Information asset and recordkeeping procedure

Audience

Department wide

Purpose

Provide the requirements for managing the department’s information throughout its lifecycle including data, information assets and records.

Provide the requirements for recordkeeping practices within the department to meet legislative obligations.

Overview

The department is required under the Queensland Government’s Information asset custodianship policy (IS44) to identify and register information assets and assign roles and responsibilities to information assets, to protect information in accordance with Information security policy (IS18:2018), to make full and accurate records in accordance with the Records governance policy and lawfully dispose records in accordance with the Records governance policy.

The department is required under the Public Records Act 2002 (Qld), Financial Accountability Act 2009 (Qld), Financial and Performance Management Standard 2019 (Qld) and other legislation and administrative requirements to keep and maintain records of the department's activities.

Responsibilities

Director-General

• is accountable for information management and recordkeeping activities of the department
• has authority to delegate 'responsible officers' for the disposal of business records under Public Records Act 2002 (Qld)
• has authority to delegate 'authorised officers' to set and change restricted access periods and approve access to restricted records under the Public Records Act 2002 (Qld)
• holds authority for the disposal of original paper records after digitisation.

Deputy Director-General, Corporate Services

• has delegation as an ‘authorised officer’ to set and change restricted access periods and approve access to restricted records, including those held by Queensland State Archives, under the Public Records Act 2002 (Qld)
• has delegations as a ‘responsible officer’ to authorise the disposal of business records (except the disposal of original paper records after digitisation which requires Director-General approval).

Information custodians - Assistant Director-Generals and nominated executive directors

Information custodians are accountable for the overall management of information, maintaining its relevance and ensuring that information under their control can be found, used and disseminated appropriately. Accountabilities include:

• ensuring information products are sourced to meet strategic needs
• ensuring the accuracy of conceptual information maps and data flow diagrams
• ensuring acceptable level/standard of information quality is defined
• determining when an information product is no longer required to be collected, stored and/or retained.

Other responsibilities:

• authorising appropriate methods of data collection and sourcing
• approving an appropriate information security classification and applicable privacy considerations (for a list of pre-approved classifications, refer to the Information asset register (DoE employees only))
• authorising the storage of any information products.

For a list of information custodians and the information within their control, refer to the Information asset register (DoE employees only).

Assistant Director-General, Information and Technologies

• has delegation as a ‘responsible officer’ by the Director-General under the Public Records Act 2002 (Qld) to authorise the disposal of business records (except the disposal of original paper records after digitisation which requires Director-General approval)
• has delegation as an ‘authorised officer’ to set and change restricted access periods and approve access to restricted records, including those held by Queensland State Archives, under the Public Records Act 2002 (Qld).

Employees

All employees are responsible for managing the safe transport, storage of and access to departmental information. This includes:

• managing all information (physical and electronic) in a manner consistent with its approved information security classification (for a list of pre-approved classifications, refer to the department’s Information asset register (DoE employees only)
• managing records (received or created) that provide evidence of the business of the department including capturing information required to be created or kept under statutory legislation with financial or legal implications and which may come under scrutiny
• capturing and maintaining all records within an authorised recordkeeping system to maintain them. For corporate users, the department’s authorised recordkeeping system is Content Manager. The department's email system and file hosting share drives (e.g. OneDrive) are not authorised recordkeeping systems
• takes reasonable precautions to protect all information against unauthorised access, illegal or unauthorised use, disclosure, modification, duplication, disruption and/or destruction
• ensuring that requests and the handling of departmental records containing personal information are managed in accordance with the Information privacy and right to information procedure
• making sure any intellectual property including copyright is appropriately identified, labelled and registered in accordance with the Copyright and other Intellectual Property (DoE employees only)
• ensuring records are retained and disposed of following the department's Records retention and disposal (DoE employees only) and that any disposals are authorised by a 'responsible officer' as outlined in this procedure
• completing the Keys to managing information (DoE employees only) online training course upon induction to the department and as a subsequent refresher training program on an annual basis. This applies to all corporate staff and specific school-based roles (please refer to the Mandatory Annual Training - Ready Reckoner: 2022 Edition).

Managers, directors, principals and above

• manages approvals to access and use departmental information within the bounds of approval granted by the information custodian
• ensures appropriate information management and recordkeeping processes and training within their business unit or school, including through encouraging staff to undertake the Keys to managing information course refresher
• ensures the management of financial records is in accordance with applicable financial practices, including the Queensland Government Financial Management Practice Manual (FMPM) website (DoE employees only)
• secures information from unauthorised access, amendment or disclosure in accordance with the Information security classification and handling guideline
• ensures appropriate access controls are implemented and enforced such that classified or sensitive records are only available on a need-to-know basis
• ensures all records are retained as required for business, legislative, accountability and cultural needs in accordance with authorised retention and disposal schedules:
  • Queensland State Archives General Retention and Disposal Schedule (GRDS)
  • Education and Training Sector Retention and Disposal Schedule (ETRDS) (DoE employees only).

Principals or, executive directors or above

• have delegation as ‘responsible officers’ to dispose of business records in accordance with the department's Records retention and disposal (DoE employees only) and in consultation with Director, Information and Governance Management. This excludes the disposal of original paper records after digitisation which requires Director-General approval and consultation with the Director, Information and Governance Management
• in the case of schools, where a cloud-based solution will hold/holds departmental information, an information risk assessment must be performed (which can be found on Service Centre Online) considering:
  • any information risk assessment that results in an initial Low or Medium risk rating may be accepted by the principal
  • where the initial risk rating result is High or Extreme, the designated information custodian must be consulted and agree to accept the risk
  • should the information custodian not agree to accept the risk, the information cannot be held in the cloud-based solution.

