencies [have] reported that they have implemented all policy actions as measured by Check-up surveys; and
• One hundred per cent of Check-up survey responses confirm the Building Trust policy is incorporated within agencies.

2.69 The MERIP was approved before the National Archives’ Corporate Plan 2022–23 to 2025–26 (Corporate Plan) was finalised. The Corporate Plan includes a planned performance measure: ‘Percentage of agencies who have implemented the requirements of the Building trust in the public record policy’. This measure is not included in the National Archives’ MERIP and the National Archives advised the alignment of the measures would be considered in developing the next Corporate Plan.

2.70 Appendix 3 contains the summary 2022 Check-up survey results for all entities.

Monitoring the transfer of ‘retain as national archives’ information assets to the National Archives

Building Trust policy requirements for the transfer of records to the National Archives

2.72 Action 14 of the Building Trust policy is a mandatory requirement for entities to transfer ‘retain as national archives’ information assets as soon as practicable, or within 15 years of creation, to the care of the National Archives. This mandatory action reiterates section 27 of the Archives Act under which Australian Government entities are required to transfer selected information and records with ongoing archival value, known as ‘Retain as national archives (RNA)’, to the National Archives for preservation and access. The Act requires that this transfer is to be done as soon as practicable, or within 15 years of the record coming into existence.

2.73 RNA records are categories of records that have been identified in a records authority²³ and are no longer used on a regular basis.

2.74 The ANAO examined the arrangements in place to monitor progress with Action 14 as:

• the transfer of RNA records is a legislative requirement²⁴;
• analysis of previous Check-up surveys conducted by the survey provider, ORIMA, identified disposal of records (including sentencing and transfer of information assets to the National Archives) as an area for considerable scope for improvement, with 34 per cent of entities recording inadequate maturity in this area; and
• the mandatory Action 14 was therefore included in the Building Trust policy to address this low maturity.

2.75 Before a record can be transferred, entities must first appraise the record against the relevant records authority to decide if it should be transferred or destroyed. This process is known as ‘sentencing’.

2.76 Check-up survey data indicates a rapid increase in digital information and records held in entities awaiting sentencing, known as the ‘digital deluge’. Although the quality and consistency of the data collected has varied over time, the National Archives advised that:

• the volume of digital records held by entities has grown on average by 328 per cent a year, from 51 Terabytes in 2013, to over 314,000 Terabytes in 2022; and
• the proportion of records held by entities reported as ‘unsentenced’ rose from 69 percent in 2019 to around 93 per cent in 2022.

2.77 Over time, this trend may represent a risk to the comprehensiveness of the National Archives. The National Archives’ risk register does not identify a risk for the lack of sentencing of records by entities.

2.78 In 2019, the Australian Government commissioned a Functional and Efficiency Review of the National Archives led by former Department of Finance Secretary Mr David Tune. The report (Tune Review) provided to the Attorney-General in January 2020 noted that:

About 6.4PBs (petabytes) of born-digital records (created as digital records) are currently awaiting transfer to the National Archives from agencies. The National Archives holds nearly 2PBs of digital data currently. The volume of born-digital archival records is expected to grow to about 27PB by 2027. This does not include the large amount of deteriorating paper records requiring digitisation.²⁵

2.79 In February 2022, the National Archives commenced several projects, funded as part of the Australian Government’s response to the Tune Review²⁶ to improve entity engagement regarding the management of digital information and the National Archives’ ability to receive security classified information (see paragraph 3.50). The implementation of these projects is on-going as part of a broader ‘Defend the Past, Protect the Future’ program of work to implement the funded recommendations of the Tune Review.

Measuring the effectiveness of the Building Trust policy in regard to transfers

2.80 The MERIP for the Building Trust policy includes an action for the National Archives to ensure the regular sentencing and transfer of significant records to the National Archives. No specific guidance on the monitoring of transfers other than this action is included within National Archives’ MER framework.

2.81 No performance measure was developed to monitor entity compliance with the transfer requirement. The National Archives advised it was waiting on results of the 2022 Check-up survey which became available in February 2023 before developing such a measure.

2.82 As noted at paragraph 2.50, in 2019, in the context of machinery of government changes, the National Archives identified 41 entities that had not transferred any records to it between 2009 and 2019. The National Archives subsequently contacted 10 of these entities, mainly research and development corporations and Indigenous bodies, offering assistance. It is unclear how many of these entities subsequently transferred records. In May 2023 the National Archives advised that:

Although the transfer process has commenced these agencies are still in the process of sentencing and preparing records for transfer and transfers are still pending. Engagement is ongoing and involves multiple business areas within the archives. This may include establishing section 64 arrangements, managing complex digital transfers, sentencing advice and updates of Records Authorities to facilitate transfer.

2.83 The Australian National Maritime Museum (discussed in Chapter 4) was identified as one entity that had not transferred any records within 10 years and was not followed up by the National Archives.

2.84 The 2022 Check-up survey asked entities questions relating to the transfer of RNA records to the National Archives within the last 12 months. Notable responses were that:

• less than half (71 or 43.03 per cent) of entities stated they had attempted to transfer ‘retain as national archives’ information assets; and
• the majority (153 or 92.73 per cent) of entities stated they knew how to get on to the National Archives’ transfer plan, and 11 entities (or 6.67 per cent) did not. One entity (0.61 per cent) did not respond to this question.

2.85 When asked about the extent to which their entity transferred RNA information assets consistent with the requirements of the Archives Act, more than half of responding entities indicated that in the last 12 months they ‘never/rarely’ do (see Figure 2.3). This suggests a large number of entities may not be complying with the requirements of the Archives Act.

