Records Management Standard for the New Zealand Public Sector May 2014

Records Management Standard for the New Zealand Public Sector 2

Document details

Authority Archives New Zealand, Department of Internal Affairs

Author Archives New Zealand, Department of Internal Affairs

Document status Publication

Version Version 1.1

Contact for enquiries Client Capability Directorate Archives New Zealand Phone: (64 4) 499 5595 Email: rkadvice@dia.govt.nz

Licence

Crown copyright ©. This copyright work is licensed under the Creative Commons Attribution 3.0 New Zealand licence. In essence, you are free to copy, distribute and adapt the work, as long as you attribute the work to Archives New Zealand, Department of Internal Affairs and abide by the other licence terms. To view a copy of this licence, visit http://creativecommons.org/licenses/by/3.0/nz/.

ISSN 1176-2713

ISBN 978-0-478-43050-9

Records Management Standard for the New Zealand Public Sector 3

Table of contents

1 Introduction 4 i. Purpose 4 ii. Audience 4 iii. Mandate 4 iv. Approach 4 v. Scope 4 vi. Collaborative approach 5 vii. The Treaty of Waitangi / Te Tiriti o Waitangi 5 viii. Advice, guidance and training 5

2 Records management 6 i. Definition 6 ii. Benefits of managing records 6 iii. Risks of not managing records 6 iv. Government and community expectations 7

3 Structure of the standard 8 i. Guiding principles and mandatory requirements 8 ii. Principles 8 iii. Requirements 8

4 Principles and requirements 9 Principle 1: Create and maintain records 9 Principle 2: Classify and organise records 11 Principle 3: Assign records management metadata to records and aggregations 12 Principle 4: Provide access to records 15 Principle 5: Appraise records and dispose of them appropriately 17 Principle 6: Maintain the integrity of records 20 Principle 7: Manage records systematically 23

5 Background of the standard 26 i. Origins 26 ii. Wider framework 26

6 Implementing the standard 27 i. Lower-value records 27 ii. Data 28

7 Compliance 29 i. Obligation to create and maintain records 29 ii. Compliance monitoring 29 iii. Exemptions 29 iv. Offences under the Public Records Act 29 v. Records of business activities contracted out 29

8 Self-assessment checklist 30

Records Management Standard for the New Zealand Public Sector 4

1 Introduction i. Purpose This standard sets out minimum requirements for the management of records by public offices and local authorities. Implementing these requirements will help to ensure that public records and local authority records are reliable, authentic, have integrity and are usable. Records with these characteristics provide trustworthy evidence of business activity. They enable public sector organisations to meet both their internal operational and reporting needs and their external accountability obligations.

ii. Audience This standard is written for public sector staff tasked with managing records or who have a particular interest in records management. Among these staff are likely to be:

• senior managers responsible for implementing and governing records and information management programmes

• staff in records, knowledge and information management roles • staff in compliance roles • staff in risk and assurance roles • staff in privacy roles • staff in information technology roles • staff in enterprise and information architecture roles.

Vendors and consultants providing records management products and services to public sector organisations should also read this standard.

iii. Mandate This standard is issued by the Chief Archivist under section 27 of the Public Records Act 2005. It is mandatory for public offices, with the exception of state and integrated schools, and for local authorities, including council-controlled organisations. It is discretionary for state and integrated schools.

Public offices and local authorities are defined in section 4 of the Public Records Act. Contact Archives New Zealand if you are unsure whether this standard applies to your organisation.

iv. Approach

This is a performance-based standard designed for flexible implementation. It requires public sector organisations to achieve a range of records management outcomes but recommends or suggests rather than prescribes specific methods for doing so (see Archives New Zealand’s Standards Policy for further information).

v. Scope

Format This standard applies to records in all formats, including physical, digital and hybrid.

Archival records This standard does not apply to the management of archives in archival facilities. Many of the principles outlined in this standard are relevant to the management of records selected for permanent preservation and transferred to archival storage. But the day-to-day management of these kinds of records differs from the day-to-day management of records in active business use.

Contact Archives New Zealand for guidance on the management of archives.

Records Management Standard for the New Zealand Public Sector 5

Lower-value records In principle, all public and local authority records should be managed in line with the requirements in this standard. However, this standard recognises that different levels of care are appropriate for different kinds of records. Records that have no or only transitory value as evidence of business activity do not require the same level of care as more substantive records.

Therefore public sector organisations will be compliant with this standard if they implement its requirements with regard to a reasonable and defensible subset of the records they hold. This aligns with normal, prudent business practice (see section 6 for further guidance).

Data This standard applies to data as well as documents. This standard recognises, however, that several of the requirements it sets out conflict with data management imperatives and realities.

Public sector organisations are expected to assess the evidential value of data and manage it appropriately. They are not required to treat data exactly like documents (see section 6 for further guidance).

vi. Collaborative approach Public sector organisations are encouraged to adopt a collaborative approach to meeting the requirements in this standard. Where possible and practical, organisations should pool expertise and resources to acquire and implement common capabilities for records management. This will:

• realise scale efficiencies • simplify the public sector technical environment • reduce duplication and fragmentation • streamline system maintenance and upgrades, and • support end-to-end business processes across agency boundaries.

This approach aligns with strategic goals for the management of public sector information and ICT. Further information can be found on www.ict.govt.nz.

vii. The Treaty of Waitangi / Te Tiriti o Waitangi This standard acknowledges and respects the rights of Māori to their recorded knowledge, which is a tāonga in the terms of the Treaty of Waitangi. Public sector organisations should provide the highest possible level of care for records containing traditional knowledge. (Principles 4, 5 and 6 in this standard are particularly relevant in this regard. See page 14 onwards.)

viii. Advice, guidance and training

Archives New Zealand provides advice, guidance and training to help public sector organisations comply with the requirements in this standard. Visit Archives New Zealand’s website for further information, or contact:

Client Capability Directorate Archives New Zealand PO Box 12-050, Wellington 6144 Email: rkadvice@dia.govt.nz Phone: (04) 499 5595

Records Management Standard for the New Zealand Public Sector 6

2 Records management

i. Definition

Records management is an integrated framework of governance arrangements, architectures, policies, processes, systems, tools and techniques that enables organisations to create and maintain trustworthy evidence of business activity in the form of records. Records provide trustworthy evidence when they are reliable, authentic, have integrity and are usable, that is, when:

• their provenance or origin can be traced and confirmed • the information they contain is full and accurate • their content, structure and format are preserved materially unchanged over time, and • they can be located, retrieved, presented and interpreted.

ii. Benefits of managing records

Trustworthy evidence of activity Public sector organisations cannot function without trustworthy evidence of business activity. Credible records are required to:

• design and deliver services • make good decisions and good policy • earn public confidence • understand, manage, report on and account for business activities • track progress against objectives • demonstrate compliance with legislative and regulatory requirements • prepare effectively for litigation • protect their contractual and other interests • achieve business continuity, and • maintain corporate memory.

