Challenging questions on social media and the cloud – interesting enquiries to State Records NSW in December 2012 January 24, 2013
Here are some of the really interesting digital recordkeeping enquiries that the Government Recordkeeping section at State Records received in December.
- We are using a cloud-based business system but need to export key records out of it and back into corporate business systems. What do we do with the copies of records of these records that stay in the cloud?
- Do I really have to make official records to document what my organisation is doing on Facebook? If so, how do I do it?
- Can I keep social media records in the business system that generates them?
- Do I need to know when I broadcast a social media message and know when someone receives it?
- What does the requirement for read-only records actually mean and how do I achieve it?
- With my social media records, do I need to keep them in their original format and make sure they look just like they did in their social media environment?
- Should I use PDF or PDF/A for document scanning?
- Will State Records be providing new advice on recordkeeping in SharePoint 2013?
- Can I modify and use State Records’ e-learning courses in my own organisation?
The advice we provided in response to these questions is listed below. If you have any comments, suggestions or feedback on the advice we gave, please do let us know!
We are using a cloud-based business system but need to export key records out of it and back into corporate business systems. What do we do with the copies of records of these records that stay in the cloud?
Export and migration are essentially copying processes. They take a copy of a record and move that to a new location. A version of the record also remains behind in the original location.
The records and their metadata that you export out of the cloud and into your business system will be regarded as your official records of this business. The versions left behind in your cloud system will be copies of these records.
These records and their metadata that have been left behind are classed as ‘source’ records that have been migrated to your business system. The disposal of source records is authorised by State Records’ General retention and disposal authority for source records that have been migrated (GA33).
Ideally, after you have had time to validate that all the records were exported completely into your business systems, you will be able to arrange with your cloud service provider to purge the copies of your records that remain in the cloud system.
However, an issue with some cloud systems is that they have no or limited purge functionality. This is a risk that does need to be actively mitigated. Ideally, when setting up a contract with a cloud provider you would specify what type of purge controls, schedules and accountabilities you want applied. If however the cloud system you are using does not have regular purge capacities, you will need to develop some risk mitigation strategies.
For example, could it be a risk that there are potentially two places for doing business (in the cloud and in the corporate business system), and so there is no ‘single source of truth’? Can this risk be mitigated through restricting access to the cloud system, or clearly labelling the information in the cloud as completed or superseded etc? You should also consider what risks are posed by certain forms of information continuing to exist for an indefinite period in an external cloud environment.
Do I really have to make official records to document what my organisation is doing on Facebook? If so, how do I do it?
The business conducted via social media is official government business. Your organisation does need to know the advice, decisions and commitments that are being made via social media and making official records is the way to do this.
That said, all business is not created equal and there is no over-arching requirement to keep absolutely all records of business in your organisation. You should make and keep records based on an assessment of your business needs and risks. Decisions about whether to make and keep records should be based on questions like:
Will I need this information:
- for reporting?
- as the basis for subsequent actions?
- to incorporate user-generated content into business products or processes?
- for responding to future enquiries?
- to feed business intelligence back into the organisation?
- for legal requirements?
- for ongoing client management?
- for planning?
- to monitor or improve business process?
- to measure the impact of your social media strategies?
You also don’t have to necessarily officially capture all comments, posts, updates etc. You can choose to capture only the content that has ongoing business requirements or relevance.
When making these decisions about what records to officially capture, you also need to bear in mind that social media systems are generally third party owned and located in the cloud. There are no guarantees that social media systems will keep your information or make it accessible for any significant periods of time. Therefore if there are business needs to keep records of your social media operations, you do need to proactively plan for the export of relevant information out of your social media system.
Ways you can make records of your Facebook activity include:
- regularly export your Facebook generated Activity Log from the Facebook administrators page – this will provide a copy of all posts, comments etc on your Facebook page
- using a third party service such as Social Safe to regularly export a version of your Facebook content
- if only a small proportion of your Facebook content needs to be officially captured, using RSS feeds of updated content, screenshots, reporting or other mechanisms to capture this content.
State Records will be issuing draft advice for comment on its Future Proof blog in February that provides additional advice on social media recordkeeping.
Can I keep social media records in the business system that generates them?
