Implementation guide
We have written this guide to help your organisation understand and apply the requirements of the Information and records management standard. The Information and records management standard was issued by the Chief Archivist on 22 July 2016.
The standard’s purpose
The standard covers information and records in any format. It has been designed to support digital recordkeeping as the public sector continues its transition to digital business processes. The purpose of the standard is to ensure that business is supported by sound, integrated information and records management in complex business and information environments. This approach better reflects the way that most organisations now manage their information assets.
The earlier standards
This standard is the result of consolidating and streamlining the requirements from these Archives New Zealand standards:
Records Management Standard for the New Zealand Public Sector 2014
S4 Access Standard 2006
S5 Digital Recordkeeping Standard 2010
AS/NZS ISO 13028: 2012, Information and documentation – Implementation Guidelines for digitization of records
The standards above have been revoked and incorporated into this standard.
Further requirements for local authorities and approved repositories
Local authorities and approved repositories must follow:
the Protection and preservation of protected records: Instruction to local authorities
the Maintenance of public archives: Instruction to approved repositories
How to implement the standard
This document sets out three principles:
Principle 1: Organisations are responsible for managing their information and records
Principle 2: Information and records management supports business
Principle 3: Information and records are well managed
Under each principle are listed the minimum compliance requirements, an explanation for each requirement, and key guidance for implementing the requirements. This guidance will be regularly added to.
Principle 1: Organisations are responsible for managing information and records
To ensure information and records are able to support all business functions and operations, organisations must establish a governance framework. This framework will help an organisation to:
develop strategies and policies to direct how information and records will be managed
assign responsibilities and allocate resources
establish provisions for information and records management in outsourcing and service delivery arrangements
monitor information and records management activities, systems and processes.
1.1 Information and records management must be directed by strategy and policy, and reviewed and monitored regularly
Governance frameworks are critical to the achievement of effective information and records management. Your organisation must set high-level strategy and policy for managing its information and records. The administrative head of the organisation must adopt it.
Strategy and policy include:
appointment of an Executive Sponsor to oversee information and records management – requirement 1.2
clear requirements for the creation, capture and management of information and records – requirement 3.1
setting an information security policy – requirement 3.4
identifying and assigning responsibilities of senior management for information and records management – requirement 1.2
identifying the need for information and records management staff or skills (do this through performance plans and/or service agreements) – requirement 1.4
identifying business owners responsible for including information and records management in all systems and processes – requirement 1.5
setting information and records management responsibilities for staff and contractors – requirement 1.6
addressing information and records management in all service arrangements – requirement 1.7
implementing an information security policy and appropriate security mechanisms – requirement 3.4
implementing policies (and business rules and procedures) to ensure that information and records are kept for as long as they are required and to identify how their disposal is managed – requirement 3.6
implementing policies to identify how to manage the disposal of information and records – requirement 3.7.
1.2 Information and records management must be the responsibility of senior management. Senior management must provide direction and support to meet business requirements as well as relevant laws and regulations
Ultimate responsibility for information and records management lies with the administrative head and senior management. They must provide direction and support and ensure information and records management meets business requirements, the law and regulations.
Responsibility for information and records management is cascaded down throughout the organisation, through various levels of management.
Responsibilities are identified and assigned in strategy and policy.
This requirement mirrors legislative obligations, for example in the Public Service Act 2020 (s.52) and the Local Government Act 2002 (s.42(2)), and reinforces the need for the administrative head and senior management to provide high-level direction and support, including ensuring adequate resourcing for information and records management.
1.3 Responsibility for the oversight of information and records management must be allocated to a designated role (the Executive Sponsor)
This new requirement clarifies what was implicit in the previous standard. The Executive Sponsor oversees information and records management. They must be a senior manager with organisation-wide influence and appropriate strategic and managerial skills. Their role is to:
provide oversight of information and records management within the organisation, including monitoring of information and records management to ensure that this meets the needs of the organisation
ensure responses to monitoring/reporting requests from us.
