Guidelines for Managing Electronic Documents in Australian Government Agencies - Document management principles

Copyright © Commonwealth of Australia 1995

  1. DOCUMENT MANAGEMENT PRINCIPLES
    1. IDENTIFY YOUR VALUABLE DOCUMENTS
    2. ENSURE THE QUALITY OF THE INFORMATION IN YOUR DOCUMENTS Guidelines for Managing Electronic Documents in Australian Government Agencies - Document management principles

      Guidelines for Managing Electronic Documents in Australian Government Agencies - Document management principles

      Copyright © Commonwealth of Australia 1995

      1. DOCUMENT MANAGEMENT PRINCIPLES
        1. IDENTIFY YOUR VALUABLE DOCUMENTS
        2. ENSURE THE QUALITY OF THE INFORMATION IN YOUR DOCUMENTS
        3. SECURE YOUR VALUABLE DOCUMENTS
          1. General
          2. Security Developments
        4. PROVIDE APPROPRIATE ACCESS TO YOUR DOCUMENTS
          1. Contextual Details
          2. Authentication Considerations
        5. PRESERVE YOUR VALUABLE RECORDS: THE ARCHIVAL PROCESS
          1. Archival Management of Electronic Records
          2. Appraisal
          3. Compliance With Disposal authorities
          4. Implementation of disposal authorities
          5. Access Over Time

      Document management principles

      first four principles discussed in this section apply to electronic documents generally, and the fifth to those documents which qualify as records for archival purposes. They are valid for both the fully electronic and the parallel systems strategies.

      1. Identify your documents;
      2. Ensure the quality of the information in your documents
      3. Secure your documents;
      4. Provide appropriate access to your documents;
      5. Preserve your valuable records: the archival process;

      IDENTIFY YOUR DOCUMENTS

      Information is a corporate asset and should be managed like other assets, with appropriate supporting management procedures and asset registers. The corporate strategic importance of the organisation's document holdings should be identified and linked to agencies' corporate or business plans, with reference to critical success factors and business objectives. An agency must have sufficient knowledge of its record holdings to meet basic accountability and legislative requirements.

      Critical business dependencies on internal and external document sources should have been identified and documented during your review, pointing to existing registers and catalogues and providing such details as volume, source, age, ownership and management responsibilities for the document. The review should also identify all general and specific disposal authorities relevant to the agency. Important business documents should be identified and their links to organisational functions examined.

      The Australian Archives has guidelines on how to identify valuable Commonwealth records in terms of the Archives Act 1983. Australian Archives should be contacted regarding archival processes and disposal authority issues.

      Standard procedures should be implemented for the creation of new documents and the archiving of old. Details of such changes should be communicated to relevant staff.

      The application of this principle will assist the organisation in the development and maintenance of file registries and retention schedules,and provide a high level view of the organisation's total document holdings.

      RECOMMENDED ACTION

      • Identify your document, paying particular attention to critical business dependencies on internal and external document sources, all general and specific disposal authorities and their links to organisational functions

      ENSURE THE QUALITY OF THE INFORMATION IN YOUR DOCUMENTS

      Accuracy of information and confidence in the stated level of accuracy are fundamental to information quality. Accuracy can be as simple as knowing that you have identified the authoritative version of a document.

      As part of managing information quality, an agency should have guidelines that help minimise the duplication of documents. Multiple copies or different versions of electronic documents can exist, and can be widely dispersed over an agency's communications network. It is important, therefore, to be able to identify the authoritative version of a document, especially where it has been through a drafting stage or has been distributed throughout the organisation for comment prior to it becoming the accepted record of a business activity. Management and system procedures should therefore be in place to address the issue of identifying the authoritative document.

      For documents which are records, destruction can occur as a Normal Administrative Practice, in conformance with the Archives Act, where document is :

      • duplicated (eg. a draft or information copy);
      • unimportant (eg. telephone message slips); or
      • of short facilitative value (eg. compliments slips, or some
      • computer test data).
      As a general rule, unimportant records which can be destroyed as Normal Administrative Practice are the equivalent of records that would not be placed on a registry file. All other Commonwealth records should only be destroyed under the terms of a disposal authority or as required by law. Guidance on what constitutes Normal Administrative Practice is outlined in Australian Archives' publication Just for the record . Unnecessary retention of redundant documents is costly and can hinder the effective retrieval of other document.

