Information and records management. Purpose. Scope. Policy

Transcription

1 Information and records management NZQA Quality Management System Policy Purpose The purpose of this policy is to establish a framework for the management of corporate information and records within NZQA. NZQA is committed to effective and efficient management practices that meet its business needs, accountability requirements and the expectations of stakeholders. Implementation of an overarching information and records management policy will ensure that internal processes are consistent, appropriate and effective, and that NZQA will be compliant with relevant statutory requirements and standards. The Public Records Act 2005 (section 33) requires Archives New Zealand to audit, and report to Parliament, on the recordkeeping practices of all government agencies. Audits began in 2010 and occur on a 5 year cycle. Implementation of this policy will contribute to NZQA s ability to meet Archives New Zealand s audit standards and criteria. Scope This policy applies to all NZQA Personnel operating either onsite or offsite on behalf of NZQA. This policy applies to all aspects of NZQA s business, all information collected and records created during business transactions, and all business applications used to create records including, but not limited to, , databases, websites, mobile devices, and social networking tools and/or sites. Compliance with this policy is required under the NZQA Code of Conduct This policy supports legislative compliance and client service. Policy NZQA will comply with all legislative, regulatory and administrative requirements for information and records management in the government sector. NZQA is committed to good records management practice, and having systems consistent with the Public Records Act 2005, the international standard on records management ISO 15489, whole-of-government standards and the standards, guidelines and frameworks issued by Archives New Zealand. NZQA s information and records management systems will support: The creation and maintenance of authentic, reliable and usable records for as long as they are required to effectively and efficiently support business functions and activities. The protection of record integrity and authenticity. The security of records. Access to records. Disposal of records. 1 Creation, collection and capture Information shall only be created or collected where the value from the creation or collection can be clearly demonstrated to stakeholders.

2 Where possible, information shall be collected once and shared by authorised users and systems internally, across education sector agencies and with other agencies and/or bodies as appropriate. All records will be captured in an NZQA record keeping system in accordance with the NZQA records management process and guides and available for access unless there are valid business valid business reasons for them to be withheld. NZQA Personnel must not keep public records in separate individual systems or on their hard-drive. Physical files will be kept in designated areas unless required for specific purposes. Location details for physical files will be kept up-to-date at all times in the record keeping system. 2 Management Information and records are a strategic asset of the organisation and must be effectively governed and actively managed throughout their lifecycle. NZQA shall develop and maintain records and information management systems that capture and maintain records and information with appropriate evidential characteristics (e.g. meta-data and business classification). NZQA shall develop and maintain an information directory identifying and describing all corporate information assets. The information directory must identify the authoritative source and information custodian for each information set. Each division must appoint sufficient records coordinators to support records management requirements in their business units/ divisions. 3 Ownership All information and records produced by NZQA employees in the course of their employment is NZQA s intellectual property and must be managed according to the requirements of this policy. 4 Security and privacy All information and records must be classified (or deemed unclassified) in accordance with the definitions below and be managed in accordance with the security measures in the Clear desk for classified information policy and the Computer and information security policy. All records of personal information must be managed in accordance with the requirements of the Privacy policy and procedure. 5 Retention and disposal No NZQA Personnel will dispose of public records unless authorised to do so. NZQA will retain and dispose of all public records created in accordance with legislative requirements, the NZQA Retention and Disposal Schedule authorised by Archives New Zealand and the Disposal Standard issued by Archives New Zealand. 6 Business continuity All vital records i.e. those without which NZQA could not continue to function are identified and particular attention is paid to their protection. Responsibilities Position Responsible for Chief Executive authorising the information and records management policy. actively supporting a culture that values effective information and records management. ensuring compliance with the record keeping requirements of the Public Records Act 2005.

3 Chief Information Officer and Quality Assurance Advisor overseeing the management of this policy within NZQA. Information Custodians managing the corporate information they are responsible for on a day-to-day basis as specified by SMT. ensuring that access rules and/or controls are established and maintained. ensuring that all users of the information are adequately trained in its management, use, retention and disposal. ensuring that the required metadata for the information under their control in the corporate information directory is accurate and current. Information Services maintaining the technology for NZQA s information management systems, including responsibility for maintaining the integrity and authenticity of electronic records and information. providing advice, support and training to managers and staff with regard to all aspects of information technology. providing advice and support to NZQA project teams both internally and as part of sector or government-wide initiatives as required. Managers and Team Leaders ensuring that all information and records management practices relating to the business of the team are identified, documented and kept current. ensuring that the information and records management practices in their team meet the requirements of this policy. supporting and monitoring the information and records management practices of all staff as defined by this policy. ensuring that all new staff receive appropriate information and records management training as and when required for the effective performance of their role. ensuring that staff with responsibility for supporting the team s information and records management practices receive recognition for that responsibility and are supported in developing their skill and knowledge. ensuring that their staff and any third parties for whom they are responsible complete their information and records management obligations before leaving NZQA. Members of SMT the management of this policy through resource allocation and other management support. actively championing good practice information and records management throughout the business. monitoring and reviewing all NZQA s information and records management strategies, policies and procedures. aligning information and records management policies, processes and services to relevant NZQA strategic initiatives and services. appointing Information Custodians and Records Coordinators for specific corporate information collections and records collections and monitoring their performance. NZQA Personnel understanding and complying with NZQA s records and information management policy and processes. creating full and accurate records of activities, transactions and decisions carried out during the course of daily business

