Information Management Plan Map highlighting the Compliant Systems stage of the process.

All business and information systems must be designed and implemented in accordance with relevant standards to ensure they support the effective management and disposal of their information assets.

Relationship to the Information Management Standard

All information assets must be saved in a timely manner into systems that meet the relevant Standards and whole of government security Frameworks to ensure they are protected from compromise (Behaviour 4.2).

Your agency must design and implement all systems in accordance with the Minimum Recordkeeping Metadata Requirements (Metadata Standard) and the Managing Digital Records in Systems (Systems Standard) to support the effective management and disposal of its information assets (Behaviour 2.5).

This should be reflected in the Information Management Plan.

Having compliant systems will also help ensure the quality and authenticity of information assets (Behaviour 4.5) as well as ensuring they are managed and stored appropriately and remain accessible for as long as required (Behaviour 2.6).

For the purposes of the Information Management Standard:

  • quality refers to the integrity, reliability and accessibility of information assets to meet your agency’s identified information requirements
  • integrity refers to information assets being intact, whole and uncorrupted
  • reliability refers to information assets being trustworthy
  • accessibility refers to information assets being available and locatable in a readable format
  • authenticity refers to the information assets being of undisputed origin, genuine and not a copy
  • compromise includes, but is not limited to, loss, misuse, interference, unauthorised modification and / or unauthorised disclosure.

Characteristics of compliant systems

Compliant systems are format and technology neutral.  Systems may be:

  • physical in nature (such as hardcopy filing systems) or
  • digital (such as business information applications or dedicated Electronic Document and Records Management Systems (EDRMS)).

The systems might be owned and managed by your agency or by others (such as in the cloud) but used by your agency.

Where your agency uses systems that are outside its control, clear policies are required that outline each party’s responsibilities in relation to the management and use of your agency’s information assets. Refer to the Contracting Standard.

Management of digital and hardcopy information assets

Information assets created digitally should be managed digitally. They do not need to be printed for filing or information management purposes.

Information assets created physically can generally be scanned and managed digitally unless:

  • there are specific legal reasons to keep hardcopy information assets, such as property deeds
  • operational hardcopy information assets are routinely received and it is not possible or feasible to scan them
  • existing systems do not have the required controls to manage digital images.

Hardcopy information assets that have been digitised cannot be destroyed without GDS 21 certification. Refer to GDS 21 – For Disposal of Hardcopy Source Records after Digitisation and the GDS 21 Guidance Self Certification for more information.

Where there is a legal, business or evidential need for keeping hybrid files, your agency must ensure that both the hardcopy and digital files are managed in the same manner.  This means that both files should:

  • be appropriately linked to one another with the link documented in your agency’s information asset register
  • have the same classification and sentence applied
  • have the same security classification applied
  • be disposed of at the same time and documented accordingly.

Specifying system requirements

All business systems, including EDRMS, should not only meet your agency’s business requirements, but must also ensure data quality and accessibility for as long as the information asset is required.

Business requirements usually identify the functions the systems should perform to support business objectives and operations.  Technical (non-functional) requirements are also usually documented.

Business-specific information management requirements are generally identified as part of your agency’s value and risk analysis.

State Records has identified the minimum functional requirements that business systems must have regardless of the purpose of that system.  These include:

  • being able to store digital information assets required as evidence of business activity as a record
  • ensuring information assets can be located and read
  • being able to apply access permissions to information content and metadata
  • ensuring information assets can only be deleted through an authorised process.

For a full list of the minimum functional requirements a system must have, refer to the Systems Standard.

The Systems Standard is to be read in conjunction with the Metadata Standard, as business systems need to hold the most up-to-date information while recording the relevant metadata to show the exact state of the data on which decisions were made at a particular point in time.

State Records endorses the use of the international standard ISO 16175 Processes and Functional Requirements for Software for Managing Records if your agency requires more detailed specifications than those listed in the Systems Standard.

These documents can be provided to information system developers and project teams at the early stage of system development projects, or specific requirements from these documents can be added into business requirements documents.

Ensuring adequate controls

Compliant systems must have controls. Controls for information assets should include:

  • creation (where this occurs inside the system), capture and classification
  • access, retrieval and use (including security and personnel security requirements)
  • storage and preservation (including preservation of legibility)
  • control of changes (such as version control and audit trails)
  • retention and disposal.

Your agency can consider designating specific compliant systems as ‘official’ information systems. These official systems can be taken to hold the true and accurate (original) information asset.

Designating these ‘official’ information systems, such as EDRMS, as the primary stores for agency information assets enables:

  • design and implementation of consistent and understood controls (above) across systems
  • an agency-wide strategy for implementing retention and disposal of information assets
  • embedded staff routines of recording information and storing it in core systems.

For systems other than dedicated records systems, processes can be implemented to provide the required controls. For example:

  • define and implement business rules for information management processes
  • configure the system to capture additional metadata where needed and / or enable metadata to be entered manually by a user
  • design a process for applying retention and disposal requirements
  • implement system security functions to prevent unauthorised access or modifications to any information, including metadata
  • design system capability to ingest information and / or associated metadata from other business applications
  • develop methods to migrate or export information and associated metadata, including security classifications, to another, or a replacement, business application
  • develop and implement preservation and migration policies for information assets that require long-term retention.

The above processes may also be applicable to some dedicated records systems.

The technology itself should be fit-for-purpose, operate on a continuous and reliable basis, and be protected by incident recovery and business continuity regimes.

Corrective action

When systems fail to perform for any reason, corrective action should be taken immediately.

These actions might be as simple as configuring more automatic metadata capture, developing work-arounds (manual processes) for implementing retention and disposal actions, or restricting edit and delete permissions.

They may also relate to increasing the education and training of staff in system use or good information management practice.

Page last updated: 21 April 2023