Recordkeeping including the Management of Electronic Records
The objective of the audit was to assess the extent to which entities were meeting their recordkeeping responsibilities. In particular, the audit examined how effectively the entities were managing records that were created and stored electronically in corporate recordkeeping systems and in other electronic systems in accordance with recordkeeping requirements.
A key element of sound public administration and accountability is the adequate recording of the business of government. As such, recordkeeping is a fundamental function of all Australian Government entities. This is reflected in the Australian Public Service Commission's 2004–2005 State of the Service Report:1
The values set out in the [Public Service] Act provide that the APS is openly accountable for its actions within the ministerial responsibility to the Government, the Parliament and the Australian public. The maintenance of effective recordkeeping systems allows agencies to demonstrate that due process has been followed in actions and decisions. It also helps agencies to achieve business goals by ensuring that necessary corporate information is available and accessible as required. Furthermore, effective recordkeeping assists employees to meet their specific obligations to Ministers, the Government and the Parliament.
The importance of good recordkeeping is reinforced by the Australian Standard on Records Management:2
Records contain information that is a valuable resource and an important business asset. A systematic approach to the management of records is essential for organisations and society to protect and preserve records as evidence of actions. A records management system results in a source of information about business activities that can support subsequent activities and business decisions, as well as ensuring accountability to present and future stakeholders.
The need for effective recordkeeping has also been highlighted in recent times in successive State of the Service Reports issued by the Public Service Commissioner, publications issued by the Management Advisory Committee (MAC), reports on specific agency activities and reports by the Australian National Audit Office (ANAO).3 Collectively, these reports and publications reinforce the message that the effective management of records is an essential element of public administration, as well as detailing the consequences, including the financial and human cost, of poor recordkeeping practices.
The following two developments are expected to impact positively on recordkeeping in the public sector:
(a) on 6 September 2006, a Bill to amend the Archives Act 1983 was introduced into the Senate. The Bill proposes a number of amendments designed to better equip the National Archives of Australia (Archives) to carry out its functions; and
(b) MAC is currently undertaking a study on recordkeeping in the Australian Public Service (APS), with a view to publishing a report that will:
- articulate the purpose of recordkeeping in the APS context, the ‘business case' for it, and identify any impediments to effective recordkeeping;
- explain how recordkeeping interacts with the Australian Government's information collection, use and disclosure obligations; and
- explain how efficient and effective recordkeeping can be achieved in a modern Commonwealth Agency, having regard to the increasing scale and complexity in recordkeeping, brought about by the proliferation of electronic communications and new electronic media.
The ANAO understands that a draft of the report is proposed to be considered at a MAC meeting scheduled towards the end of 2006, and it is expected that the MAC report will provide practical advice in relation to the issues discussed in this report.
Audit objective and coverage
The objective of the audit was to assess the extent to which entities were meeting their recordkeeping responsibilities. In particular, the audit examined how effectively the entities were managing records that were created and stored electronically in corporate recordkeeping systems and in other electronic systems in accordance with recordkeeping requirements. It is the third audit in a series of Recordkeeping audits undertaken by the ANAO since 2001–2002.
The audit was conducted in the following entities:
- The Attorney-General's Department;
- The Australian Electoral Commission; and
- The Department of the Prime Minister and Cabinet.
Issues impacting on entities' recordkeeping responsibilities
Records can be defined as ‘… information in any format created, received, and maintained as evidence and information by an organisation or person, in pursuance of legal obligations or in the transaction of business…'.4 In this context, much of the information created, received and maintained by public sector entities will meet the definition of records. It is, however, a matter for each entity to determine policies that guide recordkeeping practices so that legal and business requirements are met. In this context, the Archives has issued a range of better practice advice and guidance material to assist entities in meeting their legal and business requirements.
The increasing complexities of public administration means there is now a wide range of legislative, policy and administrative requirements that have recordkeeping implications.5 These requirements are contained in a variety of documents and are administered by a range of different entities. This situation can impact on the extent that these requirements are understood and applied by individual entities.
