Introduction

1. A key element of sound public administration and accountability is adequate recording or documentation of the business of government.¹ To achieve this, agencies² need to develop records management frameworks and systems designed to ensure that records are appropriately managed.³ This commences with the creation and subsequent capture of records in records management systems, through to their maintenance and use, and ultimately their transfer to the National Archives of Australia (the Archives) or destruction. Records management needs to be seen as important within the governance, resourcing and information management arrangements of an agency for it to effectively support the management of business activities and risks, and to satisfy records management requirements.

2. The requirements that Australian Government agencies need to meet in relation to records management derive from multiple sources. Access to, preservation and destruction of information created and received when undertaking Australian Government business is governed by the Archives Act 1983 (Archives Act). A key focus of the Archives Act is authorisation of the disposal or destruction of records by the Archives approving records authorities.⁴ Records management obligations are also contained in other Acts including the Freedom of Information Act 1982 and the Financial Management and Accountability Act 1997 (FMA Act).⁵

3. The Archives also has a key role in establishing standards, and providing guidance and assistance to agencies in managing their records management responsibilities. An important piece of guidance issued by the Archives is Check up 2.0, which establishes the minimum requirements for information and records management. These requirements cover agencies’ information and records management arrangements and practices, including frameworks, records’ creation, capture and destruction, and business systems. A number of other Australian Government agencies have issued policies, standards and guidelines relevant to the management of records, including electronic records.⁶ For example, the Attorney-General’s Department has established the Protective Security Policy Framework (PSPF), which outlines mandatory minimum security requirements for all agencies, and has implications for records management.

Records management systems and guidance

4. To support agency business, and meet legal and policy requirements, systems that manage information need to operate so that records can be proven to be genuine; are accurate and can be trusted; are complete and unaltered; are secure from unauthorised access, alteration and deletion; are findable and readable; and are related to other relevant records.⁷ In this respect, a key aspect of an agency’s approach to records management is to determine those electronic business systems that need to be managed as records management systems; and how other electronic business systems should be managed and used to meet records management requirements. Before a decision is made to acquire, develop or upgrade an electronic business system, the records management capability of the system should be considered in the context of the function to be performed by the system.

5. Another important aspect of an agency’s approach to records management is the development of relevant policy and guidance for staff. Policy and guidance gives direction to staff and supports their application of consistent records management approaches. Key elements of policy and guidance are: identification of information that needs to be created, received and maintained as a record for major business activities of the agency; identification of electronic business systems that are records management systems; and how all electronic business systems that contain records should be managed from a records management perspective.

Current trends in the records management environment

6. In 2008–09, the estimated annual cost of onsite paper storage of records for 138 Australian Government agencies and bodies was $208 million.⁸ The increased use of information technology (IT) by agencies has placed pressure on the adequacy of paper-based records management systems to adequately support the capture, maintenance, access, retention and disposal of records. Australian Government agencies create a substantial amount of electronic information and records as part of their normal operations. However, in 2009 less than 30 per cent of these agencies and bodies managed the majority of their records digitally, even though more than half reported having an Electronic Document and Records Management System (EDRMS) and using other electronic business systems to manage records.⁹ Establishing effective records management, particularly digital records management¹⁰, represents a significant business issue for many agencies.

7. To provide impetus and direction for digital records management, in July 2011 the Australian Government announced a policy for agencies to move to electronic records management for efficiency purposes. This policy is referred to as the Digital Transition Policy.¹¹ It involves agencies’ senior management driving a change to digital records management through an increased focus on resource requirements and records management functionality when purchasing new electronic business systems, and reducing paper stockpiles.

Audit objective, criteria and scope

8. The objective of the audit was to assess the extent to which agencies create, manage and dispose of records in accordance with key business, legal and policy requirements.

9. Three high-level criteria were used to assess the performance of the agencies’ records management arrangements and practices. The criteria examined whether selected agencies had:

• formally analysed their records management needs;
• developed and implemented frameworks and systems that adequately supported records management; and
• applied sound records management practices.

10. For the selected agencies, the audit assessed records management arrangements at an agency-wide level and for certain business areas. The audit also assessed the agencies’ progress in transitioning towards digital records management. This included examining the agencies’ implementation and/or use of an EDRMS and other electronic business systems for records management purposes.