The authoritative information contained in credible records can also be used within the public sector, and potentially reused by businesses, social organisations and individuals, to generate new and added economic, social and cultural value.

Systematic records management Adopting a systematic approach to creating and maintaining records enables public sector organisations to achieve the benefits described above, and to do so effectively and efficiently. It allows them to:

• make the records they really need • realise the true value of their records as information assets • find and access all of the right records at the right time and use them with confidence • preserve records for as long as required and then dispose of them appropriately • assess the relative importance of different kinds of records • identify and protect records containing sensitive, confidential or private information, and • control costs associated with finding, accessing and preserving records.

iii. Risks of not managing records

Public sector organisations that do not systematically manage the creation and maintenance of their records are more likely to:

• create records that are not fit for purpose • leave important activities undocumented

Records Management Standard for the New Zealand Public Sector 7

• misunderstand the information in records • lose track of, misplace or accidentally damage or destroy records, including those with long-term value to

the New Zealand public • lose the ability to access records when required • lose trust in the records that can be found and accessed • allow inappropriate access to records containing sensitive, confidential or private information, and • incur unnecessary operational and remediation costs.

Ineffective and inefficient records management thus exposes public sector organisations to a range of higher-level risks. These include:

• compromised service design and delivery • poor decision- and policy-making • diminished client or customer confidence • reduced ability to understand, manage, report on and account for business activities • reduced ability to track progress against objectives • reduced ability to demonstrate compliance with legislative and regulatory requirements • reduced ability to prepare for litigation • reduced ability to protect contractual and other interests • reduced ability to recover from interruptions to business processes, and • impaired corporate memory.

iv. Government and community expectations

Managing records in line with the requirements in this standard will help public sector organisations to realise the benefits and mitigate the risks described above. It will also help them to meet government and community expectations for the management of public and local authority records. These expectations include the:

• effective and responsible stewardship of information assets • creation and maintenance of records that can be used to hold public sector organisations to account, and • preservation of records with long-term historical or cultural value, or which contribute to New Zealanders’

sense of their national identity.

Records Management Standard for the New Zealand Public Sector 8

3 Structure of the standard i. Guiding principles and mandatory requirements

This standard is organised into higher-level guiding principles and lower-level mandatory requirements. The principles provide an overview of the core areas of records management focus and effort. The requirements are specific records management outcomes that public sector organisations must achieve.

ii. Principles This standard has seven principles:

1. Create and maintain records 2. Classify and organise records 3. Assign metadata to records and aggregations 4. Provide access to records 5. Appraise records and dispose of them appropriately 6. Maintain the integrity of records 7. Manage records systematically

Supporting each principle is a short explanation which indicates why the principle is important, describes it in more detail and outlines its implications.

iii. Requirements

Format: statements and guidance notes

Each of the seven principles noted above is unpacked into two or more related requirements. These requirements are numbered and consist of a statement and a guidance note.

The statements mandate specific records management outcomes. The guidance notes establish a common context for interpreting the requirements, and recommend or suggest ways of achieving them.

Obligations: statements and guidance notes

The requirement statements are mandatory: they must be complied with. The guidance notes are informative and explanatory rather than directive. Although they make specific suggestions and recommendations for meeting the requirements, these need not be followed. They may not apply to every organisation or be appropriate in every situation.

Public sector organisations are free to achieve the outcomes mandated in this standard in ways that suit their individual circumstances, and are encouraged to do so.

Readers of this standard should note that the guidance notes are not comprehensive blue-prints for compliance. They do not cater for every situation or outline every action that may need to be undertaken to achieve a particular outcome. Further advice on achieving the mandatory outcomes in this standard can be found on Archives New Zealand’s website.

Readers of this standard should also note that some of the actions described in the guidance notes, while not mandatory in terms of this standard, are obligatory under statutes such as the Electronic Transactions Act, the Privacy Act and the Official Information Act (see, for example, the guidance notes for requirements 1.5, 4.1 and 5.3).

Records Management Standard for the New Zealand Public Sector 9

4 Principles and requirements PRINCIPLE 1: CREATE AND MAINTAIN RECORDS

The requirements in this principle lay the groundwork for making and keeping fit-for-purpose records of business activity, and for maintaining them for as long as required.

Effective and efficient records management begins with an analysis and understanding of internal requirements and external obligations relating to the creation and maintenance of records. The next step is to create and maintain records in order to meet those requirements and obligations.

When making records of business activity, it is important to ensure the information they contain is authentic, reliable and has integrity. Making them in a timely manner and as a normal part of the business processes they support and document improves their authenticity and reliability. Fixing their content establishes their integrity and preserves it over time.

REQUIREMENTS

1.1 Statement Internal requirements and external obligations to create and maintain records of business activity must be identified and documented

Guidance Ensure that your organisation understands its records management requirements and obligations. Document those requirements and obligations appropriately in, for example:

• strategic plans • contracts and service level agreements • operational policies • IT policies • business process maps • design documents and implementation and configuration guidelines for electronic

systems • records and information management policies • retention and disposal schedules • a vital records register.

When identifying and analysing internal requirements and external obligations, assess:

• operational, reporting and audit needs • the likely need to submit records as evidence in court • legislative and regulatory responsibilities • the need to protect citizens’ rights and entitlements • stakeholder expectations • Iwi Māori expectations, and • current and future research interest in your organisation's activities.

1.2 Statement Records must be created and maintained to meet internal requirements and external obligations

Guidance Operational teams have primary responsibility for creating records as outputs of business processes, but records management staff should monitor these processes across the organisation as a whole.

Problems in delivering services, reporting on objectives, meeting audit and monitoring requirements, answering Parliamentary Questions, responding to Official Information Act

Records Management Standard for the New Zealand Public Sector 10

requests, and so on, may indicate that records are not being created and maintained to meet requirements and obligations.

Ensure that existing records are fit-for-purpose as evidence of business activity. Carry out a records stock-take periodically. Include records held in:

• corporate records management systems • line of business systems • email folders or vaults • personal or shared drives • databases or data-warehouses • cloud-based applications • website content management systems • social media sites • filing cabinets and store-rooms • off-site storage.

Use the principles and requirements in this standard as a benchmark to assess the authenticity, reliability, integrity and usability of your organisation’s existing records. Prioritise the analysis of high-value or high-risk records.

1.3 Statement The content and structure of records must fit their purpose and audience

Guidance Document your organisation’s activities in sufficient detail to meet internal requirements and external obligations. Meet any specific legal or other requirements relating to the format, layout or wording of your organisation’s records.