Include establishing this role in your policies and strategies for information and records management. The Executive Sponsor’s role should be incorporated into their performance plan. Your organisation must advise us of your Executive Sponsor, when they are appointed and when the role changes hands.
1.4 Organisations must have information and records management staff, or access to appropriate skills
Your organisation must have staff with information and records management skills or be able to access this expertise.
Each organisation’s strategy will likely need a range of different levels of responsibility and skills. Reflect this in job descriptions.
An organisation must be able to access information and records management skills through recruitment, service providers, and by networking with other organisations.
An organisation must identify and assign responsibilities through strategy and policy, performance plans and/or service agreements.
1.5 Business owners and business units must be responsible for ensuring that information and records management is integrated into business processes, systems and services
This new requirement clarifies what was implicit in the previous standard.
An organisation must identify business owners and system owners who are responsible for ensuring information and records management is included in all systems and processes used.
Those owners must be aware that information and records management requirements are needed when they move to a new service environment, develop new business processes, systems or services, or improve on existing business processes, systems or services.
Responsibilities for business owners must be identified and assigned in policies and within performance plans.
Business owners must demonstrate that they have considered information and records management requirements and assessed risks as part of the development process.
This requirement places responsibilities more broadly within an organisation. It reflects a business manager’s detailed understanding of the information and records produced by and necessary to perform their work, and their responsibility for ensuring its management.
Cascading responsibility to different business areas of the organisation lets business unit staff and information and records staff work together to ensure that information and records management is integrated into business processes, systems and services.
1.6 Staff and contractors must understand the information and records management responsibilities of their role. They must understand relevant policies and procedures
All staff of the organisation, including contractors, must understand their information and records management responsibilities.
Policies, business rules and procedures must include clear requirements for all staff for creating and managing information and records.
Contractors come into organisations to perform specified tasks. Information and records that are produced and managed in their performance of the contract need to be covered. Contractors must also know their information and records management responsibilities and the relevant policies and procedures.
Responsibilities must be identified and assigned in policies. Skills, capabilities and responsibilities must be assigned in role descriptions and performance plans.
1.7 Information and records management responsibilities must be identified and addressed in all outsourced and service contracts, instruments and arrangements
This new requirement clarifies what was implicit in the previous standard.
An organisation must ensure that information and records management is addressed in all service contracts, instruments and arrangements.
An organisation’s strategy and policy must include responsibilities to ensure that information and records requirements are identified and addressed. An organisation must undertake risk assessments and address information and records management risks in contracts, instruments and arrangements that it agrees to.
Service contracts, instruments and arrangements include:
functions, activities or services of the organisation being outsourced to an external provider
functions, activities or services being moved to cloud services or other service providers (internal or external to the New Zealand public sector).
An organisation must ensure that the portability of information and records and associated metadata is assessed and appropriately addressed in outsourced and service contracts, instruments and arrangements.
1.8 Information and records management must be monitored and reviewed to ensure that it is accurately performed and meets business needs
An organisation must regularly monitor information and records management activities, systems and processes to ensure they are meeting the needs of the organisation and conforming to requirements. Any issues identified through a monitoring process must be addressed in a corrective action plan.
An organisation must monitor activities such as process and system audits of systems that are high-risk, high-value, or both. Any system of assurance for information and records management should be integrated into the wider organisational assurance processes.
The Executive Sponsor has responsibility for overseeing this monitoring.
Principle 2: Information and records management supports business
Information and records management ensures the creation, usability, maintenance, and sustainability of the information and records needed for business operations. It also ensures business operations meet government and community expectations.
By appraising business activities, organisations define their key information requirements. Appraisal is used to design and embed information and records management into business processes and systems.
Taking a planned approach to information and records management means:
considering all operating environments
ensuring that all service and systems arrangements consider the creation and management of information and records needed to support business.
2.1 Information and records required to support and meet business needs must be identified
This requirement provides the foundation for managing information and records in all environments.
By appraising its functions and activities, an organisation can identify what information and records it needs to support business. It can also identify other requirements, including Treaty of Waitangi/Te Tiriti o Waitangi obligations, and government and community expectations.