Figure 2.3: Entity responses on the extent to which they transfer RNA information assets consistent with s.27 of the Archives Act

Source: ANAO analysis of 2022 Check-up survey data.

2.86 The National Archives has no process to engage and follow up entities that are not transferring RNA records in accordance with the requirements of the Archives Act and the actions and requirements of the Building Trust policy. There is a risk that RNA records may be inadvertently destroyed, corrupted or lost in the absence of actions on the part of entities, with the support of the National Archives.

2.87 The Check-up survey provides useful information for both the National Archives and entities to monitor progress of implementation of the Building Trust policy. Survey results may also assist entities to understand their progress compared to other entities and enable them to identify areas requiring further action.

Assurance on the quality of data provided by entities

2.90 As noted at paragraph 2.65, the National Archives relies on accountable authorities reporting accurately in their annual Check-up survey response. The two methods used by the National Archives to support accurate responses to the 2022 Check-up survey are:

• authorisation by the recognised Agency Head; and
• validation of data by the service provider (ORIMA) conducting the survey on its behalf.

2.91 The 2020 Check-up survey advised entities that:

Under Archives Regulations 2018, the National Archives may make arrangements with individual agencies to validate their survey responses.

2.92 In February 2021, the National Archives conducted an internal audit of the implementation of the Auditor-General Report No. 11 2019–20 Implementation of the Digital Continuity 2020 Policy recommendations. The internal audit report found that the National Archives was yet to formally document the assurance regime over entity responses and recommended this to be done. The internal audit report recommended that the National Archives:

consider other mechanisms that could be used to strengthen assurance processes and evidence requirements, such as spot check audits of agency responses to substantiate and validate reported data and reported information.

2.93 The management response to this recommendation was that:

Options for strengthening quality assurance in future surveys will be considered as part of the work to be done in preparation for the first of the surveys for the Building trust in the public record policy.

2.94 The National Archives has not made any changes to further validate entity responses subsequent to agreeing to the previous ANAO recommendation.

2.95 The internal audit recommendation and the recommendation from the 2019–20 Auditor-General report were accepted for closure by the National Archives’ ARC in March 2023. In support of closing the recommendation, the National Archives stated, ‘The quality assurance regime, as before, is the sign off mechanism for individual agencies’ submission’.

Agency head authorisation

2.96 In its response to the JCPAA Report No. 492: Governance in the Stewardship of Public Resources recommendation (see Appendix 4), the National Archives stated:

The survey submission can only be approved by the Agency Head before it is submitted to National Archives. No submission is possible without such authorisation, unless otherwise agreed by National Archives where extenuating circumstances exist preventing the Agency Head from completing this function.

2.97 For the 2022 Check-up survey, there were six entities approved by the National Archives to submit data without agency head authorisation. These were the:

• Australian Communications and Media Authority, approved in 2022;
• Office of the Australian Information Commissioner, approved in 2022;
• Great Barrier Reef Marine Park Authority, approved in 2022;
• Australian Taxation Office, approved in 2019;
• Australian War Memorial, approved in 2019; and
• Department of the Prime Minister and Cabinet, approved in 2019.

2.98 The National Archives had no records regarding the three ‘standing’ approvals that had been in place since 2019. The National Archives had recorded reasons for the three approvals granted in 2022.

Validation of survey data

2.99 The second process for assuring the accuracy of data is validation of the reasonableness of entity Check-up data by the service provider conducting the survey. The service provider is tasked with identifying:

• very large changes in record volumes between surveys (where the increase between years is more than 1,000 percent or a fall of more than 95 per cent threshold); and
• inconsistencies between record volume answers provided in different questions of the survey.

2.100 The use of a 95 per cent threshold resulted in 17 entities being identified for follow-up. Entities whose reporting shows significant, but less than 95 per cent changes were accepted. For example, in the Department of the Prime Minister and Cabinet, the decline in the reported volume of data between the survey responses from 2020 to 2022 was 88.98 per cent (see Chapter 3). Accordingly, no follow-up action was triggered as the change was below the 95 per cent threshold.

2.101 The ANAO analysed 2022 Check-up survey responses and found that, compared to data reported in the previous 2020 Check-up:

• Forty-two entities (25 per cent) of entities responding, reported an increase in data volumes of 50 per cent or more; and
• Thirty-eight entities (23 per cent) of entities responding, reported a decrease in data volumes of 50 per cent or more.

2.102 As noted in Chapters 3 and 4, there were errors in the submitted Check-up survey responses submitted by the two entities subject to this audit. The errors related to:

• use of National Archives guidance;
• reported status of key information governance documents;
• reported volumes of digital assets; and
• extent to which information management was supported by a risk management plan.

2.103 The extent of these undetected or unaddressed quantitative and qualitative errors reduces the reliability of the assumption of accuracy of entity data and increase the risk of inaccurate reporting to stakeholders, including entities and relevant ministers.

3.1 PM&C’s primary role is to serve the Prime Minister, support the Cabinet and work across the Australian Public Service to ensure the Government’s programs, policies and priorities are delivered to the highest possible standard.²⁷ Major types of information assets held include:

• unstructured information documenting correspondence, advice, planning activities, policies and procedures;
• structured information in business systems and databases (including human resources, transaction and workflow data); and
• social media and audio-visual data.

