Implementation guideline – Principle 4: Business information is suitably stored and preserved

Store business information securely and preserve it in a useable condition for as long as required for business needs and community access.

Recommended actions

4.1 Store business information in a secure and suitable environment.

A secure and suitable environment is one:

  • that prevents unauthorised access, duplication, alteration, removal, or destruction
  • that satisfies Australian Government protective security requirements for classified and unclassified information
  • where it is accessible and retrievable for as long as required
  • where Australian Government property rights, including intellectual property, are not compromised.

A key component of managing information is to safeguard the security and integrity of your agency's business information.  This will enable its business requirements and future obligations to be met. The National Archives has developed advice on storing digital and physical information.

The Business Systems Assessment Framework will help your agency identify required information functionality in business systems to ensure business information is suitably stored. This includes when it is necessary to prevent unauthorised access, or identify changes, to information. Our advice on storing information also includes standards for storing physical records.

The National Archives has guidance on protecting business information from unauthorised access or alteration. This refers to the Attorney-General's Protective Security Policy Framework (PSPF) and the Australian Signal's Directorate's Australian Government Information Security Manual (ISM) which provide policy, guidance and better practice advice for Australian government information security. The Office of the Information Commissioner has also issued guidance for securing personal information collected by agencies under the Privacy Act 1988.

Business information stored in data centres, digital repositories and the cloud has specific requirements to ensure the same level of control and protection offered to business information held by your agency. Our advice includes responsibilities for ongoing contract management of business information and how to mitigate risks associated with outsourcing.

Business information created and stored on mobile devices should be part of your information management plan. In some instances you may need to capture and store that information into a more reliable storage medium.

Key Resources

Digital Continuity 2020 Policy targets:

  • 31 December 2018: Agencies identify all information assets, evaluate risk and management requirements, and identify strategies.
  • 31 December 2019: Agencies implement strategies for the management of all information assets.

Recommended actions

4.2 Develop and implement preservation strategies to ensure that information remains useable including:

  • minimising harmful environmental factors
  • having a proactive plan so that technological change does not compromise the accessibility or usability of information
  • implementing routine measures to safeguard business information, such as daily back up
  • incorporating protection or recovery of business information in disaster and business continuity plans. Give particular attention to information vital to continued business operation.

To protect and preserve business information maintained in digital and physical environments your agency should develop plans and strategies to preserve and keep the information usable for as long as required. Digital business information may be needed for longer than the life of the system or storage medium in which it is held.

Guidance on mitigating the risks to digital continuity recommends planning for ongoing access when systems or software are updated to eliminate the risk of technical obsolescence. The type of file format can be important in ensuring ongoing accessibility.  The National Archives' Business Systems Assessment Framework can be used to develop strategies to deal with the decommissioning of systems to ensure minimal risk of loss of information including attachments, metadata and audit trails during migration.

Business information will be subject to different environmental harm risks depending on format. Information in a physical format such as paper and audio visual records are at risk of loss or damage from fire, flood or pests. To assist agencies the National Archives has provided advice on optimal storage conditions to minimise the impact of deterioration. Our advice on storing information contains standards for the storage of physical records which includes guidance on storing them in conditions to ensure preservation for as long as needed.

It is also important to actively plan for the preservation of business information needed for ongoing business through business continuity and disaster planning. This is particularly important for business information critical or vital to the immediate operation of your agency following a disaster or crisis.

Other strategies such as digitising physical records may be an option to protect documents and other information. Many agencies scan incoming paper to protect information stored on fragile formats, to improve accessibility, and to act as a back-up for business continuity purposes.  The National Archives has developed scanning specifications for digitisation of paper and audio-visual records to ensure that business information in these formats can be preserved for later accessibility.

Key Resources

Digital Continuity 2020 Policy targets:

  • 31 December 2018: Agencies identify all information assets, evaluate risk and management requirements, and identify strategies.
  • 31 December 2019: Agencies implement strategies for the management of all information assets.
Copyright National Archives of Australia 2019