      The relationships between various document management environments should be identified, and procedures developed to address the migration of documents from one environment to another. Responsibilities for accurately capturing documents or records when they are transmitted by electronic mail or migrated across file servers should be clearly identified. Relationships with traditional record management systems should be clearly understood.

      The establishment of standards for the collection and maintenance of contextual information (information about the document ) is critical to information quality. In relation to electronic records, this contextual information can be captured principally through electronic document attributes (see Appendix ???).

      RECOMMENDED ACTION

      SECURE YOUR VALUABLE DOCUMENTS

      General

      These guidelines do not address specific requirements for handling classified electronic documents. Government agencies should observe the provisions of the Protective Security Manual produced by the Attorney-General's Department, as a basis for security planning issues. Part VI, Section 6.15, stipulates that each agency should develop and promulgate comprehensive system security policies, consistent with their agency security policy (see Sections 1.31 - 1.35) and the Protective Security Manual in general.

      Security in relation to electronic documents means maintaining their availability and confidentiality by minimising the risk of loss, corruption and unauthorised access. Security for electronic documents is as much a management issue as a technical issue, and it should be a part of the security arrangements which cover agencies' information systems generally.

      Availability

      Documents may be lost through systems failures and physical disasters such as fire or water damage, civil disturbances etc.

      RECOMMENDED ACTION

      • Set up effective back-up procedures, preferably automatic, and arrange off-site storage of back-up files.
      • Document the back-up, restart and recovery procedures clearly, and bring them to the attention of all staff concerned.
      • Prepare a disaster recovery plan (including location of back-ups, authority to access them, emergency hardware to be used, and procedures to rebuild the system), keep
      • A copy of the plan off-site, and test it annually.
      • Train pc users in agency back-up procedures, make them aware of the importance of following them.
      Documents may also be lost for all practical purposes because they are not capable of being found. With electronic documents standard registration procedures can be more easily enforced than with paper documents.

      RECOMMENDED ACTION

      • Establish a standard registration process for all documents which require such management. For information regarding document attributes, see Table ??? and Appendix A.

      Confidentiality

      Documents can also be lost due to unauthorised access, or deliberate interference causing corruption. Most breaches come from within an organisation. Standard system security packages are designed to counteract this threat, and some application systems have several levels of security built into them. The extent of the measures to be taken depends on the agency and on the sensitivity of the information.

      RECOMMENDED ACTION
      • Enforce sign-on discipline (eg unique sign-on identifiers for each authorised user, no group accounts, suspending unused identifiers, lockouts after three unsuccessful attempts to sign on, password-protected screen savers, and time-outs for inactive sessions on critical systems);
      • Enforce password discipline (eg passwords to be mandatory, changed frequently and stored in encrypted format, and their immediate reuse prevented);
      • Formalise procedures for granting access to information systems, including a declaration that the user will comply with the agency's information technology security policy;
      • Treat electronic documents like paper documents. If they are sensitive (eg staff-in-confidence or commercial-in-confidence), protect them. Saving them on a pc which has no access restrictions is a breach of security. Either put access restrictions on the pc or do not save sensitive material on the pc;
      • Make all authorised users aware of their responsibility to maintain confidentiality of document, to protect their passwords, to abide by their agency's security policy, and to report any breaches of which they become aware;
      • Employ encryption for both storage and transmission of confidential information; and educate staff as to the vulnerability of non-encrypted information held on networked pcs.

      Security Developments

      IT In general, Commonwealth Government information technology security policy issues are the responsibility of the Information Systems Security Policy Subcommittee of the Protective Security Policy Committee, which is chaired by the Commonwealth Attorney-General's Department (Federal Justice Office). The Subcommitte periodically issues Protective Security Bulletins and provides input to revisions of the Protective Security Manual. The Defence Signals Directorate, which is represented on the Subcommittee, provides information technology security advice to heads of Commonwealth agencies.

      The Commonwealth's Information Exchange Steering Committee, which is also represented on the ISSPS, has established an Information Technology Security Working Group to identify key issues and measures that agencies can take. The Working Group has produced draft guidelines addressing the following :

      • security standards for unclassified, restricted and in-confidence computer systems in Australian Government agencies;
      • interconnection user authentication and security issues; and
      • security guidelines for agency interconnections.
      The Working Group has also been considering best practices for secure passwords.

