FAQs on digital information management – State Records NSW enquiries October 2012 November 8, 2012

From the nature of our enquiries this month, it seems that the NSW Government’s ICT Strategy is really encouraging people to consider their information management requirements.

In particular, it seems to be getting people to consider the management of their social media systems and the information that is produced within them. It is excellent that people are really engaging with curly information management issues and that they are really concerned with effectively utilising and managing the data obtained through social media engagement.

Key questions that public offices asked State Records this month were:

  • How long to I need to keep my CEO’s blog for?
  • Can I keep my inactive, high value records in my active business system? IT says they can be stored there indefinitely, backed up and will never be deleted.
  • Is Facebook a government business system? My IT section says that it is not.
  • What tools can I use to make records of my social media communications?
  • Do we still need to create paper records?
  • Can we keep records in the cloud?
  • My records are stored on the network and the backup system. Is this OK?
  • Can I destroy paper records after I scan them?
  • My records are protected against disaster. Are there other risks I should protect them against?
  • What record formats does State Records say I should use for my archival value records?

How long to I need to keep my CEO’s blog for?

Our enquirer was told that this depends on what the blog is being used for. Different retention periods would apply, depending on the purpose of the blog.

Depending on what the CEO is blogging about, the minimum amount of time that the blog would need to be kept is two years, but if it is a significant blog with lots of strategic commentary about your organisation and its operations then it might need to be kept as a State archive.

The classes to consider when deciding how long to keep your blogs are generally contained in the Community Relations function of GA28, Administrative records disposal authority.

The Community Relations – Addresses classification contains a couple of relevant classes. If the CEO’s posts contain significant corporate policy statements or significant public statements, then the Community Relations – Addresses classification at GA28 2.2.3 might be appropriate. Records in this classification are retained as State archives. Alternatively, if the CEO’s posts contain very minor details, then Community relations – Addresses classification at GA282.2.4 with its 2 year retention period, might be more appropriate.

Alternatively, if most of the CEO’s posts have a marketing bent, they can be sentenced under Community Relations – Marketing and they would have a 5 year retention period. (2.14.1)

State Records’ general advice is that organisations should carry out a risk assessment to ascertain if these minimum retention periods are appropriate. You can of course decide to keep any of your records for longer than our  minimum retention periods recommend. For example, you may decide to retain all records of the blog for statute of limitations purposes (7 years), or you may decide to retain them on a permanent basis.

Can I keep my inactive, high value records in my active business system? IT says they can be stored there indefinitely, backed up and will never be deleted.

For the organisation that asked this question, the records involved were incredibly high risk, high business value, archival records. They will need to be accessed for decades into the future and the organisation will need to be able to demonstrate the ongoing authenticity and accuracy of these records.

We said that while technically the strategy of keeping these records in the active business system possibly seems adequate now, we didn’t think it adequately mitigates the risks that could be encountered. Our particular concerns were that:

  • Active systems are not necessarily a stable long term storage environment
  • Being able to demonstrate that these records are authentic, unchanged, accurate representations of he business transacted is critical to the organisation. Having long term information that has to be carried through every version or system upgrade/migration is a genuine risk that could affect the integrity, accessibility and therefore the authenticity of the records. All migrations involve some level of data change and compromise and this is a threat to the ongoing integrity of the records.
  • Data storage and description requirements change over time and we have seen a number of agencies adopt a similar strategy to the one described. The problem that a number of them have encountered is that, because the system primarily needs to be used for current business purposes, the system architecture is regularly changed in order to meet current business requirements. The older database structures controlling the older records are not aligned to the new structure and this has rendered a lot of their information inaccessible, or has meant that they have had to implement costly work-arounds in order to continue to access the older data.
  • IT backups are for disaster management purposes, not long term recordkeeping purposes. Again, given the high accountability requirements associated with these records, back ups which are point in time and configured for disaster recovery purposes are not an effective recordkeeping strategy for such high risk records.
  • We have seen other instances where staff have been told that there data will be stored indefinitely, never to be deleted, but when push comes to shove, these systems are active business environments and current ICT and business priorities generally win out over longer term archival concerns.
  • Under the Standard on Full and Accurate Records and the Standard on digital recordkeeping, records must be ‘fixed’. This means that they must be locked down and changes must not be able to be made to them. From the description provided, it seemed the business system did not have this functionality, just audit trail functionality. Given the long term significance of the records described, they need to be locked down and not able to be changed or edited.

