Te whakahaere pae ipurangi hei mauhanga
Managing websites as records
Read our guidance for public sector organisations managing websites as records. Learn about your obligations under the Public Records Act 2005, what web records are, and how to manage and maintain them.
Managing websites and the Public Records Act
Websites are a collection of related web pages, images, videos, or other digital assets, written in mark-up language such as HTML or XML, accessed through an IP address or domain name.
New Zealand public offices and local authorities (public sector organisations) use websites to fulfil a range of functions—from delivering basic information to online transactions. The content and activity on these websites are public or local authority records under the Public Records Act 2005 (the Act).
Web content is currently considered as a publication and the website as the digital publishing platform. Websites that perform functions, provide services or contain information that is not replicated offline are the primary source of an organisation’s business activity.
The Act requires public sector organisations to create and maintain full and accurate records of their affairs in accordance with normal prudent business practice. Web content and website activity are part of these web records.
Using this guide
This is a best practice guide for New Zealand public sector organisations. It will help you manage websites in line with your organisation-wide information and records management strategies, policies and systems.
To ensure this guide applies to a variety of processes and systems, its focus is on informing decision-making rather than delivering a procedure. The information given is not a prescription for implementation. Our aim is to provide direction and present you with options to consider when applying information and records management policies to websites.
Who this guide is for
This guidance will help you plan for the management of websites, including both existing and legacy web records. It’s intended for:
records, knowledge and information management professionals and their support staff
information technology professionals
communications professionals
web managers, developers and other web professionals
all other staff responsible for the creation and management of websites.
What this guide applies to
This guidance applies to all websites created and maintained by public sector organisations, including information and records that are:
on the website
on third party websites—such as social media, file sharing platforms and project management platforms
on intranets (private websites used to distribute information within an organisation)
on secured extranets (private, secured websites that share part of an organisation's information or operations with suppliers, vendors, partners, customers or other businesses)
relevant to the creation, maintenance and functioning of the website
in any format, regardless of whether access is restricted or public.
You need to manage discontinued or decommissioned websites and non-current web records until they can be destroyed or archived under an approved disposal authority.
Find out more about web archiving methods and processes.
If your website conforms to the New Zealand Government Web Standards, you might find it easier to manage web records.
What web records are
A web record can be any information—in whole or in part—that appears on a website and provides evidence of business activity. Websites include ‘deep web’ content that public search engines cannot discover, such as information found on intranets, extranets and secured websites. Web records can also be from informal web applications such as wikis, blogs, forums and shared workspaces.
In some situations, an entire website may be managed as a record (for example a website devoted to a single project). But in most cases, a web record will be an element of a website. This could be a page, content item, image, document, submitted information, or log entry recording an action taken. The web record may have many pages, items, or log entries, and will have separate metadata about changes made over time.
Deciding how to manage web records
Your organisation must make a clear decision on how to manage websites—in whole and in part. When making this decision, remember to consider republished content and web records on third-party websites and applications. You should also consider information about web projects and the management of websites.
Website content republished from another source
Some website content is likely to have been republished from another source, with the original managed as a record elsewhere. For example, your organisation may capture and manage annual reports and strategic plans in your corporate recordkeeping system.
In these cases, the document on the website is a duplicate which you may not need to keep unless there is good reason. For example, the added functionality and context on the website could change the interpretation of the information. You also need to consider keeping change logs to document when the information was available to the public.
Web records on third-party websites and applications
Web records located on third-party websites and applications need to be managed as public records and be accessible to both your organisation and the public. This could be through an Official Information Act 1982 or Local Government Information and Meetings Act 1987 request. Your information and records management policies and procedures should inform the creation and management of these records and be included in any contracts or agreements. Examples of third-party websites include:
online project management websites such as Basecamp and social networking platforms such as LinkedIn, Facebook and Twitter
websites operated by other organisations such as Google Analytics, Wikipedia, extranets, shared workspaces, survey tools and third-party forums
file sharing websites such as Google Docs, Issuu and Peer-to-Peer.
Web projects and the management of websites
Information about web projects and the management of websites are records. This may include:
website commissioning information such as project documentation, email correspondence, strategies and reports
website management information such as site statistics, site reports, user testing results, and communications about website operations including hosting and support
system documentation recording the functionality and ongoing maintenance requirements for the website that ensures its management can be understood over time.
Creating and maintaining web records
The creation and maintenance of websites and web records should support good business practice and be part of organisation-wide information and records management processes.