Our unofficial surveys across government show that organisations are using lots of different systems to drive their social media operations. Some are using channels such as Twitter and Facebook directly, while others have off-the-shelf or purpose-built business systems that are used to generate content and then automatically broadcast this through various social media channels.
Irrespective of what system you use, can you keep your social media records in this system?
As we say all the time, recordkeeping is a risk-based decision. You will need to consider your own specific business context, business risks and information needs but, in general, our standard advice would be:
For third-party, cloud-based systems like Twitter, Facebook, You Tube, LinkedIn etc:
- low risk business operations, low value business information – you can leave this information in your social media system and rely on the system to provide ongoing access for the short period of time that you may need business access to this information
- higher risk business operations, higher value business information including decisions, advice, public input, feedback etc that are required for ongoing business operations – export this information out of the social media system because there are no guarantees that the system will provide ongoing information support or accessibility.
For business systems that have the capacity to broadcast through multiple channels:
- information will generally be secure in these systems for the length of the system lifespan, but if the system is upgraded, replaced or decommissioned, you will need to determine if any information in the system needs to be kept for ongoing business or legal purposes.
- it may be easier to regularly export high value information out the system throughout its active life and store this in a central records system, rather than determine at system decommission what information requires export for ongoing support and management.
It is important to note that some social media communications, like emergency broadcasts, can have very long legal retention periods, up to 25 years in some cases. An important part of social media recordkeeping strategies therefore is, when business moves to social media platforms, to determine what you need to do in order to keep the records generated in your social media systems for your required retention periods.
Do I need to know the time and date that I broadcast a particular social media message and know when someone receives it?
Yes, irrespective of how you decide to keep your key social media communications, a core piece of information you will need to have in any system or environment you use is a fixed record of the date and time that your social media communication was issued.
You do not need to capture information about when someone receives your communication as often this is not possible to do. Geographical coverage issues, volume capacities, specific device issues and device availability can all affect transmission time and potential. You cannot know or mitigate these issues but you can keep a record of when your advice was officially broadcast. Therefore any recordkeeping strategy must ensure that the date and time of your transmission is able to be captured and kept.
If you are using a business system to generate and broadcast social media communications across a variety of channels, for certain high risk transactions you may also want to ensure that your system can generate an exception report, to ensure you are informed if some posts are not successful.
What does the requirement for read-only records actually mean and how do I achieve it?
We actually had a few enquiries in December about the meaning of ‘read only’. The Standard on digital recordkeeping states that recordkeeping systems must be able to ‘capture read-only versions of digital records’.
Enquirers pointed out that electronic records management software tools often allow users who have permission to continue to edit a record after it is checked into a system. Users are allowed to designate when a record is actually final and only when a record is marked as final it is stored in a read-only format in the system. In many cases, however, users are never actually designating records as final. Record metadata can also be altered or added to over time by users with appropriate permissions.
The ‘Read-only’ requirements which appear in the Standard on digital recordkeeping and elsewhere are essentially requirements to say that records must be protected so that they can always be trusted as an accountable, reliable source of information. You need to be able to rely on the fact that the information presented in a record is the information that was transacted or recorded at the time. Fixing information as ‘read-only’ is one key way of achieving this. You can also use other mechanisms to help prove or maintain the authenticity of records, such as system controls, audit logs or user permissions. Deploying read-only functionality in systems, however, is a very widespread and effective method.
If staff are not finalising their records and thereby not triggering the read-only functionality, you can develop procedures, monitor user behaviour or issue general reminders on the need to finalise records in your system. Not having key records as read-only could lead to their alteration, damage, loss or legal inadmissibility and so it is a business risk if read-only functionality is not deployed.
There are some justifiable reasons why some metadata may need to change over time. Records systems are configured to protect and preserve most metadata but for circumstances where change is required, these should be supported by a simple statement in policy or procedure that states most records system metadata is fixed and unalterable but where changes are required to correct mistakes or to include additional information, this functionality is restricted to certain authorised records staff.
With my social media records, do I need to keep them in their original format and make sure they look just like they did in their original social media environment?
With your recordkeeping, what you ultimately want is business information that is accountable, accessible and useable. Capturing records so that they look exactly as they did in the original social media environment may be desirable, but ultimately it is not as important as information accountability, useability and accessibility and process achievability and sustainability.
