Document Comments

Bulletin Board - Review and Comment

Step 1 of 4: Provide comments and feedback

How to make a comment

1. Use the Protected Document to open a comment box for a specific section, part, heading or clause.

2. Enter your feedback into the comment box and click ‘save comment’.

3. There is an opportunity to leave general comments and feedback on the second page.

4. Complete all three pages – make sure you ‘save and continue’ and ‘finalise submission’ before leaving the bulletin board.

5. You will be emailed a pdf copy of your comments. If you don’t receive this, your comments may not have saved correctly.

 

 

Important Information

The following tips will help to avoid losing your comments or corrupting your entries:

  1. Sessions may time out, so submit multiple responses instead of trying to complete a long document in one session. 

  2. Avoid jumping between web pages/applications while logging comments.

  3. Log comments for one document at a time. Complete and submit all comments for one document before commenting on another.

  4. Use paste as plain text in the comment boxes if you need to copy and paste from another source (e.g. Word, email or other web content). 

  5. You can’t save your progress, so if you need to stop, submit your current set of comments. The system will email you a copy of your comments so you can identify where you were up to and add to them later.

  6. Complete all three stages and ‘finalise submission’ before leaving the bulletin board. 

 

Records Management Procedure

Section 1 - Purpose

(1) This procedure supports the Records Management Policy by setting out processes and requirements to ensure the safe custody and proper preservation of University records.

Top of Page

Section 2 - Policy

(2) See the Records Management Policy.

Top of Page

Section 3 - Procedures

Part A - Identify and create records

Identify record needs

(3) Organisational units will determine the University records they need to create and keep by considering:

  1. applicable legal obligations and other external drivers relevant to their function, including legislation, regulatory requirements, mandated standards and contract obligations
  2. evidence required when an authority is exercised and other requirements under rules, delegations and policies relevant to their function
  3. business requirements of the unit
  4. internal and external expectations for evidence, information, accountability and scrutiny
  5. relevant NSW general disposal authorities
  6. advice from the University's Policy and Records unit.

(4) The following resources may help an organisational unit identify its record needs:

  1. What records do I need to keep? – RM Skills Hub
  2. Record and information asset management plan template
  3. Records management guide - managing web content

Create records

(5) University records must be routinely created during the normal business practice of individuals, organisational units and committees, to provide evidence of decisions and actions taken as part of their work or function.

(6) If an activity does not automatically generate records (such as business activities or transactions performed in an information system), processes must be established to create them (for example, minutes taken at meetings, recording a conversation or documenting it afterwards).

(7) University records must be reliable and trustworthy with enough information and metadata to give meaning and context to each record. This might include capturing additional information about who made a decision, when, why or under what authority, if a system based process does not automatically capture this.

Part B - Store, use and protect records

Record storage requirements

(8) University records must be stored in an appropriate system or location that allows them to be:

  1. identifiable, retrievable and accessible for as long as they are required
  2. protected from unauthorised or unlawful access, destruction, loss, deletion or alteration.

(9) In addition to the provisions in this part, some record types will have specific requirements under other University policies or procedures, including but not limited to:

  1. Research Data Management Procedure
  2. Legal Procedure - Legal Records

(10) University records (both physical and electronic/digital) that are stored outside of New South Wales must be done so in accordance with the general disposal authority GA35 – Transferring records out of NSW [etc].

High risk and high value records

(11) The Records Management Policy provides the criteria for identifying high risk and high value records. All high risk and high value records and information must:

  1. be registered on the information asset register (maintained by the Office of Governance and Corporate Administration) with details about where/how they are stored and how the records management compliance obligations are being met
  2. be included in business continuity plans for critical processes, identifying risks to the records and any appropriate processes for monitoring and managing those risks.

Electronic records and information systems

(12) Electronic/digital records must be captured as soon as practicable in a University-managed information system, such as one of the following:

  1. The system of record: the business information system that creates the record, with appropriate controls and processes in place to ensure compliance obligations are met (e.g. Banner, Brightspace, Ascender, CASIMS/CDAP, Tweek!, Protecht or CRM).
  2. A records management system: one of the University's approved, compliant record-keeping systems (e.g. Unirecords for corporate records, the student record management system for student records).
  3. A general purpose data storage system: for records that are not high risk or high value, University supported storage or platforms (e.g. shared/S drive, Confluence or OneDrive) may be used, with appropriate controls and processes in place to ensure compliance obligations are met.

(13) Exchange Online (the University email system) will retain captured emails for seven years (for non-executive staff) or permanently (for executive staff). However, Exchange Online is not a records management system and appropriate controls and processes must be used to meet compliance obligations such as longer retention periods, privacy, security, and disposal. These requirements must be determined based on the content of the email and the activity or transaction it records.

