We have written this guide to help your organisation understand and apply the requirements of the Information and records management standard.

The Information and records management standard was issued by the Chief Archivist on 22 July 2016.

The standard’s purpose

The standard covers information and records in any format. It has been designed to support digital recordkeeping as the public sector continues its transition to digital business processes. The purpose of the standard is to ensure that business is supported by sound, integrated information and records management in complex business and information environments. This approach better reflects the way that most organisations now manage their information assets.

The earlier standards

This standard is the result of consolidating and streamlining the requirements from these Archives New Zealand standards:

  • Records Management Standard for the New Zealand Public Sector 2014

  • S4 Access Standard 2006

  • S5 Digital Recordkeeping Standard 2010

  • AS/NZS ISO 13028: 2012, Information and documentation – Implementation Guidelines for digitization of records

The standards above have been revoked and incorporated into this standard.

Further requirements for local authorities and approved repositories

Local authorities and approved repositories must follow:

How to implement the standard

The table in this document sets out three principles:

Principle 1: Organisations are responsible for managing their information and records

Principle 2: Information and records management supports business

Principle 3: Information and records are well managed Under each principle are listed the minimum compliance requirements, an explanation for each requirement, and key guidance for implementing the requirements. This guidance will be regularly added to.

Principle 1: Organisations are responsible for managing information and records

To ensure information and records are able to support all business functions and operations, organisations must establish a governance framework. This framework will help an organisation to:

  • develop strategies and policies to direct how information and records will be managed

  • assign responsibilities and allocate resources

  • establish provisions for information and records management in outsourcing and service delivery arrangements

  • monitor information and records management activities, systems and processes.

1.1 Information and records management must be directed by strategy and policy, and reviewed and monitored regularly.

Governance frameworks are critical to the achievement of effective information and records management. Your organisation must set high-level strategy and policy for managing its information and records. The administrative head of the organisation must adopt it.

Strategy and policy include:

  • appointment of an Executive Sponsor to oversee information and records management – requirement 1.2

  • clear requirements for the creation, capture and management of information and records – requirement 3.1

  • setting an information security policy – requirement 3.4

  • identifying and assigning responsibilities of senior management for information and records management – requirement 1.2

  • identifying the need for information and records management staff or skills (do this through performance plans and/or service agreements) – requirement 1.4

  • identifying business owners responsible for including information and records management in all systems and processes – requirement 1.5

  • setting information and records management responsibilities for staff and contractors – requirement 1.6

  • addressing information and records management in all service arrangements – requirement 1.7

  • implementing an information security policy and appropriate security mechanisms – requirement 3.4

  • implementing policies (and business rules and procedures) to ensure that information and records are kept for as long as they are required and to identify how their disposal is managed – requirement 3.6

  • implementing policies to identify how to manage the disposal of information and records – requirement 3.7.

1.2 Information and records management must be the responsibility of senior management. Senior management must provide direction and support to meet business requirements as well as relevant laws and regulations

  • Ultimate responsibility for information and records management lies with the administrative head and senior management. They must provide direction and support and ensure information and records management meets business requirements, the law and regulations.

  • Responsibility for information and records management is cascaded down throughout the organisation, through various levels of management.

  • Responsibilities are identified and assigned in strategy and policy.

  • This requirement mirrors legislative obligations for example in the State Sector Act 1988 (s.32(1)) and the Local Government Act 2002 (s.42(2)) and reinforces the need for the Administrative head and senior management to provide high-level direction and support, including ensuring adequate resourcing for information and records management.

1.3 Responsibility for the oversight of information and records management must be allocated to a designated role

This new requirement clarifies what was implicit in the previous standard. The Executive Sponsor oversees information and records management. They must be a senior manager with organisation-wide influence and appropriate strategic and managerial skills. Their role is to:

  • provide oversight of information and records management within the organisation, including monitoring of information and records management to ensure that this meets the needs of the organisation

  • ensure responses to monitoring/reporting requests from us.

Include establishing this role in your policies and strategies for information and records management. The Executive Sponsor’s role should be incorporated into their performance plan. Your organisation must advise us of your Executive Sponsor, when they are appointed and when the role changes hands.

1.4 Organisations must have information and records management staff, or access to appropriate skills

  • Your organisation must have staff with information and records management skills or be able to access this expertise.

