Queensland State Archives. Digital Rights Management Technologies and Public Records - A Guideline for Queensland Public Authorities

Save this PDF as:
 WORD  PNG  TXT  JPG

Size: px
Start display at page:

Download "Queensland State Archives. Digital Rights Management Technologies and Public Records - A Guideline for Queensland Public Authorities"

Transcription

1 Queensland State Archives Digital Rights Management Technologies and Public Records - A Guideline for Queensland Public February 2010

2 Document details Security Classification Authority Author Document Status Version PUBLIC Queensland State Archives Queensland State Archives Final Version Version 1.0 Contact for enquiries All enquiries regarding this document should be directed to: Manager, Policy and Research Unit Queensland State Archives Copyright Digital Rights Management Technologies and Public Records - A Guideline for Queensland Public The State of Queensland (Department of Public Works) 2010 Licence Digital Rights Management Technologies and Public Records - A Guideline for Queensland Public by Queensland State Archives is licensed under a Creative Commons Attribution 2.5 Australia Licence. To view a copy of this licence, visit Information security This document has been security classified using the Queensland Government Information Security Classification Framework (QGISCF) as PUBLIC and will be managed according to the requirements of the QGISCF.

3 Table of Contents 1. Introduction Background Purpose Audience Authority Scope Definitions Acknowledgements Understanding Digital Rights Management Purpose of DRM How does it work? How do you know if information is controlled by DRM? Recordkeeping and Digital Rights Management Legislative and Regulatory Requirements Recordkeeping implications of DRM Guiding Principles for the implementation and use of DRM Strategies for implementation Governance Consideration of alternative measures Analysis of risk and cost-benefit Development of a DRM governance policy Development and implementation of a training and awareness strategy Application of DRM controls Minimisation of the number of staff who may apply DRM restrictions Minimisation of the application of DRM restrictions Effective management of encryption/decryption processes Receipt and acceptance of DRM-controlled records...18

4 4.3.1 Capture into the recordkeeping system Limitations on communication with systems outside the control of a public authority Solicitation of information in tenders Consideration of situational changes Informed contractual negotiations Appendix A Recordkeeping Checklist for DRM implementations Appendix B Example of a DRM Governance Policy Template... 24

5 1. Introduction 1.1 Background Digital Rights Management (DRM) technology allows the creator or provider of digital information to control its use by restricting access, copying or conversion to other formats. DRM technologies have received more attention and increasing interest in recent years 1 and surveys have indicated that the use of DRM is on the rise. 2 While there may be benefits to deploying DRM, its use within Queensland public authorities may prevent preservation of and access to, the evidence of Queensland government s business activities and decisions over time. Its use may therefore impair the ability of public authorities to meet their legislative recordkeeping obligations. 1.1 Purpose This document provides guidance to public authorities about the recordkeeping implications of Digital Rights Management technology. It does not constitute a direction to use or accept DRM controlled information but simply provides recordkeeping advice for those public authorities that are considering its implementation. The Guideline has been developed to ensure that access to and disposal of public records is not compromised by the application of DRM. This Guideline outlines the recordkeeping risks of deploying DRM and recommends a range of strategies that public authorities may adopt to help ensure recordkeeping obligations are met. 1.2 Audience The primary audience for this document is Chief Information Officers and other Senior Information Management and IT Managers implementing or considering the implementation of Digital Rights Management technologies within Queensland public authorities, as defined in the Public Records Act Authority Queensland State Archives is responsible for the provision of advisory and support services relating to a wide range of strategic information management and recordkeeping issues for Queensland public authorities. This Guideline forms one part of a wider framework that aims to promote best-practice recordkeeping and information management in Queensland public authorities. 1 Gartner Wagner, R. & Ouellet, E. (Feb 2007) Key Selection Criteria for Enterprise Digital Rights Management Products, ID No. G For example, The Gilbane Group (August 2008) Enterprise Rights Management: Business Imperatives and Implementation Readiness Version 1.0 February

6 The State Archivist has issued this Guideline in accordance with s.25(1)(f) of the Public Records Act Scope This Guideline focuses on: the recordkeeping risks arising from the deployment and application of Digital Rights Management within Queensland public authorities, and the use of Digital Rights Management to control public records. This Guideline does not address the technical ICT issues or business requirements associated with implementation. 1.5 Definitions DRM-related terms are explained throughout this Guideline. Records and information management-specific terms are defined in Queensland State Archives Glossary of Archival and Recordkeeping Terms available on Queensland State Archives website Acknowledgements Concerned by the reduction in recordkeeping control caused by DRM, a number of Australian and international archival authorities have issued advice on this topic. This Guideline has been based on the Council of Australasian Archives and Records (CAARA) Digital Rights Management Position Statement 4 and State Records of South Australia s Digital Rights Management Implications for Recordkeeping. 5 These publications were in turn informed by the State Services Commission of New Zealand s Trusted Computing and Digital Rights Management Principles & Policies. 6 Queensland State Archives also acknowledges the contribution made by members of the external reference group formed for the development of this Guideline, and those agencies that provided feedback on draft documentation. 3 Queensland State Archives (January 2008) Glossary of Archival and Recordkeeping Terms Version 2.0. Available at archives.qld.gov.au/recordkeeping/grkdownloads/documents/glossaryofarchivalrkterms.pdf 4 Available from 5 State Records of South Australia (25 September 2007) Digital Rights Management Implications for Recordkeeping. Available at 6 State Services Commission (September 2006) Trusted Computing and Digital Rights Management Principles & Policies. Available at Version 1.0 February

7 2 Understanding Digital Rights Management Digital Rights Management 7 is a set of technologies designed to apply and enforce access and use restrictions to digital information, as specified by the information provider. 8 An information provider or creator can regulate the types of actions that can be undertaken with the information and the timeframe in which that information remains accessible. For example, an information provider/creator may be able to set: Who can: o view o modify o print o copy o forward, and/or o save the information When usage/access rights expire, and/or Automatic deletion dates. These restrictions are persistent in their nature and are inextricably bound to the information, wherever that information may move or be transmitted. Therefore, a person operating within a DRM-restricted environment cannot override the controls such as opening the document and saving a copy or moving it to an unrestricted area outside of the system in question. Examples of information not regarded as being DRM-restricted include: Information held in a network file system that restricts access based on an ACL (access control list) for security reasons, such as confidentiality. If a user has access rights, they can copy the information to a location where the ACL is not enforced. 7 Although Digital Rights Management is most commonly used in Australasia, different terms may be used to refer to the same or similar technologies. These include Information Rights Management, Document Rights Management, Rights Services Management, Enterprise Rights Management, Electronic Rights Management, Enterprise Digital Rights Management, and Electronic Copyright Management. Technological Protection Measures (TPM) is also a related term used to refer to any technological devices or tools that prevent unauthorised or illegal access to, or copying or reproduction of, copyright materials. TPM is commonly used when referring to material such as sound recordings, films and computer software, and e- books. 8 State Services Commission (September 2006) Trusted Computing and Digital Rights Management Principles & Policies. Available at Version 1.0 February

8 A document held in a document management system or electronic document and records management system (edrms), for which a user with access rights can open the document and save a copy to an unrestricted area outside of the system. Both of the above examples are not considered to be DRM because when the information is moved from the system in which it is stored, the restrictions do not persist. DRM functionality is used in a range of formats 9, including DVDs, sound recordings, videos, images and common office applications, such as within Microsoft Word and Excel and Adobe Acrobat. 2.1 Purpose of DRM DRM provides a technological mechanism for protecting digital information by allowing creators or providers to control what happens to the digital information after it has been issued or sent. Therefore it is often used to control intellectual property rights. It is also typically used in circumstances where information is highly confidential or where there are strictly defined process requirements for controlling information. 2.2 How does it work? Implementation of DRM within an organisation will typically involve defining a set of rules which authorise the rights to take particular actions on electronic information. These rules are technically configured onto the server of the organisation creating the information. When a staff member creates information, they apply an appropriate rule from the server, inextricably binding the rule to the information. For example, a staff member may apply the rule Allow this paper to be edited by my team over the next week, but do not allow anyone else to view it. In a week s time, automatically dispose of all copies. When a person attempts to access the information, their software contacts the creating organisation s server to confirm that their intended access and use is authorised. DRM may also involve the transmission of information to third-party systems owned by the supplier of technology. For example, when the software is used by an organisation, it may contact the software vendor s server and transmit personal information such as the name of the user, or name of the file being read. 9 For example, DRM is used by many major content producers in controlling the use and number of times music files can be played. DVDs are also often encoded with DRM technology to prevent the transfer or copying of content from the DVD to another medium. Version 1.0 February