      RECOMMENDED ACTION

      • Keep in touch with security developments through responsible agencies.

      PROVIDE APPROPRIATE ACCESS TO YOUR DOCUMENTS

      Contextual Details

      As well as the procedural and technical requirements of network protocols and interfaces, sharing documents in electronic form requires consideration of access to contextual details (i.e., information about the context of the document).

      The contextual details required will depend on the length of time the document is to be retained and the range of persons and agencies with whom the document is to be shared. The longer the document is to be retained, and the wider the range of persons and agencies, the more contextual details will be required. Documents to be shared with International agencies, for example, will require details associated with the country of origin of the document.

      For technical purposes, the contextual details required will include the detailed format in which the document is encoded (Word Processing or Spreadsheet Package, or package-independent format, e.g., American Standard Code for Information Interchange (ASCII) or Rich Text Format (RTF). For document to be retained for extended periods, maintenance procedures may need to be set in place to convert the document to a package independent format.

      For retrieval purposes it is regarded as essential within an agency that enduring identifiers are included in the document attributes; eg Branch and Section names may only be used as identifiers for a limited period, as they may become meaningless after several reorganisations of an agency.

      Document attributes and identifiers are discussed in greater detail in Section ??? (see Table ??? and Appendix A).

      Authentication Considerations

      Authentication of both the source and receiver of document in electronic form is another technical issue requiring consideration.

      Within an agency the authentication issue will normally be handled by the document management software, ie the receiver of a message or the person who accesses a corporate document should be assured that the author of the message or the document is the person who claims authorship.

      Between agencies these requirements may be covered by existing and/or emerging standards for EDI (ISO EDIFACT standards), but in situations where an EDI format has not yet been developed or where EDI facilities are not in place in both the donor and receiving agencies, special care needs to be taken to verify that both the sender and the receiver are the agencies that they claim to be.

      In early 1994, the IESC's EDI Subcommittee conducted a review of the possible development of a Public Key Authentication Facility (PKAF) ie, the use of a digital signature for each message. The need for such a facility is particularly important in an environment where electronic documents are not able to be legally attributed to the person or organisation who sends them across wide area networks, posing the possible problem of wide-spread fraud. The PKAF Working Group has prepared a proposal for the establishment of such a system, based on legal foundation, for consideration by the IESC.

      Another issue to be addressed in the development of security and sharing arrangements is the need for compliance with legal requirements which are common to all Commonwealth Government agencies, and with those which are specific to particular agencies.

      RECOMMENDED ACTION

      IT specialists should be involved in the development of an agency's electronic document management policy, drawing on strategies outlined in its information technology planning.

      PRESERVE YOUR VALUABLE RECORDS: THE ARCHIVAL PROCESS

      Archival Management of Electronic Records

      As mentioned in the introduction, some electronic documents will be records, and all Commonwealth agencies are responsible for the management, over time, of records of permanent value, including those held in electronic form in mainframe, mid-range and PC environments.

      The specific objectives are:

      • that records of permanent value, held within automated systems, are identified in clear and unambiguous ways;
      • that the internal management of automated systems accommodates the identification and tracking of permanent value records in electronic document format;
      • that provision of long term access be provided to permanent value records in electronic format; and
      • that permanent value records in electronic document format are preserved over time.
      There are four important aspects to be considered:

      • appraisal;
      • compliance with disposal authorities;
      • implementation of disposal authorities; and
      • access over time.

      Appraisal

      Australian Archives appraisal criteria classify records as being of either permanent or temporary value, with specified retention periods for the latter. Like paper records, electronic records that are records must be appraised, to identify those of permanent value (value to agency business, and those with national significance).

