View Current

Records Management Policy

This is the current version of this document. To view historic versions, click the link in the document's navigation bar.

Section 1 - Purpose

(1) This policy sets out Charles Sturt University's (the University) obligations and responsibilities under the State Records Act 1998 (NSW) for the creation, management and disposal of University records.

Scope

(2) This policy applies to:

  1. all employees and contractors, consultants or others doing work for or on behalf of the University
  2. all University records.
Top of Page

Section 2 - Policy

Compliance

(3) The University, as a public office, must comply with the State Records Act 1998 (NSW) and the Standard on Records Management (NSW).

(4) The University and individual employees, contractors and consultants have records management obligations arising under a range of legal obligations and other external drivers, including legislation, mandated standards and contracts. Some examples of those external drivers include, but are not limited to:

  1. Higher Education Support Act 2003 (Cth)
  2. Higher Education Standards Framework (Threshold Standards) 2021 (Cth)
  3. Education Services for Overseas Students Act 2000 (Cth)
  4. Government Information (Public Access) Act 2009 (NSW)
  5. Australian Code for the Responsible Conduct of Research, 2018

(5) The University is also expected to retain complete and transparent records in order to maintain accountability and answer scrutiny from a range of external sources including, but not limited to:

  1. Commonwealth and state education departments 
  2. Australian Research Council (ARC) 
  3. National Health and Medical Research Council (NHMRC) 
  4. other funding bodies 
  5. industry partners 
  6. individual members of the public, who are entitled to request access to University information under the Government Information (Public Access) Act 2009 (NSW).

(6) The Legislative compliance guide (internal access only) and University policies provide further information about the University's compliance obligations, including requirements for records.

(7) All University practices and procedures concerning the management of University records must be in accordance with this policy and its related procedures.

Records management program

(8) For the purpose of s 12(b) of the State Records Act, the University’s records management program is the framework of processes and resources that support conformity with the Standard on Records Management. The elements of the program are defined as follows:

People
All University employees and other individuals within the scope of this policy who create and use University records.
Positions and roles with specific responsibilities as stated in this policy.
Policies, procedures and practices
This policy, its procedures and other supporting resources.
The University’s Legislative Compliance Guide.
Related policy texts such as the Privacy Management PlanInformation Technology Procedure – Information Security, Research Data Management Policy, Legal Policy, Legal Procedure – Legal Records [in development] and the Collections Policy.
Records and information asset plans and registers, work instructions and operating procedures developed by organisational units to support their records management practices.
Records
The records and information assets that support the University's functions and business requirements.
Monitoring processes
Processes and practices developed by organisational units to ensure records are being created, retained and disposed of as required.
Business continuity plans.
External reporting activities as required.
Information and records systems
Official University information systems recorded in the Applications Portfolio, including systems of record, records management systems and other general-purpose data storage systems.
Controls and processes to ensure business needs and compliance obligations are met.

Records management principles

(9) Management of University records is based on the following principles:

  1. The University recognises that records management is an important element of strong governance. Among other things, good University recordkeeping and records management:
    1. promotes consistency of practice, and continuity, efficiency and productivity in program delivery, management and administration
    2. provides evidence of actions and decisions
    3. supports policy formation and high level decision-making
    4. helps the University to deliver its services in consistent and equitable ways
    5. helps the University to make good use of precedents and organisational experience
    6. ensures transparency
    7. ensures the University can meet its evidentiary needs and obligations
    8. is vital to support the University's daily functions and operations
    9. enables retention of organisational memory
    10. ensures the University can meet its legal obligations and can demonstrate institutional accountability to its funders, collaborators and stakeholders.
  2. University records are the property of the University, and not of the employee, contractor or consultant who created or received them.
  3. Organisational units are responsible for day-to-day management of their records. Units are supported by the Policy and Records unit to develop consistent, compliant and appropriate records management practices.
  4. University records must be maintained and managed for as long as they are needed.
  5. Records management processes and arrangements are proportionate to the business value and risks associated with the record or information. In particular, records identified as high risk and high value will be prioritised.
  6. High risk and high value records will generally be those that:
    1. support the processes and functions that have a high or very high risk rating in the University's risk ratings matrix (under the Risk Management Policy)
    2. demonstrate the performance of the University’s principal functions under the Charles Sturt University Act 1989Higher Education Standards Framework (Threshold Standards) 2021 and Education Services for Overseas Students Act 2000
    3. hold personal or health information as defined in the Privacy Management Plan
    4. are required as State archives or have long term (50+ years) retention requirements.
  7. Access to University records must be appropriately authorised.
  8. University records will be managed securely and confidentially as necessary to:
    1. maintain accurate and up-to-date records of enrolments, progression, completions and award of qualifications
    2. prevent unauthorised or fraudulent access to private or sensitive information, including information where unauthorised access may compromise academic or research integrity
    3. document and record responses to formal complaints, allegations of misconduct, breaches of academic or research integrity and critical incidents
    4. demonstrate compliance with the Higher Education Standards Framework (Threshold Standards) 2021 and other obligations (see the ‘Compliance’ heading of this policy).
  9. University records and information assets will be maintained and appropriately managed across all formats, systems, operating environments (including cloud environments) and physical locations, and will be sustained through system and service transitions.
  10. Disposal and destruction of records will be systematic, accountable, authorised and legally appropriate.
  11. University records required as State archives are subject to additional requirements under the Collections Policy and related procedures.
  12. University records and information will be made available internally and to the public in accordance with legislation and business needs, subject to privacy, confidentiality, security, intellectual property and archival access requirements.

