Phase 2: Assessment of information management functionality

Based on your answers in Phase 1, you will have been instructed to undertake additional assessment against one (or more) of four additional modules. As in Phase 1, respond to all questions in the appropriate module by providing a 'Yes' or 'No' response.

A 'Yes' response means functionality exists. No further action is required. Add a review date and document the assessment outcomes and other relevant information in the system information management plan.

Module 1: Information is trusted
QuestionConsiderationsMet? Y/NFor 'No' responses, how will this functionality be achieved?Date assessed
Can or will you be able to prove the information is authentic?

Consider the risks if you cannot show:

  • who created it
  • when it was created.

Refer to your metadata standard for relevant metadata.

Can or will you be able to identify or prevent unauthorised changes to the information?

Consider the risks if you cannot:

  • access human-readable audit logs showing changes to content
  • capture all relevant actions in an audit trail.
When you access information, can or will you be able to access all relevant parts of it?

Consider the risks if:

  • a user accesses part of the record without realising there is more relevant information
  • decisions are made based on incomplete information when additional information is available.
Does or will the system meet the Archives' minimum metadata standard?

The Digital Continuity 2020 Policy requires that:

  • business systems procured after 31 December 2016 will meet minimum metadata standards
  • from 31 December 2017 all business systems containing high-value and long-term information assets will meet minimum metadata standards.
Module 2: Disposal is accountable
QuestionConsiderationsMet? Y/NFor 'No' responses, how will this functionality be achieved?Date reviewed
Is or will disposal be controlled, systematic and recorded?

Consider the risks if:

  • you cannot control for information being inadvertently destroyed
  • you cannot manage a disposal freeze
  • If records are not disposed of in accordance with a valid records authority
Where there is more than one disposal class, can or will you be able to manage the different disposal classes?

Changes to disposal class data must not result in any information being inadvertently destroyed.

Can or will you be able to manage the system's control records in line with your accountability needs?

Following destruction of information, you should keep a record of what has been destroyed in case you need to defend the destruction if challenged.

Consider the risks if you:

  • do not know what has been destroyed
  • cannot prove whether or not specific information existed at a particular date
  • cannot show under what authority and with what approval you destroyed information.
Is or will destruction be in line with the Information Security Manual and other relevant policies?See Information Security Manual requirements for destroying digital media
Assessment 3: Export/import
QuestionConsiderationsMet? Y/NFor 'No' responses, how will this functionality be achieved?Date reviewed
Are you or will you be able to export the information in a usable format?
  • your export, import or migration does not include all the metadata you need
  • you are unable to access or use the exported, imported or migrated information
  • your exported information does not support sharing with other agencies.
Are you or will you be able to import information into the system?

Consider the risks if:

  • the system will need to support import if it is likely to replace an existing system and will be required to import informtion from it.
Assessment 4: Reporting
QuestionConsiderationsMet? Y/NFor 'No' responses, how will this functionality be achieved?Date reviewed
Can or will the system generate reports on your information management processes?

Accurate and efficient reporting is essential to accountable information management.

Consider if you need reports such as the number of records:

  • due for destruction on a specific date
  • sentenced on a specific date or under a specific disposal class.
Can or will the system create automatic alerts in response to specific triggers?

Alerts when specific information is due for destruction would be helpful:

  • if you are implementing automated disposal.
Copyright National Archives of Australia 2017