Compile records in such a way that later users, who may not have key contextual information, can understand them. Cite references within records to help users understand their content and context.

Standardise your organisation’s records to improve their accuracy, strengthen their credibility and make them easier to understand. Where possible, use forms, templates, stylesheets, and a house style. Quality assure data entry and digitisation work (see Archives New Zealand’s Digitisation Toolkit).

1.4 Statement Records must be created in a timely manner

Guidance Create records as a normal part of business activities. Automate or trigger their creation as outputs of those activities or make them as soon as possible after the activities have finished. Encourage the people best-placed to make records to do so.

1.5 Statement The content of records must be fixed

Guidance Capture records into a formal records management system or manage them in-place in line of business systems with appropriate records management functionality (see the Digital Recordkeeping Standard for further information). After a business activity has ended and a suitable period of time has passed, prevent unauthorised changes to records documenting that activity.

Set and follow business rules for altering the content of fixed records, for example to correct personal details under Principle 7 of the Privacy Act 1993. Track changes to fixed records by assigning records management process metadata to them (see principle 3). Continue to provide managed access to fixed records (see requirement 4.1).

Records Management Standard for the New Zealand Public Sector 11

PRINCIPLE 2: CLASSIFY AND ORGANISE RECORDS

Classifying and organising records is crucial to achieving records management outcomes. Sorting and ordering them in a logical way ensures they are connected to other records as well as to the business activities they document. Classifying and organising records also makes it easier to find and retrieve them when required, manage access to them (see principle 4), and appraise and dispose of them (see principle 5).

A key tool for classifying and organising records is a business classification scheme (BCS). A BCS is a conceptual model of the functions and activities an organisation carries out, or the way in which it works or is structured. A BCS is the product of business analysis.

Organisations may possess or end up developing more than one BCS. These classification schemes may be constructed on different principles and their scope and level of detail may vary.

REQUIREMENTS

2.1 Statement Business activities must be documented in a business classification scheme

Guidance Develop one or more business classification schemes. Assess different approaches to developing a scheme or schemes, including functional, organisation-based, process-based and subject-based classifications.

Note the advantages of functional classification, particularly its effectiveness at capturing business context, its rigour and its durability. Be aware of the pitfalls of organisational classification, particularly its vulnerability to rapid and frequent changes in the structure of the organisation.

Choose the approach or approaches best suited to the business needs of your organisation, tailoring the scope and level of complexity as appropriate. A combination of different approaches and schemes may be most effective.

2.2 Statement Records must be classified and organised according to a business classification scheme

Guidance Use your organisation’s business classification scheme or schemes to develop a file-plan for records, assign standardised metadata to records, or both.

Enhance and supplement existing schemes to meet user needs and preferences. Explore techniques such as collaborative or social tagging and auto-classification.

Records Management Standard for the New Zealand Public Sector 12

PRINCIPLE 3: ASSIGN RECORDS MANAGEMENT METADATA TO RECORDS AND AGGREGATIONS

Records management metadata is information about the context, content and structure of records and their management through time. Assigning records management metadata to records enables the creation and maintenance of trustworthy evidence of business activity.

Records management metadata can be divided into two types: point of capture metadata and process metadata. The former provides information about the context in which records are created, including the creator, date of creation, relevant business activity, content of the record and so on. The latter provides information about the actions subsequently carried out on records, such as accessing, altering or disposing of them, as well as information about the people who carried out those actions.

Designing records management metadata, assigning it to records, and maintaining it for as long as required, underpins the effective and efficient management of records. It is difficult if not impossible to guarantee the reliability, authenticity and integrity of records lacking appropriate metadata. Records management metadata also helps organisations to find, access and understand records, to identify and manage access to sensitive or security classified information, and to preserve records for as long as required.

REQUIREMENTS

3.1 Statement The following minimum records management metadata must be assigned to records and aggregations of records (see also requirement 5.6):

• a unique identifier • a name • the date of creation • the business activity documented by the record • the creator (person or system) of digital records • the name and version of the software application used to create digital records • the subsequent actions, if any, carried out on the record, such as accessing,

modifying or disposing • the identification of the persons or systems carrying out those actions, and • the dates those actions were carried out.

Guidance The records management metadata described above is the minimum necessary to manage records. Your organisation may need to assign further records management metadata to ensure that records are full and accurate, to establish a complete context for them or to prove their authenticity. (See Archives New Zealand’s Electronic Recordkeeping Metadata Technical Specifications for further information. Note that the metadata described above corresponds to specific elements or combinations of elements in the Technical Specifications.)

Operating systems and applications create and assign much of this minimum metadata by default. Identify and address any omissions.

Automate the assignment of metadata where possible. Assign metadata to aggregations and allow individual records within those aggregations to inherit it.

Add to the value of records by supplementing records management metadata with geospatial, medical, legal, financial, military, multimedia and other types of metadata. Provide appropriate metadata to users when they access records. Make use of metadata to identify vital, closed, security classified and embargoed records.

Records Management Standard for the New Zealand Public Sector 13

Note:

In some circumstances (for example, when using shared drives to manage digital records) it may not be feasible to assign separate unique identifiers to individual records. Organisations will be compliant with this requirement if they assign to records a unique combination of other metadata elements, such as name, date and file-path.

3.2 Statement Metadata management tools must be developed and maintained, and changes made to them must be tracked and documented

Guidance Metadata management tools include metadata schemas and encoding schemes. Metadata schemas define the overall structure of the metadata assigned to records and explain the meaning of particular metadata values. Encoding schemes define the content of specific metadata values.

More precisely, metadata schemas define:

• how many metadata values can be assigned • whether they are mandatory or optional • how they fit together, and • what each individual value (’date of creation’, ‘name’) means concretely.

Encoding schemes:

• set out what information can be entered against a value (one or more of a list of set entries or numbers, or free text, or a combination)

• specify how that information is arranged, and • define which symbols (dashes, commas, colons) are used to separate the individual

chunks of information in each value.

Use metadata schemas and encoding schemes together to promote the entry of meaningful, standardised and consistent metadata.

Track changes to the metadata schemas and encoding schemes your organisation is using. Record when and for how long particular schemas and schemes were in use. Communicate changes to allow business rules and system settings to be updated in a timely manner.

Implement standard metadata schemas and encoding schemes where possible, such as the records management metadata elements set in the Electronic Recordkeeping Metadata Technical Specifications, the AS/NZS 19115 Standard for geographic information, and the ISO 8601 Standard for the representation of dates and times. (Further standard encoding schemes are listed in Appendix C of the Technical Specifications.)