3.2 The Building Trust policy requires that entities:

• manage information assets strategically with appropriate governance and reporting;
• implement fit-for-purpose information management processes, practices and systems; and
• assess their information management capability annually and report on this to the National Archives.²⁸

3.3 In 2019, PM&C conducted an internal audit on records management and records keeping. The internal audit report made six recommendations related to: governance arrangements for information management; staff training on records and information management; the use and capabilities of the main document management system (ShareHub); and departmental policies and procedures on records management and record keeping. The PM&C Audit and Risk Committee (ARC) endorsed the closure of all recommendations between March 2019 and December 2021.

Does the Department of the Prime Minister and Cabinet manage information assets with appropriate governance and reporting?

3.4 The Building Trust policy states that entities will ‘Manage information assets strategically with appropriate governance and reporting to meet current and future needs of government and community’.²⁹ The Building Trust policy sets out recommended elements and actions to be undertaken by entities, including:

• an enterprise-wide, strategic approach to managing information assets which includes the conduct of a strategic assessment of current and future needs for information, a plan for how to manage information to meet those needs³⁰ and an information governance framework³¹;
• up-to-date governance arrangements covering all information assets³² and an information assets register³³; and
• staff with the necessary skills and knowledge to manage information according to its value.³⁴

Enterprise-wide strategic management of information assets

Role of the Chief Information Governance Officer (CIGO)

3.5 The National Archives defines the role of the CIGO as being to establish and maintain an enterprise-wide culture for an accountable and business-focused information management environment. Within a medium sized entity, redesigning an existing position such as the Chief Information Officer (CIO) may be appropriate.³⁵

3.6 PM&C has a Chief Information Officer (CIO) who manages the department’s Information Services Branch (ISB). In this capacity, the position manages teams responsible for information and information and communications technology (ICT) functions including:

• applications and information systems (which includes an Information Management team, and a Records Management Unit);
• whole-of-government systems developed by PM&C;
• shared services application development;
• ICT procurement, engagement and governance;
• operations, projects and services delivery; and
• cyber security.

3.7 The role of the CIGO is referred to in information management-related documents and policies, including in the department’s Information Management Policy and Normal Administrative Practice (NAP) Policy. The CIO job description does not include the CIGO role or specify specific information management responsibilities.

Information governance committees and reporting

3.8 Between February 2022 and March 2023, PM&C had two committees responsible for information technology management. Neither committee’s terms of reference included responsibilities for information management and related issues. However, the committees did consider information management-related matters in the context of specific information technology (IT) projects.

3.9 In April 2023, PM&C established an ICT Programme Management Office Programme Board (IPMB), chaired by the CIO. The terms of reference of the IPMB include that it ‘Monitors progress towards Building Trust policy, and future policy targets’. At its first meeting in April 2023, the IPMB considered information management-related topics such as the department’s information management strategy and related risks.

Enterprise-wide frameworks, strategies and policies

3.10 PM&C has two documents addressing the enterprise-wide management of the department’s information assets:

• an Information Governance Framework (drafted in 2018 and approved in May 2023); and
• an Information Management Strategy (in draft since 2019).

3.11 In January 2023, PM&C advised the ANAO that the delay in finalising these documents was due to other priorities and pressures, including disruption from the COVID-19 pandemic and the change of government. In May 2023, the Information Governance Framework was endorsed as part of a wider review of ICT arrangements. The Information Management Strategy was ‘being socialised throughout the department’.

3.12 The Building Trust policy recommends ‘A strategic assessment of current and future needs for information, and a plan for how to manage information to meet those needs, should be documented and reported to senior management’. PM&C has not conducted such an assessment.

3.13 The Building Trust policy also recommends ‘Agencies identify information assets and register them where there is business value in doing so.’³⁶ Such registers include details of asset owners, security controls, usage access and release provisions as well as risk to the assets.

3.14 In April 2023, PM&C advised that:

The Strategic Assessment and Information Asset register are not mandatory obligations under the BT policy.

To date, PM&C has not identified business value in developing an enterprise wide asset register — however work has commenced within the Information Services Branch to develop an Information asset register. The Asset Register will be developed in line with the National Archives of Australia guidance under the Building Trust in the Public Record Policy and the Information Asset Register template. It is anticipated this will be completed over the next 18 months.

Policies and procedures

3.16 The PM&C Information Management Policy (IM Policy) outlines the department’s ‘position regarding the handling and management of all information assets.’ The IM Policy defines official information as:

any information in any format that: demonstrates or is integral to the conduct of the business of PM&C; supports the decision making process; details who made a decision and when it was made; is required by law (including regulations) to be kept; or has significant historical interest to the community.

3.17 The IM Policy applies to:

all PM&C staff, consultants, contractors and all aspects of PM&C’s business operations, and includes any outsourced and other PM&C portfolio bodies with additional responsibilities according to their specific roles. It also applies to all PM&C business functions, capabilities or systems where information is created, captured, controlled, secured, managed, stored, preserved, destroyed or transferred.

3.18 The IM Policy outlines the responsibilities of PM&C personnel, storage, control and security of information, and the deletion of information, and was up to date and consistent with National Archives guidance.

3.19 PM&C has other policies relating to information management, such as:

• File Titling Guidelines, updated January 2023;
• Retention and Destruction of Original Records, updated on 22 March 2022;
• Administrative Functions Disposal Authority updated in March 2010;
• Normal Administrative Practice Policy, updated January 2023;
• a General Records Authority, AFDA Express, updated in March 2010; and
• a Working with Records Procedure, updated in March 2014.

3.20 These policies and procedures were available on the PM&C intranet. The Working with Records Procedure was dated March 2014 and did not reflect current PM&C procedures and management arrangements. An updated version of the Working with Records Procedure was approved in May 2023 (see Appendix 2).