Solution managers and ‘information stewards’

Solution managers and ‘information stewards’ are responsible for the management of a specified ICT solution or service. In this role they must:

• implement and manage electronic processes to support the transfer/collection of sourced information in-line with legislative, regulatory and custodian requirements
• implement security controls commensurate with the approved information security classification and privacy restrictions
• implement data entry controls to support quality standards/requirements as outlined by the information custodian
• develop and maintain conceptual information maps and data flow diagrams
• ensure records that are generated as part of an ICT business system are captured and retained in accordance with the department’s Records retention and disposal (DoE employees only) within an authorised recordkeeping system
• liaise with the Director, Information and Governance Management for the migration of information from ICT business systems that do not have recordkeeping capability
• ensure records being held long term are retrievable in the format they have been captured in
• for Closed Circuit Television (CCTV) systems, maintain full and accurate records (i.e. adequate, complete, meaningful, authentic, secure, accessible, and usable) which must be kept according to the Queensland State Archives' Surveillance and monitoring records.

Director, Information and Governance Management, Digital Transformation, Information and Technologies Branch

• manages and maintains the department's information asset register
• manages, advises on and implement departmental records management activities including retention and disposal, digital continuity, authorised recordkeeping systems, training and other activities to ensure compliance with the Public Records Act 2002 (Qld) and whole-of-government recordkeeping practices
• manages the processes to sentence and dispose of records in accordance with legislation
• sets standards for requirements of authorising systems to manage records
• provides advice to employees performing risk assessments and business needs analysis relating to the disposal of original hardcopy (paper) records after digitisation and seeking Director-General approval. Refer to the Queensland State Archives’ Dispose of source records web page for further details.

Process

Information asset management

Information custodians and stewards must develop and implement processes to manage information assets throughout their lifecycle, including adherence to intellectual property, right to information and all other legislative and regulatory obligations. Administrative management processes include:

• reviewing the information asset annually, whether available publicly or internal to the department, to ensure it is relevant, accurate and that the quality and integrity is maintained
• updating and maintaining the information asset's metadata within the department's Information asset register (DoE employees only)
• reviewing and updating business continuity and disaster recovery plans regularly to reflect current processes, contacts and to ensure required equipment is readily available.

Hardcopy records management

Employees must manage hardcopy records in their care by:

• ensuring the hardcopy record is marked with an information security classification as per Information security classification and handling guideline
• ensuring requirements under the Copyright and other Intellectual Property (DoE employees only) are complied with
• consulting with the Director, Information Management when undertaking digitisation of the hardcopy (original paper) record when required through scanning, ensuring compliance with the Public Records Act 2002 (Qld) and other legislative requirements and seeking Director-General approval. This includes a risk assessment and business needs analysis, as not all hardcopy records can be destroyed following digitalisation. Refer to the Queensland State Archives’ Dispose of source records web page for further details.

Electronic records management

Employees must manage electronic records in their care by:

• creating documents to include metadata such as date of creation, status, version, information security classification, purpose and contact (including business unit or school), if appropriate, to assist in any future release of documents
• creating or inputting data or information within an ICT business system or authorised recordkeeping system complete and/or review for currency and accuracy any required metadata
• inserting within the document’s footer the information security classification as per Information security classification and handling guideline
• ensuring requirements under the Copyright and other Intellectual Property (DoE employees only) are complied with
• storing or saving information in a central repository on the departmental corporate network and not saving local copies on device hard drives. Ensure (where it is not possible to centrally store records), records that are created and captured by mobile devices or removable media are transferred to an authorised recordkeeping system as soon as possible
• capturing the title and providing information about the record consistently to assist in later retrieval of the record, in accordance with the authorised recordkeeping system's required processes and the department's Records Management Manual:
  • Queensland State Archives' glossary of recordkeeping terms
  • Business Classification Plan (DoE employees only) (a quick guide to controlled vocabulary used for classifying, titling and indexing records).

Definitions

Legislation

• Financial Accountability Act 2009 (Qld), part 4-5
• Financial and Performance Management Standard 2019 (Qld)
• Public Records Act 2002 (Qld)

Delegations/Authorisations

• Nil

Other resources

• Information Management (DoE employees only)
• Financial Management Practice Manual (FMPM) (DoE employees only)
• Queensland Government - Information asset custodianship policy (IS44)
• Queensland Government - Information security policy (IS18:2018)
• Queensland Government - Records governance policy
• Information privacy and right to information procedure
• Copyright and other Intellectual Property (DoE employees only)
• Use of ICT systems procedure
• CCTV use in schools procedure
• Information security classification and handling guideline
• Business Classification Plan (DoE employees only)
• Queensland State Archives - Glossary of recordkeeping terms
• Queensland State Archives - Dispose of source records web page
• Queensland State Archives - Surveillance records web page
• Education and Training Sector Retention and Disposal Schedule (ETRDS)
• General Retention and Disposal Schedule (GRDS)
• Information asset register (DoE employees only)
• Keys to managing information (DoE employees only)
• Mandatory Annual Training - Ready Reckoner: 2022 Edition
• Records retention and disposal (DoE employees only)

Superseded versions

Previous seven years shown. Minor version updates not included.

1.0 Information asset and recordkeeping

1.0 Information Management (IM)