9 Figure 1 Example of how Digital Rights Management technology works 2.3 How do you know if information is controlled by DRM? There is no global technical standard for verifying the occurrence of DRM. 10 may therefore be difficult to detect the presence or absence of DRM. The file header of the information may indicate that the information is controlled by DRM. On a technical level, DRM-controlled information will typically be encrypted. If a program can read the encrypted information but is unable to save the information in unencrypted form, this suggests that the information is DRM-controlled. Some DRM systems may store details about the control in a non-encrypted wrapper around the information. This wrapper can be used to confirm the presence of a digital rights management control. It 10 State Services Commission (September 2006) Trusted Computing and Digital Rights Management Principles & Policies. Available at Version 1.0 February

10 3 Recordkeeping and Digital Rights Management 3.1 Legislative and Regulatory Requirements A public record is recorded information created or received by a public authority in the transaction of business or the conduct of affairs, that provides evidence of the business or affairs. Public records may be in any format - they are not confined to hardcopy documents. The legislative and regulatory framework which underpins the information management responsibilities of Queensland agencies related to Digital Rights Management technologies includes 11 : Public Records Act the intent of this Act is to ensure that public records of Queensland Government are made, managed, kept and, if appropriate, preserved in a useable form for the benefit of present and future generations. A key element of this Act is the requirement for a public authority to make and keep full and accurate records of its business activities. Information Standard 40: Recordkeeping 13 this is a standard to assist public authorities to meet their recordkeeping obligations under the Public Records Act This Standard outlines a range of recordkeeping obligations of public authorities and defines the processes and attributes of full and accurate records: Processes Created - Queensland public authorities must ensure staff create records of their activities, and that systems which support business transactions create appropriate records. Captured - Records capture is a deliberate action that results in the registration of a record into a business system with recordkeeping functionality or a dedicated recordkeeping system. Retained - Records retention describes the keeping of records for as long as they have administrative, business, legislative and cultural value. Records must be retained in accordance with Retention and Disposal Schedules approved by Queensland State Archives. Preserved - Preservation involves storing, protecting and maintaining records to ensure their accessibility over time. 11 Queensland public authorities are responsible for researching and understanding their full legislative and regulatory environment related to the use and acceptance of Digital Rights Management technologies es/recordkeeping.aspx Version 1.0 February

11 Attributes Adequate - Records must be adequate for the purposes for which they are created and kept. There should be adequate evidence of the conduct of business activity to be able to account for that conduct. Thus, a major initiative will be extensively documented, while a routine administrative action can be documented with an identifiable minimum of information. Complete - To be complete, records should contain not only the content, but also the structural and contextual information necessary to document and make sense of the business transaction (i.e. recordkeeping metadata). Meaningful - Meaningful records can be understood. This includes having an understanding of the context of the business and the processes for which the records were created and in which they were used. Accurate - Records must correctly reflect what was communicated, decided or done (or not done). An accurate record is one in which its contents, context and structure can be trusted as a representation of the transactions, activities or facts to which they attest and can be depended upon in the course of subsequent transactions or activities. Authentic - An authentic record is one that can be proven to be what it purports to be and to have been referenced, created or transmitted by the person who purports to have created or transmitted it. Inviolate - To be regarded inviolate, a record must be securely maintained to prevent unauthorised access, alteration, removal or destruction. The internal and external processes to which a record has been subject should be traceable. Accessible - Records must remain accessible and available to people both inside and outside the agency, in accordance with security, privacy and legislative requirements, for the designated period for which they must be retained. To be accessible, records must be maintained so that they can be quickly and easily identified and retrieved when they are required. Useable - Records must be kept in a format that allows their continued use. Information Standard 31: Retention and Disposal of Public Records 14 this is a standard to ensure the appropriate disposal of records. This details a public authority s obligations to retain records for at least the specified period in a current Retention and Disposal Schedule that has been authorised by the State Archivist, and the requirements for lawfully disposing of records es/retention%20and%20disposal%20of%20public%20records.aspx Version 1.0 February

12 Information Standard 18: Information Security 15 a standard to help public authorities protect information from misuse and loss and from unauthorised access, modification or disclosure. Information Standard 33: Information Access and Use a standard to help ensure that citizens and those doing business in Queensland have open access to and are able to use Queensland Government information. Right to Information Act The primary object of this Act is to give a right of access to information in the government s possession or under the government s control unless, on balance, it is contrary to the public interest to give the access. Information Privacy Act The intent of this Act is to provide for the fair collection and handling in the public sector environment of personal information; and a right of access to, and amendment of, personal information in the government s possession or under the government s control unless, on balance, it is contrary to the public interest to give the access or allow the information to be amended. Copyright Act 1968 (Commonwealth) 18 This is the Act relating to copyright. Under this Act it is generally not permitted to use, manufacture, import, supply or communicate devices to circumvent access control technological protection measures, (such as DRM) to allow unauthorised access or copying of copyrighted material. There are some limited exceptions under certain circumstances and public authorities are advised to seek legal advice in this regard, if relevant. 3.2 Recordkeeping implications of DRM Application and acceptance of Digital Rights Management technologies may impede preservation of and access to, the evidence of Queensland government s business activities and decisions over time. It may inhibit a public authority s ability to capture and maintain full and accurate records of its business and dispose of records in accordance with the Public Records Act 2002, Information Standard 40: Recordkeeping and Information Standard 31: Retention & Disposal of Public Records. DRM may also compromise a public authority s ability to meet the requirements of other regulations and legislation such as the Right to Information Act 2009 and the Information Privacy Act es/information%20security.aspx E32ED860AE37ECA2570DC000CEA4E?OpenDocument Version 1.0 February

13 Potential risks to recordkeeping arising from DRM include: DRM Feature Expiration dates/ Autodeletion Autodeletion Print disabling Prohibition of saving/ forwarding Risk Public authorities prematurely dispose of public records. Public authorities dispose of public records before consideration of the value of the records beyond the prescribed retention period. Public authorities destroy public records without capture of mandatory recordkeeping metadata. Public authorities that maintain public records in paper format are unable to do so. Public authorities are prevented from capturing electronic records into an electronic recordkeeping system. Description This may occur when the expiration rule set by the information provider conflicts with the retention period authorised in an approved Retention and Disposal Schedule. A key process step prior to disposing of records involves the assessment for any on-going business or legal use of the records. Automatic deletion by the IT system, without manual intervention, means records that are still required for business or legal purposes may be inadvertently lost. Details of the destruction of a public record must be recorded in a public authority s recordkeeping system. When control and management of deletion is retained by the information provider/creator, these details, expressed in recordkeeping metadata, may not be captured. Some agencies do not have an electronic Document and Records Management System (edrms) for managing electronic records. Instead, electronic records are printed and managed in paper form. In these instances, the prevention of printing impairs the ability of a public authority to capture the record into the recordkeeping system and initiate appropriate recordkeeping controls. For those agencies that use an edrms, records are unable to be captured and managed in line with recordkeeping obligations. Version 1.0 February

14 DRM Feature Prohibition of viewing Prohibition of copying/ modifying/ saving Risk Public authorities are unable to meet their obligations to provide access to or produce documentation. Public authorities may not be able to preserve their public records for the required retention period. Public authorities may not be able to re-use the information contained in records. Description This DRM function means that records may not be accessible to those who have a legitimate right to view them. Obligations which may not be met include: Under the Public Records Act 2002, agencies must ensure records remain able to be produced or made available for the authorised retention period. Restricting viewing rights of records may not align with the intent of the Right to Information legislation which encourages more open access. Public authorities may be unable to produce and provide access to documentation for those authorities undertaking monitoring or investigative activities, such as Commissions of Inquiries, auditing, etc. Some records are required to be retained for long periods of time. Due to technology obsolescence, agencies may need to undertake preservation activities such as migration or conversion of the digital records. DRM-restrictions placed on records may prevent the public authority from ensuring the record remains accessible into the future. For efficiency purposes, on occasions, new documents are created by re-using existing documents. The inability to re-use information may delay business processes and create additional resource requirements. Version 1.0 February

