What is information rights management? | Implications of information rights management for recordkeeping in NSW Government | Ensuring that information rights management does not impede recordkeeping | For more information

Information rights management is a persistent file-level protection technology that allows users to specify who can access and use documents or e-mail messages, and prevents unauthorised accessing, printing, forwarding or copying. Controls are applied using encryption technologies.

Information rights management is currently a feature of Microsoft Corporation's Office 2003 software. It can be applied in Office applications including Outlook, Word, Excel and Powerpoint.

Can Office 2003 be deployed without information rights management?

Microsoft Office 2003 can be deployed without enabling support for information rights management (IRM). Organisations concerned about the effects of information rights management can safely deploy Office 2003 without enabling support for information rights management.

How is information rights management enabled?

Information rights management support is not enabled by default. It requires the explicit deployment of an infrastructure to support rights management, and purchase of client access licenses to access the supporting infrastructure. Rights management is an optional component of Windows Server 2003. Deploying Windows Server 2003 will not result in the deployment of the rights management infrastructure by default.

Can access to information rights management be limited?

Access to information rights management capabilities can be limited to nominated users within an organisation. Access to the user interface component that enables users to create rights protected documents can also be controlled by policy. This makes it possible for an authorised user to receive rights-protected content, but not actually create it themselves.

Can the controls on a document be 'turned off'?

Designated users with the necessary permissions can override controls applied within their own rights management systems (usually within a single organisation). Users cannot, however, remove controls applied to messages and documents received from outside the system.

How can you tell if a document or message is rights protected?

There are a number of things that will alert users to the fact that a document or message is rights-protected:

• it will be indicated in header information or in 'Properties'
• the content of the document or message may not be immediately available. In this case, the recipient will be required to electronically apply to the author’s rights management service in order to be ‘approved’ to access it. In the meantime, they will be able to access metadata such as its title and creator
• when a recipient of a rights protected email replies to the email, the original message will not be shown in the reply as usually occurs.

Recipients of rights protected documents and messages will need to use the tools in the relevant application (for example, trying to 'Print' in Word) to check exactly what they are permitted / not permitted to do with the document or message.

Regulatory and legislative requirements

Because this technology is designed to limit access and use of information, it has the potential to:

• be an impediment to the creation, capture and management of full and accurate records in accordance with the State Records Act 1998, or
• result in breaches of obligations to produce documentation to competent external authorities such as the NSW Audit Office or the Independent Commission Against Corruption (ICAC).

The use of information rights management technology may also compromise an organisation's ability to meet the requirements of the Electronic Transactions Act 2000. Sections 10 and 11 of the Act are designed to allow an organisation to produce, record and/or retain information in electronic form when the original requirement was for that information to be recorded and/or kept on paper. In addition, these sections set rules which are designed to ensure the integrity of the electronic information that is kept.

While each case should be assessed separately to determine compliance, it is possible that an organisation using information rights management technology could be found not to have complied with these sections of the Act because it has set rules for electronic information that limit its retention or use.

Necessary functionalities of recordkeeping systems

State Records has been in contact with the records/document management software vendors that are approved under the Government contract ITS 2323 - Records and information management systems on this issue. Some vendors have reported to State Records that the implementation of information rights management may cause a number of problems for the operation of their products, including problems with:

• registering, retrieving and rendering electronic messages and documents
• rendering of documents to other formats, and
• cutting and pasting areas of text from documents for reuse.

Software vendors are looking in more depth at the implications of this technology for their products by, for example, reviewing the Software Development Kits (SDKs) developed by Microsoft and talking to their clients about their requirements.

Set the rules

NSW public offices should ensure that corporate policy and procedures relating to records and information management address:

• how information rights management, if used, fits with existing recordkeeping information management strategies
• how and when information rights management may be used
• who (staff positions) is responsible for assigning information rights, and
• how staff are to deal with rights-protected information.

These rules should be endorsed by the senior officers responsible for records management and IT. All staff should be made aware of these rules through normal communication and training channels.

If your organisation decides to implement information rights management, it is recommended that:

• the implementation of the technology is discussed with your records / document management product software vendor to ensure that the records software will continue to function effectively in the changed environment
• users remove rights protections from documents before registering them in records/document management systems, particularly where records are being captured electronically
• any electronic information that is being retained for business/accountability purposes in accordance with the Electronic Transactions Act 2000 is not inappropriately rights-protected using IRM technology
• administrators rights for an IRM system are not assigned to non-permanent employees
• positions responsible for administering or managing protected documents have handover of responsibility for these documents in any exit processes, and
• directory structure locations and the storage of rights protected documents is carefully managed to ensure that these documents are not 'lost'.

Receiving rights protected information

If your organisation is receiving rights protected documents and messages from other organisations, it is recommended that the documents/messages have all rights protection controls removed from them prior to their capture into organisational records/ document management systems. This may involve requiring the document/message sender to re-send the document/message or to use an alternative format or communication method.

Use recordkeeping systems to protect secure information

Public offices should ensure that their recordkeeping systems meet identified requirements for access and security, to prevent unauthorised or improper use of information. More detailed guidance on how to do this is included in State Records' 'DIRKS' Manual (see below).

Microsoft Corporation, Information Rights Management in Microsoft Office 2003: Summary Technical White Paper, April 2003

Microsoft Corporation, Windows rights management services information

State Records Strategies for Documenting Government Business: The DIRKS Manual , (2003).