The delivery of shared services, and the sharing of information between government agencies, is becoming more common. These activities may involve the use of shared systems, such as shared databases, shared servers and web portals. This advice provides guidance on how good records management can be performed by government agencies using shared systems.
Shared systems are IT systems in which more than one agency or organisation can:
Shared systems can allow a number of agencies to share information and can span government jurisdictions (federal, state and local). Private organisations or members of the public can also be parties to a shared system.
Some examples of shared systems currently used by Australian Government agencies are:
Shared systems generate two distinct sets of records:
The records management requirements of shared systems need to be considered within the framework of an agency’s overall records management policy. Agencies using shared systems should be clear on the boundaries of the system and the resulting records they need to keep in accordance with this framework.
Where two or more parties share information or manage a system the following questions about responsibilities for records management are raised:
The owner of the system should develop a policy for the management of system records, such as audit trails. In this way, the owner is accountable for the operation and reliability of the system.
Because several parties use a shared system, good management of user access and system security is essential to protect information within systems from unauthorised access and modification.
The manager of the system is responsible for managing system records. They need to ensure that sufficient evidence of system operations is generated and captured to ensure accountability. The owner of the system should set a policy for these records.
The manager of the system also needs to consider the retention and disposal of these records. (See What happens to the old records when a new IT system is implemented? for more information.)
Agencies use shared systems to carry out business. In conducting business, records are generated that provide evidence of the functions of Australian Government agencies.
In cases where all parties sharing a system are Australian Government agencies, the parties need to decide who has responsibility for the records created in the system. In reaching agreement on this decision, agencies should consider what records they need to keep to meet business needs and ensure accountability.
Agencies also should consider how long they need to retain records created within shared systems, and how they will ensure appropriate disposal of these records as authorised by the National Archives of Australia through a disposal authority. The unauthorised destruction of records is a danger within a shared system when multiple parties can modify or delete information from the system.
Where systems are shared across jurisdictions or with private sector partners, decisions need to be made about what records should be created and kept to fulfil an agency’s business needs, legal requirements and ensure accountability. Records relating to the responsibilities of an agency must be created, managed and disposed of in an accountable manner, even if the records are not directly created, stored or disposed of by the agency.
Where systems are shared with parties outside the Australian Government, responsibility for the records rests, in the first instance, with the Australian Government agency. Please contact the National Archives for advice on resolving cross-jurisdictional issues.
When an Australian Government agency is responsible for the records created in a shared system, relevant legislation needs to be considered. Legislation may include the Archives Act 1983, the Freedom of Information Act 1982, the Privacy Act 1988 and the Electronic Transactions Act 1999.
Agencies using shared systems also need to consider who will manage the business records. The agency responsible for the records is ultimately also responsible for the management of the records.
If the management of business records is shared, agencies should clearly set out who has responsibility for particular records in accordance with each agency’s records management requirements.
The management of business records covers:
These records management activities require careful attention within shared systems.
See Digital Recordkeeping Guidelines for further advice on addressing these issues for digital records.
Shared systems allow information to enter a portal or gateway, be processed by the system and then split into constituent parts that go to different agencies. Parties to the system need to decide when this information should be captured and who will be responsible for capturing it.
The creation of metadata must be considered. Agencies should determine what metadata is needed to provide evidence of the transaction and information about the record, together with where this metadata will be captured.
The responsible agency also needs to consider how business records created within shared systems will be captured. Will records be captured within the system itself or stored in another system, such as in an agency’s records management system?
If records are to be captured within a shared system, agencies should ensure it has records management functionality.
Shared systems may include the sharing of data across agencies, such as through a shared server or database. Such systems raise issues about the privacy and security of the information.
Together with the managers of the system, those with responsibility for the business records need to ensure inappropriate access is not given to the information. The business and system records also need to be protected from unauthorised modification or deletion. This should be addressed at both the system and records level.
The party with responsibility for managing the records must ensure that business records are disposed of appropriately. Records owned by individual agencies need to be disposed of in accordance with the records management requirements identified by the agency, and in accordance with a disposal authority for that agency’s records.
This checklist is designed to help agencies when planning shared systems. It lists questions that agencies should consider to make sure that records management responsibilities are addressed.