content-left-bg.png
content-right-bg.png

Information asset and recordkeeping procedure

Version number 1.4 | Version effective 25 November 2024
PublishingPageContent
Information asset and recordkeeping procedure

Audience

Department wide

Purpose

Provide the requirements for managing the department’s information throughout its lifecycle including data, information assets and records.

Provide the requirements for recordkeeping practices within the department to meet legislative obligations.

Overview

The department is required under the Queensland Government’s Information asset custodianship policy (IS44) to identify and register information assets and assign roles and responsibilities to information assets, to protect information in accordance with Information security policy (IS18:2018), to make full and accurate records in accordance with the Records governance policy and lawfully dispose records in accordance with the Records governance policy.

The department is required under the Public Records Act 2023 (Qld), Financial Accountability Act 2009 (Qld), Financial and Performance Management Standard 2019 (Qld) and other legislation and administrative requirements to keep and maintain records of the department's activities.

Responsibilities

Director-General

  • is accountable for information management and recordkeeping activities of the department
  • has authority to delegate 'responsible officers' for the disposal of business records under Public Records Act 2023 (Qld)
  • has authority to delegate 'authorised officers' to set and change restricted access periods and approve access to restricted records under the Public Records Act 2023 (Qld)
  • holds authority for the disposal of original paper records after digitisation.

Deputy Director-General, Corporate Services

  • has delegation as an ‘authorised officer’ to set and change restricted access periods and approve access to restricted records, including those held by Queensland State Archives, under the Public Records Act 2023 (Qld)
  • has delegations as a ‘responsible officer’ to authorise the disposal of business records (except the disposal of original paper records after digitisation which requires Director-General approval).

Information custodians - Assistant Director-Generals and nominated executive directors

Information custodians are accountable for the overall management of information, maintaining its relevance and ensuring that information under their control can be found, used and disseminated appropriately. Accountabilities include:

  • ensuring information products are sourced to meet strategic needs
  • ensuring the accuracy of conceptual information maps and data flow diagrams
  • ensuring acceptable level/standard of information quality is defined
  • determining when an information product is no longer required to be collected, stored and/or retained.

Other responsibilities:

  • authorising appropriate methods of data collection and sourcing
  • approving an appropriate information security classification and applicable privacy considerations (for a list of pre-approved classifications, refer to the Information asset register (DoE employees only))
  • authorising the storage of any information products.

For a list of information custodians and the information within their control, refer to the Information asset register (DoE employees only).

Assistant Director-General, Information and Technologies

  • has delegation as a ‘responsible officer’ by the Director-General under the Public Records Act 2023 (Qld) to authorise the disposal of business records (except the disposal of original paper records after digitisation which requires Director-General approval)
  • has delegation as an ‘authorised officer’ to set and change restricted access periods and approve access to restricted records, including those held by Queensland State Archives, under the Public Records Act 2023 (Qld).

Employees

All employees are responsible for managing the safe transport, storage of and access to departmental information. This includes:

  • managing all information (physical and electronic) in a manner consistent with its approved information security classification (for a list of pre-approved classifications, refer to the department’s Information asset register (DoE employees only)
  • managing records (received or created) that provide evidence of the business of the department including capturing information required to be created or kept under statutory legislation with financial or legal implications and which may come under scrutiny
  • capturing and maintaining all records within an authorised recordkeeping system to maintain them. For corporate users, the department’s authorised recordkeeping system is Content Manager. The department's email system and file hosting share drives (e.g. OneDrive) are not authorised recordkeeping systems
  • takes reasonable precautions to protect all information against unauthorised access, illegal or unauthorised use, disclosure, modification, duplication, disruption and/or destruction
  • ensuring that requests and the handling of departmental records containing personal information are managed in accordance with the Information privacy breach and privacy complaints procedure
  • making sure any intellectual property including copyright is appropriately identified, labelled and registered in accordance with the Copyright and other intellectual property procedure (DoE employees only)
  • ensuring records are retained and disposed of following the department's Records retention and disposal schedule (DoE employees only) and that any disposals are authorised by a 'responsible officer' as outlined in this procedure
  • completing the Keys to managing information (DoE employees only) online training course upon induction to the department and as a subsequent refresher training program on an annual basis. This applies to all corporate staff and specific school-based roles (please refer to the Mandatory annual training - ready reckoner: 2025 edition).

Managers, directors, principals and above

  • manages approvals to access and use departmental information within the bounds of approval granted by the information custodian
  • ensures appropriate information management and recordkeeping processes and training within their business unit or school, including through encouraging staff to undertake the Keys to managing information course refresher
  • ensures the management of financial records is in accordance with applicable financial practices, including the Queensland Government Financial Management Practice Manual (FMPM) (DoE employees only)
  • secures information from unauthorised access, amendment or disclosure in accordance with the Information security classification and handling guideline
  • ensures appropriate access controls are implemented and enforced such that classified or sensitive records are only available on a need-to-know basis
  • ensures all records are retained as required for business, legislative, accountability and cultural needs in accordance with authorised retention and disposal schedules:

Principals or, executive directors or above

  • have delegation as ‘responsible officers’ to dispose of business records in accordance with the department's Records retention and disposal schedule (DoE employees only) and in consultation with Director, Information and Governance Management. This excludes the disposal of original paper records after digitisation which requires Director-General approval and consultation with the Director, Information and Governance Management
  • in the case of schools, where a cloud-based solution will hold/holds departmental information, an information risk assessment must be performed (which can be found on Service Centre Online) considering:
    • any information risk assessment that results in an initial Low or Medium risk rating may be accepted by the principal
    • where the initial risk rating result is High or Extreme, the designated information custodian must be consulted and agree to accept the risk
    • should the information custodian not agree to accept the risk, the information cannot be held in the cloud-based solution.

