[ Skip to content | Skip to Table of Contents | PDF of this document | VAGO Home | VAGO Publications | Reduce Text Size | Enlarge Text Size ]
Victorian Coat of Arms

Managing Public Sector Records

Ordered to be published

VICTORIAN GOVERNMENT PRINTER MARCH 2017

PP No 249, Session 2014–17

The Hon. Bruce Atkinson MLC
President
Legislative Council
Parliament House
Melbourne
The Speaker
Legislative Assembly
Parliament House
Melbourne

Dear Presiding Officers

Under the provisions of section 16AB of the Audit Act 1994, I transmit my report Managing Public Sector Records.

Yours faithfully

Signature of Andrew Greaves (Auditor-General)

Andrew Greaves
Auditor-General

8 March 2017

Audit overview

Good records management is the foundation of government accountability. In Victoria, accountability is enshrined in the Public Administration Act 2004, which requires public servants to submit themselves to appropriate scrutiny. This typically includes scrutiny of the records they make or receive in the course of their duties. These records are known as 'public records'.

Well-managed public records enable governments to make informed decisions, to deliver services, and to demonstrate performance, transparency and accountability.

Legislative and regulatory framework for records management

The Public Records Act 1973 (the Act) sets out records management requirements for Victorian public sector agencies. The Act makes agency heads ultimately accountable for their agencies' records management by placing direct responsibility on them to ensure that 'full and accurate records of the business of the office are made and kept'.

The Act established the Public Record Office Victoria (PROV), to better preserve, manage and use the state's public records. The head of PROV—the Keeper of Public Records (the Keeper)—is responsible for establishing standards for public records management (the PROV standards) and assisting agencies to apply them.

The PROV standards set out what agencies must do to ensure that public records are accessible and reliable—at the time they are created, and for as long as they might be needed. Under the Act, agency heads must ensure their agency has a records management program that complies with the PROV standards.

The Department of Premier and Cabinet (DPC) oversees PROV and is responsible for whole-of-government information management. PROV must report annually on its activities to the Special Minister of State. However, unlike other essential agency functions—such as risk management or financial management—there is no whole-of-government oversight of agency records management.

Victoria's changing information landscape

Victoria's information management landscape has changed significantly since the Act was first established. Today's business environment is now vastly different. With outsourcing and privatisation becoming more common, many government services are delivered by third-party providers, who now create and manage the records of those services. However, third-party providers are not subject to the Act. If a provider does not meet the state's record management requirements, the agency using the provider may be in breach of the Act.

The volume of records created and held by agencies and third-party providers has also increased significantly. At the same time, new business practices and advances in technology have increased the risks relating to information integrity, accessibility, security and preservation.

Further, there are now more information agencies operating in Victoria, some with their own separate information legislation. Such agencies include the Office of the Freedom of Information Commissioner, the Office of the Commissioner for Privacy and Data Protection, the Crime Statistics Agency, and the DataVic office in the Department of Treasury and Finance, along with government's planned Victorian Information Commission.

These changes and the fact that the Act has not been subjected to a major review in its 43 years of operation mean that Victoria's information management environment is highly fragmented and disconnected—with multiple sets of policies and standards that can sometimes contradict each other.

Previous reviews

In 1996, Parliament's Public Accounts and Estimates Committee conducted an inquiry into PROV. The inquiry found agencies paid insufficient attention to managing Victoria's public records, and there was a need to strengthen PROV's related oversight role and legislative framework.

Our 2008 audit Records Management in the Victorian Public Sector similarly found that Victoria's records management legislation was outdated and unfit for purpose, hindering the efforts of PROV and agencies to manage records effectively.

In December 2015, PROV published the Victorian Government Records Management Review, also referred to as the Landell report. The report concluded that, across the Victorian public sector, 'records management failures are systemic, chronic and pervasive' and that 'greater emphasis and investment in information management within agencies is critical to avoiding waste and loss of public confidence'.

Our 2015 audit report Access to Public Sector Information also highlighted this fragmentation and described the state's information management environment as 'confused'.

The scope of this audit

In this audit, we examined whether:

In doing so, we looked at whether the records management practices of the Department of Education and Training (DET) and the Department of Health and Human Services (DHHS) comply with the Act's records management standards.

Soon after our audit commenced, the government announced a joint review of the Act and the Freedom of Information Act 1982. The review is intended to develop a revised public records framework. At the time of our audit it was expected to be completed in March 2017.

Conclusion

PROV has achieved positive change since our 2008 audit, overcoming a past lack of support from DPC for initiatives to improve records management. In particular, PROV's release of improved records management standards and agency tools has strengthened the public sector's ability to effectively manage the government's information.

However, further reform is needed, as longstanding weaknesses in Victoria's regulatory framework remain. These weaknesses—particularly the absence of system-wide compliance monitoring and reporting and out-dated legislation—heighten the risk of key government records being lost, inaccessible, inappropriately accessed, unlawfully altered or destroyed.

These risks materialised for key records we examined at DET and DHHS, which are not fully compliant with legislative requirements. Consequently, neither agency sufficiently understands the records it owns and holds, and cannot be assured that their records are being effectively managed and maintained. Encouragingly, both agencies acknowledge these issues, and have started to address them.

DPC's recent positive actions to strengthen PROV's administrative arrangements and the government's announcement that it will review the Act are important reforms with significant potential to address these longstanding weaknesses.

Findings

The issues we identified in this audit are consistent with those identified in the Landell report, suggesting that the following problems are unlikely to be confined to the two portfolio departments we looked at in detail. All public sector agencies should take note of our findings and recommendations.

Supporting oversight of public sector records management

DPC is responsible for whole-of-government information management and has operational oversight of PROV.

The review of the Act—called for by the Minister for the Arts in 2008—was assigned to DPC, along with stewardship of PROV's funding requests to implement the recommendations of our 2008 audit. However:

In 2015, after DPC commissioned a review of PROV's business model, PROV was reassigned to the Special Minister of State's portfolio. In 2016, PROV received $8.2 million of additional funding for the next four years and ongoing funding of $2.57 million a year to better meet service demand.

These changes have given PROV new opportunities to focus on ways to ensure that agencies create, manage and preserve a full and accurate record of government activities for future use.

PROV's assistance to agencies

Although PROV's funding request to address our 2008 recommendations did not progress, PROV received special funding to produce a more comprehensive set of records management standards for use by agencies to comply with the Act.

However, PROV did not introduce recommended competency programs, or better monitoring and reporting on agency compliance. As a result, records management does not have the same level of education, monitoring and reporting that exists for other aspects of public sector information, such as freedom of information and privacy.

PROV has never sought a legal opinion on the accuracy of its interpretation of its powers, but we consider that the Act empowers the Keeper to inspect agency records management programs. The relevant clauses of the Act are shown in Figure A.

Figure A
Public Records Act 1973, section 13A, 13(b) and 21(1),

  • Section 13A—The Keeper of Public Records may enter, at any reasonable time, a public office or any place in which the public records of that office are stored to inspect the storage and conservation arrangements of the records in the office or place and the carrying out in that office or place of the programme of records management referred in section 13(b).
  • Section 13(b)—… a programme of records management in accordance with the standards established under section 12 by the Keeper of Public Records.
  • Section 21(1)—The Keeper of Public Records shall at least once in every year and not later than the 30th day of September in each year lodge with the Minister a report on the carrying out of his functions under this Act during the year ending on the preceding 30th day of June.

Source: VAGO from the Public Records Act 1973.

As a result of PROV not implementing our recommendations:

Instead, PROV has used alternative mechanisms to find out what support agencies need. For example, using its Information Management Maturity Measurement Tool (IM3), PROV learned that records management compliance monitoring and reporting programs were not sufficiently developed in government departments.

Agencies' records management

Insufficient executive support for, and attention to, records management is preventing DET and DHHS from achieving full compliance with the PROV standards, and thus fully lawful and effective records management.

Authority

Agency records management units require agency-wide authority to direct staff and third-party providers on all matters related to records management. This includes education and training, compliance management, reporting, recruitment, resource allocation and staff activities.

In both agencies we looked at, the core records management units provide strong support to the rest of the organisation. However, in DET the unit does not effectively exercise its authority, and in DHHS the unit does not have the necessary authority. In both cases, this reduces assurance that departmental staff are managing records lawfully.

Education and training

People who create and manage records—which, in today's digital age is all public sector staff, as well as its contractors, consultants and volunteers—must have enough records management training to enable them to apply PROV's standards. However, neither agency provides or has access to education and training that is adequate for the needs of those who deal with public records.

Compliance monitoring and reporting

Standards under the Act require agencies to have a records management compliance monitoring and reporting program.

DET has no compliance program, but has committed to establishing one. In DHHS, ad hoc monitoring occurs, but more robust assessment is needed, and reports are not made to the secretary, who is ultimately responsible for the program. In both cases the secretaries have diminished visibility of the risks they are accountable for.

Because third-party providers of government services are not subject to the Act, Victoria's records management standards make agencies responsible for ensuring their third-party providers comply with the Act when delivering services on the government's behalf. However, because both agencies have not adequately monitored third-party compliance, there is limited assurance that these providers are lawfully managing records related to the government services they provide.

Compliance with PROV's trustworthiness specification—Capture

The 'Capture' specification contained in the PROV standards focuses on ensuring government records are authentic, reliable and usable, and have integrity—that is, they are protected from undetected and unauthorised alteration, and can be trusted as 'the real thing'.

Neither agency met any of the Capture specification's requirements.

Both agencies are aware of the need to improve their records management and have either committed to or are now addressing the identified weaknesses through initiatives to improve compliance, education and training, and oversight.

Recommendations

We recommend that the Department of Premier and Cabinet as part of its review of the Public Records Act 1973:

  1. address the recommendations of the 1996 Public Accounts and Estimates Committee review—in particular, a continuous program of random audits of agencies to ensure that records management practices are compliant with Public Record Office Victoria standards (see Section 2.2)
  2. address the complexities and risks for records management arising from increased outsourcing arrangements and advances in technology since the Public Records Act 1973 was first drafted (see Section 2)
  3. work to harmonise the Public Records Act 1973 with Victoria's changed information legislation environment—including legislation such as freedom of information, privacy and data protection (see Section 2.3)
  4. incorporate the improved regulatory measures that are applied in other jurisdictions—including monitoring, reporting and penalties for noncompliance (see Section 2.3).

We recommend that the Public Record Office Victoria:

  1. seek legal advice as a matter of priority on each of its powers and duties, but with particular attention to the extent and purpose of:
    • section 12: the requirement to 'assist public officers' to apply Public Record Office Victoria's standards—and what specifically would satisfy this requirement
    • section 13A: Public Record Office Victoria's powers of inspection of records management programs (see Section 3.4)
  2. implement VAGO's 2008 recommendation to introduce competency‑based training (see Section 3.3)
  3. determine the appetite across government for a records manager 'community of practice' similar to that of the whole-of-government information management group—and if the demand is sufficient, establish this forum (see Section 3.3).

We recommend that the Department of Health and Human Services and the Department of Education and Training:

  1. establish agency-wide internal records management compliance programs that monitor and report to the agency head on compliance with each of the Public Record Office Victoria standards—a risk-based phased approach should be used to manage the programs' size, complexity and cost, and the program should be linked to the agency's continuous improvement activities to drive agency-wide improvement in records management (see Section 4.2)
  2. establish processes to ensure that third-party providers are managing their records in compliance with Public Record Office Victoria's standards (see Section 4.3.3).

Responses to recommendations

We consulted with the Public Record Office Victoria, the Department of Premier and Cabinet, the Department of Education and Training and the Department of Health and Human Services, and we considered their views when reaching our audit conclusions. As required by section 16(3) of the Audit Act 1994, we gave a draft copy of this report to those agencies and asked for their submissions and comments.

The following is a summary of those responses. The full responses are included in Appendix A.

Our recommendations were accepted by the Public Record Office Victoria, the Department of Premier and Cabinet, the Department of Education and Training and the Department of Health and Human Services.