Risk management of information assets

3.21 The National Archives notes that an important part of information governance is to identify the major risks to information and data assets held by an entity in the context of the entity’s overall risk management framework, and to include these risks in an information governance risk register.³⁷

3.22 PM&C’s departmental Risk Management Policy and Framework considers information management, stating that ‘all PM&C managers … must be satisfied that their decisions: … are well documented and that records are maintained.’

3.23 The Information Services Branch Strategic Risk Register includes risks specific to information management and record keeping, covering availability of information and the ICT environment. In April 2023, PM&C advised that all risks are regularly reported to the Executive, as well as other project specific boards to ensure risks are identified and addressed in accordance with the PM&C risk management processes. The PM&C ARC considered risks to electronic records compliance on three occasions between September 2022 and March 2023.

3.24 The risks identified at the branch level address IT-related risks such as insufficient information security requirements or lack of understanding of the PM&C IT environment. There were no information management legislative compliance risks such as that the department may not keep or dispose of records consistent with the Archives Act 1983 (Archives Act).

Appropriately skilled staff

3.25 The Building Trust policy identifies as a sign of success in establishing a robust information governance framework that:

Staff have the necessary skills and knowledge to manage information according to its value as a business and community asset.

3.26 PM&C has an annual Mandatory Training Program with modules that all staff must complete. This program previously included a module on information management, however following a refresh of the program the information management module was removed in September 2022. The module is now only required via the induction program for new staff.

3.27 As shown in Figure 3.1, the number of staff completing the training module has fallen from 459 in 2021–22 (or around 40 per month) to 30 in the six months since the module was removed from the Mandatory Training Program (or around five per month). The department advised that approximately 445 new staff commenced employment during the six-month period between October 2022 and March 2023. The module was created in 2019 and has not been updated.

Figure 3.1: Number of completions for the PM&C information management training module: 2021–22 to 2022–23

Source: ANAO analysis of PM&C data.

Has the Department of the Prime Minister and Cabinet established fit-for-purpose information management processes, practices and systems?

3.30 The Building Trust policy states that entities:

• must manage all digital information assets, created from 1 January 2016, digitally; and
• should implement strategies, including storage and preservation strategies, for the management of all information assets.³⁸

Managing assets digitally

PM&C policy on managing digitally

3.31 The PM&C IM Policy states that:

• PM&C seeks to ‘promote digital proficiency through the use of electronic document management for our official information’; and
• ‘PM&C’s default position is that all information is managed electronically, in line with the Building Trust in the Public Record policy’.

3.32 The Policy requires that any records classified as confidential, Secret and Top Secret must be retained in hard-copy form. This is because ‘there are currently no electronic [information management] systems available within PM&C to manage material classified above Protected.’ In May 2023, PM&C advised that: it created very few Secret or Top Secret files, it does access classified material held on other whole-of-government systems that PM&C does not manage, and that Cabinet records are managed separately to departmental files.

Use of endorsed record keeping systems including ShareHub

3.33 National Archives guidance suggests entities clearly identify which locations are endorsed for holding information and that corporate information assets must not be maintained in email folders, shared folders, personal drives or external storage media. PM&C’s 2019 internal audit found that ‘The take-up of ShareHub as the primary records keeping system in the Department was not effective and share drives were still being extensively used for document creation and storage.’

3.34 The current PM&C IM Policy states that:

• ‘Official information must not be maintained in shared drive folders, email mailboxes, archive folders, personal OneDrive locations, or MyWorkSpace sites. These electronic storage facilities do not contain the control functionality necessary to ensure that official information will be maintained in accordance with legislative requirements.’;
• ‘All of PM&C’s official information must be captured in an endorsed location’; and
• ‘ShareHub is PM&C’s primary productivity tool and the primary system for the management of official information classified up to Protected.’

3.35 The PM&C online training module states that ‘Records must not be kept on shared, personal or USB drives or in Outlook folders’.

3.36 Shared drives are still in use within the department. In March 2023, PM&C advised that it had taken a number of measures to control the use of shared drives and ensure staff held records only on endorsed systems such as ShareHub. The measures taken included:

• improving the integration of Outlook and ShareHub;
• limiting the number of staff able to store files that are not compatible with ShareHub, are too large to store or require a separate method for storing files; and
• monitoring usage and managing shared drives with appropriate audit compliance.

3.37 The ANAO sought to confirm the effectiveness of these measures to reduce inappropriate use of shared drives. Data available from PM&C was insufficient to confirm if a reduction in use had occurred.

Live Briefing System

3.38 The Building Trust policy and the National Archives recommend entities assess the records management implications of new systems before implementation.³⁹ In 2018, the National Archives issued a ‘Business System Assessment Framework’ (BSAF) to guide entities in conducting such an assessment.⁴⁰ The framework is based on relevant ISO standards first developed in 2010.

3.39 In 2017, prior to the National Archives issuing the BSAF, PM&C created a ‘Live Briefing System’ (LBS) to facilitate collaboration between PM&C and the Prime Minister’s Office (PMO).⁴¹ The LBS was designed to improve the quality, relevance and timeliness of advice provided to the Prime Minister on key policies. The LBS interface allows briefs to be edited and commented upon by multiple authors in real time. Through the LBS interface, officers can subscribe to a notification functionality, which allows for the PMO and PM&C to have real-time discussions to facilitate ‘live’ development of the brief. The LBS is an endorsed record keeping system within PM&C.

3.40 The LBS was examined to assess whether the department had taken record keeping considerations into account in its design and continued development. The LBS was chosen as it is:

• a relatively recent system;
• aligned with the ‘digital first’ approach in PM&C; and
• holds records of archival significance.