This work provides the foundation for understanding what information and records to keep. It identifies what systems and business processes are high-risk, high-value, or both for the organisation, and the information and records required to support these.
An organisation must incorporate this work into comprehensive and authorised disposal authorities for its information and records.
An organisation must document in its business rules, policies and procedures decisions about what information and records are required. The decisions must also be reflected in specifications for systems and metadata schema.
2.2 High risk/high value areas of business, and the information and records needed to support them, must be identified and regularly reviewed
An organisation must identify the areas of its business that are high-risk, high-value, or both. By doing so, an organisation can better prioritise how it manages, treats and protects these critical systems and the information and records they contain.
An organisation must identify the likely or potential risks to information and records management and manage or mitigate them. This includes protecting the systems that manage information and records that are high-risk, high-value, or both, from loss and damage.
An organisation should set up appropriate security measures and business continuity strategies and plans.
By identifying high-value information and records at creation, an organisation can better manage and use this core asset.
Key guidance
- 16/F2 High value and high risk information and records
- 17/F22 Information assets
- 17/F23 Identifying and managing information assets
- Information asset catalogue template
- data.govt.nz - New Zealand Data and Information Management Principles
- digital.govt.nz - Security
- digital.govt.nz - Privacy
- SA/SNZ HB 436:2013 Risk management guidelines – Companion to AS/NZS ISO 31000:2009
- AS/NZS 5050:2010 Business continuity: managing disruption-related risk
- ISO 15489-1:2016 Information and documentation - Records Management Part 1: Concepts and principles
- SA/SNZ TR 18128:2015 Information and documentation - Risk assessment for records processes and systems
- ALGIM - IM toolkit
2.3 Information and records management must be design components of all systems and service environments where high-risk/high-value business is undertaken
This new requirement clarifies what was implicit in the previous standard.
In complex business and systems environments, it is important to design information and records management at the start. This is particularly important where the business involved is high-risk, high-value, or both.
Include information and records management when you specify systems and service environments which manage high-risk and/or high-value information and records. You will be better able to manage and use the information and records.
An organisation must consider at the start how to make system maintenance, migrations and decommissioning easier. In taking this “by design approach”, an organisation must ensure:
systems specifications for information and records that are high-risk, high-value, or both, include requirements for managing them
systems specifications include requirements for minimum metadata needed to support information and records identification, usability, accessibility and context
it keeps documents about systems design, configuration and any changes made over time.
Migrating and decommissioning systems can be expensive and time-consuming. An organisation may hold insufficient documentation about:
the information and records held in the system
the configuration of the system
the disposal requirements for information and records held in the system.
Key guidance
- 17/Sp7 Authority to retain public records in electronic form only
- 16/G2 Integrated information and records systems, process and practices
- 16/G7 Minimum requirements for metadata
- 17/G13 Destruction of source information after digitisation
- 16/F4 Effective information and records management
- 16/F8 Metadata for information and records
- Taonga Tuku Iho
- AS/NZS 5478:2015 Recordkeeping metadata property reference set
- ISO 15489-1:2016 Information and documentation - Records Management Part 1: Concepts and principles
- AS/NZS ISO 13028:2012 Information and documentation - Implementation guidelines for digitization of records
2.4 Information and records must be managed across all operating environments
This is partly a new requirement. Physical information and records are only part of an organisation’s “operating environment” and this requirement widens the standard to better cover digital information and records.
If an organisation knows what information and records assets it has and where they are located and managed, then it can better control them. By maintaining visibility of information and records, no matter what system is used or where the information and records are stored, the organisation can better protect these assets.
Information and records assets can be held in diverse systems environments, in third-party systems in the cloud, by service providers, and in a range of physical locations.
By identifying where information and records are held, an organisation can better manage them in diverse system environments, storage environments and physical locations, and give appropriate access.