[ Contents of this report | VAGO Home | VAGO Publications ]

1 Audit context

1.1 Victoria's records management environment

1.1.1 Victoria's Public Records Act 1973

The Public Records Act 1973 (the Act) is the foundation of Victoria's legislative framework for managing government information. The Act regulates how government records must be captured and managed.

Many of Victoria's other laws—such as freedom of information, privacy and even the Audit Act 1994—can operate effectively only when agencies comply with the Act and manage their records effectively.

The Act was Victoria's first legislation to explicitly address how the evidence of government business should be created and kept. Legislation covering specifics such as access to records—including freedom of information, privacy and data protection––was not enacted until almost a decade later. This has also resulted in the establishment of a number of additional 'information agencies', including the Office of the Freedom of Information Commissioner, the Office of the Commissioner for Privacy and Data Protection, and the government's intended Victorian Information Commission.

Today's business environment is vastly different to the one that existed when the Act was first enacted. This has led to changes in how government does business, and therefore how records are created and managed.

In 1973, most government services were provided by government offices and agencies. Today, outsourcing arrangements are a common method of service delivery. Consequently, records of those outsourced services are created and managed by the third‑party providers delivering the service on the government's behalf.

The Act has never had a major review. Shortly after this audit began, the government committed to a full review of the Act.

1.1.2 The Department of Premier and Cabinet

The Department of Premier and Cabinet (DPC) is responsible for whole-of-government information management and has operational oversight of the Public Record Office Victoria (PROV), which is a DPC portfolio agency.

DPC facilitates PROV's access to government when it seeks endorsement of its approach to records management across the public sector—including submissions, policy proposals and budget bids.

DPC's objectives are outlined in the Victorian Government's Budget Paper 3. They include protecting the values of good public governance, integrity and accountability in support of public trust. The objectives also specify that DPC provide direction to government on the management of public records, and ensure that the historical memory of the Victorian Government endures, and is secure and accessible.

1.1.3 The Public Record Office Victoria

PROV was established by the Act in 1973 for the better preservation, management, and use of the state's public records. The head of PROV—the Keeper of Public Records (the Keeper)—is responsible for establishing public records management standards and assisting public servants to apply them. The Public Records Advisory Council (PRAC) is responsible for promoting cooperation between PROV and public offices, and is able to report and make recommendations to the Special Minister of State (the minister) on any matter relating to the Act's administration.

The Act empowers the Keeper to perform inspections of agency records management. However, unlike other essential government functions—such as risk management or financial management—there is no whole‑of‑government oversight of agency records management.

PROV issues standards under the Act that set out how public records must be managed. These are supported by specifications and underlying criteria that detail the compliance requirements. Figure 1A shows the eight standards, and their 19 supporting specifications.

Figure 1A
PROV standards and specifications

A list of PROV standards and specifications

Source: VAGO.

1.1.4 The Department of Education and Training

The Department of Education and Training (DET) delivers statewide learning and development services to at least one-third of all Victorians each year. It provides these services to children, young people and adults through government schools, and through funding and regulation of early childhood services, non‑government schools, and government‑contracted education and training providers.

DET has a centralised head office, and uses a regional model to deliver services across four Victorian regions—north east, north west, south east and south west. The department has about 58 681 full-time equivalent staff who are located at DET's head office and spread across 1 539 schools throughout Victoria.

The 2016 Independent Broad‑based Anti‑corruption Commission (IBAC) investigation of DET discussed weaknesses in the department's records management systems and processes, including:

The link between DET's poor records management and incidents of fraud suggested that an examination of DET's records management program would help it to strengthen its integrity controls.

1.1.5 The Department of Health and Human Services

The Department of Health and Human Services (DHHS) develops and delivers policies, programs and services to support the wellbeing of citizens. DHHS serves a number of government portfolios, including health, mental health, families and children, and youth affairs.

Like DET, DHHS also has a centralised head office and a regional service delivery model—north, south, east and west—each with their own records management staff. DHHS has about 10 476 full-time equivalent staff.

Records and information management at DHHS has been criticised on a number of occasions since our 2008 audit, particularly its management of child protection records, including:

1.2 Reviews of records management

The following reviews highlight recurring issues with records management.

1996—Parliamentary inquiry

In 1996, Parliament's Public Accounts and Estimates Committee conducted the Inquiry into the Public Record Office Victoria. Its findings included:

2008—VAGO audit

In our 2008 audit Records Management in the Victorian Public Sector, we found that outdated and unfit‑for‑purpose records legislation was hindering the efforts of PROV and agencies to manage records effectively. We also found that Victoria's records management framework lacked mechanisms to:

We concluded that in the absence of these mechanisms, the state cannot be assured that its records management objectives are being met.

2012—VAGO audit

Our 2012 report Freedom of Information (FOI) revealed 'serious flaws in recordkeeping practices and FOI searches'. In 2013, the UK's Information Commissioner's Office stated that the most common basis for upheld complaints in the health sector was not complying with an individual's right of access to their information.

2015—the Landell report

In December 2015, PROV published the Victorian Government Records Management Review (the Landell report)—a high-level analysis of 224 VAGO and Victorian Ombudsman records management findings from 2010 to 2014. It concluded that there was a pattern of systematic and extensive ongoing records management failures within Victorian government departments and agencies. It also reported that across the Victorian public sector, 'records management failures are systemic, chronic and pervasive' and 'greater emphasis and investment in information management within agencies is critical to avoiding waste and loss of public confidence'.

During the course of this audit, DPC presented the Landell report to the Victorian Secretaries' Board (VSB). VSB has referred the report to a VSB subcommittee for further study and advice.

1.3 Related inquiries

Recent high-profile inquiries have increased attention on the need for improved public records management, including the:

The Wrongs Amendment (Organisational Child Abuse) Bill 2016

In response to the Victorian Parliament's Betrayal of Trust inquiry and the Royal Commission into Institutional Responses to Child Abuse, the government introduced the Wrongs Amendment (Organisational Child Abuse) Bill 2016.

Survivors of abuse while in state care have historically encountered barriers to obtaining redress. Organisations have been able to argue that they had no knowledge of the abuse, and therefore could not be held accountable. The onus of proof has been on survivors to demonstrate that abuse had occurred—often requiring them to gain access to government records through the Freedom of Information Act 1982.

The new Bill is designed to reverse this onus of proof. Instead of the survivor being dependent on the effectiveness of an agency's records management practices, the agency itself will be dependent on the reliability of its records—and those of the organisations it contracts services to—to prove that 'reasonable precautions' were taken to prevent abuse.

Once the Bill is passed, the laws will apply to all religious institutions, community organisations, childcare facilities and government bodies that exercise care, supervision or authority over children, and these organisations and agencies can be sued.

The Wrongs Amendment (Organisational Child Abuse) Bill 2016 makes compliance with the Act more important than ever. This is because the Act not only requires that agencies ensure that care providers create and keep records, but that they do it in a way that ensures the records are authentic, reliable and usable, and have integrity. Compliance with these legislated requirements provides the assurance that a record can be trusted.

1.4 Why this audit is important

Good records management is the foundation of government accountability—the integrity of government records directly influences public perception of the integrity of the government itself. Well managed records are also central to the government's ability to make informed decisions, efficiently and effectively provide goods and services, protect the community, and demonstrate delivery on its commitments.

Effective records management ensures that:

Conversely, agencies without effective records management are at risk of:

1.5 What this audit examined and how

In this audit, we examined whether DET and DHHS are managing their records in accordance with legislative requirements, and whether DPC and PROV are effectively assisting them to do this. We had a particular focus on:

We conducted our audit in accordance with Section 15 of the Audit Act 1994 and Australian Auditing and Assurance Standards. The cost of this audit was $540 000.

1.6 Structure of the report

The remainder of the report is structured as follows:

[ Contents of this report | VAGO Home | VAGO Publications ]

2 Central oversight and support

A transparent and accountable government depends on the accessibility and reliability of its records. Effective records management requires a robust framework of legislation, centralised governance and oversight, monitoring, and disincentives for noncompliance.

There are four well‑documented barriers to achieving fully effective records management in Victoria:

Victoria's integrity bodies—and the Public Record Office Victoria (PROV)—have been making the case for establishing a more robust oversight framework for managing public records since the 1990s.

Our 2008 audit recommendations included reviewing the Act and implementing the recommendations of the 1996 Public Accounts and Estimates Committee (PAEC) Inquiry into the Public Record Office Victoria—particularly recommendations concerning oversight of, and education in, agency records management.

Our recommendations were designed to improve PROV's oversight of agency records management by establishing:

This Part of the report examines progress in implementing key oversight recommendations from our 2008 audit Records Management in the Victorian Public Sector.

2.1 Conclusion

The limitations we previously identified in Victoria's records management oversight framework persist, and as a result central oversight and monitoring of agency compliance remains inadequate.

The state's oversight mechanisms also continue to lag behind more advanced jurisdictions that have implemented better practices, such as audit programs and significant penalties for not following the Keeper of Public Records' directives.

However, more recent activities signal renewed support for improving oversight, including:

In combination, these changes present significant opportunities for improvement in Victoria's record management practices.

PROV must have effective support to address the enduring problems in records management and overcome the barriers to improving government transparency and accountability.

2.2 Progress on past recommendations

In our 2008 audit, we found that the Act hinders the efforts of PROV and agencies to manage records effectively. We recommended that the Act be reviewed to make it more relevant to the modern public sector. We also recommended that the review consider PAEC's 1996 recommendations, including that PROV establish robust whole‑of‑government oversight through a records management auditing and reporting program.

We also wrote to PAEC in December 2009, stressing the significance of the recommendation and that it should be rated as a high priority for implementation.

Two key activities were initiated to introduce the recommended oversight—a review of the Act and a request for funding by PROV to implement compliance monitoring and reporting and a competency development program.

2.2.1 Review of the Public Records Act 1973

In response to our 2008 recommendations, the responsible minister at the time—the Minister for the Arts—assigned responsibility for reviewing the Act to the Department of Premier and Cabinet (DPC).

DPC elected to take a two‑stage approach to the review:

Stage 1—options paper

It took 19 months for DPC to engage a consultant to prepare an options paper to inform the review. We could not find clear evidence of the reasons for this delay because DPC's records of the review are sparse, and details of the actions DPC took to avoid or mitigate delays are unknown. Further, because many of the staff involved in the review are no longer working in DPC, much of this corporate history has been lost.

The consultant submitted the paper to PROV, which then provided it to DPC so that DPC could begin stage 2. The paper offered a number of options to consider in the report to the minister.

Stage 2—report to the minister

Draft documents exist that indicate that DPC had intended to progress this stage of the review. However, no records show that this resulted in a brief to the minister, as initially intended.

After DPC received the options paper, PROV attempted to engage DPC and prompt greater progress. In some instances, responses to PROV's enquires were delayed. In other instances, PROV received no response at all. Further, there is no evidence that DPC responded to requests to finalise the review by:

In our 2015 report Access to Public Sector Information, we recommended that the government ensure improvements to public sector information management were underpinned by appropriate legislation. The 2010 options paper that was prepared for the legislative review of the Act supports our recommendation, stating that legislative reform may be a part of creating a sustainable information management strategy into the future.

2.2.2 A records management oversight program

Education is a critical part of an information regulator's mandate. PROV requested funding to implement our 2008 recommendations to establish a compliance monitoring and reporting program and a competency development program. The Minister for the Arts and the DPC secretary both supported the initiative, but PROV's funding request was not submitted to government.

DPC's records do not explain why the funding request was not submitted to government. DPC should improve its compliance with the Act to so that a full and accurate record of government decision-making is created and kept.

2.3 Reform of public records oversight

To better understand what improved oversight might look like in practice, we considered the approaches of other jurisdictions. We compared the requirements for agencies to demonstrate their compliance with records management legislation, including approved records management plans, compliance attestations, self‑assessments, independent assessments and audits. We also looked at penalties in place for noncompliance, in light of the 2016 recommendations arising from the Victorian Parliamentary Inquiry into the CFA Training College at Fiskville.

