Managing the records and information management considerations of outsourcing NSW Government business
It is important that NSW public offices identify and address records and information management requirements associated with the outsourcing of Government business functions and activities. Each organisation needs to make adequate provisions in outsourcing contracts so that contractors and service providers properly make, keep and manage records of the Government business that is outsourced.
The information presented here is intended as general guidance and is not a comprehensive guide to managing outsourcing processes. Public offices are advised to seek legal advice when entering into contractual arrangements.
What is outsourcing?
Outsourcing can be defined as the activities involved in arranging, procuring and managing the performance of work or the provision of services by an external contractor or consultant, or by using external bureau services.
Outsourcing of Government business can occur in many forms. Some of the most common forms of Government outsourcing involve core business functions. For example, an agency might outsource construction/infrastructure projects or the provision of customer/client services. This type of outsourcing is most often done by Government with private sector organisations.
Some outsourcing of activities can be to other NSW government organisations, and while these providers are covered by the State Records Act 1998, it is still appropriate for agencies to clarify the recordkeeping responsibilities in these arrangements.
Shared service arrangements or outsourcing administrative activities
Many NSW public offices outsource or contract services to provide common administrative or 'support' activities, such as information technology (ICT) infrastructure and support, personnel and payroll, maintenance and cleaning, or storage of records. Arrangements may be made with other parts of NSW Government, or with private contractors.
This can include agencies in shared service arrangements for performance or delivery of common administrative functions. The options generally employed are:
- organising sharing arrangements with other agencies
- setting up an internal shared services unit within an agency or cluster
- using centralised services, whether internal to government or a private sector organisation.
Outsourcing - considerations at a glance
NSW Government public offices engage in a wide range of outsourcing arrangements, all of which have information management and recordkeeping implications. Some key points to bear in mind are outlined below.
Public offices are accountable
Outsourcing a business function or activity does not diminish a public office's responsibility to ensure that it is carried out properly and accountably and that all requirements for information and records are met.
If a public office fails to ensure that records of the outsourced business are created and managed by a service provider, the organisation risks:
- failing to meet legislative obligations
- loss of information or incomplete information upon which to base decisions, provide services or defend actions
- loss of public accountability and transparency through inability to produce records of outsourced business.
A failure by a public office to meet its recordkeeping obligations would signal a failure by its chief executive to comply with the State Records Act 1998 (s.10).
Public offices have key responsibilities
Public offices are responsible for ensuring that:
- appropriate records of the outsourced business are made and kept
- records of the outsourced business are securely managed and stored both during and after the period of the outsourcing contract
- ownership of records is clearly addressed and understood
- records of the outsourced business are accessible as appropriate and when required
- records of the outsourced business that are required after the contract has ended are returned
- records of the outsourced business are disposed of lawfully.
Importance of the contract and establishing controls
While NSW public offices must meet the requirements of the State Records Act 1998, this legislation does not extend to a private sector service provider or outsourced organisation as a matter of course. This means that recordkeeping obligations should be clearly articulated to service providers to ensure that the obligations of the public office are met. The primary means by which a public office can meet its information and recordkeeping obligations is to build appropriate requirements into the outsourcing contract. Managing the contractual relationship is key to ensuring that all information and recordkeeping requirements are met at all stages of the outsourced arrangement.
Outsourcing arrangements must be monitored
Public offices have a responsibility to follow up with monitoring of service providers and other checks to ensure that contractual arrangements are being met.
Public offices' responsibilities
The regulatory and policy framework that governs records and information management in NSW will establish the boundaries for your recordkeeping obligations as a NSW public office, and inform any outsourcing arrangements your public office enters into.
State Records Act 1998
Public offices must ensure that the Government business they outsource is supported by sound records and information management practices. This can be achieved through the appropriate consideration and communication of the following sections of the State Records Act in arrangements with service providers:
- obligation to keep full and accurate records: full and accurate records should be kept of all a public office's activities, including those that are outsourced (section 12 (1))
- protection of records held by other persons or organisations: all public offices must ensure the 'safe custody and proper preservation' and 'due return' of all the records under their control, including those that are in the custody of (held by) a service provider (section 11)
- maintaining accessibility to digital records: there is an obligation to maintain accessibility to equipment/technology dependent records (section 14(1))
- the Chief Executive's responsibility: the Chief Executive of a public office that outsources its business is ultimately responsible for ensuring that the records of the contracted out business are created, maintained, securely managed and disposed of in accordance with the State Records Act (section 10)
- lawful disposal of State records: State records, including records of Government business generated or kept by service providers, may not be destroyed unless in accordance with the State Records Act (section 21).
Recordkeeping requirements apply in diverse systems
Much of the business that is conducted on public offices' behalf under outsourcing arrangements is done using digital business processes and systems, such as email systems, databases, collaborative platforms or web technology. Regardless of the means by which the business is transacted, requirements for information and evidence apply.
Public offices should ensure that service providers are aware that records of the outsourced business that are created, generated or received using these technologies are subject to all the usual requirements of the State Records Act and the records management standards issued under the Act.
Records management standards
Outsourcing initiatives must be managed within the framework of whole of government standards and codes of best practice for records management in the NSW public sector.