3.3 Statement Records management metadata must be persistently linked to records and aggregations of records

Guidance Maintain metadata for as long as the records and aggregations it relates to are required. Metadata is at greater risk of becoming separated from records and aggregations when it is stored separately in an external database, index or register.

3.4 Statement The disposal of records management metadata must be managed systematically

Guidance Prevent point-of-capture metadata from being over-written. During the set-up of electronic systems, decide at your discretion how much process metadata will be maintained over time

Records Management Standard for the New Zealand Public Sector 14

(the length of the audit trail). Protect process metadata as appropriate.

Preserve metadata during the transfer of records and aggregations between systems and organisations. Document decisions about which non-mandatory metadata will be transferred across and which will not. Add to existing metadata if necessary to reflect the change in location or control.

Appraise metadata before disposing of it, and protect it from unauthorised disposal. Define and implement procedures for:

• altering metadata, for example, during normal data cleansing processes or to correct personal details under Principle 7 of the Privacy Act 1993, and

• redacting metadata, for example, as part of information sharing arrangements.

Requirements 5.1 through 5.4 in this standard apply to the disposal of metadata.

Records Management Standard for the New Zealand Public Sector 15

PRINCIPLE 4: PROVIDE ACCESS TO RECORDS

Providing access to records involves:

• deciding the access status of records • managing access to records • ensuring that records are available when required • promoting the use of records, and • identifying and mitigating risks to the ongoing accessibility of records.

It is vital to control access to records, particularly those containing private, confidential or sensitive information. At the same time, it is important to maximise the re-use of records so their true value can be realised. Records that go unused because they are anonymous or unavailable or cannot be accessed by the right person at the right time are a wasted resource.

Managing risks to the ongoing accessibility of records protects their value over time and avoids the need for expensive forensic processes to reconstruct their content.

REQUIREMENTS

4.1 Statement Access to records must be managed appropriately

Guidance Implement a robust and consistent but minimally restrictive access regime for your organisation’s records. Identify records containing private, confidential or sensitive information, classify their access status and carefully control access to them. Make other records open access to internal users by default.

Manage the identities of users accessing records and assign access rights to them. Where appropriate, provide read-only access to digital records and use tracking tools, such as metadata audit trails, to monitor access to them.

Meet legislative provisions for public access to records set out in the Official Information Act, principle 6 of the Privacy Act and section 43 of the Public Records Act.

4.2 Statement Records must be accessible when required

Guidance Analyse and meet internal and external user needs for access to records. Assess the value and level of use of records. Provide users with the hardware, software, space, specialist technical equipment, and any other resources required to access records.

Improve the availability of records by maximising the use of controlled repositories (centralised or federated) and minimising the use of removable media and personal filing systems.

Design suitable levels of redundancy into electronic systems providing access to records. Set appropriate recovery time objectives and recovery point objectives. Put in place back-up procedures to meet those objectives.

Ensure business continuity planning takes account of access to vital physical and digital records (see requirement 6.5).

4.3 Statement The use of records must be promoted

Guidance Train and encourage users to use records effectively, and provide supporting guidance. Adopt consistent naming conventions and identifiers to improve the accessibility of records.

Records Management Standard for the New Zealand Public Sector 16

Ensure that sufficient descriptive and contextual metadata is assigned to records to support efficient search and retrieval (see requirement 3.1).

Employ search, collaboration tools, Intranets, social media and other technologies to enhance access to records.

Explore the possibility of converting high-use physical records into electronic form, where there is a clear business case for doing so. Weigh-up options for using mobile devices to support anytime, anywhere access to your organisation’s digital records. Capture records from those devices as required.

Where appropriate release high-value records for public re-use to meet the goals of the Declaration on Open and Transparent Government.

Encourage public reuse of inactive records with long-term value by transferring them to a suitable archival facility (see principle 5).

4.4 Statement Risks to the accessibility of records must be identified and mitigated

Guidance Assess risks to both physical and digital records. Prioritise the assessment of higher-value and fragile records.

Minimise risks to the accessibility of physical records by classifying and organising them, assigning metadata to them and storing them appropriately (see principles 2, 3 and 6).

Analyse and document the file formats of digital records and plan to meet ongoing software and hardware requirements. Document in more detail rare, complex or closed formats, such as those created by specialist or bespoke applications. These formats are at greater risk of becoming inaccessible (see also requirement 3.1 and Archives New Zealand’s Digital Continuity Action Plan).

Adopt open and stable digital formats and widely-supported technologies where possible and practical. Factor ongoing access requirements into ICT licensing and supplier agreements.

Begin planning for technological obsolescence as early as possible. Maintain access to records in obsolete formats either through format migration or bitstream level preservation combined with hardware and software emulation. Keep technical documentation to help with migration or emulation.

Records Management Standard for the New Zealand Public Sector 17

PRINCIPLE 5: APPRAISE RECORDS AND DISPOSE OF THEM APPROPRIATELY

Assessing the value of records, and defining retention periods and disposal actions for them, helps to ensure they are provided with an appropriate level of care and are managed for (only) as long as they need to be. Regularly disposing of records:

• makes search and retrieval easier • controls storage, maintenance, access management and other costs • reduces privacy and security risks associated with retaining records, and • helps to protect records with long-term value and promote their re-use.

Establishing and following a systematic disposal process mitigates the risk that high-value records are destroyed unintentionally or that lower-value records are disposed of incompletely and insecurely.

Disposing of records systematically also helps to ensure that organisations meet legislative requirements for the retention and disposal of records, including those set out in the Public Records Act. Public records and local authority protected records cannot be disposed of without the approval of the Chief Archivist, unless disposal is required by or under another Act (see requirement 5.3).

REQUIREMENTS

5.1 Statement The value of records must be appraised

Guidance Decide how long to maintain your records and what to do with them when your organisation no longer requires them. Assess whether to destroy them or transfer them to Archives New Zealand or another suitable archival facility.

Follow legislative retention requirements and relevant precedents set out in disposal authorities issued by the Chief Archivist, the List of Protected Records or the ALGIM Retention and Disposal Schedule for local authorities.

Where the value of your organisation’s records is unclear, analyse them from different perspectives. Assess:

• their business value, or organisational and administrative importance • their accountability value, or importance as evidence of activity • the role they play in protecting citizens’ rights and entitlements • the role they play in documenting the source of the authority and foundation of the

machinery of government • the role they play in evidencing fulfilment of or aspirations to Treaty of Waitangi/Te

Tiriti o Waitangi principles and the Crown’s obligations, and • their contribution to knowledge and understanding of New Zealand’s history,

geography, society, culture and achievements, and New Zealanders’ sense of their national identity.

Consult with the creators of the records and internal and external stakeholders. Take account of organisational and wider community expectations regarding the preservation of records with long-term value.