  • Each organisation’s strategy will likely need a range of different levels of responsibility and skills. Reflect this in job descriptions.

  • An organisation must be able to access information and records management skills through recruitment, service providers, and by networking with other organisations.

  • An organisation must identify and assign responsibilities through strategy and policy, performance plans and/or service agreements.

1.5 Business owners and business units must be responsible for ensuring that information and records management is integrated into business processes, systems and services.

This new requirement clarifies what was implicit in the previous standard

  • An organisation must identify business owners and system owners who are responsible for ensuring information and records management is included in all systems and processes used.

  • Those owners must be aware that information and records management requirements are needed when they move to a new service environment, develop new business processes, systems or services, or improve on existing business processes, systems or services.

  • Responsibilities for business owners must be identified and assigned in policies and within performance plans.

  • Business owners must demonstrate that they have considered information and records management requirements and assessed risks as part of the development process.

  • This requirement places responsibilities more broadly within an organisation. It reflects a business manager’s detailed understanding of the information and records produced by and necessary to perform their work, and their responsibility for ensuring its management.

  • Cascading responsibility to different business areas of the organisation lets business unit staff and information and records staff work together to ensure that information and records management is integrated into business processes, systems and services.

1.6 Staff and contractors must understand the information and records management responsibilities of their role

They must also understand relevant policies and procedures.

  • All staff of the organisation, including contractors, must understand their information and records management responsibilities.

  • Policies, business rules and procedures must include clear requirements for all staff for creating and managing information and records.

  • Contractors come into organisations to perform specified tasks. Information and records that are produced and managed in their performance of the contract need to be covered. And contractors must know their information and records management responsibilities and the relevant policies and procedures.

  • Responsibilities must be identified and assigned in policies. Skills, capabilities and responsibilities must be assigned in role descriptions and performance plans.

1.7 Information and records management responsibilities must be identified and addressed in all outsourced and service contracts, instruments and arrangements

This new requirement clarifies what was implicit in the previous standard.

An organisation must ensure that information and records management is addressed in all service contracts, instruments and arrangements. An organisation’s strategy and policy must include responsibilities to ensure that information and records requirements are identified and addressed. An organisation must undertake risk assessments and address information and records management risks in contracts, instruments and arrangements that it agrees to. Service contracts, instruments and arrangements include:

  • functions, activities or services of the organisation being outsourced to an external provider

  • functions, activities or services being moved to cloud services or other service providers (internal or external to the New Zealand public sector).

An organisation must ensure that the portability of information and records and associated metadata is assessed and appropriately addressed in outsourced and service contracts, instruments and arrangements.

1.8 Information and records management must be monitored and reviewed to ensure that it is accurately performed and meets business needs

An organisation must regularly monitor information and records management activities, systems and processes to ensure they are meeting the needs of the organisation and conforming to requirements. Any issues identified through a monitoring process must be addressed in a corrective action plan. An organisation must monitor activities such as process and system audits of systems that are high-risk, high-value, or both. Any system of assurance for information and records management should be integrated into the wider organisational assurance processes. The Executive Sponsor has responsibility for overseeing this monitoring.

Principle 2: Information and records management supports business

Information and records management ensures the creation, usability, maintenance, and sustainability of the information and records needed for business operations. It also ensures business operations meet government and community expectations.

By appraising business activities, organisations define their key information requirements. Appraisal is used to design and embed information and records management into business processes and systems.

Taking a planned approach to information and records management means:

  • considering all operating environments

  • ensuring that all service and systems arrangements consider the creation and management of information and records needed to support business.

2.1 Information and records required to support and meet business needs must be identified

This requirement provides the foundation for managing information and records in all environments. By appraising its functions and activities, an organisation can identify what information and records it needs to support business. It can also identify other requirements, including Treaty of Waitangi / Te Tiriti o Waitangi obligations, and government and community expectations. This work provides the foundation for understanding what information and records to keep. It identifies what systems and business processes are high-risk, high-value, or both for the organisation, and the information and records required to support these. An organisation must incorporate this work into comprehensive and authorised disposal authorities for its information and records An organisation must document in its business rules, policies and procedures decisions about what information and records are required. The decisions must also be reflected in specifications for systems and metadata schema.