Figure 2A summarises the breadth of powers and functions of other records management authorities in comparison with Victoria.

Figure 2A
Records management authorities—oversight powers and functions

 

UK

NZ

Tas

Qld

NSW

NT

WA

Vic

Records authority(a)

Approves agency records management plans and programs

Has the power to inspect entities with public records to ensure they are being lawfully managed

(b)

Monitors and reports on agency compliance

Public offices and agencies covered by relevant legislation

Reports to the records authority or publicly on the implementation of their records management plan or program and compliance with records management requirements

(a) 'Records authority' may also include a related authority, such as Western Australia's Information Commission or the UK's Information Commissioner's Office.

(b) Authority not applied.

Source: VAGO.

As Figure 2A shows, Victoria's oversight of public records management is significantly behind other jurisdictions, particularly those that have adopted the use of audits or assessments to ensure that agencies implement better-practice records management. The approaches of some other jurisdictions are discussed below.

2.3.1 Investigatory bodies

Archives New Zealand

Under the New Zealand Public Records Act 2003, Archives New Zealand audits agency records management regimes every five years.

New South Wales and the National Archives of Australia

New South Wales and the National Archives of Australia have both used independent auditors with specialist records management skills to perform audits. The 2010 options paper for the review of the Act reports that these audits have had a considerable impact.

2.3.2 Commissions

Some jurisdictions have a commission—a centralised information management authority. This structure can bring together agencies that administer legislation for records management, freedom of information, records and data security, and privacy protection. With effective legislation in place that is consistent across the different bodies, as well as organisational capacity, this structure enables information authorities to work together to ensure the transparency and accountability of government through reliable, accessible and secure records and information. Key examples are described below.

State Records Commission—Western Australia

The State Records Commission (WA) includes the state's Auditor-General, Information Commissioner and Ombudsman. It is responsible for monitoring agency compliance with the State Records Act 2000, and investigating potential or actual breaches.

Information Commissioner's Office—United Kingdom

The Information Commissioner's Office (ICO) in the United Kingdom (UK) has the power to audit the freedom of information and data protection activities of a range of public sector agencies. The ICO recognises the central role that an agency's records management practices play in meeting the requirements of the freedom of information and data protection legislation. As a result, records management is one of the six key areas of scope for ICO audits. The ICO has a memorandum of understanding with the UK government, which authorises the UK National Archives to assess agencies' records on the ICO's behalf.

The UK National Archives also carries out information management assessments. Although these assessments are voluntary, a 2014 review commissioned by the UK Prime Minister recommended that they be made mandatory, with the outcome to be reported to departmental boards and added to risk registers.

2.3.3 Penalties for noncompliance

During our audit, Parliament's Environment, Natural Resources and Regional Development Committee provided us with details about the Country Fire Authority's failure to maintain proper workplace health and safety records. Specifically, the Committee advised that this unlawful lack of records management has prevented people affected by breaches of health and safety legislation from having the documentary evidence necessary to prosecute their claims and seek appropriate compensation.

Through standards issued under the Act, PROV determines what public records agencies must create and manage, and how long they must retain them before they can be destroyed. The current penalty for destroying records without this authority is five penalty units (approximately $777.30).

In comparison, maximum penalties for records management offences in other jurisdictions range from fines of $3 600 at the Commonwealth level, to $30 800 in NT . Offences in NT and SA can also incur prison terms of up to one year and two years respectively.

Other jurisdictions also impose penalties for additional records management offences, such as damaging public records, and obstructing requests for information and evidence of records management compliance. Victoria does not issue penalties for these offences.

The 2010 paper developed for the review of the Act specifically comments that the penalties in Victoria for breaching records management requirements are too low to act as a deterrent.

Given the systemic nature of records management issues reported in the Victorian Government Records Management Review (the Landell report), the recommendation from the Parliament's Environment, Natural Resources and Regional Development Committee to review sanctions is very timely.

Figure 2B shows the penalties for unlawful destruction of records and obstruction offences in Victoria and other jurisdictions.

Figure 2B
Penalties for unlawful destruction of records and obstruction offences

Jurisdiction

Illegal destruction of a public record

Obstruction(a) of the authority

Penalty

Imprisonment

Penalty

Imprisonment

Vic

$777.30

NSW

Up to $5 500

Qld

Up to $20 113

Up to $12 190

SA

Up to $10 000

Up to 2 years

Tas

Up to $7 850

WA

$10 000

$10 000

Cwth

$3 600

NT

Up to $30 800

Up to 12 months

NZ

Up to $10 000

Up to $10 000

(a) Obstruction includes wilful destruction of public records and noncompliance with official requests.

Source: VAGO.

2.3.4 A new records management environment for Victoria

A new administrative arrangement and central information management authority

The 1996 PAEC Inquiry recognised that 'there seems to be little understanding that records management and information management are the same function'.

PROV's 2015 reassignment to the Special Minister of State's portfolio is positive as it now locates it with Victoria's other information and integrity bodies and more directly connects it as a portfolio agency of DPC. This will also enable greater whole‑of‑government support and oversight.

In 2016 the government introduced a Bill to establish the Office of the Victorian Information Commissioner (OVIC), to consolidate some of Victoria's information authorities. OVIC will provide oversight of Victoria's information management practices from a single body, and will table any investigations in Parliament.

The arrangement is similar to the structure of other jurisdictions that manage public records management issues more proactively. We consider that if OVIC is to have full oversight of public sector information management, it would also need to have oversight of the Act—as is the case in other jurisdictions.

A new information management framework

In our 2015 audit report Access to Public Sector Information, we discussed Victoria's confused and fragmented information management governance framework, and its proliferation of unconnected, overlapping and inconsistent plans.

We recommended that DPC develop a whole‑of‑government information management frameworkas recommended in the 2009 Parliamentary Inquiry into Improving Access to Victorian Public Sector Information and Dataunderpinned by appropriate legislation, and with records management compliance at its core.

In response to our recommendation, DPC began to develop an information management framework in 2016. A document that captures a high-level view of Victoria's information management landscape was published in December 2016. We anticipate that the framework's functional components will follow in due course.

A new Public Records Act

In June 2016, the government announced a 'root and branch' review of the Act. At the time of our audit, the terms of reference for the review had not been formalised. However, the government also stated that:

When we completed this audit in March 2017, the review had not begun.

[ Contents of this report | VAGO Home | VAGO Publications ]

3 Support for agencies

The Public Record Office Victoria (PROV) is Victoria's primary authority on how to ensure that the evidence of government business is trustworthy—specifically, that it has integrity and is authentic, reliable and usable.

PROV is also responsible under the Public Records Act 1973 (the Act) for assisting agencies to meet the Act's requirements for effective records management programs.

Agencies need to have easy and ample access to PROV's subject matter expertise, skills and experience. PROV's oversight can also provide assurance to agency heads, who are ultimately responsible for their organisations' records.

In this Part of the report, we examine how PROV has helped agencies meet the Act's requirements to carry out an effective and compliant records management program.

3.1 Conclusion

PROV has implemented a number of positive changes in response to the recommendations of our 2008 audit Records Management in the Victorian Public Sector, including:

PROV considers that it does not have the power to inspect agency records management programs and, on that basis, has not introduced a whole-of-government inspection program. However, its interpretation of the Act's powers is not based on informed legal opinion.

The absence of records management oversight reduces visibility of the state's records management problems, and the capacity to address them. It also means that the regulatory framework in place for records management remains insufficient, and agencies still do not receive the support they need to help them comply with the Act.

PROV's recent reassignment to the Special Minister of State's portfolio, additional funding to meet service demands, and the review of the Act are encouraging initiatives that signal positive change.

3.2 PROV's advocacy role

PROV's advice to government has consistently drawn attention to the need for greater oversight of public sector records management. Its advocacy has taken a number of different forms.

PROV's funding submissions discuss the increased public expectations that government will be able to properly manage records in this digital age. Its submissions emphasise the importance of implementing our recommendations for more effective monitoring and reporting on agencies' compliance with the records management standards. PROV has also reiterated this message in presentations to government, other agencies and the public.

PROV also played a key role in developing Victoria's first—but ultimately not completed—Public Sector Information Release Framework, which we reported on in our 2015 audit report Access to Public Sector Information.

PROV actively worked to ensure that the framework's principles and standards had effective and compliant records management at its core.

PROV played a proactive role in the 2008 review of the Act, which was subsequently abandoned, and continued to campaign to government about the need to improve compliance mechanisms.

Victoria's Public Records Advisory Council (PRAC) was established under the Act to promote cooperation between PROV and public offices. In this role, PRAC may make recommendations to the responsible minister on any matter relating to the Act's administration. PRAC wrote to the then new government in December 2010, advocating the need for improved records management legislation—but did not receive a response.

Over 2011 to 2014, PROV made further attempts to influence government decision‑making about improving compliance with the Act, but without success.

Landell report

In 2015, PROV engaged a contractor to analyse VAGO's audit reports and the Victorian Ombudsman's reports from 2010 to 2014. PROV published the final report of this analysis, Victorian Government Records Management Review (the Landell report), in October 2015.

The Landell report includes an analysis of agencies' noncompliance with the Act, describing it as systemic, chronic and pervasive across the public sector, rather than as a collection of isolated incidents. It also notes that the consistent reporting of records management issues across both sets of reports supported this conclusion.

In the absence of structured oversight of agencies' records management, PROV's publication of the report creates some visibility of the nature, extent and impact of agencies' noncompliance with the Act.

During the course of this audit, the Landell report was presented to the Victorian Secretaries Board for consideration. Department of Premier and Cabinet (DPC) also announced the review of the Act. These actions are encouraging, and indicate that DPC has an increased understanding of the need for whole-of-government oversight of public records management.

3.3 PROV's regulatory role

3.3.1 Implementation of oversight activities

In our 2008 audit, we found that the Act:

We also found that the records management framework in Victoria did not include systemic mechanisms to:

We concluded that without these things, the state could not be assured that its records management objectives were being met. We also concluded that PROV's agency education and training options were insufficient to meet agency needs.

To help address these findings, we made several key recommendations, namely that PROV:

PROV planned to address our recommendations by establishing a standards review program and developing a framework to:

PROV advised DPC that implementing these initiatives was dependent on additional funding.

PROV was given funding for—and invested substantial effort in producing—a comprehensive set of records management standards that agencies could use to comply with the Act.

However, PROV's funding submission to government to implement the training and assessment framework was not progressed, and PROV did not receive the extra funding. DPC has no records to explain the government's decision-making process. DPC should improve its efforts to comply with the Act's requirements to ensure that full and accurate records of government activities are created and captured.

PROV chose not to reprioritise its existing resources to develop the framework because the Act does not explicitly require PROV to perform compliance monitoring or agency training.

Implementing these recommendations would have helped to address the finding from Public Accounts and Estimates Committee's (PAEC) 1996 Inquiry into the Public Record Office Victoria that 'records management has not received the status it deserves … [and] has been seen as a function to be staffed at little cost by people of little experience. It is seen as being of low priority, with little or no education standards in records and information management being required by agencies'. It would have also addressed the Inquiry's recommendation to produce a report identifying agencies that do not meet Victoria's records management standards.

We also wrote to PAEC as part of its 2010 Review of the Findings and Recommendations of the Auditor-General's Reports 2008 to reiterate our recommendations. We stated in particular that we considered our recommendation for PROV to implement its training strategy to be a high priority.

To date, the framework has not been implemented, and agencies have continued to operate without effective oversight of whether they are lawfully managing their records.

3.3.2 Information Management Maturity Measurement Tool

Although PROV has not established a whole-of-government compliance monitoring framework, it has developed the IM3—a voluntary questionnaire that agencies can use to assess the maturity of their information management. The assessments range from 'unmanaged' (the lowest maturity level) to 'aware', 'formative', 'operational' and 'proactive'.

PROV uses the results of assessments against the IM3 to gather intelligence on agencies' information management and to better understand the state of records management across the Victorian public sector.

