|Category||Administration and Management|
|Approved by||Vice Chancellor, May 2011|
|Date Policy Took Effect||31 May 2011|
|Last approved revision||3 April 2022|
|Sponsor||Registrar and Secretary to the Council|
|Responsible officer||Head of Corporate Records Services|
This policy is written within the context of the University's Information Framework which recognises information as a key strategic asset that underpins all University activities. The Information and Records Management policy establishes the principles which govern the University's creation, maintenance, retention and disposal of its information and records so that it can manage its information appropriately, maximise the operational and strategic value of the information it holds, and comply with relevant legislation. The policy requires the establishment of a consistent and coordinated approach to information and records management and outlines the responsibilities of staff in support of these requirements.
This policy applies to:
- All University of Otago staff, including persons contracted to the University either directly or in partnership with it.
- All information, data and records owned by the University which fall under the coverage of the Public Records Act (PRA) 2005, regardless of format or storage medium. Note: emails, data, datasets, and content created and managed in Microsoft 365 are forms of digital record.
- All business functions and activities of the University which fall under the coverage of the PRA, including those performed by outside contractors.
- All corporate applications used to create, manage, and store information, data, and records which fall under the coverage of the PRA, including business information systems, email, websites, databases, and social media applications.
- All metadata associated with digital information, data, and records which fall under the coverage of the PRA, including data held in business information systems, collaborative workspaces, and content management systems.
While subsidiaries of the University of Otago are separate legal entities, it is acknowledged that the provisions of the Public Records Act 2005 do apply to controlled entities and therefore they may adopt or adapt this policy for their own use.
- Refers to the New Zealand Universities Disposal Authority. This document sets out the retention periods and disposal actions for those records that are common to all New Zealand universities. This document is the University of Otago's legal authority granted by the Chief Archivist to retain, dispose of, or transfer its records.
- A general term meaning facts, numbers, letters, and symbols collected by various means and processed to produce information
- Is the final decision concerning the fate of records, i.e. their physical destruction or electronic deletion, or transfer to an archive.
- Electronic Document and Records Management System (EDRMS)
- A type of content management system that combines document management and records management in an integrated system.
- Electronic Records (or Digital Records)
- Records that require the use of a computer for creation, access, and use. This can include emails, databases, websites, audiovisual files, images, and records migrated or transformed into digital formats.
- Data that has been processed into a meaningful form
- Information and Records Management
- The field of management responsible for establishing and implementing policies, systems, and procedures to capture, create, access, distribute, use, store, secure, retrieve, and ensure disposition of an organisation's records and information.
- Structured information that describes information and / or allows for the finding, managing, controlling, and understanding of information over time. Examples include file name, document properties, and unique identifier and encoding schemes.
- The University of Otago's custom Electronic Document and Records Management System.
- Public Records
- Are defined as records that are created or received by a public office in the conduct of its affairs which are covered by the Public Records Act (PRA) 2005. The University is defined under the PRA as a public office.
- Public Records Act 2005 (PRA)
- Establishes a regulatory framework for information and records management across the public sector. Section 4 of the Act sets out the University's obligations for creating, maintaining, transferring, disposing, and providing access to its information and records.
- Information created, received, and maintained as evidence of the activities carried out by the University and which are thereafter retained (for a set period). Records may be in any format including paper-based, electronic, or a hybrid of the two; or any storage medium including business information systems, email, websites, databases, social media applications and M365 sites.
- Recordkeeping Systems
- Business information systems which include amongst their functions the capability to capture, maintain, provide access to, and apply retention and disposal rules, to information, data, and records in that system..
1. Information and records management lifecycle
The University is required to comply with information and records management legislation and regulatory requirements. This includes the obligations set out in the Public Records Act 2005 (PRA) and any associated mandatory standards issued under the Act. The PRA requires that all University business information, records, and data is managed appropriately throughout its lifecycle, until it is archived or destroyed. The records information lifecycle spans from creation to disposal and is illustrated in the below diagram:
Diagram 1: Information Lifecycle (ARMA International).
2. Creation and maintenance of information and records
- All information, data and records must be created in a complete and contextual manner which reliably documents the business activities of the organisation across all physical and digital operating environments.
- All information, data and records must be maintained appropriately in managed and approved storage solutions that are able to ensure their integrity, usability, and discoverability for their full life cycle.
- Information and records must not be created and maintained in any personal or private cloud storage services such as Dropbox, Google Docs, iCloud, or OneDrive.
- All information, data and records must be managed and protected commensurate with their value and information security classification.
- Information and records must be considered in all IT-enabled projects and services such as new business information system implementations, or improvements to existing systems, whereby the functionality and system requirements for information and records are defined and designed during the evaluation phase or process.
3. Accessibility of information and records
- Information and records must be collected and organised in a way that is easy to find and accessible over time for the purpose of discovery or investigation.
- Information and records must be secured and protected from corruption, damage, alteration, unauthorised access, use or disclosure, or premature disposal, and in accordance with the University's Cyber Security Framework.
- Information and records must be available as a corporate resource to all staff, except where the nature of the information requires restriction in accordance with the University's Access Framework for University of Otago Records,
4. Retention and disposal of information and records
- All University information, data, and records, including data in business information systems, must be retained for at least the minimum periods set out in the New Zealand Universities Disposal Authority (DA).
