Information and records management. Purpose. Scope

Transcription

1 Information and records management NZQA Quality Management System Policy Purpose The purpose of this policy is to establish a framework for the management of information and records within NZQA and assign responsibilities for ensuring that full and accurate records of the business activities of the organisation are created, maintained and disposed of in accordance with best practice. Good records management is critical to NZQA achieving its outcomes. Accessible records are essential in supporting the efficient operation of NZQA by making information readily available for: Decision-making Ensuring accountability by creating complete and authoritative records. Managing risk via inappropriate access or destruction of records. Supporting legal compliance. This policy establishes the high level framework to achieve NZQA s goals of: Ensuring the accessibility of records. Ensuring accountability through complete and authoritative records. Ensuring appropriate access and destruction of records. NZQA is committed to effective and efficient management practices that meet its business needs, accountability requirements and the expectations of stakeholders. Implementation of an overarching information and records management policy will ensure that internal processes are consistent, appropriate and effective, and that NZQA will be compliant with relevant statutory requirements and standards. The Public Records Act 2005 (section 33) requires Archives New Zealand to audit, and report to Parliament, on the recordkeeping practices of all government agencies. Audits began in 2010 and occur on a 5 year cycle. Implementation of this policy will contribute to NZQA s ability to meet Archives New Zealand s audit standards and criteria. Scope This policy applies to all NZQA Personnel operating either onsite or offsite on behalf of NZQA (whether permanent or temporary, including contractors and consultants). All business activities performed by or on behalf of the organisation in whatever manner they are conducted (internally or by third party providers). This policy applies to all aspects of NZQA s business, all information collected and records created during business transactions, and all business applications used to create records including, but not limited to, , databases, websites, mobile devices, and social networking tools and/or sites. Compliance with this policy is required under the NZQA Code of Conduct This policy supports legislative compliance and client service.

2 Records Management Programme NZQA is required to establish a records management programme that complies with the requirements of the Public Records Act 2005 and the mandatory standard(s) issued under it. The Records Management Programme is the management framework, which includes the people, and the recordkeeping and information systems required to manage and maintain full, authentic, accurate and accessible records over time. NZQA will ensure that all staff comply with the organisation s approved recordkeeping framework and will provide training and guidance in support of this. The Records Management Programme delivers the following key benefits to the organisation: Cost savings and efficiency in terms of significantly reducing duplication of effort and the time staff spend looking for information. Effective management in ensuring awareness of and access to the NZQA's records. Accountability by ensuring that records which document important activity are safely retained for an appropriate length of time. Preserving the institution's corporate memory by enabling records of enduring cultural and historical value to be identified, captured, and transferred to the possession of an approved repository at the end of their life cycle. Policy Principals NZQA will comply with all legislative, regulatory and administrative requirements for information and records management in the government sector. NZQA is committed to good records management practice, and having systems consistent with the Public Records Act 2005, the international standard on records management ISO 15489, whole-of-government standards and the standards, guidelines and frameworks issued by Archives New Zealand. NZQA s information and records management systems will support: The creation and maintenance of authentic, reliable and usable records for as long as they are required to effectively and efficiently support business functions and activities. The protection of record integrity and authenticity. The security of records. Access to records. Disposal of records. NZQA will develop processes and procedures to ensure that staff are aware of their recordkeeping responsibilities and how to meet them. NZQA will provide staff with records management best practice training opportunities appropriate to their role 1 Creation, collection and capture NZQA will demonstrate compliance with the Public Records Act by meeting the mandatory requirements under section 27 requiring that public records are authentic, reliable, complete, comprehensive, use-able and maintain integrity. Information and records will be controlled, defined and have integrity so that they are fit for the purpose of their collection. Where possible, information shall be collected once and shared by authorised users and systems internally, across education sector agencies and with other agencies and/or bodies as appropriate.