In our 2015 audit report Access to Public Sector Information, we recommended that agencies assess their information management environments using the IM3. In 2016, PROV facilitated these assessments for all departments, including the Department of Education and Training and the Department of Health and Human Services. Only one department did not respond to our recommendation to perform an IM3 assessment.

The results of these assessments show that, collectively, agencies' compliance monitoring and reporting was 'unmanaged'. The highest collective rating was 'formative', in the areas of governance, vision and strategy, and information security. All other areas were rated as only 'aware'.

The IM3 is a useful mechanism for agencies to gain a broad understanding of their information management environments. However, it is not a substitute for a rigorous framework for monitoring and reporting on agencies' compliance with the Act.

Without a regulatory framework for monitoring how effectively agencies manage their records, PROV largely relies on information gleaned from reports from Parliamentary committees and integrity offices—such as audit reports and Victorian Ombudsman reports—to identify agencies with poor systems and practices and offer assistance to them.

PROV is a member of Victoria's whole‑of‑government Information Management Group and, in some cases, is also part of agency records management governance groups. These activities help PROV to understand what kinds of support agencies need.

However, stakeholders have advised that records managers do not have the opportunity to be involved with the IMG, and there is no equivalent group for cross-agency dialogue on records management issues. While PROV hosts a Records Management Network, stakeholders suggest that this more of a showcasing forum with guest presentations—rather than a community of practice for addressing whole-of-government records management issues.

3.4 PROV's inspection powers and reporting requirements

The Keeper of Public Records (the Keeper) is the head of PROV and is accountable under the Act for many of PROV's powers and duties.

PROV interprets these powers to be limited to inspecting the physical storage of records and, on this basis, does not inspect agency records management programs. However, section 13A of the Act reads: 'The Keeper of Public Records may enter, at any reasonable time, a public office or any place in which the public records of that office are stored to inspect the storage and conservation arrangements of the records in the office or place and the carrying out in that office or place of the programme of records management referred to in section 13(b)' [our emphasis].

We interpret section 13A of the Act as giving PROV the power to inspect records management programs.

The Keeper must also report on how PROV has carried out its functions under the Act over the course of the year. In turn, the responsible minister must table the report in Parliament. PROV typically meets this requirement through its annual reporting.

PROV's current interpretation is potentially a missed opportunity for the government to see and better understand the nature and extent of what PROV has identified as systemic failures in records management across the public sector.

PROV should seek legal advice on the extent of its powers under the Act as a matter of priority, as there is the risk that it:

3.5 PROV's administrative realignment

Although still a portfolio agency of DPC, PROV was administratively located in Victoria's former Arts portfolio and was subject to the former Arts Victoria's oversight from 1990 to 2001 and again from 2006 to 2014.

Over the years, there have been a number of reviews recommending that PROV be administratively relocated to a portfolio with a greater capacity to support PROV's legislative mandate.

PROV was moved to the portfolio of Victoria's Special Minister of State shortly after the 2014 election. This portfolio has a strong focus on transparency and accountability, with an objective to 'protect the values of good public governance, integrity and accountability in support of public trust'.

The portfolio also includes Victoria's other information agencies—the Office of the Freedom of Information Commissioner and the Office of the Commissioner for Privacy and Data Protection, which the government intends to merge into a new Victorian Information Commission. As a result of this change, PROV now also shares the portfolio's overarching objective.

Because the Act was written before the use of purpose statements, PROV's core objectives are not explicitly defined in the Act. However, PROV has stated that its primary intent is to:

PROV's realignment signals that the government has an increased focus on PROV's role as the authority on how government should create, capture and manage the evidence of its business activity.

The 2016–17 State Budget allocated PROV about $8.2 million over the next four years 'to ensure that its services match increasing demands for public recordkeeping'. This is in addition to ongoing funding of $2.57 million a year.

Together, these activities create the potential for significant improvement in how well agencies manage their records.

[ Contents of this report | VAGO Home | VAGO Publications ]

4 Agency records management

The Public Record Office Victoria's (PROV) records management standards set out how agencies must make and manage records, so they can be trusted as a true reflection of an agency's activities.

The standards cover all records in all formats, media and business systems, and consist of:

This Part of the report examines the Department of Education and Training's (DET) and the Department of Health and Human Services' (DHHS) compliance with the standards. We focus on the key issues that we identified as barriers to DET and DHHS having a fully effective records management program.

4.1 Conclusion

DET and DHHS have recognised the need for improved records management and have shown a genuine commitment to positive change. A number of plans and projects are now either being developed or have been implemented at both agencies to address weaknesses identified over the course of this audit.

But presently, neither DET nor DHHS has implemented a successful records management program, nor are they managing all of their records in accordance with all legal requirements. Consequently, neither agency sufficiently understands their records holdings. This increases the risk of records being lost, inaccessible, inappropriately accessed, unlawfully altered or destroyed.

Both agencies are responsible for large numbers of highly sensitive records that are not all subject to adequate controls. The key control weaknesses we identified in the records management programs of each agency were largely similar:

4.2 Governance

Effective governance includes establishing clear accountability and appropriate authority, effective education and training, robust compliance monitoring and reporting, informed risk management, and a commitment to continuous improvement.

4.2.1 Accountability

The Public Records Act 1973 (the Act) recognises the head of an agency as having ultimate accountability and responsibility for compliance.

By assigning accountability to a single person or role, the Act makes clear that agencies need to have a program in place that provides assurance that their records can be trusted. In a 2012 public presentation, Victoria's Deputy Ombudsman stated, 'We frequently ask the question: who is responsible?' It is easy to blame the individual who failed to keep the record or destroyed a document, but the leadership of an organisation is ultimately responsible.

At DHHS, both the secretary's position description and DHHS's records management policy recognise the secretary's accountability for the agency's records.

However, this was not the case at DET—no corporate documentation explicitly recognises the secretary's responsibility for records management compliance. To address this, DET's executive services division is drafting a new policy that explicitly acknowledges the secretary's accountability for records management.

4.2.2 Authority

Standards issued under the Act require agencies to have a unit with agency-wide authority for records management. In an effective records management program, a unit with this authority will have a greater level of records management skill and knowledge than other areas of an organisation—this better equips the unit to provide the agency head with expert records management advice and recommendations. Under such an arrangement, the agency will be well placed to maintain its transparency by maintaining accessible and reliable records.

This arrangement is not in place effectively in DHHS or DET.

At both agencies, the core records management unit operates as part of the head office.

At DHHS, the records management unit provides strong support and guidance to divisional staff, but does not have the authority to direct the records management activities of central business units or divisional records management teams. These teams do not report to the central unit, but up through their respective divisional heads.

At DET, the authority of the core unit is clear—but we did not observe this authority being put into practice. This was not surprising in view of DET's devolved authority model.

In both cases, the end result is two‑fold:

4.2.3 Education and training

Standards issued under the Act require agencies to identify the records management training needs of staff and key stakeholder groups. The standards also require agencies to provide customised records management education and training to meet those needs.

These requirements aim to address the report of the 1996 Public Accounts and Estimates Committee Inquiry into the Public Record Office Victoria, which stated, 'Training needs to focus on the skills required to manage public records effectively and to apply standards developed by the Public Record Office. Minimum education standards should not be seen as an imposition on employees'.

DET's records management team provides training to increase staff awareness of the importance of records management, but this is not supported by more comprehensive training focused on building staff's records management skills.

DET's procurement training program includes managing records in the department's procurement approval workflow system. However, it is not compulsory and staff can access and use the system without training.

We observed a staff member using the system without knowing how to capture relevant records into it. A lack of records management know‑how creates incomplete evidence trails for procurement processes—which can have adverse consequences for the agency.

DET's executive services division does not know what, if any, records management education and training is provided beyond its central office and regional branches.

At DHHS, records management training aims to raise high-level awareness of the importance of records management. The central office records management unit offers more in-depth training for central office staff, tailored to DHHS's actual practices and processes. However, this is only provided on request, rather than as part of a mandated education and training program.

Despite the Act's requirements, and as discussed in Section 4.2.2, DHHS's central office records management unit does not have the authority to direct records management activities in regional divisions, and cannot mandate what training and education they develop and deliver. Likewise, the unit cannot require DHHS's learning and development team to design or deliver records management education and training—it must rely on its ability to persuade the team of the importance of incorporating records management training into the agency's broader education and training program.

DHHS and DET are both developing initiatives to improve staff records management capability.

DET's executive services division is developing a 'capability uplift' project, which includes further records management training for corporate and regional staff. It is also developing a program for records training of school staff.

DHHS's corporate services division is developing a recordkeeping awareness and training strategy and program to meet PROV's training and education requirements.

If funded and implemented, these initiatives will be a positive step towards improving the way these agencies manage their records.

Part 3 discusses PROV's decision not to carry out VAGO's 2008 recommendation to implement the competency-based training program that PROV had been planning. In the absence of this program, other agencies have developed and implemented their own records management training programs—usually in isolation from each other.

During the audit, a number of stakeholders expressed frustration at not having whole‑of‑government records management training programs in place that provide records management induction for agency staff and specialist competency development.

PROV's records management standards are complex and detailed, and stakeholders felt that PROV could play a greater role in helping agencies to understand and implement them.

Stakeholders also commented on the potential for efficiencies across the whole of government if centralised, PROV-endorsed training and education programs were put in place.

4.2.4 Compliance monitoring and reporting

In 2010, PROV issued a requirement for agencies to monitor and report on their compliance with the Act.

Complying with Victoria's records management standards requires significant and ongoing effort. Agencies must comply with over 200 criteria of varying scope and complexity within the 19 specifications across the eight standards. Meeting the requirements of some criteria is relatively simple, while meeting others requires considerable resources and expert skills.

For example, the requirement for an independent audit of the agency's records management program at least every five years is complex, time consuming, and requires the skills of records management experts. In comparison, the requirement to formally recognise the head of an agency as having ultimate accountability and responsibility for the agency's compliance with the Act and its standards—although just as important to effective records management—is a more straightforward task.

Given the size of an agency's records management compliance program, it is reasonable that the agency would prioritise its approach to compliance in stages, based on a risk assessment—that is, assessing and then prioritising high-risk areas before moving onto lower risk areas. These areas will be different across agencies and will depend on the records management teams' understanding of where the agency is most at risk because of poor records management. Once the agency has addressed noncompliance in high-risk areas, it can then progress to the next level of priority.

As discussed in Part 3 of this report, the 2016 assessment using PROV's Information Management Maturity Measurement Tool (IM3) revealed that audit and compliance were the weakest areas across all surveyed departments and agencies. This, in addition to our findings, supports PROV's repeated calls for more robust oversight of agencies' compliance with the records management requirements in the Act.

DHHS's central records management unit has been assessing DHHS's compliance since 2013. We observed two key monitoring points in 2013 and 2016.

However, the assessments have not been part of the agency-wide compliance program, and the results are not reported to the secretary. Without this information, the secretary—who is accountable for any noncompliance—is unlikely to be fully aware of any compliance issues and the associated risks.

We identified instances where compliance assessments lacked sufficient rigour—such as outsourced services being evaluated as compliant, despite the absence of a process to determine compliance.

Although DHHS's compliance monitoring would benefit from increased rigour, the fact that compliance monitoring takes place shows that DHHS operates in one of the more mature records management environments.

DET, on the other hand, does not perform any compliance monitoring and reporting, and its understanding of the maturity of its records management environment currently comes only from the IM3 self-assessment.

DET achieved an average maturity rating of 'aware', the second lowest of the IM3's five possible maturity levels. The IM3 tool does not have a description for an average rating of 'aware'—this result indicates that an agency has answered the majority of assessment questions at the 'aware' level, suggesting that the agency is aware of issues but has not yet made much progress in addressing them.

DET has started developing a records management compliance program to address its weakness in this area, reflecting a commitment to improvement.

