Recordkeeping Requirements within Business Information Systems
Issued: 26 November 2007
Recordkeeping Advices issued by the State Archivist provide advice on the management of records of State and local government organisations and support or explain recordkeeping requirements set out in formal State records guidelines.
This advice has been developed by the Inter Agency Policy and Projects Unit (IAPPU), Department of Premier and Cabinet, as a project sponsored by the Inter Agency Steering Committee with input from the Archives Office and other Government Agencies. The project outcome is now issued as a Recordkeeping Advice by the State Archivist.
The purpose of this document is to provide advice to agencies on recordkeeping requirements within business information systems, including decommissioning and data migration. In particular, this guide offers a recordkeeping perspective to IT staff supporting business information systems.
It is a companion guide to Advice No. 17, Implementing Better Records and Information Management.
This guide does not replace Guidelines, Advices and Retention and Disposal Schedules issued by the State Archivist under the Archives Act 1983, that provide the framework and processes for recordkeeping and through which retention requirements are determined and approved. However, these determinations are based on initial recommendations made by the agencies based on their business needs. This guide is intended to provide additional supporting information to assist agencies in implementing their requirements under the Archives Act.
Agencies have a wide number of business information systems, such as financial, HR, records, email, web content management, or licensing systems. Agencies may also have business systems that operate as large repositories of information, including data warehouses and archival or secondary storage systems, such as email archive systems.
By their nature, all information systems manage records. A record, in a records management sense, consists of:
· Content (data)
· Structure (relationships) and
· Context (an understanding of the reason for the data’s existence).
Depending on the circumstances, a record may be made up of any or all of the following:
· Tables in a database
· Individual database records themselves (field information)
· Entire database
· Application(s) and/or documentation with some or all of the above
· Reports generated by the application
· Associated documents/information in other systems
· The audit logs of people’s access and use of the database.
In order to determine what ‘the record’ is, it is necessary to first assess what business actions the system is recording. The key question then becomes, what evidence needs to be retained to support that business?
In accordance with normal recordkeeping practices, records metadata can be associated with business information systems. The metadata could simply be for the whole system, or for subcomponents of the system. The appropriate repository for the business information system metadata would be the agency records system.
In accordance with recordkeeping practices, authoritative records must:
· Be accurate – must be a correct reflection of what was done, communicated or decided
· Be authentic – be proven to be what it claims to be, to have been created or sent by the person claimed to have created or sent it, and to have been created or sent at the time claimed
· Have integrity – be complete and unaltered, now and in the future and be proven to have been managed appropriately through time
· Be accessible and useable – understandable, complete, retrievable and available through time
The level of risk and the nature of the activity will influence the required quality of recordkeeping. Factors that should be considered when determining the quality of recordkeeping include:
· Value to the business of the activity
· Political importance of the activity
· Financial risk
· Industry practices and expectations
· Likelihood that records within the business application will have to support:
o Criminal court action
o Prosecution or defence of civil proceedings
o Staff discipline, including dismissal of staff
o Responses to Ombudsman’s enquiries
o Responses to ministerial requests
o Responses to FOI requests
· Confidentiality requirements for sensitive or highly sensitive information, and associated risk management strategies including access and audit controls
· Capital and operational costs of recordkeeping
These factors contribute to what can be described as “non-functional” requirements of the business information system and the “fit for purpose” test of the system.
It is illegal to dispose of records, including information within a business information system, without the authority of the State Archivist. Normally this is authorised in Retention and Disposal Schedules that have been authorised and issued by the State Archivist.
In addition to business-specific retention and disposal schedules, there are a number of generic retention and disposal schedules that also apply to business systems, including:
· DA No 2157 - records derived from common administrative functions
· DA No 2158 - short term value records
· DA No 2159 - source records
The authorised retention and disposal schedules are available from www.archives.tas.gov.au/legislative/disposal.
To determine the minimum retention requirements of a business system the retention and disposal schedules need to be mapped against the:
· Source records (e.g. lodged forms)
· Business application, including the:
o Data schema
o Business rules and processes of the service provided by the system
· Reports produced (or that may be produced) by the system
The mapping process may be complex and will require qualitative and risk based assessments. Formal Guidelines and Advices issued by the State Archivist may assist in the process. In complex cases separate advice may be required.
The mapping process may highlight the need for changes to the retention and disposal schedules, or highlight records for which a retention and disposal schedule has not been developed.
There will be different retention requirements for the source records, data held in the system, and reports produced by the system.
Disposal actions within a business information system cannot be fully automated as records pertaining to pending or actual litigation, investigation, FOI or similar actions, should not be destroyed. The State Archivist’s advice on retaining an appropriate record of disposals should also be followed.
Data cleansing of system logs is a disposal activity, and normally covered by the generic Disposal Schedules.
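The disposal logic described above (mapping records to a schedule, retaining anything under a pending litigation, investigation or FOI hold, retaining records with no mapped schedule, and keeping a register of what was done) as an added Python example; this is not part of the Advice, and the disposal class names and retention periods are constructed placeholders rather than values from any authorised schedule:

```python
from dataclasses import dataclass, field
from datetime import date

# Constructed sample mapping of disposal classes to retention periods
# (years after the trigger date). Real periods come only from the
# authorised Retention and Disposal Schedules; these names are placeholders.
SCHEDULE = {
    "short-term": 1,       # e.g. system logs under a generic schedule
    "administrative": 7,
    "permanent": None,     # State archives: never destroyed
}

@dataclass
class Record:
    record_id: str
    disposal_class: str
    trigger_date: date                        # e.g. date the matter closed
    holds: set = field(default_factory=set)   # litigation, investigation, FOI

def _add_years(d: date, years: int) -> date:
    try:
        return d.replace(year=d.year + years)
    except ValueError:  # 29 February with a non-leap target year
        return d.replace(year=d.year + years, day=28)

def disposal_decision(rec: Record, today: date):
    """Return ('destroy' | 'retain', reason). A hold always overrides the schedule."""
    if rec.holds:
        return "retain", "hold: " + ", ".join(sorted(rec.holds))
    if rec.disposal_class not in SCHEDULE:
        return "retain", "no authorised disposal schedule mapped to this class"
    years = SCHEDULE[rec.disposal_class]
    if years is None:
        return "retain", "permanent retention"
    due = _add_years(rec.trigger_date, years)
    if today < due:
        return "retain", f"retention period runs until {due.isoformat()}"
    return "destroy", f"retention period expired {due.isoformat()}"

def run_disposal(records, today: date, authorised_by: str):
    """Apply the decisions; return the disposal register entries to be kept."""
    register = []
    for rec in records:
        action, reason = disposal_decision(rec, today)
        register.append({"record_id": rec.record_id, "class": rec.disposal_class,
                         "action": action, "reason": reason,
                         "date": today.isoformat(), "authorised_by": authorised_by})
    return register
```

The register returned by run_disposal is itself a record of disposals and must be kept in the agency records system; the function only decides, it does not delete.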
Decommissioning a business information system has recordkeeping implications: it requires an appraisal of the records held by the system that need to be retained into the future, and the development of an appropriate plan to manage this process.
The key tasks that should be undertaken as part of this are:
· Identify the retention requirements of the records associated with the system to be decommissioned (see the retention and disposal section above)
· Identify the data, if any, that will be migrated into the replacement system(s)
· Develop a migration strategy for the data that will be migrated that meets the business requirements and the requirements of the State Archivist for the migration and conversion of records. The strategy is likely to cover:
o Migration to replacement system(s), including:
- Possible conversion or cleansing of data
- Audit trails and other evidentiary records to prove that the transfer is of an appropriate quality (see the record quality requirements above)
o Time period that the existing system will be maintained after cut-over
o Migration and storage of records that are not migrated into replacement systems which are required after the existing system has been decommissioned
o Supporting information, such as contextual information, metadata, documentation or systems, required to ensure the accessibility and usability of all retained information
· Thorough and extensive testing of the migration(s)
The retention and/or quality of records requirements will impact on the design of the replacement system(s) and migration strategy.
With a clear understanding of the risk and the types of actions the records need to support, the desired level of quality can be established.
A number of techniques can be utilised to improve the quality of records within a business information system. Where appropriate the techniques need to be applied both within the system and to the surrounding environment. Some of the techniques can be “retrofitted”, while others have to be built into the design of the system.
The following list is a sample of possible techniques.
Audit of changes to records
Securely retain a record of the identity of the user creating or changing the record and the time it was created or changed. This information must not be forgeable or capable of being altered by either users or system administrators.
Audit of access to records
If confidentiality is considered a risk, securely retain a record of the identity of users who access records within the system.
User account management
User account management procedures need to reflect the level of risk. Issues to consider include:
· Timeliness in removing a person's access after they leave a position
· User authorisation to have no access by default and only allowed access where explicitly given
· For high risk applications, consideration should be given to two-factor authentication
Privileged user controls
Controls, including audit logs, on privileged users must be equal to, or preferably stronger than, the controls on other users.
Where privileged users have the ability to “impersonate” other users, comprehensive audit logs on these activities are essential.
Audit log security
Audit logs need to be retained securely. Options include:
· Storing the logs in a separate read-only system
· Digitally signing the logs to facilitate tamper detection
· Purchasing a commercial audit log management system for all agency systems
Options used will be based on cost and risks.
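As an added example (not part of the Advice), the kind of tamper-evident audit log that the "Audit of changes to records" and "Digitally signing the logs" points above call for, in Python: each entry is chained to the previous one and covered by a keyed signature, so edits, deletions, reordering and unsigned additions are detected on verification. The signing key, field names and sample entries are constructed for illustration:

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed demo key. In practice the signing key is held outside the
# business system (e.g. by a separate log management system) so that
# neither users nor the system's own administrators can re-sign entries.
LOG_SIGNING_KEY = b"demo-key-not-for-production"
GENESIS = "0" * 64   # "previous signature" of the first entry

def _sign(payload: bytes) -> str:
    return hmac.new(LOG_SIGNING_KEY, payload, hashlib.sha256).hexdigest()

def _canonical(body: dict) -> bytes:
    # Deterministic serialisation so signer and verifier hash identical bytes
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def append_entry(log: list, user: str, action: str, record_id: str, when=None) -> dict:
    """Append an audit entry whose signature also covers the previous entry."""
    entry = {
        "seq": len(log),
        "time": (when or datetime.now(timezone.utc)).isoformat(),
        "user": user,
        "action": action,            # e.g. create, update, read, impersonate
        "record_id": record_id,
        "prev": log[-1]["sig"] if log else GENESIS,
    }
    entry["sig"] = _sign(_canonical(entry))
    log.append(entry)
    return entry

def verify_log(log: list):
    """Return (True, None), or (False, seq) for the first entry that fails.

    Detects edited fields, deleted or reordered entries, and entries added
    by anyone who does not hold the signing key."""
    prev = GENESIS
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "sig"}
        if body.get("seq") != i or body.get("prev") != prev:
            return False, i
        if not hmac.compare_digest(_sign(_canonical(body)), str(entry.get("sig", ""))):
            return False, i
        prev = entry["sig"]
    return True, None
```

An HMAC makes the log tamper-evident only while the key is withheld from the system's administrators; where the verifier must be a third party, the same chain can be signed with an asymmetric key instead.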
Change control procedures
Formal change control procedures are required to be able to answer questions such as:
· Which version of the system was in use at a given point in time?
· What information was displayed to users, and when?
· Was the upgrade to the system appropriately authorised?
Testing procedures and results need to be documented and include testing of the various logs and access controls.
For further techniques on securing business information systems, see the Tasmanian Government Information Security Framework; Sections 10, 11 and 12 of AS/NZS ISO/IEC 17799:2006 Information technology – Security techniques – Code of practice for information security management; and the Public Records Office of Victoria's Specification 1: System Requirements for Preserving Electronic Records.
Archives Office of Tasmania, 2003, DA No 2157 – Records derived from common administrative functions, www.archives.tas.gov.au
Archives Office of Tasmania, 2003, DA No 2158 – Short term value records, www.archives.tas.gov.au
Archives Office of Tasmania, 2003, DA No 2159 – Source records, www.archives.tas.gov.au
Archives Office of Tasmania, 2005, Guideline 1 – Making proper records, www.archives.tas.gov.au
Archives Office of Tasmania, 2005, Guideline 2 – Retention and disposal of State records, www.archives.tas.gov.au
Archives Office of Tasmania, 2005, Guideline 15 – Recordkeeping strategies for websites and web pages, www.archives.tas.gov.au
National Archives of Australia, 2003, Archives Advice 23 – Providing electronic records in evidence, www.naa.gov.au
National Archives of Australia, 2006, Functional Specifications for Recordkeeping Functionality in Business Information Systems Software, Exposure Draft, www.naa.gov.au
National Archives of Australia, 2006, Guidelines for Implementing the Functional Specifications for Recordkeeping Functionality in Business Information Systems Software, Exposure Draft, www.naa.gov.au
Standards Australia, 2002, AS ISO 15489.1-2002 Records Management Part 1: General
Tasmanian Government Information Security Framework, www.egovernment.tas.gov.au