General Disposal Authority. For encrypted records created in online security processes



Similar documents
Records Authority. Private Health Insurance Administration Council

Records Authority. National Childcare Accreditation Council

General Records Authority

Australian Institute of Family Studies - Research & Research Communication

Records Authority. Australian Security Intelligence Organisation

General Records Authority 34

Records Authority. Department of Health Private Health Insurance

Comcare Asbestos Related Compensation Claims & Workers Compensation Claim Management

Records Management Policy

Gatekeeper PKI Framework. February Registration Authority Operations Manual Review Criteria

Management of Official Records in a Business System

Records Issues for Outsourcing

Certification Practice Statement (ANZ PKI)

Queensland State Archives. Digital Rights Management Technologies and Public Records - A Guideline for Queensland Public Authorities

RECORDS MANAGEMENT POLICY

9. GOVERNANCE. Policy 9.8 RECORDS MANAGEMENT POLICY. Version 4

Management of Records

Records and Information Management. General Manager Corporate Services

Staffordshire County Council. Records Retention and Disposal Policy

Cloud Computing and Records Management

Information Management Advice 4 Managing Electronic Communications as Records

ELECTRONIC DATA INTERCHANGE (EDI) TRADING PARTNER AGREEMENT THIS ELECTRONIC DATA INTERCHANGE TRADING PARTNER AGREEMENT

Scotland s Commissioner for Children and Young People Records Management Policy

Electronic business conditions of use

For all other applications, including new applications, please visit

USER AGREEMENT FOR: ELECTRONIC DEALINGS THROUGH THE CUSTOMS CONNECT FACILITY

Records Disposal Schedule Anti-Discrimination Services Northern Territory Anti-Discrimination Commission

Territory Records (Records Disposal Schedule Disaster Recovery (Human Services) Records) Approval 2005 (No 1)

Records and Document Management

Implementing an Electronic Document and Records Management System. Key Considerations

UNIVERSITY OF MANITOBA PROCEDURE

TOWN OF COTTESLOE POLICY MANAGEMENT

The Australian Guidelines for Electronic Commerce

Zinc Recruitment Pty Ltd Privacy Policy

Records Management Policy

POLICY STATEMENT 5.17

LONDON PUBLIC LIBRARY POLICY

COUNCIL POLICY R180 RECORDS MANAGEMENT

FISHER & PAYKEL PRIVACY POLICY

Information Circular

Implementing an Electronic Document and Records Management System. Checklist for Australian Government Agencies

Transglobal Secure Collaboration Program Secure v.1 Gateway Design Principles

TERRITORY RECORDS OFFICE BUSINESS SYSTEMS AND DIGITAL RECORDKEEPING FUNCTIONALITY ASSESSMENT TOOL

Queensland recordkeeping metadata standard and guideline

State of Michigan Records Management Services. Frequently Asked Questions About E mail Retention

Guideline 2. Cloud Computing: Tools. Public Record Office Victoria Cloud Computing Policy. Version Number: 1.0. Issue Date: 26/06/2013

Management: A Guide For Harvard Administrators

Technical Safeguards is the third area of safeguard defined by the HIPAA Security Rule. The technical safeguards are intended to create policies and

Guideline 2. Cloud Computing: Tools. Public Record Office Victoria Cloud Computing Policy. Version Number: 1.0. Issue Date: 26/06/2013

Scope and Explanation

Issues to Address: The Privacy Concerns of Individuals

State Records Guideline No 15. Recordkeeping Strategies for Websites and Web pages

Chapter WAC PRESERVATION OF ELECTRONIC PUBLIC RECORDS

Guideline 1. Cloud Computing Decision Making. Public Record Office Victoria Cloud Computing Policy. Version Number: 1.0. Issue Date: 26/06/2013

itrust Medical Records System: Requirements for Technical Safeguards

Records Management - Council Policy Version 2-28 April Council Policy. Records Management. Table of Contents. Table of Contents... 1 Policy...

