Recordkeeping - general, digital, cloud computing information sheet [PDF]

Dec 19, 2012 - Cloud computing is a means to achieve outsourcing of records storage and presents a number of opportuniti



Information sheet
Recordkeeping – general, digital, cloud computing

Key facts:

General recordkeeping

• All public authorities in Queensland, including Health statutory agencies, are required to comply with recordkeeping requirements under the Public Records Act 2002 (the Act) and have regard to relevant policies, standards and guidelines released by the Queensland State Archivist.

• The Act requires a public authority to ‘make and keep full and accurate records of its activities’ (section 7).

• A public record is defined as recorded information that documents the business decisions and actions of a public authority. Public records are not restricted to just paper records and can exist in any format, for example, emails, maps, records in databases and business systems, and audio-visual material.

• Resources are available on the Queensland State Archives (QSA) website to assist public authorities to understand and implement recordkeeping practices in accordance with the Act (refer Attachment 1).

• It is a requirement of principle 7, Information Standard 40: Recordkeeping (IS40) for records to be categorised according to a Business Classification Scheme (BCS). Health statutory agencies may wish to adapt the Queensland Health BCS for use by their agency or start with an administrative BCS (Keyword AAA) available from QSA and perform a functional analysis to develop terms for those things that are unique to the agency (links provided at Attachment 1).

• A minimum set of recordkeeping metadata should be applied to all public records. Please refer to the Queensland Recordkeeping Metadata Standard and Guideline for more information (link provided at Attachment 1).

• Records and information should be classified, stored, handled, and disposed of according to IS40 and Information Standard 31: Retention and disposal of public records (IS31) (links provided at Attachment 1).

• Records can only be disposed of under the authority of the State Archivist. This authorisation is generally given through an approved retention and disposal schedule (RDS). Upon authorisation of an RDS, the health statutory agencies are responsible for the implementation of the RDS and the sentencing and disposal of their public records (links to current RDSs provided at Attachment 1). This can take place without further reference to the QSA. Records that meet the criteria for disposal should only be disposed of after approval from your CEO (or delegate) has been granted.

• Records that have met their minimum retention period according to an RDS that has been approved by the State Archivist may be disposed of in accordance with the principles outlined in IS31. Prior to the disposal of any records, checks should be undertaken to ensure the records are not required to be retained for a longer period of time to satisfy legal (e.g. previous or pending legal action), legislative (e.g. has been subject to RTI application) or ongoing business use.

Digital recordkeeping

• Public records are increasingly created digitally, for example, emails, spreadsheets, word-processed documents, photographs, presentation slides, websites and information in business systems.

• All records, including those created, communicated and maintained electronically, must be managed in line with the Act. The Electronic Transaction Act 2001 also has implications for public authorities to capture, keep and preserve electronic communications in electronic form for future reference.

• Public authorities should develop strategies to maintain digital records in a fixed and unaltered form for as long as they are required under an approved RDS. QSA provides a suite of digital recordkeeping information to assist public authorities to comply with current legislation (refer Attachment 1).

Retention and disposal

• Records that have met their retention period as set out in an approved RDS and which are not needed for any business/financial purposes etc. do not need to be retained and/or digitised.

• If digitised copies of records are stored (by a cloud provider or elsewhere) they cannot be marked as being destroyed in a recordkeeping system and may still be retrieved, for example, through a Right to Information request if relevant. The public authority would also still be responsible for the management and ongoing access to these records regardless of where they are stored.

• Hard copy records that have a permanent retention period in an approved RDS are deemed ineligible for digitisation under the Digitisation Disposal Policy. Responsibility for the custody of these records remains with the health statutory agency for the life of the records. Permanent records can also be transferred to the QSA, with the approval of the State Archivist (refer to the QSA ‘Transfer and storage of records guide’ – link provided at Attachment 1).

• Hard copy records that have a temporary retention period in an approved RDS may be disposed of if the requirements of the Digitisation Disposal Policy are met (refer link to policy and supporting advice at Attachment 1).

Cloud computing

• Cloud computing is a means to achieve outsourcing of records storage and presents a number of opportunities for records and information management. However, if considering the use of cloud computing, health statutory agencies should be aware of the associated risks, particularly given that agencies remain responsible for any records stored by a cloud provider.