Key guidance
- 17/Sp7 Authority to retain public records in electronic form only
- 17/G13 Destruction of source information after digitisation
- 17/G14 Managing information and records during administrative change
- 18/G15 Cloud services
- 20/G17 Best practice guidance on digital storage and preservation
- 16/F3 Text messages and other communications
- 16/F13 Storage of physical records
- 17/F22 Information assets
- 17/F23 Identifying and managing information assets
- Audiovisual storage
- Care of motion picture film
- data.govt.nz - New Zealand Data and Information Management Principles
- digital.govt.nz - Security
- digital.govt.nz - Privacy
- AS/NZS ISO 13028:2012 Information and documentation - Implementation guidelines for digitization of records
- ALGIM - IM toolkit
2.5 Information and records management must be designed to safeguard information and records with long-term value
This requirement ensures that an organisation identifies which systems and service environments hold information and records with identified long-term value. This requirement builds on Minimum Compliance Requirements 2.1 and 2.2.
Once the organisation knows what information and records are needed long-term and where they are kept, it can safeguard and manage them.
Information and records required for the long term will outlive both the systems in which they are managed and any outsourcing arrangements and contracts with service providers.
An organisation must ensure it plans and manages the protection of long-term information and records during transitions of systems and changes to service arrangements. Two such transitions are system migrations and decommissioning systems processes. Two such changes to service arrangements are termination of services and new outsourcing arrangements.
An organisation must protect its long-term information and records during changes in administration and through changes in the machinery of government. This includes where information and records must be transferred between organisations.
To help with identifying long-term information and records, an organisation can refer to its authorised disposal authorities.
2.6 Information and records must be maintained through systems and service transitions by strategies and processes specifically designed to support business continuity and accountability
This new requirement makes the standard’s focus more explicit to include both physical and digital information and records.
This requirement ensures that information and records are managed appropriately through system migrations and service transitions. Two examples are upgrades of systems and services offered in cloud environments.
An organisation must have documented migration strategies, and appropriate planning and testing processes. These must ensure that information and records are not “left behind” or disposed of unlawfully.
An organisation must use a managed process to migrate information and records and associated metadata from one system to another. The process must be managed to deliver records that are accessible, reliable and trustworthy. Maintaining appropriate system documentation will help to make migration strategies successful.
An organisation must use migration and decommissioning processes that ensure that information and records are kept for as long as needed for business, legal requirements (including in line with authorised disposal authorities), and government and community expectations.
This requirement builds on Minimum Compliance Requirement 2.2 and Minimum Compliance Requirement 2.5. They require that information and records that are high-risk, high-value, or both, are supported and migrated appropriately.
The portability of information and records and associated metadata must be assessed in outsourced or service arrangements. Information and records must not be “left behind” in outsourced arrangements. Such arrangements must include provisions for transferring the information and records back to the organisation.
Principle 3: Information and records are well managed
Effective management underpins trustworthy and reliable information and records that are accessible, usable, shareable and maintained. This management extends to information and records in all:
formats (and associated metadata)
business environments
types of systems
locations.
3.1 Information and records must be routinely created and managed as part of the normal business practice
Policies, business rules and procedures must tell an organisation’s staff the requirements and responsibilities for creating, capturing and managing information and records.
An organisation must regularly assess or audit its practices to demonstrate that its business rules, procedures and systems are operating routinely.
An organisation must identify, resolve and document any exceptions that affect the creation, integrity, accessibility and usability of its information and records.
An organisation’s staff and contractors must conform to policies, business rules and procedures, to ensure information and records are routinely created and managed.
The Executive Sponsor is responsible for overseeing this monitoring. This requirement builds on the earlier principles in the standard.
3.2 Information and records must be reliable and trustworthy
An organisation’s information and records must have enough metadata to ensure they are reliable and trustworthy.
Information and records must be accurate, authentic, and reliable as evidence of transactions, decisions and actions. This requirement ensures that information and records have appropriate minimum metadata to provide meaning and context (including te reo Māori), and that this metadata remains associated or linked.
Do regular assessments or audits to demonstrate that management controls of business rules, procedures and systems are operating correctly. This provides assurance of the integrity of the information and records stored in the system.
This requirement builds on the earlier principles in the standard.