3 All records will be captured in an NZQA record keeping system in accordance with the NZQA records management process and guides and available for access unless there are valid business reasons for them to be withheld. NZQA Personnel must not keep public records in separate individual systems or on their hard-drive. Physical files will be kept in designated areas unless required for specific purposes. Location details for physical files will be kept up-to-date at all times in the record keeping system. Business text messaging must only be used for communicating facilitative and transitory information of short-term value to NZQA. On the rare occasion where text messaging needs to be used for communicating a business decision (e.g. in a crisis situation) the entire message (including any response) must be transcribed in a file note and saved in NZQA s record keeping system. 2 Accessibility Organisational records will be available to be shared within NZQA unless they have legal or privacy constraints, security classification or there is a substantial business reason not to share. Records created and received by NZQA and covered by the Public Records Act 2005 will be publicly and equitably available and accessible unless explicit reasons preclude. Treaty obligations and cultural awareness are pertinent to information and records managed by NZQA. 3 Management Information and records are a strategic asset and resource of the organisation and must be effectively governed and actively managed throughout their lifecycle. NZQA shall develop and maintain records and information management systems that capture and maintain records and information with appropriate evidential characteristics (e.g. meta-data and business classification). NZQA shall develop and maintain an information directory identifying and describing all corporate information assets. The information directory must identify the authoritative source and information custodian for each information set. Each division must appoint sufficient records coordinators to support records management requirements in their business units/ divisions. 4 Ownership All information and records produced by NZQA employees, contractors and third parties in the course of their employment is NZQA s intellectual property and must be managed according to the requirements of this policy. 5 Security and privacy All information and records must be classified (or deemed unclassified) in accordance with the definitions below and be managed in accordance with the security measures in the Clear desk for classified information policy and the Computer and information security policy. All records of personal information must be managed in accordance with the requirements of the Privacy policy and procedure. 6 Technology ICT systems developed to manage records will comply with NZQA s ICT Reference Enterprise Architecture and the Infrastructure Strategy. Records captured in business systems will be maintained in an accessible form for as long as they are required. These systems include recordkeeping metadata.

4 Records management functionality will be included in the requirements of all new information systems and substantial upgrades of business critical current systems. ICT will ensure metadata schemas are documented for business systems. An ICT software register will track software in use or legacy software in order to facilitate any requirement to migrate records in order that they are still accessible for use by the organisation. 7 Retention and disposal No NZQA Personnel will dispose of public records unless authorised to do so. NZQA will retain and dispose of all public records created in accordance with legislative requirements, the NZQA Retention and Disposal Schedule authorised by Archives New Zealand and the Disposal Standard issued by Archives New Zealand. 8 Business continuity All vital records i.e. those without which NZQA could not continue to function are identified and particular attention is paid to their protection. Records management activities will be directed towards ensuring business continuity and efficency of services and related organisational outputs. Each business unit will identify their vital records within the appropriate section of the NZQA Business continuity plan. 9 Risk Management. Resources will be allocated to implementing this policy on a priority basis to ensure the capture and maintenance of records of greatest business value to NZQA. NZQA will monitor compliance with the Public Records Act within a risk management framework. Responsibilities Position Responsible for Chief Executive authorising the information and records management policy. actively supporting a culture that values effective information and records management. ensuring compliance with the record keeping requirements of the Public Records Act Chief Information Officer and Quality Assurance Advisor overseeing the management of this policy within NZQA. Information Custodians managing the corporate information they are responsible for on a day-to-day basis as specified by SMT. ensuring that access rules and/or controls are established and maintained. ensuring that all users of the information are adequately trained in its management, use, retention and disposal. ensuring that the required metadata for the information under their control in the corporate information directory is accurate and current. Information Services maintaining the technology for NZQA s information management systems, including responsibility for maintaining the integrity and authenticity of electronic records and information. providing advice, support and training to managers and staff with regard to all aspects of information technology.

