The report centres on electronic records management and archiving, concluding that aspects in selected agencies (including the Treasury Department and Department of Immigration & Citizenship) remain inadequate.
The ANAO comments that
In 2008–09, the estimated annual cost of onsite paper storage of records for 138 Australian Government agencies and bodies was $208 million. The increased use of information technology by agencies has placed pressure on the adequacy of paper‐based records management systems to adequately support the capture, maintenance, access, retention and disposal of records. Australian Government agencies create a substantial amount of electronic information and records as part of their normal operations. However, in 2009 less than 30% of these agencies and bodies managed the majority of their records digitally, even though more than half reported having an Electronic Document and Records Management System (EDRMS) and using other electronic business systems to manage records. Establishing effective records management, particularly digital records management, represents a significant business issue for many agencies.
To provide impetus and direction for digital records management, in July 2011 the Australian Government announced a policy for agencies to move to electronic records management for efficiency purposes. This policy is referred to as the Digital Transition Policy. It involves agencies’ senior management driving a change to digital records management through an increased focus on resource requirements and records management functionality when purchasing new electronic business systems, and reducing paper stockpiles.In looking at the chosen agencies for a snapshot of national government records management practice the ANAO goes on to note that -
Each agency maintained a core records management system which supported the management and destruction or transfer of records captured in the system, although there was scope to improve the use and performance of these systems. Many other electronic business systems that were not identified and functioning as ‘records management systems’ were also used by the agencies to create, capture and manage records. These systems did not generally meet legal requirements relating to the management, and destruction or transfer of records. The use of such systems also created a risk that inaccurate or incomplete information could be accessed and used when making decisions, and acquitting legal and policy requirements, such as responding to freedom of information requests.
The agencies had all experienced delays in transitioning to a digital records management environment that adequately supports business, meets legal and policy requirements, and is easy to use. Implementing digital records management systems and practices is complex, resource intensive and requires significant cultural change. Nevertheless, the need to have robust digital records management is becoming more pressing, particularly given the cost of managing paper records, application of new and changing technologies to improve programs and service delivery,It offers several findings at 19 through 29 -
Assessing records management needs and risks
Assessing records management needs and risks is an important step in developing an appropriate and effective records management approach. A key action that agencies should take is to develop records authorities to determine the retention, destruction and transfer requirements in accordance with the Archives Act. The three agencies had established, or were in the process of establishing, records authorities for their core business to guide proper disposal of records. The agencies had also completed reviews which identified significant issues and business risks in relation to information and records management or, at the very least, acceptance of records management systems and the application of relevant policy and guidance. These reviews identified a range of treatments to address risks presented by the agency arrangements. However, each agency has experienced delays in progressing effective treatments to information and records management risks, reflecting the relative priority of these issues to other business issues, and the complexity of their treatment.
A key records management need relates to the development of a digital records management environment. Each of the agencies had identified a need to move to digital records management by implementing an EDRMS and incorporating records management functionality in electronic business systems that contain records. However, despite identifying a need for an EDRMS in 1999, and in subsequent years, Customs’ records management remains paper based. In 2000 and 2004 respectively, DIAC and Treasury had implemented an EDRMS to manage a significant proportion of their records. However, these agencies had further work to do to improve the use, acceptance and/or performance of their EDRMS.
Other electronic business systems may also be used to create, use, maintain and dispose of records for particular business activities if appropriately managed. To provide for sound management of electronic records in business systems, agencies should consider records management needs during the planning, acquisition, development and implementation of electronic business systems. The agencies generally did not consider the need for records management functionality during these phases, although DIAC had recently changed its IT management arrangements to address this issue. As a result, some agency systems were being used to maintain records even though they had not been designed to do so. Conversely, some systems could have been used to manage records but no consideration had been given to their potential to fulfil this function.
It is important for agencies to identify vital electronic and paper records and develop contingency arrangements to enable their timely recovery in the event of a disaster, as part of business continuity planning. Treasury’s records management area had a vital records register which it updated on an ad hoc basis. However, none of the agencies had identified vital records in the context of their business continuity planning processes. Instead, these processes focused on disaster recovery arrangements for electronic systems, thereby providing the agency with the ability to recover information held in an electronic system within specified timeframes. Such approaches do not address the recovery of vital paper records in the event of a disaster. The need to have in place contingency arrangements for paper records was demonstrated following the 2011 Queensland floods, when some Australian Government agencies needed to destroy paper records affected by flood waters.
