Future Proof – Protecting our digital future

Recently, State Records staff attended a very informative session hosted by the NSW Privacy Commissioner, Dr Elizabeth Coombs. This “Privacy Matters” event was held to mark Privacy Awareness Week, which is an initiative supported by the Asia Pacific Privacy Awareness forum.

State Records had a stand at the forum in conjunction with staff from NSW Finance and Services. In preparation for the event, and in the spirit of privacy awareness week, we have been thinking about how information and records management can improve privacy management for public sector organisations.

As you all know, State Records NSW is responsible for the State Records Act 1998, which contains obligations for the management of records and information across the NSW public sector. Achieving appropriate protection and accountability when managing private information is an important objective underlying our guidance and standards. 

To support organisations to understand and implement good records and information practices, State Records has recently issued the new Standard on Records Management, which consolidates five previous standards into 21 requirements under three core principles:

Principle 1: Organisations take responsibility for records and information management

Principle 2: Records and information management support business

Principle 3: Records and information are well managed

We think that these principles are very supportive of privacy management.

How does information and records management support privacy?

Managing the privacy aspects of government information is closely connected with the maturity of information and records management in an organisation.

Organisations which have well defined, easy to use, and appropriately monitored information and records management processes and tools will have a much better base from which to manage their privacy obligations.

The privacy rights and concerns of individuals, and the legislated responsibilities to support these, are one of the key outcomes supported by well managed information. Examples of this include:

Classification of information for recordkeeping purposes reduces the chance that information is accessed or used for a purpose other than it was intended

Privacy breaches can occur because information is managed only within the very narrow scope of executing a process, at which point it may not be managed any further. Recordkeeping classification in based on an understanding of both immediate business needs and obligations over time.

Control of information provides the ability to audit access and usage

When information has been poorly managed, an organisation may be unable to demonstrate if it was kept safe. Information which has been controlled by appropriate information and records management processes and systems can demonstrate that information was kept safe, or allow misuse to be identified and rectified.

At the forum, one of the event’s panellists spoke about the limitations of many organisations’ approach to information security, in which they protect the perimeter of the digital environment but do not examine the weaknesses within that environment.

Rather than assuming information security provides an impermeable fortress, the internal processes for managing digital information should appropriately reflect the sensitivity of the information, such as the privacy of individuals. If the organisation’s system has appropriate protections designed in to and robust procedures, then the impact of security failures will be significantly mitigated.

Authorised disposal of information no longer required for business or accountability purposes ensures that privacy-sensitive information is not retained longer than legally required

Managing private information is a key benefit of an authorised disposal framework. It addresses community expectations that sensitive information is not retained when it is no longer necessary, provides organisations with an accountable framework for avoiding the accumulation of extraneous client information, as well as providing a justification for the retention of private information that is required for long-term purposes.

Well described and managed information allows for straightforward and time-efficient “informal release” of information about an individual to that individual

Individuals have rights to access personal information about them held by a government agency under the Privacy and Personal Information Protection Act 1998. Properly identified and well managed information allows this process to be managed better for both the government agency and the individual.

Feedback welcome!

More information about our rules, guidance and resources is available at www.records.nsw.gov.au/recordkeeping.

As always, we welcome feedback and examples regarding ways in which your information / records management programs and projects have demonstrated benefits, so if you have an example you would like to discuss with us, please get in touch!

Photo: Flickr (CC BY-SA 2.0)