3.41 The project brief for the LBS stated that in regard to ‘Information capability’ the initiative ‘will improve information practices by centralising the communication within the system, rather than relying on unmanaged emails’.

3.42 There was no statement regarding how the LBS would affect the ‘Compliance and Assurance’ capability of PM&C, such as considering how archival requirements would be included in the LBS. During development of the system there was no formal assessment of the implications of the system for record keeping. PM&C held general discussions with the National Archives at the time it was developed, however these did not address detailed implementation.

3.43 In March 2023, PM&C advised that there were a large number of documents created in the LBS that would not be filed in ShareHub, resulting in the LBS being the ‘single source of truth’.

3.44 In April 2023, PM&C advised that LBS operates entirely within PM&C managed environments and inherits the security controls and processes standard for those environments. The system was assessed by the PM&C IT Security Adviser office in January 2020 and was given certification and accreditation to go into Production in accordance with the Cyber Security risk management processes.

3.45 In response to ANAO queries, in April 2023 PM&C advised it would commence a review of the LBS during 2023 to assess it against the BSAF and make any changes required and that the BSAF would be applied, where appropriate, to future IT builds.

Disposal and transfer of information to the National Archives

3.46 Under section 27 of the Archives Act, Australian Government entities are required to transfer selected information and records with ongoing archival value, known as ‘Retain as national archives’ (RNA), to the National Archives for preservation and access. This is required by the Archives Act to be done as soon as practicable, or within 15 years of the record coming into existence. Action 14 of the Building Trust policy includes this as a mandatory obligation.

3.47 Such transfers rely on the entity ‘sentencing’⁴² records in a timely, efficient way. The 2019 internal audit (see paragraph 3.3) identified that PM&C’s principal records management system (ShareHub) lacked sentencing capabilities.

3.48 The 2019 internal audit recommended PM&C:

Investigate and implement sentencing capabilities within ShareHub to allow the input of retention information to ensure that records can be appropriately sentenced and destroyed legally in line with the relevant legislation and regulations.

3.49 In January 2023, PM&C implemented a new record keeping solution, ‘R365’. As at April 2023 over 430,000 ShareHub records and files had been ingested into R365 and 200,000 of these had been sentenced using the system. Approximately 2.6 million records are currently held in ShareHub which are planned to be progressively ingested and sentenced during 2023.

3.50 Partly due to its inability to sentence ShareHub records, PM&C has transferred only one digital asset to the National Archives since 2019. PM&C considers the lack of transfers is mainly due to National Archives using an unclassified network to manage the transfers and as a result only unclassified files being available for transfer; and that a transfer ‘freeze’ was in place. Nine instances of paper files and one of ‘3 Dimensional records’ have also been transferred from PM&C to the National Archives over this time period.

3.51 In May 2023, the National Archives advised that:

There is no single Protected/Secret government network that allows online seamless transfers between agencies, and it is not National Archives’ role to implement a Protected/Secret government transfer solution. National Archives is currently working on a more streamlined solution for official:sensitive but for higher classifications, National Archives will have to work with each agency on how to enable transfers. This matter is complex and will require separate solutions depending on the agency. Resourcing investment from Government will be required to develop these solutions.

Does the Department of the Prime Minister and Cabinet accurately report externally on its progress in implementing the policy?

PM&C’s 2022 Check-up response

Check-up response approval and submission

3.52 The National Archives requires, unless otherwise agreed with the National Archives, that Check-up responses to be authorised by the relevant agency head ‘as assurance that the survey has been completed accurately and accountably by the agency in accordance with governance responsibilities, including the Public Governance Performance and Accountability Act 2013’. This is the National Archives’ fundamental assurance method for the survey (see paragraph 2.90).

3.53 In 2019, the National Archives agreed that PM&C response could be approved by an officer other than the Secretary. In November 2022, the National Archives agreed to a further PM&C request that the response be approved by the PM&C CIO.

3.54 There was no evidence that the current Secretary of PM&C had delegated the responsibility to the CIO.

Accuracy of the Check-up response

3.55 The ANAO found three errors in PM&C’s 2022 Check-up response relating to the responsibilities of the CIGO, use of National Archives products, and the volume of digital assets held. ANAO analysis of these errors is summarised in Table 3.1.

Table 3.1: Errors or inconsistencies identified in the PM&C 2022 Check-up response

Source: PM&C response to the 2022 Check-up Survey and ANAO analysis of PM&C activities.

3.56 The ANAO analysed PM&C’s reported volumes of digital assets from 2019 to 2022 and found the reported volumes rose sharply from 2019 to 2021, then fell sharply in 2022 to a level lower than 2019 (see Figure 3.2).

Figure 3.2: PM&C reported volumes of digital assets

Source: PM&C Check-up survey responses.

3.57 In April 2023, PM&C advised that these variations in the reported volume of digital assets were due to its inconsistent approach to measuring the volume of data held across the three surveys. These inconsistencies between surveys, along with the other errors in PM&C’s 2022 Check-up response noted in Table 3.1 suggests that the quality assurance processes for PM&C’s Check-up survey response require strengthening.

4.1 The ANMM is Australia’s national centre for maritime collections, exhibitions, research and archaeology. Its purpose is to ‘collect and share unique stories about people, objects and events to engage, educate and inspire Australians about our nation’s relationship with the sea’.⁴³ At 30 June 2022, it held nearly 159,000 items in its collection and held over $264 million in total non-financial assets including the collection, buildings, land and infrastructure.⁴⁴ The ANMM creates, uses, handles, stores, shares and disposes of information in the course of performing its functions.