4.3 Agency practices and processes

4.3.1 Legal compliance

DET's and DHHS's records management practices do not comply with all legal requirements. Neither agency fully complies with PROV's records management standards, nor do they have a clear understanding of what records they own and hold.

We assessed compliance by DET and DHHS with the PROV standards. In total, we assessed 218 criteria. DHHS fully complied with 130 criteria, and DET fully complied with 30 criteria. Figure 4A provides a summary of the results. Detailed assessments for each requirement are included in Appendix C.

Figure 4A
Agency compliance with PROV specifications

Standard name

Specification name

Compliance

DHHS

DET

Capture

1

Digitisation requirements

2

Image requirements

3

Capture

Control

1

Control

~

Storage(a)

1

Agency records storage

O

Access

1

Access to records in agency custody

O

~

2

Access to records in PROV custody

O

~

Disposal(b)

1

Developing disposal authorities

O

O

2

Implementing disposal authorities

O

Operations Management

1

Operations management

O

Strategic Management

1

Strategic management

O

~

Victorian Electronic Records Strategy
Note: VERS compliance applies to the records management system's capability for compliant transfer—but does not imply compliance with the transfer process.

1

System requirements for preserving electronic records

2

VERS metadata scheme

3

VERS standard electronic record format

4

VERS long-term preservation format

5

Export of electronic records to PROV

Note: Fully compliant—fully meets every criterion; O Mostly compliant—meets many but not all criterion; ~ Some compliance—meets only a few criterion; No compliance—meets none of the criterion. Ratings are qualitative and not statistically determined. For example, 'mostly compliant' may mean all criterion but one have been met, and 'some compliance' may mean only one criterion out of many has been met.

(a) Storing and managing state archives specification and Approved Public Office Storage Supplier (APROSS) specification not assessed.

(b) Transfer to PROV specification not assessed.

Source: VAGO.

4.3.2 Impact of noncompliance

The principles of the Capture standard are central to the trustworthiness of agency records. Compliance with the standard's Capture specification ensures that agency records are created, are authentic, reliable and usable, and have integrity (are protected from undetected and unauthorised alteration). These principles and supporting requirements provide assurance that a record can be trusted.

The standard's principles are shown in Figure 4B. Neither agency fully met any of the criteria in the standard's Capture specification.

Figure 4B
Principles of PROV's Capture standard

Creation

Full and accurate records of all agency activities and decisions are systematically created by authorised people or systems to meet business needs, accountability requirements and community expectations.

Authenticity

Authentic records of all agency activities and decisions are consistently captured by robust and compliant systems.

Reliability

Public records are correctly and clearly connected to the relevant times, people, systems, processes and events to ensure they are reliable evidence of what occurred.

Usability

Public records are preserved for future use at the time of their creation and capture through effective strategies, methods and formats.

Integrity

Systems that capture public records maintain the integrity of the records as evidence, protecting them from undetected and unauthorised alteration.

Source: VAGO, adapted from PROV, Capture standard.

DHHS

DHHS has made an effort in recent years to address longstanding records management issues that have been reported by various integrity offices. This includes its management of ward records and the access to these records through online tools.

However, DHHS has advised that its efforts in this area have affected its capacity to undertake other activities to improve records management.

Compliant versus noncompliant systems

Some DHHS staff use TRIM, an electronic document and records management system, for managing some records. DHHS has approximately seven million documents in TRIM. Outside of TRIM, DHHS has approximately 100 million electronic documents across its network of drives and shadow systems (records repositories that are additional to the organisation's records management system). This number does not include the documents in DHHS's email systems.

DHHS was unable to determine how many electronic documents were stored in staff email inboxes, and could only determine the number of emails sent and received across the agency over the last year. Of the combined total of 39.3 million emails, they were unable to determine how many had included records.

In 2012, Victoria's Deputy Ombudsman noted in a public speech that 'very often our investigations identify that only paper records are maintained. That is, copies and originals of correspondence to and from an agency. However, when we delve further into an investigation we identify key decision-making is often recorded in email, faxes and notes not maintained on the departmental file'.

The documents that are outside of DHHS's TRIM system do not have adequate storage, maintenance and access controls. DHHS cannot be assured of what types of documents they are, or the level of risk they pose to the secretary and the agency while they sit in these unprotected areas.

A core reason for so many documents not being captured within DHHS's endorsed records management system, when appropriate, may be because the system has only been deployed to 2 130 staff (20 per cent of the workforce).

DHHS's position descriptions and records management policy make it very clear that all staff are responsible for ensuring their own compliance with the Act—and DHHS's records management unit is able to ensure the lawful management of records that staff capture in TRIM.

However, where staff are choosing to manage their records outside of TRIM, in breach of the Capture specification, the records management unit does not have the authority to compel them to lawfully manage their records.

DHHS's central records management unit has worked hard to establish a system that supports effective records management. However, with so many documents sitting outside of TRIM, this work is not being used effectively throughout the agency. As a result, DHHS is not fully realising the potential benefits of its records management system or managing its risks.

Since our 2008 audit, DHHS's records management unit has submitted several business cases to its executive seeking resources to address the risks posed by records sitting in systems that do not meet PROV's standards. Although DHHS has endorsed the business cases, they have not been fully funded.

'Missing' and 'in-transit' files

We learned that an estimated 16 800 files are recorded in TRIM as 'missing'. These include, but are not limited to, files for:

Of the 16 800 files marked as missing in TRIM, 622 are child protection files (0.2 per cent of the child protection files in DHHS's corporate records system), with some marked as missing since 2004 and 2005.

DHHS also advised us that 5 504 TRIM files have been assigned the status of 'in transit' (being transferred from one location to another). Our analysis of these files showed that 3 586 (65 per cent) were client files or contained personal data.

Figure 4C shows the length of time these files have been in transit.

Figure 4C
DHHS files in transit

Chart shows the length of time DHHS files have

been in transit

Source: VAGO, based on data from DHHS.

Because a file can contain one or many records, the number of records within these 16 800 missing files or 5 504 in-transit files is unknown.

We noted that although the secretary is ultimately accountable for these missing and in-transit files, DHHS staff do not report details of missing files to the secretary, or report on the risks they pose to client privacy and DHHS's accountability.

DHHS intends to begin regular monitoring of and reporting on missing files to address this issue, and its statewide audit of uncatalogued physical files registered in TRIM is almost completed. In addition, plans for an annual audit process will help DHHS better manage the risks that such files are being subject to unlawful practices such as unauthorised access, alteration or destruction.

DET

As stated earlier, DHHS operates in one of the more mature records management environments. Because of this, DHHS was able to provide us with a large amount of information on the state of its records management. In contrast, DET's broad noncompliance with PROV's standards means that the agency knows very little about its entire records holdings.

Across the agency, more than 50 different locations are being used for records storage, but the records management unit has no control of them or access to them. There is also a large but unknown number of storage units, storerooms, filing cabinets and other storage repositories spread across the agency in undocumented locations—containing potentially many thousands of boxes of records. DET could not provide information on missing files, or files in transit, and is largely unaware of the extent of the risks related to its records management.

Like DHHS, DET was also unable to determine the number of records held in email inboxes, or the number of sent or received emails that contained records. They could determine the number of sent and received emails over the last six-month period—approximately 196 million.

Unlike DHHS, DET was only able to determine the number of files in one of its eight shared drive areas—approximately 3.8 million files. Because there is no assurance of the uniformity of the eight areas, any extrapolation of file numbers from this single area would only be speculative. As with DHHS, DET is unable to determine how many of those files are agency records.

4.3.3 Managing the records of outsourced activities

In our 2008 audit, we expressed particular concern that agencies were not ensuring that third-party providers were lawfully managing the records related to the services they delivered on the government's behalf.

In 2010 PROV mandated that agencies embed records management clauses in their contracts to improve the way records of outsourced activities are captured and preserved. The requirements are for any arrangement where an agency engages an external service provider—by virtue of a contract or agreement—to perform functions or activities, or to provide services on its behalf.

Figure 4D summarises the requirements, which are detailed in Appendix D.

Figure 4D
Records management contract clauses

1

Records ownership and custody requirements

2

Specific records management requirements as determined by the agency

3

Records disposal requirements

4

Records access requirements

5

Records storage requirements

6

Records security requirements

7

Requirements for service providers to submit to records management practices monitoring and audit as arranged by the agency

8

Requirement to ensure all records management issues are addressed by the service provider prior to contract completion

9

Requirement for the agency to ensure that the contract's budget includes sufficient resources to fund the records management requirements specified in the contract

Source: VAGO, adapted from PROS 10/10 S1 2.4–Outsourced Activities and Privatisation, 21−29, PROV.

DET contracts

DET has not updated its contract management policies, procedures and templates to incorporate these requirements.

We selected 60 DET contracts created since 2010, to examine whether DET had incorporated the records management requirements. Of these 60 contracts, 20 (33 per cent)—with a combined value of $6 364 535—had not been captured in DET's contract management system and could not be assessed.

We noted that DET staff commonly used generic clauses to impose records management requirements. Victoria's records management standards require that contracts specify details such as custody of the records, storage and security requirements, audit activities, and how records must be disposed of.

Of the 40 contracts we could assess against the nine requirements:

The weaknesses in DET's contract management process mean that it does not ensure that its third-party providers understand their records management obligations.

DET's integrity reform program includes a procurement reform project. This project is expected to implement improvements to procurement processes, and includes strengthening the documentation requirements of performance management of third‑party providers.

Records of children in state care

Since our 2008 audit raised concerns about the records of third-party providers, the impacts of inadequate records management by third parties have been reiterated in reports such as the Victorian Ombudsman's 2012 report, Investigation into the Management and Storage of Ward Records by the Department of Human Services, and the more recent Royal Commission into Institutional Responses to Child Sexual Abuse.

Before the introduction of records management legislation, staff at care institutions could legally destroy the records of children who had suffered abuse.

The Ombudsman and Royal Commission reports reveal how the long-term mismanagement of records of former wards of the state by community service organisations (CSO) that provide state care services has had a profoundly damaging impact on survivors of abuse while in care.

In many cases, poor records management practices have made the evidence of abuses committed irretrievable, thereby hampering investigations and potentially protecting the perpetrators.

DHHS has been diligent in its recent efforts to address the records management issues that first emerged with the closure of state care institutions in the 1990s.

DHHS's response to the 2012 Ombudsman Victoria Investigation into the storage and management of ward records by the Department of Human Services resulted in its Ward Records Plan. The plan involved indexing over one million physical records about people who had been institutionalised by the state. On the completion of the plan, DHHS also published the website 'Finding Records', with over 200 guides to help those who were once in state care to find and access records about themselves.

This is an important improvement in DHHS's records management, which we hope marks the start of greater investment in these critical resources.

DHHS contracts

PROV's requirement for contracts of outsourced activities to include records management requirements puts the onus on DHHS to ensure that CSOs are managing the records of children in state care in accordance with the Act.

DHHS has incorporated the requirements into its CSO contracts. However, it does not monitor their compliance and so cannot demonstrate that the CSOs it funds are meeting these requirements.

DHHS contracts around 1 178 CSOs to deliver services on its behalf, and 500 of these are subject to an independent accreditation process as part of their contractual arrangements. However, the process does not include examining the compliance of CSOs' records management systems and processes. The remaining CSOs have no assessment requirements.

With hindsight, there is now a better understanding of the negative impact on survivors of abuse when poor management or destruction of records means that they are unable to access information about their past. This highlights the need for agencies to prevent this from happening now and in the future. It also underscores the importance of obtaining assurance from CSOs that such records are being managed appropriately.

[ Contents of this report | VAGO Home | VAGO Publications ]

Appendix A. Audit Act 1994 section 16—submissions and comments

We have professionally engaged with the Public Record Office Victoria, the Department of Premier and Cabinet, the Department of Education and Training and the Department of Health and Human Services throughout the course of the audit. In accordance with section 16(3) of the Audit Act 1994 we provided a copy of this report or relevant extracts to those agencies, and requested their submissions and comments.

Responsibility for the accuracy, fairness and balance of those comments rests solely with the agency head.

