Te whakawhanake kaupapahere mō ngā mōhiohio me ngā mauhanga

Information and records management policy

Please note that the PDF of this page has been removed because the content is the same and our website has a feature to print a webpage. You can also see a preview of this by using the print command (CTRL + P). If you still require a PDF version, please contact us at rkadvice@dia.govt.nz

An information and records management policy is a statement of intent for managing corporate information and records appropriately.  

This policy shows your organisation’s commitment to a successful information and records management programme – one that is compliant, reliable, systematic and well managed.

An information and records management policy:

• demonstrates the value of your business information to staff and stakeholders

• shows that managing information and records well is crucial to helping your organisation achieve its core objectives

• acknowledges information and records are key assets, and that managing them is a fundamental corporate function.

Everyone is responsible for information and records management

Your policy should state core principles for effectively managing your business information and records. This gives a clear directive from senior management to all staff.

By describing acceptable information and records management behaviour, your policy highlights that this is the responsibility of all staff and assigns roles and obligations at all levels of the organisation.

Your policy supports your strategy

An information and records management policy supports your organisation’s information and records management strategy. Together, the policy and strategy establish an overall governance framework for information and records.

Learn more about creating a strategy for information and records management

An information and records management policy has several benefits. It:

• helps your organisation meet its evidentiary, accountability and regulatory requirements – and the expectations of both government and the public

• ensures compliance with information and records management standards and other relevant legislation

• formalises your intentions for information and records management

• promotes efficiency of your business processes, practices and service delivery

• encourages ethical, responsible and professional behaviour at all levels

• influences your organisation’s culture and practice

• supports internal monitoring for compliance.

You should develop an information and records management policy with a full understanding of your organisation’s needs. These 2 steps will help you do this.

Step 1: Set the policy

• Align the policy with your organisation’s operating environment and strategic direction. You should also align it with ongoing needs and overall objectives.

• Link the policy to related business policies and programmes. For example, you could relate it to your organisation’s information and communications technology policy.

• Specify how you’ll comply with relevant legislative requirements and standards. Identify how you’ll also demonstrate compliance with them.

• Incorporate all systems that contain information and records – and all associated practices – into your policy.

• Identify information and records management standards to use.

• Demonstrate how staff can be consistent with codes of conduct and ethical standards when managing information and records.

• Briefly outline how information and records should be created and maintained. Include requirements for their authorised disposal (that is, their destruction or transfer to us).

• Write the policy in plain language and keep it brief so all staff can understand it.

Step 2: Communicate and implement the policy

• Encourage senior management to endorse the policy actively and visibly — and to resource its implementation.

• Ensure the policy is supported with procedures, guidance and tools for information and records management.

• Communicate the policy regularly across the whole organisation. Promote it to all staff and contractors.

• Keep the policy current by reviewing and updating it regularly. When you do this, consider any changes in your organisation’s business objectives, priorities and activities.

The role of information and records management

Your policy should clarify the relationship of information and records management to your organisation’s overall business strategy. Information and records management is critical to the purpose and operation of your organisation because it supports effective business and efficient service delivery. This includes outsourced activities. Make sure your policy explains the importance of information and records management in achieving organisational outcomes.

Your policy also needs to state how your organisation will meet legislative requirements to create and maintain full, accurate and accessible information and records.

Statement of the ownership of information and records

Your information and records management policy must emphasise the government ownership of information and records. Stress that they are public assets that do not belong to individual staff.

Information and records need to be regarded and handled as key strategic assets. This extends to those created by contractors for any outsourced business.

Overall commitment by senior management

Your policy needs to outline the responsibility of senior management to:

• support it in line with the information and records governance framework and strategy

• resource and appropriately monitor its implementation.

Your Executive Sponsor’s role and responsibilities must be clearly stated – including their position in relation to other executive and regulatory roles and responsibilities.

Read more about the roles and responsibilities of your Executive Sponsor

Legislation and standards

Your information and records management policy must include your organisation’s commitment to comply with any relevant legislation and standards. This includes the Public Records Act 2005 and the minimum compliance requirements of the mandatory Information and records management standard.

References to other corporate policies

An information and records management policy does not exist in isolation. It’s part of your organisation’s overall policy framework – including policies related to security, privacy, information technology, risk management and the code of conduct. Your information and records management policy should outline clearly how it relates to your other policies and programmes.

Responsibilities

Your policy should identify the roles and responsibilities of all staff for managing information and records – at every level of your organisation. Staff should be in no doubt that their work falls within the scope of the policy.

References to supporting documents

Your policy should list any specific:

• business rules, procedures and processes

• guidance and tools

• that support how your organisation will implement the policy.

Monitoring of achievement and compliance

Your policy should briefly explain how you’ll carry out reporting, internal audits and self-monitoring on your organisation’s information and records management. It should also identify an appropriate person or role to be in charge of monitoring and preparing reports.

Learn more about monitoring information and records management

Organisation-specific components

Your policy should specify how your organisation will align the requirements of the Public Records Act 2005 with other frameworks governing information and records — such as privacy.

You can also note your organisation’s approach to managing any special collections of information and records not included in the definition of a public or protected record.

The following are useful to consider when developing and implementing information and records management policies, procedures and tools.

• Policies, processes and supporting technology need to be user-focused to eliminate barriers to use.

• Information and record assets, the technology that supports them – and the business requirements, policies and processes that govern them – must have identified, defined and accountable owners.

• The time, resource and effort spent on managing information and records needs to be proportionate to their value.

• Applications used to store and manage high-value and high-risk information and record assets should operate in a reliable and consistent way. They should also enable the content and context of the information and records to accompany any authorised transfer to us.

• The value of information and records can only be fully realised if each asset –regardless of format – has the attributes of availability, completeness and usability.

• Information and record assets are evidence of actions, decisions and processes. They may be subject to requests for access or to official scrutiny.