Information Governance Framework
Information Policy and Systems
8 December 2016
The Information Governance Framework (the Framework) provides the basis for the creation, capture, management and use of full and accurate records, information and data in all formats used for the Archives business. It describes how information is to be governed as a vital corporate asset which is essential to help meet the Archives' business, legal and regulatory requirements.
The framework outlines an approach to information governance integrated with other organisational governance such as audit, accountability, compliance, risk management, business continuity, security and ICT governance. The requirements of this framework are informed by the Archives' business environment, legislation, whole-of-government policies and standards
The framework also describes the cooperation and commitment required from all relevant stakeholders for implementation of effective information governance within the Archives.
The Framework applies to all Archives' staff, contractors and consultants, regardless of employment terms, position and location
The Framework applies to all:
- aspects of Archives' business operations
- information created to support business activities
- business applications and systems used to create, capture and maintain information.
This framework is limited to governance of information related to business activities of the National Archives, and not the collection of archival resources of the Commonwealth in its custody. While the Archives' information assets assist preservation, management and provision of access to the collection, the governance for the collection itself is derived directly from the Archives' Act and implemented through the National Archives of Australia Corporate Plan.
Throughout this document, all of Archives records, information and data holdings are described holistically by the term 'information'.
The objectives of the Framework are to:
- affirm the Archives' commitment to effective information management practices in order to meet legal obligations, accountability requirements, business needs and stakeholders' expectations
- position the Archives as a forward looking, innovative and exemplar Australian Government agency employing better practice approaches for the management of information
- ensure all staff understand their information management responsibilities
- support consistent information management standards and practices across the Archives
- ensure that the Archives meets the requirements of the Digital Continuity 2020 Policy.
Organisational information principles
The Framework sets a number of principles to guide all staff in managing the Archives' information:
- Information is a valuable corporate asset which enables business, helps to manage risk and provides accountability and transparency in decision-making and evidence of business activities over time.
- Information governance is an essential element of Archives' corporate governance. It must be aligned with other organisational governance such as audit, accountability, compliance, risk management, business continuity, security and ICT governance.
- Information is complete, accurate and useable by those with a legitimate need.
- Information must be managed in a timely, efficient and effective manner. This includes capturing and describing information as soon as possible during or after completion of business processes. Also, ensuring it is kept for as long as required and accountably disposed of when it is no longer required.
- Information must be described with appropriate metadata, as defined by relevant standards and business needs. This supports access, context, authenticity and interoperability for information.
- All digital information must be created and actively managed in an accessible digital form for as long as the information is required. Consideration must be given to how digital information will remain available and interoperable across different platforms, operating environments and successive technologies. Information should only be stored in a physical format where there is no suitable digital alternative.
The Framework operates within an overarching governance framework of legislation, whole-of-government policies, international and Australian standards, business policies and processes. It is also defined by the needs of the Archives' unique business environment and by the National Archives requirements for all Australian Government agencies.
The Archives' business environment
The Archives is established by the Archives Act 1983, which identifies its key roles and responsibilities. In particular, the objects of the Archives Act are:
- to provide for a National Archives of Australia, whose functions include:
- identifying the archival resources of the Commonwealth; and
- preserving and making publicly available the archival resources of the Commonwealth; and
- overseeing Commonwealth record-keeping, by determining standards and providing advice to Commonwealth institutions; and
- to impose record-keeping obligations in respect of Commonwealth records.
Types of information created as part of the National Archives' business activities to meet these roles and responsibilities include:
- Unstructured information documenting correspondence, advice, planning activities, policies and procedures
- Structured information in business systems and databases
- Human resources and payroll data
- Transaction and workflow data
- Registers of assets
- Monitoring system data
- Audio/visual assets
- Information describing activities for preserving, managing and providing access to the archival resources of the Commonwealth.
Legislation impacting on the management of the Archives' information includes:
Relevant Whole-of-Government policies
Whole-of-Government policies and strategies impacting on the management of information include:
Relevant information management standards
The Archives is guided by national and international information management standards, particularly those endorsed by the Archives for Australian Government agencies. Key standards include:
Records Authorities authorising the management, retention and disposal of Archives information include:
Key general corporate governance frameworks and policy documents supporting the management of information include:
- The Risk Management Framework and Policy - highlights Archives officials' responsibilities for information management to support ongoing operations, provide evidence of business activities over time and document risk management activities.
