Information management policy
An Information management policy is a key strategic document that will help align information management practices to fulfill the requirements of an information governance framework. An information management policy provides direction and guidance to staff for creating, capturing and managing information to satisfy business, legal and stakeholder requirements, and assigns responsibilities across the agency.
An information policy is consistent with, and based on, the principles, environment and directions described in the information governance framework and the information management strategy. The policy:
- sets out the expected information management practices in your agency
- explains the benefits of good information management
- outlines roles and responsibilities
- demonstrates commitment to meeting business, legislative and regulatory requirements
- enhances business performance by guiding information management practices, processes and systems that will protect information as an asset
- contributes to an environment that values the integrity and accessibility of the information to support the efficient delivery of business outcomes
The policy document should be reviewed and updated so that it remains current.
Information management policy – template
This policy template provides a useful guide on the key aspects and components to include in an agency policy. It should be tailored to your agency's unique situation.
Date and version number
Explain why an information management policy is needed and the benefits of good practice. For example:
The purpose of this policy is to provide guidance and direction on the creation and management of information, and to clarify staff responsibilities. [The agency] is committed to establishing and maintaining information management practices that meet its business needs, accountability requirements and stakeholder expectations.
The benefits of compliance with this policy will be trusted information that is well-described, stored in known locations and accessible to staff and clients when needed.
This policy is written within the context of [the agency's] information management framework which is located at XXXX. This policy is supported by complementary policies and additional guidelines and procedures which are located at XXXX.
Provide a brief statement of the agency's commitment to good information management practices. If applicable, mention briefly factors influencing information management within the agency. For example:
[Our agency's] information is a corporate asset, vital both for ongoing operations and also in providing valuable evidence of business decisions, activities and transactions.
There is an expectation that [this agency] will [mention here any obligations that apply specifically to your agency] and is committed to creating and keeping accurate and reliable information to meet this obligation.
In addition, [the agency] is committed to the principles and practices set out in whole-of-government policies and best-practice standards.
Our agency will implement fit-for-purpose information management practices and systems to ensure the creation, maintenance and protection of reliable information. All information management practices in [this agency] are to be in accordance with this policy and its supporting procedures.
Specify who and what aspects of the agency's business and business transactions the policy covers. Indicate the business applications and systems the policy covers, e.g. websites, email, and business systems. For example:
This policy applies to [agency] staff and contractors, to all aspects of the agency's business and all business information created and received. It covers information in all formats including documents, email, voice messages, memoranda, minutes, audio-visual materials and business system data. The policy also covers all business applications used to create, manage and store information including the official information management systems, email, websites, social media applications, databases and business information systems. This policy covers information created and managed in-house and off-site.
Legislation and other key mandates
Your information management strategy and framework documents cover the legal, regulatory and business context within which your agency operates. Only duplicate as much as necessary for staff to understand the environment within which this policy document is set. You might specifically mention requirements that more directly affect staff, for example agency-specific legislative requirements for creating or keeping particular information. However, in general, refer staff to the relevant sections of the framework and strategy rather than duplicating the information.
Creation and maintenance of information
Provide guidance on the types of information that need to be created, captured and managed to support agency business and legal requirements. Operational workgroups may have specific requirements to create and capture information and these should be referenced (but not reproduced) in the policy. Any separate information or training available on aspects of information s management such as titling or capture should be mentioned here. For example:
Business information must be created and captured by everyone subject to this policy. Business information created should provide a reliable and accurate account of business decisions and actions. Include all necessary information to support business needs including the names, dates and time, and other key information needed to capture the business context.
All business information created and received should be captured into endorsed information systems unless they can be disposed of under a normal administrative practice (NAP). See below for a further explanation of NAP and information about endorsed systems.
Regular training is offered on titling information and when and where to capture information.
