(1) This procedure supports the Records Management Policy by setting out processes and requirements to ensure the safe custody and proper preservation of University records. (2) See the Records Management Policy. (3) Organisational units will determine the University records they need to create and keep by considering: (4) The following resources may help an organisational unit identify its record needs: (5) University records must be routinely created during the normal business practice of individuals, organisational units and committees, to provide evidence of decisions and actions taken as part of their work or function. (6) If an activity does not automatically generate records (e.g. business activities or transactions performed in an information system), processes must be established to create them (e.g. minutes taken at meetings, recording a conversation or documenting it afterwards). (7) University records must be reliable and trustworthy with enough information and metadata to give meaning and context to the record. This might include capturing additional information about who made a decision, when, why or under what authority, if a system based process does not automatically capture this. (8) University records must be stored in an appropriate system or location that allows them to be: (9) In addition to the provisions in this part, some record types will have specific requirements under other University policies or procedures, including but not limited to: (10) University records (both physical and electronic/digital) that are stored outside of New South Wales must be done so in accordance with the general disposal authority GA35 – Transferring records out of NSW [etc]. (11) The Records Management Policy provides the criteria for identifying high risk and high value records. All high risk and high value records and information must: (12) Electronic/digital records must be captured as soon as practicable in a University-managed information system, such as one of the following: (13) Exchange Online (the University email system) will retain captured emails for seven years (for non-executive staff) or permanently (for executive staff). However, Exchange Online is not a records management system and appropriate controls and processes must be used to meet compliance obligations such as longer retention periods, privacy, security, and disposal. These requirements must be determined based on the content of the email and the activity or transaction it records. (14) Microsoft Teams is a communication and collaboration tool, which does not have the necessary functionality and controls to be an appropriate recordkeeping system. Therefore, staff must ensure that their communications are documented appropriately. (15) Organisational units can assess whether an information system meets their recordkeeping compliance obligations using the NSW State Archives and Records checklist for assessing business systems. The checklist also details whether additional controls or processes are required for a record or system. The Policy and Records Unit can be contacted for assistance. (16) Information systems must be reassessed for records management compliance if they undergo major upgrades or changes in functionality or content. This includes instances where systems move from the University to an external service provider. (17) Digitising records is preferred to physical storage, except where: (18) Physical records must be stored in suitable locations and protected from loss, damage or unauthorised access in accordance with the NSW standard on the physical storage of State records. (19) Where physical records are digitised: (20) Certain University records must be captured into the University's corporate records management system, Unirecords: (21) More information about Unirecords is available on the Records Management website. (22) All University data, information and records must be classified under the University's Data Security Classification Scheme as either: (23) To promote efficient business practices, University records should by default be classified as ‘internal’ unless: (24) Access, security and user permissions for University systems and locations holding University records and information must be documented and implemented. (25) Security requirements for University systems are set out in the Information Technology Policy and the Information Security Guidelines. (26) Security for physical storage of University records must be in accordance with the Standard on Physical Storage of State Records – Principle 6. (27) The Division of Information Technology document storage matrix includes information about the security capabilities of University information systems. (28) See the Records Management Procedure – Access. (29) Minimum record retention periods for NSW public offices are set through general retention and disposal authorities (GDA) under the State Records Act. The Archiving and destroying records website lists GDAs that apply to University records. (30) Minimum retention requirements may also be specified in other legislation, standards or University policies applicable to a business activity. Where different retention periods apply, the longer one must be satisfied. (31) Notwithstanding clauses 28-29, a direction from any court or tribunal, statutory body, commission or governing agency, must also be satisfied. (32) University records may be kept for longer than the minimum retention period if they are required for ongoing business purposes, or for historical or research purposes. Longer retention requires consideration of the University's business needs, resource impacts, public interest and privacy obligations. (33) Where University records held beyond the minimum retention period contain personal, sensitive or health information (as described in the Privacy Management Plan) the new retention period should be discussed with the University Ombudsman (as the University’s privacy officer). (34) University records identified as State archives (requiring permanent retention) or requiring long term retention (50+ years) must be transferred to the CSU Regional Archives or captured in Unirecords once administrative use ceases. (35) Access directions must be in place for all University records that are 30+ years old. The University has a number of access directions approved by the State Archives and Records Authority. (36) University records (including records held in information systems or with service providers) must only be destroyed where either: (37) University records may only be destroyed where there are no disposal alerts, court orders or other disposal suspension directives in place related to the records. (38) The destruction of University records must be undertaken in a secure manner that is appropriate to the format and relevant security classification. (39) Destruction of University records must be documented (unless destroyed under NAP) with a record of destruction retained in accordance with the relevant retention and disposal authorities. (40) Information about appropriate methods of destruction of records is available from NSW State Archives and Records. (41) UniMarket lists the document shredding and recycling companies that may be used for the destruction of University paper records. (42) Organisational units wishing to destroy University records must complete an Authority to destroy records form. This form must be signed by: (43) The completed, signed authority must be returned to the Manager, Policy and Records for capture and retention in Unirecords. (44) Pre-approval to destroy University records may be given where: (45) Pre-approved destruction processes must: (46) The State Records Regulation allows certain records to be disposed of as part of normal administrative practice (NAP) with no further approval or documentation required. (47) The following are types of University records that may be destroyed under NAP, however, see schedule 2 of the State Records Regulation for exceptions: (48) The destruction of University records under NAP must be undertaken in a secure manner that is appropriate to the format and content of the record. (49) Records and information management activities, systems and processes must be monitored for accountability and to ensure business needs are being met. (50) The Manager, Policy and Records will conduct reviews and report on overall compliance with the State Records Act and the Records Management Policy as required under the Compliance Management Procedure. (51) Organisational units must ensure that their high risk, high value information assets are accounted for in their business continuity plans under the Resilience Policy. (52) Security and access to information systems holding University records must be monitored and reviewed in accordance with the Information Security Guidelines Part D. (53) When an employee leaves their position they must make arrangements for the ongoing custody of University records for which they were responsible. This includes ensuring records are left accessible to others or ensuring records that are no longer required have been properly stored or destroyed in accordance with this procedure. (54) Nil. (55) This procedure uses terms defined in the Records Management Policy, as well as the following:Records Management Procedure
Section 1 - Purpose
Section 2 - Policy
Section 3 - Procedures
Part A - Identify and create records
Identify record needs
Create records
Part B - Store, use and protect records
Record storage requirements
High risk and high value records
Electronic records and information systems
Physical records
Records that must be stored in Unirecords
Security of records
Access to records
Part C - Retention and disposal of records
Retention
State and University archives
Destruction of records
Requests to destroy
Pre-approval to destroy
Normal administrative practice
Part D - Miscellaneous
Monitoring the records program
Employees leaving their position
Section 4 - Guidelines
Section 5 - Glossary
View Current
This is the current version of this document. To view historic versions, click the link in the document's navigation bar.