Information Management Standard

Introduction

Well-managed business information is a valuable asset that contributes to good government through:

  • supporting efficient business
  • informing decision-making
  • demonstrating government accountability and transparency
  • assisting to mitigate risks
  • adding economic value and protecting rights and entitlements.

Reliable and useable information is crucial to business performance. Digital information can be made available across geographic areas and can be accessed simultaneously, enabling the transformation of business processes. Effective digital information management allows the Australian Government to innovate and deliver services that better meet the needs and expectations of clients and other stakeholders.

Managing public sector information well ensures it remains reliable and trusted and facilitates use and reuse, by both the Government and the general community.

Purpose

The Information Management Standard has been developed and issued to assist Australian Government agencies to create and manage business information effectively by outlining:

  • principles for well-managed information within the Australian Government jurisdiction
  • the National Archives of Australia’s expectations for the management of business information to enable agencies to meet business, government and community needs and expectations.

This Standard is consistent with the key concepts and principles of International Standard ISO 15489 (2016) Records Management.

The National Archives will review how agencies are performing against the Standard as part of its regular survey and evaluation of the Australian Government information management environment.

Authority and scope

Under the Archives Act 1983, the Archives is the lead agency for setting information management obligations and standards for Australian Government agencies.

This Standard applies to Australian Government business information, that is information and records in digital and non-digital formats that are created, used or received as part of government business. This includes both structured and unstructured information.

The Standard applies to business information created and managed:

  • by all non-corporate and corporate Australian Government entities, and wholly-owned companies including government business enterprises (collectively referred to as agencies)
  • internally or in outsourced arrangements, by staff employed by the Australian Government or contracted to perform business on its behalf.

This Standard does not cover the management of collections of published reference material or artefacts such as those typically found in libraries or museums.

Information and the Australian Government jurisdiction

Information is a corporate asset critical to all Australian Government activities, which range from developing national policies on trade, taxation or foreign affairs, to servicing claims for individual benefits and entitlements. Every day the Australian Government takes actions or makes decisions that affect the lives of Australian citizens, residents and visitors.

The Public Service Act 1999 sets out the values and code of conduct for Australian Public Service (APS) employees. The APS Values and Code of Conduct in Practice require employees to ‘document significant decisions or actions consistent with the Archives Act 1983 and to a standard that will withstand independent scrutiny’.[1] The Public Governance, Performance and Accountability Act 2013 requires the Australian Government to provide meaningful information to the Parliament and the public and to accountably govern and manage public resources, including information assets. These Acts are part of a legislative framework that ensures that the Australian Government performs accountably and the Australian community can understand why decisions are made or actions taken.

The Archives is one of several agencies that assist Australian Government agencies to improve their capabilities and performance in managing their business information. The Archives also ensures that Australians, and the global community, have access to the archival collection of the Australian Government. Some areas where other agencies provide guidance and advice on managing information include:

  • its protective security
  • the technology that carries it
  • ensuring the public can access it
  • ensuring that an individual’s privacy is not compromised by its collection or use
  • releasing public sector information as a national resource for community access and use
  • auditing how agencies manage their business information and making recommendations for improvement.

A list of whole-of-government sources – including legislation, policies, standards, advice and guidance – that impact on the information management responsibilities of most Australian Government agencies is available on the National Archives’ website – naa.gov.au.

[1] Australian Public Service Commission, APS Values and Code of Conduct in Practice, Australian Government, 2016 p.2

Outcomes and benefits from using this Standard

Creating and managing information according to the Principles in this Standard will result in business information that:

  • can be found, retrieved, and interpreted when needed
  • can be trusted as complete and accurate
  • is kept for as long as needed and no longer.

This Standard will benefit agency business outcomes by enabling them to:

  • document all needed information about a person, decision, fact or event
  • make sound decisions based on timely access to reliable business information
  • share corporate knowledge easily and avoid duplicated effort
  • improve business efficiency by leveraging opportunities provided by evolving information technologies
  • protect and secure information
  • know who has seen, changed, or removed business information when required
  • retain public and ministerial trust by being able to account for actions undertaken, advice given and decisions made
  • maximise return on investment by providing meaningful datasets to assist Australian Government, and the community, to use and reuse public sector information
  • create and preserve information that will contribute to Australian memory and history.

The strategic value of well-managed business information is commonly under-estimated. Poorly managed information can:

  • undermine rights and entitlements
  • adversely affect decision making
  • negatively impact reputation
  • result in costs and inefficiencies, such as storing and preserving unnecessary information.

Well-managed business information mitigates these risks.

Implementation guidance

This Standard is part of a framework that will include implementation guidelines linking to additional detail and technical guidance on the Principles outlined in the Standard.

For further information about this Standard and implementation guidance contact the Agency Service Centre.