Recordkeeping arrangements for outsourcing should be managed as part of the public office's records and information management governance framework. This means that a suitably senior officer (could be the Senior Responsible Officer or the Corporate Records Manager) has the responsibility for ensuring the proper management and protection of records of outsourced business along with records kept by the public office itself.
Information access and privacy management
The Government Information (Public Access) Act 2009 applies to the records of government business that are created, generated, received or kept by contractors. When an agency enters into a contract with a service provider to deliver services to the public on its behalf, the agency must have a contractual right to immediately access certain information in the contractor's records. The Information and Privacy Commission provides templates for contractual clauses.
The Privacy and Personal Information Protection Act 1998 (PPIP Act) notes that 'personal information' includes information that is 'in the possession or control of a person employed or engaged by the agency in the course of such employment or engagement' (section 4 (4)). The obligations and principles of the PPIP Act should therefore be conveyed to any contractors engaged by the public office, via contractual arrangements.
Audit and probity requirements
The Audit Office of NSW and other investigative agencies such as the Independent Commission Against Corruption (ICAC) and the NSW Ombudsman use records to determine organisational performance, financial accountability and legislative compliance, or to identify and investigate wrongdoing. Ensuring contractors create and manage records that adequately document NSW Government business is necessary to ensure that public offices can represent themselves and their activities for audits or other forms of investigations.
The outsourcing contract
The role of the contract in outsourcing arrangements
The basis of the relationship between a public office and a service provider is the official documentation of the agreement between the parties. Both the initial tender and the contract are important means for the communication of recordkeeping and other requirements.
In making a decision about a provider, the responsible public office must be confident that the provider can meet all legislative and policy requirements, including requirements for the proper management of records and information.
The contract should include clauses relating to:
- the recordkeeping requirements of the business being outsourced
- compliance with the State Records Act (and other relevant legislation) and standards on records management
- ownership (including intellectual property) of records
- timely records disposal
- the return of records at the termination/expiration of the contract
- information and records security (including systems security and records storage security)
- privacy management and protection of personal information
- rights of access and arrangements for access to records (including access under GIPA legislation)
- monitoring and inspection arrangements for compliance
- the processes and penalties for failing to comply with records provisions in the contract.
Specifying the recordkeeping requirements of the outsourced business
Requirements for records to be made or kept, managed, restricted or disposed of in certain ways are all recordkeeping requirements. Recordkeeping requirements for business that is to be outsourced must be identified so that they may be included in the outsourcing contract, and monitored over time. This will not only ensure that your public office is meeting its legislative obligations, but will also provide valuable information to assist the service provider to manage the business more efficiently.
Recordkeeping requirements derive from legal requirements, business needs for information and community expectations that Government will make and keep records of its functional responsibilities and activities (irrespective of how they are performed).
Recordkeeping requirements can define any aspect of a record's management over time, including:
- purpose and content of records
- how records are kept, labelled and managed
- who should have access
- retention periods applied to records and ultimate disposal action.
Legal requirements relating to records
The need to create and keep records is often based on statements in legal instruments such as Acts or regulations. Legislative requirements include not only administrative legislation such as the State Records Act 1998 but also enabling legislation that provides the basis for a public office’s powers and responsibilities.
Business needs for records
Some recordkeeping requirements are based on business needs, rather than a legislative requirement. For example, it makes good business sense to keep records of past dealings with a customer, for ready reference if required. In an outsourcing contract, you may wish to specify to a contractor that records must be maintained of all contact with clients.
Community expectations for records to be kept
Another type of recordkeeping requirement is based on community expectations that government organisations will keep records of their operations, policies and interactions with the community over time. A service provider to the Government would not be aware of this broad responsibility to keep evidence of government business, so it is up to the public office to communicate these requirements to providers.
Specifying access rights and restrictions
Contractual arrangements should state that the public office retains an immediate right of access to all State records held by a service provider, and should address privacy, confidentiality and public access considerations.
A public office must ensure that it has access to the State records in the possession of a service provider. Access to records will be needed in order to assess compliance with the requirements of the contract and meet other legal obligations such as dealing with applications under the Government Information (Public Access) Act 2009.
Protection of personal, sensitive or commercially valuable records
Public offices should communicate to service providers their obligation to abide by the requirements of the Privacy and Personal Information Protection Act 1998 and Health Records and Information Privacy Act 2002.
Records generated in the course of Government business may be confidential because they relate to individuals, or have significant commercial value, particularly if they are used, linked or analysed in conjunction with other information or databases.
Contracts struck with service providers should therefore include provisions to protect private or sensitive information, and where appropriate point to the relevant policy statements of the public office, such as their Privacy Management Plan or equivalent.
Public access to records 30 years of age and older
Where service providers have custody of records over long periods of time, the public office must ensure that the public access provisions of the State Records Act relating to records that are 30 years of age and older are met. This will involve making an 'access direction' (open or closed to public access) under section 51 of the State Records Act for any records of 30 years of age or more that are in the custody of the contractor. In such cases, the service provider may have to assume the role of access provider according to the provisions of the State Records Act. For further information see the Procedures for making access directions.