4 activity. ensuring records are maintained in a way that does not damage them or compromise their integrity. preventing unauthorised access to records. ensuring that records aren t destroyed or removed unless permitted by disposal authorities. Records Coordinators coordinating records management within their areas of responsibility. being the divisional/ business unit champion for records management. providing support and training in records management within their areas of responsibility. completing regular training to remain up-to-date with records management requirements. References Key external legislation, standards and government frameworks with information and records implications for NZQA include: Education Act 1989 Electronic Transactions Act 2002 Evidence Act 2006 Financial Reporting Act 1993 Income Tax Act 2007 Official Information Act 1982 Privacy Act 1993 Public Finance Act 1989 Public Records Act 2005 National Library of New Zealand Act 2003 Copyright Act 1994 Statistics Act 1975 Policy Framework for New Zealand Government-held Information 2003 (State Services Commission) Security in the Government Sector (SIGS) 2002 (Department of Prime Minister and Cabinet) New Zealand Government Information Technology Security Manual (NZSIT 400) 2005 (Government Communications Security Bureau) ICT Strategic Framework for Education Tertiary Information Strategy Relevant Standards promulgated by Archives NZ Relevant Standards promulgated by Standards NZ Key internal references are: NZQA Code of Conduct Computer and Information Security Policy Clear desk for classified information NZQA Business Continuity Plan

5 Definitions For the purposes of this policy, unless otherwise stated, the following definitions apply. Business activity Chief Archivist Capture Classified information Umbrella term covering all functions, processes, activities and transactions of NZQA. means the office of Chief Archivist for New Zealand which is held by the Chief Executive of Archives New Zealand A deliberate action that results in the registration of a record into NZQA s record keeping system. For certain business activities (for e.g. learner results) this action has been designed into electronic systems so that the capture of records is concurrent with the creation of records. IN-CONFIDENCE information security classifications relate to policy and privacy concerns i.e. not considered to be matters of national security. Unauthorised disclosure of information may prejudice law and order, impede Government business or affect citizen privacy. Examples of IN-CONFIDENCE in the NZQA context may include board, ministerial and cabinet papers, SMT papers, contracts and tender documents and personal information e.g. bank account details, performance management documents, birth certificates, job applications. SENSITIVE information security classifications relate to policy and privacy concerns i.e. not considered to be matters of national security. Unauthorised disclosure information may damage Government interests or endanger citizens. Examples of SENSITIVE in the NZQA context may include information relating to budget appropriations or negotiation of agreements with other countries. Corporate record Disposal Electronic record RESTRICTED, CONFIDENTIAL, SECRET, TOP SECRET Information security classifications relating to matters of national security. NZQA information security controls do not normally allow for this level of security. Special arrangements must be made through the Departmental Security Officer (DSO). Examples in the NZQA context are rare but may include information relating to negotiation of agreements with other countries. means any record that documents decisions made and actions taken in the course of business activity. The corporate record can be in any format including publications, correspondence, plans, photographs, , web pages, electronic documents and sound recordings. means the final decision concerning the fate of records, i.e. destruction or transfer to Archives New Zealand. This also includes the programme of activities to support transfer, such as appraisals of content, boxing and description of files or other media, and evidence of destruction. All NZQA records disposal will be in accordance with the authorised Retention and Disposal Schedule. means any record that is created or stored by digital means and includes documents, databases, and web and intranet content.

6 Information Information Custodian Information Life Cycle NZQA Personnel Public office (as defined in the Public Records Act 2005) Public record (as defined in the Public Records Act 2005) Record Unclassified Vital records is the result of processing, manipulating and organizing data in a way that adds to the knowledge of the person receiving it. Information can be electronic and/or written. in the context of this policy, means the role responsible for the continued existence, availability, integrity and security of data, information or documents for as long as is required by the SMT. includes creation, collection, access, security, retention and disposal and long-term preservation in all formats. (a) employees of NZQA, whether permanent or fixed-term; and Board members, and (b) others, whether individuals or organisations or both, carrying out work for or on behalf of, or providing services to or on behalf of, NZQA, where the agreement or arrangement for the work or services requires compliance with all or some of NZQA's policies, directives, process maps, or procedures means Crown entities as defined under section 7(1) of the Crown Entities Act means a record in any form, in whole or in part, created or received (whether before or after the commencement of the Act) by a public office in the conduct of its affairs. The International Standard on Records Management defines a record as: information created, received and maintained as evidence and information by an organisation or person in pursuance of legal obligations or in the transaction of business. (ISO 15489) The Public Records Act defines a record as: "information, whether in its original form or otherwise, including (without limitation) a document, a signature, a seal, text, images, sound, speech, or data compiled, recorded, or stored, as the case may be:" in written form on any material; or on film, negative, tape, or other medium so as to be capable of being reproduced; or by means of any recording device or process, computer, or other electronic device or process." (PRA, s4)v Information that does not require classification as sensitive, in confidence or higher. Those records that are essential for the ongoing business of NZQA, and without which NZQA could not continue to function effectively. The identification and protection of such records is a primary object of records management and disaster planning. Measurement Criteria NZQA s records and information management policies and procedures comply with standards set by Archives New Zealand, ISO15489 the e-government Data Management Policies and Standards and with any other standards or requirements applicable across the New Zealand government sector. Each audit of NZQA s records and information management practices by Audit New Zealand returns a positive report. All NZQA personal are familiar with NZQA s information and records management policies, processes and guides and with their individual responsibilities under those documents and comply with them. NZQA s systems support the delivery of effective records and information management across the organisation.

7 The disposal of all NZQA records is managed in accordance with the requirements of the Retention and Disposal Schedule and Archives New Zealand Standards.