4.2 The Building Trust policy requires that entities:

• manage information assets strategically with appropriate governance and internal reporting;
• implement fit-for-purpose information management processes, practices, and systems; and
• assess their information management capability annually and report on this to the National Archives.⁴⁵

Does the Australian National Maritime Museum manage information assets with appropriate governance and reporting?

4.3 The Building Trust policy states that entities will ‘Manage information assets strategically with appropriate governance and reporting to meet current and future needs of government and community’.⁴⁶ The Building Trust policy sets out recommended elements and actions to be undertaken by entities, including:

• an enterprise-wide, strategic approach to managing information assets which includes the conduct of a strategic assessment of current and future needs for information, a plan for how to manage information to meet those needs⁴⁷ and an information governance framework⁴⁸;
• up-to-date governance arrangements covering all information assets⁴⁹ and an information assets register⁵⁰; and
• staff with the necessary skills and knowledge to manage information according to its value.⁵¹

Enterprise-wide strategic management of information assets

4.4 A number of mechanisms recommended by the Building Trust policy that would support an enterprise-wide, strategic approach to managing information assets are absent, including:

• an information governance framework or strategy;
• a documented strategic assessment of information needs;
• an information governance committee or similar mechanism; and
• a Chief Information Governance Officer (CIGO) or similar role.

4.5 Records and information are governed separately from data in the ANMM. Data is managed by the information and communications technology (ICT) team and the team responsible for the registration of all items entering the collection. Records management is a responsibility of one member of the governance team, along with other responsibilities.

4.6 The ANMM does not have an enterprise-wide, strategic approach to managing information assets as recommended by the Building Trust policy.

Policies and procedures

4.7 The ANMM has an Information Management Policy (IM policy) dated 2019. The IM policy addresses issues including:

• creating, maintaining and storing information, and states that ‘Corporate information must not be maintained in email folders, shared folders, personal drives or external storage media’;
• retention or destruction of information;
• transfer of information to the National Archives; and
• reference to the ANMM’s normal administrative practice and records authority.

4.8 The IM policy states that ‘When information of archival value is no longer being actively used, the Museum may transfer it to the National Archives’. This statement is not consistent with the provisions of the Archives Act which states that this to be done as soon as practicable, or within 15 years of the record coming into existence. Action 14 of the Building Trust policy reiterates this as a mandatory obligation (see paragraph 4.44).

4.9 An update of the IM policy commenced in November 2022 and as at April 2023 has not been finalised.

4.10 The ANMM has a draft document developed in 2022 titled ‘Data management protocols and guidelines’ addressing topics including:

• data governance;
• ensuring data quality;
• planning for the life of the data;
• data continuity: maintaining ongoing data; and
• data retention.

4.11 The purpose of this protocol is not clear.

4.12 The ANMM has a policy regarding disposal of source records that have been digitised and placed in ELO (the ANMM’s document management system).

4.13 Other policies listed on the ANMM’s intranet and marked as draft or not accessible via the relevant hyperlinks included:

• ICT Governance — Terms of Reference (2022);
• ICT Information Management Policy (2018); and
• ICT Information Classification and Handling Policy (2017).

Governance of information assets

4.14 The ANMM holds records in the following systems, constituting its major information assets:

• The Museum System (TMS) — a collection management system cataloguing and documenting the ANMM’s collection (an endorsed record keeping system)⁵²;
• An electronic document management system (ELO) — used for holding administrative records and information such as emails relevant to collection management (an endorsed record keeping system);
• Microsoft Outlook (not endorsed); and
• shared network folders holding a mixture of record types (not endorsed, see paragraph 4.7).

4.15 This audit focused on the collection management system (TMS) and the electronic records management system (ELO) as the two endorsed systems for records management in the ANMM and its most important information assets.

4.16 TMS is the responsibility of the registration team within the ANMM. ELO has no formally designated owner but is administered by the governance team.

4.17 As at March 2023, no ANMM staff had access to the service provider support portal (system help desk) for ELO. This limits the ANMM’s ability to manage the system without contacting the provider; plan improvements; and ensure appropriate access and system controls are in place.

4.18 The two databases each include information relevant to the management of the collection. Changes to one system may have implications for the other. Their separate management limits opportunities to integrate and coordinate the management of records in the ANMM and risks duplication of effort or gaps in document management.

4.19 The Building Trust policy recommends ‘Agencies identify information assets and register them where there is business value in doing so’.⁵³ The National Archives has developed templates for entities to use when developing such registers, including a ‘streamlined’ template for a basic register suitable for small entities. The ANMM does not have such a register and advised that it considers one would be of little business value given that ANMM is a small organisation, with only a small number of information assets and has had to prioritise activities within its available resources to ensure that core functions are adequately resourced.

Risk management of information assets

4.20 The National Archives notes that an important part of information governance is to identify the major risks to information and data assets held by an entity in the context of the entity’s overall risk management framework, and to include these risks in an information governance risk register.⁵⁴

4.21 The ANMM’s risk management policy and framework states that the ANMM has ‘a low-risk appetite related to security risks [and] information management’ and identifies ‘Information systems & security’ as a risk category. The ANMM’s risk register addresses only technology-related risks and does not include any specific information management risks, such as of not complying with the Archives Act (see paragraph 4.44).

Appropriately skilled staff

4.22 The Building Trust policy identifies as a sign of success in establishing a robust information governance framework that:

Staff have the necessary skills and knowledge to manage information according to its value as a business and community asset. Plans are in place to address capability gaps, in particular for staff with specialist information management roles.⁵⁵

4.23 The ANMM requires new staff to complete the APS Academy online training for the induction of APS staff. This induction training is hosted on the APS Learn platform and includes a module on Information Management. The module includes important concepts and principles regarding information management and the role of the Archives Act.

