Ngā mōhiohio me ngā mauhanga whai uara, whai mōrearea hoki
High-value and high-risk information and records
Learn more about how to identify, document and manage your high-risk and high-value information and records.
Define your high-value and high-risk information and records
How your organisation defines its high-value and high-risk information and records depends on your business. Your definition should include the information and records you need to:
carry out your core functions
make key decisions, and
provide future evidence of these.
Identify your high-value and high-risk information and records
High-value information and records
High-value information and records include those that are critical to your core business — for example, information and records about how your organisation performs legislated functions.
High-risk information and records
High-risk information and records include those that pose a risk to:
the way your organisation operates
your organisation’s business transactions
how you interact with other organisations
how you manage relationships with clients and employees.
Poor management of these risks can expose you to major loss of reputation, financial or material loss, or breach of statutory obligations.
High-value and high-risk business functions
Your organisation may have business functions that generate high-value and high-risk information and records if it:
receives significant investment from the Government
makes major contributions to the economy
performs an activity that impacts on individuals — such as a regulatory, enforcement, health or welfare protection activity where disputes may arise
develops policy that will impact on individuals and communities, or on their rights and entitlements
manages natural resources, the protection and security of the state, or its infrastructure
uses processes that are targets of corruption or offer potential for corrupt behaviour
undertakes a major programme of international or national significance.
Useful sources for identifying high-value and high-risk business functions include your organisation’s:
risk register
internal and external audit reports
risk or governance reports
information and record asset registers.
Make sure you also evaluate high-value information and records created by routine business functions. Routine functions can create information and records that may have value beyond their initial business need, such as public accountability or cultural heritage.
We have issued general disposal authorities that apply to the common corporate functions and activities of many public sector organisations — including functions and activities that may generate high-value information and records.
Document your high-value and high-risk information and records
You should document or register your organisation’s high-value and high-risk information and record assets in enough detail that they are easy to find in the future. When documenting them, you can include details such as:
the extent of the asset — information and records can exist as many interconnecting data sources, so you should document what is part of the asset and what is not
the business unit responsible for the asset, and its accountability
the business function it supports
the software and hardware for maintaining this asset — the technology it may depend on to be accessible
its dependency on other assets — the separate internal or external information sources necessary for understanding the information asset and its high-value or high-risk uses.
Ensure your organisation’s metadata and audit logs are complete and that the contents match their description.
Manage your high-value and high-risk information and records
Have a plan for long-term management
Taking a strategic and planned approach to managing your organisation’s high-value and high-risk information and records is essential to managing these assets successfully over time.
You should have a plan for identifying and documenting high-value and high-risk information and records. This plan’s level of detail should be appropriate for the business context of the information and records, and relevant to their size and complexity. It should cover not only your immediate needs, but also provide a long-term strategy for the management of these assets — for example, where the need for the information and records will outlast the life of the systems in which they are created and held.
Migrating high-value and high-risk information and records
When your organisation no longer has an immediate need for high-value and high-risk information and records, you should routinely export or migrate them to a system suitable for long-term management. You need to ensure the migration process includes the minimum metadata required to support any long-term accountability needs for evidence of your organisation’s business activities.
Software-as-a-service
If your organisation uses cloud services such as software-as-a-service, you need to make sure the contracts for those services require the provider to support long-term information and records management.
Disposal of high-risk and high-value information and records
You should ensure any disposal processes, such as destroying or archiving information and records, are well managed so they do not create risks themselves.
Identify and monitor any gaps and shortcomings in your disposal processes. High-risk information and records can sometimes be overlooked in these processes if assumptions are made. For example, you might assume that the information and records:
exist — when they may not
sufficiently document the activity — when they may not
are sufficiently well managed — when they may not be.
Risk management frameworks
Your organisation’s management of its high-value and high-risk information and records should contribute to its wider risk management frameworks, such as those based on ISO 31000 Risk Management.
Personal information and records
Systems that manage personal information and records can expose your organisation to significant risk, so you need to give particular attention to their capabilities. There are strict rules governing:
how organisations may retain personal data
how organisations may use this data, and
organisations’ ability to report on these — both to the individual concerned and to oversight bodies such as the Privacy Commissioner.
You need to be aware of these limitations and ensure any systems managing personal information and records are appropriately secure.