Skip to main content
To top Back to top back to top

1. Introduction

Organisations often need to employ external parties to perform various business functions and activities. Engaging external parties has implications for information and records management. It is important that information and records management requirements are identified and addressed before making any agreement to outsource business. Any organisation that intends to outsource business needs to ensure that any related contracts include provisions for contractors and service providers to make, keep and properly manage relevant information and records.

The information in this document is intended as general guidance and is not comprehensive advice on how to manage the outsourcing. Seek legal and procurement advice when entering into contractual arrangements to outsource business.

2. Defining outsourcing

Outsourcing can be defined as the activities involved in arranging, procuring and managing the performance of work or the provision of services by an external contractor or consultant.

Outsourcing can occur in many forms. Some of the most common forms of outsourcing involve core business functions. For example, an organisation might outsource an infrastructure construction project or the provision of customer services.

Some activities can be outsourced to other public offices or local authorities. While these providers are covered by the Public Records Act 2005 (the Act), it is still appropriate to clarify the information and records management responsibilities in these arrangements.

3. Organisational responsibilities when outsourcing

Outsourcing a business function or activity does not lessen an organisation’s responsibility to ensure that it is carried out properly and that all requirements for information and records are met.

If records of an outsourced function or activity are not created or managed appropriately by a service provider, the organisation doing the outsourcing could be exposed to risk. Risks include:

  • failure to meet legislative obligations

  • loss of information or incomplete information on which to base decisions, provide services, or defend actions

  • loss of public accountability and transparency through inability to produce records of outsourced business.

And under the Act (s.17), an administrative head is considered to have failed his or her obligations if an organisation does not meet expectations for information and records management when outsourcing business.

3.1 Organisations have key responsibilities

When outsourcing business, organisations are responsible for ensuring that:

  • appropriate information and records of the outsourced functions or activities are made and kept

  • information and records of the outsourced functions or activities are securely managed and stored, both during and after the period of the outsourcing contract

  • ownership of information and records is clearly addressed and understood

  • information and records are accessible as appropriate and when required

  • information and records that are required after the contract has ended are returned

  • information and records of the outsourced business are disposed of lawfully.

3.2 Importance of your contract and establishing controls

The Act does not extend to a private sector service provider or outsourced organisation. This means that information and records management obligations should be clearly articulated in your contract with service providers to ensure that the obligations of the organisation are met. Build appropriate requirements: this is the primary means by which an organisation can meet its information and records management obligations. Managing the contractual relationship is key to ensuring that all information and records management requirements are met at all stages of the outsourced arrangement.

3.3 Outsourcing arrangements must be monitored

Organisations have a responsibility to follow up with monitoring of service providers and other checks to ensure that contractual arrangements are being met.

4. The role of a contract

The basis of the relationship between an organisation and a service provider is the official documentation of the agreement between the parties. Both the initial tender and contract are important for communicating information and records management requirements.

In making a decision about a provider, the contracting organisation must be confident that the provider can meet all legislative and policy requirements. This includes requirements for the proper management of information and records.

Any contract with an outsourced provider should include clauses relating to:

  • the information and records management requirements of the business being outsourced

  • compliance with the Act (and other relevant legislation)

  • compliance with standards for information and records management

  • ownership (including intellectual property) of information and records

  • timely information and records disposal

  • the return of information and records at the end of the contract

  • information and records security (including systems security and records storage security)

  • privacy management and protection of personal information

  • rights of access and arrangements for access to information and records

  • monitoring and inspection arrangements for compliance

  • the processes and penalties that apply when information and records requirements are not met.

5. Specifying access rights and privacy provisions

Any contract between an organisation and an outsourced service provider must specify access rights and restrictions related to records and information. A contract must also require that privacy obligations are met and that all private or sensitive information is protected.

5.1 Ensuring access to information held by a service provider

Under the Act (s.17(2)(3)), organisations must ensure that any contract with an outsourced service provider states that the organisation has immediate right of access to all information and records held by the service provider. The contract should also address privacy, confidentiality and public access considerations.

An organisation needs to ensure it has access to records to assess compliance with the requirements of a contract, and to meet other legal obligations.

5.2 Meeting privacy obligations and securing information

Organisations must ensure service providers are aware of their obligations to meet the requirements of the Privacy Act 2020 and the Government Chief Privacy Officer where appropriate.

Records generated during business may be confidential because they relate to individuals or have significant commercial value. This is particularly important to be aware of where records are used, linked or analysed in conjunction with other information or databases.

Contractual agreements with service providers should therefore include provisions to protect private or sensitive information. Where appropriate, they should point to the relevant policy statements of the organisation.

