Recordkeeping In Brief 54 Storage of State records with service providers outside of NSW
- What is permitted under the general authority
- Conditions applied by the general authority
- Checklist for public offices entering into arrangements with service providers
- Further reading
Under s.21 of the State Records Act 1998 a person must not ‘take or send a State record out of New South Wales’ unless permitted under the provisions of s.21(2). In general, this requires permission or approval from State Records.
However, there are occasions where public offices need to store records with service providers located outside of NSW.
* A number of public offices such as councils, area health services and universities are located near or adjacent to State borders and the availability of suitable storage providers for hard copy records may be in a cross-border location within Australia.
* Some public offices are outsourcing business functions to service providers. These providers may have or use data storage facilities located outside of NSW for the digital records they produce.
* Some public offices are using data storage service providers whose servers are located outside of NSW.
* Sometimes public offices need to take or send records out of the State temporarily for processes such as copying or migration to other formats.
To enable public offices to take and send records out of the State via arrangements with service providers, State Records has approved General authority for transferring records out of NSW for storage with or maintenance by service providers based outside of the State (GA35). This general authority provides approval for the transfer of records outside of the State for storage with or maintenance by service providers based outside the State on the proviso that the records are managed in accordance with all the requirements applicable to State records under the State Records Act.
Note: This Authority should be applied with caution, bearing in mind that the authorisations for taking and sending records out of the State are given in terms of the State Records Act 1998 only. Care must be taken not to take or send record out of the State in contravention of any legal responsibilities or business interests the public office may have. See condition 1. Assess and address risks below for more information.
The purpose of this Recordkeeping in brief is to provide further guidance on:
- how to comply with the conditions in the general authority
- how to ensure your organisation is meeting the requirements of the State Records Act for records created and maintained outside of the State
- issues to be aware of when entering into arrangements that will entail the storage and/or maintenance of records with service providers based outside of the State.
The General authority for transferring records out of NSW for storage with or maintenance by service providers based outside of the State (GA35) approves the transfer and storage of only some State records with service providers outside of NSW. The table below indicates what is permitted for particular types of records, what is required of public offices and the conditions that apply.
|Records||What is permitted||What the public office needs to do||Conditions applied|
|Records not required as State archives||Where there is an identified business need the records may be transferred and stored outside of NSW||Still-in-use determinations must be made for records over 25 years of age Access directions must be made for records over 30 years of age||Storage conditions and accessibility meet requirements of the State Records Act and standards issued by State Records Adequate contractual control Adequate monitoring|
|Records less than 25 years old which are required as State archives in a current retention and disposal authority||Where there is an identified business need the records may be transferred and stored outside of NSW||Once records are no longer in use for official purposes arrangements should be made with State Records to transfer them as State archives||Storage conditions and accessibility meet requirements of the State Records Act and standards issued by State Records Adequate contractual control Adequate monitoring|
|Records over 25 years old and identified as required as State archives in a current retention and disposal authority||May not be transferred and stored outside of NSW||Public offices may seek a specific authorisation for storage outside of NSW which will be assessed on a case-by-case basis|
|Records that are inaccessible because they are not adequately controlled (i.e. not sufficiently described or tagged with metadata)||May not be transferred and stored outside of NSW||Public offices should take steps to ensure the records are adequately controlled|
|Records that are not covered by a current retention and disposal authority||May not be transferred and stored outside of NSW||Appropriate disposal authorisation should be developed in accordance with State Records' procedures and submitted to State Records for approval|
The four main conditions for storing NSW State records with providers outside of NSW are listed below:
1. Assess and address risks
Storage and maintenance of State records with service providers can have a variety of legal risks, issues or implications. Therefore the public office should conduct a thorough risk assessment before entering into any such arrangement. Some of the relevant risks to consider include (but are not limited to):
- the risk that the organisation may not be able to control the relevant State records adequately, and may therefore fail to meet the requirement of s.11(1) of the State Records Act to ‘ensure the ‘safe custody and proper preservation’ of State records
- the risk that a person in another State or country may claim ownership or otherwise take control of the records.
- the risk that the records may not be returned upon request or at conclusion of the contract
- the risk that the provider or owner of the business may go out of business.
All statutory or other limitations on taking or sending records out of NSW should be considered as part of the risk assessment. For example, the special restrictions on the disclosure of information outside of NSW in s.19 of the Privacy and Personal Information Protection Act 1998 should be met.
The level of risk will vary according to the content or subject matter of the records and their level of sensitivity and importance to the business of the organisation or the NSW Government.
The risks identified during the assessment should be addressed by adequate measures to minimise those risks. This could include using appropriate contractual measures, obtaining appropriate legal advice, not using certain providers and not entering arrangements where there is an unacceptable level of risk.
An organisation may decide that some State records are simply too sensitive or important to trust to an interstate or overseas provider.
Organisations should also seek advice as to whether there is any legislation in the relevant interstate or overseas jurisdiction that will apply to the storage and maintenance of State records. For example, it is possible that the privacy laws of an overseas jurisdiction may affect the storage of information within the jurisdiction, even if the information did not originate in that jurisdiction.
Contractual arrangements should address the criteria mentioned in this Recordkeeping in brief.
2. Requirements in Act and standards issued by State Records
Facilities and services of service providers must be able to meet the requirements set out in the State Records Act and the relevant standards issued by State Records NSW. The public office is obliged to ensure these requirements are met.
Information about the State Records Act can be found on State Records' website.
The records management standards issued by State Records NSW are available as part of the Government recordkeeping manual.