15 DRM Feature Risk Description Encryption Records may become inaccessible due to a lack of management of the encryption process and associated keys and certificates required to decrypt the information. Remote Privacy and security of attestation 20 information may be threatened. When access is reliant on communication with an external server, accessibility may be compromised. DRM-controlled information is usually encrypted. Encryption is the process by which information is transformed to conceal its meaning. 19 It is a reversible process and the information can be recovered or decrypted by using a cryptographic algorithm and key. Without appropriate management of these processes, particularly over long periods of time for which some records must be retained, records may become inaccessible. In some DRM systems, each time protected information is accessed, there is communication between the DRM system and external servers. Personal data is at risk of being collected by the external server, without the appropriate authorisation in line with privacy requirements. Security of the information may also be compromised by virtue of firewalls being opened to permit this transmission. The dependence on successful communication with an external device may mean access to records is at a higher risk of being unpredictable or unreliable. 19 Office of Government ICT (2006) Queensland Government Authentication Framework- Authentication Concepts Authentication_Concepts.doc 20 Remote attestation involves confirming the integrity and authenticity of the status and configuration of a system to a remote entity. Software companies may use remote attestation to prevent people from tampering with their software to circumvent technological protection measures. Source: Darmstadt University of Technology, TechRepublic White Paper: A Robust Integrity Reporting Protocol for Remote Attestation. Version 1.0 February

16 3.3 Guiding Principles for the implementation and use of DRM The framework outlined in Section 3.1 provides a policy context for capturing, ensuring security and privacy, providing access to, preserving, and disposing of public records. Based on this recordkeeping framework and to mitigate against the realisation of the risks outlined in Section 3.2, key principles which should guide the implementation and use of Digital Rights Management include: Principle 1. Principle 2. Principle 3. A public authority must be able to capture a full and accurate public record into a recordkeeping system. A public authority must be able to provide access to public records, to those people who are entitled to access them. This includes provision of future access for audit, archival, legal and other purposes. A public authority must be able to retain public records and recordkeeping metadata for the full authorised retention period, while ensuring the authenticity and integrity of these records. Principle 4. A public authority must be able to ensure that recordkeeping activities can be undertaken to preserve public records over time. This includes ensuring public records remain meaningful and able to be understood. Principle 5. A public authority must be able to ensure protection of personal and confidential public records through robust privacy and security controls. Version 1.0 February

17 4 Strategies for implementation While the use and acceptance of DRM controlled information is generally not recommended for Queensland public authorities, it is acknowledged that a public authority may have a business requirement to apply DRM restrictions to information or accept DRM-controlled information from external information providers. Where public authorities decide to create, use or accept DRMcontrolled information, it is recommended agencies implement the following strategies to ensure recordkeeping risks are minimised and obligations continue to be met. These strategies can be broadly grouped into three categories (and are summarised in checklist form in Appendix A): 1. Governance these are strategies related to the overarching decision to adopt DRM. 2. Application of DRM controls these are primarily strategies for public authorities that have decided to create DRM-controlled records. 3. Receipt and acceptance of DRM-controlled records these are primarily strategies for public authorities that have decided to accept DRMcontrolled records. 4.1 Governance Consideration of alternative measures There may be alternative viable options to implementing DRM, and these should be explored before the decision is taken to implement and/or accept DRM-controlled records. To protect and secure information and prevent its unauthorised or improper use within a public authority, appropriate rights access and security can often be achieved through other measures such as through electronic Document and Records Management Systems, as information security controls are established and embedded within these. It is recognised that when providing external parties with information, a public authority may wish to protect the agency s intellectual property. The standardised approach to licensing information, known as the Government Information Licensing Framework (GILF) 21 enables creators of information to allocate, and users to understand, the legally permitted uses of information products. The Framework includes digital licence-management software which enables the information to be tagged with the appropriate licence, thereby explicitly specifying details to users about the lawful use of the information. However GILF does not enforce these licence conditions through digital rights management technology. 21 See for further information. Version 1.0 February

18 4.1.2 Analysis of risk and cost-benefit The decision to implement Digital Rights Management technology is a significant one that requires appropriate deliberation of the recordkeeping risks, along with any other associated business risks. It is recommended that a robust cost-benefit and risk analysis (including assessment of the risks to security, records management and legal aspects) is undertaken prior to the introduction of DRM in order to demonstrate the business imperative and value of implementation. Under the Public Records Act 2002, the Chief Executive Officer is responsible for ensuring the public authority makes and keeps full and accurate records of its activities. Because of the recordkeeping risks arising from Digital Rights Management, it is recommended that the decision to implement and/or accept public records with DRM controls is documented and is authorised by a public authority s Chief Executive Officer and senior management team, and not by Managers of individual business units/divisions or individual staff Development of a DRM governance policy Public authorities should develop an organisational Digital Rights Management policy to guide any deployment, use and receipt, and assist in ensuring recordkeeping responsibilities are addressed. The policy should cover both DRM use within an internal context and the acceptance of DRM-controlled information from external sources. The policy may encompass consideration of: The public authority s position on the receipt of information controlled by Digital Rights Management measures from external organisations. Clear definition of the authorised scope of DRM application. This includes explanation of the conditions and circumstances in which DRM can and cannot be used. Who has the authority to apply and/or accept DRM-controlled information. How DRM use and/or acceptance aligns with the public authority s information management and recordkeeping policy framework and strategies. This includes consideration of information access requirements and the approaches for ensuring that public records remain accessible into the future, in line with their authorised retention period. Identification of the roles and responsibilities of staff. Deployment of DRM requires cooperation between staff with a range of expertise including records management, ICT infrastructure, system administration, business management, system vendors and implementers, and all public authority staff. An example of a DRM Governance Policy template is provided in Appendix B. The policy position of the public authority may be supported by ICT mechanisms. For example, if the agency has decided not to accept DRMcontrolled information, any information containing DRM controls sent from Version 1.0 February

19 external organisations may be scanned and automatically rejected, with an automatic failure of receipt message relayed to the sender. Other organisational policies and operations such as procurement policies or the agency s Standard Operating Environment (SOE) or Managed Operating Environment (MOE) may also require review to ensure they reflect the DRM policy position of the public authority Development and implementation of a training and awareness strategy If DRM technologies are permitted, public authority staff will need to be adequately trained in the use of Digital Rights Management. The development and implementation of a training and awareness strategy should include ensuring that users have a clear understanding of their recordkeeping responsibilities and the scope of the use and/or acceptance of DRM. It will be important to ensure that the public authority s ICT staff who may be involved in the configuration of DRM technology have a comprehensive understanding of legislative recordkeeping obligations. 4.2 Application of DRM controls Minimisation of the number of staff who may apply DRM restrictions In many applications, DRM technology has to be switched on by an administrator at the server level, so that individual users can apply restrictions to particular records. It may be possible for DRM to be linked to existing administrative/directory user groups established within the agency. This means that rights controls can be limited to particular users. Limiting the use of DRM controls to only those authorised staff who have been appropriately trained and require its application to meet a specific business need will help to reduce the complexities associated with the management of public records Minimisation of the application of DRM restrictions It is recommended that restrictions are selected based on critical business needs and requirements, so that a minimal number of constraints are applied. Any application of DRM restrictions must consider the full range of potential usage requirements for the public record, including any future access, such as by Queensland State Archives for preservation purposes, the Auditor-General for auditing purposes, the Attorney-General and the Courts for legal purposes or in response to Right to Information and Information Privacy requests. Version 1.0 February

20 4.2.3 Effective management of encryption/decryption processes DRM-controlled information is usually encrypted. To maintain the authenticity, integrity and accessibility of public records, the process of encrypting and decrypting records should be robust and be documented under appropriate security controls. This is to ensure public records are always able to be decrypted to restore the content so that they are meaningful, and are not inadvertently lost. 4.3 Receipt and acceptance of DRM-controlled records Capture into the recordkeeping system While many edrms will not allow records that are controlled by DRM to be deleted, the DRM controls can prevent access to the records. 22 This means that while the edrms may attempt to launch the record, the content will not be displayed, rendering the record inaccessible. As records must remain accessible for their authorised retention period, an unencumbered copy of a DRM-protected record will need to be captured into the recordkeeping system. Capturing the unencumbered record into the recordkeeping system allows records management professionals to actively manage the record and help ensure its ongoing accessibility and preservation. To obtain an unencumbered version of the record, public authorities will need to negotiate a process whereby the information creator/provider removes all rights protection. This record will need to be totally unencumbered that is, not simply read access - so that any required records management actions can be undertaken, including transformations or migrations required for digital preservation purposes. The inability to revoke access should be able to be proven. This could be verified by placing the record onto a quarantined machine that has no connection with the vendor s systems, the internet or no prior knowledge of current network users, and confirming that the information can still be accessed and used while in this location. 22 The way a specific edrms product works with DRM-controlled information should be explored with the public authority s edrms vendor, as different products may have different approaches. Version 1.0 February

