What is governance?

Governance refers to formal control mechanisms which are applied to ensure accountable decision making and compliance with requirements.

Governance creates lines of:

  • authority - which enable decisions to be made and approved; and
  • responsibility - which means that there is accountability for decisions and actions.

Good governance sets direction, enables the identification and management of risks, and facilitates ethical practices. It builds trust in government.

There is a strong relationship between good governance and good recordkeeping. Good recordkeeping supports transparency, provides evidence of accountable decision-making and reduces the risk of corrupt or unethical behaviour.

Governance is a broad concept which can be used to describe the application of controls to a range of areas. This guidance outlines governance controls in relation to the:

  • public office as a whole
  • records and the IT environment/business systems used to create, capture and store them.

Note: As defined by the Public Records Act 1973, records include data and information in any format, held in any system or storage environment.

Public office governance

The head of every Victorian public office must ensure that their organisation complies with the Recordkeeping Standards issued under the Public Records Act 1973.

The PROS 23/01 Strategic Management Standard requires that an appropriately resourced records management program be established and maintained, with effective governance and clear accountabilities. An effective governance structure for records management must be established, maintained and incorporated into the public office governance processes.

Principle 1 of the Victorian Protective Data Security Framework issued by the Office of the Victorian Information Commissioner states that 'Strong governance arrangements ensure the protective data security requirements of the business are reflected in organisational planning.' The Framework requires public offices to establish security governance arrangements, based on sound risk management, that are appropriate to the circumstances.

The Victorian Public Sector Commission provides guidance and resources for implementing organisational governance arrangements.

Senior level leadership needs to support and promote the importance of good governance for recordkeeping and its relationship with efficient and accountable management and the reduction of risk. It is important that staff with governance responsibilities understand their obligations and how to perform this work ethically and responsibly. Training and instructions should be provided to these staff.

Public office governance is embedded in the structure through which powers, responsibilities and accountabilities are distributed. This structure provides the authorising environment. The purpose of public office governance is to ensure:

  • ethical and responsible decision-making, which can be explained and justified
  • efficient conduct of the organisation
  • accountable and prudent management of resources
  • accountable, transparent and consistent decision-making
  • compliance with legislation, regulations, codes and standards
  • identification and management of risks
  • an environment where corrupt conduct does not occur.

Public office governance controls commonly consist of:

  • a hierarchy of roles, with decision rights, responsibilities and powers assigned to them
  • a committee structure, which provides oversight, monitors progress and approves/endorses decisions and actions
  • a program of audits and assessments with results reported to the committee structure.

In order to be visible and obtain support and resources, it is important that oversight of the records management program be included in the public office governance structure.

Effective governance for records management means:

  • the head of the public office has formally delegated responsibility to a senior executive
  • roles and responsibilities are determined, documented and understood
  • oversight of records management is included in the governance committee structure
  • staff with responsibility for records management have the authority to make decisions and enforce actions
  • key record assets are identified and have a formally designated owner
  • there is a strategic plan for improving the maturity of practices across the organisation
  • progress against this strategic plan is monitored and reported to the governance structure
  • performance/maturity is regularly assessed and reported on, with actions taken to rectify issues or weaknesses
  • records management is included in the audit program
  • recordkeeping obligations and requirements are included and considered when making key decisions - for example, when selecting or decommissioning business systems or when outsourcing government functions to third party suppliers
  • the relationship between good practices and risk mitigation/management is understood.

For example, an organisation might establish a committee (such as a Records/Information Management Governance Committee) which oversees records management. This would typically:

  • be chaired by the senior executive(s) with formally delegated responsibility for these areas
  • include senior records/information/data management staff and related representatives from across the public office (for example, representatives from IT, legal, information security, FOI, audit, risk management, critical business system owners)
  • report into the primary governance body in the public office, escalating issues, seeking approvals/resources and providing progress on projects and initiatives.

Governance for information technology/business systems and the records they hold

As records (also meaning data and information) are created and captured in business systems, Information Technology (IT) arrangements and decisions directly impact how they are managed and disposed of. It is important that those responsible for record assets are involved in making decisions about the systems and storage environments where they are held.

IT governance is an important part of effectively managing a public office given the costs and risks involved. Governance provides the formal framework for ensuring that:

  • decisions about IT align with the strategic objectives of the public office
  • there are established lines of authority and accountability for making decisions about IT and business systems
  • IT-related risks are identified and managed, with processes in place for incident response and recovery.

Public offices need to determine and implement governance controls on business systems and the records they create and hold.

Imposing governance controls on record holdings involves determining, implementing and documenting:

  • roles and responsibilities (who "owns" and is responsible for the asset, who has the authority to make decisions about the asset)
  • access and security controls
  • quality standards - required metadata, description standards, quality checking etc.
  • any arrangements for sharing records/information/data with other parties
  • processes/programs for monitoring and assessing the quality and use of the asset
  • disposal of the asset when no longer required for current business, including transfer to PROV for permanent records/information/data, as authorised by the Keeper of Public Records.

The rigor applied to controls for records should be commensurate with:

  • their current and future value to the public office, government and the community
  • the impacts which would result if they were lost, stolen or inappropriately accessed.

Stewardship can be a helpful concept, referring to the careful and responsible management of something entrusted to one's care to ensure it is used appropriately and retains its value.

Imposing governance controls on business systems and the records they create, capture and hold will help to:

  • improve and maintain the quality of these assets - accuracy, completeness, reliability and authenticity - resulting in better decision-making and more efficient processes
  • ensure they are protected from unauthorised access/use (data breaches)
  • ensure they are protected from loss
  • ensure they are accessible and usable for authorised purposes, including in accordance with data sharing arrangements
  • retain and preserve them for the minimum required retention period
  • ensure they are disposed of on a timely basis in accordance with the minimum required retention period to reduce costs and risks, including data breaches 
  • ensure permanent value holdings are identified and transferred to PROV at the appropriate time.

To meet the obligations set by PROV Standards, recordkeeping requirements must be addressed when key decisions are made about information technology. For example, when:

  • business systems are being procured or decommissioned
  • business systems are being designed, configured, implemented
  • storage arrangements are being made
  • outsourcing arrangements are being made.

The degree to which recordkeeping requirements need to be addressed will depend on the value of the records being held in different business systems or storage arrangements. If a business system will hold critical information, a high degree of rigour must be used to ensure that records are captured, controlled and managed in compliance with PROV Standards. Refer to the relevant retention and disposal authority for direction on high value critical information, particularly information that must be retained for a substantial period of time.

An effective way of ensuring that recordkeeping requirements are addressed is to embed the consideration of recordkeeping requirements into the authorising process for major IT decisions, for example by requiring sign-off by the senior officer responsible for records management as part of approving decisions for major IT projects, such as procuring, redeveloping or decommissioning systems which hold or will hold high value records.

Records managers should aim to develop a good understanding of and play an active role in governance for key organisational systems, such as the Microsoft 365 environment. How these systems are configured and implemented will determine the extent to which recordkeeping requirements can be met. It can be very difficult to meet recordkeeping requirements if they are not addressed during the design and configuration stage.

There are additional difficulties when public offices are part of a multi-tenant environment or have an outsourced arrangement for IT support/storage. This can mean that records/information/data managers are not able to set controls which are necessary for proper management of the assets.

Those responsible for records management will need to advocate for the inclusion of essential requirements and attempt to become part of the governance structure(s) which makes key decisions about business systems.