Standards, like the:
- Standard on the physical storage of State records for physical records
- Standard on digital recordkeeping for digital records
- Standard on counter disaster strategies for records and recordkeeping systems for all records
provide specific benchmarks that should be communicated to a service provider through contractual arrangements.
Public offices and their providers should be aware of retention and disposal requirements for the records that are stored with interstate providers. Any disposal of records must be authorised by State Records, either through general or functional retention and disposal authorities or other forms of authorisation permitted under the State Records Act. Destruction must be undertaken according to State Records’ guidelines. Further information is available from State Records’ website.
For more information refer to:
* State Records’ Standard on the appraisal and disposal of State records
* State Records’ Disposing of records webpage.
Public offices and their providers should also be aware of requirements in the State Records Act and standards that apply to records that are long term or required as State archives in current retention and disposal authorities. For example still-in-use determinations must be made for records over 25 years of age that are still required for current business. There are also specific conditions concerning access to records over 30 years of age.
When records identified as having archival value reach 25 years of age the public office must make arrangements with State Records to transfer them as State archives and to assign access directions. These records need to return to NSW, either to State Records or to a relevant organisation with a distributed management agreement in place.
For more information refer to the following procedures published by State Records:
* Procedures for making access directions
* Procedures for transferring custody of State records as archives
* Procedures for making still in use determinations.
3. Contractual arrangements
Public offices should exercise due diligence when entering into arrangements with service providers involving State records. Public offices must ensure that all contractual arrangements with any service provider including providers outside of NSW must recognise that:
- ownership of State records remains with the State
- the public office has a continuing responsibility for the proper management of those records
- records will be returned to the public office when requested.
Further advice regarding contract inclusions can be found in the outsourcing publications listed below.
A particular issue that public offices should consider with contractual arrangements for digital records is the need to make provision for the return of the records to the public office if and when contracts are terminated. Specific provisions may be required to ensure accessibility can be maintained.
One organisation had a project managed by a service provider. At the conclusion of the project, the service provider handed them a CD containing all of the records from the project. The records were in proprietary formats and the organisation did not have licences to use these formats. They were structured in a way that would make it extremely difficult to migrate the records into the organisation’s recordkeeping systems. The accessibility of the records was therefore compromised.
A university had a large building project undertaken by a service provider. The university stipulated in the contract that the service provider establish an interface between the university’s ERDMS and their system for the ongoing export of records during the project. Therefore the records remained accessible during and after the termination of the contract.
The public office should require assurance that no copy of the records or information is retained by the service provider after termination of contract.
Any contractual arrangements for paper or digital records should address requirements for security, privacy and confidentiality.
Contracts should specify arrangements for the public office to monitor the service provider to ensure the requirements of the State Records Act and any other legislation are being met. Public offices must have mechanisms in place to ensure that third party access can be provided to records as required under any relevant legislation, this includes s.15 of the State Records Act which requires the public office to give the State Records Authority and the Authority’s officers access to State Records that the public office has control of to enable the authority to monitor compliance. This may mean that contracts need to specifically address how access will be given.
The public office is responsible for monitoring the arrangement with the service provider on a regular basis to ensure that all relevant requirements are being met.
For more information refer to:
State Records’ guideline Accountable outsourcing: recordkeeping considerations of outsourcing NSW Government business, in particular the ‘Contract inclusions checklist’
State Records’ Recordkeeping in brief Outsourcing records storage (RIB31), in particular the ‘Checklist for records storage facilities’ and ‘Sample questions for records storage providers’.
Public offices should ensure that a ‘yes’ response is able to be given to each of the questions in the following checklist. This will enable the public office to ensure they have addressed important aspects of their relationship with the service provider. It should be noted that this list does not cover specific ICT matters which also need to be addressed with the service provider (such as business continuity planning, disaster recovery and system security requirements).
|Checklist for public office entering into arrangements with service providers|
|1.||Have you identified whether any hard copy or digital records are being or to be stored outside of NSW?
|2.||Does the service provider conform to best practice in records storage and handling, in particular the principles specified in State Records’ Standard on the physical storage of State records and the Standard on counter disaster strategies for records and recordkeeping systems?
|3.||Does the service provider conform to best practice in the logical management of digital records as defined in State Records’ Standard on digital recordkeeping?
|4.||Have you established adequate controls, including contractual arrangements with the service provider, to ensure the safe custody and proper preservation of your records in transit and storage?
|5.||Have you established adequate controls, including contractual arrangements with the service provider, to ensure that any disposal of records is appropriately authorised by current retention and disposal authorities issued by State Records?
|6.||Have you arrangements in place to monitor the service provider to ensure that they are meeting the relevant standards and requirements of State Records?
|7.||Have you arrangements in place to ensure that records required as State archives and stored outside of NSW are transferred to State Records in a timely manner?
|8.||Have you arrangements in place to ensure the appropriate return of records to your organisation at the end of the storage contract period?
For further information about the legal implications of 'cloud computing' (data processing and storage on computer platforms run by service providers) see:
- Navetta, David. 'Legal implications of cloud computing - Part 1 (The basics and framing the issues)', Information lawgroup blog, August 2009
- Forsheit, Tanya. 'Legal implications of cloud computing - Part 2 (Privacy and the cloud)', Information lawgeoup blog, September 2009
- Navetta, David. 'Legal implications of cloud computing - Part 3 (Relationships in the cloud)', Information lawgroup blog, October 2009.
State Records NSW would like to acknowledge use of the Archives Office of Tasmania’s State Records Guideline No.13: Storage of State records in non-agency facilities in the production of this leaflet.
© State of New South Wales through the State Records Authority, 2009.
First published 2009
This work may be freely reproduced and distributed for most purposes, however some restrictions apply. See our copyright notice for contact information.