Solution managers and ‘information stewards’

Solution managers and ‘information stewards’ are responsible for the management of a specified ICT solution or service. In this role they must:

  • implement and manage electronic processes to support the transfer/collection of sourced information in-line with legislative, regulatory and custodian requirements
  • implement security controls commensurate with the approved information security classification and privacy restrictions
  • implement data entry controls to support quality standards/requirements as outlined by the information custodian
  • develop and maintain conceptual information maps and data flow diagrams
  • ensure records that are generated as part of an ICT business system are captured and retained in accordance with the department’s Records retention and disposal schedule (DoE employees only) within an authorised recordkeeping system
  • liaise with the Director, Information and Governance Management for the migration of information from ICT business systems that do not have recordkeeping capability
  • ensure records being held long term are retrievable in the format they have been captured in
  • for Closed Circuit Television (CCTV) systems, maintain full and accurate records (i.e. adequate, complete, meaningful, authentic, secure, accessible, and usable) which must be kept according to the Queensland State Archives' Surveillance and monitoring records.

Director, Information and Governance Management, Digital Transformation, Information and Technologies Branch

  • manages and maintains the department's information asset register
  • manages, advises on and implement departmental records management activities including retention and disposal, digital continuity, authorised recordkeeping systems, training and other activities to ensure compliance with the Public Records Act 2023 (Qld) and whole-of-government recordkeeping practices
  • manages the processes to sentence and dispose of records in accordance with legislation
  • sets standards for requirements of authorising systems to manage records
  • provides advice to employees performing risk assessments and business needs analysis relating to the disposal of original hardcopy (paper) records after digitisation and seeking Director-General approval. Refer to the Queensland State Archives’ Dispose of source records web page for further details.

Process

Information asset management

Information custodians and stewards must develop and implement processes to manage information assets throughout their lifecycle, including adherence to intellectual property, right to information and all other legislative and regulatory obligations. Administrative management processes include:

  • reviewing the information asset annually, whether available publicly or internal to the department, to ensure it is relevant, accurate and that the quality and integrity is maintained
  • updating and maintaining the information asset's metadata within the department's Information asset register (DoE employees only)
  • reviewing and updating business continuity and disaster recovery plans regularly to reflect current processes, contacts and to ensure required equipment is readily available.

Hardcopy records management

Employees must manage hardcopy records in their care by:

Electronic records management

Employees must manage electronic records in their care by:

  • creating documents to include metadata such as date of creation, status, version, information security classification, purpose and contact (including business unit or school), if appropriate, to assist in any future release of documents
  • creating or inputting data or information within an ICT business system or authorised recordkeeping system complete and/or review for currency and accuracy any required metadata
  • inserting within the document’s footer the information security classification as per Information security classification and handling guideline
  • ensuring requirements under the Copyright and other intellectual property procedure (DoE employees only) are complied with
  • storing or saving information in a central repository on the departmental corporate network and not saving local copies on device hard drives. Ensure (where it is not possible to centrally store records), records that are created and captured by mobile devices or removable media are transferred to an authorised recordkeeping system as soon as possible
  • capturing the title and providing information about the record consistently to assist in later retrieval of the record, in accordance with the authorised recordkeeping system's required processes and the department's Records management's OnePortal site:

Definitions

Term

Definition

Authorised officer

For this procedure, an officer who is delegated by the Director-General as an ‘authorised officer’ is authorised to set and change restricted access periods and approve access to restricted records under the Public Records Act 2023 (Qld).

Authorised recordkeeping system

An ICT business system designed to capture, manage and provide access to records through time, that is intended to preserve the context, authenticity and integrity of the records. Authorisation is provided by a principal, an executive director or above, ensuring compliance with recordkeeping requirements such as Public Records Act 2023 (Qld) and Queensland Government Records governance policy.

Examples of approved recordkeeping systems (DoE employees only) include Content Manager for regional and central offices, the OneSchool (DoE employees only) suite of applications for schools.

ICT business systems that do not qualify as an authorised recordkeeping system include email systems (such as Outlook), OneDrive, Teams, network drives.

Further information can be found in the Records management's OnePortal site (DoE employees only).

Employee

Any permanent, temporary, seconded, casual or contracted staff member, contractors and consultants or other person who provides services on a paid basis to the department that are required to comply with the department's policies and procedures. Within schools this includes principals, deputy principals, heads of department, head of curriculums, guidance officers, teachers and other school staff. Volunteers depending on the engagement may not be considered employees but should have regard for this procedure.

Information asset

An identifiable collection of data stored in any manner and recognised as having value for the purpose of enabling the department to perform its business functions.

Information custodian

An Information Custodian implements and maintains information assets and associated ICT resources according to the rules set in cooperation with the ‘owner’ to ensure proper quality, security, integrity, correctness, consistency, privacy, confidentiality and accessibility throughout its lifecycle. Custodian may be referred to as information custodian, data custodian or business system custodian or subject matter expert.

Information product

May be a dataset or an information artefact that has been compiled/created using data sourced from one or more points of origin.

Records

Records can be in hardcopy, electronic or any other form that provides evidence a business transaction has taken place or a decision has been made.

Responsible officer

For this procedure, an officer who is delegated by the Director-General as a ‘responsible officer’ is authorised to dispose of business records under the Public Records Act 2023 (Qld).

Solution manager / information steward

A steward has the authority and accountability for ICT solutions or services that hold information assets, and approves the rules by which the solution/service is managed.

Legislation

Delegations/Authorisations

  • Nil

Other resources

Superseded versions

Previous seven years shown. Minor version updates not included.

1.0 Information asset and recordkeeping

Review date

01 November 2018
Attribution CC BY
SocialMedia_BottomRight