11. The audit examined the records management arrangements and practices in the: Australian Customs and Border Protection Service (Customs); Department of Immigration and Citizenship (DIAC); and Department of the Treasury (Treasury). These agencies were chosen on the basis that they: held significant records from an archival perspective; had records management approaches at varying levels of maturity with respect to the comprehensiveness of records authorities in relation to core business, and the development of a digital records management environment; and had not been included in previous Australian National Audit Office (ANAO) records management audits.

12. The audit also considered the Archives’ response to Recommendation No.1 from ANAO Audit Report No.6 2006–07 Recordkeeping including the Management of Electronic Records. The recommendation sought the Archives’ clarification of Australian Government records management requirements and provision of further guidance to agencies on addressing these requirements.

Overall conclusion

13. Management of records by Australian Government agencies is integral to the effective administration of programs and services; and should be undertaken in accordance with a broad range of legal, policy and other requirements. At an agency level, records management arrangements include records management systems to support creation, capture, management, and destruction or transfer of records, and policies and procedures to be applied by staff. In this respect, the records management environments within the audited agencies were complex. Creating, capturing and/or using agency records is a widespread and daily responsibility of all staff in the agencies. To support staff to undertake these roles each agency maintained a core records management system and more than 130 other electronic business systems.¹² These systems were generally used to create, capture and/or manage records of business activities. Records management systems and other electronic business systems used to manage records need to be able to support retention, destruction and transfer requirements in accordance with the Archives Act. This was complicated by different types of records needing to be managed for varying periods of time under approved records authorities.

14. There is an increasing amount of legislation, policies, standards and guidance issued by a number of Australian Government agencies that has implications for information and records management. Having multiple sources of requirements makes it difficult for agencies to be aware of and to apply these requirements. Further, these multiple sources do not always clearly indicate whether requirements reflect legislative obligations, policy requirements or good practice, making it difficult for agencies to understand the relative importance of requirements and prioritise action to address them. While the Archives has sought to determine the minimum requirements for information and records management since the ANAO’s 2006–07 records management audit, further work remains to clarify the different nature of requirements, and to provide practical guidance in areas such as digital records management.¹³

15. The agencies created a substantial volume of records on an annual basis in undertaking business activities. At an agency-wide level, the agencies had developed generic records management policy and guidance to assist with determining the records that needed to be created, received or collected. However, at a business activity level there was often little guidance on the records to create and which records management system should be used to capture the records to support business, while meeting legal and policy requirements.

16. The large majority of the agencies’ records were created, captured and/or managed in the agencies’ records management and other systems. This included paper and electronic systems. Each agency maintained a core records management system which supported the management and destruction or transfer of records captured in the system, although there was scope to improve the use and performance of these systems. Many other electronic business systems that were not identified and functioning as ‘records management systems’ were also used by the agencies to create, capture and manage records. These systems did not generally meet legal requirements relating to the management, and destruction or transfer of records. The use of such systems also created a risk that inaccurate or incomplete information could be accessed and used when making decisions, and acquitting legal and policy requirements, such as responding to freedom of information requests.

17. The agencies had all experienced delays in transitioning to a digital records management environment that adequately supports business, meets legal and policy requirements, and is easy to use. Implementing digital records management systems and practices is complex, resource intensive and requires significant cultural change. Nevertheless, the need to have robust digital records management is becoming more pressing, particularly given the cost of managing paper records, application of new and changing technologies to improve programs and service delivery, and the release of the Australian Government’s Digital Transition Policy in July 2011.

18. The audit has highlighted the challenges for agencies in achieving robust records management arrangements in today’s digital environment, particularly for those where there are complex business requirements and a large number of electronic business systems in use. Being successful requires a coherent strategy, and the sustained investment of time and resources, to strengthen systems and refine practices. Further, transitioning effectively to digital records management arrangements requires a strong commitment to the strategy adopted, and to addressing records management needs when selecting, developing or upgrading electronic business systems that contain records. This will position agencies to meet their records management obligations, support efficient operations and provide for timely access to information and records. The ANAO has made three recommendations directed towards agencies: addressing records management needs when selecting, developing and upgrading electronic business systems; appropriately managing and using electronic business systems to meet records management requirements; and developing records management guidance that assists staff to determine the records that need to be created and managed for major business activities, and where these records should be maintained.

