National Library of New Zealand
Harvested by the National Library of New Zealand on: Jun 21 2014 at 12:27:56 GMT
Search boxes and external links may not function. Having trouble viewing this page? Click here
Close Minimize Help
Wayback Machine

Create and Maintain Recordkeeping Standard

  Continuum Logo

Contents

Chief Archivist's Summary

Acknowledgements

1 Introduction
1.1 Purpose
1.2 Scope
1.3 Relationship with other Standards and Requirements
1.4 Advice and Guidance

2 Mandate and Responsibilities
2.1 Application
2.2 Responsibilities
2.3 Exemptions
2.4 Legislative Basis

3 Overview of Standard
3.1 Risk Management
3.2 Benefits of Good Recordkeeping
3.3 Normal, Prudent Business Practice
3.4 Recordkeeping Framework

4 Principles

5. Glossary of Key Terms

6. Appendix: Checklist of Minimum Requirements
 

Chief Archivist's Summary

The capability to manage corporate information well is fundamental to any successful organisation. The Create and Maintain Recordkeeping Standard identifies the key requirements for successful information management for recordkeeping purposes. The standard supports the Public Records Act 2005 requirement for the creation and maintenance of full and accurate business records. It sets out the minimum requirements for your organisation’s corporate information to remain accessible, reliable and useable as part of good business practice.
 
This requirement to keep full and accurate business records does not mean every work-related conversation, interaction, or piece of correspondence needs to be kept. It relates to those records which document a business action, transaction, or decision and are a record of your business activity. To meet these requirements, some change to current business processes will be needed in organisations where good recordkeeping practice is not already well established. This change may require additional resources, but the benefits and business efficiencies of having useful, well organised, reliable and sustainable information cannot be underestimated.
 
Creating and maintaining effective information requires technical expertise, as well as an understanding of information management and recordkeeping. The Create and Maintain Recordkeeping Standard is intended for a predominantly specialist
recordkeeping audience. Staff in your organisation who are responsible for information and records management or recordkeeping technology management should refer to this document when designing business information policies and systems. This will give you confidence that your information assets are being well managed.
 
This standard sets out a systematic approach to ensure organisational information can be managed efficiently; that it can be found when needed; and it can be relied upon to support informed decision making and effective service delivery. Adopting this standard across both central and local government will improve knowledge sharing within and between organisations. Common outcomes can be achieved by using shared approaches and processes.
 
This standard contains a checklist to help you measure your current recordkeeping practices and capability and identify any areas for improvement. If you have any questions or comments about this standard please contact the Government
Recordkeeping Programme at Archives New Zealand.
 
Signed:

Chief Executive and Chief Archivist
 
Date: 30 June 2008
 
Review date: 2012
 
Continuum logo Back to top

Acknowledgements

This standard was developed by Stephen Clarke and Alice Patterson, Senior Advisors, Government Recordkeeping Programme, Archives New Zealand, with advice and guidance from an advisory group comprising:

The Chief Archivist acknowledges the advice and guidance of the advisory group members, who have been central to the development of this standard.
 
The Chief Archivist would like to acknowledge the influence of the standards issued by The Records Authority of New South Wales: ‘Standard on Full and Accurate Records’; The Queensland State Archives: ‘Recordkeeping Standard (IS40)’; State Records of South Australia: ‘Adequate Records Management Standard’ and The British Standards Institution ‘Effective records management – Part 4: How to comply with BS ISO 15489-1’ in the preparation of this standard’s content.
 
 
Continuum logo Back to top

1. Introduction

This standard specifies minimum requirements for the creation and maintenance of records under the Public Records Act 2005. Archives New Zealand has developed the standard to ensure that full and accurate records of New Zealand public offices’ and local authorities’ business activities are created and managed effectively and continue to be accessible and useable over time.
 
The requirements of this standard are the Chief Archivist’s interpretation of s17 of the Public Records Act 2005 which imposes statutory responsibilities for the creation and maintenance of records.

1.1 Purpose

This standard aims to support and improve recordkeeping in public offices and localauthorities as defined by s4 of the Public Records Act 2005. Its goals are:

The desired outcome of these goals will be the preservation of records for as long as they are required, in order to allow future retrieval and reuse.
 
Meeting the minimum requirements in this standard will:

1.2 Scope

This standard applies to all records of the activities, decision-making processes, actions and transactions of organisations covered by the Public Records Act 2005 (with the exception of state and integrated schools). This standard applies to the management of records:

This standard is intended for use by:

1.2.1 Out of Scope: Archives

This standard is specifically designed to provide a framework for current records of business activity, usually in frequent use, required for the conduct of ongoing business. Some of these records may be identified for long-term retention as archival records; however this standard does not include the management of archives, such as:

1.3 Relationship with other Standards and Requirements
1.3.1 Status of ISO 15489 as Guiding Principles Document

The International Standard ISO 15489-1: 2001 Information and documentation — Records management — Part 1: General; and ISO/TR 15489-2: 2001 Information and documentation — Records management — Part 2: Guidelines comprises the high level guidance element of this standard. ISO 15489 provides the conceptual basis for the recordkeeping principles outlined in this standard and in the Archives New Zealand Continuum suite of recordkeeping publications. We recommend that all New Zealand recordkeeping practice should be consistent with the principles of this internationally recognised records management standard.

