Why Records Decisions Matter

By Rachael Greaves, CEO Castlepoint Systems

One of the most frequent fallacies related to records management, echoed by users, executives, records managers, and even records-management product vendors, is the statement: ‘that’s not a record’.

It’s quite true that in some (limited) cases, a document or a row of data in the environment is not a record. A ‘record’ is defined as something showing ‘evidence of business’. For government, anything that shows the working and thinking behind a decision or outcome, as well as the end result, is considered a Commonwealth record, and must be formally managed.

For industry and community entities, there is some more leeway, usually based on risk-assessment, as to what must be strictly controlled and what can be managed ad hoc, but there is still a raft of legislation governing many types of information.

So, if most information that we store does actually constitute a record, and if there are laws controlling how we have to manage records, why do we encounter this sentiment so often?

The first reason is confusion about the requirements. We will look at the law and policy for what is and is not a record, and what that means in terms of management, in this article.

But there is another reason – even for those who know the policy well. It’s simple practicality. For most agencies, it’s not possible to manage all their information as records in electronic records management systems. This leads to value judgements about what is and is not a priority for formal records management, which leads to judgements about what is and is not a record.

This subjective approach becomes policy-by-necessity, and flows down all the way from governance, to technology configuration, to user training.

And this does matter. Let’s have a look at why.

What are the risks of insufficient records management?

What happens when we decide some types of content, or in some cases some entire systems, are not records?

When we make the decision to treat information in an ad hoc way, instead of a formal way, we are effectively exposing that information to loss. By deciding that a piece of information is not important enough to control, we leave its fate to the mercy of users and system owners. It can be deleted, removed from its meaningful context, or ‘lost’ by being archived somewhere it can’t be searched for or accessed.  This leads to some risks.

The National Archives of Australia is pretty clear about what a record is:

All information you create, send and receive as part of your role is a record and needs to be managed according to its value. Records provide proof of what your agency did and why it did it.

No matter what the format or the location, all information and records must be managed in accordance with the provisions of the Archives Act 1983.

This applies in any system:

If you have created information using your computer then you have created a digital record and it needs to be managed.

And the Act lists what responsibilities we have with records:

(1)  Subject to this Part, a person must not engage in conduct that results in:

                     (a)  the destruction or other disposal of a Commonwealth record; or

                     (b)  the transfer of the custody or ownership of a Commonwealth record; or

                     (c)  damage to or alteration of a Commonwealth record.

Records can only be destroyed, transferred or modified in accordance with the Act and its regulations. That means we have to manage and dispose of records in accordance with the appropriate Records Authority. Records Authorities are what determine minimum ‘value’ – not agencies or individuals.

Your agency’s records authority sets out the minimum period that core business information must be kept.

Your agency can also use general records authorities to sentence core or administrative business information that is common to numerous agencies.

If a current records authority does not cover information, you cannot sentence or destroy it. The information must be kept until it can be covered by a records authority.

Records authorities are legislative instruments. They define the minimum time a type of record has to be kept and protected, based on its assessed risk and importance. If, once a minimum retention period is met, the organisation holding the record still thinks it has ongoing value for them, they can keep it longer. You can always keep a record longer – but it’s not lawful to dispose of it too soon.

What is NAP, really?

So, everything that shows evidence of business is a record. After all, if it didn’t contribute at all to our work, why would we have it in the first place? But in some cases, we do accrue information that does not actually show any evidence of our work. There is a certain type of disposal authority called Normal Administrative Practice (NAP) that can be used in this instance – but it is very often abused.

NAP cannot be used to dispose of information that is, or should be, covered in a records authority.

NAP cannot be used to destroy valuable information where there is a gap in your records authority coverage. This information must be retained until it is covered by a records authority, and then disposed of in accordance with the records authority.

NAP lets us ‘delete’ some types of information in an ad hoc way, without needing to follow a more formal disposition process. The Archives Act rule against destroying records does not apply if the information is destroyed in accordance with NAP.

The NAA guidance on NAP says that you can use it for destroying ‘certain types of low-value and short term information’. This is a very broad statement, and if we don’t look closer at the NAP guidance, we could assume that it is up to us what we determine to be low-value, or short term. But if we look deeper, the scope gets more specific.

