Implementation guideline – Principle 7: Business information is saved in systems where it can be appropriately managed
Manage needed business information in systems that protect its integrity and support trusted and reliable use.
7.1 Identify what functionality the system will need to enable and support use of business information including the required level of:
- creation or import
- description (metadata)
- interoperability with other systems
- security and preservation
- destruction or export of all or selected information.
7.2 Determine the degree to which it is necessary to trust or prove that business information is genuine, complete, accurate and unaltered.
7.3 Create, save or capture business information into systems with sufficient functionality to satisfy operational and other stakeholder needs for reliable and trusted information.
This includes the ability, as required, to:
- enable authorised and prevent unauthorised actions including access, alteration, removal, deletion or destruction
- track or provide audit trails of actions such as access or alteration
- securely preserve and export information of long-term value.
How business information needs to be managed depends on its content and use by your agency and other stakeholders. High risk or high value business information needs to be managed so that it retains its value as trusted evidence over time. This requires being able to prove that it is genuine, complete and has not been altered, or that any alterations are known and authorised. Requirements for managing business information for as long as it is needed should be analysed and understood before a particular system is designated for its ongoing management. The other principles in this Standard will assist you to determine requirements. These might include the need to limit access to classified information (Principle 8, Action 8.1), provide adequate description of the content and context of your business information (Principle 3, Action 3.2) or ensure systems will manage business information for the duration of known retention periods (Principle 5, Action 5.2). Your analysis will inform what functionality is required by a system to meet your information management needs. An information review can be used to improve understanding of your agency's business information needs and to gather information management requirements that a system will need to meet.
The National Archives Business System Assessment Framework (BSAF) provides a risk-based approach to assessing information management functionality in business systems. It is based on Part 3 of ISO 16175 Principles and Functional Requirements for Records in Electronic Office Environments. ISO 16175 provides detailed specifications for information managed in both business systems and electronic records management systems (EDRMS).
If your analysis reveals that your systems need to share or exchange data, our advice on interoperability development phases covers six core phases to assist when building interoperability between systems. These phases contain useful advice when designing and implementing any new system.
Digital Continuity 2020 Policy targets:
31 December 2020 – information is managed based on format and metadata standards for information governance and interoperability. All business systems meet functional requirements for information management. Cross-agency and whole of government processes incorporate information governance requirements and specifications.
31 December 2018 – all business systems are evaluated against the Archives' business system assessment framework to meet functional requirements for information management. Functional requirements are implemented where necessary.
31 December 2016 – all business systems procured after this date will meet minimum metadata standards and be evaluated against the Archives' business system assessment framework to meet functional requirements for information management.
7.4 Have appropriate governance measures to ensure systems enable the creation or capture, and management of quality, fit-for-purpose business information.
If systems do not have the necessary functionality to meet your agency's information management requirements there are a number of solutions. You can add the required functionality or integrate with another system with the needed functionality. Another solution is to use appropriate governance measures such as policies, procedures and business rules. The Business System Assessment Framework provides some examples of how gaps in system functionality can be remediated through governance in Solution 4 External (Governance).
The National Archives also has advice on suggested governance measures to improve the management of business information held in network drives as well as managing information in shared systems between government agencies.
7.5 Periodically review that systems are managing information effectively to support business needs.
You need to continually review how effectively your agency's systems are managing information to support business needs because operational processes change over time. Stakeholder consultation is critical to assessing how well your systems are supporting the information needs of business areas.
It is important to monitor how effectively your agency's information needs are being met after implementing new systems or system functionality. This ensures confidence that the system is managing fit-for-purpose business information for as long as required and allows any barriers to using the system to be understood and addressed.
7.6 Plan for decommissioning of systems and migration of needed business information.
Factors to consider when decommissioning systems include the value of the business information and any ongoing need to access it. If the information is no longer required, you need authorisation to legally destroy that information. The National Archives provides authorisation to destroy Australian Government business information in the form of records authorities.
General Records Authority 31 permits the destruction of information and records after they have been successfully migrated from one system to another. A successful migration means quality control demonstrates that the migrated business information is at least functionally equivalent to the source record for business, legal and archival purposes.
If business information needs to be migrated to a new system this needs to be planned to ensure that the quality of the data, including metadata associated with the business information, is not compromised by the migration. Our interoperability guidance on legacy data migration provides practical advice on specific processes to include during a data migration.
Phase 2, Module 3 Export/Import and Phase 3, Solution 3 External (Export) of the Business System Assessment Framework also provide guidance about issues to consider when exporting business information, including supporting mitigations.
7.7 Provide risk-based advice to staff on where business information should not be stored, because it cannot be managed appropriately. Examples of such areas may include uncontrolled network drives, removable media, email applications and third party sites such as social media platforms.
Your information management policy should define which locations are endorsed for the capture and storage of business information. Include reference to these locations in any training and procedural guidance given to staff on work processes or managing corporate assets. This advice may approve some locations as suitable for short periods of time, but not for long-term storage. For example, staff may store information in removable media while transferring it from one location to another but not on a long-term basis. A risk-based approach could also be applied. The advice might state that some locations such as social media platforms are suitable for storage of short-term value business information but not suitable if that business information is needed for longer periods of time.
Increasingly, staff are able to access and use cloud-based technology applications. There is potential for these applications to be used without approval or the due diligence checks required by information management governance, which may place agency business information at risk. This may be addressed through requiring approval before using such applications, or by listing types of applications endorsed or not endorsed for use. Engage with staff to develop a practical awareness of how and why these applications are being used in your agency. You can use this information to assist in the development of more appropriate solutions for managing business information.