Minimum requirements for the creation and maintenance of web records are described in the mandatory Information and records management standard.
Key factors to consider in choosing an approach to creating and maintaining web records are:
the volume and complexity of the web records
what the records are about, and the risk associated with the records
the ability of existing or proposed systems to manage web records
existing information and records management policies and procedures
existing appraisal and disposal tools such as our General disposal authorities and other disposal authorities.
When planning the implementation of systems to manage websites, you should also develop procedures and training for all staff to inform the creation and maintenance of web records.
Capturing web records
Capturing or maintaining the context of a web record might require reproduction of the look and feel of the site, page or element. This may involve recording its graphical user interface or software package, including the colours, shapes, layout and typeface (the look) as well as the behaviour of dynamic elements such as buttons, boxes and menus (the feel).
Systems for managing web records
Approaches to choosing a system to manage web records include:
using a web publishing platform like a content management system (CMS) as a recordkeeping system. A CMS allows you to author and publish web pages or content. It can also automatically capture metadata about that content which gives the information context
using an electronic information and records management system (EDRMS), to manage content published on the web. This may require other control mechanisms to ensure there is a record of when content is published. It may also require other methods to capture the look and feel of the website
integrating a web publishing system with an information and records management system so web records management tasks are shared between systems. This will depend on the functionality of both systems.
Most websites today are dynamic and data driven, published and managed by a CMS. Dynamic websites use databases and logical programming to deliver pages, look and feel or content based on variables such as date, user, or randomly selected elements.
On the other hand, static websites ‘serve’ pages to every user with the same information. Nothing on the page changes unless it is edited. Static websites do not use a database or scripting to perform background logic related to the user or page content, layout or structure.
While all references in this guide relate to web publishing using a CMS, the techniques described also apply to static websites. This is because creating and publishing web pages is essentially the same thing a CMS performs automatically.
Risks to web records
As web records can change often, there is potential for loss and inaccuracy. Web records may also be short-lived in their published form, and the process of publication may differ from other formats in the scrutiny received before publishing. You need to be aware of the risks of failing to capture changes made to web records.
The level of risk will depend on the type of information you create and publish on the web, and the nature and frequency of the changes. You should undertake a risk assessment to inform decisions on how often these changes need capturing or documenting. Your organisation will benefit from assessing potential risks to web records and mitigating these by implementing systems, procedures and training. This will improve access to and confidence in the quality of information. Good management of web records can also mitigate business risk.
These risks can include:
failure to meet legislative and regulatory requirements
poor decisions made on inaccurate or incomplete information (including by members of the public)
information not available or accessible for accountability, legal challenge or evidential purposes, and loss of information that has cultural heritage value
static websites may be undermanaged, not updated, and vulnerable.
Deciding what web records to keep
Appraisal of public web records supports good information and records management. It ensures consistent high-level decision making about the management and disposal of the records. This will be determined by how your organisation creates and maintains web records, the values inherent in their content and context, and the functions and activities they document.
The appraisal of web records requires consideration of all elements of a website, including:
pages
content items
files
background processes
look and feel
automated or manual transactions
evidence of business activity in creating and maintaining the website.
The appraisal process does not usually consider the format of the record, as this does not usually impact its value. However, some web records may be defined by format. In these cases, the appraisal process should identify where the format of the record provides specific information and records management requirements. For example, information that's part of the organisational record as a static or ‘fixed’ document might also be on the website with interactive functions—such as allowing comments for consultation feedback. This may need retaining as a record because of the added functionality provided by the website.
Access to web records
All information and records created by public sector organisations—including web records—should meet the access requirements of relevant legislation. Key legislation that informs access to information includes (but is not limited to) the Act, the Official Information Act, the Local Government Official Information and Meetings Act and the Privacy Act 2020.
When establishing access requirements, public sector organisations need to also consider web records that are not accessible on public websites such as information on intranets and extranets. If your organisation chooses to maintain and archive web records in a separate system from other organisational records such as a CMS, you’ll need to ensure access obligations are met.
Digital continuity for web records
Digital information must be proactively managed and cared for to ensure that it is accessible for as long as needed, for both current and ongoing business purpose and as archives in the future if appropriate.
Ongoing and managed processes need to be in place when maintaining web records over time to ensure digital continuity. This includes managing the risks associated with unauthorised access to records as well as events which may damage or destroy them.