1.3.2 New Zealand Standards and Requirements

This standard applies specifically to the creation and maintenance of records and their subsequent accessibility. However, there is an inevitable overlap with other interrelated requirements when dealing with recordkeeping systems. Requirements for other related processes are outlined in other publications issued by Archives New Zealand. These include:

Public offices and local authorities creating health records should also be aware of the New Zealand Standard on Health Records, NZS 8153:2002, which gives some guidance on creation and maintenance of these records.

1.3.3 The Treaty of Waitangi / Te Tiriti o Waitangi

The rights of Mãori to their recorded knowledge, which is a taonga in the terms of the Treaty of Waitangi, should be respected when incorporated into government records and recordkeeping systems. The recordkeeping requirements of this standard (to create full and accurate records and maintain them in accordance with all New Zealand legislative requirements) aim to support the Treaty of Waitangi in respect of Mãori cultural practice regarding the creation and identification of records containing traditional or sensitive knowledge and the appropriate maintenance of these records.
 

1.4 Advice and Guidance

This standard sets out to clearly specify minimum requirements for the creation and maintenance of records. Further guidance and implementation information is available in the International Standard ISO 15489-1: 2001 Information and documentation — Records management — Part 1: General; and ISO/TR 15489-2: 2001 Information and documentation — Records management — Part 2: Guidelines.
 
Recordkeeping advice and technical guidance on implementation of this standard is available from Archives New Zealand:
 
Government Recordkeeping Programme
Archives New Zealand
PO Box 12050
Wellington 6144
Telephone: 04 499-5595
Email: rkadvice@dia.govt.nz
 
Continuum logo Back to top

2. Mandate and Responsibilities

This standard is issued under s27 of the Public Records Act 2005. The standard is mandatory for all public offices and for all local authorities, with the exception of state and integrated schools.
 
Organisations are now expected to be working towards compliance with this standard. Full compliance with all requirements in the standard will be expected from 1 July 2010.

2.1 Application

The standard is mandatory for:

The standard is discretionary for:

2.2 Responsibilities
2.2.1 Administrative Head/Chief Executive Responsibilities

Ultimately the organisational administrative head, usually the chief executive, has the responsibility to ensure organisational compliance with the recordkeeping requirements of the Public Records Act 2005, including the requirements of this standard.
 
The Public Records Act 2005 defines an administrative head within a public office as:

The Public Records Act 2005 defines an administrative head within a local authority as:

Where any doubt exists as to who is the administrative head of an organisation,please contact Archives New Zealand or seek legal advice to clarify the organisational responsibility.

2.2.2 Responsibilities for Records of Functions Carried out under Contract

The Public Records Act 2005 requires public offices and local authorities to createand maintain full and accurate records of their affairs, including records of matters contracted out to independent contractors. The legal obligation to ensure that records of government functions are created and maintained therefore rests always with the government entity, not the independent contractor. Depending on the nature of the work being contracted out, this will require either:

Such records must be created and maintained according to the requirements of this standard. Contracts or agreements with contractors should contain provisions to ensure this can happen.

2.2.3 Compliance Framework

Under the Public Records Act 2005, there are a number of mechanisms to encourage compliance with these responsibilities:

2.3 Exemptions

The Chief Archivist may grant exemptions from compliance with the standard, under certain terms and conditions. Appeals against these decisions may be made to the Minister responsible for Archives New Zealand, who may allow or disallow the appeal after consultation with the appropriate minister and the Archives Council.
 
Organisations who wish to seek an exemption should follow the process outlined on the Archives New Zealand website.

2.4 Legislative Basis

The Public Records Act 2005 imposes the following responsibilities to ensure that public offices and local authorities document their business activities adequately and manage those records for as long as is necessary. (The full text of the Public Records Act 2005 and other New Zealand legislation are available online at: www.legislation.govt.nz/ ).
 
s17, which requires public offices and local authorities to create and maintain records, states:

  1. Every public office and local authority must create and maintain full and accurate records of its affairs, in accordance with normal, prudent business practice, including the records of any matter that is contracted out to an independent contractor.
  2. Every public office must maintain in an accessible form, so as to be able to be used for subsequent reference, all public records that are in its control, until their disposal is authorised by or under this Act or required by or under another Act.
  3. Every local authority must maintain in an accessible form, so as to be able to be used for subsequent reference, all protected records that are in its control, until their disposal is authorised by or under this Act.

s18 states that no person may dispose of public records or local authority protected records without authority from the Chief Archivist, unless disposal is required by or under another act.
 
s27 allows for the Chief Archivist to issue standards in relation to public records and local authority records.
 
s28 allows for the Chief Archivist to stipulate the application and content of any recordkeeping standards.
 
s30 outlines the process for gaining exemptions from compliance with standards.
 
s40 outlines requirements for protected records of local authorities.
 
Various other acts also support the need for a good standard of recordkeeping by public offices and local authorities in New Zealand. These include the following legislation:

 
Continuum logo Back to top

3. Overview of Standard

3.1 Risk Management

Recordkeeping can only be successfully undertaken once risk management issues have been considered and addressed. Organisations should assess their systems and procedures against potential risks and then find ways to mitigate them. The joint Australian and New Zealand standard AS/NZS 4360:2004 Risk management and the explanatory companion guidelines set out a framework for assessing risk which can be applied to recordkeeping issues.