5 Managers and Team Leaders providing advice and support to NZQA project teams both internally and as part of sector or government-wide initiatives as required. ensuring that all information and records management practices relating to the business of the team are identified, documented and kept current. ensuring that the information and records management practices in their team meet the requirements of this policy. supporting and monitoring the information and records management practices of all staff as defined by this policy. ensuring that all new staff receive appropriate information and records management training as and when required for the effective performance of their role. ensuring that staff with responsibility for supporting the team s information and records management practices receive recognition for that responsibility and are supported in developing their skill and knowledge. ensuring that their staff and any third parties for whom they are responsible complete their information and records management obligations before leaving NZQA. Members of SMT the management of this policy through resource allocation and other management support. actively championing good practice information and records management throughout the business. monitoring and reviewing all NZQA s information and records management strategies, policies and procedures. aligning information and records management policies, processes and services to relevant NZQA strategic initiatives and services. appointing Information Custodians and Records Coordinators for specific corporate information collections and records collections and monitoring their performance. NZQA Personnel understanding and complying with NZQA s records and information management policy and processes. creating full and accurate records of activities, transactions and decisions carried out during the course of daily business activity. ensuring records are maintained in a way that does not damage them or compromise their integrity. preventing unauthorised access to records. ensuring that records aren t destroyed or removed unless permitted by disposal authorities. Records Coordinators coordinating records management within their areas of responsibility. being the divisional/ business unit champion for records management. providing support and training in records management within their areas of responsibility. completing regular training to remain up-to-date with records management requirements. Records Management Advisor to provide records management training and support to support compliance with Archives NZ mandatory requirements

6 References to ensure appropriate appraisal and disposal of NZQA records Key external legislation, standards and government frameworks with information and records implications for NZQA include: Education Act 1989 Electronic Transactions Act 2002 Evidence Act 2006 Financial Reporting Act 1993 Income Tax Act 2007 Official Information Act 1982 Privacy Act 1993 Public Finance Act 1989 Public Records Act 2005 National Library of New Zealand Act 2003 Copyright Act 1994 Statistics Act 1975 Employment Relations Act 2000 Tax Administration Act 1994 Companies Act 1993 Goods and Services Tax Act 1985 Health and Safety in Employment Act 1992 Ombudsmen Act 1975 Policy Framework for New Zealand Government-held Information 2003 (State Services Commission) New Zealand Government Information Security Manual Relevant Standards promulgated by Archives NZ Including but not limited to Minimum metadata standards for records (Line of Business systems, EDRMS, s etc) Principle 3 Principle 5 Digital Recordkeeping Standard the Chief Archivist recommends this standard is used when making substantial changes to existing business systems or installing new ones. ICA functional requirements for records in electronic office environments Authority to retain digitised public records in electronic form only Electronic transactions Act 2002 Section 25Digitization - Scanning - AS/NZS ISO 13028: 2012 Other best practice standards

7 Run a software register in order to be able to migrate and keep accessible documents of long term value Have metadata schemes for line of business systems (metadata for NZQA data) Relevant Standards promulgated by Standards NZ including but not limited to: ISO 15489: International Standard on Records Management AS/NZS ISO 13028: 2012 Key internal references are: Comply with record keeping legislation NZQA IS Plan Government CIO (GCIO) ICT strategy and action plan Computer and Information Security Policy Clear desk for classified information Policy Official Correspondence Policy External Complaints NZQA Compliance Policy Copyrights, Trademarks and Logos Policy Contractors and Consultants Policy Privacy Policy NZQA Business Continuity Plan NZQA Code of Conduct Electronic Signatures Policy Definitions For the purposes of this policy, unless otherwise stated, the following definitions apply. Business activity Chief Archivist Capture Classified information Umbrella term covering all functions, processes, activities and transactions of NZQA. means the office of Chief Archivist for New Zealand which is held by the Chief Executive of Archives New Zealand A deliberate action that results in the registration of a record into NZQA s record keeping system. For certain business activities (for e.g. learner results) this action has been designed into electronic systems so that the capture of records is concurrent with the creation of records. IN-CONFIDENCE information security classifications relate to policy and privacy concerns i.e. not considered to be matters of national security. Unauthorised disclosure of information may prejudice law and order, impede Government business or affect citizen privacy. Examples of IN-CONFIDENCE in the NZQA context may include board, ministerial and cabinet papers, SMT papers, contracts and tender documents and personal information e.g. bank account details, performance management documents, birth certificates, job applications.