Appraise records at or before point of creation and at an appropriate level of aggregation. Start by separating records relating to common corporate functions such as human resources, finance, facilities and IT, which are carried out by all public sector organisations, from those relating to your organisation or sector’s unique or core functions.

For further information on the appraisal of records, see Archives New Zealand’s guidance.

Records Management Standard for the New Zealand Public Sector 18

5.2 Statement Retention periods and disposal actions for records must be defined and documented

Guidance Draw up a retention and disposal schedule (RDS) documenting your appraisal decisions or implement existing, applicable schedules. Contact Archives New Zealand at an early stage for advice.

Base your RDS on your organisation’s business classification scheme or schemes, or map it across. Allow individual records to inherit retention and disposal actions assigned at aggregation-level.

Before implementing a newly drawn-up RDS for public records, submit that schedule to the Chief Archivist for approval (see requirement 5.3 and Archives New Zealand’s guidance on the disposal of records).

Update your organisation’s RDS as required to reflect changes in legislative retention rules or organisational requirements. Contact Archives New Zealand before varying formal schedules approved under the Public Records Act.

5.3 Statement The correct statutory process for disposing of records must be followed

Guidance Public records and local authority protected records cannot be disposed of without the approval of the Chief Archivist, unless the disposal of those records is required by or under another Act (see section 18 of the Public Records Act). Note that authorisation from the Chief Archivist to dispose of records does not override pre-existing legal obligations to retain them, if they are found to be in conflict.

Protected local authority records are defined in the List of Protected Records. Non-protected local authority records may be disposed of without the authorisation of the Chief Archivist.

Comply with the requirements of the Electronic Transactions Act 2002 before disposing of physical records that have been digitised (see Archives New Zealand’s Digitisation Toolkit for further information).

5.4 Statement A systematic internal process for disposing of records must be set up and followed

Guidance Build a robust, uniform and transparent internal disposal process. Include the following steps:

• analysing risk • confirming that, where required, you have appropriate and valid disposal

authorisation from the Chief Archivist • sentencing records (matching them to disposal actions) • confirming that there are no operational, legal or other requirements to retain the

records • getting internal sign-off (for example, from the business owner and/or a senior

manager) • disposing of the records, and • documenting the disposal.

Sentence new records at or before point of creation to make disposal easier later on and to reduce the risk of loss or accidental destruction.

Take practical steps to ensure the secure and complete disposal of records, including copies and back-ups.

Records Management Standard for the New Zealand Public Sector 19

5.5 Statement Records must be disposed of regularly

Guidance Dispose of records annually or more frequently to meet business requirements. Automate the disposal of digital records where possible. Include legacy records in regular disposal processes or manage their disposal as a discrete project.

Make use of any current disposal authorities which cover your organisation’s records, including:

• general disposal authorities for common corporate services records and facilitative, transitory or short-term records

• sector-specific disposal authorities for District Health Boards, Universities, Institutes of Technology and Polytechnics and Schools, and

• organisation-specific disposal authorities.

5.6 Statement The following minimum metadata must be generated or captured during the disposal process, and retained for as long as required to account for the disposal of records (see also requirements 3.1 and 3.4):

• a unique identifier • a name • the date of creation • the business activity documented by the record • the creator (person or system) of digital records • the date of disposal • the authority governing the disposal of the records, and • the person/role carrying out the disposal.

Guidance Retain this metadata within your organisation’s electronic systems, aggregate it in a separate disposal register, or add it to existing indexes or finding aids. Protect it to meet your organisation's internal reporting requirements and external accountability obligations.

Note that the metadata described above corresponds to specific elements or combinations of elements in Archives New Zealand’s Electronic Recordkeeping Metadata Technical Specifications.

Public offices may destroy records and metadata documenting disposal decisions 10 years after the year of disposal (see class 8.1.3 of General Disposal Authority 6).

Records Management Standard for the New Zealand Public Sector 20

PRINCIPLE 6: MAINTAIN THE INTEGRITY OF RECORDS

It is important to preserve the structural and informational integrity of records so they can be used with confidence for as long as required, and to protect and realise the upfront investment in them as information assets. Maintaining the integrity of records means:

• protecting them from alteration, damage or destruction, whether intentional or unintentional • preventing their deterioration, and • ensuring they remain usable.

Factors threatening the integrity of records include:

• uncontrolled or unauthorised access and use • poor storage conditions • inappropriate handling practices • large- and small-scale environmental hazards • degradation of storage media, and • technological obsolescence.

Assessing and mitigating the impact of these risk-factors is normal, prudent business practice. In most cases, protecting the content and structure of records is more important than preserving them in a pristine state.

Digital records are particularly vulnerable to some of these risk-factors, including inappropriate access (see principle 4), degradation of storage media and technological change. It is prudent therefore to make early plans for their protection and ongoing maintenance, including the likely need to migrate them between file formats and applications, and from one storage location to another.

REQUIREMENTS

6.1 Statement Records must be secure

Guidance Assess security risks to records and plan and implement protective security arrangements for them. Align these with organisational security protocols. These arrangements may include measures relating to personnel, physical, communications, computer and technical security. Include records stored on-site and off-site, including in cloud-based services, and records being created and maintained by contractors.

Identify sensitive or security classified records and follow applicable security guidelines for them, such as those in the Security in the Government Sector (SIGS) manual and the New Zealand Information Security Manual (NZISM). Establish reasonable safeguards to protect personal information in line with principle 5 of the Privacy Act.

Manage the security of your organisation’s IT systems in line with best-practice requirements, such as those set out in the ISO 27000 series of Standards.

6.2 Statement Records must be protected from natural and man-made hazards

Guidance Assess and reduce the risks of damage and destruction to both your organisation’s physical and digital records. Take into account:

• general environmental factors: light, heat, humidity, dust, pollutants, insects, rodents, mould, power outages

• building location: vulnerability to floods, earthquakes, fires and volcanic eruptions • location in building: vulnerability to flammable finishes or furnishings, chemicals,

Records Management Standard for the New Zealand Public Sector 21

water leaks, and electromagnetic interference generated by power plants, elevator shafts, power cables and lightning conductors.

6.3 Statement Records must be stored on appropriate media or hardware, and in suitable containers and locations

Guidance When choosing storage media or hardware, factor in the value of records, their retention periods and their level of use. Determine baseline stability and reliability requirements and select media and hardware meeting those requirements.

Place records and media in containers such as cases, covers and boxes, to protect and preserve them.

When choosing appropriate storage media for records, factor in the availability and longevity of hardware needed to access that media.

Choose suitable storage locations for records, media and hardware, taking into account the hazards described in requirement 6.2 above. Store copies of high-value or vital records in a different location to minimise the risks posed by these hazards.