3.1.1 High Level Business Risks

The standard is designed to promote good recordkeeping which can mitigate against business risks such as:

3.2 Benefits of Good Recordkeeping

The benefits of good recordkeeping include:

Authoritative and credible recordkeeping is essential to good governance and for reliable and consistent business practice and service delivery. Organisations may carry out recordkeeping audits and surveys to establish their capability and identify areas of weakness. These processes should form a sound basis for implementing business continuity, contingency and disaster planning programmes.

3.3 Normal, Prudent Business Practice

In the context of the Public Records Act 2005, the phrase ‘normal, prudent business practice’ appears in s17(1) where it is part of the requirement on public offices and local authorities to create and maintain full and accurate records of their affairs.
 
This standard will establish the minimum requirements for developing a recordkeeping framework for the creation and maintenance of records as part of ‘normal, prudent business practice’. Establishing how these principles are applied depends on an organisation’s functions. An organisation’s functions will be defined by an evaluation of core business activities and may be stated in any enabling legislation or foundation documentation.
 
The standard requires that the public office and local authority create and maintain records of their affairs to allow them to meet their statutory, contractual and accountability obligations both for the present, and as an on-going entity. It does
not mean that every work-related conversation or act of correspondence must be identified, recorded and retained. It is the records which document a transaction, business action or business decision that must be identified, captured and maintained as evidence of the business process or outcome.
 
Not every record must be retained. General Disposal Authorities (GDAs) allow routine disposal of records of short-term value or records that do not need to be maintained at all. Further information on GDAs is available online.
 
Making records in accordance with normal, prudent business practice requires creating and maintaining records which:

3.4 Recordkeeping Framework
3.4.1 What is a Recordkeeping Framework?

The recordkeeping framework is a combination of people, policies, procedures, resources, methods, technology, institutional culture, data and knowledge. A recordkeeping framework should be considered as a strategy, not as an automated system or an off-the-shelf software package. It is a strategy that an organisation develops to assess needs, implement recordkeeping practices, manage change and eventually source software or other technological support. An organisation shapes
these components into a structure that supports records creation and management as an output of business activity, actions and transactions.
A recordkeeping framework has a number of key, interconnected elements including: records, procedures, policies, classification, knowledge, resources and technology. Each component can be further defined:

3.4.2 Management of Hybrid Systems

Records are seldom only in an electronic or paper format within a records class or aggregation. Organisations typically manage records that span a range of electronic and non-electronic media. As physical records (such as paper-based files) cannot be physically captured and registered directly into electronic systems, electronic systems may manage a metadata profile of a physical record in order to maintain a link between the physical folders and the electronic folders, or for discoverability and access purposes. Organisations may also consider scanning or otherwise imaging paper-based records so that they may be integrated into electronic systems more easily and accessibly. For further information on the digitisation of paper, or other non-electronic records please see Archives New Zealand’s Digitisation Standard.

3.4.3 Analysis of Business Activity

Business classification/analysis is the systematic identification and arrangement of business activities and/or records into categories according to logically structured conventions, methods, and/or procedural rules. A classification system is usually a
hierarchical representation of business activities and functions represented as an arrangement of headings derived from an analysis (and understanding of) of the relationship between the organisation’s business and its records.The purpose of this process is to develop a conceptual model of what an organisation does and how it does it. It demonstrates how records relate to both the organisation’s business and its business processes. It will contribute to decisions in subsequent steps about the creation, capture, control, storage, retention and disposal of records, and their access status. This is particularly important in an electronic business environment where adequate records will not be captured and maintained without first being classified and having meaningful metadata persistently attributed to them.
 
Analysis of business activity provides the tools to undertake and document business activity in a systematic way and to make best use of its results. The outcomes from this process may include a:

Business activity analysis may be undertaken on a subject basis, structural basis (by organisational hierarchy or business unit), or by functional classification. The system that suits your organisation best will depend on your functions, business and structure, and a combination of approaches may be used.

3.4.4 Business Classification Scheme

Context is necessary to establish the authenticity of a record (usually attributed asmetadata in electronic recordkeeping). The record’s contextual relationship with the business activity that created it, and its relation to other records or business
processes, is usually termed business classification. A business classification scheme is a conceptual, often hierarchical, classification tool which can enable the capture, titling, retrieval, maintenance and disposition of records. It defines the way in which records are grouped together (aggregated) in classes and are linked to the business context in which they were created or transmitted. Within a business classification scheme, a record’s contextual characteristics are attributed through structuring it according to identifiable business processes.
 
Subject-based classification schemes group together records relating to broad subject areas. For example the transactions and activities that occurred under a single subject, such as a particular property or client. However, under subject-based classification, the focus is on what the item or object is about, rather than on the purpose or activity that the record was created to document. Therefore, the context of the business activity can become disassociated, making disposal actions over subject-based files more difficult as they will contain records with differing retention periods.
 
Functional classification schemes are based on an analysis of an organisation’s unique business functions and activities, and are independent of the organisation’s administrative structure. This makes functional classification more flexible and stable as business units and structures are likely to change over time. This system breaks down traditional organisational information silos and enables easier retention and disposal of records.
 
Continuum logo Back to top

Principles

This standard has four principles which should be taken into account to create and maintain full and accurate records. Each principle is followed by a statement of its objective and a set of minimum requirements together with explanations as to why
these requirements are considered essential.
 
