
Create and Maintain Recordkeeping Standard

Principle 1: Recordkeeping Must be Planned and Implemented

Recordkeeping policies and procedures (compliant with legal, regulatory and
administrative requirements) must be implemented and must clearly assign
recordkeeping responsibilities and appropriate resources and training.

 

REQUIREMENT
EXPLANATION
Requirement 1:  Responsibility for recordkeeping compliance must be assigned and endorsed by the administrative head.
The administrative head of the organisation is ultimately responsible for recordkeeping and compliance with the requirements of the Public Records Act 2005 (see section 2.2.1 Administrative Head/Chief Executive Responsibilities).
A clear line of responsibility in organisations should be evident from the chief executive through the management structure to all staff. Clearly defined roles and responsibilities for recordkeeping are assigned at all organisational levels and a senior manager is identified as responsible for recordkeeping compliance at a strategic level. The recordkeeping policy statement will, therefore, identify a senior member of staff with lead responsibility for records management and for overseeing policy and programme implementation. Endorsement and active support by senior management is a crucial factor in implementing recordkeeping roles and responsibilities successfully.
Records managers, or equivalents, may be responsible and accountable for implementing recordkeeping policies and procedures and assessing performance. A ratio of 1:100 FTE records manager (or equivalent) is advisable, dependent on organisational size, for example, a higher ratio for small agencies (e.g. 1:50) and lower ratio for very large agencies (e.g. 1:200).
Requirement 2: Organisations must have a defined, documented and implemented policy for recordkeeping, which is regularly reviewed.
A corporate-wide records management policy statement is a statement of intentions. It sets out what the organisation intends to do and includes an outline of the programme and processes that will achieve those intentions.
The policy statement should refer to other policies relating to information (e.g. information systems policy, information security or asset management). It should not seek to duplicate them. It should be supported by:
· procedures and guidelines, planning and strategy statements, disposal authorities and other documents that together make up the records management documentation
· support and endorsement of the policy by all employees at all times. It is particularly important that the policy obliges all employees to create and maintain records that meet the legal, regulatory, fiscal and operational needs of the organisation
· monitoring of compliance with, and periodic review of, the policy for effectiveness is also important.
A recordkeeping policy will take into account:
· relevant legislation, regulations, and directives
· business needs, business systems, organisational culture and practices
· all record formats including paper and electronic
· community expectations, including those of Māori stakeholders.
Without an information policy, organisations do not have a high-level strategic statement on which to develop an integrated recordkeeping framework. See Guide to Developing a Recordkeeping Policy.
Requirement 3: Organisations must have defined, documented and implemented procedures for recordkeeping which are regularly reviewed.
Staff need to be made aware of which records they should create, and the routine processes for identifying, creating and/or capturing records received into a recordkeeping framework.
Procedural guidance may take the form of:
· forms and templates
· instruction or workflow management manuals
· documented rules and/or regulations.
Basic direction should guide staff on good recordkeeping practices, including:
· simple aids outlining approved practices for identifying and capturing essential records of business activities
· procedural controls to ensure capture of electronic records from web-sites, business information systems, email, etc.
· maintenance of correspondence and documents stored in personal drives and shared workspaces.
This guidance should be supported by training and regularly reviewed for applicability, as business processes and information systems are subject to change.
Requirement 4: Recordkeeping responsibilities and resources must be defined, supported and assigned.
Recordkeeping responsibilities should be defined, assigned and communicated to all staff who create, maintain and receive records during their work. This includes:
· all managers
· all employees
· internal contractors*
· volunteers
· other personnel who have a responsibility to create or use records.
Recordkeeping responsibilities may be documented in job descriptions and performance assessments, or as part of an organisation’s code of conduct. The level of definition will be contingent on the degree of recordkeeping responsibility of the individual.
Responsibilities for recordkeeping processes should be defined and assigned within departmental/organisational recordkeeping procedures, policies or manuals.
Resources and budgets set aside for recordkeeping purposes should be assigned and documented.
See also Fact sheet: Recordkeeping Responsibilities.
*There is separate guidance for external contractors in section 2.2.2 Responsibilities for Records of Functions Carried out under Contract.
Requirement 5: A programme of internal recordkeeping, monitoring and compliance must be developed and implemented.
Compliance monitoring should be developed and regularly undertaken to ensure continued compliance with legislation, policies, principles, processes and procedures, over time. Assessment of the recordkeeping framework’s procedures, policies and processes should be undertaken and their effectiveness assessed against the anticipated outcomes. Evidence of this performance assessment should be identified and maintained.
There are three reasons for monitoring and auditing records systems:
· to ensure internal accountability and compliance with external regulatory and/or legislative requirements
· to ensure that records will be accepted as evidence in a court of law, should this be required
· to improve an organisation’s performance, by assessment and improvement of service delivery.
Internal auditing of specific areas of recordkeeping using a risk management approach (e.g. legal compliance risk, web-based activities or OIA response performance), can be used for targeted monitoring. Follow-up mechanisms that ensure appropriate responses on internal audit results should be implemented. Any internal monitoring process will depend on the unique circumstances of the organisation that carries it out.
It may be appropriate to employ external third party consultants to carry out internal compliance monitoring or auditing.
 
 