Systems used to maintain information
Establish clearly which locations are endorsed for the capture and storage of information and which should not be used. Larger agencies may need to provide generic examples. Endorsed systems will vary between agencies. Some agencies may use electronic information management systems and will prohibit the use of shared folders as an endorsed location for the permanent capture of information. Other agencies may use shared drives as an endorsed system, with appropriate controls and protocols in place. Supporting operational and procedural guidelines should be linked to the policy.
Explain here the circumstances in which paper records will be permitted, for example, for records classified beyond the security level of the EDRMS.
[This agency's] primary information management system is our electronic document information management system (EDRMS), known as XXXX. Where possible, all incoming paper correspondence received by the organisation should be converted to digital format and saved into the EDRMS. In limited circumstances, such as for particular security purposes, there may be a requirement for paper files to be created. Please contact the information management unit in these instances.
The following business and administrative databases and software applications are endorsed for the capture and storage of specific information. These include:
- Business system X
- Finance system Y
A full register of endorsed systems used to create or manage information can be found at XXXX. These endorsed systems appropriately support information management processes such as creation and capture, storage, protection of integrity and authenticity, security, access and retention, destruction and transfer.
Corporate information must not be maintained in email folders, shared folders, personal drives or external storage media as these lack the necessary functionality to protect business information over time. Information created when using social media applications or mobile devices may need to be captured into an endorsed system.
Access to information
Provide a statement supporting the concept that staff should have ready access to corporate information. Describe circumstances when it is appropriate to restrict this access. For example:
Sharing corporate information within [the agency]:
Information is a corporate resource to which all staff may have access, except where the nature of the information requires restriction. Access restrictions should not be imposed unnecessarily but should protect:
- individual staff, or client privacy
- sensitive material such as security classified material or material with dissemination limiting markings, for example 'Cabinet in Confidence'.
When handling information, staff are reminded of their obligations under the APS Values and Code of Conduct, the Crimes Act 1914 and Public Service Regulations.
Release of publicly available information:
In accordance with our obligations under the Information Publication Scheme and in the spirit of open-government policies, access to publicly available information will be provided on our website. This is the responsibility of [person or area responsible in agency].
The public additionally have legislative rights to apply for access to information held by our organisation under the Freedom of Information Act 1982 and the Archives Act 1983. These apply to all information held by the agency, whether in officially endorsed information management systems or in personal stores such as email folders or shared and personal drives. Responses to applications for access under Freedom of Information legislation are the responsibility of [responsible person in agency]. Responses to applications for access under the Archives Act are the responsibility of the National Archives of Australia.
Retention or destruction
Describe the responsibilities that staff have for retention and destruction of the organisation's information. Provide staff with the information they need to comply with authorised destruction of the organisation's information. In particular, outline the correct use of a normal administrative practice (NAP). Any procedures or fact sheets explaining the use of NAP should link from here. Include reference to records authorities issued by the National Archives. Consider making reference to the importance of timely destruction of information and the risks to the agency of over-retention while ensuring staff understand the risks of unauthorised destruction.
Agency information is destroyed when they reach the end of their required retention period set out in records authorities issued by the National Archives of Australia. Retention periods in records authorities take into account all business, legal and government requirements for the information. Our agency uses a number of general and agency-specific authorities to determine retention, destruction and transfer actions for its information.
Some information can be destroyed in the normal course of business. This is information that is of a short-term, facilitative or transitory value that are destroyed as a 'normal administrative practice'. Examples of such information includes rough working notes, drafts not needed for future use or copies of information held for reference. This agency has a normal administrative practice (NAP) policy which has been approved by the National Archives of Australia and which further defines the use of NAP by staff. The NAP policy can be located at XXXX. You should be familiar with the policy and be aware that unauthorised destruction not only risks penalties under the Archives Act but may expose [the agency] to a range of other risks including:
- an inability to comply with regulatory and legislative responsibilities such as the Freedom of Information Act 1982 and the Privacy Act 1988;
- an inability to provide access to information requested by legal discovery action; and
- damage to organisational reputation
Staff should not destroy information, other than in accordance with our NAP policy, without the approval of the information management unit.