21 4.3.2 Limitations on communication with systems outside the control of a public authority Where access to public records is dependent on successful communication with an external rights server, it is important to be mindful of the collection, use and protection of personal information by that server. Any collection and use of information should be consistent with the Queensland Government privacy requirements, and explicitly supported through contractual agreements. Reliance on external systems, including the internet, may impair a public authority s ability to ensure ongoing accessibility to public records. Steps should be taken to ensure public records remain accessible in the event that the external systems fail or expire Solicitation of information in tenders DRM technologies may come bundled in a product that forms a fundamental part of a public authority s technical platform, for example, embedded in desktop computer hardware and operating systems. Hardware or software that is limited by DRM technologies can prevent access to information. When initiating a procurement exercise, it can be useful to seek an explicit response from suppliers about whether the product/deliverables include DRM features and whether these features are activated by default and are able to be configured. This may aid efficiency in product selection by ensuring upfront that the supplier s response is in line with the public authority s DRM policy position Consideration of situational changes Situational changes may occur for a range of reasons. For example, public authorities may face administrative variations through machinery of government (MOG) changes. 23 MOG changes may result in the transfer of a business function 24 to another public authority or the abolition of an existing business function or unit. When a function is transferred, the public records relating to that function should also be transferred to allow the receiving public authority to continue to efficiently administer that function. Arrangements for managing DRMcontrolled records should be discussed by both parties and documented to ensure the recordkeeping obligations of the receiving entity can be met. When a public authority ceases to carry out a function, and that function is not going to be conducted by another entity, the public authority must retain the public records relating to that function as legacy records, unless a regulation 23 For further information about machinery of government changes and the management of public records, see the Public Records Brief available at government_changes_management_of_public_records.pdf 24 A business function represents the major responsibilities that are managed by a public authority to fulfil its goals. Functions are high-level aggregates of the authority s activities. Version 1.0 February

22 under the Public Records Act 2002 is introduced to prescribe otherwise. These records must remain accessible for their authorised retention period and therefore public authorities will need to ensure that processes are in place to enable ongoing access to and management of any DRM-controlled records. When a public authority has procured products or services from an external organisation and there is reliance on their external software or servers for accessing and managing records, an assessment of the risk of potential situational changes for the external organisation, such as insolvency, should be conducted. This is to help ensure public records do not become inaccessible due to unavailable services and technologies Informed contractual negotiations In contract negotiations a key issue for discussion and documentation is recordkeeping responsibilities. Public authorities must ensure that all public records can be managed and kept in accordance with the Public Records Act 2002 and therefore a public authority must be able to retain full control over the use of public records. Where it is mutually agreed that records or systems that are controlled by DRM can be received due to a clear business case for doing so, approaches for recordkeeping should be considered and clearly documented within the contractual agreement. For example, it may be agreed that a copy of the public record without the DRM control will be provided by the third party in an arranged process. The New Zealand Government 25 has developed suggested contractual clauses concerning DRM application/receipt which are available at: 07/tc-drm-standards.pdf (See Appendix A of the New Zealand Guideline). A Queensland public authority should obtain appropriate legal advice prior to the use of any such clauses. It is important to discuss and document responsibilities associated with any reliance on external software or servers. Public records may be required to be retained for lengthy periods and may require preservation activities such as migration or conversion to other formats. Arrangements for preservation over time will need to be contractually discussed and documented. It is also important to have full knowledge about, and document any information flows into or out of DRM systems that could involve the collection or transmission of personal information. This includes negotiating with the external party about when such events will occur; what specifically is collected and transmitted; the purpose of the collection; who will access and use the information; and for how long this information will be held. 25 State Services Commission (July 2007) Trusted Computing and Digital Rights Management Standards and Guideline - Available at Version 1.0 February

23 5 Appendix A Recordkeeping Checklist for DRM implementations 1. Governance 1.1 Has due consideration been given by the Chief Executive Officer and senior management to the decision to apply and/or accept DRM controlled records? Have alternative means of controlling the public records been considered, for example through an edrms or through digital licence management software? 1.2 Has a robust cost-benefit and risk analysis been undertaken, including an assessment of the risks to records management, to demonstrate the clear business imperative and value of implementation? 1.3 Has the decision to implement and/or accept public records with DRM controls been documented and authorised by the Chief Executive Officer or equivalent senior management? 1.4 Has a DRM policy been developed to guide any deployment, use and receipt of DRM controlled records? 1.5 Does the DRM policy cover: A position on both application internally within the public authority and acceptance of DRM controlled information from external sources? Clear definition of the authorised scope of DRM application and acceptance. This includes explanation of the conditions and circumstances in which DRM can and cannot be used, and by whom. How DRM use and/or acceptance aligns with the public authority s information management and recordkeeping policy framework and/or strategy. This includes consideration of information access requirements and the approaches for ensuring that full and accurate records are managed and retained for their authorised retention periods. Identification of the roles and responsibilities of staff. 1.6 Is there a need for the DRM policy position of the public authority to be supported by ICT mechanisms? If so, are there appropriate ICT mechanisms in place? 1.7 Have staff been adequately trained in the application and acceptance of DRM controlled records? Yes No Version 1.0 February

24 2. Application of DRM controls 2.1 Has the number of staff who are able to apply DRM restrictions been limited in line with the business need? 2.2 Have the selected types of DRM restrictions been limited to those that are based on critical business needs and requirements? 2.3 Do the restrictions allow for the full range of potential usage requirements for public records, including future access, for example: by Queensland State Archives for preservation purposes by the Auditor-General for auditing purposes by the legal and justice sector for legal purposes Yes No in response to Right to Information and Information Privacy requests? 2.4 Are there documented processes for encrypting and decrypting public records? Are there skills and tools available for doing so? 3. Receipt and acceptance of DRM-controlled records 3.1 Can an unencumbered record be captured into the public authority s recordkeeping system? 3.2 Can the inability to revoke access or restrict management of the record be proven? 3.3 Has any collection of information by an external rights server been discussed between the parties and contractually agreed? Have these arrangements considered: What information will be collected For what it will be used Who can access and use the information When the collection will occur For how long it will be kept? Version 1.0 February

25 3.4 Where access is dependent on an external server/organisation, are processes in place to ensure public records remain accessible in the event of failure or expiration of the external systems or the vendor s insolvency? 3.5 When partnering, outsourcing or contracting services and/or products from an organisation, have discussions included the acceptance (or otherwise) of information/products controlled by Digital Rights Management technology. 3.6 When relevant, in the process of procurement of services or ICT systems, has an explicit response from the supplier been sought about whether the product/deliverables include DRM features and whether these features are activated by default and can be configured? 3.7 When accepting DRM controlled information from external parties, has a documented agreement been negotiated that outlines the recordkeeping responsibilities of each of the parties? This includes consideration about the capture, management, access, security, disposal and preservation of public records; the privacy of any information collected; and the details of any reliance on external software or servers? 3.8 In the event of a machinery of government change, have recordkeeping responsibilities about DRM controlled records been discussed, agreed and documented? Yes No Version 1.0 February

26 6 Appendix B Example of a DRM Governance Policy Template 1 Introduction The introduction to the policy should contain opening comments about Digital Rights Management, the context for DRM use and acceptance within the public authority and the intent of the Policy. 1.1 Authority As recommended in this Guideline, the public authority s policy position on the use and acceptance of DRM should be authorised by the Chief Executive Officer (or equivalent) and senior management team. This section should indicate who has authorised the Policy. 1.2 Effective Date This should indicate the date the policy was developed and approved. 1.3 Review Review is an important component of policy development as it ensures that policy reflects current business needs. Documenting the review schedule, along with the history of any previous reviews in this section will help to demonstrate the relevance and currency of the policy. 1.3 Scope This section should be used to explain at a high-level, what the policy does and does not cover (both the use within an internal context and the acceptance of DRM-controlled information from external sources) and to whom it applies. 1.4 Definitions Definitions provide staff with a shared understanding of specific terms and should be included in the policy. They can be included here, in the introduction, or as a glossary or appendix. Please refer to Queensland State Archives Glossary of Archival and Recordkeeping Terms 26 for recordkeeping definitions. 1.5 Regulatory and legal framework This section should contain information about legislation and regulations relevant to the use and acceptance of DRM within the public authority Version 1.0 February