      Consultation with the Australian Archives, or incorporation of Australian Archives appraisal criteria at the development or implementation stage of electronic document management systems, should ensure :

      • appropriate strategies are developed for the management of records of differing value;
      • permanent value records will be preserved;the public can gain access to records where appropriate;
      • document and attributes of permanent value records can be identified for transfer to Australian Archives where and when required; and
      • disposal authorities are in place for records that will be managed by the system.
      Australian Archives appraisal criteria are outlined in the Australian Archives Disposal Manual. The appraisal process should include the following basic steps :

      • assess the functions of the organisation, and the interrelationships of functions (in other words, what is the 'business' of the organisation ?) ;
      • determine the inherent value of this business for the purpose of appraisal ;
      • consider the scope of records created by the functions or activities of the organisation (business transactions records) ;
      • assess the overall ongoing value of these records, in terms of documentary evidence of the organisation's business; and
      • examine groups of records, using recommended appraisal criteria, in cooperation with Australian Archives.
      Standard appraisal criteria applicable to all records, irrespective of format, are as follows :

      • administrative uses;
      • legal values;
      • evidence of rights or obligations;
      • financial value;
      • evidence of policy and precedence;
      • research value;
      • commercial value; and
      • cost.
      Joint appraisal of electronic records by an agency and Australian Archives will result in the issuing of a disposal authority, which will identify the length of time electronic records need to be kept, as well as authorising the destruction of redundant records.

      Ideally, appraisal of electronic records should occur before an estimate of costs for any new system is submitted for agency approval, to ensure that costs associated with building an archival component into the system are included in the overall funding submission, and to ensure that unnecessary costs are not incurred due to unnecessary over-retention. A similar evaluation against costs of management should be made of documents that are not records.

      Compliance With disposal authorities

      The disposal of Commonwealth records involves a process of assessing the value of records for future use, identifying those which should be retained permanently, and identifying how soon the remainder can be destroyed or other disposal action taken (eg the transfer of ownership or custody of the records). It also involves authorising actions arising from the assessment (eg records sentencing); this action is usually automated and should be considered at the functional requirements stage prior to the implementation of any electronic document management system. This could involve holding archiving rules and retention requirements within computer systems or within the agency's document management system, and having the system automatically transfer the 'permanent value' documents to the appropriate medium and dispose of the remaining records after specified periods of retention.

      Section 24 of the Archives Act 1983 provides that records are not to be disposed of without the consent of Australian Archives unless the action of disposal is positively required by law, or takes place in accordance with a Normal Administrative Practice. Advice on the provisions of the Archives Act is obtainable from Australian Archives' National and State Offices.

      A disposal authority is prepared as part of an agency's records disposal program. The two important objectives of such a program are :

      • to ensure that records are kept only for as long as they are of value; and
      • to enable the destruction or other disposal of records once they are no longer of value.
      An Authority's provisions take into account both the administrative requirements of the agency in discharging its functional responsibilities and the potential research use of the records by the Government and the public. An Authority is used in conjunction with General disposal authorities (originally known as General Disposal Schedules) which are issued by Australian Archives to cover housekeeping and other administrative records common to most Commonwealth agencies. Current agency- specific disposal authorities and relevant General disposal authorities should be appropriately recorded.

      Implementation of disposal authorities

      Disposal authorities are developed to account for records of value according to the functions of the agency. Functionally-valuable records may be in a variety of formats on a variety of media: paper, fiche or electronic.

      Once disposal authorities have been agreed, they need to be implemented, and the relevant electronic records need to be maintained and managed over time in accordance with the disposal authorities. The systems that create such records should include appropriate references that reflect compliance with the disposal authorities. Appropriate tools for electronic document management in the office automation environment are becoming available, and should be considered for possible evaluation, preferably in the context of successful implementations in other Commonwealth agencies.

      Access Over Time

      If electronic records are worth keeping, then they should be accessible. Agencies usually allow for the provision of short term access to electronic records to meet immediate business requirements, but they should also allow for long term access, including public access after records are 30 years old. Information managers need to be aware that the Archives Act assures statutory right of public access to government records (with some exemptions) once the records are 30 years old (the 'open access' period). Therefore access provisions to permanent value electronic records need to be catered for.

      To meet the requirements of the Archives Act, no record more than 25 years old should be modified, and Australian Archives will need to be informed of electronic record holdings which have been in existence for more than 25 years. Archives maintains a register of long term value record series and a register of public access decisions relating to them.

      As long as electronic records remain with an agency it must make provision for migrating valuable electronic records across software and hardware upgrades and be able to provide access to such records over time. The public have right of access to cleared records in the open period (30 years after creation).

      RECOMMENDED ACTION

      • Develop disposal authorities in consultation with Australian Archives to include electronic documents.
      • Include compliance with Archives Act obligations in any specification for an electronic document management system.
      • Adopt data storage and migration strategies which will ensure long-term access to electronic documents.