September 2015
ANZ 15/G1: Risk management guide for disposal of records
Document details
Document Identifier: ANZ 15/G1
Authority: Archives New Zealand, Department of Internal Affairs
Author: Archives New Zealand, Department of Internal Affairs
Document status: Final
Version: Version 1.0
Contact for enquiries: Government Recordkeeping Directorate, Archives New Zealand
Phone: +64 4 499 5595
Email: rkadvice@dia.govt.nz
Licence: Crown copyright ©. This copyright work is licensed under the Creative Commons Attribution 3.0 New Zealand licence. In essence, you are free to copy, distribute and adapt the work, as long as you attribute the work to Archives New Zealand, Department of Internal Affairs and abide by the other licence terms. To view a copy of this licence, visit http://creativecommons.org/licenses/by/3.0/nz/.
Acknowledgements
Archives New Zealand acknowledges the contribution of time and experience from all those involved in developing this document.
2 Printed copies are uncontrolled Version 1.1
1 INTRODUCTION
This Guide provides assistance to public offices and local authorities in identifying, assessing and mitigating current and future risks associated with the over-retention of records. It supports the
Records Management Standard for the New Zealand Public Sector, Principle 5: Appraise records
and dispose of them appropriately.
It encourages routine and efficient business practice in public offices under the authority of the
Chief Archivist, the regulator of records, across government.
Supporting and implementing this Guide will enable public offices and local authorities to achieve:
compliance with relevant information, security and privacy legislation;
cost savings on staff time used and storage;
better identification of opportunities and threats for information assets;
effective management of information assets and records; and,
lowered risk of business inefficiency caused by over-retention of records of low business value and use.
2 RISK MANAGEMENT – WHAT IS IT?
Risk management, in an information context, is about creating and enhancing the efficient use of records as information assets and business resources by managing them effectively. A suggested operational process for this can be found in the appendix at the end of this document.
This document was developed because Archives New Zealand recognises that public offices and local authorities retain many records longer than is required for their business, creating unnecessary risks in terms of cost, business efficiency and reputation.
It addresses the problem of the over-retention of records by recommending ‘disposal authorities’ and emphasises the importance of disposing of records in a timely manner in accordance with approved and applicable Disposal Authorities or General Disposal Authorities.
3 INTENDED AUDIENCE
The Guide is intended for public office and local authority staff responsible for managing records, and staff responsible for assessing and mitigating risks associated with records disposal. These are likely to include:
managers responsible for information asset management and advice to their corporate leadership;
managers governing records and information management;
staff in risk and assurance roles;
staff in records, knowledge and information management roles;
staff in project management roles;
staff with privacy roles; and,
contractors, vendors and consultants providing risk or records management services.
Some of the content may also be broadly applicable to private and community sector organisations. These organisations do face many of the risks associated with the long retention of records that are featured in this document; however, their legislative and operational requirements may be different from those detailed here.
4 THE RISKS OF OVER-RETENTION
When effectively managed, the information contained in records is a valuable asset. All records can be useful, but not all records have equal enduring value.
Records which have transitory value or are required for a defined business period must eventually be destroyed. Retaining records longer than is required can pose critical risks to an organisation.
Over-retention of records can impact on an organisation’s ability to attain:
legislative compliance
privacy and information security
business efficiency and cost savings
information discovery and integrity.
4.1 Legislative compliance
While all public offices and local authorities have legislative requirements they must comply with, most have legislative provisions governing the destruction of records/information under other Acts. For example:
Public Records Act 2005
Companies Act 1993
Evidence Regulations 2007
Financial Reporting Act 2013
Privacy Act 1993
Health (Retention of Health Information) Regulations 1996.
Over-retention of records can have consequences for a public office’s/local authority’s reputation if they cannot demonstrate their compliance with relevant legislative and regulatory requirements.
This includes an increased likelihood of intervention by a regulator, such as the Chief Archivist.
The Chief Archivist is mandated by the Public Records Act 2005 to inspect records of public offices and local authorities and to direct the administrative head of a public office or of an approved repository to report on any aspects of its recordkeeping practice. There is also a recordkeeping audit role under the Public Records Act with an annual report on the audit findings presented to Parliament.
4.2 Privacy and information security
Over-retention of records can impact on a public office’s/local authority’s ability to securely contain and manage those which have sensitive or private information. In failing to legally dispose of sensitive or private records in a timely fashion, organisations increase their risk of those records being inappropriately released.
The inadvertent release of sensitive or private information could breach privacy legislation, and if publicly reported, can compromise an organisation’s reputation as a secure holder of public information.
4.3 Business efficiency and cost savings
Over-retention of records can impact on a public office’s/local authority’s ability to efficiently and effectively process information within their systems. This can also impact on their overall costs due to unnecessary physical on-site and off-site storage, and electronic storage costs (including costs of digital migration and ensuring digital accessibility).
There can be significant and lasting consequences for business efficiency and cost savings. Not being able to find accurate information quickly when needed can result in the overall inability to make accurate business decisions due to unreliable information to hand.
Staff time is wasted searching for or re-creating records when staff cannot find the information they require, and efficiency is compromised in customer service or in business processes such as litigation preparation, finance, human resources or supply chain management.
4.4 Information discovery and integrity
Over-retention of records can impact on the ability to identify valuable records, and specifically can have significant impacts on the ability to discover and use meaningful information within records.
Additionally, over-retention of records can impact on the integrity of the information held within them. The risk of accidentally losing important records during any migration of digital information is increased if the system contains, or is cluttered by, records which should have been destroyed earlier. This can directly impact on stakeholders and the public, especially if there is difficulty in proving entitlements to rights and privileges due to the lack of evidential records, resulting in significant damage to the reputation of the organisation.
Over-retention of records can have significant consequences for information discovery and integrity. The corporate, or business, memory of an organisation can be impaired significantly when efficient business information discovery processes are compromised, which has additional consequences for the public office’s/local authority’s ability to carry out their functions and responsibilities.
5 MITIGATIONS TO OVER-RETENTION
The categories of mitigations to the problem of over-retaining records have broad applicability to a range of records and information management activities, decisions and operations. The identification and mitigation of recordkeeping disposal risks may be influenced by the varying needs and obligations of the public office/local authority.
Ensuring that all legislative requirements are included within the internal risk management strategy and business continuity plans, and reflecting this in the Disposal Authority.
Ensuring that the enterprise architecture planning and implementation is a reflection of how the organisation needs to and will use its information assets.
Regularly performing destruction of records that have met their retention periods according to a Disposal Authority or General Disposal Authority, or, for local authorities, the Retention and Disposal Schedule.
Sentencing records at the point of creation and managing accessibility so that the most important records are managed through their lifetime and will not become inaccessible due to technological obsolescence.
Building long-term business requirements for information use into ICT (Information Communication Technology) systems design and development to minimize the risks of losing valuable records during migration.
Sentencing existing digital records at or before the point of migration so that records of low business value will not be migrated to new operating systems.
6 BENEFITS OF TIMELY DISPOSAL
Managing current and future risks associated with the over-retention of records in line with the principles of this Guide will help organisations to meet government and community expectations for the management of public and local authority records. These expectations include the:
effective and responsible stewardship of information assets;
creation and maintenance of records that can be used to hold public offices and local authorities to account;
preservation of records which have enduring historical or cultural value, or which contribute to New Zealanders’ sense of their national identity.
Well controlled records and information management that is supported by senior management will produce benefits for public offices and local authorities, including:
contributing to the continuous improvement of business processes and practices;
increasing the likelihood of records management programmes succeeding;
encouraging a high standard of accountability;
ensuring good records and information management practices are established and adhered to;
supporting better business decision making; and,
facilitating compliance with legislative requirements.
Risks associated with the over-retention of records change constantly. Change to the risks faced by an organisation can come in the form of major machinery of government changes, changes in legislative mandates, or changes to internal processes.
Risk management cannot be a one-off activity, but needs to be constantly reviewed. To ensure this happens, organisations need to ensure risk management is factored into their records and information management plans. Regular monitoring and review will ensure that current risks are properly identified and responded to.
7 GLOSSARY OF TERMS
Chief Archivist: The individual who is authorised by the Public Records Act 2005 to set standards for creating and maintaining records for public offices and local authorities (including authorising the disposal of records) and to carry out audits to ensure this is achieved.
Data: Information in a specific physical representation, usually a sequence of symbols that have meaning; especially a representation of information that can be processed or produced by a computer.
Disposal Authority: The document created for a specific public office defining the retention periods and consequent disposal actions authorised for records that the public office creates. For public offices, a Disposal Authority is a formal authorisation issued by the Chief Archivist under section 20 of the Public Records Act 2005. Disposal Authorities should identify the specific records generated by a public office’s functions, the period of time the records need to be retained, and what action will be applied to the records once that period of retention is met.
Disposal: The range of processes associated with implementing records retention, destruction or transfer decisions which are documented in a Disposal Authority. Section 4 of the Public Records Act 2005 outlines the possible types of disposal as: the transfer of control of a record; or the sale, alteration, destruction, or discharge of a record.
Enduring value record: A record that has significant long-term value and will require the eventual transfer to Archives New Zealand, an approved repository or a local authority archive.
General Disposal Authority (GDA): The documents that define the retention periods and consequent disposal actions authorised for records described in it, and can be used by all public offices. GDAs cover functions common to a number of public offices, typically functional areas such as Human Resources, Finance, or facilitative and short-term records. GDAs are not specific to the records generated by a public office’s functions, but rather allow public offices more generally to dispose of corporate function records that are commonly found or records that have short-term and transitory value only.
Information: The aggregation of data with meaning and context, irrespective of medium.
Information system: The organised collections of hardware, software, supplies, policies, procedures and people that store, process and provide access to information.
Local authority: A regional council or territorial authority. Includes council-controlled organisations, council controlled trading organisations, and local government organisations.
Public office: The legislative, executive and judicial branches of the Government of New Zealand and their agencies or instruments, including public service departments, offices of Parliament, state enterprises, Crown entities, the Police, the Defence Force, and the Security Intelligence Service. Crown entities include district health boards, school boards of trustees and tertiary education institutions.
Record: Record means information, whether in its original form or otherwise, including (without limitation) a document, a signature, a seal, text, images, sound, speech, or data compiled, recorded, or stored, as the case may be, by means of any recording device or process, computer, or other electronic device or process.
Risk: The effect of uncertainties that may affect, positively or negatively, the objectives of a business or project.
Risk assessment: The systemic processes to understand the nature of and to deduce the level of risk based on an evaluation of situational awareness and agreed susceptibility.
Risk mitigation: The co-ordinated process of selection and implementation of measures to modify and control identified risk.
Sentence: The process of identifying and classifying records according to the requirements of a Disposal Authority or General Disposal Authority.
Transfer: Here refers to the transfer of records from one recordkeeping system to another. Used with reference to the Public Records Act, refers to the transfer of control of records to the Chief Archivist, or to a public office or local authority that has taken over the recordkeeping responsibilities of a disestablished public office or local authority.
Transitory value record: A record that only has value for a short, finite period and has no value beyond that.
A INTRODUCTION
This Appendix provides practical guidance to assist public offices and local authorities to identify, assess and mitigate current and future risks associated with the over-retention of records.
Using the tools here will assist organisations in implementing the Risk Management Guide for Disposal of Records. It is intended to provide operational records and information management staff in public offices and local authorities with practical tools to support the disposal of records.
Public offices and local authorities that may be developing their records and information management capabilities, or integrating records and information management in their existing risk management strategy, may also find this Appendix useful.
It is not intended as an exclusive approach to recordkeeping risk management.
B WHY IT IS IMPORTANT TO IDENTIFY CURRENT AND FUTURE DISPOSAL-OF-RECORDS RISKS
The Guide broadly identifies that the failure to dispose of records impacts and has consequences for the ability of public offices and local authorities to attain:
Legislative compliance
Privacy and information security
Business efficiency and cost savings
Improved information discovery and integrity
The effects of over-retaining records can be reduced through a process of identifying, assessing and mitigating current and future risks. In this Appendix, a risk is defined as the effect of uncertainties that may affect, positively or negatively, the objectives of a business or project.
It is important to keep an assessment of recordkeeping disposal risks accurate. This involves taking into account the specific environment of a public office or local authority, and aligning the assessment to a public office’s/local authority’s degree of situational awareness, risk tolerance and risk appetite.
Risk tolerance is defined as the specific level of risk that potentially can be tolerated by an organisation. Risk appetite is defined as the broad level of risk that an organisation is prepared to take in order to meet strategic objectives, before mitigations are required to reduce it.
Public offices and local authorities ideally have risk tolerances expressed in strategic risk evaluations in order to reduce uncertainty on operational outcomes, as well as meet legislative and fiscal compliance obligations.
Translating this into how public offices and local authorities will consider current and future disposal of records risks involves internal decision making within the context of their unique culture and structure.
C HOW TO IDENTIFY CURRENT AND FUTURE DISPOSAL OF RECORDS RISKS
In implementing the Guide, public offices and local authorities have a baseline from which they can identify, assess and mitigate current and future risks associated with the over-retention of records.
Outlined below is a suggested risk analysis process to identify potential recordkeeping disposal risks. The risk analysis process assists public offices and local authorities in making better decisions based on an assessment of perceived risk.
This approach to risk management involves identifying the impact if an event does occur using the risk impact table, and the likelihood of it occurring using the risk likelihood table, and then plotting these two factors on the risk matrix.
The coordinated use of the risk impact table, risk likelihood table, and risk matrix can help to identify and evaluate the risks associated with the retention of records.
The risk matrix assigns a unique risk score to each combination of event impact and event likelihood. This approach ensures that each score clearly relates to only one combination of impact and likelihood. To use the process, first determine the impact and likelihood of the risk using the tables, before assigning a risk score.
D STEP 1 – RISK IMPACT TABLE
The risk impact table measures the likely impact if the risk does occur. Each public office and local authority should determine its own risk impact table based on its specific and agreed degree of risk tolerance and risk appetite.
The table below provides examples of how the impact of potential risks can be determined by aligning the perceived impact of the risk with key financial, strategic and reputational consequences for public offices and local authorities.
Risk impact table (Level / Impact / Financial and strategic consequences / Reputational consequences)

Level 5 – Severe
Financial and strategic consequences: Cost would exceed a public office’s/local authority’s resources. Key government outcomes would not be achieved.
Reputational consequences: Extensive national news coverage. Resignation of public office Chief Executive and/or Minister, or in the case of a local authority, Mayor.

Level 4 – Significant
Financial and strategic consequences: Public office/local authority would need to significantly reprioritize funding to meet budgets. Key outcomes for the public office/local authority would not be achieved.
Reputational consequences: Local and/or some national news coverage. Resignation of other responsible managers and/or senior staff. Stakeholders and/or Minister dissatisfied with public office’s/local authority’s performance.

Level 3 – Moderate
Financial and strategic consequences: Extra costs would exceed budgets. Business outcomes and key outcomes affected.
Reputational consequences: Some isolated news coverage and/or stakeholder interest. Public office Chief Executive and possibly Minister need to be informed. In the case of local authorities, the Mayor.

Level 2 – Minor
Financial and strategic consequences: Extra costs which can be absorbed within current budgets. Effect on outcomes and operations can be mitigated.
Reputational consequences: Second tier managers need to be informed.

Level 1 – Minimal
Financial and strategic consequences: Extra costs which can be absorbed within current baseline budgets. May cause minor alteration to outcomes and/or operations.
Reputational consequences: Management need to be informed.
E STEP 2 – RISK LIKELIHOOD TABLE
The risk likelihood table measures how likely the risk is to occur during the period under consideration. The table below shows how risk likelihood can be determined.
Risk likelihood table

Level  Likelihood             Description                                        Percentage
5      Almost Certain         Probably will occur in the specified period        81-100%
4      Highly Probable        Will possibly occur in the specified period        61-80%
3      Possible               May occur during the specified period              41-60%
2      Possible But Unlikely  Unlikely to occur during the specified period      21-40%
1      Almost Never           Will probably not occur in the specified period    0-20%
F STEP 3 – RISK MATRIX
The risk matrix combines the numerical scores for risk impact and risk likelihood from the two tables to assign a ‘risk score’.
As an example, consider a situation where there is a 25% chance that an organisation will need to migrate records from one digital information system to another.
Because regular disposal has not been carried out previously within that organisation, the costs of the migration would exceed their allocated budgets.
Using the examples in the risk impact table above, the organisation assigns an impact score of 3 – Moderate.
Because there is a 25% chance of the risk occurring, it is given a likelihood score of 2 – Possible But Unlikely.
Using the risk matrix table below, the risk score assigned to this risk will be 9.
Risk matrix (rows: IMPACT; columns: LIKELIHOOD; each cell is the risk score)

                1-Almost   2-Possible     3-Possible   4-Highly    5-Almost
IMPACT          Never      But Unlikely                Probable    Certain
5-Severe           15          19             22          24          25
4-Significant      10          14             18          21          23
3-Moderate          6           9             13          17          20
2-Minor             3           5              8          12          16
1-Minimal           1           2              4           7          11
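The three-step scoring described above, implemented as an added Python example (not part of the guide itself): it encodes the impact levels, the likelihood percentage bands and the risk matrix as transcribed from the tables, reproduces the guide's worked example (impact 3, 25% chance, score 9), checks the property the guide claims for the matrix (every impact/likelihood combination has its own score, and scores rise with both factors), and ranks a small risk register. The register entries and their percentages are constructed for illustration.

```python
"""Risk scoring for disposal-of-records risks, following the three-step
method in the ANZ 15/G1 workbook: impact level (1-5) from the risk impact
table, likelihood level (1-5) from the risk likelihood table, and a risk
score (1-25) read off the risk matrix."""
from typing import Dict, List, Tuple

# Impact levels as named in the risk impact table.
IMPACT_NAMES: Dict[int, str] = {
    5: "Severe", 4: "Significant", 3: "Moderate", 2: "Minor", 1: "Minimal",
}

# Likelihood bands from the risk likelihood table: (upper bound %, level, name).
# A percentage maps to the first band whose upper bound it does not exceed.
LIKELIHOOD_BANDS: List[Tuple[int, int, str]] = [
    (20, 1, "Almost Never"),
    (40, 2, "Possible But Unlikely"),
    (60, 3, "Possible"),
    (80, 4, "Highly Probable"),
    (100, 5, "Almost Certain"),
]

# Risk matrix transcribed from the guide: RISK_MATRIX[impact][likelihood].
RISK_MATRIX: Dict[int, Dict[int, int]] = {
    5: {1: 15, 2: 19, 3: 22, 4: 24, 5: 25},
    4: {1: 10, 2: 14, 3: 18, 4: 21, 5: 23},
    3: {1: 6, 2: 9, 3: 13, 4: 17, 5: 20},
    2: {1: 3, 2: 5, 3: 8, 4: 12, 5: 16},
    1: {1: 1, 2: 2, 3: 4, 4: 7, 5: 11},
}


def likelihood_level(percent: float) -> int:
    """Map an estimated probability (0-100 %) to a likelihood level 1-5.
    Assumption: the guide's integer bands (0-20, 21-40, ...) are read as
    'up to and including the upper bound', so 20.5 lands in the 21-40 band."""
    if not 0 <= percent <= 100:
        raise ValueError(f"percentage out of range: {percent}")
    for upper, level, _name in LIKELIHOOD_BANDS:
        if percent <= upper:
            return level
    raise AssertionError("unreachable: 100 is covered by the last band")


def likelihood_name(level: int) -> str:
    """Name of a likelihood level as used in the guide's tables."""
    for _upper, lvl, name in LIKELIHOOD_BANDS:
        if lvl == level:
            return name
    raise ValueError(f"likelihood level must be 1-5, got {level}")


def risk_score(impact: int, likelihood: int) -> int:
    """Step 3: read the score off the matrix; reject levels outside 1-5."""
    if impact not in RISK_MATRIX or likelihood not in RISK_MATRIX[impact]:
        raise ValueError(f"levels must be 1-5, got impact={impact} "
                         f"likelihood={likelihood}")
    return RISK_MATRIX[impact][likelihood]


def matrix_is_consistent() -> bool:
    """Verify the property the guide states for its matrix: each of the 25
    combinations has its own score (1..25, no repeats), and the score never
    falls when either impact or likelihood goes up one level."""
    scores = [RISK_MATRIX[i][l] for i in range(1, 6) for l in range(1, 6)]
    if sorted(scores) != list(range(1, 26)):
        return False
    for i in range(1, 6):
        for l in range(1, 6):
            if i < 5 and RISK_MATRIX[i + 1][l] <= RISK_MATRIX[i][l]:
                return False
            if l < 5 and RISK_MATRIX[i][l + 1] <= RISK_MATRIX[i][l]:
                return False
    return True


def assess(impact: int, percent: float) -> Dict[str, object]:
    """Run one risk through all three steps and return the scored result."""
    lik = likelihood_level(percent)
    return {
        "impact": impact, "impact_name": IMPACT_NAMES[impact],
        "likelihood": lik, "likelihood_name": likelihood_name(lik),
        "score": risk_score(impact, lik),
    }


def rank_register(register: List[Tuple[str, int, float]]) -> List[Tuple[str, int]]:
    """Score a register of (risk, impact level, probability %) entries and
    return them highest score first, so mitigation effort goes to the top."""
    scored = [(name, assess(imp, pct)["score"]) for name, imp, pct in register]
    return sorted(scored, key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    print(assess(3, 25))  # the guide's worked example: score 9
    # Constructed register; percentages chosen to fall in the likelihood
    # bands the guide's Appendix G examples assign to these situations.
    register = [
        ("OIA/LGOIMA searches over old finance records", 2, 95),
        ("Uncontrolled migration to a new document system", 3, 70),
        ("Contractor destroys policy working papers", 2, 50),
    ]
    for name, score in rank_register(register):
        print(f"{score:2d}  {name}")
```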
G EXAMPLES OF DISPOSAL OF RECORDS RISKS
When a recordkeeping disposal risk has been identified and evaluated using the risk impact table, risk likelihood table and risk matrix, there are usually several mitigations that can be applied to modify and control the degree of risk faced.
Below are several examples of common recordkeeping disposal risks that public offices and local authorities may experience.
These examples are not intended as an exhaustive list of, or approach to, recordkeeping disposal risks and mitigations.
Each organisation will have to evaluate its own risk tolerance, based on its situational awareness and agreed susceptibility, and apply mitigations as appropriate.
Example 1

Situation: A public office/local authority holds an excessive amount of old finance records. Since these records are subject to the Official Information Act (OIA) (or Local Government Official Information and Meetings Act (LGOIMA)) until they are destroyed, every time the public office/local authority receives an OIA or LGOIMA request related to finance records, they need to search them all to find any information which is in scope.
Consequence: Several hours of staff time are wasted for each relevant OIA or LGOIMA request.
Risk score: Risk impact: 2 – Minor. Extra staff time is used, but the impact can be mitigated by reducing time spent on other projects. Risk likelihood: 5 – Almost Certain. The public office/local authority receives OIA or LGOIMA requests such as this at least once per year. Risk score: 16.
Mitigation: For public offices, use General Disposal Authority 6 to sentence corporate records such as finance and human resources and dispose of them. For local authorities, use the approved Retention and Disposal Schedule.

Example 2

Situation: An organisation decides to move to a new document management system. In the process of migrating records from the current system to the new one: records intended as archives are destroyed before they have met their retention periods, and records of short-term business value that should be destroyed are unnecessarily migrated to the new system.
Consequence: Non-compliance with the Public Records Act 2005 (PRA) due to the unauthorised destruction of public or local authority records, and the new system is unnecessarily clogged by records that have no business value, which requires additional staff time to search for the required records.
Risk score: Risk impact: 3 – Moderate. Extra staff time is used to deal with the consequences of being non-compliant with the PRA, and to search the system for required records. The reputation of the organisation can also be damaged by being non-compliant. Risk likelihood: 4 – Highly Probable. The organisation is planning a large scale migration process. Risk score: 17.
Mitigation: Consult all relevant records and information management staff before the migration takes place to ensure that all records of archival value and ongoing business value are migrated, and that records that have met their retention periods and can be destroyed are not migrated. This process should be documented with the relevant approvals given. Ensure also that good metadata schemas are adhered to and that the sentencing of the records is mapped to the new system in line with the public office’s Disposal Authority, General Disposal Authority, or the local authority’s Retention & Disposal Schedule, or to no disposal action.

Example 3

Situation: An organisation contracts out policy development work to third parties but fails to put recordkeeping disposal and retention conditions in third party contracts, and fails to make the contractors aware of their recordkeeping obligations under the Public Records Act 2005 in any induction processes.
Consequence: Important working papers or key policy documents could be destroyed.
Risk score: Risk impact: 2 – Minor. Extra staff time is used to recover documents that have been destroyed. Risk likelihood: 3 – Possible. Risk score: 8.
Mitigation: Put recordkeeping disposal and retention conditions in third party contracts. Managers should be upfront about recordkeeping obligations from the start, as mandatory training in recordkeeping should be a key feature of induction processes. Managers should work with contractors and Human Resources to ensure the consequences of unauthorised disposal of records are promoted in a policy.
H HOW TO MITIGATE CURRENT AND FUTURE DISPOSAL-OF-RECORDS RISKS
Identified records disposal risks can be modified and controlled when mitigation actions are applied. The mitigation of potential recordkeeping disposal risks involves identifying first the risk tolerance, and risk appetite, within the organisation.
The below table provides examples of actions that organisations can apply as part of operational business activity, and how the action mitigates recordkeeping disposal risks.
Recordkeeping disposal risks: Illegal disposal of records; privacy and information security risks are not managed; high likelihood of accidental releases of private or sensitive information.
Mitigation action: Appropriately sentencing records under a Disposal Authority, General Disposal Authority, or, for local authorities, a Retention & Disposal Schedule, and regularly performing destruction of records.

Recordkeeping disposal risks: Reputations of organisations are damaged as they are not able to demonstrate their compliance with legislative and regulatory requirements; organisations are not compliant with the Public Records Act 2005.
Mitigation action: Ensuring legislative requirements for recordkeeping are included in records management plans.

Recordkeeping disposal risks: Business objectives cannot be met.
Mitigation action: Ensuring that enterprise architecture planning and implementation reflects business activities.

Recordkeeping disposal risks: Unnecessary records of no business value are migrated to new business systems.
Mitigation action: Sentencing digitally-born records at the point of creation.

Recordkeeping disposal risks: Failing to consult with a variety of perspectives within the organisation during policy or procedure development, or during migrations to new business systems.
Mitigation action: Enabling and encouraging communication between Information Technology, Information Management and Privacy staff.

Recordkeeping disposal risks: Recordkeeping disposal risks are not identified early and reported.
Mitigation action: Continually checking and monitoring current and possible future recordkeeping disposal risks, which could lead to a revision of the risk or changes to procedures and processes, application of other mitigations, or upgrades to the recordkeeping and information management environment as part of ongoing records management procedure.
I HOW TO PLAN FOR FUTURE DISPOSAL-OF-RECORDS RISKS
Public offices and local authorities should regularly review and monitor recordkeeping disposal risks as part of overall risk management plans. The context for recordkeeping disposal risks will change within organisations as identified risks are explored, and mitigations for those risks are advanced or implemented. Further mitigations may be required and should be applied as circumstances change. The recordkeeping disposal risk component should include:
A method for regularly monitoring the progress of risks being mitigated, and the types of mitigations being applied; and
The means to continually review recordkeeping practice and the records and information management programme for potential additional recordkeeping disposal risks.