Breach of policy

(10) A breach of this policy, supporting procedures and/or the State Records Act should be reported as set out in the Compliance Assurance Procedure

(11) Where a breach of this policy or supporting procedures results in unauthorised access, disclosure or loss of personal information, this must be reported as set out in the Information Technology Procedure - Personal Data Breach.

Responsibilities

(12) Delegation schedule A – Governance and Legal and Delegation Schedule D - Facilities and Information Technology set out authorities to approve:

  1. access or disclosure of University information
  2. disposal or removal of University information.

(13) In addition to the delegated authorities, this policy sets out the following authorities and responsibilities:

Officer or body Authorities and responsibilities
Vice-Chancellor As head of the University, is responsible for ensuring that the University complies with the requirements of the State Records Act and the State Records Regulation 2015.
University Secretary As the nominated senior responsible officer under the Standard on records management, oversees compliance with and performance against the University’s records management obligations.
Manager, Policy and Records
As the University Secretary’s delegate, monitors compliance with and performance against the University's records management obligations.
Provides advice and training to University employees and organisational units regarding records management obligations.
Authorises record destruction in accordance with the State Records Act, retention and disposal schedules and the Records Management Procedure.
Executive Director, Division of Information Technology
Provides access to information systems that are capable of compliance with statutory requirements for records, information and data-keeping functionality (e.g. capturing, managing and protecting records).
Ensures that records and information management requirements are assessed in the  acquisition, maintenance and decommissioning of information systems.
Heads of all University organisational units
Ensure that appropriate systems and processes are in place for the creation, management and disposal of University records within their areas of responsibility.
Identify the high risk and high value records they are responsible for and protect these through risk management and business continuity plans and strategies.
Ensure that employees and others performing work on behalf of their unit (including contractors or other external parties) keep full and accurate records of the official University business they transact.
Band 7 heads of organisational units (or delegate) For University records, information and systems that the organisational unit has operational responsibility for, approve internal access to and sharing of records and information between systems and organisational units. This authority is subject to any restrictions or higher authorisation requirements under delegations, the Privacy Management Plan and/or the Legal Policy and its procedures.
Committee chairs and presiding officers Ensure that full and accurate records of business transacted by the committee (or working group, project team, etc.) are captured and retained.
All employees, contractors and consultants
Create and maintain full and accurate records of official University business that they transact.
Ensure University records are only used for proper and authorised purposes.
Protect University records in accordance with this policy and its procedures.
Manager, CSU Regional Archives and University Art Collection Takes custody of University records required as State archives.
Top of Page

Section 3 -  Procedures

(14) The following procedures support this policy:

  1. Records Management Procedure
  2. Records Management Procedure – Access: this procedure is in development and will consolidate:
    1. Government Information (Public Access) Procedure
    2. Personal Files Access Policy
    3. Records Management Policy - Student Records and Assessment Items Access
    4. TRIM Access and Security Policy
Top of Page

Section 4 -  Guidelines

(15) Nil.

Top of Page

Section 5 - Glossary

(16) In this policy:

  1. Applications Portfolio - means the University’s official register of application assets. This does not include items such as network systems, database management systems, active directories systems etc.
  2. High risk and high value records – means University records that are critical because they are the core business of the University and/or have continuing value to the University or the State of New South Wales. High risk and high value records are identified using the criteria at clause 9f. of this policy.
  3. Information asset – means a body of data, information or records defined and managed as a single unit so it can be understood, shared, protected and managed efficiently.
  4. Records management – (as defined by AS ISO 15486.1 2017) means the efficient and systematic control of the creation, receipt, maintenance, use and disposition of records, including processes for capturing and maintaining evidence of and information about business activities and transactions in the form of records.
  5. State archive – means a record that must be retained permanently and that the NSW State Archives and Records Authority is entitled to take control of under the State Records Act 1998.
  6. University record – (in accordance with State Records Act 1998 definitions) means any data or information, in any format or medium, made and kept or received and kept, by any person in the course of the exercise of official functions in the University, or for any purpose of the University, or for the use of the University.