6.4 Statement At-risk records must be identified and managed appropriately

Guidance Promote awareness of vital organisational records, records with long-term value, records older than 25 years, and records stored close to hazards, in sub-optimal conditions, or on media with known stability issues, such as acetate film and low quality CDs. Take action to reduce or eliminate significant risks to the integrity of records (see requirement 6.7).

6.5 Statement Business continuity and disaster management planning must address the protection and salvage of records

Guidance Incorporate records management requirements into your organisation’s business continuity and disaster management planning. Focus on prevention, preparedness, hazard identification, response and recovery.

Set appropriate response times and salvage actions in the event of a disaster. Prioritise the protection and salvage of high-value records.

Regularly review and test your organisation’s plans and make staff familiar with them (see also requirement 4.2).

6.6 Statement Physical records and digital records held on removable media must be stored in conditions that ensure their safe care and custody. These records must be:

• stored in buildings with fire protection systems and equipment compliant with the New Zealand Building Code

• stored above floor-level using shelving or equipment appropriate to the format of the records or the size of the storage media

• stored away from sunlight and artificial light • stored away from magnetic interference, if they are digital records held on

removable media • arranged in an orderly manner, and • retrieved, handled and reshelved in accordance with set procedures.

Records Management Standard for the New Zealand Public Sector 22

Guidance Contact Archives New Zealand for further advice on the storage of physical records and digital records held on removable media.

Make best-practice arrangements for the networked storage of digital records. Use recognised IT service management or governance frameworks, such as ITIL and COBIT, and emphasise data integrity objectives.

6.7 Statement Inactive physical records and inactive digital records held on removable media must be identified and stored in a dedicated storage area

Guidance Inactive records are those no longer required for the conduct of business. Storing inactive records in a suitable storage area, such as a sole-purpose room or separate building or with a commercial storage provider, will:

• make it easier to manage records through to disposal • reduce the risk of losing records • improve the security of records • make it easier to manage environmental hazards.

See also requirement 6.8.

6.8 Statement Dedicated storage areas for inactive physical records or for inactive digital records held on removable media must ensure the preservation of those records in a usable form. These storage areas must:

• be located in buildings which comply with the provisions of the New Zealand Building Code in force at time of construction and with any associated codes and standards

• have adequate floor loading capacity • have drainage systems adequate to prevent flooding or must be located in

buildings with drainage systems adequate to prevent flooding • be insulated from the outside climate • be protected from internal hazards • be maintained over time in accordance with a documented maintenance

programme • be intruder resistant and have an alarm system or be located within buildings

that are intruder resistant and have an alarm system, and • be kept clean and free of pests such as rodents and insects.

Guidance Store your organisation’s inactive physical records and inactive digital records held on removable media in dedicated areas that are designed and maintained to:

• provide a safe and secure environment for records, and • mitigate the risks associated with storing large volumes of records closely

together.

Records Management Standard for the New Zealand Public Sector 23

PRINCIPLE 7: MANAGE RECORDS SYSTEMATICALLY

Public sector organisations are more likely to achieve records management outcomes if they manage the creation and maintenance of their records systematically.

Systematic records management combines a focus on leadership, accountability and responsibility with a commitment to setting objectives and to regularly reviewing and improving organisational performance. It involves the implementation of technical solutions but extends beyond that to include the development of robust, reliable processes and the provision of training and support for all staff creating, using and managing records.

Records management systems are more likely to be successful if they align and integrate with other business systems and feed into broader organisational objectives.

REQUIREMENTS

7.1 Statement Records management responsibilities must be assigned

Guidance Establish clear lines of responsibility for records management from senior management through to operational staff. Identify roles with overall responsibility for records management. Assign business owners to information assets.

Empower staff with records management responsibilities to make any needed improvements to your organisation's records management policies, processes, technology or culture.

7.2 Statement Staff must be trained to create and maintain records

Guidance Help all staff, including volunteers and contractors, to understand and meet their obligations to create and maintain records of their activities. Point out operational guidelines for creating records and introduce staff to broader records management policies and procedures. Train staff to:

• create full and accurate records • assign effective metadata to the records they create • manage records appropriately, and • dispose of records in line with legislative requirements and business rules.

Embed records management requirements in job descriptions, performance assessments and codes of conduct. Address records management responsibilities in induction training for new staff and in exit processes for departing staff.

7.3 Statement Trained staff must be assigned to carry out records management functions and activities

Guidance Records management expertise will be required to:

• design, implement and govern records management systems • develop records management strategies • identify and report on records management risks • develop an appropriate information architecture • analyse business processes • classify and organise records • design and manage metadata schemas • appraise the value of records, and schedule them for retention and disposal

Records Management Standard for the New Zealand Public Sector 24

• identify internal requirements and external obligations to create and maintain records

• train staff to follow records management policies and processes • write policies, guidelines, standard operating procedures and other documents • develop and track progress against records management objectives • plan and manage digitisation processes, and • manage physical records repositories and associated services.

Permanent or temporary staff, contractors and external service providers can all provide records management expertise.

7.4 Statement Policy for records management must be set and documented

Guidance In a standalone corporate records or information management policy or set of linked policy statements:

• outline your organisation’s records management intentions • set a direction for records management • document where records management responsibilities lie within your organisation • describe internal requirements and external obligations to create and maintain

records, and • outline the risks of not managing records appropriately.

Align and integrate your organisation’s records management policy with policies for ICT, security, privacy, facilities management, business continuity planning and compliance (see Archives New Zealand’s Guide to Developing a Recordkeeping Policy).

7.5 Statement Records management objectives must be defined and documented

Guidance Set objectives that will ensure your organisation preserves the reliability, authenticity, integrity and useability of its records for as long as required. Align those objectives with broader organisational targets.

Regularly review objectives, factoring in changes to your organisation’s:

• operating environment • business requirements • fiscal and legislative constraints • risk profile and appetite, and • IT framework and business processes.

7.6 Statement Records management policies and processes must be implemented, monitored and regularly reviewed

Guidance Design processes, frame policies and use appropriate technology to achieve your organisation’s records management objectives. Adopt a risk-management approach and include records related risks in your corporate risk register.

Ensure your existing processes are comprehensive and your electronic records management systems operate reliably. Embed records management capabilities in new line of business systems.

Use Archives New Zealand’s Digital Recordkeeping Standard to:

• review the functionality of existing electronic systems that create and maintain

Records Management Standard for the New Zealand Public Sector 25

records, and • inform the procurement, implementation and configuration of new electronic

systems.