The guidance says that we can NAP:

  • Facilitative, transitory or short-term items: like calendar invites, spam emails, personal emails, duplicate copies of records, or emails that have already been copied into a recordkeeping system.
  • Rough working papers and calculations: where the resulting analysis has already been incorporated into a more formal document.
  • Drafts not intended for further use or reference: this is the one that often trips us up – you can only NAP drafts with minor edits for grammar or spelling – not substantive drafts that show changes in the content of the document. Essentially, all draft versions of a document, that aren’t just formatting or spelling updates, have to be retained as records.
  • Copies of material retained for reference purposes only: this means summaries of existing records, and duplicates of records only used for reference.
  • Published material which does not form part of an agency’s record: this is brochures and other materials that are produced by third parties and aren’t used in any decision making.

So, even with NAP, we can’t really make our own value judgements about what is important. It’s spelled out very specifically. Realistically, everything not on the list above is going to be a record, and needs to be managed in accordance with a Records Authority.

We even have to formally manage records that don’t align with any current Records Authority – in those cases, we have to work with NAA to develop an authority that bridges the gap.

Who gets to decide?

The international standard for records management also reinforces the fact that it can’t ever be up to users to decide subjectively how valuable a record is, and as such how long it is kept. ISO 16175-3 requirement 82 states that business systems must:

Restrict the ability to apply and reapply disposition classes to the business system administrator or other authorised user  

Only authorised users can apply disposition rules, which determine how long records are retained. Users can’t decide how long items are kept for by themselves.

And there’s one more gotcha in the Archives Act – if a record is more than 15 years old, not only can it not be destroyed without authorisation, it can’t even be modified. No alterations or additions allowed! Most agencies by now have thousands of digital records that would meet this criterion.

(1)  A person commits an offence if:

                     (a)  a Commonwealth record has been in existence for more than 15 years; and

                     (b)  the person engages in conduct; and

                     (c)  the person’s conduct results in an addition to or an alteration of the record.

Fallacy: You can determine your own retention rules

The only legal instruments that allow for disposal of Commonwealth records are Records Authorities and certain Acts and Regulations. Every single record of business is governed by one or more of these, and while in some cases you can ‘roll up’ several retention rules to keep records longer, you can never apply your own rules that enable disposition to occur sooner than the law allows. 

What are the impacts?

So, let’s say we never applied a records authority to a record, or we NAPed it when we shouldn’t have, or we altered an old record, and now it’s gone. What’s the actual impact, from an Archives Act compliance point of view?

Honestly, it’s negligible. Failing to manage records properly incurs strict liability (i.e., it doesn’t matter whether you meant it or not) of 20 penalty units. A penalty unit is currently about $A200. So, about $4,000, and to be honest, the Commonwealth is unlikely to prosecute itself. So, compliance impacts from NAA are probably not a huge incentive to go to the effort of managing records in accordance with the Act.

However, the Archives Act is not the only bit of legislation or regulation that governs how we manage records. There are also rules about what records have to be formally managed, and how long they have to be retained, in these instruments for example:

  • Age Discrimination Act 2004
  • Commonwealth Entities Financial Statements Guide: Resource Management Guide No. 125
  • Commonwealth Procurement Rules
  • Corporations Act 2001
  • Fair Work Act 2009
  • Fair Work Regulations 2009
  • Legal Services Directions 2017
  • Public Governance and Performance Accountability Act 2013 (Cth)
  • Safety, Rehabilitation and Compensation Act 1988
  • Superannuation Guarantee (Administration) Act 1992
  • Work Health and Safety Act 2011
  • Work Health and Safety Regulations 2011

 

In addition to these generic Acts and Regulations, each agency will have other applicable laws that control how long records are kept. We recently did some work for the Australian Maritime Safety Authority, and found several more provisions relevant to their core business records in the:

  • Great Barrier Reef Marine Park Act 1975
  • Occupational Health and Safety (Maritime Industry) Act 1993
  • Occupational Health and Safety (Maritime Industry) Regulations 1995
  • Occupational Health and Safety (Maritime Industry) (National Standards) Regulations 2003
  • Radiocommunications Act 1992
  • Transport Safety Investigation Act 2003
  • Trans-Tasman Mutual Recognition Act 1997

 

So, what happens if agencies breach these laws? It’s not great reputationally, if anybody actually notices (like, perhaps, the Australian National Audit Office). In some cases, there can even be jail time – the Airports Act 1996, for example, can be used to lock you up for 6 months even for keeping an incorrect record on file. But usually, Acts just attribute penalty points.

However, if you are found to be in breach of one or more laws, and there has actually been a flow-on harm caused by your maladministration, it is much more likely that your ‘compliance risk’ will progress into more serious financial, operational, reputational and security risk.

So, there are real risks of deciding ‘that’s not a record’ – beyond simply compliance.