The principles are:
 
Principle 1: Recordkeeping Must be Planned and Implemented
 
Recordkeeping policies and procedures (compliant with legal, regulatory and administrative requirements) must be implemented and must clearly assign recordkeeping responsibilities and appropriate resources and training.
 
Principle 2: Full and Accurate Records of Business Activity Must be Made
 
Full and accurate records must be made of all business activity for the whole organisation; records should be identified and created to document and facilitate the transaction of business.
 
Principle 3: Records Must Provide Authoritative and Reliable Evidence of Business Activity
 
Organisations must be able to demonstrate that records captured are authentic, reliable, complete, comprehensive, useable, tamperproof and have integrity.
 
Principle 4: Records Must be Managed Systematically
 
Records must be managed systematically across both recordkeeping systems and business systems within an organisational recordkeeping framework.
 
These high level principles are supported and achieved through meeting the requirements outlined in the ‘Requirement’ column. The requirements are the mandatory part of the standard. The requirements are focused on outcomes and the standard is not prescriptive about how these outcomes are achieved. This framework is concerned with identifying outcomes rather than with prescribing specific recordkeeping practices.
 
To help clarify the intent of each requirement, there are corresponding explanations in the next column. The ‘Explanation’ column does not add any additional obligations. Terms such as ‘should’ and ‘will’ are used purely in an explanatory sense.
 
Continuum logo Back to top

Principle 1: Recordkeeping Must be Planned and Implemented

Recordkeeping policies and procedures (compliant with legal, regulatory and administrative requirements) must be implemented and must clearly assign recordkeeping responsibilities and appropriate resources and training.
 

Requirement Explanation
Requirement 1:  Responsibility for recordkeeping compliance must be assigned and endorsed by the administrative head. The administrative head of the organisation is ultimately responsible for recordkeeping and compliance with the requirements of the Public Records Act 2005 (see section 2.2.1 Administrative Head/Chief Executive Responsibilities
A clear line of responsibility in organisations should be evident from the chief executive through the management structure to all staff. Clearly defined roles and responsibilities for recordkeeping are assigned at all organisational levels and a senior manager is identified as responsible for recordkeeping compliance at a strategic level.
 
The recordkeeping policy statement will, therefore, identify a senior member of staff with lead responsibility for records management and for overseeing policy and programme implementation. Endorsement and active support by senior management is a crucial factor in implementing recordkeeping roles and responsibilities successfully. Records managers, or equivalents, may be responsible and accountable for implementing recordkeeping policies and procedures and assessing performance. A ratio of 1:100 FTE records manager (or equivalent) is advisable, dependent on organisational size, for example, a higher ratio for small agencies (e.g. 1:50) and lower ratio for very large agencies (e.g. 1:200).
Requirement 2: Organisations must have a defined, documented and implemented policy for recordkeeping, which is regularly reviewed. A corporate-wide records management policy statement is a statement of intentions. It sets out what the organisation intends to do and includes an outline of the programme and processes that will achieve those intentions.
The policy statement should refer to other policies relating to information (e.g. information systems policy, information security or asset management). It should not seek to duplicate them.
 
It should be supported by:
- procedures and guidelines, planning and strategy statements, disposal authorities and other documents that together make up the records management documentation
- support and endorsement of the policy by all employees at all times. It is particularly important that the policy obliges all employees to create and maintain records that meet the legal, regulatory, fiscal and operational needs of the organisation
- monitoring of compliance with, and periodic review of, the policy for effectiveness is also important.
 
A recordkeeping policy will take into account:
- relevant legislation, regulations, and directives - business needs, business systems, organisational culture and practices
- all record formats including paper and electronic
- community expectations, including those of Mãori stakeholders.
 
Without an information policy, organisations do not have a high level strategic statement on which to develop an integrated recordkeeping framework. See A Guide to Developing a Recordkeeping Policy
Requirement 3: Organisations must have defined, documented and implemented procedures for recordkeeping which are regularly reviewed. Staff need to be made aware of which records they should create, and the routine processes for identifying, creating and/or capturing records received into a recordkeeping framework.
 
Procedural guidance may take the form of:
- forms and templates
- instruction or workflow management manuals
- documented rules and/or regulations.
 
Basic direction should guide staff on good recordkeeping practices, including:
- simple aids outlining approved practices for identifying and capturing essential records of business activities
- procedural controls to ensure capture of electronic records from web-sites, business information systems, email, etc. - maintenance of correspondence and documents stored in personal drives and shared workspaces.
This guidance should be supported by training and regularly reviewed for applicability, as business processes and information systems are subject to change.
Requirement 4: Recordkeeping
responsibilities and resources must be defined, supported and assigned.
Recordkeeping responsibilities should be defined, assigned and communicated to all staff who create, maintain and receive records during their work.
 
 
This includes:
-  all managers
-  all employees
-  internal contractors*
-  volunteers
-  other personnel who have a responsibility to create or use records.
 
 
Recordkeeping responsibilities may be documented in job descriptions and performance assessments, or as part of an organisation’s code of conduct. The level of definition will be contingent on the degree of recordkeeping responsibility of the individual.
 
Responsibilities for recordkeeping processes should be defined and assigned within departmental/organisational recordkeeping procedures policies or manuals.
 
 
Resources and budgets set aside for recordkeeping purposes should be assigned and documented.
 
