Records must be managed systematically across both recordkeeping systems and business systems within an organisational recordkeeping framework (see section 3.4 Recordkeeping Framework).
| REQUIREMENT | EXPLANATION |
|
Requirement 15: Records must be identified and captured within a recordkeeping framework. |
The ability to control records organisation-wide is dependent on the organisation’s internal structuring. Recordkeeping may be centralised or devolved as long as it is part of an overall framework. However, all records, regardless of format and the technological environment in which they are generated, should be captured in an over-arching recordkeeping framework and have systematic controls applied to them. The individual systems do not have to be centralised or accessible by everyone in the organisation, nor do they need to be integrated. They can be based on workgroups; they can be designed to meet the specific needs of business units; they can control access and security to meet requirements for confidentiality. They do not have to be dedicated recordkeeping systems; they can be business information systems, or applications, which incorporate the functionality required to maintain records. However, all of an organisation’s records should be managed regardless of where they are created or maintained, including environments such as:
· personal and shared drives
· databases
· external storage devices (laptops, PDAs, CDs, etc.)
· business information systems
· legacy paper and electronic systems.
|
|
Requirement 16: Records must be organised according to a business classification scheme. |
Business classification schemes are an output of business activity analysis. A business classification scheme can be defined as the documented analysis of business processes, their generated record outputs, and their contextual relationships within the entirety of whole-of-business activity that an organisation undertakes, articulated within a (usually hierarchical) structure. A classification may be functional, process-based, subject-based or organisation-based. Whatever form it takes, the classification scheme is the structure that defines, describes and aggregates records within a recordkeeping framework.
Business classification schemes provide:
· contextual linkages between individual records in a meaningful structure
· a framework for applying consistent and meaningful naming conventions, or identifiers for records over time
· identification and retrieval of all records relating to a particular function or activity
· a framework for retention and disposal scheduling.
The business classification scheme will reflect:
· the goals and strategies of the organisation
· the functions of the organisation that support the pursuit of these goals and strategies
· the activities and functions of the organisation
· the work processes performed to carry out specific activities and transactions
· all constituent steps that make up the activity
· all the transactions that make up each constituent step
· the groups of recurring transactions within each activity
· the existing records of the organisation.
For further information on business activity analysis see ISO/TR 26122:2008 Information and documentation – Work process analysis for records. |
|
Requirement 17: Records must be reliably maintained over time within a recordkeeping framework. |
For physical records, this means appropriate storage conditions. However, the requirement to maintain electronic records will outlast electronic business and recordkeeping systems. It is therefore preferable to use common, or accepted, formats and operating systems to achieve an integrated and sustainable approach to longer-term recordkeeping. The organisation may incur increased costs associated with the migration and preservation of records in proprietary, unstable or unusual formats. For further guidance see the Storage Standard. For records identified as having long-term value, preservation should be considered at the creation stage. For records to be sustainable, a migration strategy has to be developed or an organisation runs the risk that records will not be available in the future through format obsolescence or expiry of licences.
A system that reliably maintains records as evidence of business activity:
· creates and maintains a record of records system faults and failures
· monitors and controls access
· controls and verifies user status
· provides security
· prevents unauthorised access, destruction, deletion, alteration or removal of records
· identifies vital records and enables business continuity planning.
|
|
Requirement 18: Records must be useable, accessible and retrievable for the entire period of their retention.
|
Records come in a myriad of formats, such as maps, plans, photographs, thermal paper, web pages, SMS, and data sets. Therefore consideration should be given to the long-term viability of formats used for recordkeeping purposes. It is not always possible when creating records to use formats predicted to have longevity. However, it is strategically prudent to use stable, commonly used or open formats for records of permanent or long-term value where possible. A migration strategy for records content and context is, therefore, a priority for unstable physical formats and electronic records. To be useable over time, records should be ‘human readable’, maintain their context and ‘recordness’, and be in accessible formats.
For physical records, this entails secure storage, access controls, and contextual metadata, through file numbering, indexes, maintenance of original order of file and folder contents and file access tracking. For further requirements on the maintenance of physical records over time refer to the Storage Standard. For the maintenance of electronic records over time, systems that create and/or maintain records should preserve the evidential admissibility of records and support migration of records from one system to another. Appropriate formats and strategies to support this should be assigned. For electronic records to be accessible, useable and retrievable over time, stable formats and storage systems and persistent metadata profiles are imperative. For further guidance on electronic recordkeeping metadata refer to the Electronic Recordkeeping Metadata Standard. Records should be maintained in an accessible format over time, for as long as they are required, until an authorised disposal action is taken. The strategies to achieve these outcomes may vary according to the type of record and the length of time it needs to be retained. These processes should be planned, controlled, documented and managed according to risk.
|
|
Requirement 19: Records’ contextual and structural integrity must be maintained over time. |
Persistent contextual information should be maintained by the attribution of recordkeeping metadata to records. It should identify the agents involved and the business processes that created them. These contextual attributes are necessary to maintain the reliability and integrity of a record. For example, a contract may only be a true record when its variations are applied, or an email attachment only has full meaning if accompanied by the sender, recipient and content of the email message text.
The contextual information or recordkeeping metadata created about a record may include:
· a unique identifier (or physical file number)
· a title
· the time and date of the creation of the record
· the author and creator
· the business being conducted
· the date of any action undertaken on the record
· the identification of the person undertaking the action
· the action that was undertaken.
These fields are not exhaustive and contextual recordkeeping information may be contingent on the type of record or the length of time it needs to be retained.
Recordkeeping systems should be configured to automate as much of this contextual data as possible. For further requirements on mandatory point of capture and process recordkeeping metadata for electronic records, refer to the Electronic Recordkeeping Metadata Standard.
|
|
Requirement 20: Retention and disposal actions must be applied systematically. |
To apply systematic control of records’ retention and disposal actions there should be an evaluation of the value of the records. This means developing strategies to actively manage the disposal of paper-based files, as well as strategies for preservation/migration of records held in electronic form; and assessing the occurrence of electronic and paper records that are not currently captured into the formal recordkeeping framework.
An effective systematic retention and disposal process will:
· facilitate decisions on the retention or disposal of records across all classes and formats
· initiate actions that are informed by a valid retention and disposal schedule
· identify copies of records that are authorised for destruction, including security copies, preservation copies and backup copies
· maintain an auditable record of all disposal actions and make these records available when required.
Risks of ad hoc disposal actions include:
· unintentional disposal of high value records of business actions
· illegal destruction of records pertaining to pending litigation or investigation
· the continuing existence, after authorised disposal actions, of duplicates or copies of disposed records.
All records disposal should be authorised either by a General Disposal Authority or organisation specific disposal authority. Unauthorised disposal is an illegal action under s18 of the Public Records Act 2005.
|