Establishing effective recordkeeping regimes is not an easy task and represents a significant business issue for many entities. Often it is only when there are pressing business priorities or something goes wrong that the full implications of not having in place good recordkeeping practices become apparent. In these circumstances, entities may have little choice but to access information outside of their recordkeeping system in an endeavour to meet their immediate priorities. However, this situation often does not result in entities taking a longer term, strategic approach to meeting their recordkeeping responsibilities.
It can be difficult to prepare a business case that supports the expenditure required to implement a new or upgraded recordkeeping system, as well as address the related policy, guidance, training and work practice issues. While good recordkeeping should result in direct and indirect business benefits, such benefits may be qualitative in nature and are difficult to measure. Conversely, the costs of poor recordkeeping, particularly inefficient and ineffective work practices, are often accepted as ‘the way things have always been done' and these can be equally difficult to identify and quantify.
Consistent with all other business critical activities, establishing and maintaining an effective recordkeeping regime requires sustained commitment from senior management. It also requires a consistent and disciplined approach to the creation, management6 and disposal of records by all staff in an entity.
Implementing good recordkeeping practices will often require changing long standing and embedded work practices, and challenging work place cultures. These issues often prove the most difficult to address and therefore should be an integral part of, rather than separate from, any initiative involving the introduction of new or revised recordkeeping systems and processes.
Effective recordkeeping also requires considered judgements to be made on a range of issues. A key judgement in respect of a particular programme or business activity is determining the information that needs to be maintained and managed in a recordkeeping system to meet legal and business requirements having regard to risk, cost and disposal considerations. This decision needs to be made in the context that much of the information that is created or received in undertaking entities' business activities is a record. In respect of information held, where it is decided that it is not necessary to maintain the information as a record in the entity's recordkeeping system, this information can be disposed of as a normal administrative practice.7
In addition, other recordkeeping judgements will include:
- who is responsible for creating and managing records;
- how long should the record be retained;
- should the record be destroyed or archived; and
- is the record readily accessible when required.
Such assessments should be made within a broader knowledge or information management context, including the ability to capitalise on, or reuse information. They should also be guided by comprehensive and clear policies and guidance that are tailored to the individual circumstances and culture of the entity, be based on an assessment of risk and be made by people who have an appropriate level of knowledge and training.
The effect that information technology has on entities' recordkeeping environments is a common factor that impacts on the way records are managed by all entities. The creation and storage of records in electronic systems, including email, shared folders and business systems,8 means that traditional recordkeeping practices involving the creation of paper files are, in many situations, unlikely to be suitable or cost effective. There is also an increasing trend for governments to provide services to the community via the Internet, with such services creating an electronic client interface.
The management of records created in this environment also needs to meet minimum recordkeeping requirements.
Managing electronic records poses particular challenges in ensuring compliance with relevant recordkeeping requirements. The capture and retention of all relevant records created electronically, and the capacity to ensure the long term access, integrity and functionality of these records are two challenges facing most entities.
Audit conclusion and key findings
Each of the entities subject to audit were at different stages in addressing their recordkeeping responsibilities. Over recent years, each entity had made improvements, to varying degrees, to their recordkeeping regimes. In one entity this involved a focus on managing their records electronically.
Each entity had developed, to varying degrees, elements of a recordkeeping framework such as strategies, policies and/or guidance to meet their recordkeeping responsibilities. The audit identified that further work was required in each of the entities to complete elements of their frameworks to enable them to fully meet their recordkeeping responsibilities. Each of the entities was using some combination of electronic and paper-based systems to manage their records. This involved using either a paper-based or an electronic corporate recordkeeping system, together with a number of other electronic systems. In each of these entities these latter systems were being used to create, store and manage records. In some cases this was contrary to the entity's recordkeeping policy. In most instances entities did not recognise and manage these systems as part of the corporate recordkeeping framework. As a consequence, the records held in the majority of the electronic systems reviewed as part of the audit were not being managed in accordance with the entity's recordkeeping policy.