 
See also Factsheet F7: Recordkeeping Responsibilities *There is separate guidance for external contractors in section 2.2.2 Responsibilities for Records of Functions Carried out under Contract.
Requirement 5: A programme of internal recordkeeping, monitoring and compliance must be developed and implemented. Compliance monitoring should be developed and regularly undertaken to ensure continued compliance with legislation, policies, principles, processes and procedures, over time. Assessment of the recordkeeping framework’s procedures, policies and processes should be undertaken and their effectiveness assessed against the anticipated
outcomes. Evidence of this performance assessment should be identified and maintained.
 
 
There are three reasons for monitoring and auditing records systems:
-  to ensure internal accountability and compliance with external regulatory and/or legislative requirements
-  to ensure that records will be accepted as evidence in a court of law, should this
be required
-  to improve an organisation’s performance, by assessment and improvement
of service delivery.
 
 
Internal auditing of specific areas of recordkeeping using a risk management approach (e.g. legal compliance risk, web-based activities or OIA response performance), can be used for targeted monitoring. Follow-up mechanisms that ensure appropriate responses on internal audit results should be implemented. Any internal monitoring process will depend on the unique circumstances of the organisation that carries it out.
 
 
It may be appropriate to employ external third party consultants to carry out internal compliance monitoring or auditing.

 
Continuum logo Back to top
 

Principle 2: Full and Accurate Records of Business Activity Must be Made

Full and accurate records must be made of all business activity for the whole organisation; records should be identified and created to document and facilitate the transaction of business.

Requirement Explanation
Requirement 6: The functions and business activities of an organisation must be identified and documented, including any functions contracted out. Organisations should undertake an analysis of their significant business activities and functions that document:
 
- core business functions
- the records identified for creation in each business process, and the information which needs to be captured as a record
- the contextual links between records
- the requirements for retrieving, using and transmitting records between business processes and users.
 
Functions are high level business activities, such as, ‘Policy’, ‘Strategic Planning’, ‘Financial Management’, ‘Legal Services’, ‘Human Resources’.
 
Business activity is any group of activities and/or processes undertaken by an organisation to produce a product and/or service, and/or in pursuit of its normal prudent business practice.
 
Business activity analysis should include all recorded information in any form (including data in computer systems) that is created or received and maintained by an organisation, or individual in their organisational role, in the transaction of business or the conduct of affairs, and kept as evidence of such activity.
 
This process is the basis for the development of a business classification scheme, metadata schema requirements, retention and disposal scheduling and ensures business continuity and vital records identification.
Requirement 7: Records of business decisions and transactions must be created. Records should be made of all facets of an organisation’s business activity. Recordkeeping should not be selective, so that only some parts of the business are well documented, however identifying high-risk business processes is an important factor. Recordkeeping should take place in all technological environments in which the organisation carries out its business. Records involving the making of decisions or the transaction of business are fundamental evidence of business activity. Such records may include:
 
- inwards and outwards communications, such as, electronic messages, faxes, letters, Short Message Service (SMS)
- documents on shared workspaces, personal/shared drives, project logs, client databases
- minutes or file notes of meetings or telephone conversations
- contracts, variations and agreements.
 
Records include not only those records in organisations’ ‘formal’ recordkeeping systems, but also those outside the recognised recordkeeping systems (such as business information systems, database applications, personal folders, shared drives, web activities, instant messaging). All records of business activity should be identified, regardless of their format. If the information has evidential value, it needs to be considered and managed by organisations.
 
For further guidance see Factsheet: Make a Record.
Requirement 8: All records of business activity must be captured routinely into an organisation-wide recordkeeping framework. Routine capture of records means that the process of identification and capture should be a normal part of the business activity. It should be done in a timely manner, ideally as an output of the business process.
 
Routine capture of records into the recordkeeping framework will:
- ensure information is available to everyone who has a legitimate business need and the right to use it
- ensure records of core business activity are retained in a timely manner
- reduce risk of loss of key business records and their content
- provide access to the most up-to-date records of business activity for improved business decision-making.
 
For further information on what constitutes a recordkeeping framework, see Recordkeeping Framework, section 3.4.
Requirement 9: Staff must receive appropriate, and regular, training for organisational recordkeeping responsibilities. All staff should receive training (whether provided internally or externally) to help them meet the recordkeeping responsibilities of their regular business activity. This may take the form of induction training with periodic refresher courses for new staff and a programme of refresher training for existing staff members or ongoing support training from the records management unit. The level of training will be contingent on the level of recordkeeping responsibility. Basic recordkeeping training may consist of:
 
- legislative recordkeeping responsibilities, including record creation and identification
- the organisations’ authorised disposal practices and processes
- basic direction on records classification to allow efficient search and retrieval
- attribution of essential contextual and records management information (i.e. metadata, file numbering).
 
The training programme should be an organisation-wide programme that will explain policies, procedures and processes in a context that ensures staff understand what they need to do and why.
 
Records managers, or equivalents, should have the relevant training and/or experience to carry out their duties effectively. There may, however, be a need for organisations to supplement existing skill sets, by enlisting specialist expertise to help in the development of a recordkeeping framework. Organisations may consider developing an ongoing communication programme on recordkeeping to maintain awareness and knowledge.

 
Continuum logo Back to top

Principle 3: Records Must Provide Authoritative and Reliable Evidence of Business Activity

Organisations must be able to demonstrate that records captured are authentic, reliable, complete, comprehensive, useable, tamperproof and have integrity.
 

