What is an information management policy?
An information management policy gives staff direction for creating, capturing and managing information assets (records, information and data) to satisfy business, legal and stakeholder requirements. It also assigns responsibilities across the agency.
An information management policy should be consistent with the principles, environment and strategic directions described in your agency's information governance framework.
The Building trust in the public record policy recommends that agencies update their information governance framework to include enterprise-wide information management (action 2).
Developing or updating your agency’s information management policy should be part of implementing this governance framework.
An information management policy:
- sets out your agency's expectations for fit-for-purpose information management practices, processes and systems that will support the management of information as an organisational asset
- explains the benefits of good information management
- outlines roles and responsibilities
- proves commitment to meeting business, legislative and regulatory requirements
- contributes to an environment that values the integrity and accessibility of information assets to support the delivery of business outcomes.
When developing your information management policy, consider how it supports your agency's strategic objectives and intersects with other strategic documents.
How your information management policy integrates with other policy and governance documents can be influenced by the size and nature of your agency. It should be designed to best meet the size, nature and complexity of your agency's business. For example, a smaller agency may combine the information management policy with other governance documents. A larger agency, or one with a more complex information management environment, may have separate governance documents complemented by other policies on aspects of information management. This can be useful when different policy statements are directed at different audiences, to ensure they are aware of their specific requirements.
Things to include
An effective information management policy will usually include the following:
- details of organisationally endorsed processes, practices and procedures for undertaking information management tasks, including creation and capture
- identification of endorsed systems for managing information assets
- advice on the disposal and destruction of information assets, including the provisions of normal administrative practice (NAP)
- an outline of the roles, responsibilities and expectations of all staff in managing information assets, in addition to detailed guidance for specific position holders as needed.
Interaction with other policies and procedures
Given the complexity of information management, it is likely that it will take more than one policy document to provide guidance across all processes. Information management policy statements should be embedded into a broad range of organisational policies and procedures, to assist ease of access by stakeholders. Dividing policy statements across several documents can also enhance readability by focusing on one area of information management.
For example:
- A Data Migration Policy could lay out considerations for information technology teams migrating data from one business system to another. This may include guidance around interoperability, quality assurance testing, metadata controls and accountable destruction of data, if all data is not being migrated.
- A Normal Administrative Practice Policy would provide advice to staff on which information assets they can routinely destroy. It would outline the types of low-value and short-term information that can be destroyed in the normal course of business.
- An Information Technology Procurement Policy may include a policy statement that requires newly procured business systems to be compliant with the Minimum Metadata Set.
Key aspects of an information management policy
Title, date and version number
Follow your agency’s naming and versioning conventions and identify how frequently the policy will be reviewed.
Purpose
Explain why an information management policy is needed and the benefits of good practice.
For example:
The purpose of this policy is to guide and direct the creation and management of information assets (records, information and data) by staff, and to clarify staff responsibilities. [The agency] is committed to establishing and maintaining information management practices that meet its business needs, accountability requirements and stakeholder expectations.
The benefit of complying with this policy will be trusted information that is well-described, stored in known endorsed locations and accessible to staff and clients when needed.
This policy is written within the context of [the agency's] information governance framework, which is located at XXXX. Complementary policies and additional guidelines and procedures support this policy and are located at XXXX.
Scope
The scope should identify both who and what is covered by the policy, to support the holistic management of all an agency's information assets.
For example:
This policy applies to all [agency] staff members and contractors and to all information assets (records, information and data) in any format, created or received, to support [agency] business activities.
It covers all business applications used to create, manage and store information assets, including dedicated information management systems, business information systems, databases, email, voice and instant messaging, websites, and social media applications. This policy covers information created and managed in-house and off-site, including in cloud-based platforms.
Policy statement
Provide a brief statement of your agency's commitment to good information management practices. If it applies, briefly mention factors that influence information management within the agency.
For example:
[The agency] recognises its information assets as valuable corporate assets and is committed to achieving appropriate and ongoing management of these assets to advance [the agency’s] strategic priorities and meet client needs.
or
There is an expectation that [the agency] will [mention here any obligations that apply specifically to your agency]. It is committed to creating and keeping accurate and reliable information to meet this obligation.
Also, [the agency] is committed to the principles and practices set out in whole-of-government policies and best-practice standards. Our agency will implement fit-for-purpose information management practices and systems to ensure the creation, maintenance and protection of reliable information. All information management practices in [this agency] are to align with this policy and its supporting procedures.
Legislation and other key mandates
Your information governance framework should cover your agency’s legal, regulatory and business environment. Your information management policy should only cite directions and requirements that directly affect staff or are necessary for them to understand the policy’s operating environment. An example could be agency-specific legislative requirements for creating or keeping particular information. In general, the policy should refer staff to the relevant sections of the framework and strategy rather than repeating them.
For example:
All staff must take steps to protect personal information according to the Privacy Act 1988 and the Australian Privacy Principles. This includes personal information stored in cloud-hosted services.