Information security must be considered in all outsourcing arrangements. This includes the use, transmission and storage of information and records.
The NSW Government’s Digital Information Security Policy establishes the digital information security requirements for NSW Government agencies. The policy establishes that all NSW Government Departments, Statutory Bodies and Shared Service Providers must have an Information Security Management System (ISMS) based on a comprehensive assessment of the risk to digital information and digital information systems.
The policy states that 'Departments or Statutory Bodies that share risk with a service provider must be satisfied that the service provider has sufficient security controls in place to adequately protect the digital information and information systems of the Department or Statutory Body in accordance with this policy and statutory obligations.'
Specifying records storage arrangements
The safe custody and proper preservation of State records is required under section 11(1) of the State Records Act. Section 11 also requires the safe return of State records that go out of a public office's custody. Storage arrangements are therefore vital ingredients of any records management arrangements and should be addressed in outsourcing arrangements.
This section essentially means that public offices need to ensure that service providers:
- store and manage records securely
- manage records through migrations, systems changes and upgrades
- protect records from loss and disaster
- handle and transport records in a safe and secure manner (for physical records)
- return specified records at the end of the contract.
Specifying authorised records disposal processes
Public offices have a responsibility to ensure that State records are disposed of in accordance with the State Records Act. The best way for a public office to achieve this in outsourcing arrangements is to specify in contracts those records disposal processes that are permitted for the contractor to perform, and those that are not.
Public offices must prevent the unlawful disposal of any State records that are in the possession of contractors in outsourcing arrangements. Unlawful disposal includes:
- unauthorised destruction (for example, contrary to the requirements in an authorised, current retention and disposal authority)
- transfer to a third party
- loss, damage or alteration.
Public offices need to:
- be aware of the main methods for authorised disposal in NSW Government
- communicate to service providers via the contract the authorised disposal processes that they (the contractors) are allowed to perform, and also those disposal processes that are prohibited.
Some outsourcing arrangements last over long periods of time. In these cases, it may be practical to require the service provider to carry out destruction of records periodically. Similarly, the contractor might be required to periodically transfer records back to the public office.
Records disposal that should be prohibited by a public office in an outsourcing contract would include disposal of State records that is carried out:
- contrary to the records disposal provisions in the outsourcing contract
- corruptly or fraudulently
- for the purpose of concealing evidence of wrongdoing
- for any other improper purpose.
Specifying the return of records at the completion of the contract
Certain records that are created, received or generated in the course of outsourced business are essential to the ongoing conduct of that business. Failure to ensure that these records are transferred back to a public office at the completion of an outsourcing contract can have serious consequences later in terms of business continuity and accountability. It would also constitute a breach of the State Records Act (section 21).
It is therefore very important that the outsourcing contract makes clear which records should be returned to the public office at the end of the contract. Provisions should include:
- restrictions on the service provider using the information contained in the records for commercial profit, unless otherwise allowed in the contract
- arrangements regarding the manner or formats in which the records are returned
- agreed timeframes for the return of the records
- deletion of information from the service provider’s systems.
Which records should be returned?
Reasons for identifying an ongoing need for records at the end of a contract could include:
- future referral by the public office (or another contractor) for any reason
- continuing protection of sensitive or confidential information
- use of the records to establish or protect the rights, entitlements or obligations of the State or an individual
- records are required to properly manage facilities or capital works owned by Government
- records document the expenditure of Government funds, such as the purchase of equipment or other assets
- use for future research by the State or an individual.
Contract inclusions checklist
- Details of the recordkeeping requirements for the business being contracted out have been documented and provided to the service provider.
- Details of the data and records that are to be returned to the public office or to another service provider at the completion of the contract (or periodically) have been documented and provided to the service provider.
- Technical standards required to enable interoperability between the service provider and agency business information or records systems have been specified.
- Any format/s in which the records are to be returned to the public office at the completion of the contract have been specified.
- A statement of who owns the records created by the service provider has been included in the contract (contract also addresses who owns the intellectual property).
- A statement regarding access rules and details of access arrangements for the records of the outsourced business for the duration of the contract is included.
- A requirement that basic control information/metadata is kept about the records of the outsourced business to facilitate management, access and retrieval is included.
- A requirement for the service provider to abide by the public office's privacy management plan or equivalent privacy statement in respect of the information it keeps for the purpose of the contract is included.
- A requirement for the service provider to classify or label information as specified by the public office is included.
- Authorisation by the public office for the service provider to carry out specified lawful disposal processes (in accordance with approved records retention and disposal authorities) for specified classes or types of records is included.
- Specification of restrictions on the use of information or records by the service provider for commercial or other purposes during the period of the contract or after is included.
- Dispute resolution procedures and penalties for breach of contract, such as a failure to return records to the public office at the completion of the contract, are included.
- Requirements for the service provider to manage, secure and store records of the outsourced business in accordance with the State Records Act 1998 and relevant standards (i.e. Standard on Records Management), are included.
- Details of a mechanism by which the public office can measure the service provider's compliance with the records requirements of the contract (including during and at end of contract period) are included.
Published 2003, revised February 2015