The audit also found that improvements were required in each of the entity's electronic and paper-based recordkeeping practices. This included, in particular, the need to develop further guidance on circumstances where records are created, received and maintained by the entity having regard to its legal and business requirements. In the context that much of the information that is created or received in undertaking entities' business activities is a record, entities should determine for each major business activity, the information that needs to be maintained and managed in the corporate recordkeeping systems. These decisions should have regard to legal and business requirements.
The ANAO considered that entities needed to give ongoing, and in some cases, increased commitment to meeting their recordkeeping responsibilities. This is particularly the case for those records that are created electronically, including records held in electronic systems. This commitment should extend to finalising the development and implementation of knowledge or information management strategies, of which recordkeeping is a component. A recordkeeping needs analysis and risk assessment that identifies an entity's specific recordkeeping requirements and the actions needed to address these should also be undertaken. Entities should also review the resources required to manage their recordkeeping environments and adopt more formal and structured project management arrangements. This latter requirement should assist entities in better planning and managing the range of projects and tasks needed to enhance their recordkeeping environments. Given that entities are at different stages of developing and implementing their recordkeeping frameworks, the extent and nature of the work required will vary between entities.
To assist entities in meeting their recordkeeping responsibilities, the ANAO considers that Archives should, in consultation with relevant entities, set minimum recordkeeping standards and requirements and develop further practical guidance. Archives should also coordinate, and periodically publish, details of the legislation, policies, standards, and guidance that impact on entities recordkeeping responsibilities.
The audit found that many of the issues facing entities in meeting their recordkeeping responsibilities are similar to those outlined in the two earlier recordkeeping audit reports.9
Key findings are outlined below in relation to entities' recordkeeping frameworks, needs analysis, management and practices. These findings are followed by an outline of seven areas that all entities could usefully focus on to enhance their recordkeeping practices.
Australian Government recordkeeping requirements
The audit identified that there is an increasing range of legislation, standards, policies and guidance that is issued by a number of Australian Government entities that has recordkeeping implications. The status of this material ranged from mandatory legislative requirements to better practice advice and guidance, the majority of which is issued by Archives. The ANAO found there was differing levels of awareness of this material in the entities audited. The ANAO considers that in view of the Archives' existing responsibilities to develop recordkeeping policies, standards and guidance,10 Archives could further assist entities by:
- setting minimum recordkeeping requirements that entities are expected to comply with to meet their legal and business requirements;
- developing further practical guidance entities can use in developing their own guidance material; and
- coordinating, and periodically publishing, details of the legislation, standards, policies and guidance that impacts on the recordkeeping responsibilities of individual entities. This coordination role may also offer the potential for rationalisation of existing material, having regard to the minimum requirements set.
Recordkeeping as an integral part of information management
Each of the entities audited had recognised that their recordkeeping responsibilities needed to be managed in the context of a broader knowledge or information management framework.11 Each agency had, to varying degrees, developed and implemented a strategy or framework that outlined their future recordkeeping directions, that included recordkeeping policies and guidance.
Recordkeeping policies and guidance
One of the entities had adopted a policy to manage its records electronically, wherever practical, and had implemented an electronic document management system (EDMS) for the management of a significant proportion of its records. This has involved a significant investment over a number of years in the entity's recordkeeping function. As an integral part of the introduction of its EDMS, the entity had effectively embedded significant changes to its recordkeeping culture and work practices.
The other two entities had a ‘print to paper' policy,12 while recognising that they had a number of electronic systems that were used to create and, in some cases, store, electronic records. The ANAO considered these two entities should assess the most appropriate way to manage, in the longer term, the ever increasing volume of records that are created or maintained electronically by each entity.13 This assessment should particularly take into account the volume and characteristics of records being created electronically. In this context, the ANAO considers that a ‘print to paper' approach is increasingly unlikely to meet an entity's longer term recordkeeping requirements across the full range of their systems, particularly electronic systems, that are used to create and store records.
The audit found that each entities' recordkeeping policies and supporting guidance focussed on the entity's corporate recordkeeping system but did not address all relevant issues relating to other electronic systems that held records. The ANAO considers that each entity should identify all systems, whether paper based or electronic, where records are held that need to be managed within the entity's recordkeeping systems. In the development or review of their recordkeeping policies, entities should ensure they identify all systems that hold records, irrespective of their format or location.
