1. Introduction

Organisations often need to employ external parties to perform various business functions and activities. Engaging external parties has implications for information and records management. It is important that information and records management requirements are identified and addressed before making any agreement to outsource business. Any organisation that intends to outsource business needs to ensure that any related contracts include provisions for contractors and service providers to make, keep and properly manage relevant information and records.

The information in this document is intended as general guidance and is not comprehensive advice on how to manage the outsourcing. Seek legal and procurement advice when entering into contractual arrangements to outsource business.

2. Defining outsourcing

Outsourcing can be defined as the activities involved in arranging, procuring and managing the performance of work or the provision of services by an external contractor or consultant.

Outsourcing can occur in many forms. Some of the most common forms of outsourcing involve core business functions. For example, an organisation might outsource an infrastructure construction project or the provision of customer services.

Some activities can be outsourced to other public offices or local authorities. While these providers are covered by the Public Records Act 2005 (the Act), it is still appropriate to clarify the information and records management responsibilities in these arrangements.

3. Organisational responsibilities when outsourcing

Outsourcing a business function or activity does not lessen an organisation’s responsibility to ensure that it is carried out properly and that all requirements for information and records are met.

If records of an outsourced function or activity are not created or managed appropriately by a service provider, the organisation doing the outsourcing could be exposed to risk. Risks include:

  • failure to meet legislative obligations

  • loss of information or incomplete information on which to base decisions, provide services, or defend actions

  • loss of public accountability and transparency through inability to produce records of outsourced business.

And under the Act (s.17), an administrative head is considered to have failed his or her obligations if an organisation does not meet expectations for information and records management when outsourcing business.

3.1 Organisations have key responsibilities

When outsourcing business, organisations are responsible for ensuring that:

  • appropriate information and records of the outsourced functions or activities are made and kept

  • information and records of the outsourced functions or activities are securely managed and stored, both during and after the period of the outsourcing contract

  • ownership of information and records is clearly addressed and understood

  • information and records are accessible as appropriate and when required

  • information and records that are required after the contract has ended are returned

  • information and records of the outsourced business are disposed of lawfully.

3.2 Importance of your contract and establishing controls

The Act does not extend to a private sector service provider or outsourced organisation. This means that information and records management obligations should be clearly articulated in your contract with service providers to ensure that the obligations of the organisation are met. Build appropriate requirements: this is the primary means by which an organisation can meet its information and records management obligations. Managing the contractual relationship is key to ensuring that all information and records management requirements are met at all stages of the outsourced arrangement.

3.3 Outsourcing arrangements must be monitored

Organisations have a responsibility to follow up with monitoring of service providers and other checks to ensure that contractual arrangements are being met.

4. The role of a contract

The basis of the relationship between an organisation and a service provider is the official documentation of the agreement between the parties. Both the initial tender and contract are important for communicating information and records management requirements.

In making a decision about a provider, the contracting organisation must be confident that the provider can meet all legislative and policy requirements. This includes requirements for the proper management of information and records.

Any contract with an outsourced provider should include clauses relating to:

  • the information and records management requirements of the business being outsourced

  • compliance with the Act (and other relevant legislation)

  • compliance with standards for information and records management

  • ownership (including intellectual property) of information and records

  • timely information and records disposal

  • the return of information and records at the end of the contract

  • information and records security (including systems security and records storage security)

  • privacy management and protection of personal information

  • rights of access and arrangements for access to information and records

  • monitoring and inspection arrangements for compliance

  • the processes and penalties that apply when information and records requirements are not met.

5. Specifying access rights and privacy provisions

Any contract between an organisation and an outsourced service provider must specify access rights and restrictions related to records and information. A contract must also require that privacy obligations are met and that all private or sensitive information is protected.

5.1 Ensuring access to information held by a service provider

Under the Act (s.17(2)(3)), organisations must ensure that any contract with an outsourced service provider states that the organisation has immediate right of access to all information and records held by the service provider. The contract should also address privacy, confidentiality and public access considerations.

An organisation needs to ensure it has access to records in order to assess compliance with the requirements of a contract, and to meet other legal obligations.

5.2 Meeting privacy obligations and securing information

Organisations must ensure service providers are aware of their obligations to meet the requirements of the Privacy Act 1993 and the Government Chief Privacy Officer where appropriate.

Records generated in the course of business may be confidential because they relate to individuals, or have significant commercial value. This is particularly important where records are used, linked or analysed in conjunction with other information or databases.

Contractual agreements with service providers should therefore include provisions to protect private or sensitive information. Where appropriate, they should point to the relevant policy statements of the organisation, such as a privacy management plan or equivalent.

Information security must be considered in all outsourcing arrangements. This includes the use, transmission and storage of information and records.

6. Specifying information and records storage arrangements

The safe storage and proper preservation of information and records is required under the Act. Storage requirements are therefore a vital part in the management of information and records, and should be addressed in outsourcing arrangements.

To ensure the appropriate storage and preservation of information and records, an organisation must ensure that service providers:

  • store and manage information and records securely

  • manage information and records through migrations, systems changes and upgrades

  • protect information and records from loss and disaster

  • handle and transport information and records in a safe and secure manner

  • return specified information and records at the end of the contract.

7. Specifying authorised information and records disposal processes

Organisations have a responsibility to ensure that information and records are disposed of in accordance with the Act. The best way for an organisation to achieve this in an outsourcing arrangement is to specify, in a contract, which information and records disposal processes the contractor can use and which they cannot.

Organisations must ensure contractors do not unlawfully dispose of any information and records that are in their possession during an outsourcing arrangement. Unlawful disposal includes:

  • unauthorised destruction (for example, destruction that is contrary to the requirements in an authorised current disposal authority)

  • transfer to a third party

  • loss, damage or alteration.

Organisations need to:

  • be aware of the main methods for authorised disposal

  • communicate to service providers, through their contract, the authorised disposal processes that the service provider is allowed to use, and also those that are prohibited.

Some outsourcing arrangements last over long periods of time. In these cases, it may be practical to expect the service provider to destroy information and records periodically. Similarly, the contractor may be expected to transfer records back to the organisation periodically.

Information and records disposal that should be prohibited by an organisation in an outsourcing contract should include that which is carried out:

  • contrary to expectations set out in the outsourcing contract

  • corruptly or fraudulently

  • for the purpose of concealing evidence of wrongdoing

  • for any other improper purpose.

8. Specifying the return of information and records at the end of a contract

Certain information and records that are created, received or generated in the course of outsourced business will be essential to the ongoing conduct of that business. Failure to ensure that such information and records are transferred back to an organisation at the end of an outsourcing contract can seriously impact the organisation’s business continuity and accountability. It would also constitute a breach of the Act.

The outsourcing contract must make clear which information and records to return at the end of the contract. It is recommended to include these provisions:

  • restrictions on the service provider using the information and records for commercial profit, unless otherwise allowed in the contract

  • arrangements for information and records to be returned in a certain manner or format

  • agreed timeframes for the return of the information and records

  • deletion of any copies of information and records from the service provider’s systems once transferred.

Sometimes at the end of a contract an outsourcing organisation will identify an ongoing need for information and records from the service provider. Reasons for this include:

  • need for future referral by the contracting organisation (or another contractor) for any reason

  • continuing protection of sensitive or confidential information

  • use of the information and records to establish or protect the rights, entitlements or obligations of the contracting organisation or an individual

  • need for information and records to properly manage facilities or capital works owned by the contracting organisation

  • need for information and records to document the expenditure of public funds, such as the purchase of equipment or other assets

  • need for future research by the contracting organisation or an individual