Requirement Explanation
Requirement 10: Records must be authentic: organisations must accurately document their creation, receipt, and transmission. It should be possible to prove that records are what they purport to be. For example, it must be possible to maintain reliable evidence of the author, creator, sender and recipient of a communication.
For paper records, traditional filing systems and registers may be appropriate to capture this information, although paper records can also be managed in electronic recordkeeping systems using metadata profiles or by digitisation.
For electronic records, the information recording their creation, transmission and receipt will be captured and/or attributed in the recordkeeping metadata, e.g. for email communications this information is captured in the From, To, Subject, Sent, Received, and Size fields.
For telephone records, and conversations outside minuted meetings, a file note may be appropriate.
For further information on electronic records refer to the Electronic Recordkeeping Metadata Standard
Requirement 11: Records must have reliability and integrity and must be maintained unaltered. Organisations should put systems or processes in place to ensure that records are maintained complete and unaltered.
Organisational records management policies and procedures will specify when additions or annotations may be made to a record after it is created or when any alteration to the record is permitted. This information can be recorded in an audit trail or log. For records in dynamic systems, (e.g. an electronic recordkeeping system), any alteration or any authorised and/or unauthorised action after a record has been created will be routinely recorded (and a new record created) and the system will maintain a record of these business process actions (i.e. new version, when/who accessed, when/who altered, when/who deleted).
Records should be tamper-proof; and securely maintained to prevent unauthorised access, destruction, alteration or removal. This can be achieved by a controlled storage environment and access classification for physical records and by user access permissions and other restrictions in electronic systems.
For further guidance on records storage, see the Storage Standard.
For further information on electronic records refer to the Electronic Recordkeeping Metadata Standard
Requirement 12: Records must be useable, retrievable and accessible. To be useable, it should be possible to access a record without the loss of content, context and/or structure. Records should be easily located, retrieved, read and interpreted in direct connection to the business activity or transaction that produced them. The availability of records does not mean, however, that they are necessarily publicly accessible or that access to the records is free. Records are not available unless retrieval systems are adequate, but access to records may be tightly restricted (for example, for security or privacy reasons) or subject to charges. It is not necessary that access to records be free or unrestricted to comply with this requirement.
Appropriate search/retrieval metadata, classification, finding aids or search functionality need to be applied to ensure timely and effective identification and retrieval of records. Reliable and effective accessibility means that recordkeeping actions across individual parts of a recordkeeping framework are carried out consistently; that all records have, for example, consistent naming conventions and identifiers, or access/security classification and retention and disposal scheduling. Records concerning a specific business process should be accessible to those that need the information across business units and storage systems.
Requirement 13: Records must be complete, recording the content and contextual information necessary to document an activity. A record should contain the content, and the structural and contextual information necessary to document a transaction and identify relationships to other related records. This can be achieved by placing the record in its correct place within a file plan or business classification scheme, or for electronic records by having the correct metadata attributed.
It should be possible to understand a record in the context of the organisational processes that produced it and of other related records of that activity or transaction. It should be possible to reconstruct processes, activities and transactions from the content and context of records.
For further information on electronic records refer to the Electronic Recordkeeping Metadata Standard
Requirement 14: Records must be comprehensive and provide authoritative evidence of all business activities. Records should be made of all areas of business activity, of all the organisation’s operations and at all the relevant points within a workflow or business process.
For records to be comprehensive and authoritative, they should document a business activity or process to the required level of detail and to the extent required to document the key processes, decisions and actions. For example, a receipt may be adequate to record a simple purchase, however, for substantial expenditure or significant acquisition the decision-making process, such as the tendering process, should also be recorded.

 
Continuum logo Back to top

Principle 4: Records Must be Managed Systematically

Records must be managed systematically across both recordkeeping systems and business systems within an organisational recordkeeping framework (see section 3.4 Recordkeeping Framework).
 

Requirement Explanation
Requirement 15: Records must be identified and captured within a recordkeeping framework. The ability to control records organisation-wide is dependent on the organisation’s internal structuring. Recordkeeping may be centralised or devolved as long as it is part of an overall framework. However, all records, regardless of format and the technological environment in which they are generated should be captured in an over-arching recordkeeping framework and have systematic controls applied to them. The individual systems do not have to be centralised or accessible by everyone in the organisation nor do they need to be integrated. They can be based on workgroups; they can be designed to meet the specific needs of business units; they can control access and security to meet requirements for confidentiality. They do not have to be dedicated recordkeeping systems; they can be business information systems, or applications, which incorporate the functionality required to maintain records. However, all of an organisation’s records should be managed regardless of where they are created or maintained including environments such as:
- personal and shared drives
- databases
- external storage devices, (laptops, PDAs, CDs, etc.)
- business information systems
- legacy paper and electronic systems.
Requirement 16: Records must be organised according to a business classification scheme. Business classification schemes are an output of business activity analysis. A business classification scheme can be defined as the documented analysis of business processes, their generated record outputs, and their contextual relationships within the entirety of whole-of-business activity that an organisation undertakes, articulated within a (usually hierarchical) structure. A classification may be functional, process-based, subject-based or organisation-based. Whatever form it takes, the classification scheme is the structure that defines, describes and aggregates records within a recordkeeping framework.
 
Business classification schemes provide:
- contextual linkages between individual records in a meaningful structure - a framework for applying consistent and meaningful naming conventions, or identifiers for records over time - identification and retrieval of all records relating to a particular function or activity
- a framework for retention and disposal scheduling.
 