Key findings

Assessing records management needs and risks

19. Assessing records management needs and risks is an important step in developing an appropriate and effective records management approach. A key action that agencies should take is to develop records authorities to determine the retention, destruction and transfer requirements in accordance with the Archives Act. The three agencies had established, or were in the process of establishing, records authorities for their core business to guide proper disposal of records. The agencies had also completed reviews which identified significant issues and business risks in relation to information and records management or, at the very least, acceptance of records management systems and the application of relevant policy and guidance. These reviews identified a range of treatments to address risks presented by the agency arrangements. However, each agency has experienced delays in progressing effective treatments to information and records management risks, reflecting the relative priority of these issues to other business issues, and the complexity of their treatment.

20. A key records management need relates to the development of a digital records management environment. Each of the agencies had identified a need to move to digital records management by implementing an EDRMS and incorporating records management functionality in electronic business systems that contain records. However, despite identifying a need for an EDRMS in 1999, and in subsequent years, Customs’ records management remains paper based. In 2000 and 2004 respectively, DIAC and Treasury had implemented an EDRMS to manage a significant proportion of their records. However, these agencies had further work to do to improve the use, acceptance and/or performance of their EDRMS.

21. Other electronic business systems may also be used to create, use, maintain and dispose of records for particular business activities if appropriately managed. To provide for sound management of electronic records in business systems, agencies should consider records management needs during the planning, acquisition, development and implementation of electronic business systems. The agencies generally did not consider the need for records management functionality during these phases, although DIAC had recently changed its IT management arrangements to address this issue.¹⁴ As a result, some agency systems were being used to maintain records even though they had not been designed to do so. Conversely, some systems could have been used to manage records but no consideration had been given to their potential to fulfil this function.

22. It is important for agencies to identify vital electronic and paper records and develop contingency arrangements to enable their timely recovery in the event of a disaster, as part of business continuity planning. Treasury’s records management area had a vital records register which it updated on an ad hoc basis. However, none of the agencies had identified vital records in the context of their business continuity planning processes. Instead, these processes focused on disaster recovery arrangements for electronic systems, thereby providing the agency with the ability to recover information held in an electronic system within specified timeframes. Such approaches do not address the recovery of vital paper records in the event of a disaster. The need to have in place contingency arrangements for paper records was demonstrated following the 2011 Queensland floods, when some Australian Government agencies needed to destroy paper records affected by flood waters.

Support for records management

23. Records management policies and guidance outline an agency’s expectations in relation to information and records management for all staff, including the appropriate creation, capture and storage of records in approved records management systems when undertaking their work. Agencies must first determine the information that needs to be created and received in the context of each of their major business activities. In this respect, Customs and DIAC needed to further develop their guidance on records to create for each major business activity, and Treasury needed to promote the use of its existing guidance.

24. Agencies should then identify electronic business systems that are records management systems and specify how all electronic business systems that contain records should be used to manage the records that have been created or received. DIAC and Treasury had adopted a policy to manage a significant proportion of their records electronically by implementing an EDRMS. While this has led to an increase in the volume of records held electronically in the core records management system, further significant changes were required to better support the digital management of records. In particular, the agencies need to discourage unnecessary use of paper files¹⁵ and remove electronic systems, such as shared folders, that provide an alternative place to create, edit and keep records. Customs had a ‘print to paper’ policy that recognised a number of electronic systems were used to create records but required information from those systems to be printed and placed on a paper file. Customs intended to move to an EDRMS as it was recognised that existing arrangements for capturing electronic records were inadequate and inconsistent, and that paper records did not capture all business decisions. More generally, the agencies often had not developed sufficient guidance on the use of other electronic business systems that contain records to help ensure that records are appropriately created or captured, and then transferred to or maintained in approved records management systems, including copying records where appropriate to the core records management system.¹⁶

25. To efficiently manage their records and comply with approved records authorities, agencies need to implement sentencing and disposal programs.¹⁷ Of the three agencies, Treasury had established an annual sentencing program and Customs had commenced development of a sentencing program in July 2011. DIAC had undertaken limited sentencing and disposal work because of a Moratorium on the Destruction of Department Files for several types of records, including client records.¹⁸

Records management practices and systems

26. Systems used to manage records need to be able to preserve the integrity of information, including through quality control procedures to ensure the completeness and trustworthiness of records; and system controls over access and security. However, as indicated in paragraph 16, many electronic systems that were not records management systems, such as shared folders, email, and certain electronic business systems, were being used to store and manage records even though they did not have suitable records management functionality. In some of these systems there were insufficient controls in place to ensure the authenticity and integrity of the records they contained. Delays in filing information from shared folders to the core records management system also exposed records to alteration and deletion, ultimately impacting on the integrity and authenticity of the record.