27 2 Policy Principles The policy principles should clearly indicate the public authority s position on the use and acceptance of DRM and the rationale for this position. Where DRM has been authorised, a description of the consideration of alternative measures and the risk and cost-benefit analysis (or a reference to this documentation) should be included within the policy. Policy principles should be developed to cover: The public authority s position on the receipt of information controlled by Digital Rights Management measures from external organisations. This includes explanation of the conditions and circumstances in which DRM can and cannot be accepted, and the associated ICT implications, e.g. the scanning and automatic rejection of DRM-controlled information if this is the position of the agency or a position on the use of systems that rely on external rights servers and the internet for access. The position on the use by the public authority of information controlled by Digital Rights Management measures. This includes explanation of the conditions and circumstances in which DRM can and cannot be used, and the extent of this use (e.g. use of DRM restrictions should be minimised, number of staff that may apply DRM controls should be minimised, etc.) Information about who has the authority to apply and/or accept DRMcontrolled information. If DRM is to be used and/or accepted, statements on how public records will be captured into a recordkeeping system, managed and retained as full and accurate records, so as to enable appropriate access for the authorised retention period. Information about the roles and responsibilities of staff and any training requirements. This could include requirements, where relevant, to ensure procurement exercises entail discussions about DRM-controlled information, and responsibilities for recordkeeping. Version 1.0 February

Queensland recordkeeping metadata standard and guideline

Queensland recordkeeping metadata standard and guideline Queensland recordkeeping metadata standard and guideline June 2012 Version 1.1 Queensland State Archives Department of Science, Information Technology, Innovation and the Arts Document details Security

More information

Records and Information Management. General Manager Corporate Services

Records and Information Management. General Manager Corporate Services Title: Records and Information Management Policy No: 057 Adopted By: Chief Officers Group Next Review Date: 08/06/2014 Responsibility: General Manager Corporate Services Document Number: 2120044 Version

More information

ADRI. Statement on the Application of Digital Rights Management Technology to Public Records. ADRI-2008-001-v1.0

ADRI. Statement on the Application of Digital Rights Management Technology to Public Records. ADRI-2008-001-v1.0 ADRI Statement on the Application of Digital Rights Management Technology to Public Records ADRI-2008-001-v1.0 Version 1.0 6 August 2008 Statement on the Application of Digital Rights Management Technology

More information

Management of Official Records in a Business System

Management of Official Records in a Business System GPO Box 2343 ADELAIDE SA 5001 Tel (08) 8204 8773 Fax (08) 8204 8777 DX:467 srsarecordsmanagement@sa.gov.au www.archives.sa.gov.au Management of Official Records in a Business System October 2011 Version

More information

Cloud Computing and Records Management

Cloud Computing and Records Management GPO Box 2343 Adelaide SA 5001 Tel (+61 8) 8204 8773 Fax (+61 8) 8204 8777 DX:336 srsarecordsmanagement@sa.gov.au www.archives.sa.gov.au Cloud Computing and Records Management June 2015 Version 1 Version

More information

Scotland s Commissioner for Children and Young People Records Management Policy

Scotland s Commissioner for Children and Young People Records Management Policy Scotland s Commissioner for Children and Young People Records Management Policy 1 RECORDS MANAGEMENT POLICY OVERVIEW 2 Policy Statement 2 Scope 2 Relevant Legislation and Regulations 2 Policy Objectives

More information

Trusted Computing and Digital Rights Management Principles & Policies

Trusted Computing and Digital Rights Management Principles & Policies Trusted Computing and Digital Rights Management Principles & Policies State Services Commission September 2006 Version 1.0 ISBN 978-0-478-30301-8 Crown copyright 2006 Trusted Computing and Digital Rights

More information

9. GOVERNANCE. Policy 9.8 RECORDS MANAGEMENT POLICY. Version 4

9. GOVERNANCE. Policy 9.8 RECORDS MANAGEMENT POLICY. Version 4 9. GOVERNANCE Policy 9.8 RECORDS MANAGEMENT POLICY Version 4 9. GOVERNANCE 9.8 RECORDS MANAGEMENT POLICY OBJECTIVES: To establish the framework for, and accountabilities of, Lithgow City Council s Records

More information

Privacy and Cloud Computing for Australian Government Agencies

Privacy and Cloud Computing for Australian Government Agencies Privacy and Cloud Computing for Australian Government Agencies Better Practice Guide February 2013 Version 1.1 Introduction Despite common perceptions, cloud computing has the potential to enhance privacy

More information

ADRI. Digital Record Export Standard. ADRI-2007-01-v1.0. ADRI Submission Information Package (ASIP)

ADRI. Digital Record Export Standard. ADRI-2007-01-v1.0. ADRI Submission Information Package (ASIP) ADRI Digital Record Export Standard ADRI Submission Information Package (ASIP) ADRI-2007-01-v1.0 Version 1.0 31 July 2007 Digital Record Export Standard 2 Copyright 2007, Further copies of this document

More information

TERRITORY RECORDS OFFICE BUSINESS SYSTEMS AND DIGITAL RECORDKEEPING FUNCTIONALITY ASSESSMENT TOOL

TERRITORY RECORDS OFFICE BUSINESS SYSTEMS AND DIGITAL RECORDKEEPING FUNCTIONALITY ASSESSMENT TOOL TERRITORY RECORDS OFFICE BUSINESS SYSTEMS AND DIGITAL RECORDKEEPING FUNCTIONALITY ASSESSMENT TOOL INTRODUCTION WHAT IS A RECORD? AS ISO 15489-2002 Records Management defines a record as information created,

More information

Transition Guidelines: Managing legacy data and information. November 2013 v.1.0

Transition Guidelines: Managing legacy data and information. November 2013 v.1.0 Transition Guidelines: Managing legacy data and information November 2013 v.1.0 Document Control Document history Date Version No. Description Author October 2013 November 2013 0.1 Draft Department of

More information

Information and records management. Purpose. Scope

Information and records management. Purpose. Scope Information and records management NZQA Quality Management System Policy Purpose The purpose of this policy is to establish a framework for the management of information and records within NZQA and assign

More information

Migrating digital records

Migrating digital records Migrating digital records A guideline for Queensland public authorities June 2012 Version 1.0 Queensland State Archives Department of Science, Information Technology, Innovation and the Arts Document details

More information

Newcastle University Information Security Procedures Version 3

Newcastle University Information Security Procedures Version 3 Newcastle University Information Security Procedures Version 3 A Information Security Procedures 2 B Business Continuity 3 C Compliance 4 D Outsourcing and Third Party Access 5 E Personnel 6 F Operations

More information

USER AGREEMENT FOR: ELECTRONIC DEALINGS THROUGH THE CUSTOMS CONNECT FACILITY

USER AGREEMENT FOR: ELECTRONIC DEALINGS THROUGH THE CUSTOMS CONNECT FACILITY USER AGREEMENT FOR: ELECTRONIC DEALINGS THROUGH THE CUSTOMS CONNECT FACILITY CONDITIONS OF USE FOR ELECTRONIC DEALINGS THROUGH THE CUSTOMS CONNECT FACILITY Between: the Commonwealth of Australia, acting

More information

Information Security Policies. Version 6.1

Information Security Policies. Version 6.1 Information Security Policies Version 6.1 Information Security Policies Contents: 1. Information Security page 3 2. Business Continuity page 5 3. Compliance page 6 4. Outsourcing and Third Party Access

More information

Managing Closed Circuit Television (CCTV) Records

Managing Closed Circuit Television (CCTV) Records Queensland State Archives Managing Closed Circuit Television (CCTV) Records Guideline for Queensland Public Authorities October 2010 Document details Security Classification PUBLIC Date of review of security

More information

Electronic business conditions of use

Electronic business conditions of use Electronic business conditions of use This document provides Water Corporation s Electronic Business Conditions of Use. These are to be applied to all applications, which are developed for external users

More information

ADRI. Advice on managing the recordkeeping risks associated with cloud computing. ADRI-2010-1-v1.0

