Manage record access and security

This section discusses the importance of managing the security and accessibility of your records. It focuses on how the DIRKS Manual can help you to meet your record access and security requirements.

Records access and security

Recordkeeping systems should provide timely and efficient access to, and retrieval of, records. Systems should also include and apply security controls on access to ensure the integrity of records is not compromised.

Having an effective access and security program in place will help to ensure that records:

  • are available, when appropriate, for use
  • are not subject to unauthorised use
  • cannot be altered, and
  • cannot be inappropriately destroyed.

Doing DIRKS to manage record security and access could involve:

  • identifying access and security requirements that relate to specific business activities and/or business units
  • allocating the appropriate classifications or access rules to records
  • incorporating requirements in a suitable, responsible and compliant way in recordkeeping systems, and
  • monitoring decreasing sensitivities and changing requirements in systems over time.

Tip: Don't be over-prescriptive
Access to records should only be restricted when there is a business need or when restricted access is required by law. Staff of your organisation need access to records - try to facilitate this wherever possible.

Ideally, record access and security should be defined and implemented across your whole organisation. Such a project could, however, be implemented in stages, so you could examine your organisation's access and security requirements by unit or function. Priority should be given to areas where you have identified higher risks for unauthorised disclosure.

Identifying records access and security requirements

Undertaking Steps A-C of the DIRKS methodology can help you to identify the types of requirements your organisation has concerning record access and security.

Step A: Preliminary investigation

Step A will provide you with a broad overview of the requirements relating to access and security that your organisation is subject to. In Step A you should identify:

  • what existing rules for access and security operate in your organisation
  • the access and security rules contained in:
      • government-wide and industry-wide legislation
      • policies and codes of practice, and
      • specific regulatory sources for your organisation.

Example:

Your Step A analysis may reveal that your organisation needs to implement an access and security program in order to protect:

  • personal information, according to the requirements of the Privacy and Personal Information Protection Act 1998
  • the commercial confidentiality of some of the business operations you conduct, and
  • the physical security of your organisation's premises.

Your Step A analysis should reveal the need to comply with public rights of access to your records contained in:

    • State Records Act 1998
    • Government Information (Public Access) Act 2009, and
    • Privacy and Personal Information Protection Act 1998.

    Your development of access and security frameworks will need to take these requirements for both security and accessibility into account.

    The sources you examine in Step A will also help you to understand what business is performed in your organisation, how and why it is performed and who is involved. This is important knowledge if you wish to establish better access and security frameworks. Risks and stakeholders are also examined in Step A and both of these may impact on your decision making about access and security requirements.

    Tip:
    Security and access classification is a risk-based decision - use your awareness of the risks faced by different areas of your business to prioritise how and where you need to most securely manage your organisational information.

    When your focus is on one business function or unit

    Even if you are intending to develop access and security regimes for one function or business unit at a time, you should still broadly analyse your organisation and its operations in Step A. You can then start to concentrate on those areas that relate to access and security in the particular function or business unit you have identified as a priority.

    Legacy records

    Remember you may also have legacy records that will require access decisions, so you may need to do some research into the history of your organisation or the particular function or area of business in Step A, and build up a base of knowledge about the sensitivities that may have been involved in your organisation's past business activities.

    Step B: Analysis of business activity

    In Step B you learn about business processes and practices at a more detailed level, and identify the records that are generated from them. This assessment will help you to understand:

    • which records require access and security management, and
    • where the risks in relation to access and security management lie.

    A key product of Step B is a business classification scheme. This is a tool that maps the business your organisation performs, by identifying the functions, activities and transactions that comprise your business operations. Your access and security requirements can be mapped to this framework to help you identify and manage these requirements.

    When your focus is on one business function or unit

    If you are developing access and security regimes for one business unit or function at a time, you should still look at this analysis broadly, and at least map a preliminary classification scheme before concentrating your attention on one particular area.