4.24 It is the responsibility of managers to monitor staff completion of the modules and their completion is not tracked by the ANMM’s HR staff. In the absence of data available from the ANMM, the ANAO requested completion data from the owner of the APS Learn platform. Data from APS Learn indicates that in 2021–22, 14 ANMM staff commenced the module and five completed it. Over the same period the ANMM had 32 new starters. The overall completion rate (the number actually completing the module as a proportion of those who should have completed it) was 15.6 per cent.

4.25 The APS Academy module does not address the use of specific information management systems or practices in the ANMM.

Has the Australian National Maritime Museum established fit-for-purpose information management processes, practices and systems?

4.28 The Building Trust policy states that entities:

• must manage all digital information assets, created from 1 January 2016, digitally; and
• should implement strategies, including storage and preservation strategies, for the management of all information assets.⁵⁶

4.29 The ANMM’s 2019 IM policy does not state that all digital information should be managed digitally. The IM policy states that ‘Information should be maintained in a digital format wherever possible’. A procedure titled ‘Disposal of source records that have been digitised and placed in ELO’ states that ‘These procedures represent our continuing adherence to the National Archives’ Digital Transition Policy, which requires government agencies to move to electronic record keeping and reduce physical stores.’ The Digital Transition Policy was superseded in 2014.

ANMM’s collection management system

4.30 Collection management systems are databases which contain records about the collections and will often be the entity’s most important digital asset. A report by the Victorian Auditor-General noted that:

The initial documentation and recording of information about newly acquired items is a key step in managing a cultural collection. Recording comprehensive information on acquisition enables proper management of items over their life cycle in the collection.⁵⁷

4.31 The ANMM uses TMS as its collection management system. The ANMM requires that TMS be used for all phases of the management of items in the ANMM’s collection, from first consideration of acquisition, decision-making and reporting, and de-accessioning.

4.32 TMS has a number of areas of sound practice, including that:

• the system is off-the-shelf, which is appropriate for an organisation of ANMM’s size;
• a support agreement is in place with the provider to provide additional guidance and assistance to ANMM staff if needed;
• administrative access to the system is controlled and limited to a small number of ANMM staff;
• the valuations of assets in TMS are updated every five years as required by accounting standards;
• the team managing TMS has extensive knowledge of the system and train new staff in its use;
• there are a range of guides and manuals available to support ANMM staff in use of the system as well as templates that support consistent data entry; and
• audit trails and access logs are kept.

4.33 There are areas for further improvement in TMS, particularly in regard to minimising the risk of inappropriate access, multiple logins and deletion or modification of records.

ANMM’s document management system

4.35 ELO, the ANMM’s document management system, is an off-the-shelf system with sentencing, searching and organising capabilities.

4.36 The ANMM has not updated ELO since 2018. The ANMM acknowledges that the version of ELO currently in use is outdated and is planning to progressively upgrade to a new version.

4.37 There is currently no centre of expertise or advice on the use of ELO within the ANMM and the availability of records management expertise and support to staff in using ELO has varied over time. In 2019, following the departure of its records manager, the ANMM established an internal network of ELO ‘super users’. The purpose of the network was to provide administrative support, such as the creation of new folders or changes to the structure of ELO.

4.38 Since 2019, the number of these super users has fallen from 12 to seven. This is due to staff departures over the period and no new super users being created. A ‘super user pack’ provided to support users has not been reviewed since 2019. At the time of the audit, there was no up-to-date guidance on the use of ELO or structured training in its use.

4.39 In February 2023, ANMM advised that:

• the role of the super users had changed over time and was now focused mainly on training new staff rather than original administrative support roles; and
• due to the decentralised approach to managing ELO its use varied between various teams within the ANMM, as practices evolved over time and staff changed.

4.40 Before November 2022, there was no support agreement in place between the ANMM and the service provider for ELO. The absence of such an agreement limited the ability of ANMM staff to receive training in ELO or manage the system. Staff were unable to delete records or containers created in error potentially affecting data reliability and accessibility. In November 2022, the ANMM and the service provider established a support agreement. Once the support agreement was in place, the ANMM identified priorities for training the ANMM’s records management staff. These were:

• establishing a base understanding of ELO;
• controlling access, use of access groups and adding users; and
• how to make structural changes to the ELO database.

4.41 The ANMM’s most recent records manager commenced in June 2022 and left in December 2022. The training priorities identified have not been achieved.

4.42 The case study below demonstrates the impact of poor records management.

Note a: The Closing Letter is prepared to communicate matters to the entity and its audit committee that are directly relevant to the financial statements or that the auditing standards require be communicated before the statements are signed.

Note b: Category C findings are defined by the ANAO as those that pose a low business or financial management risk to the entity. These may include findings that, if not addressed could pose a moderate risk in the future.

4.43 In February 2023, the ANMM’s Museum Council papers and minutes for its November 2022 meeting had not been uploaded to ELO, more than three months after the meeting was held due to a gap in staffing. Board papers are an important category of information and should be placed in an endorsed record keeping system as soon as possible.

Disposal and transfer of information to the National Archives

4.44 Under section 27 of the Archives Act, Australian Government entities are required to transfer selected information and records with ongoing archival value, known as ‘Retain as national archives’ (RNA), to the National Archives for preservation and access.⁵⁸ The Act requires this to be done as soon as practicable, or within 15 years of the record coming into existence. Action 14 of the Building Trust policy reiterates this as a mandatory obligation.