Responses were received as follows:

RESPONSE provided by the Director and Keeper of Public Records, Public Record Office Victoria

RESPONSE provided by the Director and Keeper of Public Records, Public Record Office Victoria

RESPONSE provided by the Secretary, Department of Premier and Cabinet

RESPONSE provided by the Secretary, Department of Premier and Cabinet

RESPONSE provided by the Secretary, Department of Education and Training

RESPONSE provided by the Secretary, Department of Education and Training
RESPONSE provided by the Secretary, Department of Education and Training
RESPONSE provided by the Secretary, Department of Education and Training

RESPONSE provided by the Secretary, Department of Health and Human Services

RESPONSE provided by the Secretary, Department of Health and Human Services
RESPONSE provided by the Secretary, Department of Health and Human Services
[ Contents of this report | VAGO Home | VAGO Publications ]

Appendix B. Victoria's records management standards

Figure B1 provides an overview of Victoria's records management standards and their respective specifications.

Figure B1
Records management standards and specifications

Standard and specification

Purpose/function/obligation

Capture

1

Digitisation Requirements

Requirements defining the criteria for digitising records with a view to using the digital copy as the official record and disposing of the source record.

2

Digitisation Image Requirements

Minimum set of technical requirements designed to ensure the creation of a full and accurate copy of the physical original (when digitising source records in order to destroy the physical originals after digitisation).

3

Capture

Requirements to ensure that records are created, authentic, reliable, usable and have integrity, regardless of format.

Control

1

Control

Requirements for metadata allocation, records classification and tracking information.

Storage

1

Agency Records Storage

Mandatory conditions for storing public records in agency custody, including authorisation for storage, location, construction, and inspection requirements, preservation and maintenance conditions, and identification and control and systems and processes, security requirements, and business continuity, disaster prevention and recovery programs.

2

Storing and Managing State Archives

Requirements for archival storage of State Archives (in digital and hardcopy formats) in a Public Record Office Victoria (PROV) managed repository or third-party facility appointed under section 14 of the Public Records Act 1973.

3

Approved Public Record Office Storage Suppliers (APROSS)

The records storage requirements (as shown above) for storage suppliers to be approved to store public records.

Access

1

Access to Records in Agency Custody

Requirements for:

  • open access to records—with access restrictions being justified according to endorsed criteria, and closure in accordance with the Public Records Act 1973
  • the use of records to only be for authorised purposes
  • the security of records in agency custody.

2

Access to Records in PROV Custody

Requirements for:

  • establishing clarity about the access status of records, once transferred to PROV
  • managing risk including minimising litigation and inappropriate release
  • ensuring the preservation of Victorian public records.

Disposal

1

Developing Disposal Authorities

Sets out the requirements to ensure that records disposal is legal, informed, planned, justified, accountable, authorised, timely, secure and accurate.

2

Implementing Disposal Authorities

Sets out the requirements for demonstrating that disposal was carried out as detailed above.

3

Transfer to PROV

Criteria for transferring State Archives into the custody of PROV and Places of Deposit (POD) Repositories.

Operations Management

1

Operations Management

Details the requirements for:

  • procedures
  • systems management
  • training and awareness
  • compliance audits
  • continuous improvement
  • transfer of custodianship.

Strategic Management

1

Strategic Management

Sets out requirements for:

  • assignation of responsibilities, authorities, and accountabilities
  • strategic planning, policy and stakeholder engagement
  • outsourced activity and privatisation.

Victorian Electronic Records Strategy (VERS)(a)

1

System requirements for preserving electronic records

Details the functions that a records management system must support if it is to preserve records for a significant period.

2

VERS metadata scheme

Specifies the metadata that a records management system must hold to conform to VERS.

3

VERS standard electronic record format

Sets out the types of VERS encapsulated objects that agencies are permitted to create.

4

VERS long term preservation format

Lists the acceptable data formats for representing documents for a significant period.

5

Export of electronic records to PROV

Approved media and mechanisms for exporting electronic records to the State Archives.

(a) Systems requirements for housing electronic records of permanent value.

Source: VAGO, adapted from PROV's website.

[ Contents of this report | VAGO Home | VAGO Publications ]

Appendix C. Compliance with records management standards

Figure C1 presents the results of our compliance assessment of the Department of Health and Human Services (DHHS) and the Department of Education and Training (DET).

Figure C1
Compliance with records management standards

Standard

Compliance

DHHS

DET

Capture

Specification 1: Digitisation Requirements

1

The agency must prepare and implement a Digitisation Plan in accordance with requirements 2 to 7.

2

The agency must prepare a Digitisation Activity Plan with the following sections: Scope definition, Appraisal analysis, Purpose of digitisation, Statement of benefits, User needs and impacts, Risk analysis, Intellectual property analysis, Format requirements, Value as an artefact, Loan check, Source document review, Digitisation location, Equipment and resources.

3

The agency must prepare a Digitisation Image Specification with the following details for each type of source document: Resolution required, Type of image, Bit-depth, Colour management, Output format(s), Compression algorithms.

4

The agency must prepare a Digitisation Processing Plan with the following sections: Process set-up, Retrieval of records, Pre-processing of records, Scanning records, Post‑processing of source records, Post-processing of images, Capture of metadata, Generation of records, Registration of converted records, Return of source records, Reprocessing of records.

5

The agency must prepare a Management Plan for the Converted Records with the following sections: Record management, Security and access control, Storage, Back-up and restoration, Disaster recovery, Export.

6

The agency must prepare a Management Plan for the Source Records with the following sections: Disposal status, Record management, Disposal process, Audit requirements.

7

The agency must prepare a Quality Control and Assurance Plan for the converted records with the following sections: Image accuracy, Record accuracy, Storage reliability, Quality failure processes, Logging and analysis.

Specification 2: Digitisation Image Requirements

1

For clean, high-contrast documents with text or graphics, for which colour is either not present or not essential and any images are line art, agencies must produce images conforming to the PROV specifications.

2

For documents where colour is present and is important, or for documents with low contrast (e.g. faded text, coloured background) agencies must produce images conforming to the PROV specifications.

3

For black and white photographs agencies must produce images conforming to the PROV specifications.

4

For colour photographs agencies must produce images conforming to the PROV specifications.

5

For black and white negatives agencies must produce images conforming to the PROV specifications.

6

For colour negatives agencies must produce images conforming to the PROV specifications.

7

Where it is required to relax the requirements of this Specification for temporary records, agencies must conduct a usability analysis conforming to the specifications.

Identification of all the reasonable business uses of the records.

Evidence to confirm that it can be reasonably expected that all records will be usable for all identified business uses.

Specification 3: Capture

 

Creation

1

An assessment of the functions and responsibilities of the agency has been undertaken to determine: the records which must be created and captured to meet business needs, accountability requirements and community expectations; and how this should be done (systems, processes, formats, responsibilities, timeframes, metadata capture). This assessment should be based on the value of the records (and the function they serve) to the business, government and the community, considering both current and future needs.

2

Processes must be developed and implemented to ensure that the required records are created and captured so that they are complete and meaningful, meet business and stakeholder needs and are consistent with legislative and other requirements. These processes must be clearly set out in policies and procedures and built into agency systems and activities. They must be communicated to all staff (including volunteers and contractors) who are involved in that function or activity.

3

The minimum level of detail required to ensure that records are complete, meaningful and comprehensive has been determined, built into processes and systems, and communicated to all staff (including volunteers and contractors) who are involved in that function or activity.

 

Authenticity

4

Records of all agency activities and decisions are consistently and routinely created and captured into the appropriate authorised systems.

5

Systems that capture records are compliant with PROV Standards or integrate with systems which are compliant with PROV Standards and information polices and requirements.

6

Processes and systems are in place to ensure that changes to the content or metadata of records are captured (what, who, when), where this might be necessary to demonstrate the authenticity of the record, provide evidence of activity or decision‑making or assist the agency to carry out its business.

Reliability

7

Records are created and captured as part of or as soon as practical after the action, decision or incident that they document.

8

The appropriate metadata is determined and captured, automatically where possible, to ensure the records have context and meaning and provide reliable evidence of activities and decisions.

Usability

9

Risks to records have been identified, assessed and mitigated from the point of creation or capture as part of the agency's overall risk management framework.

10

Records are captured in systems and formats that preserve the integrity of the records whilst facilitating their reuse.

11

The appropriate metadata is captured and preserved with the record for the duration of its retention period.

12

Information needed to locate, retrieve, present and interpret records is captured and preserved with the record for the duration of its retention period.

Integrity

13

Risks regarding unauthorised addition, deletion, alteration, use and concealment of business records have been identified, assessed and are mitigated from the point of creation or capture as part of the agency's overall risk management framework.

14

Procedures are developed and all staff members (including volunteers and contractors) who are authorised to make changes to records are instructed in how to add, delete/remove, or alter records and capture these changes appropriately.

15

Records that carry security classifications are created and captured in compliance with the requirements of that classification.

Control

 

Metadata

1

Metadata schemes are developed and implemented that meet agency business needs and are compliant with legislative and regulatory requirements, including PROV Recordkeeping Standards.

2

The minimum metadata collected cover the following metadata attributes: Identity, Description, Use, Event History, Event Plan, and Relation.

3

The minimum metadata collected are consistent with the International Standard on Managing Metadata for Records (ISO 23081: 2009) and PROS 99/007 Management for Electronic Records.

4

Controls are implemented to assess and verify the accuracy of metadata.

Classification

5

One or more business classification schemes are developed, implemented and maintained in consultation with stakeholders to meet the agency's business needs.

6

Business processes, access controls and disposal programs are assessed to determine what can accurately be mapped to the business classification schemes used by the agency and the results of the assessment are implemented.

7

Current business records, regardless of their format or which system they are in, are classified in accordance with a business classification scheme.

8

Where multiple business classification schemes are used, the language used within these schemes is aligned or mapped with each other.

 

Tracking

9

The movements of business records are accurately tracked, including when they are migrated from one system to another or transferred to an external location or party.

10

Actions related to business records are accurately tracked and maintained.

Storage

Specification 1: Agency Records Storage

 

Authorisation

1

All agency records must be stored in compliant storage areas and facilities unless required to support ongoing business activities.

2

Commercial storage facilities used to store public records must have been appointed as an Approved Public Record Office Storage Supplier (APROSS) by PROV prior to the agency storing any public records within the facilities.

3

Unsentenced records must only be transferred to an APROSS facility once a plan is in place to sentence them within a specified time period. The plan must be approved by the agency and be available to a PROV representative upon request.

4

Permanent records must only be stored in an APROSS if a plan to transfer the records within a specified time period to a State Archive storage facility has been approved by a PROV representative.

 

Inspection

5

Storage areas and facilities must be evaluated against this Specification, with actions needed to address any requirements not met identified and incorporated into the agency's strategic plans.

6

A report of compliance against this specification must be endorsed by a senior agency executive and be made available to a PROV representative upon request.

7

Agencies must inspect and evaluate their storage areas or facilities every five years and after any major changes that affect the storage of public records.

Location and construction

8

An assessment must be undertaken to identify risks posed by the buildings, building services and equipment used for records storage to the records or to the staff managing the records.

9

All risks identified by Requirement 8 must be recorded within the organisational risk register, be reviewed on an annual basis and be mitigated in accordance with agency approved risk mitigation strategies and plans.

10

Agency owned or leased storage facilities must be assessed as being compliant with the Building Code of Australia and associated codes.

11

Storage areas and facilities must have in place appropriate and comprehensive fire detection and protection systems and equipment, in compliance with the Building Code of Australia and Australian Standards.

12

Storage areas and facilities must have sufficient floor loading capacity to safely support the maximum volume of records, their containers and any furnishings or equipment.

13

Shelving must be fit for purpose.

Preservation and safety

14

An assessment must be undertaken to identify risks to the preservation of the records and safety of the staff managing the records.

15

All risks identified by Requirement 14 must be recorded within the organisational risk register, be reviewed on an annual basis and be mitigated in accordance with agency approved risk mitigation strategies and plans.

