Queensland State Archives. Digital Rights Management Technologies and Public Records - A Guideline for Queensland Public Authorities




Queensland State Archives
Digital Rights Management Technologies and Public Records - A Guideline for Queensland Public Authorities
February 2010

Document details
Security Classification: PUBLIC
Authority: Queensland State Archives
Author: Queensland State Archives
Document Status: Final Version
Version: Version 1.0

Contact for enquiries
All enquiries regarding this document should be directed to:
Manager, Policy and Research Unit
Queensland State Archives
07 3131 7777
info@archives.qld.gov.au
http://www.archives.qld.gov.au/

Copyright
Digital Rights Management Technologies and Public Records - A Guideline for Queensland Public Authorities
The State of Queensland (Department of Public Works) 2010

Licence
Digital Rights Management Technologies and Public Records - A Guideline for Queensland Public Authorities by Queensland State Archives is licensed under a Creative Commons Attribution 2.5 Australia Licence. To view a copy of this licence, visit http://creativecommons.org/licenses/by/2.5/au.

Information security
This document has been security classified using the Queensland Government Information Security Classification Framework (QGISCF) as PUBLIC and will be managed according to the requirements of the QGISCF.

Table of Contents
1. Introduction ... 3
1.1 Background ... 3
1.1 Purpose ... 3
1.2 Audience ... 3
1.3 Authority ... 3
1.4 Scope ... 4
1.5 Definitions ... 4
1.6 Acknowledgements ... 4
2 Understanding Digital Rights Management ... 5
2.1 Purpose of DRM ... 6
2.2 How does it work? ... 6
2.3 How do you know if information is controlled by DRM? ... 7
3 Recordkeeping and Digital Rights Management ... 8
3.1 Legislative and Regulatory Requirements ... 8
3.2 Recordkeeping implications of DRM ... 10
3.3 Guiding Principles for the implementation and use of DRM ... 14
4 Strategies for implementation ... 15
4.1 Governance ... 15
4.1.1 Consideration of alternative measures ... 15
4.1.2 Analysis of risk and cost-benefit ... 16
4.1.3 Development of a DRM governance policy ... 16
4.1.4 Development and implementation of a training and awareness strategy ... 17
4.2 Application of DRM controls ... 17
4.2.1 Minimisation of the number of staff who may apply DRM restrictions ... 17
4.2.2 Minimisation of the application of DRM restrictions ... 17
4.2.3 Effective management of encryption/decryption processes ... 18
4.3 Receipt and acceptance of DRM-controlled records ... 18
4.3.1 Capture into the recordkeeping system ... 18
4.3.2 Limitations on communication with systems outside the control of a public authority ... 19
4.3.3 Solicitation of information in tenders ... 19
4.3.4 Consideration of situational changes ... 19
4.3.5 Informed contractual negotiations ... 20
5 Appendix A Recordkeeping Checklist for DRM implementations ... 21
6 Appendix B Example of a DRM Governance Policy Template ... 24

1. Introduction

1.1 Background
Digital Rights Management (DRM) technology allows the creator or provider of digital information to control its use by restricting access, copying or conversion to other formats. DRM technologies have received more attention and increasing interest in recent years [1] and surveys have indicated that the use of DRM is on the rise. [2] While there may be benefits to deploying DRM, its use within Queensland public authorities may prevent preservation of, and access to, the evidence of the Queensland Government's business activities and decisions over time. Its use may therefore impair the ability of public authorities to meet their legislative recordkeeping obligations.

1.1 Purpose
This document provides guidance to public authorities about the recordkeeping implications of Digital Rights Management technology. It does not constitute a direction to use or accept DRM-controlled information but simply provides recordkeeping advice for those public authorities that are considering its implementation. The Guideline has been developed to ensure that access to and disposal of public records is not compromised by the application of DRM. This Guideline outlines the recordkeeping risks of deploying DRM and recommends a range of strategies that public authorities may adopt to help ensure recordkeeping obligations are met.

1.2 Audience
The primary audience for this document is Chief Information Officers and other Senior Information Management and IT Managers implementing or considering the implementation of Digital Rights Management technologies within Queensland public authorities, as defined in the Public Records Act 2002.

1.3 Authority
Queensland State Archives is responsible for the provision of advisory and support services relating to a wide range of strategic information management and recordkeeping issues for Queensland public authorities. This Guideline forms one part of a wider framework that aims to promote best-practice recordkeeping and information management in Queensland public authorities. The State Archivist has issued this Guideline in accordance with s.25(1)(f) of the Public Records Act 2002.

[1] Gartner: Wagner, R. & Ouellet, E. (Feb 2007) Key Selection Criteria for Enterprise Digital Rights Management Products, ID No. G00146714
[2] For example, The Gilbane Group (August 2008) Enterprise Rights Management: Business Imperatives and Implementation Readiness

Version 1.0 February 2010 - 3 -

1.4 Scope
This Guideline focuses on:
- the recordkeeping risks arising from the deployment and application of Digital Rights Management within Queensland public authorities, and
- the use of Digital Rights Management to control public records.
This Guideline does not address the technical ICT issues or business requirements associated with implementation.

1.5 Definitions
DRM-related terms are explained throughout this Guideline. Records and information management-specific terms are defined in Queensland State Archives' Glossary of Archival and Recordkeeping Terms, available on the Queensland State Archives website. [3]

1.6 Acknowledgements
Concerned by the reduction in recordkeeping control caused by DRM, a number of Australian and international archival authorities have issued advice on this topic. This Guideline has been based on the Council of Australasian Archives and Records (CAARA) Digital Rights Management Position Statement [4] and State Records of South Australia's Digital Rights Management Implications for Recordkeeping. [5] These publications were in turn informed by the State Services Commission of New Zealand's Trusted Computing and Digital Rights Management Principles & Policies. [6] Queensland State Archives also acknowledges the contribution made by members of the external reference group formed for the development of this Guideline, and those agencies that provided feedback on draft documentation.

[3] Queensland State Archives (January 2008) Glossary of Archival and Recordkeeping Terms Version 2.0. Available at archives.qld.gov.au/recordkeeping/grkdownloads/documents/glossaryofarchivalrkterms.pdf
[4] Available from http://www.adri.gov.au/content.asp?cid=3
[5] State Records of South Australia (25 September 2007) Digital Rights Management Implications for Recordkeeping. Available at http://www.archives.sa.gov.au/files/armdigital_drmandrecordkeeping.pdf
[6] State Services Commission (September 2006) Trusted Computing and Digital Rights Management Principles & Policies. Available at http://www.e.govt.nz/policy/tc-and-drm

2 Understanding Digital Rights Management
Digital Rights Management [7] is a set of technologies designed to apply and enforce access and use restrictions on digital information, as specified by the information provider. [8] An information provider or creator can regulate the types of actions that can be undertaken with the information and the timeframe in which that information remains accessible. For example, an information provider/creator may be able to set:
- Who can:
  o view
  o modify
  o print
  o copy
  o forward, and/or
  o save the information
- When usage/access rights expire, and/or
- Automatic deletion dates.
These restrictions are persistent in nature and are inextricably bound to the information, wherever that information may move or be transmitted. Therefore, a person operating within a DRM-restricted environment cannot override the controls, for example by opening the document and saving a copy or moving it to an unrestricted area outside of the system in question.
Examples of information not regarded as being DRM-restricted include:
- Information held in a network file system that restricts access based on an ACL (access control list) for security reasons, such as confidentiality. If a user has access rights, they can copy the information to a location where the ACL is not enforced.
- A document held in a document management system or electronic document and records management system (eDRMS), for which a user with access rights can open the document and save a copy to an unrestricted area outside of the system.
Both of the above examples are not considered to be DRM because when the information is moved from the system in which it is stored, the restrictions do not persist.
DRM functionality is used in a range of formats [9], including DVDs, sound recordings, videos, images and common office applications, such as Microsoft Word and Excel and Adobe Acrobat.

2.1 Purpose of DRM
DRM provides a technological mechanism for protecting digital information by allowing creators or providers to control what happens to the digital information after it has been issued or sent. It is therefore often used to control intellectual property rights. It is also typically used in circumstances where information is highly confidential or where there are strictly defined process requirements for controlling information.

2.2 How does it work?
Implementation of DRM within an organisation will typically involve defining a set of rules which authorise the rights to take particular actions on electronic information. These rules are configured on the server of the organisation creating the information. When a staff member creates information, they apply an appropriate rule from the server, inextricably binding the rule to the information. For example, a staff member may apply the rule "Allow this paper to be edited by my team over the next week, but do not allow anyone else to view it. In a week's time, automatically dispose of all copies." When a person attempts to access the information, their software contacts the creating organisation's server to confirm that their intended access and use is authorised.
DRM may also involve the transmission of information to third-party systems owned by the supplier of the technology. For example, when the software is used by an organisation, it may contact the software vendor's server and transmit personal information such as the name of the user, or the name of the file being read.

[7] Although "Digital Rights Management" is the term most commonly used in Australasia, different terms may be used to refer to the same or similar technologies. These include Information Rights Management, Document Rights Management, Rights Services Management, Enterprise Rights Management, Electronic Rights Management, Enterprise Digital Rights Management, and Electronic Copyright Management. Technological Protection Measures (TPM) is also a related term used to refer to any technological devices or tools that prevent unauthorised or illegal access to, or copying or reproduction of, copyright materials. TPM is commonly used when referring to material such as sound recordings, films, computer software and e-books.
[8] State Services Commission (September 2006) Trusted Computing and Digital Rights Management Principles & Policies. Available at http://www.e.govt.nz/policy/tc-and-drm
[9] For example, DRM is used by many major content producers in controlling the use and number of times music files can be played. DVDs are also often encoded with DRM technology to prevent the transfer or copying of content from the DVD to another medium.

Figure 1 Example of how Digital Rights Management technology works

2.3 How do you know if information is controlled by DRM?
There is no global technical standard for verifying the occurrence of DRM. [10] It may therefore be difficult to detect the presence or absence of DRM. The file header of the information may indicate that the information is controlled by DRM. On a technical level, DRM-controlled information will typically be encrypted. If a program can read the encrypted information but is unable to save the information in unencrypted form, this suggests that the information is DRM-controlled. Some DRM systems may store details about the control in a non-encrypted wrapper around the information. This wrapper can be used to confirm the presence of a digital rights management control.

[10] State Services Commission (September 2006) Trusted Computing and Digital Rights Management Principles & Policies. Available at http://www.e.govt.nz/policy/tc-and-drm
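The header and wrapper checks described above can be scripted for the container formats a public authority most often receives. The following Python script is an added example and is not part of the Queensland State Archives guideline. The indicators it looks for are assumptions drawn from general knowledge of the formats, not from the guideline: the /Encrypt entry in a PDF trailer, the OLE compound-file signature together with the EncryptedPackage stream name that rights-managed and password-protected Office Open XML files are wrapped in, and the encryption flag on ZIP entries. The sample files are constructed in memory. As the guideline says, there is no universal standard, so a negative result does not prove that information is free of DRM; the script reports evidence, not a verdict.

```python
"""Heuristic indicators of DRM/encryption controls in common file containers.

Added example; not code from the Queensland State Archives guideline.
Indicators (assumptions for this example, not conclusive):
  - PDF: an /Encrypt entry in the trailer (or cross-reference stream) dictionary
  - OLE compound file (magic D0 CF 11 E0 A1 B1 1A E1): an EncryptedPackage
    stream name, used for rights-managed or password-protected Office Open XML
  - ZIP-based Office Open XML: a plain [Content_Types].xml entry, or ZIP
    entries with the traditional ZIP encryption flag set
"""
import io
import re
import zipfile

PDF_MAGIC = b"%PDF-"
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ZIP_MAGIC = b"PK\x03\x04"


def classify(data: bytes) -> dict:
    """Return the container type and any visible encryption / rights-control evidence."""
    result = {"container": "unknown", "encrypted": False, "evidence": []}
    if data.startswith(PDF_MAGIC):
        result["container"] = "pdf"
        # Encrypted PDFs carry /Encrypt in the trailer; \b avoids matching /EncryptMetadata.
        if re.search(rb"/Encrypt\b", data):
            result["encrypted"] = True
            result["evidence"].append("/Encrypt entry in PDF trailer")
    elif data.startswith(OLE_MAGIC):
        result["container"] = "ole-compound"
        # OLE directory entries store stream names as UTF-16LE.
        if "EncryptedPackage".encode("utf-16-le") in data:
            result["encrypted"] = True
            result["evidence"].append("EncryptedPackage stream in OLE container")
    elif data.startswith(ZIP_MAGIC):
        result["container"] = "zip"
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            if "[Content_Types].xml" in zf.namelist():
                result["evidence"].append("unencrypted Office Open XML package")
            # Bit 0 of the general-purpose flag marks a traditionally encrypted ZIP entry.
            if any(zi.flag_bits & 0x1 for zi in zf.infolist()):
                result["encrypted"] = True
                result["evidence"].append("ZIP entry encryption flag set")
    return result


def build_samples() -> dict:
    """Constructed, minimal byte strings standing in for real files (not real records)."""
    plain_pdf = b"%PDF-1.4\ntrailer\n<< /Root 1 0 R >>\n%%EOF\n"
    enc_pdf = b"%PDF-1.4\ntrailer\n<< /Root 1 0 R /Encrypt 5 0 R >>\n%%EOF\n"
    # OLE header padded to a 512-byte sector, followed by a fake directory entry name.
    ole_enc = OLE_MAGIC.ljust(512, b"\x00") + "EncryptedPackage".encode("utf-16-le").ljust(128, b"\x00")
    ole_plain = OLE_MAGIC.ljust(512, b"\x00") + "WordDocument".encode("utf-16-le").ljust(128, b"\x00")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
    return {
        "plain.pdf": plain_pdf,
        "enc.pdf": enc_pdf,
        "enc.docx": ole_enc,
        "legacy.doc": ole_plain,
        "plain.docx": buf.getvalue(),
    }


def report() -> dict:
    """Classify every constructed sample, keyed by sample name."""
    return {name: classify(data) for name, data in build_samples().items()}


if __name__ == "__main__":
    for name, info in report().items():
        print(f"{name:12} {info['container']:13} encrypted={info['encrypted']} {info['evidence']}")
```

On real files, read the bytes with `open(path, "rb").read()` and pass them to `classify`; an "ole-compound" result without the EncryptedPackage stream is simply a legacy binary Office file, and an "unknown" container only means that none of the three signatures matched.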

3 Recordkeeping and Digital Rights Management

3.1 Legislative and Regulatory Requirements
A public record is recorded information created or received by a public authority in the transaction of business or the conduct of affairs, that provides evidence of the business or affairs. Public records may be in any format; they are not confined to hardcopy documents.
The legislative and regulatory framework which underpins the information management responsibilities of Queensland agencies related to Digital Rights Management technologies includes: [11]
- Public Records Act 2002 [12]: the intent of this Act is to ensure that public records of the Queensland Government are made, managed, kept and, if appropriate, preserved in a useable form for the benefit of present and future generations. A key element of this Act is the requirement for a public authority to make and keep full and accurate records of its business activities.
- Information Standard 40: Recordkeeping [13]: this is a standard to assist public authorities to meet their recordkeeping obligations under the Public Records Act 2002. This Standard outlines a range of recordkeeping obligations of public authorities and defines the processes and attributes of full and accurate records:
  Processes
  o Created - Queensland public authorities must ensure staff create records of their activities, and that systems which support business transactions create appropriate records.
  o Captured - Records capture is a deliberate action that results in the registration of a record into a business system with recordkeeping functionality or a dedicated recordkeeping system.
  o Retained - Records retention describes the keeping of records for as long as they have administrative, business, legislative and cultural value. Records must be retained in accordance with Retention and Disposal Schedules approved by Queensland State Archives.
  o Preserved - Preservation involves storing, protecting and maintaining records to ensure their accessibility over time.
  Attributes
  o Adequate - Records must be adequate for the purposes for which they are created and kept. There should be adequate evidence of the conduct of business activity to be able to account for that conduct. Thus, a major initiative will be extensively documented, while a routine administrative action can be documented with an identifiable minimum of information.
  o Complete - To be complete, records should contain not only the content, but also the structural and contextual information necessary to document and make sense of the business transaction (i.e. recordkeeping metadata).
  o Meaningful - Meaningful records can be understood. This includes having an understanding of the context of the business and the processes for which the records were created and in which they were used.
  o Accurate - Records must correctly reflect what was communicated, decided or done (or not done). An accurate record is one in which its contents, context and structure can be trusted as a representation of the transactions, activities or facts to which they attest and can be depended upon in the course of subsequent transactions or activities.
  o Authentic - An authentic record is one that can be proven to be what it purports to be and to have been referenced, created or transmitted by the person who purports to have created or transmitted it.
  o Inviolate - To be regarded as inviolate, a record must be securely maintained to prevent unauthorised access, alteration, removal or destruction. The internal and external processes to which a record has been subject should be traceable.
  o Accessible - Records must remain accessible and available to people both inside and outside the agency, in accordance with security, privacy and legislative requirements, for the designated period for which they must be retained. To be accessible, records must be maintained so that they can be quickly and easily identified and retrieved when they are required.
  o Useable - Records must be kept in a format that allows their continued use.
- Information Standard 31: Retention and Disposal of Public Records [14]: this is a standard to ensure the appropriate disposal of records. It details a public authority's obligations to retain records for at least the specified period in a current Retention and Disposal Schedule that has been authorised by the State Archivist, and the requirements for lawfully disposing of records.
- Information Standard 18: Information Security [15]: a standard to help public authorities protect information from misuse and loss and from unauthorised access, modification or disclosure.
- Information Standard 33: Information Access and Use: a standard to help ensure that citizens and those doing business in Queensland have open access to and are able to use Queensland Government information.
- Right to Information Act 2009 [16]: the primary object of this Act is to give a right of access to information in the government's possession or under the government's control unless, on balance, it is contrary to the public interest to give the access.
- Information Privacy Act 2009 [17]: the intent of this Act is to provide for the fair collection and handling in the public sector environment of personal information; and a right of access to, and amendment of, personal information in the government's possession or under the government's control unless, on balance, it is contrary to the public interest to give the access or allow the information to be amended.
- Copyright Act 1968 (Commonwealth) [18]: this is the Act relating to copyright. Under this Act it is generally not permitted to use, manufacture, import, supply or communicate devices to circumvent access control technological protection measures (such as DRM) to allow unauthorised access to or copying of copyrighted material. There are some limited exceptions under certain circumstances and public authorities are advised to seek legal advice in this regard, if relevant.

3.2 Recordkeeping implications of DRM
Application and acceptance of Digital Rights Management technologies may impede preservation of, and access to, the evidence of the Queensland Government's business activities and decisions over time. It may inhibit a public authority's ability to capture and maintain full and accurate records of its business and dispose of records in accordance with the Public Records Act 2002, Information Standard 40: Recordkeeping and Information Standard 31: Retention & Disposal of Public Records. DRM may also compromise a public authority's ability to meet the requirements of other regulations and legislation such as the Right to Information Act 2009 and the Information Privacy Act 2009.

[11] Queensland public authorities are responsible for researching and understanding their full legislative and regulatory environment related to the use and acceptance of Digital Rights Management technologies.
[12] http://www.legislation.qld.gov.au/legisltn/current/p/publicreca02.pdf
[13] http://www.qgcio.qld.gov.au/qgcio/architectureandstandards/informationstandards/current/pages/recordkeeping.aspx
[14] http://www.qgcio.qld.gov.au/qgcio/architectureandstandards/informationstandards/current/pages/retention%20and%20disposal%20of%20public%20records.aspx
[15] http://www.qgcio.qld.gov.au/qgcio/architectureandstandards/informationstandards/current/pages/information%20security.aspx
[16] http://www.legislation.qld.gov.au/legisltn/current/r/rightinfoa09.pdf
[17] http://www.legislation.qld.gov.au/legisltn/current/i/infopriva09.pdf
[18] http://www.comlaw.gov.au/comlaw/legislation/actcompilation1.nsf/lookupindexpagesbyid/f65E32ED860AE37ECA2570DC000CEA4E?OpenDocument

Potential risks to recordkeeping arising from DRM include:

DRM Feature: Expiration dates / Autodeletion
Risk: Public authorities prematurely dispose of public records.
Description: This may occur when the expiration rule set by the information provider conflicts with the retention period authorised in an approved Retention and Disposal Schedule.

DRM Feature: Autodeletion
Risk: Public authorities dispose of public records before consideration of the value of the records beyond the prescribed retention period.
Description: A key process step prior to disposing of records involves the assessment for any on-going business or legal use of the records. Automatic deletion by the IT system, without manual intervention, means records that are still required for business or legal purposes may be inadvertently lost.

DRM Feature: Autodeletion
Risk: Public authorities destroy public records without capture of mandatory recordkeeping metadata.
Description: Details of the destruction of a public record must be recorded in a public authority's recordkeeping system. When control and management of deletion is retained by the information provider/creator, these details, expressed in recordkeeping metadata, may not be captured.

DRM Feature: Print disabling
Risk: Public authorities that maintain public records in paper format are unable to do so.
Description: Some agencies do not have an electronic Document and Records Management System (eDRMS) for managing electronic records. Instead, electronic records are printed and managed in paper form. In these instances, the prevention of printing impairs the ability of a public authority to capture the record into the recordkeeping system and initiate appropriate recordkeeping controls.

DRM Feature: Prohibition of saving / forwarding
Risk: Public authorities are prevented from capturing electronic records into an electronic recordkeeping system.
Description: For those agencies that use an eDRMS, records are unable to be captured and managed in line with recordkeeping obligations.

DRM Feature: Prohibition of viewing
Risk: Public authorities are unable to meet their obligations to provide access to or produce documentation.
Description: This DRM function means that records may not be accessible to those who have a legitimate right to view them. Obligations which may not be met include:
- Under the Public Records Act 2002, agencies must ensure records remain able to be produced or made available for the authorised retention period.
- Restricting viewing rights of records may not align with the intent of the Right to Information legislation, which encourages more open access.
- Public authorities may be unable to produce and provide access to documentation for those authorities undertaking monitoring or investigative activities, such as Commissions of Inquiry, auditing, etc.

DRM Feature: Prohibition of copying / modifying / saving
Risk: Public authorities may not be able to preserve their public records for the required retention period.
Description: Some records are required to be retained for long periods of time. Due to technology obsolescence, agencies may need to undertake preservation activities such as migration or conversion of the digital records. DRM restrictions placed on records may prevent the public authority from ensuring the record remains accessible into the future.

DRM Feature: Prohibition of copying / modifying / saving
Risk: Public authorities may not be able to re-use the information contained in records.
Description: For efficiency purposes, on occasions, new documents are created by re-using existing documents. The inability to re-use information may delay business processes and create additional resource requirements.

DRM Feature: Encryption
Risk: Records may become inaccessible due to a lack of management of the encryption process and the associated keys and certificates required to decrypt the information.
Description: DRM-controlled information is usually encrypted. Encryption is the process by which information is transformed to conceal its meaning. [19] It is a reversible process and the information can be recovered or decrypted by using a cryptographic algorithm and key. Without appropriate management of these processes, particularly over the long periods of time for which some records must be retained, records may become inaccessible.

DRM Feature: Remote attestation [20]
Risk: Privacy and security of information may be threatened.
Description: In some DRM systems, each time protected information is accessed, there is communication between the DRM system and external servers. Personal data is at risk of being collected by the external server without the appropriate authorisation in line with privacy requirements. Security of the information may also be compromised by virtue of firewalls being opened to permit this transmission.

DRM Feature: Remote attestation
Risk: When access is reliant on communication with an external server, accessibility may be compromised.
Description: The dependence on successful communication with an external device may mean access to records is at a higher risk of being unpredictable or unreliable.

[19] Office of Government ICT (2006) Queensland Government Authentication Framework - Authentication Concepts. http://www.qgcio.qld.gov.au/02_infostand/downloads/qgaf-Authentication_Concepts.doc
[20] Remote attestation involves confirming the integrity and authenticity of the status and configuration of a system to a remote entity. Software companies may use remote attestation to prevent people from tampering with their software to circumvent technological protection measures. Source: Darmstadt University of Technology, TechRepublic White Paper: A Robust Integrity Reporting Protocol for Remote Attestation.

3.3 Guiding Principles for the implementation and use of DRM

The framework outlined in Section 3.1 provides a policy context for capturing, ensuring the security and privacy of, providing access to, preserving, and disposing of public records. Based on this recordkeeping framework, and to mitigate the risks outlined in Section 3.2, the key principles which should guide the implementation and use of Digital Rights Management are:

Principle 1. A public authority must be able to capture a full and accurate public record into a recordkeeping system.

Principle 2. A public authority must be able to provide access to public records to those people who are entitled to access them. This includes provision of future access for audit, archival, legal and other purposes.

Principle 3. A public authority must be able to retain public records and recordkeeping metadata for the full authorised retention period, while ensuring the authenticity and integrity of these records.

Principle 4. A public authority must be able to ensure that recordkeeping activities can be undertaken to preserve public records over time. This includes ensuring public records remain meaningful and able to be understood.

Principle 5. A public authority must be able to ensure protection of personal and confidential public records through robust privacy and security controls.

4 Strategies for implementation

While the use and acceptance of DRM-controlled information is generally not recommended for Queensland public authorities, it is acknowledged that a public authority may have a business requirement to apply DRM restrictions to information or to accept DRM-controlled information from external information providers. Where public authorities decide to create, use or accept DRM-controlled information, it is recommended that agencies implement the following strategies to ensure recordkeeping risks are minimised and obligations continue to be met. These strategies can be broadly grouped into three categories (and are summarised in checklist form in Appendix A):

1. Governance: strategies related to the overarching decision to adopt DRM.
2. Application of DRM controls: primarily strategies for public authorities that have decided to create DRM-controlled records.
3. Receipt and acceptance of DRM-controlled records: primarily strategies for public authorities that have decided to accept DRM-controlled records.

4.1 Governance

4.1.1 Consideration of alternative measures

There may be viable alternatives to implementing DRM, and these should be explored before the decision is taken to implement and/or accept DRM-controlled records. To protect and secure information and prevent its unauthorised or improper use within a public authority, appropriate access rights and security can often be achieved through other measures, such as an electronic Document and Records Management System (eDRMS), as information security controls are established and embedded within these. It is recognised that when providing external parties with information, a public authority may wish to protect the agency's intellectual property.
The standardised approach to licensing information, known as the Government Information Licensing Framework (GILF) 21, enables creators of information to allocate, and users to understand, the legally permitted uses of information products. The Framework includes digital licence-management software which enables the information to be tagged with the appropriate licence, thereby explicitly specifying to users the lawful use of the information. However, GILF does not enforce these licence conditions through digital rights management technology.

21 See http://www.gilf.gov.au/ for further information.

4.1.2 Analysis of risk and cost-benefit

The decision to implement Digital Rights Management technology is a significant one that requires appropriate deliberation of the recordkeeping risks, along with any other associated business risks. It is recommended that a robust cost-benefit and risk analysis (including assessment of the security, records management and legal risks) is undertaken prior to the introduction of DRM, in order to demonstrate the business imperative and value of implementation.

Under the Public Records Act 2002, the Chief Executive Officer is responsible for ensuring the public authority makes and keeps full and accurate records of its activities. Because of the recordkeeping risks arising from Digital Rights Management, it is recommended that the decision to implement and/or accept public records with DRM controls is documented and authorised by the public authority's Chief Executive Officer and senior management team, and not by managers of individual business units/divisions or by individual staff.

4.1.3 Development of a DRM governance policy

Public authorities should develop an organisational Digital Rights Management policy to guide any deployment, use and receipt of DRM, and to assist in ensuring recordkeeping responsibilities are addressed. The policy should cover both DRM use within an internal context and the acceptance of DRM-controlled information from external sources. The policy may encompass consideration of:
- The public authority's position on the receipt of information controlled by Digital Rights Management measures from external organisations.
- Clear definition of the authorised scope of DRM application. This includes explanation of the conditions and circumstances in which DRM can and cannot be used.
- Who has the authority to apply and/or accept DRM-controlled information.
- How DRM use and/or acceptance aligns with the public authority's information management and recordkeeping policy framework and strategies.
This includes consideration of information access requirements and the approaches for ensuring that public records remain accessible into the future, in line with their authorised retention period.
- Identification of the roles and responsibilities of staff. Deployment of DRM requires cooperation between staff with a range of expertise, including records management, ICT infrastructure, system administration, business management, system vendors and implementers, and all public authority staff.

An example of a DRM Governance Policy template is provided in Appendix B.

The policy position of the public authority may be supported by ICT mechanisms. For example, if the agency has decided not to accept DRM-controlled information, any information containing DRM controls sent from external organisations may be scanned and automatically rejected, with an automatic failure-of-receipt message relayed to the sender. Other organisational policies and operations, such as procurement policies or the agency's Standard Operating Environment (SOE) or Managed Operating Environment (MOE), may also require review to ensure they reflect the DRM policy position of the public authority.

4.1.4 Development and implementation of a training and awareness strategy

If DRM technologies are permitted, public authority staff will need to be adequately trained in the use of Digital Rights Management. The development and implementation of a training and awareness strategy should include ensuring that users have a clear understanding of their recordkeeping responsibilities and of the scope of the use and/or acceptance of DRM. It will be important to ensure that the public authority's ICT staff who may be involved in the configuration of DRM technology have a comprehensive understanding of legislative recordkeeping obligations.

4.2 Application of DRM controls

4.2.1 Minimisation of the number of staff who may apply DRM restrictions

In many applications, DRM technology has to be switched on by an administrator at the server level before individual users can apply restrictions to particular records. It may be possible for DRM to be linked to existing administrative/directory user groups established within the agency, so that rights controls can be limited to particular users. Limiting the use of DRM controls to only those authorised staff who have been appropriately trained and who require its application to meet a specific business need will help to reduce the complexities associated with the management of public records.

4.2.2 Minimisation of the application of DRM restrictions

It is recommended that restrictions are selected based on critical business needs and requirements, so that a minimal number of constraints are applied.
Any application of DRM restrictions must consider the full range of potential usage requirements for the public record, including any future access, such as by Queensland State Archives for preservation purposes, the Auditor-General for auditing purposes, the Attorney-General and the Courts for legal purposes, or in response to Right to Information and Information Privacy requests.

4.2.3 Effective management of encryption/decryption processes

DRM-controlled information is usually encrypted. To maintain the authenticity, integrity and accessibility of public records, the process of encrypting and decrypting records should be robust and documented under appropriate security controls. This is to ensure public records can always be decrypted to restore the content so that they remain meaningful, and are not inadvertently lost.

4.3 Receipt and acceptance of DRM-controlled records

4.3.1 Capture into the recordkeeping system

While many eDRMS will not allow records that are controlled by DRM to be deleted, the DRM controls can prevent access to the records. 22 This means that while the eDRMS may attempt to launch the record, the content will not be displayed, rendering the record inaccessible. As records must remain accessible for their authorised retention period, an unencumbered copy of a DRM-protected record will need to be captured into the recordkeeping system. Capturing the unencumbered record into the recordkeeping system allows records management professionals to actively manage the record and help ensure its ongoing accessibility and preservation.

To obtain an unencumbered version of the record, public authorities will need to negotiate a process whereby the information creator/provider removes all rights protection. This record will need to be totally unencumbered (that is, not simply read access) so that any required records management actions can be undertaken, including transformations or migrations required for digital preservation purposes. The inability to revoke access should be able to be proven. This could be verified by placing the record onto a quarantined machine that has no connection to the vendor's systems or the internet and no prior knowledge of current network users, and confirming that the information can still be accessed and used in this location.
22 The way a specific eDRMS product works with DRM-controlled information should be explored with the public authority's eDRMS vendor, as different products may have different approaches.
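Section 4.1.3 mentions that an authority whose policy is not to accept DRM-controlled information may scan incoming files and reject them automatically with a failure-of-receipt message, and Section 4.3.1 asks that a copy supplied as "unencumbered" is checked before capture. The following is an added example of such an intake scanner; it is not code from Queensland State Archives or from this guideline. It assumes three container formats (PDF, OLE2 Office files and OOXML zip packages) and uses format-level heuristics: an /Encrypt entry in a PDF trailer, and the UTF-16LE stream names EncryptedPackage or DRMEncryptedTransform in an OLE2 directory, which is how an encrypted or IRM-protected Office document is packaged. The function names, the sample documents and the rejection message are all constructed for the example.

```python
"""Intake scanner for a 'do not accept DRM-controlled information' policy.

Added example (not Queensland State Archives code). It flags files that
carry rights-management or encryption controls so an ingest hook can
reject them with a failure-of-receipt message, and so a copy supplied as
"unencumbered" can be checked before capture. Sample files are constructed
inline. This complements, and does not replace, the offline quarantine
test described in Section 4.3.1.
"""
import io
import re
import zipfile

OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"   # OLE2 compound file header
PDF_MAGIC = b"%PDF-"
ZIP_MAGIC = b"PK\x03\x04"

# OLE2 directory entries store stream names as UTF-16LE. An encrypted or
# RMS/IRM-protected Office document is an OLE2 container holding these streams.
OLE_PROTECTION_STREAMS = ["EncryptedPackage", "DRMEncryptedTransform"]


def detect_rights_controls(data: bytes) -> list:
    """Return human-readable findings; an empty list means no control was found.

    Heuristics (assumption: files are neither corrupted nor double-packed):
    - PDF: an /Encrypt entry in the trailer dictionary means the document is
      encrypted and usage restrictions (print/copy/modify) are likely.
    - OLE2: the protection stream names above mean the Office payload is
      encrypted or IRM-protected.
    - OOXML zip: a plain package carries no encryption; only an unreadable
      package is flagged, because it cannot be verified.
    """
    findings = []
    if data.startswith(PDF_MAGIC):
        # /Encrypt followed by an indirect reference (n g R) or an inline dictionary
        if re.search(rb"/Encrypt\s*(\d+\s+\d+\s+R|<<)", data):
            findings.append("PDF: /Encrypt entry present (encrypted; usage restrictions likely)")
    elif data.startswith(OLE_MAGIC):
        for name in OLE_PROTECTION_STREAMS:
            if name.encode("utf-16-le") in data:
                findings.append(f"OLE2: '{name}' stream present (encrypted or IRM-protected Office file)")
    elif data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                zf.namelist()  # readable package: no encryption possible in plain OOXML
        except zipfile.BadZipFile:
            findings.append("ZIP: unreadable package, cannot verify it is unencumbered")
    return findings


def intake_decision(filename: str, data: bytes, accept_drm: bool = False) -> dict:
    """Apply the policy position: reject DRM-controlled files unless the
    authority's documented position is to accept them."""
    findings = detect_rights_controls(data)
    rejected = bool(findings) and not accept_drm
    message = "Accepted"
    if rejected:
        message = ("Receipt failed: the file carries rights-management controls which "
                   "this authority does not accept; please supply an unencumbered copy. "
                   + "; ".join(findings))
    return {"file": filename, "findings": findings, "rejected": rejected, "message": message}


# --- constructed sample documents (not real records) ---------------------
def _pdf(encrypted: bool) -> bytes:
    # Minimal PDF skeleton; only the trailer matters to the scanner.
    trailer = b"trailer\n<< /Root 1 0 R /Size 3"
    if encrypted:
        trailer += b" /Encrypt 2 0 R"
    trailer += b" >>\nstartxref\n0\n%%EOF\n"
    return b"%PDF-1.7\n1 0 obj << /Type /Catalog >> endobj\n" + trailer


def _ole(protected: bool) -> bytes:
    # Stand-in for an OLE2 container: 512-byte header followed by a directory
    # region carrying UTF-16LE stream names padded to 64 bytes, as real files do.
    streams = ["WordDocument"] + (["EncryptedPackage"] if protected else [])
    directory = b"".join(s.encode("utf-16-le").ljust(64, b"\x00") for s in streams)
    return OLE_MAGIC + b"\x00" * 504 + directory


def _docx() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


SAMPLES = {
    "report.pdf": _pdf(encrypted=False),
    "report-protected.pdf": _pdf(encrypted=True),
    "memo.doc": _ole(protected=False),
    "memo-irm.doc": _ole(protected=True),
    "minutes.docx": _docx(),
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        decision = intake_decision(name, blob)
        print(f"{name:22} rejected={decision['rejected']}  {decision['message']}")
```

In use, `intake_decision` would be called from the mail gateway or eDRMS ingest hook; the `accept_drm` flag reflects the authorised policy position from Section 4.1.3, so a change of position is a configuration change rather than a code change. Because the checks are heuristics on container structure, a file that passes them should still go through the quarantined-machine test before it is treated as unencumbered.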

4.3.2 Limitations on communication with systems outside the control of a public authority

Where access to public records is dependent on successful communication with an external rights server, it is important to be mindful of the collection, use and protection of personal information by that server. Any collection and use of information should be consistent with Queensland Government privacy requirements, and explicitly supported through contractual agreements. Reliance on external systems, including the internet, may impair a public authority's ability to ensure ongoing accessibility of public records. Steps should be taken to ensure public records remain accessible in the event that the external systems fail or expire.

4.3.3 Solicitation of information in tenders

DRM technologies may come bundled in a product that forms a fundamental part of a public authority's technical platform, for example embedded in desktop computer hardware and operating systems. Hardware or software that is limited by DRM technologies can prevent access to information. When initiating a procurement exercise, it can be useful to seek an explicit response from suppliers about whether the product/deliverables include DRM features, and whether these features are activated by default and are able to be configured. This may aid efficiency in product selection by ensuring upfront that the supplier's response is in line with the public authority's DRM policy position.

4.3.4 Consideration of situational changes

Situational changes may occur for a range of reasons. For example, public authorities may face administrative variations through machinery of government (MOG) changes. 23 MOG changes may result in the transfer of a business function 24 to another public authority or the abolition of an existing business function or unit.
When a function is transferred, the public records relating to that function should also be transferred to allow the receiving public authority to continue to efficiently administer that function. Arrangements for managing DRM-controlled records should be discussed by both parties and documented to ensure the recordkeeping obligations of the receiving entity can be met.

When a public authority ceases to carry out a function, and that function is not going to be conducted by another entity, the public authority must retain the public records relating to that function as legacy records, unless a regulation under the Public Records Act 2002 is introduced to prescribe otherwise. These records must remain accessible for their authorised retention period, and therefore public authorities will need to ensure that processes are in place to enable ongoing access to and management of any DRM-controlled records.

When a public authority has procured products or services from an external organisation and there is reliance on that organisation's external software or servers for accessing and managing records, an assessment of the risk of potential situational changes for the external organisation, such as insolvency, should be conducted. This is to help ensure public records do not become inaccessible due to unavailable services and technologies.

23 For further information about machinery of government changes and the management of public records, see the Public Records Brief available at http://www.archives.qld.gov.au/recordkeeping/grkdownloads/documents/machinery_of_government_changes_management_of_public_records.pdf

24 A business function represents the major responsibilities that are managed by a public authority to fulfil its goals. Functions are high-level aggregates of the authority's activities.

4.3.5 Informed contractual negotiations

In contract negotiations, a key issue for discussion and documentation is recordkeeping responsibilities. Public authorities must ensure that all public records can be managed and kept in accordance with the Public Records Act 2002, and therefore a public authority must be able to retain full control over the use of public records. Where it is mutually agreed that records or systems that are controlled by DRM can be received due to a clear business case for doing so, approaches for recordkeeping should be considered and clearly documented within the contractual agreement. For example, it may be agreed that a copy of the public record without the DRM control will be provided by the third party in an arranged process. The New Zealand Government 25 has developed suggested contractual clauses concerning DRM application/receipt, which are available at http://www.e.govt.nz/policy/tc-and-drm/standards-guidelines-07/tc-drm-standards.pdf (see Appendix A of the New Zealand Guideline). A Queensland public authority should obtain appropriate legal advice prior to the use of any such clauses. It is important to discuss and document responsibilities associated with any reliance on external software or servers.
Public records may be required to be retained for lengthy periods and may require preservation activities such as migration or conversion to other formats. Arrangements for preservation over time will need to be contractually discussed and documented. It is also important to have full knowledge about, and to document, any information flows into or out of DRM systems that could involve the collection or transmission of personal information. This includes negotiating with the external party about when such events will occur; what specifically is collected and transmitted; the purpose of the collection; who will access and use the information; and for how long this information will be held.

25 State Services Commission (July 2007) Trusted Computing and Digital Rights Management Standards and Guideline. Available at http://www.e.govt.nz/policy/tc-and-drm/standards-guidelines-07/tc-drm-standards.pdf

5 Appendix A Recordkeeping Checklist for DRM implementations

Each item is answered Yes or No.

1. Governance

1.1 Has due consideration been given by the Chief Executive Officer and senior management to the decision to apply and/or accept DRM-controlled records? Have alternative means of controlling the public records been considered, for example through an eDRMS or through digital licence management software?

1.2 Has a robust cost-benefit and risk analysis been undertaken, including an assessment of the risks to records management, to demonstrate the clear business imperative and value of implementation?

1.3 Has the decision to implement and/or accept public records with DRM controls been documented and authorised by the Chief Executive Officer or equivalent senior management?

1.4 Has a DRM policy been developed to guide any deployment, use and receipt of DRM-controlled records?

1.5 Does the DRM policy cover:
- A position on both application internally within the public authority and acceptance of DRM-controlled information from external sources?
- Clear definition of the authorised scope of DRM application and acceptance? This includes explanation of the conditions and circumstances in which DRM can and cannot be used, and by whom.
- How DRM use and/or acceptance aligns with the public authority's information management and recordkeeping policy framework and/or strategy? This includes consideration of information access requirements and the approaches for ensuring that full and accurate records are managed and retained for their authorised retention periods.
- Identification of the roles and responsibilities of staff?

1.6 Is there a need for the DRM policy position of the public authority to be supported by ICT mechanisms? If so, are there appropriate ICT mechanisms in place?

1.7 Have staff been adequately trained in the application and acceptance of DRM-controlled records?

2. Application of DRM controls

2.1 Has the number of staff who are able to apply DRM restrictions been limited in line with the business need?

2.2 Have the selected types of DRM restrictions been limited to those that are based on critical business needs and requirements?

2.3 Do the restrictions allow for the full range of potential usage requirements for public records, including future access, for example:
- by Queensland State Archives for preservation purposes
- by the Auditor-General for auditing purposes
- by the legal and justice sector for legal purposes
- in response to Right to Information and Information Privacy requests?

2.4 Are there documented processes for encrypting and decrypting public records? Are there skills and tools available for doing so?

3. Receipt and acceptance of DRM-controlled records

3.1 Can an unencumbered record be captured into the public authority's recordkeeping system?

3.2 Can the inability to revoke access or restrict management of the record be proven?

3.3 Has any collection of information by an external rights server been discussed between the parties and contractually agreed? Have these arrangements considered:
- What information will be collected
- For what it will be used
- Who can access and use the information
- When the collection will occur
- For how long it will be kept?

3.4 Where access is dependent on an external server/organisation, are processes in place to ensure public records remain accessible in the event of failure or expiration of the external systems or the vendor's insolvency?

3.5 When partnering, outsourcing or contracting services and/or products from an organisation, have discussions included the acceptance (or otherwise) of information/products controlled by Digital Rights Management technology?

3.6 Where relevant, in the process of procurement of services or ICT systems, has an explicit response from the supplier been sought about whether the product/deliverables include DRM features and whether these features are activated by default and can be configured?

3.7 When accepting DRM-controlled information from external parties, has a documented agreement been negotiated that outlines the recordkeeping responsibilities of each of the parties? This includes consideration of the capture, management, access, security, disposal and preservation of public records; the privacy of any information collected; and the details of any reliance on external software or servers.

3.8 In the event of a machinery of government change, have recordkeeping responsibilities for DRM-controlled records been discussed, agreed and documented?

6 Appendix B Example of a DRM Governance Policy Template

1 Introduction

The introduction to the policy should contain opening comments about Digital Rights Management, the context for DRM use and acceptance within the public authority, and the intent of the Policy.

1.1 Authority

As recommended in this Guideline, the public authority's policy position on the use and acceptance of DRM should be authorised by the Chief Executive Officer (or equivalent) and senior management team. This section should indicate who has authorised the Policy.

1.2 Effective Date

This should indicate the date the policy was developed and approved.

1.3 Review

Review is an important component of policy development, as it ensures that policy reflects current business needs. Documenting the review schedule, along with the history of any previous reviews, in this section will help to demonstrate the relevance and currency of the policy.

1.3 Scope

This section should be used to explain, at a high level, what the policy does and does not cover (both use within an internal context and the acceptance of DRM-controlled information from external sources) and to whom it applies.

1.4 Definitions

Definitions provide staff with a shared understanding of specific terms and should be included in the policy. They can be included here, in the introduction, or as a glossary or appendix. Please refer to the Queensland State Archives Glossary of Archival and Recordkeeping Terms 26 for recordkeeping definitions.

1.5 Regulatory and legal framework

This section should contain information about legislation and regulations relevant to the use and acceptance of DRM within the public authority.

26 http://www.archives.qld.gov.au/recordkeeping/pages/publications.aspx

2 Policy Principles

The policy principles should clearly indicate the public authority's position on the use and acceptance of DRM and the rationale for this position. Where DRM has been authorised, a description of the consideration of alternative measures and of the risk and cost-benefit analysis (or a reference to this documentation) should be included within the policy. Policy principles should be developed to cover:
- The public authority's position on the receipt of information controlled by Digital Rights Management measures from external organisations. This includes explanation of the conditions and circumstances in which DRM can and cannot be accepted, and the associated ICT implications, e.g. the scanning and automatic rejection of DRM-controlled information if this is the position of the agency, or a position on the use of systems that rely on external rights servers and the internet for access.
- The position on the use by the public authority of information controlled by Digital Rights Management measures. This includes explanation of the conditions and circumstances in which DRM can and cannot be used, and the extent of this use (e.g. use of DRM restrictions should be minimised, the number of staff that may apply DRM controls should be minimised, etc.).
- Information about who has the authority to apply and/or accept DRM-controlled information.
- If DRM is to be used and/or accepted, statements on how public records will be captured into a recordkeeping system, managed and retained as full and accurate records, so as to enable appropriate access for the authorised retention period.
- Information about the roles and responsibilities of staff and any training requirements. This could include requirements, where relevant, to ensure procurement exercises entail discussions about DRM-controlled information, and responsibilities for recordkeeping.