    Step C: Identification of recordkeeping requirements

    In Step C you will need to identify all of the recordkeeping requirements - requirements contained in legislation, best practice requirements or community expectations - that relate to giving or restricting access. The regulatory environment for the government and industry in which your organisation operates will establish broad principles on access rights, conditions and restrictions. There may also be specific requirements for the organisation.

    If you have completed Step A: Preliminary investigation, this will involve examining in closer detail many of the sources already identified. In Step C you need to consider and assess the risks of not meeting the requirements and ideally you should map these back to your functions and activities (in the business classification scheme if you have completed Step B: Analysis of business activity) to understand the business context in which the requirement applies.

    At the end of Step C you will have identified the range of specific requirements that govern access and security in the area or areas you are assessing. You can then start translating these into specific decisions concerning record accessibility or restriction that you want to implement in your recordkeeping system.

    Tip: Discuss your recommendations with colleagues
    Do not forget to discuss the access and security decisions you come up with in Step C with your colleagues, particularly those in the business areas that will be affected by your decisions.

    Tip: Do not forget public access
    During the course of your Step A to C assessments, keep your public access requirements in mind. Under the State Records Act, the public is entitled to access any record in your organisation that is over thirty years of age.
    Your organisation has the right to determine what records over thirty years old should be open or closed to public access. Think about this issue as you work through your assessment and identify which of your records should be open or closed to public access. Guidance on making these decisions is contained in Procedures for Making Access Directions.

    Ensuring that your recordkeeping systems support access and security

    Doing Steps A-C of DIRKS helps you to understand your organisation's requirements relating to access and security. Steps D-G of the DIRKS methodology can help you to apply this knowledge. These steps of the methodology can help you to:

    • determine whether your existing systems enable your access and security requirements to be met
    • employ a range of strategies to identify how you can better meet your access and security requirements
    • undertake system design work where necessary, to help you meet your access and security requirements, and
    • implement access and security requirements effectively across your organisation.

    Step D: Assessment of existing systems

    In Step D you examine your existing systems to determine whether they are able to meet the access and security requirements you want to establish.

    In your Step D assessments you could determine whether systems:

    • employ appropriate metadata that clearly labels records that require restriction
    • capture audit trails that document when, how and by whom records have been accessed
    • have the capacity to restrict the access to certain records
    • have security policies and procedures that explain how particular records need to be managed
    • are supported by training programs which educate staff about security management
    • have documented business rules which specify which records, or classes of records, need to be protected, and
    • are regularly updated to reflect changes in staff and their responsibilities.

    This assessment will enable you to determine whether systems need to be designed or redesigned to enable you to implement your access and security requirements.

    Tip: Don't forget the security of systems that are managed by contractors on your behalf

    If some of your organisational functions have been outsourced, be aware of the security or confidentiality requirements that affect the records of these functions. It is important to build these requirements into the contracts you establish with your service providers. In your contract you could require that:

    • appropriate physical and technical security is exercised over your records
    • personal information contained within your records is managed appropriately
    • employees of the contracted service provider and their subcontractors are aware of the requirements of the Privacy and Personal Information Protection Act and the security controls you have specified, and
    • personal information is destroyed using appropriate and authorised disposal authorities by the service provider.

    In Step D, you should assess whether the systems your service provider is using meet your security requirements.

    You should include in your contract a range of penalties that a contractor will be subject to if they breach the access and security requirements you have included in your contract.

    Step E: Identification of strategies for recordkeeping

    In Step E you decide how to rectify any business information systems that are not adequately managing your access and security needs. In this step you come up with broad ideas for what you want to achieve and how you want to do it. Step E recommends four strategies for turning business information systems into recordkeeping systems:

    • policy
    • design
    • standards, and
    • implementation

    You can use these strategies individually or in combination to help ensure the effective implementation of your access and security program. The most effective solution is likely to come from a combination of strategies.

