Digital recordkeeping Q&A at State Records NSW in May and June 2013 – USBs, metadata, dodgy emails and Office 365 July 16, 2013

Lots of juicy questions were fired at Government Recordkeeping staff at State Records in May and June.

Here is a sample:

  • Is it OK to keep old records on a USB stick?
  • Can I use Office 365 for my corporate records management?
  • What information security requirements apply in NSW?
  • If some of my records only need to be kept for a short period of time, do I really need to scan them?
  • What metadata do I have to use to describe our corporate image collection?
  • The emails staff send out are not always the most official looking records. Should I create an official summary instead?
  • We are providing a service to clients on behalf of the government. Is there any requirement for us to keep hard copy records of the services we provide?
  • Can I change the title of an email when I register it into our EDRMS?

Is it OK to keep old records on a USB stick?

No, it is not.

State Records’ advice is that USB or memory sticks should only be used for short term use or access. They should also not be used as the only form of storage for any business information.

Some agencies have reported copying information that they need to keep for medium to long term periods to a series of memory sticks, then putting these memory sticks in a box and then sending this box to storage.

In this scenario, these agencies are never likely to be able to access this information again.

There are multiple possible reasons for this:

1. A memory stick is a physical storage medium. If this physical medium gets damaged, the information on the stick will be impossible to impossible to access and read.

2. A memory stick relies on a piece of hardware in order to access the information on it. If, in the say 2-5 year period that the memory stick has been sitting in the box on the shelf, you have upgraded your hardware at all, it’s quite possible your new hardware won’t have the capacity to allow you to open and read the information on your memory stick.

3. Say it is 2-5 years down the track and your memory stick is physically OK and your old hardware is still operational. The bad news is that the software running on your computers is likely to have changed. Whatever program you used to create the documents on your USB may not be able to be read by your new software.

4. Unless you have tiny writing and a steady hand, you are very unlikely to label a memory stick to identify all its contents. In 5 or 10 years time it is very unlikely that anyone is going to sit down and search through your box of memory sticks in the hopes of finding the information they need.

5. Memory sticks generally store documents isolated from their context. Very mimimal information about a document gets transferred to a memory stick – basic metadata with a title, date and author and little else. Alternatively a memory stick can store a chunk of a network drive from a specific point in time and not much more. The accessibility and useability of the content on your memory stick also depends on how comprehensible your network structure and file titling is going to be in 2-5 years time. Chances are, navigating and understanding this are going to be a challenge.

For all these reasons, it is really important to be aware that memory sticks are short term devices, they are not long term storage tools.

You need your long term value information to be easily accessible, searchable, protected, managed, useable, comprehensible and linked to information that describes what it is. You need to store it in a system or environment that gives you these capacities. You need to protect and value your important business information and storing it on USB sticks is not the way to do this.


Can I use Office 365 as my corporate recordkeeping system?

Office 365 is an online offering of software and services from Microsoft. It is a Windows-based operating environment that can be used by small and large scale organisations and individuals. Depending on the subscription you choose, Office 365 offers Microsoft Outlook, SharePoint, web apps for Word, Excel, PowerPoint and a range of other software and services.

In and of itself, it is not a recordkeeping system, it is a cloud-based operating environment.

Like any business system or operating environment, you will need to develop a strategic information management plan to govern how you can use the tools and services offered by Office 365 to effectively perform your business operations and manage your business information.

Andrew Warland in his post Recordkeeping functionality in SharePoint 2013 – What’s New? points out that SharePoint 2013 available in Office 365 does have a wide range of records management capacities. These do need to be considered, assessed and specifically configured however – an out of the box (or out of the cloud) environment will not automatically meet your specific business and legal requirements.

State Records has developed advice on SharePoint 2010: Recordkeeping considerations. This comprehensive guideline contains a host of advice on the decisions and configurations required to use SharePoint 2010 to meet recordkeeping requirements. You should consult this when developing a strategy for configuring SharePoint 2013 to meet your recordkeeping requirements.

In an entirely cloud-based operating environment like Office 365, you do need to consider information security and longer-term information sustainability and continuity.

You may need to consider whether the management of hybrid cloud and on-premises environments is necessary to manage secure, high risk, or long term value business information that you hold.


What information security requirements and classifications apply in NSW?

The NSW Government digital information security policy establishes the digital information security requirements for the NSW Public Sector.

At set of FAQs is also available on information security is also available on the NSW ICT Strategy website.

State Records has also published some general advice on information security.


If some of my records only need to be kept for a short period of time, do I really need to scan them?

Scanning is actually a very expensive process and if you have a scanning program in your organisation, there is no requirement to scan absolutely everything. Because of the costs involved, you need to ensure you are getting value for money and scanning the records that really do need to be scanned.

The choice of records to scan absolutely needs to be a business and cost benefit decision.

To determine if you are likely to derive business benefits from scanning the records that are generated through certain business processes, you can ask questions like:

  • do people across the organisation or across different business units need access to this information?
  • will this infromation need to be regularly accessed in coming years?
  • do we regularly conduct searches for this information?
  • would new business benefits arise from easier access to this information?
  • could we reuse and repurpose this information if we had it in digital form?

In addition, if you believe there would be business benefits from making certain records available more widely across your organisation, before you scan you should consider whether a digital scanned version of the record itself is the best way to meet this business need, or whether a summary in some form, such as a database summary of enquiries, comments, registrations is a more efficient and accessible way of making this information available.