To be able to identify all systems that hold records, entities must first be able to determine the information that needs to be created and received in the context of each of their major programmes or business activities.14 Entities should then determine the information that needs to be maintained in the corporate recordkeeping system(s) and how these records will be managed to meet legal and business requirements. In making these judgements an assessment of risk will need to be made.15 By taking these steps, entities will be able to better manage and dispose of their records in accordance with their business needs.
A factor identified by the audit that contributed to inadequate recordkeeping practices was the absence, to varying degrees, of adequate guidance to record users about the expected recordkeeping requirements in specific work areas. Where guidance material did exist, it was not always supported and reinforced by an ongoing programme of training and awareness. The audit highlighted that in situations where individual work areas had developed recordkeeping guidance, tailored to their particular circumstances, the overall quality of recordkeeping practices was of a higher standard.
Recordkeeping needs analysis
Each of the entities had undertaken a limited assessment of their recordkeeping needs in the context of completing elements of the Archives' Designing and Implementing Recordkeeping Systems (DIRKS) process which covers the design and implementation of recordkeeping systems.16
In addition, during the planning, acquisition, design and implementation phases for new electronic systems, entities generally did not consider the need for recordkeeping functionality. As a result, some systems were being used to maintain records although they had not been designed to do so. Conversely, some systems could have been used to manage records but no consideration had been given to their potential to fulfil this function.
The ANAO considered that none of the entities had given adequate consideration to their recordkeeping risks. Entities should assess these risks in the context of their broader risk management framework. These assessments should then be used to update or, in some cases, develop, remaining elements of their information management strategy or framework.
Another common issue identified was the need for entities to identify, in the context of business continuity planning, their vital records and to take steps designed to ensure these records are accessible and usable within specified timeframes in the event of a disaster.
Entities also need to develop a set of minimum metadata17 requirements for electronic systems that contain records, including the corporate recordkeeping system, as part of their information technology (IT) management framework.
Recordkeeping management and practices
The ANAO's review of practices in place for the management of electronic systems within entities identified the need for improvements in the areas of access security, preservation and destruction of relevant records, as well as controls over system design and ongoing development.
There was also a wide variation in recordkeeping management practices across the entities audited. The ANAO considered that a number of management practices contributed to entities not addressing in a timely manner issues with their recordkeeping framework or practices. The ANAO considers that entities needed to improve the planning and monitoring of projects and tasks undertaken to enhance their recordkeeping regimes. This includes establishing timeframes and milestones, determining priorities, allocating sufficient resources and periodically reporting on progress achieved. Entities should also introduce quality assurance programs to periodically assess the extent of compliance with their recordkeeping policies and related requirements.
There was a wide range of recordkeeping practices in place in each of the entities. The ANAO observed a number of practices that adversely impacted the completeness and integrity of entity records. These practices included: file classification practices that did not comply with the Protective Security Manual; using email and shared folders to manage records contrary to the entity's recordkeeping policy; and inconsistencies in decisions about the information, including data in electronic systems, that constituted a record and, therefore, there were inconsistencies in what was captured into entities' recordkeeping systems.
Opportunities for improvement
Based on the results of the two previous recordkeeping audits and the current audit, the ANAO suggests that the following factors are most likely to enhance entities' capacity to meet their recordkeeping responsibilities:
- recognise recordkeeping as an integral part of ‘doing business', requiring a sustained and visible commitment from senior management;
- undertake a recordkeeping needs analysis that identifies the entity's specific recordkeeping requirements and the actions needed to address these. This analysis should be informed by an assessment of recordkeeping and related information management risks, completed as part of an entity's broader risk management framework;
- develop medium to long term strategies that recognise the environment in which an increasing volume of records are being created electronically;
- ensure that recordkeeping policies address all systems, whether paper-based or electronic, that are used to create and store records and information;
- for each major programme and business activity determine the information that needs to be created, received and maintained in entities' recordkeeping systems, and how these records will be managed to meet legal and business requirements;
- supplement the entity's strategic and policy framework with practical guidance and advice, together with an ongoing programme of training and awareness, designed to assist record creators and record users to meet their specific recordkeeping responsibilities. Such a programme should recognise that work practice and cultural issues can be significant impediments to improving recordkeeping practices; and
- assess the resources required to establish, and sustain, a recordkeeping regime that meets the entity's legislative and policy requirements.