3.3 Information and records must be identifiable, retrievable, accessible and usable for as long as they are required
Information and records must be identifiable, retrievable from storage (physical or digital), and accessible, usable and reusable for as long as required.
To maintain the accessibility and usability of physical information and records, an organisation must store them in appropriate storage areas and conditions.
To maintain the accessibility and usability of digital information and records, an organisation must ensure it regularly migrates or moves them from one system or platform to another.
An organisation must associate or link appropriate minimum metadata (including te reo Māori terms) to information or records to ensure the information and records can be identified, retrieved and shared.
An organisation must regularly test systems and perform assessments or audits to demonstrate that the systems can locate and produce information and records that people can read and understand.
This requirement builds on the earlier principles in the standard.
Key guidance
- 16/Sp2 Maintenance of public archives (Instruction to approved repositories for physical (non-digital) archives)
- 16/G7 Minimum requirements for metadata
- 20/G17 Best practice guidance on digital storage and preservation
- 16/F8 Metadata for information and records
- Public access to information and records
- 16/F13 Storage of physical records
- Audiovisual storage
3.4 Information and records must be protected from unauthorised or unlawful access, alteration, loss, deletion and/or destruction
An organisation must protect information and records.
An organisation must implement an information security policy and appropriate security mechanisms. The policy must cover information and records held physically or digitally, or both.
Security measures must include:
access and use permissions in systems
processes to protect information and records no matter where they are located, including in transit and outside the workplace
secure physical storage facilities.
Undertaking regular assessments or audits will help an organisation verify that access controls have been implemented appropriately and are working.
3.5 Access to, use of, and sharing of information and records must be managed appropriately in line with legal and business requirements
This requirement builds on the requirements in Part 3 of the Public Records Act 2005.
An organisation must ensure that access to, use and sharing of information and records are in line with legal requirements including:
the Official Information Act 1982
the Local Government Official Information and Meetings Act 1987
the Privacy Act 1993
the Health Information Privacy Code 1994
organisational policies, business rules and procedures.
Undertaking regular assessments or audits of systems will help an organisation verify that access to, use and sharing of information and records is managed in line with business requirements, legal obligations and the Government ICT Strategy or Action Plan (where appropriate).
3.6 Information and records must be kept for as long as needed for business, legal and accountability requirements
An organisation must implement policies, business rules and procedures to ensure that information and records are kept for as long as required, and to identify how their disposal is managed.
The policies, business rules and procedures must be in line with the requirements of the Public Records Act 2005 and authorised disposal authorities.
Information and records must be sentenced and disposed of in line with the practices of authorised disposal authorities. This includes information and records located in business systems, in outsourced or service arrangements, or in physical storage. Disposing of digital information and records may be part of a planned migration process or the decommissioning of systems.
Information and records of permanent value that are identified as public or local authority archives must be transferred to Archives New Zealand, an approved repository or a local authority archive, when authorised and no longer needed for business purposes.
Key guidance
- 16/Sp4 List of protected records for local authorities
- GDA6 (PDF 508.50 KB)
- GDA7 (PDF 233.53 KB)
- 17/Sp7 Authority to retain public records in electronic form only
- 16/G4 Explanatory notes for the list of protected records for local authorities
- 16/G4 Disposal - Sentencing
- 17/G13 Destruction of source information after digitisation
3.7 Information and records must be systematically disposed of when authorised and legally appropriate to do so
This requirement builds on the earlier principles in the standard.
An organisation must implement policies, business rules and procedures that identify how the disposal of information and records is managed. This includes:
assigning responsibility for sentencing and disposal of information and records (sentencing is using a disposal authority to decide whether to keep, destroy or transfer a record)
using disposal authorisation processes
implementing disposal actions
deleting metadata
decommissioning systems
documenting the disposal of information and records.
An organisation must be able to account for its disposal of information and records in business systems, outsourced arrangements, and physical storage. This includes providing evidence that the disposal of information and records is permitted and authorised under disposal authorities and legal obligations, including the Public Records Act 2005.
Last modified on 30 November 2020