• Records stored as part of cloud computing arrangements may be subject to risks such as:
  – the same threats and risks as records stored anywhere, such as records being destroyed as a result of a disaster (e.g. fire or flood)
  – records being destroyed or compromised as a result of a cyber attack
  – loss of access or unauthorised access
  – multiple copies and backups stored in a number of areas
  – failure to comply with relevant legislation
  – records may not be disposed of properly (or at all), creating implications for privacy and right to information, especially where records contain personal or sensitive information (refer also ‘Retention and Disposal’ section above).

Information privacy and confidentiality [1]

• Cloud computing poses a range of privacy and confidentiality issues, which an agency will need to address and mitigate with appropriate legal, contractual and operational procedures as the cloud service provider assumes responsibility for hosting the information.

• When contemplating using cloud facilities it is recommended that a Privacy Impact Assessment (PIA) be conducted to identify and manage risk to protect personal or confidential information prior to making a decision about the use of cloud computing. Links to the Office of the Information Commissioner (OIC) introductory guide to conducting PIAs and a Queensland Health checklist available for Hospital and Health Services (HHSs) are provided at Attachment 1.

• Public authorities (except HHSs) must comply with the privacy principles in Schedule 3 of the Information Privacy Act 2009 (IP Act) when dealing with personal information [2]. The privacy principles include rules about contracted service providers, and about transferring personal information outside of Australia, which are likely to be relevant when agencies are considering using cloud service providers.

• HHSs are obliged to comply with the National Privacy Principles listed in Schedule 4 of the IP Act, which set out the rules for how personal information is to be collected, managed, used and disclosed by Queensland government agencies.

• HHSs are also subject to the confidentiality provisions in Part 7 of the Hospital and Health Boards Act 2011, which governs the collection of information in the context of providing a public sector health service.

• Where an agency is contracting with a service provider, and, as part of the service arrangement there will be an exchange of personal information, the agency is usually obliged to take reasonable steps to bind the service provider to comply with the privacy principles as part of the contract or service arrangement. If an agency fails to take reasonable steps to do so, they can be liable for privacy breaches by the service provider.

• Section 33 of the IP Act allows the transfer of personal information outside of Australia only in certain circumstances. Agencies should check where a cloud provider operates from, even when dealing with an Australian company. If the provider, or the hardware used by that provider, is not located in Australia, agencies will need to ensure they comply with section 33 for any personal information sent to the cloud. Section 33 can be complied with, in most cases, where an agency ensures they have a robust contract with the cloud provider which details how personal information will be collected, stored, used, disclosed and accessed.

• The privacy principles do not, by any means, prevent the use of cloud computing services by agencies. However, if entering into any cloud computing agreements, contractual arrangements relating to specific recordkeeping requirements should be identified and documented. Refer to the OIC guideline ‘Cloud computing and the privacy principles’ and the further resources listed at Attachment 1.

[1] The privacy and confidentiality information provided in this information sheet is general in nature and should not be relied upon as specific advice. If in doubt, seek advice from your Privacy and Confidentiality Contact Officer, lawyer or the Office of the Information Commissioner.

[2] If the information is de-identified or is not personal information (e.g. policies or technical reports), the IP Act will not apply (although public records and right to information legislation would still apply).

Attachments:

• Attachment 1 – Links to recordkeeping resources

Contact for further information:

Contact: Office of Health Statutory Agencies
Telephone: 3234 1705
Email: [email protected]

Revision history:

Date | Version no. | Description of change / revision
19/12/2012 | v.1.0 | Endorsed first version
23/05/2014 | v.2.0 | Reviewed May 2014


Attachment 1
Links to recordkeeping resources

Legislation

• Public Records Act 2002
  https://www.legislation.qld.gov.au/LEGISLTN/CURRENT/P/PublicRecA02.pdf
• Electronic Transactions (Queensland) Act 2001
  https://www.legislation.qld.gov.au/LEGISLTN/CURRENT/E/ElectronTrQA01.pdf
• Hospital and Health Boards Act 2011
  https://www.legislation.qld.gov.au/LEGISLTN/CURRENT/H/HHNA11.pdf
• Information Privacy Act 2009
  https://www.legislation.qld.gov.au/LEGISLTN/CURRENT/I/InfoPrivA09.pdf
• Right to Information Act 2009
  https://www.legislation.qld.gov.au/LEGISLTN/CURRENT/R/RightInfoA09.pdf