27. It is important to minimise data quality issues in information and records holdings so that the information and records can be considered accurate and reliable. DIAC is aware of data quality issues affecting significant migration processing systems, for example, the creation of multiple records where it cannot be reliably determined that the client records relate to the same person. In June 2011 a review of potential duplicate records in relation to one of the migration processing systems identified there were 653 861 multiple records.¹⁹ These data quality issues have the potential to increase the risks associated with identity resolution, border operations and departmental reputation. From a policy and guidance perspective DIAC is reviewing the nature and source of data quality issues, and has plans, as part of its information management framework, to implement new data management arrangements to address these issues.

28. A significant risk to Australian Government agencies in relation to records management is their ability to access complete and comprehensive information when it is required for business or legal purposes, including responding to freedom of information (FOI) requests in a timely manner. For the three agencies, information and records access was impeded by existing information and records management arrangements. For example, information and records for a business activity were often held in a variety of locations and electronic business systems. Staff did not have access to all locations and systems, and generally had limited understanding of information holdings that fell outside of their day-to-day responsibilities. Staff often stored information in a variety of places, but did not have consistent rules about the records that needed to be created and where they would be captured. This means information is captured, managed and accessible on a silo basis. The agencies did not have a widespread culture of consistently using approved records management systems, including the EDRMS and electronic business systems, to support efficient and comprehensive searches for information.²⁰

29. Where electronic business systems are used to manage records, the retention and destruction of information should be undertaken in accordance with relevant records authorities. With the exception of designated records management systems, none of the electronic business systems examined by ANAO sufficiently provided for sentencing, destruction and transfer in accordance with records authorities. For most of the systems, fields could be overwritten. If this occurred, available audit trails would indicate an edit had occurred but generally did not identify the changes.

Summary of agency responses

30. The audited agencies’ and the Archives’ summary responses to the audit are provided below.

Australian Customs and Border Protection Service

31. Customs and Border Protection welcomes the opportunity to contribute to the ANAO's audit on Records Management in the Australian Public Service and believes it will provide useful guidance for agencies in their implementation of the Government's Digital Transition Policy. Customs and Border Protection agrees with all three of the recommendations arising from the audit.

Department of Immigration and Citizenship

32. DIAC agrees with the three recommendations of the ANAO report to strengthen records management for systems development, records management guidance and the identification of recordkeeping requirements within electronic business systems. Building on previous cross-agency audits of records management, the latest cross-agency audit in this area has highlighted digitisation of records as an emerging priority area for attention.

33. DIAC will use the audit's findings, observations and recommendations to ensure the management processes continue to improve records management. Our Information and Communications Technology (ICT) Strategic Plan 2011–15 includes improving information management practices as a priority. Our recordkeeping maturity self assessment focuses senior managers' attention on records management. We are reviewing our electronic systems to ensure conformance with better-practice electronic records management. Consideration of digitisation of paper records is an integral part of our systems development life cycle methodology and as outlined in the report, DIAC has a number of digitisation projects underway.

Department of the Treasury

34. The Treasury agrees with the recommendations of the report and will develop strategies for:

• continued support for good recordkeeping practices;
• enhancing its recordkeeping framework;
• implementing strategic business and technology projects to strengthen its management of electronic records; and
• analysing and reporting on the maturity of its recordkeeping environment through the Check-up 2.0 framework.

35. The Strategic Review of the Treasury outlines its commitment to supporting good recordkeeping practices. The review work program recognises the need to modernise the ICT approach to recordkeeping as well as sustained changes to business practices.