ADRI. Advice on managing the recordkeeping risks associated with cloud computing. ADRI-2010-1-v1.0 ADRI Advice on managing the recordkeeping risks associated with cloud computing ADRI-2010-1-v1.0 Version 1.0 29 July 2010 Advice on managing the recordkeeping risks associated with cloud computing 2 Copyright

More information

Mapping the Technical Dependencies of Information Assets

Mapping the Technical Dependencies of Information Assets Mapping the Technical Dependencies of Information Assets This guidance relates to: Stage 1: Plan for action Stage 2: Define your digital continuity requirements Stage 3: Assess and manage risks to digital

More information

Information Security Policy September 2009 Newman University IT Services. Information Security Policy

Information Security Policy September 2009 Newman University IT Services. Information Security Policy Contents 1. Statement 1.1 Introduction 1.2 Objectives 1.3 Scope and Policy Structure 1.4 Risk Assessment and Management 1.5 Responsibilities for Information Security 2. Compliance 3. HR Security 3.1 Terms

More information

General Disposal Authority. For encrypted records created in online security processes

General Disposal Authority. For encrypted records created in online security processes General Disposal Authority For encrypted records created in online security processes May 2004 Commonwealth of Australia 2004 ISBN 1 920807 04 7 This work is copyright. Apart from any use as permitted

More information

COUNCIL POLICY R180 RECORDS MANAGEMENT

COUNCIL POLICY R180 RECORDS MANAGEMENT 1. Scope The City of Mount Gambier Records Management Policy provides the policy framework for Council to effectively fulfil its obligations and statutory requirements under the State Records Act 1997.

More information

Information Management Advice 18 - Managing records in business systems Part 1: Checklist for decommissioning business systems

Information Management Advice 18 - Managing records in business systems Part 1: Checklist for decommissioning business systems Information Management Advice 18 - Managing records in business systems Part 1: Checklist for decommissioning business systems Introduction Agencies have systems which hold business information, such as

More information

Digital Archiving Survey

Digital Archiving Survey Digital Archiving Survey Background information Under the Public Records Act 2002 (the Act), public authorities have a responsibility to ensure that digital records under their control remain accessible

More information

Records Management in Health

Records Management in Health The Auditor-General Performance Audit Department of Health Australian National Audit Office Commonwealth of Australia 2015 ISSN 1036 7632 (Print) ISSN 2203 0352 (Online) ISBN 978-1-76033-093-4 (Print)

More information

Digital Continuity Plan

Digital Continuity Plan Digital Continuity Plan Ensuring that your business information remains accessible and usable for as long as it is needed Accessible and usable information Digital continuity Digital continuity is an approach

More information

Management of Email Records

Management of Email Records Department of Culture and the Arts Government of Western Australia State Records Office of Western Australia SRO Guideline Management of Email Records A Recordkeeping Guideline for State Organizations

More information

INFORMATION TECHNOLOGY SECURITY STANDARDS

INFORMATION TECHNOLOGY SECURITY STANDARDS INFORMATION TECHNOLOGY SECURITY STANDARDS Version 2.0 December 2013 Table of Contents 1 OVERVIEW 3 2 SCOPE 4 3 STRUCTURE 5 4 ASSET MANAGEMENT 6 5 HUMAN RESOURCES SECURITY 7 6 PHYSICAL AND ENVIRONMENTAL

More information

Guideline 1. Cloud Computing Decision Making. Public Record Office Victoria Cloud Computing Policy. Version Number: 1.0. Issue Date: 26/06/2013

Guideline 1. Cloud Computing Decision Making. Public Record Office Victoria Cloud Computing Policy. Version Number: 1.0. Issue Date: 26/06/2013 Public Record Office Victoria Cloud Computing Policy Guideline 1 Cloud Computing Decision Making Version Number: 1.0 Issue Date: 26/06/2013 Expiry Date: 26/06/2018 State of Victoria 2013 Version 1.0 Table

More information

Digital Continuity in ICT Services Procurement and Contract Management

Digital Continuity in ICT Services Procurement and Contract Management Digital Continuity in ICT Services Procurement and Contract Management This guidance relates to: Stage 1: Plan for action Stage 2: Define your digital continuity requirements Stage 3: Assess and manage

More information

RECORDS MANAGEMENT POLICY

RECORDS MANAGEMENT POLICY RECORDS MANAGEMENT POLICY POLICY STATEMENT The records of Legal Aid NSW are a major component of its corporate memory and risk management strategies. They are a vital asset that support ongoing operations

More information

Records Management Policy

Records Management Policy Records Management Policy Responsible Officer Chief Operating Officer Approved by Vice-Chancellor Approved and commenced April, 2014 Review by April, 2017 Relevant Legislation, Ordinance, Rule and/or Governance

More information

1.1 An initial request to enter into a contractual arrangement may be initiated by either Massey University or another party (Other Party).

1.1 An initial request to enter into a contractual arrangement may be initiated by either Massey University or another party (Other Party). CONTRACT MANAGEMENT PROCEDURE Section Risk Management Contact Risk Manager Last Review February 2013 Next Review February 2016 Approval Not required Procedures Contract Initiation Request Mandatory Guidance

More information

Information Management Advice 50 Developing a Records Management policy

Information Management Advice 50 Developing a Records Management policy Information Management Advice 50 Developing a Records Management policy Introduction This advice explains how to develop and implement a Records Management policy. Policy is central to the development

More information

Information and records management. Purpose. Scope. Policy

Information and records management. Purpose. Scope. Policy Information and records management NZQA Quality Management System Policy Purpose The purpose of this policy is to establish a framework for the management of corporate information and records within NZQA.

More information

E-mail Management: A Guide For Harvard Administrators

E-mail Management: A Guide For Harvard Administrators E-mail Management: A Guide For Harvard Administrators E-mail is information transmitted or exchanged between a sender and a recipient by way of a system of connected computers. Although e-mail is considered

More information

Records management in SharePoint 2010

Records management in SharePoint 2010 Records management in SharePoint 2010 Implications and issues Crown copyright 2011 You may re-use this information (excluding logos) free of charge in any format or medium, under the terms of the Open

More information

Life Cycle of Records

Life Cycle of Records Discard Create Inactive Life Cycle of Records Current Retain Use Semi-current Records Management Policy April 2014 Document title Records Management Policy April 2014 Document author and department Responsible

More information

USE OF INFORMATION TECHNOLOGY FACILITIES

USE OF INFORMATION TECHNOLOGY FACILITIES POLICY CI-03 USE OF INFORMATION TECHNOLOGY FACILITIES Document Control Statement This Policy is maintained by the Information Technology Department. Any printed copy may not be up to date and you are advised

More information

Estate Agents Authority

Estate Agents Authority INFORMATION SECURITY AND PRIVACY PROTECTION POLICY AND GUIDELINES FOR ESTATE AGENTS Estate Agents Authority The contents of this document remain the property of, and may not be reproduced in whole or in

More information

State Records Guideline No 15. Recordkeeping Strategies for Websites and Web pages

State Records Guideline No 15. Recordkeeping Strategies for Websites and Web pages State Records Guideline No 15 Recordkeeping Strategies for Websites and Web pages Table of Contents 1 Introduction... 4 1.1 Purpose... 4 1.2 Authority... 5 2 Recordkeeping business requirements... 5 2.1

More information

NSW Government. Cloud Services Policy and Guidelines

NSW Government. Cloud Services Policy and Guidelines NSW Government Cloud Services Policy and Guidelines August 2013 1 CONTENTS 1. Introduction 2 1.1 Policy statement 3 1.2 Purpose 3 1.3 Scope 3 1.4 Responsibility 3 2. Cloud services for NSW Government 4

More information

University of Liverpool

University of Liverpool University of Liverpool Information Security Policy Reference Number Title CSD-003 Information Security Policy Version Number 3.0 Document Status Document Classification Active Open Effective Date 01 October

More information

SourceIT User Notes. Specific Clauses. Licence and Support Contract Commercial off-the-shelf Software RELEASE VERSION 2.