Records Authority. Family Court of Australia and Federal Circuit Court of Australia

ADRI. Advice on managing the recordkeeping risks associated with cloud computing. ADRI v1.0

Protective Marking Standard Implementation Guide for the Australian Government

Digital Records Preservation Procedure No.: 6701 PR2

Authentication of Documents/Use of Professional Stamps

RECORDS MANAGEMENT POLICY

K-Series Guide: Guide to digitising your document and business processing. February 2014 LATEST EDITION

District Council of Yankalilla

ELECTRONIC TRANSACTIONS ACT

RECORDS MANAGEMENT POLICY

Credit Union Code for the Protection of Personal Information

Information Integrity & Data Management

Applicability: All Employees Effective Date: December 6, 2005; revised January 27, 2009 Source(s):

Disposal Authorisation for Information and Technology Management Records. Administrative Schedule No. 4

VIETNAM LAWS ONLINE DATABASE License Agreement Multi-user Subscription

Management of Research Data Procedure

Records Management Policy

ADRI. Statement on the Application of Digital Rights Management Technology to Public Records. ADRI v1.0

Adequate Records Management - Implementation Plan

Harbinger Escrow Services Backup and Archiving Policy. Document version: 2.8. Harbinger Group Pty Limited Delivered on: 18 March 2008

COLUMBIA UNIVERSITY USAGE POLICY

TEXTURA AUSTRALASIA PTY LTD ACN ( Textura ) CONSTRUCTION PAYMENT MANAGEMENT SYSTEM TERMS AND CONDITIONS OF USE

Cloud Service Contracts: An Issue of Trust

Psychologist s records: Management, ownership and access. APS Professional Practice

Public Record Office Standard. Retention & Disposal Authority for Records of the Transport Accident Prevention and Assistance Functions

Privacy and Cloud Computing for Australian Government Agencies

Records Management Standards. Records Management Standards for Public Sector Organisations in the Northern Territory

Information Security Policies. Version 6.1

Note that the following document is copyright, details of which are provided on the next page.

Information Management Advice 27 Managing

Doug Kerr Insurance Consultants P/L ABN AFSL Tel: Fax:

Policy on Public and School Bus Closed Circuit Television Systems (CCTV)

RECORDS COMMISSION[671]

Life Cycle of Records

Next Business Telecom is also subject to other laws relating to the protection of personal information.

Title. This chapter may be cited as the "Uniform Electronic Transactions Act." TOC

Privacy Policy. Approved by: College Board, 01/12/2005 Principal from 14/02/2014

DATA PROTECTION POLICY

Dartmouth College Merchant Credit Card Policy for Processors

North West Core Skills Programme. Information Governance Implications

Software Escrow & Copyright Agents Pty Ltd - Software Escrow Agreement

Data Management Policies. Sage ERP Online

Information and records management. Purpose. Scope. Policy

Transcription:

General Disposal Authority For encrypted records created in online security processes May 2004

Commonwealth of Australia 2004 ISBN 1 920807 04 7 This work is copyright. Apart from any use as permitted under the Copyright Act 1968, no part may be reproduced by any process without prior written permission from the National Archives of Australia. Requests and inquiries concerning reproduction and rights should be directed to the Publications Manager, National Archives of Australia, PO Box 7425, Canberra Business Centre ACT 2610, Australia.

CONTENTS INTRODUCTION 5 Disposal authorisation 5 Purpose 6 Review 6 Contact information 6 Glossary of terms 7 GENERAL DISPOSAL AUTHORITY 8 General Disposal Authority 9 Exclusions 9 Conditions 9 3