To ensure the continuity of digital information, you should consider the following key principles.
Control web records so they’re easily identified and retrieved, without damage or loss. You could achieve this using CMS rollback functionality.
Describe web records well by documenting both the technical aspects and content of the records and ensuring they stay accessible over time.
Establish and maintain disaster management programmes to minimise risks. For web records, IT disaster recovery plans and tests are directly applicable. You should test websites to ensure they can be recovered. Recovery includes the successful retrieval of all background data needed for preservation and access. The purpose of disaster recovery is to mitigate the risk of loss events, and for data recovery. It is not meant to be an ongoing information and records management strategy or as a replacement for information and records management processes.
Secure web records against theft, vandalism, misuse, or inadvertent release. Information and records should be secured against unauthorised alteration, deletion or disposal. Web records should have read, write, and delete permissions applied according to your organisation’s information and records management and privacy policies.
Store web records in systems which will ensure they are managed for as long as they are needed. This means systems are run on supported platforms, hardware is maintained, and tests are carried out to check the information is still accessible.
Ensuring continuity of web records is particularly important when websites are migrated between different CMS products. Planning and testing for continued access to information and records in these situations should be part of the migration.
Information and records management for websites
Strategy and policies
Developing an organisational approach to web records involves managing them as part of an information and records management strategy. An information and records management strategy combines people, policies, procedures, methods, technology, institutional culture, data and knowledge. An organisation develops such a strategy to assess needs, implement practices, manage change and put software and technology support in place.
To support your organisation’s objectives and main functions, you should consider the creation and maintenance of web records when developing information and records management policies.
State the principles of managing web records, and identify the policies used by your organisation to manage those records.
Assign responsibility for the capture or creation and management of web records and communicate this to all staff.
Put in place monitoring and review processes to ensure the policies stay current and continue to support business needs.
You should manage content removed from a website in line with your organisation’s information and records management policies and processes—including standards and disposal authorities issued by the Chief Archivist under the Act.
Ensure content to be disposed of is covered by your organisation’s disposal authority.
No web records may be disposed of unless a disposal authority is in place.
Duplicate information on websites may be disposed of using General Disposal Authority 7.
General Disposal Authority 6 may also be appropriate to use for disposal of some web records.
Document any specific systems, processes and tools used to create, maintain and dispose of web records in relevant information and records management procedures. All staff responsible for undertaking these activities should receive training on these policies and procedures.
Sentencing and disposal
It’s good business practice to sentence information and records (that is, determine their final authorised disposal requirements) as close as possible to the point of creation. This way you can manage them according to their value and avoid retaining them for longer than necessary. This is particularly important with digital information like web records, where adherence to retention periods can avoid extra migration costs and retaining unnecessary volumes of data.
You may use a CMS to automate part of the sentencing and disposal process by using the content scheduling function to delete a web record according to the assigned disposal action. If your organisation is considering using a CMS for web records management, you should think about the disposal functionality you need.
Not all CMS products include scheduling ability. In some systems, existing functionality may need to be modified to meet requirements. In an EDRMS, you can link disposal to the classification structure, and the disposal action automatically applies to a web record when it is captured in the system.
You should document any disposal of web records.
Find out more about authorised disposal.
Using metadata for description and context
Web records must have metadata—no matter which system you use to manage them. Applying metadata to a web record ensures it has meaning, is findable, can be relied upon to be what it appears to be and can be moved safely from one system to another.
Much of the metadata associated with web records will be generated by a CMS and should be captured as part of record creation and the ongoing management process. Consider what metadata you need to adequately describe web records when a new CMS is being implemented or there is a major upgrade. Web records managed in other electronic systems should also have metadata associated with them.
Implementing a migration strategy for web records
Migration involves moving a web record from its current system (for example, an existing CMS) to a new one, or as part of a significant version upgrade of a system (often called a technology refresh). Successful migration strategies enable the maintenance of web records over time when moving them from legacy systems and ensures that any archived web records remain available in the current system.
Migration strategies are most useful when using a CMS as a records management system, as they maintain the required metadata and ensure access. Successful migration involves consideration of the following:
Migrated web records need to include all required metadata and any associated information (such as versions or other transactions) that completes the record.
Any links or pointers to a web record need to remain intact or provide information about how to access the record. For example, create persistent links by updating page URLs so that there is automatic redirection from the old location to the new location.
You should capture information that may change with a new system—such as the look and feel or context of the web record—as part of the record.