For all these reasons we thought there was too much risk associated with this proposed strategy.

We did say that if it suits your business purposes to have all past and present information stored in the one system for searching and business intelligence purposes, then there may be some validity to copies of all data in the business system. However from a recordkeeping perspective, we said that the organisation also does need to have a definitive, authentic master or archival set of these records. We said that this set does not need to be complex of difficult to generate. We recommended that they run a regular report which is captured and managed as the official record, or that they come up with their own strategy to give them a definitive, controlled and searchable record.

Is Facebook a government business system? My IT section says that it is not.

Yes! If you are using it for government business purposes, then it is a government business system and you need to make arrangements to manage the information you are producing and receiving.

Facebook however is not a recordkeeping system – it is owned by an external third party and it is located in the cloud. If you need the business information in Facebook to account for your actions, to incorporate in business processes, to track decisions you have made, to provide input into policy development etc etc, then you need to actively export this information out of Facebook because there are no guarantees that it is going to stay accessible in your Facebook account for as long as you are going to need it.

This however does need to be a risk-based decision. For example, if a Facebook account is just used by a library to promote new acquisitions and (for example) library promotional material only needs to be kept for business and legal purposes for 2 years, then you may decide that leaving it on Facebook is an OK recordkeeping strategy. If however officers are providing development advice on Facebook or answering questions about high level business plans, then this is more contentious and trusting Facebook to keep this information for the much longer retention periods that apply to this type of information is not appropriate.

The standard process at this stage for recordkeeping in Facebook and other social media environments is to do a regular export of your data from these systems.

IT staff do need to understand that Facebook is a business system and that genuine and risky government business is already taking place here. So the export you do and the information you need to capture from Facebook needs to be an accurate representation of the business that is being performed. You need date and time representation of transactions, of comments, of posts, possibly of likes. It is important to sit down with business and determine exactly what they are going to need to account for the actions and transactions that are starting to take place in Facebook. And the business moving to social media and mobile environments is only going to increase, and so it’s important to put in place strategies now that are going to enable you to have good and meaningful information both now and in the future.

What tools can I use to make records of my social media communications?

As social media systems are third party, cloud based applications, they do not generally integrate with existing organisational EDRMS or other corporate business systems for recordkeeping purposes.

Given people and organisations want to keep track of the business they are doing in social media systems, social media back up systems have evolved as third party tools to plug some of these gaps. These tools can often be used to provide exportable records of social media activity which can then be captured in corporate recordkeeping systems.

Government organisations are already using:

• Backupify (for Twitter and and some Google apps)

• socialsafe.net (for Facebook)

• Hootsuite (for social media monitoring)

These and similar services are often free or very low cost. They are not the most dynamic records but they at least offer a mechanism for making and keeping this important business information, and reusing it in business processes.

Social media monitoring tools can also provide good recordkeeping value. These tools potentially provide recordkeeping plus some business value – ie you get a record of your tweets etc but you also get added contextual data that tracks the reach of your tweets, or the extent of your followers, or other information about the impact of your social media exchanges.

Do we still need to create paper records?

We had the interesting enquiry this month, that if some of my records need to be kept as archives, do I need to create these records on paper?

The answer is no. A record is a record whether it is paper or digital. An archive is an archive, whether it is paper or digital. If your business practice is to create records digitally, you do not have to make any changes to your standard processes and print out the minutes in paper just because they are archives. Keep them as digital records and make sure you manage them safely and securely so they will continue to be useable and accountable for as long as you need to use them.

Under the State Records Act, can we keep records in the cloud?

Yes, you can definitely keep your records in the cloud.

The State Records Act is designed as a support for government business, wherever that business might occur. The Act does not inhibit your ability to choose flexible, cloud-based options for your business. However, as with any other form of outsourcing, when you move your business information to the cloud you need to be sure that your information will be well protected, well managed and able to be brought back into your organisation if required at the conclusion of any cloud storage arrangements.

We have published some advice on recordkeeping in cloud arrangements. This advice is available in Recordkeeping in Brief 54.

My records are stored on the network and the backup system. Is this OK?

This question would have to be in our top 10 of all time most popular questions.

It is important to be aware of the weaknesses of network storage, particularly for high risk, high value business information. Data in a network environment is seldom read-only which could raise accountability and authenticity risks. It can usually be deleted without many problems which again raises accountability risks. Many network environments are locked down to particular business units which limits corporate information accessibility. Network environments are often cleaned up by well meaning individuals without considering information retention rules. Version control and pinpointing definitive information can be difficult in a network environment and important information can be lost or simply rendered inaccessible because of this. You also can’t manage information in network drives and have audit trails of your management actions. This can impede business and lead to data without integrity.

