Digital transformation in NSW Government: recordkeeping opportunities and risks

August 17, 2017

“Digital transformation” is a priority of the NSW Government. Transitioning from manual and paper-based processes to automated and digitally enabled processes is expected to simplify and streamline the work of government, as digital transactions and processes are generally faster, more convenient and more efficient. But digital transformation also creates information risks.

Last week I spoke at a seminar organised by GIO for Treasury Managed Fund agencies on the risks associated with digital transformation. Here is some of what I said:

One of the aims of the NSW Digital Government Strategy is to embed a “digital by design” approach across the NSW public sector:

  • All new government processes should be digital.
  • Paper-based processes should be eliminated, and replaced with digital processes.

The Government’s objective is for 70% of government transactions to be conducted by digital channels by 2019. As part of enabling this goal to be met, the NSW Government passed legislation in June 2017 to amend various Acts and Regulations to facilitate digital transactions between government agencies and the community.

These amendments clarify that interacting with government digitally is allowed and encouraged. For example, as a result of the amendments, certain information will be able to be provided to particular agencies in an approved, electronic form instead of a paper‑based statutory declaration. Instead of having to print and fill out a statutory declaration, have it witnessed by the necessary authority and then submit it to the relevant agency, a customer will be able to complete and submit an electronic form via the agency’s website. This will make the relevant interactions with government quicker and more convenient.

However, digital transformation creates information risks. NSW public offices must create and keep full and accurate records of their business and maintain these for as long as needed to meet regulatory, business and community requirements. Some records are required to be kept forever as State archives. The transition to digital processes needs to be accompanied by good recordkeeping so that records are fit for purpose, available when required, protected from unauthorised access or deletion, and destroyed when no longer needed.

Take the example of statutory declarations. An organisation might have had robust processes for creating and keeping records when the process was paper-based: completed statutory declarations may have been filed, and the files stored in secure conditions until they could be legally destroyed. But how will an organisation maintain records of electronic forms? Does it have a process for capturing the submitted form in a digital system? Can this system maintain the form for as long as it needs to be kept? Will the form be protected from unauthorised access, modification and deletion? And what will happen if the organisation moves to a new system?

Transitioning to digital ways of working provides opportunities to embed good recordkeeping practices from the start: organisations can identify the records they need to create and keep to support particular business processes and then design effective ways of creating and keeping these for as long as needed. But creating and keeping records well requires an investment of time, money and people to create appropriate policies and processes, and implement suitable systems, security and storage. It is therefore really important that the business value of records is proportionate to the cost of maintaining them.

Take a risk-based approach

State Archives and Records NSW issued the Standard on Records Management in 2015. The Standard promotes taking a risk-based approach to assessing an organisation’s needs for records and information. Organisations should prioritise the management of records which document and support high risk and high value areas of business, and which are subject to information risks.

The first step is for an organisation to identify the areas of its business that are of high value and high risk. These areas of business will depend on the nature of the organisation’s business.

The second step is for an organisation to identify and document the systems already in use that support high value and high risk areas of business:

  • What are the organisation’s needs for records to support this business?
  • Can the existing systems meet these needs?

Organisations also need to consider needs for records when decommissioning legacy systems and acquiring new systems that support these high risk and high value areas of business:

  • Again, what are the organisation’s needs for records to support this business?
  • What strategies need to be implemented to appropriately manage any legacy systems?
  • Can any proposed new systems meet these needs?

These assessments of existing and proposed systems will identify any information risks that need to be addressed.

Prioritise the cloud

Digital transformation often involves moving business to cloud-based technologies. Organisations are implementing cloud-based customer relationship management systems, HR systems and finance systems, moving their email to the cloud, and moving away from on-premises to cloud-based storage of documents (Microsoft Office 365, etc.).

High risk and high value areas of business are moving to the cloud. The records created to document and support these areas of business MUST be prioritised for management, as there are numerous information risks associated with moving to the cloud. If an organisation is using cloud-based systems to transact or support high risk or high value areas of business, it must proactively consider recordkeeping requirements and mitigation strategies.

One of the key information risks when moving business to the cloud is that records will not be available when required:

  • Unlike records stored on an organisation’s own network and servers, records stored in cloud-based systems are only accessible through the cloud service provider.
  • Business continuity and disaster recovery processes are generally outside the organisation’s control and in the hands of the cloud provider.
  • Records created by NSW public offices need to be kept for minimum retention periods as outlined in approved retention and disposal authorities, but some cloud-based systems may not be able to prevent unauthorised deletion of records.
  • Some records have very long retention periods and may even be required to be kept permanently as State archives. Not all cloud-based systems have the capability to preserve records with long retention periods.
  • Records created and kept in cloud-based systems may not be returned to the organisation upon request or at the conclusion of the contract, or they may be returned to the organisation but in a format that the organisation cannot readily access or use.
  • The provider of the cloud-based system may go out of business, or cease supporting a particular service or product, and the organisation’s data may not be recoverable.

There is also a risk that records will be accessed or used unlawfully. For example, if the cloud service provider is located in another country, the records may be subject to local laws and therefore be discoverable in those jurisdictions.

NSW public offices must assess and address the risks involved BEFORE moving records to or creating records in cloud-based systems. We recommend that organisations ask a range of questions before starting to use cloud-based systems, especially if these systems will support high value or high risk areas of business. For example:

  • Can the provider commit to storing and processing your data in specific jurisdictions that are acceptable to your organisation (that have, for example, legal frameworks which are compatible with Australia’s environment)?
  • In what form can the data be exported from the system, and what metadata is exportable?
  • Can the provider assure that no copy of the data is retained by the provider after the termination of the contract?
  • Can your organisation specify data to be destroyed and can the provider give assurance of destruction, such as certificates of destruction?
  • Can the provider assure that your data cannot be used for applications not specified in the contract (for example, to data match with databases owned by other clients of the provider)?
  • Will your organisation be consulted regarding any third party seeking to have access to your data? And how will third party access to your records be managed, for example if required by a government watchdog organisation in the jurisdiction in which the records are stored?

State Archives and Records NSW has published a risk management checklist for cloud arrangements. It is vital that organisations identify information risks BEFORE entering into contracts for cloud-based services, and that organisations develop and implement appropriate mitigation strategies. Mitigation strategies might include:

  • establishing contractual arrangements to manage known risks
  • periodically exporting any data that documents high value and high risk areas of business to an on-premises system that has appropriate recordkeeping functionality
  • monitoring contractual arrangements.

The friendly folk in the Government Recordkeeping team are here to assist in your organisation’s digital transformation process – please get in touch if you would like specific advice.
