- Recordkeeping requirements for processing GIPA requests
- Documenting the Proactive and Mandatory release of Government Information
- Relationship between the State Records Act and GIPA Act.
Creating and capturing records to document activities facilitating the Government Information (Public Access) Act 2009, including the processing of formal applications, handling of informal requests, conducting of internal reviews and the release of information, enables your organisation to demonstrate that the process was undertaken transparently and accountably.
Records provide an audit trail that can support organisational decision-making and provide transparency. As a number of decisions are reviewable under the GIPA Act, the organisation should build requirements for records creation into procedures for GIPA activities and make sure that all staff are aware and familiar with the requirements.
This guidance has been prepared to enable records managers to understand the relationship between records management and the GIPA Act, the search process, and to inform and assess recordkeeping processes in relation to GIPA. It has been prepared in consultation with the Information and Privacy Commission (IPC) as the agency with oversight for the GIPA Act.
Recordkeeping requirements for processing GIPA requests
To ensure records relating to the processing of GIPA applications (formal requests), informal requests and reviews are created and discoverable, your organisation needs to:
- Assess what records to create and what information the records should include (particularly in relation to requests that could escalate or relate to high risk areas of business)
- Establish systems, processes and business rules for creating and capturing records for GIPA activities, including how to document verbal communications (i.e. phone calls, discussions about requests, and meetings)
- Create records to document GIPA activities
- Capture records into approved systems using agreed titles, structures, taxonomies, metadata and records classification schemes
- Keep a record of systems and locations used to store the records
For more information refer to the Standard on records management. The standard is designed to help your organisation meet its recordkeeping obligations under the State Records Act 1998.
It is important to recognise that under the GIPA Act the principal officer of the agency is ultimately accountable for GIPA Act compliance. Within cluster arrangements there may be a number of individual principal officers.
Informal release and proactive release of information
Under the GIPA Act, organisations may release information via informal requests or decide to proactively release information.
Organisations should have business rules and procedures informing staff about how to manage informal access and proactive release of information, and the types of records that must be made of the assessment and decision-making process, authorisations and any conditions attached.
Formal release of information
Organisations should have business rules and procedures informing staff about managing GIPA applications. The business rules and procedures should inform staff about managing applications, and the types of records that must be made at each decision point in the GIPA process, beginning with the application assessment.
Throughout the assessment, it is important to document reasons and supporting actions that informed decisions to proceed, refuse or re-scope applications, for example if a decision is being made about the validity of an application or that the application may constitute an unreasonable and substantial diversion of resources:
|If the application||Document|
|Is not valid…||
|Is too broad in scope…||
|Constitutes an unreasonable and substantial diversion of resources…||
Thorough documentation will be beneficial during any external review of an application by either the Information and Privacy Commission or the NSW Civil and Administrative Tribunal (NCAT).
There are a number of points through the GIPA process where the ‘Right to Information’ officer (or person dealing with the application) may need to contact the applicant, internal stakeholders, business units, or third parties in relation to an application. For example, to clarify or re-scope a request, assess disclosure interests, or confirm holdings related to the information sought.
If the communication does not automatically generate a record (e.g. a telephone conversation) then a note of the discussion should be created and captured into the records management system. If the communication does create a record (e.g. an email) it should be captured into the records management system.
Records should be created to document verbal communications, including:
- telephone calls
- face to face discussions/conversations
- the organisation and the applicant,
- the organisation and internal stakeholders, and
- the organisation and third parties.
To be full, accurate and reliable, records need to document:
- Who? - who participated in the meeting, discussion or telephone conversation, and their position/role
- When? – date/time that the communication occurred
- What? - what was discussed? what advice or instruction was communicated? what was decided or recommended? what commitments or agreements were made? including any permissions/consent granted
- Why? - include reasons for decisions or recommendations.
Records need to be detailed enough to enable others to understand what was communicated, negotiated or agreed. Records made should be captured into the records management system.
Written correspondence such as emails or messages should be captured into the organisation’s records management system. When capturing records, controls should be applied to ensure records are discoverable to authorised persons in the future.
Follow business rules to determine and apply:
- titling /naming conventions
- folder/file structure
- records classification
- metadata (usually applied automatically).
Paper documents created or received through the process should be scanned and saved into the records management system through a digitisation process.
Capturing records at the time of creation or receipt, or as close to as possible, will reduce the risk of records being missed or lost.
Searches and search results
The GIPA Act requires that ‘an agency must undertake such reasonable searches as may be necessary to find any of the government information applied for that was held by the agency when the application was received’.
The creation and capture of records ensures that your organisation has the records it needs to demonstrate and validate that searches for information/records under GIPA are reasonable and adequate. The request for a search to be conducted by an identified officer(s) should be documented.
Records should outline how records holdings (both physical and electronic) were searched, including:
- What systems and locations were searched?
- What search methods were used? (e.g. was metadata used to filter search results?)
- What keywords/terms, alternative spelling and Booleans were applied during the search?
- What dates ranges were searched?
- Which officers, divisions, business units and offices were consulted, contributed to or participated in the search?
Organisations should also document the results of the search, including:
- Details of any relevant records found (including which business unit created them).
- A description of paper records found and how they were searched (e.g. were they scanned/manually assessed).
- Retrieval and checking of any documents that are the subject of the request
- Certification by officers conducting the search.