National Archives of Australia

36. The National Archives welcomes the timing of this report and its findings. Information and records are a key agency asset and their management is integral to agency governance and accountability. This is a three-pronged approach involving people, processes and technology. Overall responsibility for the management of an agency's records must rest with the most senior staff in order to drive a culture that recognises and values the importance of records. Records management in today's digital world requires appropriately skilled staff and close liaison with, and cooperation of, the Chief Information Officer and ICT areas to ensure proper long term management and accessibility. In a practical sense, responsibility for the creation and capture of appropriate records has to rest with every member of an agency's staff, all of whom must be trained to understand and meet their obligations. In addition, technologies need to be appropriate for the ongoing support and maintenance of agency information and records to mitigate business risk. In the digital environment in which we work, records are more complex than just documents to be captured into an EDRMS. They are created by, and held in, a variety of business systems. Their context and relationship to other records can be as important as the information they individually contain. Systems that hold records must either have records management functionality appropriate to the value of the records they hold or have the facility to capture records into an EDRMS. The information architecture and taxonomies need to ensure consistency in approach so that all relevant information in an agency can be found when it is required.

Footnotes

[1]   Under the Public Service Act 1999, subsection 10(e), the Australian Public Service’s (APS’s) values include that the APS is openly accountable for its actions, within the framework of Ministerial responsibility to the Government, the Parliament and the Australian public.

[2]   The term ‘agencies’ is used throughout the report to refer to Australian Government agencies subject to the Financial Management and Accountability Act 1997 (FMA Act). It is important to note than most of the information and records management requirements discussed in this report also apply to Australian Government bodies subject to the Commonwealth Authorities and Companies Act 1997.

[3]   Records can be defined as ‘information in any format created, received, and maintained as evidence and information by an organisation or person, in pursuance of legal obligations or in the transaction of business’. Standards Australia, Australian and International Standard—Records Management AS ISO 15489.1, p. 3. The Archives Act 1983 definition of a record is consistent with the Australian and International Standard (Archives Act 1983, as amended 25 July 2011, p. 5).

[4]   A records authority is a formal instrument that defines the retention periods and consequent disposal actions authorised for classes of records described in the authority. Following a period of time, disposal action includes destruction or transfer to the Archives. Records authorities typically apply to the core business records of a single agency or body, while general records authorities, such as the Administrative Functions Disposal Authority, normally apply to Australian Government agencies and bodies. Source: <http://naa.gov.au/records-management/agency/keep-destroy-transfer/index.aspx> [accessed 21 November 2011].

[5]   Legislation relating to the functions and responsibilities of particular agencies may also contain specific records management requirements for the relevant agencies.

[6]   These requirements are discussed in Chapter 1 at paragraphs 1.4 and 1.5, and Appendix 2: Australian Government Records Management Requirements.

[7]   The Archives’ website, available at: <http://naa.gov.au/records-management/agency/digital/
digitalsystems/index.aspx>.

[8]   Figures are based on responses to the Archives’ most recent records management survey of Australian Government agencies and bodies, which occurred in 2010. The Archives also estimated that they would receive 12 kilometres of physical records to manage as National Archives in 2010 alone.

[9]   Estimates are based on these agencies’ and bodies’ responses to the Archives’ 2010 Recordkeeping Survey.

[10]   Digital records management involves the majority of an agency’s records being created, stored and managed digitally, where possible, and scanning incoming paper records.

[11]   Available at: <http://naa.gov.au/records-management/strategic-information/transition/index.aspx> [accessed 21 November 2011].

[12]   While Treasury reported having 177 electronic business systems, many of these systems were applications that did not hold information or records.

[13]   The Archives advised that it has recently released a Digital Continuity Plan to guide agencies in their ongoing management of digital records.

[14]   Treasury had developed records management functional requirements for electronic business systems, but did not require their application when selecting, developing or upgrading electronic business systems.

[15]   Under the Archives’ General Records Authority (GRA) 31—Source (including original) records after they have been copied, converted or migrated, agencies can scan a paper record to a records management system and then destroy the paper record. There are some exceptions to the permission to destroy under GRA 31, including where there is a security or legislative requirement to maintain a record in paper format.

[16]   This includes business areas consulting with the records management unit, and determining whether an electronic business system could support records management requirements, and be classified as a records management system (see also paragraph 21).

[17]   Sentencing is the process of using a records authority or general records authority to decide whether to retain, destroy or transfer a record.

[18]   DIAC advised in April 2012 that the Moratorium had ceased in 2011.

[19]   The information in this system is shared with some of Customs’ electronic business systems.

[20]   In this respect, the agencies did not apply consistent record, information and data titling conventions making it more difficult to locate relevant information.