    Example:
    In Step E you may decide that for your high risk records, you will design a technical component of your system that does not enable staff members to see the file titles of records they do not have authority to access, as well as the records themselves (a design tactic). You may also decide to introduce an access policy (policy tactic) and a briefing session on responsibilities and rights of access (implementation tactic) to clearly explain security requirements to staff. In combination you are satisfied that this range of tactics will enable your security requirements to be addressed.

    If you are seeking to introduce access and security classification schemes across a range of organisational systems, you may have to decide upon slightly different approaches in each system, depending on the records they administer and their:

    • size
    • role
    • technical infrastructure, and
    • user requirements.

    Step F: Design of a recordkeeping system

    In Step F you design solutions, based on the strategies you developed in Step E: Identification of strategies for recordkeeping, that will enable you to meet your access and security requirements. That is, in Step F you:

    • draft policies
    • develop technical components of systems to enable you to control access
    • develop training programs, and
    • draft business rules etc.

    Example:
    If provision of access to records to members of the public has been identified as an area you need to address, you may want to issue a public policy on this point.
    See the Department of Corrective Services policy on public access as an example.

    Example:
    If you have adopted the design tactic, in Step F you could develop an application which enables your records management software to inherit the logins and consequent security controls that govern access to your IT systems. This will ensure consistent control is exercised across your organisation and will save significant duplication of effort.

    Example:
    If you have adopted the design tactic, you could develop a means to issue a message to all staff at login, that reminds them of their obligations in relation to information security.

    Example:
    If you have decided to adopt the implementation tactic, you will focus on improving the way systems operate in order to improve record security. You may therefore decide to put a lock on the file room door, or move records staff so that they are adjacent to records storage areas to better monitor the security of these areas. Alternatively you could restrict access to the technical components of systems to the staff who have a requirement to use this system as a part of their business activities.

    Example:
    If you have adopted the policy tactic, you draft a policy that specifies the different levels of security that operate across the business areas in your organisation. You also draft business rules that specify how and by whom security is to be managed across the range of your organisational business systems. You then implement procedures that require IT staff to update system user permissions as soon as staff leave or arrive in the organisation.

    Example:
    If you have decided to adopt the implementation tactic, in Step F you will develop training programs to educate your staff about security issues. You may decide to develop an induction training program that informs new staff about privacy and other considerations they need to remember in their day to day business activities.

    Step G: Implementation of a recordkeeping system

    In Step G you implement the range of access and security solutions you have developed. When implementing this step you:

    • provide staff with the policy and business rules you've developed
    • present training courses and answer staff questions about security issues, and
    • train staff in system use, if the security controls you've implemented have made a significant difference to system operations.

    Example:

    Further examples of the implementation tactic include:

    • requiring all new staff to sign a form acknowledging their understanding of obligations concerning the disclosure of information and protection of private information
    • providing an update of security issues at monthly staff meetings
    • conducting an annual refresher course on security issues and responsibilities.

    Be aware that if the implementation of your access and security requirements is poor, staff and others may gain access to restricted records, which could breach the Privacy and Personal Information Protection Act 1998 or other legislation. Breaches could result in high financial costs and public embarrassment.

    Therefore, be sure to devote adequate resources that enable your access and security requirements to be met.

    Reviewing strategies for records access and security

    Step H: Post implementation review

    Don't forget that an important part of access and security programs is to monitor security and access and to update your schemes on a regular basis. In Step H you monitor access and security regimes to ensure they continue to be based on your broad and specific recordkeeping requirements.

    Any breaches of security should be used to initiate or inform your monitoring and revision process.

    Further information

    Further information about determining access requirements for records over 30 years old under the State Records Act 1998 is provided in:

    Further information about privacy provisions can be obtained from Privacy NSW. Further information about the Government Information (Public Access) Act 2009 can be obtained from the Office of the Information Commissioner.

    Information on security can be derived from sources including the Government Chief Information Office's:

    International Standard ISO 17799, Information Security Management and its Australian compliance standard, AS 7799.2 available for purchase from Standards Australia.

    These sources should be read in conjunction with the steps of the DIRKS methodology and the advice given above.