Support for records management
Records management policies and guidance outline an agency’s expectations in relation to information and records management for all staff, including the appropriate creation, capture and storage of records in approved records management systems when undertaking their work. Agencies must first determine the information that needs to be created and received in the context of each of their major business activities. In this respect, Customs and DIAC needed to further develop their guidance on records to create for each major business activity, and Treasury needed to promote the use of its existing guidance.
Agencies should then identify electronic business systems that are records management systems and specify how all electronic business systems that contain records should be used to manage the records that have been created or received. DIAC and Treasury had adopted a policy to manage a significant proportion of their records electronically by implementing an EDRMS. While this has led to an increase in the volume of records held electronically in the core records management system, further significant changes were required to better support the digital management of records. In particular, the agencies need to discourage unnecessary use of paper files and remove electronic systems, such as shared folders, that provide an alternative place to create, edit and keep records. Customs had a ‘print to paper’ policy that recognised a number of electronic systems were used to create records but required information from those systems to be printed and placed on a paper file. Customs intended to move to an EDRMS as it was recognised that existing arrangements for capturing electronic records were inadequate and inconsistent, and that paper records did not capture all business decisions. More generally, the agencies often had not developed sufficient guidance on the use of other electronic business systems that contain records to help ensure that records are appropriately created or captured, and then transferred to or maintained in approved records management systems, including copying records where appropriate to the core records management system.
To efficiently manage their records and comply with approved records authorities, agencies need to implement sentencing and disposal programs. Of the three agencies, Treasury had established an annual sentencing program and Customs had commenced development of a sentencing program in July 2011. DIAC had undertaken limited sentencing and disposal work because of a Moratorium on the Destruction of Department Files for several types of records, including client records.
Systems used to manage records need to be able to preserve the integrity of information, including through quality control procedures to ensure the completeness and trustworthiness of records; and system controls over access and security. However, as indicated ... many electronic systems that were not records management systems, such as shared folders, email, and certain electronic business systems, were being used to store and manage records even though they did not have suitable records management functionality. In some of these systems there were insufficient controls in place to ensure the authenticity and integrity of the records they contained. Delays in filing information from shared folders to the core records management system also exposed records to alteration and deletion, ultimately impacting on the integrity and authenticity of the record.
It is important to minimise data quality issues in information and records holdings so that the information and records can be considered accurate and reliable. DIAC is aware of data quality issues affecting significant migration processing systems, for example, the creation of multiple records where it cannot be reliably determined that the client records relate to the same person. In June 2011 a review of potential duplicate records in relation to one of the migration processing systems identified there were 653,861 multiple records. These data quality issues have the potential to increase the risks associated with identity resolution, border operations and departmental reputation. From a policy and guidance perspective DIAC is reviewing the nature and source of data quality issues, and has plans, as part of its information management framework, to implement new data management arrangements to address these issues.
A significant risk to Australian Government agencies in relation to records management is their ability to access complete and comprehensive information when it is required for business or legal purposes, including responding to freedom of information (FOI) requests in a timely manner. For the three agencies, information and records access was impeded by existing information and records management arrangements. For example, information and records for a business activity were often held in a variety of locations and electronic business systems. Staff did not have access to all locations and systems, and generally had limited understanding of information holdings that fell outside of their day‐to‐day responsibilities. Staff often stored information in a variety of places, but did not have consistent rules about the records that needed to be created and where they would be captured. This means information is captured, managed and accessible on a silo basis. The agencies did not have a widespread culture of consistently using approved records management systems, including the EDRMS and electronic business systems, to support efficient and comprehensive searches for information.
Where electronic business systems are used to manage records, the retention and destruction of information should be undertaken in accordance with relevant records authorities. With the exception of designated records management systems, none of the electronic business systems examined by ANAO sufficiently provided for sentencing, destruction and transfer in accordance with records authorities. For most of the systems, fields could be overwritten. If this occurred, available audit trails would indicate an edit had occurred but generally did not identify the changes.