4.45 The ANMM’s records authority⁵⁹ defines RNA documents as those relevant to the high-level control, preservation, and use of the collection. These records include:

• overarching collection management policies and plans, including the collection development policy and long-term preservation plans;
• acquisition records, such as proposals and reasons for acquisition, provenance, invoices, deeds of gift, approvals, property rights agreements, including intellectual property rights and copyright, object description papers, object condition and conservation reports, and negotiations and letters of acceptance for items which are eventually accessioned;
• records documenting proposed acquisitions for complex and/or high financial value objects that do not proceed;
• accessioning and de-accessioning registers, proposals and approvals;
• control records, such as the collection management database, classification methods, other catalogues and registers and metadata that provide essential finding aids and provenance for the collection;
• final project documentation;
• minutes of program committees; and
• original research.

4.46 The ANMM was established in 1991. It is therefore likely to have records that would fall into the above categories, that have been in existence for more than 15 years, and should therefore have been transferred to the National Archives as RNA.

4.47 ANMM has never transferred records to the National Archives. In this regard the ANMM will not be compliant with the Archives Act.

4.48 It was not clear from available documentation and staff why no records had ever been transferred. Contributing factors included:

• a lack of records management expertise within the ANMM, due to turnover of staff and insufficient resourcing;
• this lack of expertise resulting in a view that as much of the information was held within TMS, it was not feasible or appropriate to transfer records; and
• a lack of systematic governance of records management that did not highlight important legislative requirements and put in place procedures to meet these requirements.

4.49 The ANMM became aware that no records had ever been transferred in July 2022 when the records manager contacted the National Archives and asked for details of past transfers. The National Archives advised that ‘there have been no transfers of any format to the National Archives from the Australian National Maritime Museum’.

Does the Australian National Maritime Museum accurately report externally on its progress in implementing the policy?

The ANMM’s Check-up response

4.52 The ANMM submitted its 2022 Check-up survey response to the National Archives in November 2022. The ANMM advised that the response had been approved by the CEO however did not have evidence of the approval. As noted in Chapter 2 this is a fundamental part of the National Archives’ assurance controls.

4.53 The ANMM accurately reported that it ‘never/rarely’ transferred ‘retain as national archives’ information assets, as soon as practicable, or within 15 years of creation to the care of the National Archives.

4.54 The ANAO reviewed the ANMM’s 2022 Check-up survey response and identified answers that could not be substantiated by the ANMM and were inconsistent with the ANAO’s analysis of available ANMM documentation. ANAO analysis of the answers is in Table 4.1.

Table 4.1: Inconsistent answers in the ANMM’s 2022 Check-up survey response

Source: ANMM response to the 2022 Check-up Survey and ANAO analysis of ANMM activities.

4.55 The response also stated that the ANMM did not use the products and guidance produced by the National Archives to support implementation of the Building Trust policy. ANMM staff confirmed that they had little contact with the National Archives and were unaware of ways to engage with the National Archives.

Appendix 1 Entity responses

Appendix 2 Improvements observed by the ANAO

1. The existence of independent external audit, and the accompanying potential for scrutiny improves performance. Improvements in administrative and management practices usually occur in anticipation of ANAO audit activity; during an audit engagement; as interim findings are made; and/or after the audit has been completed and formal findings are communicated.

2. The Joint Committee of Public Accounts and Audit (JCPAA) has encouraged the ANAO to consider the ways in which the ANAO could capture and describe some of these impacts. The ANAO’s 2022–23 Corporate Plan states that the ANAO’s annual performance statements will provide a narrative that will consider, amongst other matters, analysis of key improvements made by entities during a performance audit process based on information included in tabled performance audit reports.

3. Performance audits involve close engagement between the ANAO and the audited entity as well as other stakeholders involved in the program or activity being audited. Throughout the audit engagement, the ANAO outlines to the entity the preliminary audit findings, conclusions and potential audit recommendations. This ensures that final recommendations are appropriately targeted and encourages entities to take early remedial action on any identified matters during an audit. Remedial actions entities may take during the audit include:

• strengthening governance arrangements;
• introducing or revising policies, strategies, guidelines, or administrative processes; and
• initiating reviews or investigations.

4. In this context, the below actions were observed by the ANAO during the audit. It is not clear whether these actions and/or the timing of these actions were planned in response to proposed or actual audit activity. The ANAO has not sought to obtain assurance over the source of these actions or whether they have been appropriately implemented.

Appendix 3 2022 Check-up survey results

Appendix 4 Recommendation 3 of the JCPAA Report 492: Governance in the Stewardship of Public Resources

The Committee recommends that the National Archives of Australia (NAA) report back:

• with details of its risk management plan for the Building Trust digital policy, and on how NAA is identifying, managing and reporting risks to implementation of the policy
• on its monitoring and evaluation plan for implementation of the Building Trust policy, including details of:
  • how the performance measures it has established are relevant, reliable and adequate; are consistent with the policy objectives, to enable accurate assessment of NAA performance against objectives and accurate analysis of Commonwealth entity performance in implementing targets; and clearly define how success will be measured and reported
  • how its annual surveys have been redesigned to reflect the objectives of the Building Trust policy and gauge entity progress in implementing the policy, to enable direct comparison of survey results with policy targets, and ensure consistent and comparable data is collected
  • the findings of its review of implementation of the policy (due in 12 months), including performance reporting on NAA’s effectiveness in monitoring and assisting entities to meet the targets of the policy
• on its assurance framework for verifying the accuracy of reported data in Commonwealth entity self-assessments from annual surveys, in terms of implementation of the Building Trust policy.