How long you need to keep records for to meet your business needs is actually another really important consideration. If you only need to keep certain records for 1 or 2 years, the effort and costs involved in their scanning and subsequent management may be hard to justify within this very short time frame, unless they are subject to regular high rates of organisational access, customer enquiries etc.

Therefore, when everything is considered, a blanket scanning program may not always be the most efficient approach. Instead, like any project, scanning should be strategic and be developed in targetted ways that best meet your organisation’s specific business requirements.


What metadata do I have to use to describe our corporate image collection?

As with all aspects of records and information management, it all depends on your specific business needs.

With photos and any other forms of records, you need to make sure that your metadata is fit for purpose and that it meets your business needs for how you want to use your images.

For example, what do you want to use your image collection for? Is it mainly for providing images that you will use on your website or corporate publications? If so, use metadata elements that will help maximise your efficiencies here. You can create metadata elements or tags that identify the business areas that these images best apply to, or to identify different images sizes or image quality levels  for different types of publications.

Alternatively, do you want to use your image database to manage image copyright, sales and licensing? If so, make sure you have good metadata that will help you to do this as easily and efficiently as possible.

If your images are primarily used for monitoring or law enforcement purposes, your images will need strong date and time metadata, location metadata and operator metadata. Metadata for these images also needs to facilitate accurate searching based on business requirements – you don’t want your users having to search through hundreds of photos titled image001, image002 etc.

When considering metadata, you should also always consider interoperability and sharing. Simple, standard metadata elements such as those contained in the AGLS metadata standard are widely adopted and give you a great place to start if your primary aim is to share your photos with others and make your photos easily accessible and useable.

Metadata sets like AGLS are also extensible and so you can also add your own specific copyright or sales metadata, or folksonomy tags to a core AGLS set.

The minimum metadata requirements in the Standard on Digital Recordkeeping which apply to photographic records are:

  • title
  • date of creation
  • who/what created the record
  • the business function/process it relates to
  • the creating application
  • record type (e.g. letter / memo / report / contract / fax / schematic / blog, or locally defined types

For images, title and date metadata in particular are especially important, and should be standard metadata requirements.


The emails staff send out are not always the most official looking records. Should I create an official summary instead?

Your organisation should determine how and when email messages need to be captured. Generally, a message should be captured as a record if:

  • it approves or authorises actions
  • it is a formal communication between staff relating to work
  • it signifies a policy change or development
  • it commits your organisation to an arrangement or to a business deal
  • it contains advice, provides guidance or constitutes formal communications with people inside or outside the organisation
  • the recipient is required to act upon it
  • it is external correspondence relating to work
  • it was sent for a business purpose
  • it is used to make a work-related decision
  • the information it contains would be needed by team members/colleagues to continue with a matter, project etc.
  • it relates to a matter which may be reviewed or audited later.

If a message meets one or more of the above criteria, it should be captured as a record.

The danger with making a file note in lieu of capturing a message is that human error may result in the file note failing to constitute a full and accurate record of the business transaction.

In addition, this requires an additional action by an employee – experience suggests that employees are more likely to capture records when the effort required is minimised. It is generally easier/quicker/more efficient to capture an email message directly into a recordkeeping system than to document the contents of an email in a file note and then capture the note.

If your organisation has concerns about the inclusion of informal ‘chat’ in corporate records, you may like to consider the need to emphasise to all employees that email is a corporate business system and messages sent or received using email systems may be corporate records.

State Records recommends that organisations establish email templates to prompt employees to record all necessary information in a message, as well as to remind them that care needs to be taken with what is said in business emails. Templates help to differentiate between official correspondence and personal messages.


We are providing a service to clients on behalf of the government. Is there any requirement for us to keep hard copy records of the services we provide?

There is no requirement under the State Records Act to store records as hard copy, nor is there any other general legislative requirement that says records must be managed in paper.

A core message of State Records’ Standard on digital recordkeeping (2008) is that if a record is born digital it should stay digital.

As long as your digital records are authentic, reliable, useable and accessible for as long as they need to be, then there is no need to retain or create hard copy client files.

If you are required to hand over your client files to a government organisation at the end of your service contract or when a client ceases to use your services, you need to be mindful that the government organisation will need to be able to manage and provide access to your files for probably quite some time in the future. Your digital records therefore need to be robust, exportable, in widely used or open formats and searchable and useable by staff who have not been directly involved in your service provision.

Alternatively, if your service contract with government states that you will continue to manage client files on the government’s behalf for an extended period of time, you must make sure your digital files continue to be accountable, accessible, secure and useable.


Can I change the title of an email when I register it into our EDRMS?

In most EDRMS platforms, registering an email with a revised title that makes it easier and more accessible to users does not actually change the title or subject of the saved email record itself.

An EDRMS saves an email in its native form with original sender, date and subject metadata intact. When you create registration metadata in the EDRMS, this is separate and additional to the specific email header metadata and it can be useful to use this metadata to make the information in the email as accessible and useable as possible. You could add names, keywords, project names, attachment names and a whole host of extra detail in these EDRMS registrations, if this helps to improve your information accessibility and to assist staff to find the information they need.


As usual, your feedback on our advice is always welcome and appreciated.

Michael Alchin July 19th, 2013


Regarding the question on emails and their non-professional look, Premier’s Memorandum – ‘M2004-14 Use and Retention of Email for Government Communications’ is still current. See:



Kate Cumming July 22nd, 2013

Hi Michael – thanks for this highly appropriate and still relevant reference. Cheers, Kate

Leave a Reply

You must be logged in to post a comment.