Analysis of search results
Records should also be created to document the review/analysis of search results.
|If search results:||Document:|
|Show information is already available to the applicant||
|Show information is not held by the organisation||
|Show the organisation has information and can continue to process the application||
For more information refer to Information and privacy commission: Knowledge update – reasonable searches under the GIPA Act
When releasing information organisations should document:
- Date of release
- What information was released
- Who it was released to
- Decisions relating to the reduction or release of personal information
- Overriding public interest against disclosure, and/or wavier of
- If the information can/will be open access now onwards
Processing time and charges applied
Organisations will also need to document the processing of fees and charges and decisions to relating to the final costing.
In many cases processing of GIPA applications is costed by the hour, therefore the organisation needs to ensure that they can account for the time spent processing applications.
- Contributing factors to the calculation of estimated processing times
- The activities undertaken for which charges may be made
- Actual time taken to complete the each phase/chargeable activity of the GIPA process
- Activities where charges were not applied (handling of free of charge information)
- Decisions to reduce charges, for example to accommodate financial hardship
- Review of decisions and granting of refunds
- Handling of money, deposits received, refund issued etc.
For more information refer to the Information and Privacy Commission's GIPA Act Fees and Charges
The GIPA Act requires that organisations review their program for the release of information every twelve months to see if there is additional information that could be proactively released.
The organisation’s rules/procedures for giving access should outline what records are created and kept to document assessments and review for proactive release, and the decisions made.
Records should ensure the organisation has evidence:
- that a considered assessment has been undertaken based on the established procedures
- of what was proactively released with appropriate authorisation
- of what was not made available, and the reasons why.
Records will allow the organisation to demonstrate compliance with the Act and defend the release of information if challenged.
Organisations should also keep records of the review of mandatory release information, including the annual review of the organisation’s publication guide.
Information published on websites
Organisations should incorporate the management of open access information released under the GIPA Act into its recordkeeping strategy for managing websites.
Organisations need to be able to prove what mandatory information was available on the website at what time/date in order to demonstrate compliance with the Act. This may involve managing different versions of the information over time.
Access directions for open access information
Records created during release assessment can assist the organisation in making access directions under section 51 of the State Records Act 1998. The sensitivities initially identified can be re-assessed to determine if they have diminished with the passage of time.
TIP: Organisations can make an access direction under the State Records Act declaring that all records made available via proactive release under the GIPA Act are available under the early access provisions of the State Records Act. This is a quick and easy way to ensure consistency between the two Acts so that records that are now available will not be closed when transferred to the State Archives Collection.
Relationship between the State Records Act and GIPA Act.
Recordkeeping underpins the successful fulfilment of GIPA requirements and responsibilities.
Government organisations rely on the records made and kept under the State Record Act 1998 to fulfil their obligations to facilitate access to Government information under the Government Information (Public Access) Act 2009 (GIPA Act).
The Information and Privacy Commission have outlined four organisational responsibilities to keep records under the GIPA Act.
- Keep up-to-date records to ensure information can be provided where appropriate.
- Manage records systematically so they can be located easily.
- Keep records for as long as they are required under approved Retention and Disposal authorities in accordance with the NSW State Records Act 1998.
- Ensure that your agency is able to access the records held by a contracted service provider.
Taken from the Information and Privacy Commission's Quick guide to my responsibilities under the Government Information (Public Access) Act 2009 (GIPA Act) NSW, January 2020
These responsibilities closely align with recordkeeping requirements under the State Records Act 1998 and the Standard on Records Management. The standard aims to ensure that government information is appropriately documented and discoverable.
Implementing the standard can save your organisation time and resources otherwise spent on searching for information that may or may not be documented.
Tips to fulfil GIPA recordkeeping responsibilities
The table below provides tips and links to useful resources to help fulfil recordkeeping responsibilities.
|GIPA responsibility||Tips||Guidance/resources available|
|1. Keep up-to-date records to ensure information can be provided where appropriate.||
Understand your recordkeeping requirements
Assess what records your organisation needs to create and what information the records should include (particularly in relation to high risk activities)
Identify common situations where records should be created and captured e.g. phone conservations, meetings, emails, web chats
|2. Manage records systematically so they can be located easily.||
Keep a record of systems and locations used to store organisational records
Use titling, file structure and classification conventions to capture records into approved systems
Ensure business systems are designed to meet organisational recordkeeping requirements
Undertake timely disposal of records legible for lawful destruction to reduce the amount of documentation your organisation needs to assess
Implement Normal Administrative Practice (NAP) to dispose of ephemeral, facilitative and duplicate records and streamline your records holdings.
NAP is defined under section 2 of the State Records Regulation 2015 and enables the destruction of certain types of facilitative and duplicate records.
|3. Keep records for as long as they are required under approved Retention and Disposal authorities in accordance with the NSW State Records Act 1998.||
Ensure that records are managed in approved systems
Keep a record of systems and locations used to store organisational records
Use sustainable file formats when creating records
Migrate/convert technology dependent records to retain their accessibility
Use approved Retention and Disposal authorities issued to your organisation to dispose of time expired records lawfully
|4. Ensure that your agency is able to access the records held by a contracted service provider.||Ensure that contracts outline responsibilities for recordkeeping and clarify ownership of the records||Accountable outsourcing|
If you have enquiries about recordkeeping, please contact NSW State Archives and Records at email@example.com.
If you have enquiries about the GIPA Act, please contact the Information and Privacy Commission on 1800 472 679 or at firstname.lastname@example.org.
Published April 2020