16

Agencies must not allow permanent records or long-term temporary records to become damaged or unusable during their retention period, as a result of the prevailing or fluctuating environmental conditions in storage areas or facilities.

17

Staff members responsible for handling records within archive storage areas and facilities must have received training in safe manual handling practices to minimise risk of injury and of causing damage to records.

18

Records in danger of becoming unusable during their retention period must be treated by a professional conservator.

19

Record storage areas, facilities and equipment must meet identified work health and safety needs and be supported by safe work practices.

Identification and control

20

Responsibility for the identification and control of records must be assigned to staff with the appropriate skills and competence in records management.

21

Systems and metadata for the physical and intellectual control of public records within storage areas and facilities must be implemented to allow for effective management, identification, retrieval and tracking of records.

22

Identification, control, retrieval, handling and return of records must be undertaken by those authorised to access them in accordance with agency approved policy, process and procedures.

Security

23

Records that carry security classifications must be handled and stored in compliance with the requirements of the classification.

24

Access to public records in storage areas or facilities or in transit must be controlled, monitored and restricted to authorised staff, with security breaches reported to the appropriate authority.

Maintenance

25

Maintenance of storage areas and facilities must be actively monitored and identified maintenance issues resolved in a timely manner.

26

Software and systems used to store digital records must be supported and maintained by people with the appropriate skills and competencies.

Business continuity, disaster prevention and recovery

27

A disaster preparedness, management and recovery program for public records within agency owned or managed storage areas and facilities must be:

  • developed
  • implemented
  • tested in accordance with program requirements and time frames
  • updated based on the outcomes of the test.

28

Records in agency storage must be insured for recovery and restoration in the event of a disaster.

29

Records identified by the agency as being vital must be provided with adequate protection from disasters or be duplicated and stored in two physically distinct sites.

Access

Specification 1: Access to Records in Agency Custody

Openness

1

Policies and practices have been established to support open access to records.

2

Policies governing access to records align with legislation and Victorian government policy.

3

Policies governing access to records have been documented and communicated to employees, contractors, volunteers and the public.

Justifiable restriction

4

Processes to facilitate access to records have been documented and communicated and are regularly reviewed as part of a continuous improvement program.

5

Documented criteria, based on legislation and policy, are used to justify restrictions on records.

6

Access restrictions for records are implemented in all appropriate systems.

7

Periodic reviews of the restriction criteria are developed and established to maintain validity of the justification.

8

Restrictions applied to records are reviewed biannually to ensure restrictions only apply for the appropriate length of time.

9

A policy on the use of records is established and communicated to all relevant members of staff, including contractors and volunteers.

Use of records

10

Relevant legislation is considered and taken into account in relation to the use of records.

11

Records are used subject to copyright, licensing, contractual or other conditions.

12

Processes to facilitate public use of records have been documented and communicated and are regularly reviewed as part of a continuous improvement program.

Security

13

A security policy for records is established and communicated to all relevant members of staff, including contractors and volunteers.

14

Security measures, procedures and protocols relating to access to records are established, documented, and designed to prevent unauthorised access, alteration, destruction or release.

15

Record security obligations are communicated to all members of staff, including contractors and volunteers, and training provided.

16

The recordkeeping audit program includes monitoring, assessment and reporting on the security of records.

Specification 2: Access to Records in PROV Custody

Openness

1

Stakeholder consultation regarding appropriate access arrangements has been undertaken prior to the transfer of the records to PROV.

2

Transfer plans developed in collaboration with PROV include arrangements for establishing the access status (either open or closed) of the records being transferred into PROV custody.

3

Unavailability of records due to licensing and copyright issues has been made clear at the time of transfer.

4

Any record nominated for transfer into PROV custody that has a restriction in place (while in the custody of the agency) has had the restriction reviewed to determine whether: (a) the restriction is time expired or remains valid, (b) a valid restriction aligns with a section of the Public Records Act 1973 and can be nominated for closure, or (c) the restriction should be removed before transfer.

5

Records with a restriction are complete, full and accurate, with no records or parts of records removed, altered, de-identified, redacted or destroyed prior to transfer to PROV.

Justifiable restrictions

No requirements

Closure of records in the custody of PROV

6

Records to be closed under the appropriate sections of the Act have been identified and recommended for closure.

7

Evidence justifying the nominated closure of records under the Act has been collated and presented to the relevant party.

8

Consultation between the agency and PROV has occurred to assess records recommended for closure and obtain agreement for the closure of those records.

9

Records to be closed under the Act have not been de-identified and individual documents that form part of the record have not been destroyed or altered prior to their transfer into PROV custody.

Use of records

10

Processes are in place to ensure that records retrieved by the agency from PROV custody are managed in accordance with the agency's access provisions, including security arrangements and justified restrictions.

11

Prior to returning records to PROV, a quality assurance using the completed Record Description Lists (for physical records) and manifests (for digital records) is conducted.

Disposal

Specification 1: Developing Disposal Authorities

Legality

1

All relevant legislative and regulatory requirements must be incorporated into disposal authorities.

Informed decision-making

2

Analysis of the legislative contexts within which agency records are created and maintained must be undertaken to inform authorised disposal actions and retention periods.

3

Analysis of the administrative and business contexts for which agency records are created and maintained must be undertaken to inform authorised disposal actions and retention periods.

4

Analysis of accountability requirements must be undertaken to inform authorised disposal actions and retention periods.

5

The rights, entitlements and obligations of agency clients must be considered when determining an appropriate disposal action and retention period for records.

6

Key stakeholder groups, internal to the agency, must be identified and consulted during the development of disposal authorities.

7

Key stakeholder groups, external to the agency, must be identified and consulted during the development of disposal authorities.

Justification

8

The determination of disposal actions and retention periods for public records must be the outcome of an appraisal process.

9

The rationale for disposal actions and retention periods must be well informed, expressed clearly and concisely, and able to withstand scrutiny.

10

Appraisal decisions must be documented and submitted to PROV in the specified format for consideration before a disposal authority can be authorised by the Keeper of Public Records.

Accountability

11

The head of the agency must endorse the final recommended disposal actions and retention periods submitted to PROV.

Authorisation

12

Prior to the disposal of any records, authorisation must be obtained from the Keeper of Public Records.

13

Agencies that do not have disposal authorisation for all of their records must, in consultation with PROV, establish an agreement for the development of a disposal authority.

14

Agencies that PROV determines as requiring a specific Records Disposal Authority or Single Instance Disposal Authority, must plan for their development as part of their records disposal program.

15

As part of developing a new disposal authority, the agency must plan how they will implement it in their records disposal program.

Timeliness

16

Retention periods must be set at the minimum period of time needed for meeting PROV appraisal criteria.

Accuracy

17

Changes in agency business needs, or legislative and accountability requirements must be assessed in terms of their impact upon existing disposal authorisations.

18

An agency must ensure their disposal authorisation coverage is updated as a result of any machinery-of-government change, legislative change or other changes, such as an administrative arrangements change.

Specification 2: Implementing Disposal Authorities

Legality

1

Public records must only be disposed of in accordance with the requirements of the Public Records Act 1973 and any other legislation that impacts an agency's recordkeeping requirements and responsibilities.

2

Internal procedures and educational programs are in place in the agency which raise awareness regarding records disposal and how it must be undertaken lawfully.

Informed decision-making

3

Persons responsible for sentencing records must have a good understanding of the records as well as recordkeeping skills in disposal to ensure that a disposal authority has been used correctly and appropriately.

4

Prior to implementing an authorised disposal action, agencies must check that the records are no longer required for any other justifiable purposes.

Justification

5

Agencies must maintain evidence of any records disposal activities that have occurred (excluding normal administrative practice) to be able to justify actions undertaken.

Accountability

6

All decisions to dispose of records must be approved and overseen by public sector employees with the appropriate delegations.

7

Disposal of all public records must be documented with details of the disposal authority and class used, the nature and time of disposal and the identity of the officer or contracted service provider who undertook the action.

8

Details of the agency's overall disposal activities, including records sentencing, destruction and custody transfers must be provided to PROV upon request.

Authorisation

9

The disposal of public records must be in accordance with a disposal authorisation issued by the Keeper of Public Records.

10

Retention and disposal authorisations must be current when records are sentenced.

11

Retention and disposal authorisations must be current when records are disposed of.

12

Only applicable disposal authorities, such as those developed for the specific sector or agency, are used by the agency to carry out records disposal.

13

Policies and procedures are in place to ensure records disposal is carried out under an authority issued by the Keeper of Public Records.

Planning

14

Records sentencing and disposal activities must be undertaken as a routine and regular part of the agency's records management program.

15

Plans must be in place for the transfer of State Archives to the custody of PROV once administrative use has concluded.

16

Plans must be in place to reduce the quantity of unsentenced records in the agency's custody (including those stored offsite).

Timeliness

17

Records that are covered by a disposal authority must be sentenced as soon as it is possible and practical, ensuring that the records are appropriately managed and retained for as long as they are required.

18

Records identified as temporary and to be retained for a specified period by a disposal authority, must not be destroyed until that period has expired and requirements of the disposal action have been met.

19

Records identified as temporary and to be retained for a specified period by a disposal authority, must be reviewed for destruction as soon as possible after that period has expired and requirements of the disposal action have been met.

20

Permanent records must be transferred to PROV in accordance with Specification 3 Transferring State Archives to PROV.

Security

21

Methods used to destroy records must comply with any legislated privacy and confidentiality requirements.

22

Methods used to destroy records must be irreversible.

23

Records sentencing and disposal activities must be monitored to ensure that disposal authorities are interpreted correctly and implemented accurately.

Operations Management

Procedures

1

Recordkeeping procedures required to ensure full and accurate records are created and maintained consistently, adequately and appropriately across the agency have been identified and developed to support the agency's records management policy, and in accordance with PROV Standards and Specifications.

2

Recordkeeping procedures clearly identify the roles and responsibilities of staff.

3

Relevant stakeholder groups have been consulted during the development and testing of draft recordkeeping procedures.

4

Recordkeeping procedures have been approved by a senior officer responsible for recordkeeping within the agency, and have been published and communicated to all relevant people within the agency.

Systems management

5

Recordkeeping procedures are assessed whenever processes are changed to ensure they are accurate and up-to-date.

6

The purpose and value of records has been appraised to ensure they are managed appropriately.

7

New or upgraded systems have been acquired, developed or integrated to meet the agency's business needs and recordkeeping requirements.

8

Processes and controls have been established to ensure the day-to-day reliability of systems for all users.

9

Systems are monitored and maintained to ensure the integrity and performance quality of the system over their life.

Training and awareness

10

Recordkeeping competencies and training needs of key stakeholder groups have been identified and analysed.

11

An ongoing recordkeeping training and awareness program has been developed and endorsed by a senior officer with recordkeeping responsibility.

12

Recordkeeping training and awareness activities have been developed to meet agency needs and have been customised for key stakeholder groups.

13

Recordkeeping training and awareness activities have been communicated and delivered to all staff, consultants, contractors and volunteers who are creating, managing or using public records.

14

The agency's induction program addresses employee recordkeeping roles and responsibilities and compliance with the agency's recordkeeping procedures.

15

The recordkeeping training and awareness program has been assessed annually using feedback to ensure its currency, effectiveness and relevance.

Compliance audits

16

Recordkeeping procedures to be assessed by internal or external audits have been identified.

17

A recordkeeping audit program has been developed and endorsed by the senior executive with recordkeeping responsibility.

18

Recordkeeping audit procedures and criteria have been developed, and assessed following each audit.

19

Results of recordkeeping audits and any audit recommendations have been documented, presented and reported to senior executives and relevant stakeholders.

20

The progress of recordkeeping audit recommendations are monitored and reported to senior executives.

Continuous improvement

21

Continuous improvement activities are regularly conducted to enhance agency recordkeeping practices.

22

Staff and client feedback processes have been established to routinely identify opportunities to improve recordkeeping.