General recordkeeping

• Queensland State Archives
  www.archives.qld.gov.au
• Information Standard 40: Recordkeeping & Information Standard 31: Retention and disposal of public records
  http://www.archives.qld.gov.au/Recordkeeping/Governance/Pages/Default.aspx#1
• Queensland Health Business Classification Scheme v2.1
  http://qheps.health.qld.gov.au/srmt/html/bcs.htm
• Keyword AAA – a standard thesaurus developed by State Records NSW and available free of charge under a whole-of-government licence agreement. To obtain a copy, contact QSA at [email protected]
• Queensland State Archives: Classification
  http://www.archives.qld.gov.au/Recordkeeping/Fundamentals/Pages/Classification.aspx
• Queensland Recordkeeping Metadata Standard and Guideline
  http://www.archives.qld.gov.au/Recordkeeping/GRKDownloads/Documents/QRKMS.pdf
• Queensland Government Information Security Classification Framework
  http://www.qgcio.qld.gov.au/images/documents/QGEA_documents/QGEA/QGISCF_v3_1_0.pdf

Approved retention and disposal schedules

• General Retention and Disposal Schedule for Administrative Records (updated March 2014)
  http://www.archives.qld.gov.au/Recordkeeping/GRKDownloads/Documents/GeneralDisposalSchedule.pdf
• Health Sector (Clinical Records) Retention and Disposal Schedule
  http://www.archives.qld.gov.au/Recordkeeping/GRKDownloads/Documents/Health_sector_clinical_records_retention_and_disposal_scheduleQDAN683v1.pdf
• Other retention and disposal schedules are available at:
  http://www.archives.qld.gov.au/Recordkeeping/RetentionDisposal/Pages/RDS-alpha.aspx#_H
  (A Hospitals Foundation Sector Retention and Disposal Schedule will be available soon.)
• Queensland State Archives: Transfer and storage of records guide
  http://archives.qld.gov.au/Recordkeeping/Transfer/Pages/Default.aspx

Digital recordkeeping

• Queensland State Archives – Digital recordkeeping
  http://www.archives.qld.gov.au/Recordkeeping/Digital/Pages/default.aspx
• Queensland State Archives – Digitisation Disposal Policy
  http://www.archives.qld.gov.au/Recordkeeping/GRKDownloads/Documents/Digitisation_Disposal_Policy_version_2.pdf
• Queensland State Archives – Retention and disposal (digitising and disposing of paper records)
  http://www.archives.qld.gov.au/Recordkeeping/RetentionDisposal/Pages/default.aspx

Cloud computing

• Managing recordkeeping risks associated with cloud computing (QSA)
  http://www.archives.qld.gov.au/Recordkeeping/GRKDownloads/Documents/managing_recordkeeping_risks_cloud_computing.pdf
• Advice on managing the risks associated with cloud computing (Australasian Digital Recordkeeping Initiative)
  http://www.adri.gov.au/content/products/cloud-computing.aspx
• Legal Update: Cloud computing may be convenient but guides needed to avoid procurement pitfalls
  http://crownlaw.govnet.qld.gov.au/publications/documents/Legal%20Updates/Cloud_computing_2.pdf
• Cloud Computing Guideline (Queensland Government Chief Information Office)
  http://www.qgcio.qld.gov.au/products/qgea-documents/545-technology/2454-cloud-computing-guideline
• Cloud computing and the privacy principles (OIC)
  http://www.oic.qld.gov.au/guidelines/for-government/guidelines-privacy-principles/applying-the-privacyprinciples/cloud-computing-and-the-privacy-principles
• Information Privacy and the Management of Public Records (QSA)
  http://www.archives.qld.gov.au/Recordkeeping/GRKDownloads/Documents/Information_Privacy_and_the_Management_of_Public_Records_Public_RecordsBrief.pdf
• Privacy proofing your project – An introductory guide to conducting Privacy Impact Assessments (OIC)
  http://www.oic.qld.gov.au/guidelines/for-government/guidelines-privacy-principles/privacycompliance/privacy-proofing-your-project-an-introductory-guide-to-conducting-privacy-impact-assessments
• A Queensland Health Privacy Impact Assessment checklist is available to Hospital and Health Services (via the intranet) at:
  http://qheps.health.qld.gov.au/alt/docs/privacy_impact_assessment.pdf
• Privacy guideline section 6 – Transfer of personal information out of Australia (OIC)
  http://www.oic.qld.gov.au/guidelines/for-government/guidelines-privacy-principles/transferring-personalinformation-out-of-australia