Monitor and regularly review the effectiveness of your organisation’s policies, processes and systems. Assess performance against defined objectives. Maintain evidence of performance over time to:

• ensure compliance with internal accountability requirements and legislative and regulatory obligations

• ensure that records will be accepted as evidence in a court of law if required • track and control costs, and • support continuous improvement.

7.7 Statement Records management activities must be documented

Guidance Document your organisation’s records management activities as you would any other business activity. Create and maintain records that show how your organisation has:

• met its records management requirements and obligations • classified and organised records • assigned, managed and disposed of metadata • provided access to records • stored records appropriately and securely • implemented and operated electronic records management systems • disposed of records.

Match the level of documentation to the importance of the activity.

7.8 Statement Records management must be resourced

Guidance Allocate sufficient resources to meet your organisation’s internal requirements and external obligations to create and maintain records of business activity. Prioritise investment in the management of records which support and document business critical functions and outcomes.

Records Management Standard for the New Zealand Public Sector 26

5 Background of the standard i. Origins

This standard sets out proven, internationally endorsed requirements for the effective and efficient management of records. It is derived from four separate mandatory standards issued by the Chief Archivist between 2007 and 2010:

• Storage Standard (2007) • Create and Maintain Recordkeeping Standard (2008) • Electronic Recordkeeping Metadata Standard (2008) • Disposal Standard (2010).

These standards in turn drew on foundational principles established in international and Australian standards for records management, including:

• AS 4390: 1996 Records management – Part 1: General; Part 2: Responsibilities; Part 3: Strategies; Part 4: Control; Part 5: Appraisal and disposal; Part 6: Storage.

• ISO 15489-1: 2001 Information and documentation — Records management — Part 1: General; and ISO/TR 15489-2: 2001 Information and documentation — Records management — Part 2: Guidelines

• ISO 23081:1:2006 — Information and documentation — Records management processes — Metadata for records — Part 1: Principle; and ISO AS/NZS 23081:2: 2007 — Information and documentation — Records management processes — Metadata for records — Part 2: Conceptual and implementation issues

• BS PD 5454-2012: Guide for the storage and exhibition of archival materials.

This standard has also drawn on principles established in the more recent ISO 30300 series of Management systems for records standards.

ii. Wider framework

This standard forms part of a wider framework for the management of public sector information. This framework consists of legislation, cabinet-approved documents, and standards and guidance issued by organisations with responsibility for individual aspects of public sector information management. It includes the:

• Official Information Act 1982 • Local Government Official Information and Meetings Act 1987 • Privacy Act 1993 and associated codes of practice, such as the Health Information Privacy Code 1994 • Electronic Transactions Act 2002 • New Zealand Data and Information Management Principles • Declaration on Open and Transparent Government • Government ICT Strategy and Action Plan to 2017 • Principles and Protocols for Producers of Tier 1 Statistics • Security in the Government Sector (SIGS) manual • New Zealand Information Security Manual (NZISM) • Government Enterprise Architecture New Zealand (GEA-NZ) • Trusted Computing and Digital Rights Management Standards and Guidelines • New Zealand Government Open Access and Licensing (NZGOAL) • New Zealand Government Web Standards • Guide on Government Use of Offshore Information and Communication Technologies (ICT) Service

Providers, and • The New Zealand Geospatial Strategy.

The Acts and the other resources described above impose information management obligations on public sector organisations independently of this standard and of the Public Records Act. Contact the appropriate regulator or issuing organisation for further information and advice.

Records Management Standard for the New Zealand Public Sector 27

6 Implementing the standard i. Lower-value records

As noted in section 1.v, all public and local authority records should, in principle, be managed in line with the requirements in this standard. However, this standard recognises that different levels of care are appropriate for different kinds of records. Records that have no or only transitory value as evidence of business activity do not require the same level of care as more substantive records.

Therefore public sector organisations will be compliant with this standard if they implement its requirements with regard to a reasonable and defensible subset of the records they hold. This aligns with normal, prudent business practice.

Defining the scope of the standard The evidential value of records is context-dependent. For this reason it is difficult to frame universally applicable rules confirming which records have value as evidence of activity and which do not. This standard thus gives public sector organisations some freedom to decide which of their records they will manage in line with its requirements and which they will not.

When making these decisions public sector organisations should assess:

• their operational requirements • their general accountability obligations • the regulatory environment in which they operate • stakeholder expectations, and • privacy, security and other risks.

Public sector organisations should monitor and regularly review the results of their decisions to ensure the best fit between their records and their business needs and accountability obligations.

External resources to help define scope Public sector organisations should also note that a wide range of decisions about the evidential status of records have already been made. These decisions are reflected in records retention or management requirements set out in a variety of sources, including:

• legislation • regulatory frameworks • public sector audit and monitoring frameworks • public sector information management frameworks • disposal authorities issued by the Chief Archivist, and • the List of Protected Records issued by the Chief Archivist.

Examples of lower-value records Examples of lower-value records not requiring the level of care mandated in this standard for higher-value records include but are not limited to:

• expired appointment diaries and calendar entries • advertising and promotional material received from an external source • listserv messages • copies of records in managed repositories or systems, such as document management systems, shared

drives, databases and online resources (libraries, e-journals) • duplicates • minor or transitory working notes and calculations • draft records not required to be kept in line with normal, prudent business practice or as part of a managed

process

Records Management Standard for the New Zealand Public Sector 28

• routine circulars.

General Disposal Authority 7 provides further information on these kinds of records, including detailed scope notes. It also authorises their disposal, if they are public records.

Obligations for the management of lower-value public records Regardless of the level of care provided for lower-value records, public sector organisations must ensure that they are disposed of in accordance with the provisions of the Public Records Act. Lower-value public records must also be maintained in an accessible form until their disposal is authorised.

Public sector organisations can meet these obligations by managing lower-value records in line with the following requirements in this standard:

• access requirements 4.1 and 4.2 (p. 15) • appraisal and disposal requirements 5.1 through 5.6 inclusive (pp. 17-19), and • storage and maintenance requirements 6.1 through 6.3 inclusive and 6.6 (pp. 20-21).

ii. Data

Records include data The Public Records Act defines a ‘record’ very broadly to include any and all kinds of information compiled, recorded or stored, in any format (see the glossary for a full definition). Data, which is typically quantitative, highly structured and often highly changeable information, fits within this definition. This standard recognises, however, that several of the requirements it sets out conflict with data management imperatives and realities.

For example, much of the metadata mandated by requirements 3.1 and 5.5 in this standard is typically not assigned to individual data elements or rows in operational databases, or does not make sense to assign at that level. The need to optimise transaction processing speed and query performance may also limit the amount of audit trail metadata that can be assigned to each data value or row, and the length of time that metadata can be maintained.

Moreover, in an environment where data is constantly being updated and overwritten, it may be impossible or undesirable to fix the content of that data and link it persistently to its wider business context.