(14) Microsoft Teams is a communication and collaboration tool, which does not have the necessary functionality and controls to be an appropriate recordkeeping system. The Recordkeeping Directive – MS Teams Chat provides guidance on appropriate business communication methods and recordkeeping measures.

(15) Organisational units can assess whether an information system meets their recordkeeping compliance obligations using the NSW State Archives and Records checklist for assessing business systems. The checklist also details whether additional controls or processes are required for a record or system. Policy and Records can be contacted for assistance.

(16) Information systems must be reassessed for records management compliance if they undergo major upgrades or changes in functionality or content. This includes instances where systems move from the University to an external service provider.

Physical records

(17) Digitising records is preferred to physical storage, except where:

  1. the time and resources required would not be proportionate with the value or retention requirements of the records in scope
  2. digitisation is not appropriate for the existing format of the record
  3. destruction of the original or source record would not be allowed under general disposal authority GA45 – Original or source records that have been copied.

(18) Physical records must be stored in suitable locations and protected from loss, damage or unauthorised access in accordance with the NSW standard on the physical storage of State records.

(19) In the event of damage to or loss of physical records, contact Policy and Records, who are responsible for formally notifying State Records NSW, in accordance with the NSW Standard

(20) Where physical records are digitised:

  1. the physical record must be retained for at least three months to allow for quality assurance or disaster recovery. After this, a request to destroy should be made in accordance with this procedure
  2. the digitised records must be in a sustainable file format, in line with the State Records NSW’s preferred file formats and specifications.

Records that must be stored in Unirecords

(21) Certain University records must be captured into the University's corporate records management system, Unirecords:

  1. Unirecords provides the University's contract register. All signed agreements, contracts, leases and licenses must be captured in Unirecords as soon as possible. Where the value of the agreement exceeds $150,000, it must be registered and captured in Unirecords within 40 days of signing, to enable reporting and disclosure as required by the Government Information (Public Access) Act 2009 (GIPA Act).
  2. Electronic records with a permanent retention period (that is, required as State archives) must be stored in Unirecords. Exemptions are permitted where the record is comprised of structured data and metadata elements in a system of record, or as otherwise authorised by the Manager, Charles Sturt University Regional Archives & University Art Collection.

Security of records

(22) All University data, information and records must be classified under the University's Information Classification and Handling Procedure as either:

  1. public
  2. internal
  3. confidential, private
  4. highly sensitive.

(23) To promote efficient business practices, University records should by default be classified as ‘internal’ unless:

  1. there is a reasonable need to make the records ‘confidential, private’, or ‘highly sensitive’ (for example, personal or health records, commercial in confidence records)
  2. the records can be classified as ‘public’ because they are intended for public disclosure and consumption, or are otherwise identified as the University’s open documents under the GIPA Act.

(24) Access, security and user permissions for University systems and locations holding University records and information must be documented and implemented.

(25) Security requirements for University systems are set out in the Information Technology Policy and the Information Security Guidelines.

(26) Security for physical storage of University records must be in accordance with the Standard on Physical Storage of State Records – Principle 6.

(27) The Division of Information Technology document storage matrix includes information about the security capabilities of University information systems.

Access to records

(28) See the Records Management Policy - Student Records and Assessment Items Access.

Part C - Retention and disposal of records

Retention

(29) Minimum record retention periods for NSW public offices are set through general retention and disposal authorities (GDA) under the State Records Act. The Archiving and destroying records website lists GDAs that apply to University records.  The RM Skills Hub also includes links to specific information about how long to keep each type of record.

(30) Minimum retention requirements may also be specified in other legislation, standards or University policies applicable to a business activity. Where different retention periods apply, the longer one must be satisfied.

(31) Notwithstanding clauses 29-30, a direction from any court or tribunal, statutory body, commission or governing agency, must also be satisfied.

(32) University records must only be kept for longer than the minimum retention period if they are demonstrably required for ongoing business purposes, or for historical or research purposes. Longer retention requires consideration of the University's business needs, resource impacts, public interest and privacy obligations.

(33) Where University records held beyond the minimum retention period contain personal, sensitive or health information (as described in the Privacy Management Plan) the new retention period must be discussed with the University Ombudsman (as the University's Privacy Officer).

State and University archives

(34) University records identified as State archives (requiring permanent retention) or requiring long term retention (50+ years) must be transferred to the CSU Regional Archives or captured in Unirecords once administrative use ceases.

(35) Access directions must be in place for all University records that are 30+ years old. The University has a number of access directions approved by the State Archives and Records Authority.