Creation and management of information assets
Provide guidance on the type of information assets that need to be created, captured and managed to support agency business and compliance with legal requirements. Operational work groups may have specific requirements to create and capture information which are documented in business procedures. These should be referenced, but not reproduced, in the policy.
Other guidance that could be covered in the policy includes:
- Endorsed systems used to maintain information: establish clearly which locations are endorsed for the capture and storage of information and which should not be used. For example, corporate information assets must not be maintained in email folders, shared folders, personal drives or external storage media.
- Requirements for storage and preservation: for information in digital and physical formats, including security protocols and preservation requirements. This may include referencing preferred file formats.
- Access to information: provide a statement supporting staff having ready access to corporate information. Describe situations when it is appropriate to restrict this access. Document the public’s right of access to information under legislation including the Freedom of Information Act 1982 and the Archives Act 1983. Describe how your agency supports public release of information assets, for example, under the Information Publication Scheme or to meet Australian Government commitments to release publicly available datasets.
- Retention and destruction: describe the responsibilities staff have for retaining and destroying the organisation's information assets. Provide staff with the information they need to comply with accountable and authorised destruction of information assets. This includes the correct use of normal administrative practice (NAP).
- Transfer: outline instances when information may be required to be transferred. Explain that information assets of archival value are transferred to the care of the National Archives, but access can be arranged for staff if they are needed. Note that information may be transferred to other agencies as a result of a machinery of government change.
In all cases, any supporting guidelines, procedures or related documents should be linked to the policy document.
Roles and responsibilities
Define the roles and responsibilities of all agency employees to ensure that reliable and usable information is created and managed, and is kept for as long as it is needed for business, accountability or historical purposes. This may include statements such as:
All staff: responsible for the creation and management of information as defined by this policy.
Additional responsibilities for certain staff are listed below:
Agency head: responsible for information governance within the agency. The agency head has authorised this policy. The agency head promotes compliance with this policy, delegates responsibility for the operational planning and running of information management to a senior executive officer in the organisation, and ensures the agency's information management program of activities is adequately resourced.
Chief Information Governance Officer (CIGO): responsible for the establishment and maintenance of an enterprise-wide culture for an accountable and business-focused information management environment.
Senior management: responsible for visible support of, and adherence to, this policy by promoting a culture of accountable information management within the organisation. This includes senior executive officers and managers.
Information management unit: under the leadership of the delegated senior executive, the information management unit is responsible for overseeing the management of information assets (records, information and data) in this organisation consistent with the requirements described in the policy. This includes:
- providing training, advice and general support to staff
- creating, developing or acquiring and implementing information management products and tools, including systems to help create complete and accurate information
- developing and implementing strategies to enable sound information management practices
- monitoring compliance with information management policies and directives
- advising senior management of any risks associated with non-compliance.
ICT staff: responsible for maintaining the technology for [the agency's] business information systems, including maintaining appropriate system accessibility, security and backup. ICT staff should ensure that any actions, such as removing information assets from systems or folders, are undertaken in accordance with this policy. ICT and information management staff have an important joint role in ensuring that systems support accountable and effective information management across the organisation.
Agency security advisor: provides advice on security policy and guidelines associated with the management of information.
Managers and supervisors: responsible for ensuring staff, including contract staff, are aware of, and are supported to follow, the information management practices defined in this policy. They should advise the information management unit of any barriers to staff complying with this policy. They should also advise the unit of any changes in the business environment that would impact on information management requirements, such as new areas of business that need to be covered by a records authority.
Contract staff: create and manage information assets in accordance with this policy to the extent specified in their contract.
Communication and training
Include a statement affirming that the policy will be communicated to staff and that training will be provided on aspects of the policy. When conducting training, keep it up-to-date, schedule it regularly and consider how to tailor it so that it is meaningful to different work groups in your agency.
Mention any separate information or training available on aspects of information management, such as titling, capture, or how to incorporate the policy’s directions into business procedures and workflows.
Monitoring and review
Make a commitment to review the policy and monitor compliance. When reviewing the policy, consider its relevance, whether it is still appropriate, and staff awareness of its requirements. Monitor staff adoption of the policy at regular intervals. If direct supervisors are responsible for monitoring staff compliance, ensure they are aware of their responsibility and the standards expected of their staff.
For example:
This policy will be updated as needed if there are any changes in the business or regulatory environment. It is scheduled for a comprehensive review by 20XX. The head of the information management unit will initiate this review and the information governance committee will conduct it.
The information management unit [with the support of workplace supervisors] will monitor compliance with this policy. Levels of compliance will be reported at least annually to senior management.
Resources
Provide a list of resources that give extra information. This may include contact details of relevant staff within the agency, as well as useful reference material.
Senior management endorsement
Provide evidence that the head of your agency or a senior officer with responsibility for information management has endorsed the policy. This may be done in a brief paragraph signed by the head of agency or senior officer, recognising the important place of information management in the agency and directing staff to comply with the requirements of the policy.
Information management policy template
The information management policy template (DOCX, 164kB) is a guide to the key aspects and suggested headings of an information management policy. Tailor it to suit your agency’s needs.