Outline instances when information may be required to be transferred. Explain that information of archival value are required to be transferred to the National Archives once they are no longer needed for current use, and that information may be transferred to other agencies as a result of administrative change.
At times certain information may be required to be transferred out of the custody of [the Agency]. This occurs when information of archival value are no longer being actively used. In this instance [the Agency] transfers them to the National Archives. We are still able to access information if a subsequent need arises to consult content in National Archives care. Another instance where information may be transferred is when it may be affected by administrative change and transferred to the inheriting agency.
Roles and responsibilities
Define the roles and responsibilities of all agency employees to ensure that reliable and useable information is created and managed, and are kept for as long as they are needed for business, accountability or historical purposes. This may include:
All employees: All staff are responsible for the creation and management of information as defined by this policy.
Additional responsibilities for certain staff are listed below:
Chief Executive Officer (CEO)/Agency head: The CEO is ultimately responsible for the management of information within the agency. The CEO has authorised this policy. The CEO promotes compliance with this policy, delegates responsibility for the operational planning and running of information management to a senior executive officer in the organisation and ensures the agency's information management program is adequately resourced.
Senior management: Senior executive officers/managers are responsible for the visible support of, and adherence to, this policy by promoting a culture of compliant information management within the organisation and contributing to the development of strategic documents such as the information governance framework and information management strategy.
Information management unit: Under the leadership of the delegated senior executive, the information management unit is responsible for overseeing the management of information in this organisation consistent with the requirements described in the policy. This includes providing training, advice and general support to staff, creating, developing or acquiring and implementing information management products and tools, including systems to assist in the creation of complete and accurate information, developing and implementing strategies to enable sound information management practices, monitoring compliance with information management policies and directives and advising senior management of any risks associated with non-compliance.
ICT staff: ICT staff are responsible for maintaining the technology for [the agency's] business information systems, including maintaining appropriate system accessibility, security and back up. ICT staff should ensure that any actions, such as removing data from systems or folders, are undertaken in accordance with this policy. ICT and information management staff have an important joint role in ensuring that systems support accountable and effective information management across the organisation.
Agency Security Advisor: The security advisor provides advice on security policy and guidelines associated with the management of information.
Managers and supervisors: Managers and supervisors are responsible for ensuring staff, including contract staff, are aware of, and are supported to follow, the information management practices defined in this policy. They should advise the information management unit of any barriers to staff complying with this policy. They should also advise the unit of any changes in the business environment which would impact on information management requirements, such as new areas of business that need to be covered by a records authority.
Contract staff: Contract staff should create and manage information in accordance with this policy to the extent specified in the contract.
Communication and training
Include a statement affirming that the policy will be communicated to staff and that training will be provided on aspects of the policy. When conducting training, keep it up-to-date, schedule it regularly and consider how to tailor it so that it is meaningful to different workgroups in your agency.
Monitoring and review
Make a commitment to reviewing the policy and monitoring compliance. When conducting a review of the policy, consider its relevance, continuing appropriateness and staff awareness of its requirements. Monitor staff adoption of the policy at regular intervals. If direct supervisors are responsible for monitoring compliance of their staff, ensure they are aware of their responsibility and the standards expected of their staff. For example:
This policy will be updated as needed if there are any changes in the business or regulatory environment. It is scheduled for a comprehensive review by 20XX. This review will be initiated by the head of the information management unit and conducted by the information governance committee.
Compliance with this policy will be monitored by the information management unit [with the support of workplace supervisors]. Levels of compliance will be reported at least annually to senior management.
If necessary provide a list of resources that provide additional information. This may include contact details of relevant staff within the agency as well as useful reference material.
Senior management endorsement
Provide evidence that the CEO or senior manager with responsibility for information management has endorsed the policy. This may be done in a brief paragraph signed by the CEO or senior manager recognising the important place of information in the agency and directing staff to comply with the requirements of the policy.