4

INTRODUCTION Online security promotes trust and confidence when conducting business over unsecured networks such as the Internet. Part of the online security process may involve encrypting information by means of cryptographic keys to ensure integrity, authenticity and confidentiality during transmission. The sender of encrypted electronic transactions may keep records of the encrypted form as evidence of what was sent. The receiver of encrypted transactions may retain the encrypted versions or make copies of them to verify the decryption process. A party to online transactions may deal with records of both outbound and inbound transactions in encrypted form. Encrypted records created or received by Australian government agencies in online security processes generally are Commonwealth records subject to the Archives Act 1983. In most cases, the encrypted form of the transaction has served its purpose (for both the sender and receiver) once the online security process is verified as trustworthy and the parties accept that the content of the receiver's decrypted form is the same as the sender's unencrypted form. Unless there are special reasons for retaining the encrypted form, keeping records in a form without encryption should be sufficient. Recordkeeping systems operated by an agency should meet applicable standards and be designed to address business and security needs, as well as privacy requirements. A record's placement and storage within a recordkeeping system should therefore imply its continuing authenticity, integrity, reliability and useability. However, storing records in encrypted form raises accessibility issues. The Archives recommends that records not be stored in an encrypted state longer than necessary. The Archives will only accept digital records of archival value into its custody in unencrypted or decrypted form. The Archives has produced guidelines to help agencies effectively manage recordkeeping issues relating to online security processes (available at www.naa.gov.au/recordkeeping/er/summary.html). Disposal authorisation This General Disposal Authority (GDA) is issued to the heads of all Australian government agencies. It authorises arrangements for the disposal of records in accordance with section 24(2)(b) of the Archives Act 1983. Under the Archives Act, the Archives permission is required for the destruction or other disposal of Commonwealth records. Exceptions to this are where the destruction or disposal is required by any law, or is in accordance with a normal administrative practice, other than a practice of a department or authority of which the Archives has notified the department or authority that it disapproves. Advice on the provisions of the Archives Act may be obtained from the National Archives of Australia. 5

Purpose The purpose of the GDA is to permit the destruction of encrypted records, created during online security processes, that are no longer required. The GDA covers encrypted versions of inbound and outbound electronic transactions. A number of conditions are attached to the use of the GDA. The GDA does not cover the disposal of: the corresponding unencrypted records of a sending agency, or the decrypted records of a receiving agency; encrypted records that are subject to an exclusion category; or records subject to encryption outside the context of online security processes. The disposal of these records is subject to the Archives permission through other GDAs and records disposal authorities (RDAs). Further information For information about obtaining disposal authorisation see Appendix 8 of the DIRKS Manual Procedures for developing a records disposal authority in the Commonwealth (available at www.naa.gov.au/recordkeeping/dirks/dirksman/contents.html). Review The Archives intends to review this authority within five years of the date of issue. Agencies using the authority should ensure that it is still current. Comments on the application and use of this authority are welcome. Contact information Inquiries concerning this disposal authority should be directed to the National Archives of Australia: Queen Victoria Terrace Parkes ACT 2600 PO Box 7425 Canberra Business Centre ACT 2610 Tel: (02) 6212 3610 Email: recordkeeping@naa.gov.au Website: www.naa.gov.au/recordkeeping/ 6

Glossary of terms Cryptographic keys Decrypted record Electronic transaction Encrypted record Online security Recordkeeping system Data elements used to encrypt or decrypt electronic messages. They consist of a sequence of symbols that control the operation of a cryptographic transformation, such as encipherment. A digital record that was subject to an encryption process, but that has since been successfully deciphered. A discrete packet of data transmitted in the course of conducting business activity online, whether in the form of a message, automated transaction or other type of digital communication. A digital record that is the product of an encryption process. Collective term to describe both authentication and encryption technologies where they are used to provide confidence and trust in the identity of a party transacting online, and confidentiality of the electronic transaction during transmission. Framework to capture, maintain and provide access to evidence over time, as required by the jurisdiction in which it is implemented and in accordance with common business practices. Recordkeeping systems include: records practitioners and records users; a set of authorised policies; assigned responsibilities; delegations of authority, procedures and practices; policy statements; procedures manuals; user guidelines and other documents which are used to authorise and promulgate the policies, procedures and practices; the records themselves; specialised information and records systems used to control the records; and software, hardware and other equipment, and stationery. Unencrypted record A digital record that will be, or has been, subject to an encryption process. 7