23

Recordkeeping frameworks and key processes are analysed, researched, benchmarked, or compared with similar organisations to identify industry trends and opportunities for improvement.

24

Results of recordkeeping process improvements are measured and reported to senior executives.

Transfer of custodianship

 

25

Plans for record custodianship transfers have been developed, and endorsed by the senior executive responsible for recordkeeping.

26

Record custodianship transfer activities are coordinated between senior officers with recordkeeping responsibilities in each agency.

27

When functions are transferred between agencies due to amalgamations, structural, functional, or administrative changes (also known as machinery-of-government changes), all records of that function are identified and documented.

28

Current records related to a function that is being transferred between Victorian government agencies must be transferred with the function to the receiving agency.

29

Records being transferred between agencies must be transferred with their metadata and in an accessible format.

30

Inactive records identified for transfer must be sentenced before custodianship transfers occur.

31

Temporary records that are time expired are reviewed for destruction by the transferring agency in consultation with the receiving agency and in accordance with the Disposal Standard.

32

Permanent records that are no longer in administrative use are transferred to PROV by the transferring agency in consultation with the receiving agency and in accordance with the Disposal Standard.

33

Where permanent records of the function have been previously transferred to PROV, the transferring agency has notified PROV of the change of responsibility for the transferred function.

34

Senior officers responsible for recordkeeping have negotiated to set specific responsibilities, define costs, schedule activities, prescribe service parameters and ensure business continuity for record custodianship transfers.

35

Procedures for record custodianship transfers have been communicated to all relevant staff prior to transfer occurring for all transfer of custodianship arrangements.

36

Record custodianship transfers are confirmed in writing once the records have been successfully incorporated into the agency's recordkeeping systems and copies of digital records are not destroyed until this confirmation is received.

37

The custodianship of records can only be transferred outside the Victorian jurisdiction with the approval of the Keeper of Public Records.

Strategic Management

Responsibilities, authorities and accountabilities

1

The head of the government agency is formally recognised as having ultimate accountability and responsibility for agency compliance with the recordkeeping requirements of the Public Records Act 1973 and other regulatory instruments, including PROV standards.

2

The records management function is an identifiable business function, strategically linked to corporate services such as Information Management, Governance (Risk Management, FOI and Legal) and Information Technology. The records management function is assigned agency-wide authority for the management of records in all formats (including electronic records and records within business systems) within the agency from creation to disposal.

3

A senior executive, designated by the head of the government agency, has been assigned agency-wide and strategic responsibility for recordkeeping and this responsibility is assigned, documented, communicated and assessed on an annual basis.

4

Senior officers have been assigned responsibility for recordkeeping operations and ensuring agency compliance with the recordkeeping requirements of the Public Records Act 1973 and other regulatory requirements, including PROV standards. [Agencies can assign this responsibility to one senior officer if required.] This responsibility is assigned, documented, communicated and assessed on an annual basis.

5

Records management specialists, with the appropriate skills and competence, have been assigned responsibility for the provision of expert records management advice, tools, procedures, standards, guidelines, delivery of compliance assessments and services consistent with PROV standards. These responsibilities are assigned, documented, communicated and assessed on an annual basis.

6

Specialist staff members, with the appropriate skills and competence, are assigned responsibilities for implementing and supporting the records management strategy, such as change management, training, communications, project management and information technology. These responsibilities are assigned, documented, communicated and assessed on an annual basis.

7

A program for documenting all staff's understanding and acceptance of their assigned recordkeeping responsibilities has been developed and implemented.

8

Records management responsibilities are a specific part of conditions in the appointment of all those creating, managing or using records on behalf of the agency, including contractors, consultants, and volunteers.

Strategic planning

9

The agency has developed an executive endorsed records management strategy which is integrated with other relevant management strategies and is appropriate to agency needs, corporate culture, technological environment and its exposure to risk. The strategy is assessed on an annual basis.

10

Records management requirements are identified and integrated into key interagency, intra-agency and cross jurisdictional strategic projects, programs and systems that have been assessed as having recordkeeping implications.

11

Records management requirements are identified in any agency information or knowledge management strategies.

12

Records management requirements are identified in the agency's information and communications technology strategies.

13

Records management requirements are identified in the agency's management systems and strategies including security, risk, occupational health and safety and environmental management.

14

Management makes available the appropriate resources (funds, skilled staff, infrastructure, systems and any other resources) to implement, maintain and improve the records management strategy and action audit requirements.

15

Records management performance measures are identified, integrated in the agency's business and operational plans, and assessed for improvement each performance cycle.

16

The agency's records management program is independently audited at least every five years to ensure compliance with cultural, agency, legislative and accountability requirements and corrective action is taken to address deficiencies where necessary.

17

The agency will assess its internal business unit compliance with its records management policies, standards, procedures, training and systems at least every two years. Any high-risk compliance breaches are reported to the executive. Corrective action is documented and implemented to address breaches.

18

The agency shall implement reporting mechanisms and processes to keep the executive informed about records management.

Policy

19

The agency has developed and implemented an executive endorsed records management policy which is assessed for improvement on an annual basis.

20

Records management policy is integrated with other relevant agency policies.

Outsourced Activities and Privatisation

21

Ownership and custody of records of outsourced or privatised activities is determined and documented in the legal documents that govern the relationship with contracted service providers or privatised entities.

22

Contracted service providers and privatised entities must be required to comply with records management requirements determined by the agency.

23

Records of outsourced or privatised activities must only be disposed of in accordance with the Public Records Act 1973 and other relevant legislation.

24

The same level of access to records of outsourced or privatised activities must be available to the public regardless of who is delivering the service.

25

The contractual or legislative arrangements must specify appropriate standards of storage for any records of outsourced or privatised activities that are not in government custody.

26

The contractual or legislative arrangements must specify appropriate standards of security for any records of outsourced or privatised activities that are not in government custody.

27

Arrangements for monitoring and audit of contracted service provider or privatised entity records management practices are agreed and specified.

28

All outstanding records management issues (including disposal) must be addressed by contracted service providers prior to the completion of the contract.

29

The agency must ensure that the total budget for a contract includes sufficient resources to fund the cost of the recordkeeping requirements as specified in the contract.

Stakeholder engagement

30

Internal and external groups that have a stake in the management of agency records must be identified and analysed.

31

A stakeholder engagement model for key agency stakeholders regarding recordkeeping requirements must be developed and implemented.

32

The agency's stakeholder engagement model must be assessed for improvement on an annual basis.

Victorian Electronic Records Strategy (VERS)

Specification 1: System requirements for Preserving Electronic Records

Record authenticity

1

The recordkeeping system must be capable of demonstrating that a record is authentic; that is, the system must prove that the content is what it appears to be, who created it, and when it was created.

The recordkeeping system must record the identity of the user creating the record and the time it was created. This information must not be forgeable or capable of being altered by either users or system administrators.

Record integrity

2

The recordkeeping system must be capable of proving that a record has integrity—that is, that any alterations to the record are authorised and documented.

Records must be protected against undocumented modification by normal users, records managers, and system administrators.

It must not be possible for records to be destroyed or deleted except by authorised users. All destruction or deletion of records must be recorded.

The system must be capable of verifying whether a record has retained its integrity.

The system must be capable of auditing the integrity of a random sample of records.

Any failure to verify a record must be logged and immediately brought to the attention of the system administrator.

Document conversion

3

Record content must be converted to one of the standard long-term preservation formats specified in PROS 99/007 Specification 4: VERS Long Term Preservation Formats or a format otherwise approved by PROV.

Metadata capture

4

A recordkeeping system must capture or generate the mandatory metadata specified in PROS 99/007 Specification 2: VERS Metadata Scheme. It must also capture the conditional metadata in Specification 2 if the relevant condition applies.

The record capture system must be able to limit the metadata entered into a metadata element to those values specified in PROS 99/007 Specification 2: VERS Metadata Scheme.

Modifying information associated with records and folders

5

It must be possible to modify the information associated with electronic records or folders without compromising the integrity of the record or folder.

Documenting the history of the records and folders

6

The system must be capable of recording all events that affect records.

All accesses to records or folders must be capable of being logged.

It must not be possible for any users, records managers, or system administrators to modify the audit log without a record being made of the modification.

Reliability

7

The system must not lose records or folders once they have been registered with the recordkeeping system.

Records or folders must not be lost due to catastrophic failure of the system, media failure, or physical disaster (e.g. fire).

The accuracy of any copy must be verified by ensuring that all records or folders that have not been marked for destruction have been copied, and that the contents of the records or folders have been copied accurately.

Metadata refreshing

8

The system must have the ability to refresh the media on which records and folders are stored.

The accuracy of the refresh must be verified by ensuring that all records and folders (except those which have been disposed of) have been copied, and that the contents of the records and folders have been copied accurately.

If records and folders are stored on removable media (e.g. CDs), the system must have the capability to manage the media, including generating media identifiers that are unique within the system.

Record export

9

Records and folders must be capable of being exported from a recordkeeping system.

An export of records or folders from a recordkeeping system is not complete until the receiving system has acknowledged that the record or folder was exported without error and the receiving system has accepted responsibility for the record or folder.

Importing or exporting of records and folders from a recordkeeping system must be documented:

  • in the standardised format given in PROS 99/007 Specification
  • containing at least the mandatory metadata given in PROS 99/007 Specification 2: VERS Metadata Scheme
  • with the content in an approved long-term format given in PROS 99/007 Specification 4, VERS Long Term Preservation Formats or a format otherwise approved by PROV
  • on one of the approved media formats and using the mechanisms given in PROS 99/007 Specification 5: Export of Electronic Records to PROV.

Specification 2: VERS Metadata Scheme

The metadata that supports the management, finding, and retrieval of the electronic record is the metadata used by the National Archives of Australia (NAA) in its metadata standard.

Specification 3: VERS standard electronic record format

VEO Types

XML Requirements

Encryption

Digital Signature Requirements

XML Document Type Definition

Specification 4: VERS long term preservation format

Use of Encryption/Passwords/Copy Protection

Standard Long Term Preservation Formats

Specification 5: Export of electronic records to PROV

Mechanisms used to export electronic records to PROV

  • Physical export mechanisms
  • Labelling of media
  • Media accepted by PROV
  • Digital archive manifest
  • Acceptance of custody of electronic records

Note: ✔= compliant; ✘= noncompliant.

Source: VAGO.

[ Contents of this report | VAGO Home | VAGO Publications ]

Appendix D.PROV requirements for records of outsourced activities

Figure D1 lists the records management clauses that agencies are required to include in their third-party outsourcing agreements and contracts.

Figure D1
PROV requirements for records of outsourced activities

Requirement

Description

1

Records ownership

and custody

Ownership and custody of records of outsourced or privatised activities is determined and documented in the legal documents that govern the relationship with contracted service providers or privatised entities.

2

Records management compliance

Contracted service providers and privatised entities must be required to comply with records management requirements determined by the agency.

3

Records disposal

Records of outsourced or privatised activities must only be disposed of in accordance with the Public Records Act 1973 and other relevant legislation.

4

Records access

The same level of access to records of outsourced or privatised activities must be available to the public regardless of who is delivering the service.

5

Records storage

The contractual or legislative arrangements must specify appropriate standards of storage for any records of outsourced or privatised activities that are not in government custody.

6

Records security

The contractual or legislative arrangements must specify appropriate standards of security for any records of outsourced or privatised activities that are not in government custody.

7

Monitoring/audit arrangements

Arrangements for monitoring and audit of contracted service provider or privatised entity records management practices are agreed and specified.

8

Records management issues resolution

All outstanding records management issues (including disposal) must be addressed by contracted service providers prior to the completion of the contract.

9

Resources

The agency must ensure that the total budget for a contract includes sufficient resources to fund the cost of the recordkeeping requirements as specified in the contract.

Source: PROS 10/10 S1 2.4 – Outsourced Activities and Privatisation, 21–29, Public Record Office Victoria.

[ Contents of this report | VAGO Home | VAGO Publications ]