SourceIT User Notes. Specific Clauses. Licence and Support Contract Commercial off-the-shelf Software RELEASE VERSION 2. SourceIT User Notes Specific Clauses Licence and Support Contract Commercial off-the-shelf Software RELEASE VERSION 2.3 DECEMBER 2012 AGIMO is part of the Department of Finance and Deregulation SourceIT

More information

INFORMATION AND DOCUMENTATION RECORDS MANAGEMENT PART 1: GENERAL IRISH STANDARD I.S. ISO 15489-1:2004. Price Code

INFORMATION AND DOCUMENTATION RECORDS MANAGEMENT PART 1: GENERAL IRISH STANDARD I.S. ISO 15489-1:2004. Price Code IRISH STANDARD I.S. ISO 15489-1:2004 ICS 01.140.20 INFORMATION AND DOCUMENTATION RECORDS MANAGEMENT PART 1: GENERAL National Standards Authority of Ireland Glasnevin, Dublin 9 Ireland Tel: +353 1 807 3800

More information

Vodafone New Zealand Microsoft Privacy Statement Dated: August 2013

Vodafone New Zealand Microsoft Privacy Statement Dated: August 2013 Vodafone New Zealand Microsoft Privacy Statement Dated: August 2013 This Microsoft privacy statement sets out how your personal information is used by Vodafone in connection with the provision of the Microsoft

More information

Implementing an Electronic Document and Records Management System. Key Considerations

Implementing an Electronic Document and Records Management System. Key Considerations Implementing an Electronic Document and Records Management System Key Considerations Commonwealth of Australia 2011 This work is copyright. Apart from any use as permitted under the Copyright Act 1968,

More information

ROYAL AUSTRALASIAN COLLEGE OF SURGEONS

ROYAL AUSTRALASIAN COLLEGE OF SURGEONS 1. SCOPE This policy details the College s privacy policy and related information handling practices and gives guidelines for access to any personal information retained by the College. This includes personal

More information

Protective security governance guidelines

Protective security governance guidelines Protective security governance guidelines Security of outsourced services and functions Approved 13 September 2011 Version 1.0 Commonwealth of Australia 2011 All material presented in this publication

More information

Digital Archives Migration Methodology. A structured approach to the migration of digital records

Digital Archives Migration Methodology. A structured approach to the migration of digital records Digital Archives Migration Methodology A structured approach to the migration of digital records Published July 2014 1 Table of contents Executive summary... 3 What is the Digital Archives Migration Methodology?...

More information

INTEGRATING RECORDS MANAGEMENT

INTEGRATING RECORDS MANAGEMENT INTERNATIONAL RECORDS MANAGEMENT TRUST INTEGRATING RECORDS MANAGEMENT IN ICT SYSTEMS Good Practice Indicators CONTENTS Figure 1: Designing a Records Management Improvement Programme iv Figure 2: Integrating

More information

IT Security Management

IT Security Management The Auditor-General Audit Report No.23 2005 06 Protective Security Audit Australian National Audit Office Commonwealth of Australia 2005 ISSN 1036 7632 ISBN 0 642 80882 1 COPYRIGHT INFORMATION This work

More information

RECORDS MANAGEMENT POLICY

RECORDS MANAGEMENT POLICY RECORDS MANAGEMENT POLICY Section Institute Governance and Management Approval Date 20.08.2012 Approved by Senior Management Team Next Review Aug 2015 Responsibility Director of Finance and Corporate Services

More information

Information Management: A common approach

Information Management: A common approach Information Management: A common approach July 2013 Document Control Document history Date Version No. Description Author July 2013 1.0 Final Department of Finance and Services October 2013 1.1 Updated

More information

This Policy is issued by the Sector Head responsible for Records Management.

This Policy is issued by the Sector Head responsible for Records Management. Records Management Policy Effective Date: This Policy takes effect on July 15, 2013 Purpose The purpose of this policy is to achieve efficient and effective management of CMHC information with business

More information

Please note this policy is mandatory and staff are required to adhere to the content

Please note this policy is mandatory and staff are required to adhere to the content Policy ICT Security Please note this policy is mandatory and staff are required to adhere to the content Summary DECD is committed to ensuring its information is appropriately managed according to the

More information

Email Protective Marking Standard Implementation Guide for the Australian Government

Email Protective Marking Standard Implementation Guide for the Australian Government Email Protective Marking Standard Implementation Guide for the Australian Government May 2012 (V2012.1) Page 1 of 14 Disclaimer The Department of Finance and Deregulation (Finance) has prepared this document

More information

NSW Government Open Data Policy. September 2013 V1.0. Contact

NSW Government Open Data Policy. September 2013 V1.0. Contact NSW Government Open Data Policy September 2013 V1.0 Contact datansw@finance.nsw.gov.au Department of Finance & Services Level 15, McKell Building 2-24 Rawson Place SYDNEY NSW 2000 DOCUMENT CONTROL Document

More information

Records Management Standards. Records Management Standards for Public Sector Organisations in the Northern Territory

Records Management Standards. Records Management Standards for Public Sector Organisations in the Northern Territory Records Management Standards Records Management Standards for Public Sector Organisations in the Northern Territory August 2010 Overview of the standards Standard 1 Governance (including identification

More information

DFS C2013-6 Open Data Policy

DFS C2013-6 Open Data Policy DFS C2013-6 Open Data Policy Status Current KEY POINTS The NSW Government Open Data Policy establishes a set of principles to simplify and facilitate the release of appropriate data by NSW Government agencies.

More information

Guideline for the Implementation of Retention and Disposal Schedules

Guideline for the Implementation of Retention and Disposal Schedules Guideline for the Implementation of Retention and Disposal Schedules Guideline for Queensland Public Authorities Queensland State Archives March 2014 Department of Science, Information Technology, Innovation

More information

Records Management - Council Policy Version 2-28 April 2014. Council Policy. Records Management. Table of Contents. Table of Contents... 1 Policy...

Records Management - Council Policy Version 2-28 April 2014. Council Policy. Records Management. Table of Contents. Table of Contents... 1 Policy... Council Policy Records Management Table of Contents Table of Contents... 1 Policy... 2 Policy Objectives... 2 Policy Statement... 2 Records Management Program... 2 Accountability Requirements... 3 General

More information

Information Integrity & Data Management

Information Integrity & Data Management Group Standard Information Integrity & Data Management Serco recognises its responsibility to ensure that any information and data produced meets customer, legislative and regulatory requirements and is

More information

State Records Guideline No 18. Managing Social Media Records

State Records Guideline No 18. Managing Social Media Records State Records Guideline No 18 Managing Social Media Records Table of Contents 1 Introduction... 4 1.1 Purpose... 4 1.2 Authority... 5 2 Social Media records are State records... 5 3 Identifying Risks...

More information

Guideline 2. Cloud Computing: Tools. Public Record Office Victoria Cloud Computing Policy. Version Number: 1.0. Issue Date: 26/06/2013

Guideline 2. Cloud Computing: Tools. Public Record Office Victoria Cloud Computing Policy. Version Number: 1.0. Issue Date: 26/06/2013 Public Record Office Victoria Cloud Computing Policy Guideline 2 Cloud Computing: Tools Version Number: 1.0 Issue Date: 26/06/2013 Expiry Date: 26/06/2018 State of Victoria 2013 Version 1.0 Table of Contents

More information

Recommendations for companies planning to use Cloud computing services

Recommendations for companies planning to use Cloud computing services Recommendations for companies planning to use Cloud computing services From a legal standpoint, CNIL finds that Cloud computing raises a number of difficulties with regard to compliance with the legislation

More information

Information Management Advice 4 Managing Electronic Communications as Records

Information Management Advice 4 Managing Electronic Communications as Records Information Management Advice 4 Managing Electronic Communications as Records Introduction Whether an electronic communication is a record does not depend on its format or means of communication, rather

More information

RECORDS MANAGEMENT PROCEDURE

RECORDS MANAGEMENT PROCEDURE AMINISTRATIVE 5 RECORS MANAGEMENT PROCEURE Parent Policy Title Associated ocuments Preamble General Records & Archives Management Policy Recordkeeping Guidelines The University is committed to making and

More information

RECORDS MANAGEMENT POLICY

RECORDS MANAGEMENT POLICY Reference number RM001 Approved by Information Management and Technology Board Date approved 23 rd November 2012 Version 1.1 Last revised July 2013 Review date May 2015 Category Records Management Owner

More information

GUIDELINE ON THE APPLICATION OF THE OUTSOURCING REQUIREMENTS UNDER THE FSA RULES IMPLEMENTING MIFID AND THE CRD IN THE UK

GUIDELINE ON THE APPLICATION OF THE OUTSOURCING REQUIREMENTS UNDER THE FSA RULES IMPLEMENTING MIFID AND THE CRD IN THE UK GUIDELINE ON THE APPLICATION OF THE OUTSOURCING REQUIREMENTS UNDER THE FSA RULES IMPLEMENTING MIFID AND THE CRD IN THE UK This Guideline does not purport to be a definitive guide, but is instead a non-exhaustive