8

GENERAL DISPOSAL AUTHORITY FOR ENCRYPTED RECORDS CREATED IN ONLINE SECURITY PROCESSES Person to whom notice of authorisation is given: Heads of Commonwealth institutions under the Archives Act 1983, as listed in National Archives file 2004/1153. Purpose: Authorises arrangements for the disposal of records in accordance with section 24(2)(b) of the Archives Act 1983. Application: The authority permits the destruction of encrypted records that result from the use of online security processes, subject to exclusions and conditions. This authorisation applies to only the disposal of the records described on the authority in accordance with the disposal action specified on the authority. The authority will apply only if disposal takes place with the consent of the organisation that is responsible at the time of disposal for the functions documented in the records concerned. Authorising Officer, National Archives of Australia Date of issue Adrian Cunningham Acting Assistant Director-General Government Recordkeeping Job Number: 2004/00238694 9

General Disposal Authority Entry Description of records Disposal action 8626 Encrypted versions of inbound and outbound electronic transactions resulting from the use of online security processes except those covered by the attached Exclusions. Destroy at agency discretion, subject to the attached Conditions. Exclusions 1.1 The authority does not cover the disposal of encrypted records where: (a) (b) (c) (d) (e) (f) there is a legal requirement to keep or retain the records in encrypted form; the records are required, or likely to be required, for a current or pending court action, government inquiry or investigation, or are the subject of a current application for access under the Freedom of Information Act 1982, Archives Act 1983 or other relevant legislation; there is a government policy or directive not to destroy the records; an agency has identified significant business or other reasons for the retention of the records; the records are subject to a disposal freeze which states that this authority does not apply. This authority may otherwise be applied to records covered by disposal freezes; or attempts to decrypt encrypted records are unsuccessful. Notes on the Exclusions (1) In the cases of (a) to (f) above, encrypted records must be retained together with the appropriate metadata and log files. (2) In the case of (f) in particular, this will enable an agency to make a case in the event of factual disputes where the outcome may depend on proof of whose decryption method was at fault. Conditions Management of the online security process 1.1 Agencies must ensure that: (a) (b) adequate quality control and verification procedures for their online security processes are in place and are routinely applied; sufficient system documentation is kept to demonstrate that the online security process used routinely produces encrypted records that can be reliably and accurately decrypted; and 10

(c) sufficient system documentation is kept to demonstrate that the online security process used routinely produces decrypted records that maintain their authenticity, integrity, reliability and useability. Recordkeeping requirements of encryption processes 2.1 Upon creation of encrypted records intended for transmission, agencies must ensure that the unencrypted versions of the records are retained and captured into an appropriate recordkeeping system together with associated log files and recordkeeping metadata. 2.2 Before transmission, agencies must ensure that encryption has been performed to a standard that permits the encrypted records to be accurately decrypted. Recordkeeping requirements of decryption processes 3.1 Upon receipt of encrypted records, agencies must ensure that, before destruction, decryption is performed to a standard that ensures accuracy of translation and proper functioning of security and business processes. 3.2 Decrypted records should be retained and captured into an appropriate recordkeeping system together with associated log files and recordkeeping metadata. Maintenance of decrypted and unencrypted records 4.1 Agencies must ensure that: (a) (b) the decrypted or unencrypted records are maintained for as long as required by any current disposal authority applying to the class of records to which they belong; and the decrypted or unencrypted records are kept in accordance with relevant recordkeeping standards and guidelines promulgated from time to time by the Archives for Australian government use. Management of destruction process 5.1 Control records or recordkeeping metadata must be kept that adequately specify the types and ranges of encrypted records that are destroyed. Management of electronic systems 6.1 In an electronic environment, agencies must ensure that they have appropriate systems and strategies in place to maintain their records in an accessible condition for as long as required. 11

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information