The business classification scheme will reflect:
- the goals and strategies of the organisation
- the functions of the organisation that support the pursuit of these goals and strategies
- the activities and functions of the organisation
- the work processes performed to carry out specific activities and transactions
- all constituent steps that make up the activity
- all the transactions that make up each constituent step
- the groups of recurring transactions within each activity
- the existing records of the organisation.
 
For further information on business activity analysis see ISO/TR 26122: 2008 Information and documentation – Work process analysis for records.
Requirement 17: Records must be reliably maintained over time within a recordkeeping framework. For physical records, this means appropriate storage conditions. However, the requirement to maintain electronic records will outlast electronic business and recordkeeping systems. It is therefore preferable to use common, or accepted, formats and operating systems to achieve an integrated and sustainable approach to longerterm recordkeeping. The organisation may incur increased costs associated with the migration and preservation of records in proprietary, unstable or unusual formats. For further guidance see the Storage Standard.
For records identified as having long-term value, preservation should be considered at the creation stage. For records to be sustainable, a migration strategy has to be developed or an organisation runs the risk that records will not be available in the future through format obsolescence or expiry of licences.
 
- A system that reliably maintains records as evidence of business activity:
- creates and maintains a record of records system faults and failures
- monitors and controls access
- controls and verifies user status
- provides security
- prevents unauthorised access, destruction, deletion, alteration or removal of records
- identifies vital records and enables business continuity planning.
Requirement 18: Records must be useable, accessible and retrievable for the entire period of their retention. Records come in a myriad of formats, such as Maps, plans, photographs, thermal paper, web pages, SMS, and data sets. Therefore consideration should be given to the longterm viability of formats used for recordkeeping purposes. It is not always possible when creating records to use formats predicted to have longevity. However, it is strategically prudent to use stable, commonly used or open formats for records of permanent or long-term value where possible. A migration strategy for records content and context is, therefore, a priority for unstable physical formats and electronic records.
To be useable over time, records should be ‘human readable’, maintain their context and ‘recordness’, and be in accessible formats.
For physical records, this entails secure storage, access controls, and contextual metadata, through file numbering, indexes, maintenance of original order of file and folder contents and file access tracking. For further requirements on the maintenance of physical records over time refer to the Storage Standard.
For the maintenance of electronic records over time, systems that create and/or maintain records should preserve the evidential admissibility of records and support migration of records from one system to another. Appropriate formats and strategies to support this should be assigned. For electronic records to be accessible, useable and retrievable over time, stable formats and storage systems and persistent metadata profiles are imperative. For further guidance on electronic recordkeeping metadata refer to the Electronic Recordkeeping Metadata Standard .
Records should be maintained in an accessible format over time, for as long as they are required, until an authorised disposal action is taken. The strategies to achieve these outcomes may vary according to the type of record and the length of time it needs to be retained. These processes should be planned, controlled, documented and managed according to risk.
Requirement 19: Records’ contextual and structural integrity must be maintained over time. Persistent contextual information should be maintained by the attribution of recordkeeping metadata to records. It should identify the agents involved and the business processes that created them. These contextual attributes are necessary to maintain the reliability and integrity of a record. For example, a contract may only be a true record when its variations are applied, or an email attachment only has full meaning if accompanied by the sender, recipient and content of the email message text. The contextual information or recordkeeping metadata created about a record may include:
a unique identifier (or physical file number)
a title
- the time and date of the creation of the record
- the author and creator
- the business being conducted
- the date of any action undertaken on the record
- the identification of the person undertaking the action
- the action that was undertaken.
 
These fields are not exhaustive and contextual recordkeeping information may be contingent on the type of record or the length of time it needs to be retained. Recordkeeping systems should be configured to automate as much of this contextual data as possible.
For further requirements on mandatory point of capture and process recordkeeping metadata for electronic records, refer to the Electronic Recordkeeping Metadata Standard
Requirement 20: Retention and disposal actions must be applied systematically. To apply systematic control of records’ retention and disposal actions there should be an evaluation of the value of the records. This means developing strategies to actively manage the disposal of paper-based files, as well as strategies for preservation/migration of records held in electronic form; and assessing the occurrence of electronic and paper records that are not currently captured into the formal recordkeeping framework. An effective systematic retention and disposal process will:
- facilitate decisions on the retention or disposal of records across all classes and formats
- initiate actions that are informed by a valid retention and disposal schedule
- identify copies of records that are authorised for destruction, including security copies, preservation copies and backup copies
- maintain an auditable record of all disposal actions and make these records available when required.
 
Risks of ad hoc disposal actions include:
- unintentional disposal of high value records of business actions
- illegal destruction of records pertaining to pending litigation or investigation
- the continuing existence, after authorised disposal actions, of duplicates or copies of disposed records.
 
All records disposal should be authorised either by a General Disposal Authority or organisation specific disposal authority. Unauthorised disposal is an illegal action under s18 of the Public Records Act 2005

 
Continuum logo Back to top

5. Glossary of Key Terms

Included are definitions of terms specific to this standard. For definitions of more general terms please see the Glossary of Archives and Recordkeeping Terms
 
Accessible:
 
1. The right or means of finding, using, or retrieving information.
2. Information that can be identified, located and viewed as required in a form, format or medium that is readable or interpretable or can be interrogated when necessary over time.
 