Information security must be considered in all outsourcing arrangements. This includes the use, transmission and storage of information and records.

6. Specifying information and records storage arrangements

The safe storage and proper preservation of information and records is required under the Act. Storage requirements are therefore a vital part in the management of information and records, and should be addressed in outsourcing arrangements.

To ensure the appropriate storage and preservation of information and records, an organisation must ensure that service providers:

  • store and manage information and records securely

  • manage information and records through migrations, systems changes and upgrades

  • protect information and records from loss and disaster

  • handle and transport information and records in a safe and secure manner

  • return specified information and records at the end of the contract.

7. Specifying authorised information and records disposal processes

Organisations have a responsibility to ensure that information and records are disposed of in accordance with the Act. The best way for an organisation to achieve this in an outsourcing arrangement is to specify, in a contract, which information and records disposal processes the contractor can use and which they cannot.

Organisations must ensure contractors do not unlawfully dispose of any information and records that are in their possession during an outsourcing arrangement. Unlawful disposal includes:

  • unauthorised destruction (for example, destruction that is contrary to the requirements in an authorised current disposal authority)

  • transfer to a third party

  • loss, damage or alteration.

Organisations need to:

  • be aware of the main methods for authorised disposal

  • communicate to service providers, through their contract, the authorised disposal processes that the service provider can use, and also those that are prohibited.

Some outsourcing arrangements last over long periods of time. In these cases, it may be practical to expect the service provider to destroy information and records periodically. Similarly, the contractor may be expected to transfer records back to the organisation periodically.

Information and records disposal that should be prohibited by an organisation in an outsourcing contract should include that which is carried out:

  • contrary to expectations set out in the outsourcing contract

  • corruptly or fraudulently

  • for concealing evidence of wrongdoing

  • for any other improper purpose.

8. Specifying the return of information and records at the end of a contract

Certain information and records that are created, received or generated during outsourced business will be essential to the ongoing conduct of that business. Failure to ensure that such information and records are transferred back to an organisation at the end of an outsourcing contract can seriously impact the organisation’s business continuity and accountability. It would also constitute a breach of the Act.

The outsourcing contract must make clear which information and records to return at the end of the contract. It is recommended to include these provisions:

  • restrictions on the service provider using the information and records for commercial profit, unless otherwise allowed in the contract

  • arrangements for information and records to be returned in a certain manner or format

  • agreed timeframes for the return of the information and records

  • deletion of any copies of information and records from the service provider’s systems once transferred.

Sometimes at the end of a contract an outsourcing organisation will identify an ongoing need for information and records from the service provider. Reasons for this include:

  • need for future referral by the contracting organisation (or another contractor) for any reason

  • continuing protection of sensitive or confidential information

  • use of the information and records to establish or protect the rights, entitlements or obligations of the contracting organisation or an individual

  • need for information and records to properly manage facilities or capital works owned by the contracting organisation

  • need for information and records to document the expenditure of public funds, such as the purchase of equipment or other assets

  • need for future research by the contracting organisation or an individual

9. Checklist: what to include in a contract

In their contract with a service provider, the contracting organisation should ensure that they have:

  1. Documented and provided the service provider with details of the information and records management requirements for the business being contracted.

  2. Provided details of the information, data and records that are to be returned to the organisation by the service provider at the end of the contract (or periodically)

  3. Specified the technical standards required to enable interoperability between the service provider and the contracting organisation's information and records system

  4. Specified what format information and records need to be returned in by the service provider at the end of the contract

  5. Included a statement of who owns the records created by the service provider (a contract also addresses who owns the intellectual property

  6. Included a statement regarding access rules and details of access arrangements for the records of the outsourced business, for the duration of the contract

  7. Included that the service provider keeps basic control information and related metadata about any records of the outsourced business to facilitate management, access and retrieval

  8. Included that the service provider must abide by the organisation's privacy management plan (or equivalent privacy statement) in terms of the information it keeps for the purpose of the contract

  9. Included that the service provider must classify or label information as specified by the organisation

  10. Authorised the service provider to carry out specific (lawful) disposal processes (in accordance with approved records retention and disposal authorities) for specified classes or types of records

  11. Specified restrictions on the use of information and records by the service provider for commercial or other purposes during the period of the contract

  12. Provided details of dispute resolution procedures

  13. Provided details of penalities for breach of contract, such as failure to return records to the organisation at the completion of the contract

  14. Included that the service provider must manage, secure and store records of the outsourced business in accordance with the Public Records Act 2005 and relevant standards (such as the Information and records management standard)

  15. Provided details of a mechanism by which the organisation can measure the service provider's compliance with the records requirements of the contract (including during and at end of the contract period)