About the Standard

The Standard is based on the following eight Principles that provide the foundation for well-managed business information:

  • Principle 1: Business information is systematically governed
  • Principle 2: Necessary business information is created
  • Principle 3: Business information is adequately described
  • Principle 4: Business information is suitably stored and preserved
  • Principle 5: How long business information should be kept is known
  • Principle 6: Business information is accountably destroyed or transferred
  • Principle 7: Business information is saved in systems where it can be appropriately managed
  • Principle 8: Business information is available for use and reuse.

The Standard does not prescribe how agencies should meet the Principles. Australian Government agencies vary in size and complexity. Every agency has a unique information management environment with varying culture, risk tolerance, legacy systems and resources. Agencies should implement the Principles to meet their specific circumstances.

Risk

The Principles should be implemented using a risk and value-based approach. The recommended actions should be followed more closely for high value information or information needed to mitigate high business risk. Indicators of this type of business information include that it:

  • is critical to business continuity and/or accountability
  • affects rights and entitlements
  • significantly affects workplace health and safety
  • is subject to a high level of scrutiny or has a high likelihood for legal action
  • involves large sums of public money
  • has a high potential for reuse by other agencies or the general public
  • is of long term value to the community and future generations.

The Principles

Principle 1: Business information is systematically governed

Proactively plan and implement information governance to manage business information as an asset to support immediate and future business outcomes, needs and obligations.

Recommended actions

1.1 Include information governance within corporate governance structures and frameworks.

1.2 Develop frameworks, strategies and policies outlining how business information will be managed to:

  • support and improve operational processes and strategic outcomes
  • satisfy stakeholder needs and legislative and regulatory obligations
  • support the implementation of whole-of-government policies and initiatives such as transitioning to digital practices
  • meet industry and information management standards and codes of practice.

1.3 Ensure valuable information assets are known and controlled by registering them and assigning a responsible business owner or custodian to oversee their management.

1.4 Review and audit how well information management practices and processes support the business and realise return on investment. Develop strategies for quality assurance and continuous improvement.

1.5 Resource information management with: 

  • sufficient budget to support agency needs, particularly in critical areas of business 
  • skilled and proficient staff or expertise 
  • technological systems with adequate functionality to meet business information needs.

1.6 Senior management (particularly those with specialist information roles) coordinate and review information governance and report regularly to the agency head.

1.7 Senior management provide leadership by actively supporting information management, including authorising key products and tools.

1.8 Foster a culture that values and manages information as an asset and an enabler for business use and community reuse.

1.9 Produce and disseminate policies and procedures providing guidance and direction to staff on creating and managing business information. Assign and explain information management responsibilities at all levels from agency head to general staff, including outsourced providers, contractors and volunteers.

1.10 Train and educate staff on an ongoing basis to assist them to meet their responsibilities. Support ongoing professional development for staff with specialist information management roles to enable them to keep up to date with current and evolving information management trends.

Principle 2: Necessary business information is created

Create business information that is fit for purpose to effectively support business needs.

Recommended actions

2.1 Identify where there is a business need to create a record.

Business needs include:

  • having evidence of the efficient and accountable operation of business
  • enabling business operations, decisions and continuity
  • allowing proper scrutiny
  • managing business risks
  • supporting the business if there is legal action or dispute
  • supporting individual and collective rights and entitlements
  • satisfying the requirements of stakeholders
  • meeting legislative and regulatory obligations.

2.2 Document information to meet business needs about activities including:

  • communications made or received
  • actions undertaken or observed
  • research and investigations
  • deliberations and decisions.

This should be recorded at the time of the activity or shortly afterwards.

2.3 Create good quality business information that is fit for purpose, which means that it:

  • contains sufficient detail to meet current business needs and can be understood by others in the future
  • is accurate
  • is created in a format that enables efficient business processes and maximises its potential for use and reuse.

2.4 Ensure business information creation is integrated into business processes and that staff know when and how to create fit-for-purpose business information.

Principle 3: Business information is adequately described

Describe business information so that it can be found, understood and accessed appropriately when needed.

Information that describes an information asset is known as metadata.

Recommended actions

3.1 Analyse and describe what needs to be known about business information so that all needed information can be dependably found, understood and used.

Business information can be found if it contains or links to:

  • identifying information such as a unique identifier or title
  • related information such as documents linked within a file structure
  • tools which have been used to enable consistency in description such as thesauruses or data dictionaries.

Business information can be understood if it contains or is persistently linked to description about:

  • its context such as who created it, when and for what purpose
  • its history and use, such as when it was captured into a system, who has accessed or viewed it, and if it has been changed and by whom.

Business information can be accessed appropriately when needed if it contains or is linked to description about:

  • its format
  • its security status
  • rights to, or restrictions on, individual and public access.

3.2 Determine what level of description is adequate.

Adequate description of business information:

  • provides sufficient detail to meet identified business needs and other uses for the content, such as public reuse
  • is of good quality including that it is accurate, complete and can be understood
  • will vary depending upon the intended useand significance of the information as well as any risk associated with the business activity.

3.3 Design or provide tools and systems that:

  • where possible automate the collection and management of descriptive information
  • enable staff to enter descriptive information in a consistent manner
  • where required, standardise description to support sharing and interchange of quality data between internal and external systems.