Applying the standard at a dataset level In the circumstances noted above, the operational needs of public sector organisations take priority and it will be appropriate to apply records management disciplines at a dataset level.

Information about the context in which data is used may be captured in the design and operation of the database system holding it, or in management and governance arrangements for the dataset as a whole. This information should be managed in line with the requirements in this standard. Where practical, organisations should periodically export data, so that it can be managed as a record outside the database itself, for example, in an electronic document and records management system or data warehouse.

Public sector organisations are expected to assess the evidential value of data and manage it appropriately. They are not required to treat data exactly like documents.

Records Management Standard for the New Zealand Public Sector 29

7 Compliance i. Obligation to create and maintain records Section 17 of the Public Records Act obligates public offices and local authorities to create full and accurate records of their affairs, in line with normal, prudent business practice, and to maintain those records in an accessible and usable form for as long as required. This standard unpacks those responsibilities. Public sector organisations that comply with the requirements in this standard will both satisfy their obligation under section 17 of the Public Records Act and lay the groundwork necessary to meet their records management needs.

ii. Compliance monitoring To monitor compliance with this standard, Archives New Zealand operates an audit programme that, on a rolling five-year cycle, assesses the records management capability of public offices. The Chief Archivist also has the power to inspect public records and local authority records, and may direct a public office to report on any aspect of recordkeeping practice or on the records it controls.

iii. Exemptions

In certain circumstances the Chief Archivist may exempt organisations from the obligation to comply with the requirements in this standard. Organisations seeking an exemption should contact Archives New Zealand at rkadvice@dia.govt.nz.

The Chief Archivist may or may not grant an exemption. Appeals against decisions not to grant an exemption may be made to the Minister Responsible for Archives New Zealand, who may allow or disallow the appeal after consultation with the appropriate Minister and the Archives Council.

iv. Offences under the Public Records Act

The following actions are offences under the Public Records Act:

• wilful or negligent damage of a public record • disposal of a public record otherwise than in accordance with the provisions of the Act, and • contravention of, or failure to comply with, any provisions of the Act or any regulation made under it.

v. Records of business activities contracted out Public sector organisations must ensure that records of business activities carried out under contract are created and maintained. Contracting organisations could:

• require contractors to create and maintain appropriate records, or • require contractors to provide them with sufficient information so they can themselves create and maintain

appropriate records, or • combine the two approaches.

See Archives New Zealand’s guide, Recordkeeping for Business Activities Carried out by Contractors, for further information. Contracting organisations should also ensure that data managed on their behalf by independent contractors can where necessary be captured into corporate systems.

The requirements in this standard apply to records of business activities carried out under contract.

Records Management Standard for the New Zealand Public Sector 30

8 Self-assessment checklist This checklist brings together all of the mandatory requirements in a single table. It can be used to assess compliance with the standard.

NUMBER STATEMENT

1.1 Internal requirements and external obligations to create and maintain records of business activity must be identified and documented

1.2 Records must be created and maintained to meet internal requirements and external obligations

1.3 The content and structure of records must fit their purpose and audience

1.4 Records must be created in a timely manner

1.5 The content of records must be fixed

2.1 Business activities must be documented in a business classification scheme

2.2 Records must be classified and organised according to a business classification scheme

3.1 The following minimum records management metadata must be assigned to records and aggregations of records (see also requirement 5.6):

• a unique identifier • a name • the date of creation • the business activity documented by the record • the creator (person or system) of digital records • the name and version of the software application used to create digital records • the subsequent actions, if any, carried out on the record, such as accessing, modifying or

disposing • the identification of the persons or systems carrying out those actions, and • the dates those actions were carried out.

3.2 Metadata management tools must be developed and maintained, and changes made to them must be tracked and documented

3.3 Records management metadata must be persistently linked to records and aggregations of records

3.4 The disposal of records management metadata must be managed systematically

4.1 Access to records must be managed appropriately

4.2 Records must be accessible when required

4.3 The use of records must be promoted

4.4 Risks to the accessibility of records must be identified and mitigated

5.1 The value of records must be appraised

5.2 Retention periods and disposal actions for records must be defined and documented

5.3 The correct statutory process for disposing of records must be followed

5.4 A systematic internal process for disposing of records must be set up and followed

5.5 Records must be disposed of regularly

Records Management Standard for the New Zealand Public Sector 31

NUMBER STATEMENT

5.6 The following minimum metadata must be generated or captured during the disposal process, and retained for as long as required to account for the disposal of records (see also requirements 3.1 and 3.4):

• a unique identifier • a name • the date of creation • the business activity documented by the record • the creator (person or system) of digital records • the date of disposal • the authority governing the disposal of the records, and • the person/role carrying out the disposal.

6.1 Records must be secure

6.2 Records must be protected from natural and man-made hazards

6.3 Records must be stored on appropriate media or hardware, and in suitable containers and locations

6.4 At-risk records must be identified and managed appropriately

6.5 Business continuity and disaster management planning must address the protection and salvage of records

6.6 Physical records and digital records held on removable media must be stored in conditions that ensure their safe care and custody. These records must be:

• stored in buildings with fire protection systems and equipment compliant with the New Zealand Building Code

• stored above floor-level using shelving or equipment appropriate to the format of the records or the size of the storage media

• stored away from sunlight and artificial light • stored away from magnetic interference, if they are digital records held on removable media • arranged in an orderly manner, and • retrieved, handled and reshelved in accordance with set procedures.

6.7 Inactive physical records and inactive digital records held on removable media must be identified and stored in a dedicated storage area

6.8 Dedicated storage areas for inactive physical records or for inactive digital records held on removable media must ensure the survival of those records in a usable form. These storage areas must:

• be located in buildings which comply with the provisions of the New Zealand Building Code in force at time of construction and with any associated codes and standards

• have adequate floor loading capacity • have drainage systems adequate to prevent flooding or must be located in buildings with drainage

systems adequate to prevent flooding • be insulated from the outside climate • be protected from internal hazards • be maintained over time in accordance with a documented maintenance programme • be intruder resistant and have an alarm system or be located within buildings that are intruder

resistant and have an alarm system, and • be kept clean and free of pests such as rodents and insects.

7.1 Records management responsibilities must be assigned

Records Management Standard for the New Zealand Public Sector 32

NUMBER STATEMENT

7.2 Staff must be trained to create and maintain records

7.3 Trained staff must be assigned to carry out records management functions and activities

7.4 Policy for records management must be set and documented

7.5 Records management objectives must be defined and documented

7.6 Records management policies and processes must be implemented, monitored and regularly reviewed

7.7 Records management activities must be documented

7.8 Records management must be resourced