A short guide to implementing the Standard on digital recordkeeping
Advice on meeting the minimum requirements of the Standard, including case studies of digital recordkeeping implementations.
- 4.1 Identify high risk business processes
- 4.2 Identify and define the digital records you need to create and keep
- 4.3 Capture the records into an official digital recordkeeping system
- 4.4 Manage the metadata
- Case study 1: Assessing business and recordkeeping needs in relation to the management of GIS data at Gosford City Council
- Case study 2: The implications of not keeping the metadata required by the Standard
- Case study 3: NSW Fire Brigades IAM system implementation
- Case study 4: NSW Fire Brigades recordkeeping metadata quality improvement
- Case study 5: Moving from keeping digital records in network directories to using a recordkeeping system
1. Using this guide
This guide contains generic advice on implementing the Standard on digital recordkeeping and case studies to demonstrate ways in which some organisations have made improvements to digital recordkeeping. Each public office that implements digital recordkeeping systems will have its own requirements, risk factors and technological environments to consider when implementing digital recordkeeping, and should tailor its strategies accordingly.
This guide should be read in conjunction with further guidance from State Records on digital recordkeeping. Public offices may also find the Future Proof podcast series or contributions to the Future Proof blog helpful; go to: http://futureproof.records.nsw.gov.au/
2. About the Standard
State Records' Standard on digital recordkeeping establishes a framework for making and keeping the records that are needed to support your business when it is done using information and communications technology (ICT) systems. The Standard applies to digital records in the form of email, scanned documents, work documents, data in business systems, web pages and many more.
Government business is reliant on access to relevant and accurate information and so it is critical that records are made and kept. In many digital business systems, however, the making and keeping of authentic, complete and accessible records is not an automatic process.
To make sure that your organisation has authentic, complete and accessible digital records whenever it needs them, the Standard requires that you:
- know what digital records are required to support your business
- routinely register these records in a digital recordkeeping system such as an Information Asset Management System (e.g. an EDRMS) or manage them as records within the business system
- adequately describe and manage these records using metadata so that they can be found when needed and trusted as accountable evidence
- make sure your business systems are configured appropriately to keep records or integrated with an IAMS so that they can make and keep required records.
3. Compliance timetable
State Records will be monitoring compliance with the Standard. You will be advised in advance of any compliance monitoring activities.
There is a timetable for the phased introduction (PDF, 55kb) of the requirements of the Standard. In summary:
- From 30 June 2009:
  For any new ICT systems procured or built from this date (IAMS/EDRMS or business systems), you should define whether digital records are required for the business the systems support. If so, you should ensure that, when implemented, the systems have minimum required functionality and metadata and are mapped to the metadata requirements of the Standard.
- By 30 June 2011:
  You should define those digital records that are needed to support high risk business processes using existing ICT systems.
- By 30 June 2012:
  You should ensure that existing ICT systems supporting high risk business processes, with defined digital records, have the minimum required functionality and metadata and are mapped to metadata requirements of the Standard.
4. Implementing the Standard
The following advice provides a roadmap for meeting the requirements of the compliance timetable for the Standard on digital recordkeeping, and therefore focuses on digital recordkeeping for high risk business processes. Public offices need to work towards overall compliance with the Standard for all business conducted electronically after they have addressed new systems and high risk business done using existing systems.
- Identify high risk business processes
- Identify and define the digital records you need to create and keep of those processes
- Ensure the records are routinely captured into an official recordkeeping system
- Create metadata mappings from the Standard to official recordkeeping systems to confirm compliance and for ongoing management purposes
4.1 Identify high risk business processes
The compliance timetable for the Standard on digital recordkeeping requires that public offices:
- define those digital records that are needed to support high risk business processes using existing ICT systems, and
- ensure that existing ICT systems supporting these high risk business processes have the minimum required functionality and metadata and are mapped to metadata requirements of the Standard.
4.1.1 Criteria for identifying your organisation’s high risk business processes
Identifying high risk business processes will depend on the nature of your organisation’s business. High risk business processes are likely to involve one or more of the following:
- regular, routine or direct contact with individuals (for example, a regulatory, enforcement, health or welfare activity)
- impact on citizens' rights, entitlements and wellbeing
- the creation of policy for offices with impact on individuals and communities
- the making of legal agreements on behalf of NSW Government
- the making of laws
- the determining of policy on government functions and activities
- a significant investment by Government
- an investigation by the ICAC, Ombudsman or other watchdog agency with recordkeeping issues relating to the process being identified
- processes that are open to corruption or the potential of corrupt behaviour
- a significant contribution to the economic and social development and management of NSW either directly or indirectly
- a significant contribution to the economy, the management of natural resources, the protection and security of the state, and/or infrastructure of NSW
- a major program of international/national/state significance
- records that are included in the organisation’s vital records register
- significant records relating to Aboriginal people and heritage
- profiling in the media for matters that indicate possible recordkeeping failures
or
- the production of State archives.
4.2 Identify and define the digital records you need to create and keep
To define the digital records required for high risk business processes you need to:
- analyse recordkeeping requirements
- based on identified requirements, define digital records including metadata and dependencies (see ICA guidelines) - at an adequate level of detail for implementation purposes. [1]
4.2.1 Analyse recordkeeping requirements
Recordkeeping requirements are requirements arising from regulatory sources, business needs and community expectations. They identify the types of records you need to create and the management framework you need to establish in order to have and accountably manage all the business information that is necessary for your organisation.
Recordkeeping requirements can exist for all business conducted using any type of system, from email systems to case management systems or websites.
Detailed guidance on the identification of recordkeeping requirements is available in Strategies for documenting government business: the DIRKS manual, ‘Step C: Identification of recordkeeping requirements’.
4.2.2 Define the records – structured data in business systems
Business systems, such as human resource management systems or case management databases, may consist of:
- a collection of data elements (or structured data) that are linked and controlled by the system, e.g. entries in a database
- distinct digital objects controlled by the system that have a clearly defined data format (or unstructured/semi-structured information), e.g. documents, emails or spreadsheets
or
- a combination of the above [2]
In order to meet an identified recordkeeping requirement for a particular transaction carried out using the system you should:
- identify the data elements and digital objects that make up the content of the record
- identify the management information (metadata) that needs to be persistently linked to the record.
Case study:
A University student services staff member updates a student’s exam result for a particular course in the Student system, a relational database, following an appeal. Owing to past instances of corrupt behaviour involving tampering with student results, this is considered a high risk business process for the University.
The recordkeeping requirement that the University has identified indicates that the following data elements must be saved:
- student (Name, ID)
- course (Name, ID)
- semester (Semester Name, ID)
- result (the new result)
- authorisation (Name, ID)
- student services operator (Name, ID)
- date of update
In addition, this record is required to be linked to the digital object which is the scanned copy of the appeal report. This collection of data and linkage to the scanned report is created by the system as an XML document that includes a hyperlink to the report’s permanent location in a separate database of scanned documents.
For records in unstructured data environments a greater level of specificity is required to enable implementation and monitoring.
Tip:
These types of definitions of records might be recorded in functional requirements / technical specifications for new or upgraded business systems, or in a report of a review of an existing business system.
4.2.3 Define records in unstructured data environments (emails, scanned records, documents, web pages etc)
There is a wide range of applications that generate unstructured data, such as the Microsoft Office suite of applications, web authoring applications and email systems. These systems are used to create letters, emails and other document-style digital records. Recordkeeping requirements may indicate that any of these need to be saved as a record.
Tip:
- a NSW Government agency that routinely provides advice to the public by email will have a recordkeeping requirement to save emails sent
- a Council that publishes policies affecting rate payers will have a recordkeeping requirement to save the policy as well as details of when it was published on the web.
Digital records in document-style form generally require less specificity to enable recordkeeping.
Appropriate ways to define these types of digital records may include:
- organisational policy stating that all outgoing business related emails are saved by the sender into the organisation's EDRMS
- a requirement in the specifications for the web content management system that each page published to the web is automatically saved to the organisation’s EDRMS.
4.3 Capture the records into an official digital recordkeeping system
The Standard on digital recordkeeping requires that any digital records the public office has defined for a process must be captured into an official digital recordkeeping system. A digital recordkeeping system can be:
- a business system with recordkeeping functionality
or
- a business system linked with a dedicated records management / information asset management system
or
- a dedicated records management / information asset management system.
The Standard further requires that to be regarded as a compliant official digital recordkeeping system, it must possess the following functionalities:
- capture read only versions of digital records
- retrieve and present digital records in human readable form
- restrict or permit access to records by specified individuals or groups
- capture and manage the minimum required recordkeeping metadata as defined in this standard.
4.3.1 Dedicated records management / information asset management systems
Dedicated records management / information asset management systems such as the tools available on the panel contract 2602: GSAS Information Asset Management Systems (IAMS) Software Applications already possess the minimum functionality required under the Standard on digital recordkeeping, as well as extended information and records management capabilities.
Details of the contract and the maturity matrix are available from Recordkeeping in brief: Selecting records management software (RIB 2).
4.3.2 Business systems as recordkeeping systems
Business systems generally do not automatically possess the required functionalities from the Standard on digital recordkeeping. It will therefore be necessary to enable these functionalities by:
- adding functionality to the system itself via programming
- integrating the business system with a recordkeeping system so that the business system creates and stores the records while the recordkeeping system performs functions such as access control and metadata management
or
- enabling the export of digital records and their associated metadata from the business system to a recordkeeping system, so that the recordkeeping system stores and manages the records and the metadata.
These options are not exhaustive; public offices may find other ways to ensure compliance with the Standard.
For more information see International Council on Archives, Principles and Functional Requirements for Records in Electronic Office Environments, 2008, Module 3: Guidelines and functional requirements for records in business systems.
4.4 Manage the metadata
4.4.1 Perform a metadata mapping
The Standard on digital recordkeeping states in requirement 3.2 that metadata mappings from the minimum requirements of the Standard to recordkeeping systems must be performed and kept and that these mappings must be updated where appropriate.
Performing a metadata mapping of this type should be a relatively simple process. It is in essence a matter of checking off the elements in your system against the requirements of the Standard.
The easiest way to perform the mapping is to simply have a list of the standard’s required elements. You then need to ascertain whether your system can comply with these requirements and make a note of how it does so.
A template for performing this assessment is provided below.
Sample mappings that show the type of data you could include in your mapping are provided in Appendix B of the Standard.
4.4.2 Point of capture metadata
Certain metadata elements need to be present as soon as a record is created or registered in a system. The following elements are necessary from creation to sustain the authenticity and useability of records.
| Required point of capture metadata: | Our corresponding element, captured when a record is created or registered in the system: |
|---|---|
| Unique identifier | |
| Title | |
| Date of creation | |
| Who/what created the record | |
| The business function / process it relates to | |
| The creating application | |
| Record type (e.g. letter, fax, memo, report, contract etc.) | |
4.4.3 Documenting recordkeeping processes
Before you can assess your recordkeeping process metadata, it is first necessary to identify the processes you perform on your records. Do you:
- capture/register records in your recordkeeping system?
- apply or change access rules to records in your system?
- transfer the ownership of some of your records to another organisation?
- destroy records in accordance with legal requirements?
- migrate your records to new formats or systems?
For any of the processes that you perform you will need to make sure that you can capture the following basic metadata.
| Required process metadata | Our corresponding element, captured when a recordkeeping process is performed |
|---|---|
| Document the date that the action occurred | |
| Document who or what undertook the recordkeeping action | |
| Document what action was undertaken | |
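The mapping check described in 4.4.1 to 4.4.3, as an added example that is not part of the Standard or of State Records' guidance: it checks a system's field mapping against the elements in the two tables above, then checks a record and its process events against that mapping. The system field names (`rec_id`, `doc_title` and so on) and the sample record are constructed for illustration; the unmapped date element mirrors the situation in Case study 2.

```python
"""Check a metadata mapping and a record against the minimum elements
listed in sections 4.4.2 and 4.4.3. Field names and data are constructed."""

# Required elements, worded as in the two tables above.
POINT_OF_CAPTURE = [
    "Unique identifier",
    "Title",
    "Date of creation",
    "Who/what created the record",
    "The business function / process it relates to",
    "The creating application",
    "Record type",
]
PROCESS = [
    "Date that the action occurred",
    "Who or what undertook the recordkeeping action",
    "What action was undertaken",
]


def unmapped_elements(required, mapping):
    """Return required elements that have no corresponding system field."""
    return [e for e in required if not mapping.get(e)]


def missing_values(required, mapping, item):
    """Return required elements that are mapped but empty or absent in item."""
    missing = []
    for element in required:
        field = mapping.get(element)
        if not field:
            continue  # already reported by unmapped_elements
        value = item.get(field)
        if value is None or str(value).strip() == "":
            missing.append(element)
    return missing


def assess(capture_map, process_map, record):
    """Report mapping gaps, record gaps and per-event gaps for one record."""
    report = {
        "unmapped_capture": unmapped_elements(POINT_OF_CAPTURE, capture_map),
        "unmapped_process": unmapped_elements(PROCESS, process_map),
        "record_gaps": missing_values(POINT_OF_CAPTURE, capture_map, record),
        "event_gaps": {},
    }
    for index, event in enumerate(record.get("events", [])):
        gaps = missing_values(PROCESS, process_map, event)
        if gaps:
            report["event_gaps"][index] = gaps
    keys = ("unmapped_capture", "unmapped_process", "record_gaps", "event_gaps")
    report["compliant"] = not any(report[k] for k in keys)
    return report


# Constructed mapping for a hypothetical system.
SAMPLE_CAPTURE_MAP = {
    "Unique identifier": "rec_id",
    "Title": "doc_title",
    "Date of creation": None,  # element never enabled (compare Case study 2)
    "Who/what created the record": "author",
    "The business function / process it relates to": "bcs_term",
    "The creating application": "source_app",
    "Record type": "rec_type",
}
SAMPLE_PROCESS_MAP = {
    "Date that the action occurred": "when",
    "Who or what undertook the recordkeeping action": "agent",
    "What action was undertaken": "action",
}
# Constructed record with two recordkeeping events.
SAMPLE_RECORD = {
    "rec_id": "REC-0001",
    "doc_title": "Appeal outcome letter",
    "author": "jsmith",
    "bcs_term": "Student services - appeals",
    "source_app": "",  # creating application was not captured
    "rec_type": "letter",
    "events": [
        {"when": "2009-03-02", "agent": "jsmith", "action": "registered"},
        {"when": "2009-03-05", "agent": "", "action": "access rule changed"},
    ],
}

if __name__ == "__main__":
    for key, value in assess(SAMPLE_CAPTURE_MAP, SAMPLE_PROCESS_MAP,
                             SAMPLE_RECORD).items():
        print(f"{key}: {value}")
```

Running the same check over every record in an export shows whether a gap lies in the mapping itself or only in individual records.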
5. Case studies
Case study 1: Assessing business and recordkeeping needs in relation to the management of GIS data at Gosford City Council
Summary
Gosford City Council looked at its business requirements and identified that it needed to keep specific geographic data records in order to account for its business decisions. Rather than configure numerous business systems, it decided that it needed to use IAMS software to do this in a comprehensive way and implemented policies and procedures to make this happen.
In assessing its business needs and making changes to support those needs, Gosford City Council has also complied with all requirements of the Standard on digital recordkeeping.
Detailed description
Like all local government authorities, Gosford City Council is reliant on accurate geographic data. Virtually all of its billing, planning, waste management and other activities are based on geographic data and so the Council has identified that this data needs to be maintained as an authentic and accountable record so that Council can justify and explain its billing and planning decisions.
The Geographic Information Systems (GIS) used by Council, however, are not recordkeeping systems in that they overwrite data and do not keep a fixed record of the geographic information at a particular point in time.
Council recognised that it needed fixed records of its geographic information so that it could say, ‘on this date, this was the specific geographic data on which all these business decisions were based’. It then set about identifying the ways it could keep accurate and accountable GIS records.
It employed the following strategies:
- implementing detailed quality assurance and quality control processes to regularly test the accuracy of GIS information in the GIS software
- keeping records of all quality assurance and quality control testing and storing these in the Council IAMS
- developing corporate GIS policies and procedures to cover issues such as GIS access, data creation, editing/maintenance, application development, data capture, map production and data provision to external customers
- because the GIS cannot keep fixed records, implementing a key new policy that requires the quarterly export of the corporate GIS database including its metadata, users and permissions as XML files and capturing these into the Council IAMS which is the Council’s official recordkeeping system.
These strategies combine to ensure that an accountable, fixed record of the geographic information that was used at any one time as the basis for Council decision making is kept and is easily accessible. Gosford Council has integrated recordkeeping into its business operations to provide accountability for its decision making and to improve its business practices.
In meeting its own business needs, the Council has also complied with the Standard on digital recordkeeping. In establishing that it needs GIS records to account for its decision making it has defined its digital records and identified those that need to be made and kept. It has implemented an IAMS to serve as Council’s digital recordkeeping system. Its IAMS came pre-configured with all necessary management data and so it is meeting the metadata requirements of the standard as well.
Case study 2: The implications of not keeping the metadata required by the Standard
Summary
One organisation bought an information asset management system (IAMS) to use as its official recordkeeping system. However it did not map basic metadata requirements to the system (as per requirement 3.2 of the Standard on digital recordkeeping) and consequently did not enable all necessary metadata elements. This meant they could not run necessary reports and created very costly problems for them to remedy.
Detailed description
When implementing its IAMS, one organisation did not see the benefit of applying date of creation metadata to the records it captured in the system. This is a mandatory requirement in the Standard on digital recordkeeping that should be incorporated into all business systems. Although it was an element in the IAMS, it was not activated by the organisation in its implementation.
Shortly after the system went live it was realised that as a consequence of the lack of this date element, it was not possible to run reports based on date criteria, nor to automate business activities based on date information. This had a significant impact on business efficiency. The costs associated with modifying the system and retrospectively applying date data to records already in the system were large and could have been avoided if the organisation’s metadata needs had been adequately assessed in the system design phase.
Case study 3: NSW Fire Brigades IAM system implementation
Summary
NSW Fire Brigades wanted to update its recordkeeping system to effectively manage digital records and improve information access throughout the organisation. In doing so they complied with the requirements of the Standard on digital recordkeeping.
Detailed description
NSW Fire Brigades had a records management system that had been in use for over ten years. As a very large organisation with over 4000 staff spread across the State and as an organisation that performs a high risk and critically important role, Fire Brigades had a significant business need to make its digital information more accessible to all its staff.
To achieve this objective, Fire Brigades began by looking at its business needs. Its key driver was information accessibility, but it also wanted the ability to secure certain records dealing with personnel issues, fire risk assessments etc against inappropriate access. Given the large volume of records created daily in the organisation, it also wanted the ability to apply records management controls to greatly facilitate the management of these records. It also wanted a system that was very simple and intuitive for end users to use.
To find a system that met these needs, Fire Brigades used the Contract 2602: GSAS Information Asset Management Systems (IAMS) Software Applications. They selected the software application from this list that best met their needs.
Fire Brigades then tackled the task of assessing how their records were currently managed and how information was created, processed and used across the organisation. This assessment identified a number of information bottlenecks that they redesigned and resolved as part of the implementation of their new system.
Case study 4: NSW Fire Brigades recordkeeping metadata quality improvement
Summary
In implementing its new information asset management system NSW Fire Brigades wanted to improve its metadata implementation and make metadata a more useable business resource and a tool for increased automation. In making these changes to improve its business efficiency, Fire Brigades also complied with the metadata requirements of the Standard on digital recordkeeping.
Detailed description
Fire Brigades bought a new IAMS software application to replace its old records management system. As part of their system implementation project Fire Brigades assessed their current metadata practices, their business needs, the metadata capacities of their new system and the metadata requirements in the Standard on digital recordkeeping. They noticed that their old system contained a lot of inconsistent metadata that was making information retrieval difficult. Different staff were using the same metadata fields in different ways which made consistent use and management of the records more difficult. In their new system they decided to implement clear rules to specify what information needed to be captured into each of the required metadata fields. They also identified the mandatory metadata requirements of the Standard on digital recordkeeping and mapped these to the relevant fields in the new system to ensure that they were capturing the basic minimum metadata requirements.
Fire Brigades also decided to improve the picklists or encoding schemes that are used to populate some of the metadata fields. Improving these encoding schemes and providing a specific list of preferred values to staff as a default picklist of terms made metadata capture easier for staff and resulted in more consistent and useable data being captured in the system.
Case study 5: Moving from keeping digital records in network directories to using a recordkeeping system
Summary
One organisation was using its network structure as its recordkeeping system. When the Standard on digital recordkeeping was issued, they checked the capacities of the network against the requirements of the standard and discovered that their network was not an adequate recordkeeping system. They then took steps to employ a more appropriate system.
Detailed description
One organisation used its network structure to store all its digital records. It created a number of specific business folders to store all the records it created while conducting its different business activities. These folders had security attached so that only staff performing the business could access the records of that business. Some folders also had additional security that enabled the records they contained to be kept in a read-only form.
When reading the Standard on digital recordkeeping, however, they determined that their network management solution was not an appropriate recordkeeping system. The metadata captured in the network did not meet the standard’s requirements and it also increasingly did not meet the organisation’s requirements. The metadata did nothing to manage and authenticate the records stored within the network and in reality it served limited useability purposes. The minimal metadata description was also recognised as limiting the immediate and long term useability and manageability of the records. Because the network was really just a storage system and not a management system, all the records management activities in the network had to be done manually and no automation of standard management processes to save time and money was possible.
It was also recognised that the network provided no long term and rigorous capacity to audit record use, alteration and management. In some high risk business areas, this was seen as a significant concern.
The organisation had also noticed that, from a business perspective, the security controls of the network structure were not adequate. In general the organisation wanted broad business access with the ability to restrict access to only a few records where necessary. The network did not enable this degree of control and it was impairing business efficiency.
The organisation therefore took steps to implement a more appropriate recordkeeping system, one that met the basic requirements of the Standard on digital recordkeeping and one that better served the organisation’s business and management needs. It enabled them to make use of workflows, standard templates and automated metadata application, automated recordkeeping actions and very granular search capacities. The new system significantly improved information control and access and enabled much greater business efficiency. Using standard ROI metrics, it calculated that the return on investment was 500% after the first year of implementation.
Case study 6: Addressing recordkeeping issues in a business system
Summary
One organisation had a business system that performed critical business activities. The system had been in operation for five years and served as the organisation’s key procurement system. The organisation is very large and is involved in hundreds of procurement actions each day. After five years the system was overloaded with content. Its operational speeds were significantly less than what they should be, a problem which actually cost the organisation thousands of dollars in lost productivity every day. Comprehensive reports also could not be generated due to the different ways that data standards had been implemented over the years.
The organisation needed a strategy to identify records in the system and to determine a way in which these records could be exported to a dedicated records system which could manage and keep these records until they were authorised for disposal. The organisation used the requirements of the Standard on digital recordkeeping to identify ways in which proper recordkeeping capacities could be integrated with their key procurement system.
Detailed description
As required by the Standard on digital recordkeeping, the organisation started by seeking to define the digital records it kept within its system. It performed sequential analysis to identify the specific transactions involved in their business processes and to identify where in the course of these transactions a fixed record needed to be created as evidence of the completed purchasing transaction.
The organisation used the Standard to identify the basic metadata that would need to be applied to all records. This metadata was seen as necessary to standardise the outputs of the system and to enable data integration with other systems.
To then go about creating fixed records and necessary metadata from the numerous different data fields in the system, the organisation mapped their business transactions to fields in the database and identified the specific fields that needed to be brought together and fixed in order to make a formal record of their standard business transactions.
A template was developed to enable a fixed record of all necessary transactions to be created, a format for this record was decided upon, and a means to export this record from the business system into a recordkeeping system via a systems interface was developed. The recordkeeping system was designed to incorporate disposal rules to help manage the procurement records over time. Gradually fixed records of all transactions were exported from the system and the system regained its operating efficiency. The organisation was also assured that it had good, comprehensive records of its many procurement activities that were well managed and easily searchable.
Acknowledgements
State Records would like to acknowledge the kind assistance of a number of people in the production of this guide, including: Gregory Punshon, Gosford City Council; Dawn Routledge, NSW Fire Brigades and State Records' Digital Records Advisory Group.
Footnotes
[1] The Standard on digital recordkeeping notes that the level of detail used by the public office to define the digital records to be made and kept should be adequate for implementation purposes and based on an assessment of the risk associated with the records and the business they document.
[2] International Council on Archives Principles and functional requirements for records in electronic office environments Module 3 Guidelines and functional requirements for records in business systems 2008. Available online at: http://www.adri.gov.au/ICA-M3-BS.pdf
© State of New South Wales through the State Records Authority, March 2009.
This work may be freely reproduced and distributed for most purposes, however some restrictions apply.
ISBN: 978-0-9752176-9-6