8 SENSITIVE information security classifications relate to policy and privacy concerns i.e. not considered to be matters of national security. Unauthorised disclosure information may damage Government interests or endanger citizens. Examples of SENSITIVE in the NZQA context may include information relating to budget appropriations or negotiation of agreements with other countries. Disposal Electronic record Information Information Custodian Information Life Cycle NZQA Personnel Public office (as defined in the Public Records Act 2005) Public record (as defined in the Public Records Act 2005) RESTRICTED, CONFIDENTIAL, SECRET, TOP SECRET Information security classifications relating to matters of national security. NZQA information security controls do not normally allow for this level of security. Special arrangements must be made through the Departmental Security Officer (DSO). Examples in the NZQA context are rare but may include information relating to negotiation of agreements with other countries. means the final decision concerning the fate of records, i.e. destruction or transfer to Archives New Zealand. This also includes the programme of activities to support transfer, such as appraisals of content, boxing and description of files or other media, and evidence of destruction. All NZQA records disposal will be in accordance with the authorised Retention and Disposal Schedule. means any record that is created or stored by digital means and includes documents, databases, and web and intranet content. is the result of processing, manipulating and organizing data in a way that adds to the knowledge of the person receiving it. Information can be electronic and/or written. in the context of this policy, means the role responsible for the continued existence, availability, integrity and security of data, information or documents for as long as is required by the SMT. includes creation, collection, access, security, retention and disposal and long-term preservation in all formats. (a) employees of NZQA, whether permanent or fixed-term; and Board members, and (b) others, whether individuals or organisations or both, carrying out work for or on behalf of, or providing services to or on behalf of, NZQA, where the agreement or arrangement for the work or services requires compliance with all or some of NZQA's policies, directives, process maps, or procedures means Crown entities as defined under section 7(1) of the Crown Entities Act means a record in any form, in whole or in part, created or received (whether before or after the commencement of the Act) by a public office in the conduct of its affairs.

9 Record Records management Transitory or facilitative records Unclassified Vital records The International Standard on Records Management defines a record as: information created, received and maintained as evidence and information by an organisation or person in pursuance of legal obligations or in the transaction of business. (ISO 15489) The Public Records Act defines a record as: "information, whether in its original form or otherwise, including (without limitation) a document, a signature, a seal, text, images, sound, speech, or data compiled, recorded, or stored, as the case may be:" in written form on any material; or on film, negative, tape, or other medium so as to be capable of being reproduced; or by means of any recording device or process, computer, or other electronic device or process." (PRA, s4)v Records management is an integrated framework of governance arrangements, architectures, policies, processes, systems, tools and techniques that enables organisations to create and maintain trustworthy evidence of business activity in the form of records. These are records created through routine administrative and business processes common to most public offices in the course of performing a public office s primary core business functions, duties and responsibilities. They are of short term value and are not required for evidential or legal purposes. Examples include meeting arrangements and comments on minor drafts of correspondence or reports prior to production of the final record. Information that does not require classification as sensitive, in confidence or higher. Those records that are essential for the ongoing business of NZQA, and without which NZQA could not continue to function effectively. The identification and protection of such records is a primary object of records management and disaster planning. Measurement Criteria NZQA s records and information management policies and processes comply with standards set by Archives New Zealand, ISO15489 the e-government Data Management Policies and Standards and with any other standards or requirements applicable across the New Zealand government sector. Each audit of NZQA s records and information management practices by returns a positive report. All NZQA personal contractors and third parties are familiar with NZQA s information and records management policies, processes and guides and with their individual responsibilities under those documents and comply with them. NZQA s systems support the delivery of effective records and information management across the organisation. The disposal of all NZQA records is managed in accordance with the requirements of the Retention and Disposal Schedule and Archives New Zealand Standards