More information

Identifying Information Assets and Business Requirements

Identifying Information Assets and Business Requirements Identifying Information Assets and Business Requirements This guidance relates to: Stage 1: Plan for action Stage 2: Define your digital continuity requirements Stage 3: Assess and manage risks to digital

More information

Information Management Advice 39 Developing an Information Asset Register

Information Management Advice 39 Developing an Information Asset Register Information Management Advice 39 Developing an Information Asset Register Introduction The amount of information agencies create is continually increasing, and whether your agency is large or small, if

More information

TONBRIDGE & MALLING BOROUGH COUNCIL INTERNET & EMAIL POLICY AND CODE

TONBRIDGE & MALLING BOROUGH COUNCIL INTERNET & EMAIL POLICY AND CODE GENERAL STATEMENT TONBRIDGE & MALLING BOROUGH COUNCIL INTERNET & EMAIL POLICY AND CODE 1.1 The Council recognises the increasing importance of the Internet and email, offering opportunities for improving

More information

NSW Data & Information Custodianship Policy. June 2013 v1.0

NSW Data & Information Custodianship Policy. June 2013 v1.0 NSW Data & Information Custodianship Policy June 2013 v1.0 CONTENTS 1. PURPOSE... 4 2. INTRODUCTION... 4 2.1 Information Management Framework... 4 2.2 Data and information custodianship... 4 2.3 Terms...

More information

Guideline 2. Cloud Computing: Tools. Public Record Office Victoria Cloud Computing Policy. Version Number: 1.0. Issue Date: 26/06/2013

Guideline 2. Cloud Computing: Tools. Public Record Office Victoria Cloud Computing Policy. Version Number: 1.0. Issue Date: 26/06/2013 Public Record Office Victoria Cloud Computing Policy Guideline 2 Cloud Computing: Tools Version Number: 1.0 Issue Date: 26/06/2013 Expiry Date: 26/06/2018 State of Victoria 2013 Version 1.0 Table of Contents

More information

Implementing an Electronic Document and Records Management System. Checklist for Australian Government Agencies

Implementing an Electronic Document and Records Management System. Checklist for Australian Government Agencies Implementing an Electronic Document and Records Management System Checklist for Australian Government Agencies Acknowledgments The checklist for implementing an electronic document and records management

More information

University of Aberdeen Information Security Policy

University of Aberdeen Information Security Policy University of Aberdeen Information Security Policy Contents Introduction to Information Security... 1 How can information be protected?... 1 1. Information Security Policy... 3 Subsidiary Policy details:...

More information

Principles and Functional Requirements

Principles and Functional Requirements International Council on Archives Principles and Functional Requirements for Records in Electronic Office Environments Module 2 Guidelines and Functional Requirements for Electronic Records Management

More information

Data Protection Act 1998. Guidance on the use of cloud computing

Data Protection Act 1998. Guidance on the use of cloud computing Data Protection Act 1998 Guidance on the use of cloud computing Contents Overview... 2 Introduction... 2 What is cloud computing?... 3 Definitions... 3 Deployment models... 4 Service models... 5 Layered

More information

State Records Office Guideline. Management of Digital Records

State Records Office Guideline. Management of Digital Records State Records Office Guideline Management of Digital Records An Information Management Guideline for State Organizations Version 2 January 2015 www.sro.wa.gov.au Contents GLOSSARY... 2 PURPOSE... 5 BACKGROUND...

More information

Using AWS in the context of Australian Privacy Considerations October 2015

Using AWS in the context of Australian Privacy Considerations October 2015 Using AWS in the context of Australian Privacy Considerations October 2015 (Please consult https://aws.amazon.com/compliance/aws-whitepapers/for the latest version of this paper) Page 1 of 13 Overview

More information

Metadata, Electronic File Management and File Destruction

Metadata, Electronic File Management and File Destruction Metadata, Electronic File Management and File Destruction By David Outerbridge, Torys LLP A. Metadata What is Metadata? Metadata is usually defined as data about data. It is a level of extra information

More information

Corporate Records Management Policy

Corporate Records Management Policy Corporate Records Management Policy Introduction Part 1 Records Management Policy Statement. February 2011 Part 2 Records Management Strategy. February 2011 Norfolk County Council Information Management

More information

Records Retention and Disposal Schedule. Information Management

Records Retention and Disposal Schedule. Information Management Records Retention and Disposal Schedule Information Management Version control Version Author Policy Approved By Approval Date Publication Date Review Due V 1.0 Information Governance Unit Philip Jones,

More information

Corporate Information Security Policy

Corporate Information Security Policy Corporate Information Security Policy. A guide to the Council s approach to safeguarding information resources. September 2015 Contents Page 1. Introduction 1 2. Information Security Framework 2 3. Objectives

More information

Module 12 Managed Services TABLE OF CONTENTS. Use Guidelines

Module 12 Managed Services TABLE OF CONTENTS. Use Guidelines 1 Module 12 Managed Services Version 3.0 TABLE OF CONTENTS 1. AGREED TERMS AND INTERPRETATION... 2 2. TERM OF... 4 3. TRANSITION IN... 4 4. SERVICES... 10 5. SERVICE LEVELS... 12 6. CHANGE CONTROL... 13

More information

Information Management and Security Policy

Information Management and Security Policy Unclassified Policy BG-Policy-03 Contents 1.0 BG Group Policy 3 2.0 Policy rationale 3 3.0 Applicability 3 4.0 Policy implementation 4 Document and version control Version Author Issue date Revision detail

More information

Queensland State Archives. Strategic Recordkeeping Implementation Plan Workbook

Queensland State Archives. Strategic Recordkeeping Implementation Plan Workbook Queensland State Archives Strategic Recordkeeping Implementation Plan Workbook 1 Document Details Version 1 Version 1.01 Version 2 21 March 2002: Released to State and Local Authorities 9 January 2003:

More information

ELECTRONIC RECORDS MANAGEMENT SYSTEM (ERMS) SYSTEM SPECIFICATIONS FOR PUBLIC OFFICES

ELECTRONIC RECORDS MANAGEMENT SYSTEM (ERMS) SYSTEM SPECIFICATIONS FOR PUBLIC OFFICES ELECTRONIC RECORDS MANAGEMENT SYSTEM (ERMS) SYSTEM SPECIFICATIONS FOR PUBLIC OFFICES CONTENTS 1. INTRODUCTION 1.1 Scope 1.2 Background 1.3 Purpose 1.4 Audience 1.5 Related standards 1.6 Terminology 1.7

More information

University of Sunderland Business Assurance Information Security Policy

University of Sunderland Business Assurance Information Security Policy University of Sunderland Business Assurance Information Security Policy Document Classification: Public Policy Reference Central Register Policy Reference Faculty / Service IG 003 Policy Owner Assistant

More information

Cloud Software Services for Schools

Cloud Software Services for Schools Cloud Software Services for Schools Supplier self-certification statements with service and support commitments Supplier name Address Contact name Contact email Contact telephone Parent Teacher Online

More information

Information and Compliance Management Information Management Policy

Information and Compliance Management Information Management Policy Aurora Energy Group Information Management Policy Information and Compliance Management Information Management Policy Version History REV NO. DATE REVISION DESCRIPTION APPROVAL 1 11/03/2011 Revision and

More information

Information Security Policy

Information Security Policy Information Security Policy Touro College/University ( Touro ) is committed to information security. Information security is defined as protection of data, applications, networks, and computer systems

More information

help fulfil corporate governance obligations such as transparency or good administrative behaviour 2 ;

help fulfil corporate governance obligations such as transparency or good administrative behaviour 2 ; 2 July 2014 Executive Director Records management POLICY/no 0026 Status: Public Effective date: 10 July 2014 Review date: 10 July 2017 Supersedes: Version 17-SEP-08 1. Introduction and purpose To comply

More information

New York State Electronic Signatures and Records Act

New York State Electronic Signatures and Records Act PIANY Doc. No. 31174 New York State Electronic Signatures and Records Act The information contained within this Resource kit was made available by the New York State Department of State Division of Administrative

More information

IT ACCESS CONTROL POLICY

IT ACCESS CONTROL POLICY Reference number Approved by Information Management and Technology Board Date approved 30 April 2013 Version 1.0 Last revised Review date March 2014 Category Owner Target audience Information Assurance

More information