Destruction of records

(36) University records (including records held in information systems or with service providers) must only be destroyed where either:

  1. the destruction has been approved via an application for destruction (see the ‘Requests to destroy’ heading below)
  2. a pre-approval for the destruction has been authorised  (see the ‘Pre-approval to destroy’ heading below)
  3. the disposal or destruction is allowed under normal administrative practice (NAP) (see the ‘Normal administrative practice’ heading below).

(37) University records may only be destroyed where there are no disposal alerts, court orders or other disposal suspension directives in place related to the records.

(38) The destruction of University records must be undertaken in a secure manner that is appropriate to the format and relevant security classification.

(39) Destruction of University records must be documented (unless destroyed under NAP) with a record of destruction retained in accordance with the relevant retention and disposal authorities.

(40) Information about appropriate methods of destruction of records is available from NSW State Archives and Records.

Requests to destroy

(41) Organisational units wishing to destroy University records must complete an Authority to destroy records form. This form must be signed by:

  1. the Manager, Policy and Records, to confirm that retention requirements have been met
  2. the appropriate unit manager, to confirm the records are no longer required for business purposes
  3. the party undertaking the destruction, to confirm that the records have been securely destroyed. This may be an external party (e.g. the system vendor for decommissioned systems or a document shredding/recycling company).

(42) The completed, signed authority must be returned to the Manager, Policy and Records for capture and retention in Unirecords.

(43) A record of destruction must be retained by the organisational unit for 20 years in accordance with State Records NSW retention requirements.

Pre-approval to destroy

(44) Pre-approval to destroy University records may be given where:

  1. the record is not high risk or high value
  2. the minimum retention period is low (generally less than two years or ‘until administrative reference use ceases’)
  3. using an information system’s automated deletion functions would better meet the University's obligations for the secure, confidential and timely destruction of personal or sensitive information than submitting a request to destroy.

(45) Pre-approved destruction processes must:

  1. be authorised by the Manager, Policy and Records and the appropriate unit manager
  2. have a means of documenting the destruction (for example, an audit log) that can be retained in accordance with the relevant retention and disposal authority
  3. be regularly monitored and reviewed by the organisational unit.

Normal administrative practice

(46) The State Records Regulation 2024 allows certain records to be disposed of as part of normal administrative practice (NAP) with no further approval or documentation required.

(47) The following are types of University records that may be destroyed under NAP, however, see schedule 2 of the State Records Regulation 2024 for exceptions:

  1. drafts and working papers (e.g. background notes, reference materials) that do not contain significant decisions, discussions or rationale not covered by the final record
  2. copies or duplicates of University records
  3. computer support records once they have been acted upon or superseded and are not required for ongoing business requirements
  4. ephemeral facilitating instructions (for example: corrections of typing errors, changes to formatting or distribution lists)
  5. low risk, ‘for your information’ messages that do not require action by the recipient
  6. unused forms, stationery and templates
  7. externally published material including solicited and unsolicited advertising material.

(48) The destruction of University records under NAP must be undertaken in a secure manner that is appropriate to the format and content of the record.

Part D - Miscellaneous

Monitoring the records program

(49) Records and information management activities, systems and processes must be monitored for accountability and to ensure business needs are being met.

(50) The Manager, Policy and Records will conduct reviews and report on overall compliance with the State Records Act and the Records Management Policy as required under the Compliance Management Procedure.

(51) Organisational units must ensure that their high risk, high value information assets are accounted for in their business continuity plans under the Resilience Policy.

(52) Security and access to information systems holding University records must be monitored and reviewed in accordance with the Information Security Guidelines Part D.

Employees leaving their position

(53) When an employee leaves their position they must make arrangements for the ongoing custody of University records for which they were responsible. This includes ensuring records are left accessible to others or ensuring records that are no longer required have been properly stored or destroyed in accordance with this procedure.

Top of Page

Section 4 - Guidelines

(54) Nil.

Top of Page

Section 5 - Glossary

(55) This procedure uses terms defined in the Records Management Policy, as well as the following:

  1. Access direction – means a direction that a series, group or class of records is open to public access after 30 years or closed to public access for a longer period of time to protect sensitive information.
  2. Administrative use – means records that are still in use by the organisational unit and/or for the business purpose for which it was created. Under the State Records Act, records more than 25 years old are presumed not in use.
  3. Digitising – means converting a physical record to a digital format for management and preservation (e.g. scanning or imaging a physical document, transferring tape or disc recordings to computer storage).
  4. Normal administrative practice – means the process allowing for the lawful disposal of low value, transitory or ephemeral records generated or accumulated as part of standard business practices, as outlined in Schedule 2 of the State Records Regulation 2024.