A number of social media formats are actually very complex, like Facebook’s AJAX format. These formats are great for immediate, dynamic, complex visual presentations of diverse forms of data, but in the long term you don’t want to capture records in this format and create complex, long term, legacy format management problems in your organisation.
For Facebook, rather than exporting records in AJAX, you could capture your original content, be it a post or video or image in its original format, or capture the information via RSS feed, screenshot or export using a third party service such as Social Safe etc. You can also capture user feedback in the same way. These can be captured as official records in your records system.
If you feel that capturing a visual representation of how your social media sites looked at a particular point in time, or how particular posts, images and videos looked together on a site is important, you can take a screenshot of the site and capture this too as part of your official records.
With digital business information, when it gets down to it, what matters isn’t the format, it’s the information contained in the format. So if original format preservation isn’t appropriate or cost effective or sustainable, it is legitimate to look at other options that are appropriate, cost effective and sustainable, and that provide you with the evidence and information you require.
Should I use PDF or PDF/A for document scanning?
This needs to be a business decision you make, after considering your records.
People use PDF/A because it is likely that documents in this format will be accessible for longer than those in standard PDF. Therefore PDF/A is generally used for records that will be needed by the business for very long periods of time, for example 10-20+ years.
State Records’ digitisation guidelines include a case study about the scanning practices at the University of Western Sydney. The University has a process where they scan their ordinary business records to PDF but business papers with archival value, such as their Board papers, are scanned to PDF/A.
In our August 2012 digital enquiries post, we provided further advice about the different forms of PDF/A.
Will State Records be providing new advice on recordkeeping in SharePoint 2013?
We do not have any guidance specific to SharePoint 2013, but have extensive advice available on recordkeeping considerations in SharePoint 2010.
We hope to publish a brief overview of some of the additional/enhanced recordkeeping functionality in SharePoint 2013 soon. At this stage we have no plans to publish separate guidance on the recordkeeping capabilities of SharePoint 2013 – our contact with government agencies that are implementing/using SharePoint suggests that 2010 will continue to be the primary version for some time.
In the meantime, Andrew Warland has provided a brief overview of the new recordkeeping functionality in SharePoint 2013 on his blog.
If your organisation is interested in providing a case study of its experiences in implementing SharePoint, we are still keen to publish more case studies illustrating the different ways in which SharePoint can be implemented to support various business needs. We have recently published a case study on Bankstown City Council’s innovative SharePoint implementation.
Can I modify and use State Records’ e-learning courses in my own organisation?
Yes you can!
We offer the following eLearning modules:
- Recordkeeping concepts
- Digital recordkeeping concepts
- Framework for recordkeeping in the NSW public sector
- Email management Part A and Email management Part B
- ICT professionals: What records management can do for you
- Recordkeeping and you (Based on National Archives of Australia’s Keeping the Knowledge e-learning module)
- Your responsibilities for managing email
- Recordkeeping and you: senior officers and managers
- Role of the nominated senior officer
Under the terms and conditions for use of the eLearning modules, NSW public offices are free to use, adapt or modify the online modules to suit their needs providing that the following conditions are met:
- the existing, adapted or modified content is not used for commercial purposes or for sale
- the copyright notice “© State of New South Wales through the State Records Authority of NSW” is included in all uses
- public offices do not supply the modified or modifiable versions of the modules to a third party without the prior written permission of State Records NSW
- any adaptations or modifications do not change the meaning or intent of the content
- any adaptations or modifications remain in keeping with best practice and NSW Government policy as articulated by State Records’ standards and guidelines.
The Recordkeeping and you module has slightly different terms and conditions as copyright for the majority of content rests with the National Archives of Australia (NAA). NAA has agreed to allow NSW public offices to use, adapt or modify the module to suit their needs providing the following conditions are met:
- the existing, adapted or modified content is not used for commercial purposes or for sale, such as training for a fee
- use or modification of NAA material is fully acknowledged
- the module will not be provided to a third party.
State Records also requires that any adaptations or modifications to the Recordkeeping and you module:
- do not change the meaning or intent of the content
- remain in keeping with best practice and NSW Government policy as articulated by State Records’ standards and guidelines.
Unfortunately State Records is unable to customise modules for organisations. To assist you in making your own modifications, State Records can provide copies of the training modules to you in HTML, Microsoft Word or AICC.
Leave a Reply
You must be logged in to post a comment.