- The Business Continuity Policy and Plan - provides a framework for the identification and development of actions to respond to and recover from disruptions to Critical Business Processes which have the potential to impact on the Archives' ability to meet its legislative and mandated obligations.
- The Archives Capability Framework - highlights the critical capabilities needed across Archives. This includes providing capability development around best practice digital information management.
- The Information Security Policy 2016 – forms the basis for establishing effective controls that protect the Archives' computing facilities, human resources and intellectual property.
Information Management Policy
To support this Framework, the Information Management Policy, identifies the Archives' commitment to implementing best practice information management to ensure the creation, management and protection of information as a vital corporate asset supporting ongoing business and providing evidence of business activities over time. It also informs and guides staff on the:
- legal, regulatory and business context within which the Archives operates. This includes applicable legislation, policies, business requirements and standards that apply to the management of information
- types of information that need to be created, captured, shared and managed to support business and legal requirements
- use of information management systems for the creation, capture, protection, security, accessibility and storage of the Archives' corporate information.
Information Management Strategies
All information management strategies are consistent with National Archives guidance. The following strategies, policies and plans complement the Framework and provide accountability and guidance for information governance:
- Completion of Check-up Digital, the whole of Australian Government online self-assessment used to measure progress against the Digital Continuity 2020 Policy targets.
- Digital Continuity 2020 Implementation Plan - forms part of the Archives' strategy to implement the recommended actions of the Digital Continuity 2020 Policy for digital information management. The Archives will achieve policy targets by the due dates and will continue to integrate robust digital information management into all business processes. The Executive Board performs the role of the Information Governance Committee to guide strategies to meet the Policy requirements.
- Charter for Information Governance - guides all staff to ensure information is managed appropriately to support organisational outcomes.
- Digital Continuity Strategy for the National Archives of Australia's Corporate Information and Records – July 2013 - sets out the responsibilities for RkU and ICT staff to manage digital information in accessible and useable formats for as long as required.
- Risk mitigation strategies - the major area of risk to the Archives' information assets is information loss, either through accident or negligence or through malicious behavior. To reduce this risk, the Archives has compiled the following:
- High value and long term information risk registers – records the location of all high risk, vital and important information related to both core business and administrative business.
- Information systems architecture register December 2016 – lists the Archives business systems, tracks their assessment using the checklist below and notes any information governance documents for each system.
- Information Management Functionality Checklist – a validation tool used to assess all new business systems and existing systems undergoing significant changes. The checklist is based on the National Archives Business Systems Assessment Framework for assessing systems against the ISO 16175 Principles and Functional Requirements for Records in Electronic Office Environments and the Minimum Metadata Set.
- 'TEMPLATE - Information Management Functionality for Business Systems 2016' – sets out the method for documenting an information management plan for each system, if needed after assessment against the checklist above.
Archives' information systems
The Archives operates a number of information systems to meet its business needs, accountability requirements and stakeholder expectations.
- systems used for Archives' unique functions (eg RecordSearch, Digital Archives System)
- systems and databases used for administrative functions (eg FinanceOne for financial management, Aurion for human resources, e-Commerce for online payments).
To ensure that information in the Archives systems continues to meet these needs, the RkU and system business owners regularly assess systems using the Information Management Functionality Checklist to ensure information management requirements are met.
Consistent with Digital Continuity 2020 Policy requirements, new systems will meet the Information Management Functionality Checklist requirements. The checklist enables a risk-based approach to determine whether information management in the system is adequate or if there are any gaps that need to be addressed by implementing solutions. Based on the results of assessments, a plan is developed for managing information within each system and plans are placed on the Information Systems Architecture register to maintain oversight over time. The checklist also includes the minimum metadata set.
One of the primary information systems for the Archives is the Recordkeeping System (RkS), an instance of HPE Records Manager. It has a major role in managing the Archives' information as it meets the requirements of the international standard ISO 16175-2 and is configured for long term information storage in a controlled environment structured according to the Archives' business needs.
The RkS is used to manage unstructured information, such as documents, spreadsheets and emails generated by Archives staff. The RkS can also accept information exported from many other sources, where this is needed to aid our management of digital information.