So network environments are not very efficient or very accountable record storage environments.

Also, it is important to be aware that backup tapes are an excellent disaster management solution but they are not a recordkeeping solution. They are not a solution to ensuring ongoing accessibility and useability of high risk, long term value information. They are simply a cupboard into which you put stuff. And just because you put things in a cupboard, it doesn’t mean they will be accessible or able to be found or able to be opened and used once you get there. Backups are for retrieving your information tomorrow after a disaster. They are not a managed and appropriate system for storing data and maintaining its accessibility and integrity in the long term. They are a copy of your network environments too, so any problems that existed there will simply be replicated in your backup environment.

Can I destroy paper records after I scan them?

The three different people who asked this question this month were told yes, they can destroy these paper originals after they have been scanned. This destruction is authorised by GA36, Imaged records, issued under the State Records Act.[UPDATE – January 2015: GA36 has been replaced by GA45] This authority gives you permission to destroy paper originals provided the records have all been scanned and captured appropriately. The scanned image of the record must be retained as the official record for as long as required under the relevant disposal authority.

The one proviso to the blanket approval to destroy paper originals after appropriate scanning this is that records required as State archives that were created prior to 2000 should be kept in paper form. This proviso however did not apply to the records our enquirers were scanning.

State Records has released very extensive digitisation guidance. This is available in Guideline 25.

In particular see the sections relating to Managing original paper records and Disposal of original records after digitisation.

My records are protected against disaster. Are there other risks I should protect them against?

Yes. Most information risks that organisations need to mitigate are not covered by disaster or business continuity planning processes. These are risks like:

  • information not surviving for as long as it should
  • information not being accessible
  • information not being kept in the first place.

To identify what information might be facing these types of risk, look firstly at your disposal authorities. These reflect the various legal, business and operational considerations that apply to your organisation’s business information. If a lot of the information in your organisation has a 2-5 year retention period then you do not need to worry terribly much about it. The business system, network and other environments where the bulk of this information is stored should be fairly robust and stable for this 2-5 year period.

What you need to be concerned about is any information that needs to be kept for longer than 5 years. Disaster management plans deal with how this information will be available tomorrow, but Council also needs to develop strategies and approaches for ensuring this information is going to be available in 5, 10, 20 or 50 years or whatever your specific business needs and retention requirements are. Meeting these types of requirements and mitigating these types of risk can potentially require as much planning as business continuity scenarios.

For example, an organisation’s engineering design records are likely to have long retention and necessary accessibility periods. You could investigate whether this is a consideration in the current creation, storage and management processes around these records? Are they being created in stable formats that will help to ensure their long term accessibility or are they kept in CAD formats that are more subject to change? In the digital environment, it is necessary to assess these types of broader information risks that might apply to many long term records.

You should also consider your business systems. Do they have the capacities to actually create and manage information? Many current systems do not have this capacity. Can your systems export data? Are some more subject to change and upgrade than others? Look at the systems supporting your high risk business processes and generating your long term value corporate data and determine whether they actually have the capacity to make and keep the information you need, and to keep this information for as long as you need it. If they can’t, you will need to develop some risk mitigation strategies to ensure your organisation has the information it needs for as long as it needs it.

What record formats does State Records say I should use for my archival value records?

State Records has no specific format requirements. We have issued general advice which states that where possible, you should try to control and limit the number of file formats you use and, where possible, you should try to use open formats. These recommendations are included in our large guideline, Managing Digital Records.

Given their extensive use, standard Office formats are also regarded as relatively stable and therefore appropriate for archival value records.

The Digital Archives team at State Records is developing plans and processes to accept whole business systems as archives. They are also currently piloting other digital archives transfers. A research paper outlining their system migration strategy is available via the Future Proof blog.

In general, for digital records of archival value we recommend that they are created and stored in an appropriate format, that they are identified as archives early in their life span so that they can be appropriately protected and managed, and that they continue to be protected and managed even when they are no longer in active business use.

That’s all folks!

And those are our FAQs and corresponding advice for October. As usual, we love receiving your comments, questions and feedback so let us know your views on any of the advice we have provided.

Leave a Reply

You must be logged in to post a comment.