Principle 4: Business information is suitably stored and preserved

Store business information securely and preserve it in a useable condition for as long as required for business needs and community access.

Recommended actions

4.1 Store business information in a secure and suitable environment.

A secure and suitable environment is one:

  • that prevents unauthorised access, duplication, alteration, removal, or destruction
  • that satisfies Australian Government protective security requirements for classified and unclassified information
  • where it is accessible and retrievable for as long as required
  • where Australian Government property rights, including intellectual property, are not compromised.

4.2 Develop and implement preservation strategies to ensure that information remains useable including:

  • minimising harmful environmental factors
  • having a proactive plan so that technological change does not compromise the accessibility or useability of information
  • implementing routine measures to safeguard business information, such as daily back up
  • incorporating protection or recovery of business information in disaster and business continuity plans. Give particular attention to information vital to continued business operation.

Principle 5: How long business information should be kept is known

Analyse and document how long to keep business information to meet identified business and community needs.

Recommended actions

5.1 Analyse and document how long business information needs to be kept to meet:

  • operational needs
  • stakeholder needs including rights and entitlements
  • legislative and regulatory obligations
  • community needs, including the need to have access to valuable Australian Government information for research and reuse.

Under the Archives Act 1983 agencies need the permission of the Archives before:

  • destroying valuable business information
  • transferring custody or ownership of business information outside of the Australian Government
  • transferring care of archival value Australian Government business information to the Archives.

This permission is provided in the form of records authorities. The Archives determines which Australian Government information will be transferred to the Archives as part of the national archives collection.

5.2 Ensure, as appropriate, that the retention period of business information is known by:

  • staff
  • system designers
  • contractors and outsourced providers.

5.3 Provide written and other advice to staff on the types of business information without ongoing value which can be routinely destroyed without formal permission from the Archives. Within the Australian Government this is known as destruction in accordance with a normal administrative practice (NAP).

Principle 6: Business information is accountably destroyed or transferred

Keep business information for as long as required after which time it should be accountably destroyed or transferred.

Recommended actions

6.1 Assess business information against current records authorities to determine which information can be destroyed or transferred.

Plan to do this at regular intervals as keeping unneeded business information is costly and makes required information more difficult to find.

6.2 Confirm that there is no need to keep business information beyond the authorised retention period. 

Examples of needs to keep business information longer include:

  • anticipated requests for access
  • likely legal action
  • a significant increase in public interest in the topic
  • a disposal freeze issued by the Archives for business information on that issue or event.

6.3 Follow any protective security requirements for secure and complete destruction. 

6.4 Document the action, authority and approval for destruction or transfer.

Principle 7: Business information is saved in systems where it can be appropriately managed

Manage needed business information in systems that protect its integrity and support trusted and reliable use.

Recommended actions

7.1 Identify what functionality the system will need to enable and support use of business information including the required level of:

  • creation or import
  • description (metadata)
  • interoperability with other systems
  • access
  • security and preservation
  • destruction or export of all or selected information.

7.2 Determine the degree to which it is necessary to trust or prove that business information is genuine, complete, accurate and unaltered.

7.3 Create, save or capture business information into systems with sufficient functionality to satisfy operational and other stakeholder needs for reliable and trusted information.

This includes the ability, as required, to:

  • enable authorised and prevent unauthorised actions including access, alteration, removal, deletion or destruction
  • track or provide audit trails of actions such as access or alteration
  • securely preserve and export information of long-term value.

7.4 Have appropriate governance measures to ensure systems enable the creation or capture, and management of quality, fit-for-purpose business information. 

7.5 Periodically review that systems are managing information effectively to support business needs. 

7.6 Plan for decommissioning of systems and migration of needed business information.

7.7 Provide risk-based advice to staff on where business information should not be stored, because it cannot be managed appropriately. Examples of such areas may include uncontrolled network drives, removable media, email applications and third party sites such as social media platforms.

Principle 8: Business information is available for use and reuse

Create and manage business information so that it can be effectively accessed over time by staff and other users with a right of access.

Recommended actions

8.1 Make business information readily available unless there is a reason to restrict or partially restrict access, such as security or privacy considerations.

8.2 Remove restrictions on business information as soon as they no longer apply.

8.3 Facilitate the use of business information based on the understood needs of known and potential user groups, for example web content accessibility needs.

8.4 Evaluate the technological environment within which business information will be shared. This could include staff in remote areas or members of the public without access to the most recent technologies.

8.5 Plan to progressively improve business systems governance and architecture to facilitate sharing information and reduce information silos internally and externally.

8.6 Release and publish business information, including datasets, for public discovery and reuse. 

This should be done according to Australian Government law and policy, including to:

  • meet open government objectives
  • comply with the public’s rights of access
  • maximise government, industry and public benefit from Australian Government information and data.

8.7 Govern, create, describe, store, preserve, retain and manage business information with the end purpose of making it easy to find, easy to use and easy to share for reuse, for as long as needed.

Copyright National Archives of Australia 2017