- Digitised copies of paper source records
- Information from any business systems less suitable for long term storage or not meeting information management requirements.
Creation and maintenance of paper files is limited to only 'CLASSIFIED' information or in special circumstances as approved by the Director responsible for the RkU. The Archives has a secure network and information system to support access examination but it has not been practical or necessary to extend this, to avoid a small number of paper files being created.
Some less controlled systems such as email inboxes and folders (Outlook and other email accounts), personal or shared network drives, external storage media, or temporary documents folders, are available to Archives staff to facilitate business activities or for reasonable personal use. These systems have limited controls and are not suitable for storing most business information. Archives' staff are required to file any useful information in the RkS or an approved business system and discouraged from using these systems other than to facilitate more immediate business activities.
Roles and Responsibilities
The Director-General of the National Archives of Australia (also the Chair of Archives' Information Governance Committee) is responsible for:
- the standard of information management within the Archives
- the efficient, effective and ethical use of information resources within the Archives
- authorising the Information Governance Framework and the Information Management Policy
- approving major reviews of information management capability and maturity, such as the Check-up Digital online assessment
- promoting compliance with the Archives' information management policies and procedures.
The Information Governance Committee (which comprises of members of the Executive Board) is responsible for:
- monitor effectiveness of the Archives' information governance framework, and all information strategy, policy and architecture documents
- ensure coordination of the Archives' information governance reporting and external information audits and reviews
- identify who is responsible within the Archives for information assets identified in audit and review processes
- develop an information management workforce plan with the support from People Management and Development section
- monitor information infrastructure according to the Archives' business information needs
- coordinate internal information reviews to identify information assets and their value, manage risk and compliance, and improve business processes
- ensure that the Archives' information is managed for its entire life in accordance with risk, including risks associated with security, access, privacy, continuity, and cost
- act as interdepartmental liaison for whole-of-government information initiatives, such as implementing standards, information and system interoperability
- ensure coordination of information standards implementation, for example, business systems functionality, metadata and interoperability capabilities
- ensuring the Archives meets its Digital Continuity 2020 Policy targets.
The Assistant Director General responsible for information management (Information Policy and Systems branch) shall:
- ensure that the Archives' information management practices comply with its obligations and responsibilities as an Australian Government agency
The Director responsible for information management (Information Policy and Systems branch) shall:
- develop strategies to ensure the Archives establishes itself as an exemplar site of information management
- oversee, support and review the functionality of the Archives' information management system(s)
- approve the destruction of Archives' business information, with concurrence from relevant business owners across the Archives
Records Manager (operating under the supervision of the Director responsible for information management) shall:
- develop, maintain and review this Framework, and the supporting policy, guidelines and procedures for the consistent management of Archives' information
- maintain and monitor the Archives' Records Authorities
- provide input and advice on the functionality and compliance of agency's business systems
- co-ordinate the delivery of information management training and advice to all staff
- liaise with internal and external stakeholders on information management issues
- provide secretariat to the Information Governance Committee.
Staff in the Recordkeeping Unit (operating under the supervision of the Director responsible for information management) shall:
- promote the Archives' information management policies and procedures to all staff
- monitor staff compliance with the information management principles, policies and procedures
- deliver information management training and advice to all staff
- ensure that business information is kept for as long as required
- inform and assist ICT to develop solutions for better use of information during business processes.
ICT staff, including system administrators shall:
- ensure that technologies are developed and implemented efficiently and that they support information management principles and strategies outlined in this document
- provide Information Technology support
- promote accessibility, usability and interoperability of the Archives' business systems.
All managers and supervisors shall:
- monitor staff under their supervision to ensure that they understand and comply with the Archives' information management principles, policies and procedures
- support and foster a culture within their workgroup that promotes good information management practices.
All employees of the Archives shall:
- understand the information management obligations and responsibilities that relate to their position
- adhere to organisational policies, procedures and standards in keeping information documenting their daily work, and specifically create and capture information into approved information management system(s) for the following business activities:
- approval or authorisation
- guidance, advice or direction
- information relating to projects or activities being undertaken
- formal business communications between staff and external recipients
- formal business communications between staff
- not destroy business information, regardless of format, that is evidence of business activities unless approved by the Recordkeeping Unit.
This Framework will be reviewed every two years from the date of approval, unless required earlier.
National Archives of Australia
8 December 2016