Sound and Better Practice
The Report outlines sound and better practice highlighted during the audit. These practices were considered beneficial to improving recordkeeping practices in the audited entities.
The Report makes eight recommendations that are based on the findings made in the entities reviewed but are likely to have relevance to other Commonwealth entities. Previous ANAO recordkeeping audit reports18 have made a number of similar recommendations and these recommendations should be read in conjunction with the recommendations in this report.
Each of the audited entities and the Archives responded positively to the audit report19 and agreed to each of the recommendations.
1 Australian Public Service Commission, State of the Service Report 2004–2005, November 2005, p. 46.
2 Standards Australia, Australian Standard-Records Management AS ISO 15459.1, p. 4.
3 Relevant reports include ANAO Audit Report No.45 2001–02, Recordkeeping in Large Commonwealth Organisations; ANAO Report No.7 2003–04, Recordkeeping; ANAO Report No.18 2004–05, Regulation of Non-Prescription Medicinal Products; ANAO Report No.32 2005–06, Management of Tender Process for the Detention Services Contract; M.J. Palmer AO, APM, Inquiry into the Circumstances of the Immigration Detention of Cornelia Rau, July 2005.
4 Standards Australia, op. cit., p. 3.
5 In addition to the Archives Act 1983, recordkeeping requirements are contained in other Acts, standards, policies and guidance including the Electronic Transactions Act 1999, the Evidence Act 1995, the Freedom of Information Act 1982, the Privacy Act 1998, the Protective Security Manual, and the Australian Government Information and Communications Security Manual (ACSI 33).
6 The management of records encompasses the storage, protection, security and archival of records.
7 A discussion of the disposal of information as a normal administrative practice is included in the Report in the section titled The creation, receipt, maintenance and management of records, on p. 52. The decision to dispose of information as a normal administrative practice should be made in the context of entity guidance that indicates the information that should be maintained as a record in a recordkeeping system, and the information that can be discarded as part of a normal administrative practice.
8 Examples of electronic business systems include financial and human resource systems, ministerial correspondence systems and agency specific systems such as those supporting the management of the electoral roll and legal opinions.
9 op.cit., ANAO Audit Report No.45, 2001–2002 and ANAO Report No.7, 2003–2004.
10 The Archives Amendment Bill 2006 introduced into the Senate on 6 September 2006, amongst other things, states the role of Archives includes ‘overseeing Commonwealth record-keeping, by determining standards and providing advice to Commonwealth institutions'.
11 This situation acknowledges that good information or knowledge management practices can assist in decision making by better utilising corporate knowledge through improved information access and retrieval. Each of the entities, nevertheless, had gaps in their strategy or framework that will require further sustained commitment to develop and implement.
12 A ‘print to paper' policy means that the official record of the entity is the physical record or file rather than the electronic copy. In practice this requires staff to print and file records that have been created electronically.
13 These records encompass those that are printed and placed on a paper file, those that are created in electronic business systems and those that were created in paper form and subsequently converted into an electronic format.
14 These activities can range from large scale payment processing systems to administrative activities such as the management of leases.
15 Standards Australia, op. cit. AS ISO 15489.2, p. 11 ‘…a decision not to require formal capture of records is usually based on the assessment of the risk arising from having incomplete records of the business activity…'.
16 The DIRKS process enables entities, amongst other things to obtain a records disposal authority, enabling them to destroy records that are no longer needed. It also provides entities with a business classification scheme to assist in record titling.
17 Metadata is structured information that describes and/or allows users to find, manage, control, understand or preserve other information over time.
18 Refer to ANAO Audit Report No.45, 2001–2002, and Audit Report No.7, 2003–2004.
19 Entities' general or specific comments are provided in the relevant section of the report to which they refer and/or in Appendix 1.