Authenticity:
 
An authentic record is one that can be proven:
 
a) to be what it purports to be
b) to have been created or sent by the person purported to have created or sent it
c) to have been created or sent at the time purported.
 
To ensure the authenticity of records, organisations should implement and document policies and procedures which control the creation, receipt, transmission, maintenance and disposal of records to ensure that records’ creators are authorised and identified and that records are protected against unauthorised addition, deletion, alteration, use and concealment.
 
Business Activity:
 
An umbrella term covering all the functions, processes, activities and transactions of an organisation and its employees to produce a product and/or service in the conduct of normal business practice.
 
Comprehensiveness:
 
The records framework manages records resulting from the entire business activities of the organisation.
 
Format:
 
1. The physical or electronic appearance, design, layout, plan, shape, size, method or medium in which information is recorded, organised, structured or carried, for example paper files, computer printout, photographs, microfilm, machinereadable records, plans, cards, volumes.
2. A format is a pre-established layout for data. A computer program accepts data as input in a certain format, processes it, and provides it as output in the same or another format. All data is stored in some format with the expectation that it will be processed by a program that knows how to handle that format.
 
Integrity:
 
The integrity of a record refers to it being complete and unaltered. Integrity is protected via control measures, such as, access monitoring, user verification, authorised destruction and security.
 
Record:
 
1. Means information, whether in its original form or otherwise, including
(without limitation) a document, a signature, a seal, text, images, sound,
speech; or data compiled, recorded, or stored:
 
(a) in written form on any material; or
(b) on film, negative, tape, or other medium so as to be capable of being reproduced; or
(c) by means of any recording device or process, computer, or other electronic device or process.
 
2. Information created, received and maintained as evidence and information by an organisation or person, in pursuance of legal obligations or in the transaction of business.
 
Reliability:
 
A reliable record is one with contents that can be trusted as a full and accurate representation of the transactions, activities or facts to which they attest, and can be depended upon in the course of subsequent transactions or activities. Records should be created at the time of the transaction or incident to which they relate, or soon afterwards, by individuals who have direct knowledge of the facts or by instruments routinely used within the business to conduct the transaction.
 
Useability:
 
A useable record is one that can be located, retrieved, presented and interpreted. It should be capable of subsequent presentation as directly connected to the business activity or transaction that produced it. The contextual linkages of records should carry the information needed for an understanding of the transactions that created and used them. It should be possible to identify a record within the context of broader business activities and functions.
 
Vital records:
 
Those records that are essential for the ongoing business of an agency, and without which the agency could not continue to function effectively. The identification and protection of such records is a primary object of records management and disaster planning.
 
Continuum logo Back to top

6. Appendix: Checklist of Minimum Requirements

This checklist is a tool for managing risks to the creation and maintenance of records. It can be used to assess compliance with the standard. Where a requirement is not met, an organisation must assess the risks involved and plan to address them.
 

Principle/Requirement Yes No If No, What Risks Exist? Actions Required to Treat Risks
Principle 1: Recordkeeping Must be Planned and Implemented
Recordkeeping policies and procedures (compliant with legal, regulatory and administrative requirements) must be implemented and must clearly assign recordkeeping responsibilities and appropriate resources and training.
       
 1. Responsibility for recordkeeping compliance must be assigned and
endorsed by the administrative head.
       
 2. Organisations must have a defined, documented and implemented policy for recordkeeping, which is regularly reviewed.        
 3. Organisations must have defined, documented and implemented procedures for recordkeeping which are regularly reviewed.        
 4. Recordkeeping responsibilities and resources must be defined, supported and assigned.        
 5. A programme of internal recordkeeping monitoring and compliance must be developed and implemented.        
Principle 2: Full and Accurate Records of Business Activity Must be Made
Full and accurate records must be made of all business activity for the whole organisation; records should be identified and created to document and facilitate the transaction of business.
       
 6. The functions and business activities of an organisation must be identified and documented, including any functions contracted out.        
 7. Records of business decisions and transactions must be created.        
 8. All records of business activity must be captured routinely into an organisation-wide recordkeeping framework.        
 9. Staff must receive appropriate, and regular, training for organisational recordkeeping responsibilities.        
Principle 3: Records Must Provide Authoritative and Reliable Evidence of Business Activity
Organisations must be able to demonstrate that records captured
are authentic, reliable, complete, comprehensive, useable, tamperproof and have integrity.
       
 10. Records must be authentic: organisations must accurately document their creation, receipt, and transmission.        
 11. Records must have reliability and integrity: records must be maintained unaltered.        
 12. Records must be useable, retrievable and accessible.        
 13. Records must be complete, recording the content and contextual information necessary to document an activity.        
 14. Records must be comprehensive and provide authoritative evidence of all business activities.        
Principle 4: Records Must be Managed Systematically
Records must be managed systematically across both recordkeeping systems and business systems within an organisational recordkeeping framework.
       
 15. Records must be identified and captured within a recordkeeping framework.        
 16. Records must be organised according to a business classification scheme.        
 17. Records must be reliably maintained over time within a recordkeeping framework.        
 18. Records must be useable, accessible and retrievable for the entire period of their retention.        
 19. Records’ contextual and structural integrity must be maintained over time.        
 20. Retention and disposal actions must be applied systematically.        

 
 
Issued June 2008
 
 
Continuum logo Back to top