- Information and records must be identified so that where practicable retention periods are applied at the time of creation, either using system functionality or as an information management exercise undertaken outside of the system, and records of longer-term value and permanent retention are protected.
- Information and records must be disposed of in a timely and efficient manner when they are no longer legally or administratively required.
- Information and records that are of short-term, facilitative, or transitory in value can be disposed of as part of normal administrative practice.
- Information, data, and records must be retained in the system in which they were created, or reformatted (digitised) and /or migrated to an approved recordkeeping system as appropriate, so that digital or other technology dependent information and records are retained in an authentic and accessible form for as long as is required.
- Original hard copy information and records that are reformatted (digitised) must meet certain technical and quality assurance requirements before the destruction of the hard copy can take place. Please refer to the University's Digitisation of Records Procedures.
- Hard copy information and records that have been identified for permanent retention and that are no longer in current use or required administratively by the University must be transferred to the possession of the Hocken Library and the control of the Chief Archivist.
5. Recordkeeping systems
- The University uses a variety of IT storage systems and services that create and maintain digital information. How and where digital information is stored will affect their viability over time, and it is important to consider that digital information is likely to have a lifespan beyond the life of the system in which they are born.
- Not all IT storage systems and services in use at the University will be capable of performing as, or be designated, digital record keeping systems. An appropriate digital record keeping system will be capable of:
- Sustaining the information for as long as is required to support their legal retention (or capable of exporting the information, together with their relevant metadata, into a new system as and when required to support the required retention)
- Enabling the destruction of time-expired information in a systematic and auditable way in line with the University's legislative requirements
- Supporting the management and monitoring of information and records including maintaining and retaining an auditable record of use
- Allowing privacy and security requirements for information and records to be managed and enforced
- Organising information appropriately and maintaining accessible and useable metadata to appropriate standards
- Vendor scrutiny and assessment to ensure widespread industry support and to avoid the system becoming obsolete and unsupported
- IT storage systems and services that create and manage digital information but are not deemed capable of performing as, or be designated, a digital record keeping system will at a minimum need to be capable of allowing data migration and / or have the ability to export records and their metadata from one storage solution to another for the purpose of digital archiving.
- OURDrive, the University's EDRMS, shall be the University's system for managing public records from systems that are not capable of functioning as a digital recordkeeping system.
- Maintaining original paper source files, or printing and filing records, may be a suitable approach for some types of information. Physical recordkeeping systems will continue to be in operation as a supported record keeping tool until this process is superseded by digital equivalents.
6. Staff responsibilities
- The University's Information Framework provides general responsibilities associated with the management of information. Specific responsibilities relating to recordkeeping are as detailed in this section.
- The University Registrar is the designated Executive Sponsor and has strategic and executive responsibility for overseeing information and records management in the University.
- The Head of Corporate Records Services is responsible for:
- Providing advice, guidance, and training to staff on information and records management practices, policies, procedures, and systems.
- Maintaining communication and awareness with university staff on all matters relating to information and records management and promoting compliance.
- Leading the development and implementation of strategies and policies to enable sound information and records management practices.
- Assisting with the development of university recordkeeping and information systems as appropriate.
- Monitoring information and records management processes, procedures and systems as required, including the retention and disposal of university business information.
- Advising senior leadership of any risks associated with non-compliance and reporting on records and information management as appropriate.
- Coordinating the transfer of university information and records of permanent archival value to the Hocken Library and the control of the Chief Archivist.
- The Corporate Records Services team are responsible for providing business support for, and liaising with staff on, the promotion and implementation of information and records management best practice. This includes:
- Providing advice, user support, training, and guidance as appropriate.
- Coordinating with relevant staff on the transfer, storage, retrieval, sentencing and archiving of information and records.
- Assisting in the identification of long-term value information and records in recordkeeping and information systems.
- Undertaking the appraisal and disposal of information and records in accordance with standard procedures.
- Implementing practices that allow for the auditing and monitoring on the compliance and effectiveness of information and records management at the University.
- Project Managers and Project Steering Committees are expected to plan and budget for the identification, design and integration of information and records management compliance requirements when the following activities are undertaken:
- When new systems are implemented into the University.
- As part of decanting and new-build processes. This may include planning and budgeting for the digitisation of hard copy records in lieu of assigning space for hard copy record storage.
- If changes to existing systems or practices occur, such as enhancements or upgrades, in which case a pragmatic approach should be taken to addressing compliance requirements.
- Managers (e.g. Heads of Departments) are expected to:
- Demonstrate support for, and adherence to, this policy by promoting a culture of compliant information and records management.
- Ensure staff are inducted into the University's information and records management policy and practices, and additionally that staff are trained and inducted into any specific information and records management procedures relevant to their team.
- Ensure that Business Continuity Plans for their area identify any vital information, data, and records, and that there are strategies in place to ensure they can be accessed in the event of failure or disaster.
- All staff have responsibility for the appropriate management and handling of information and are expected to follow advice and directives from their managers, information custodians and relevant staff that have Specialist Information Portfolio Responsibilities (as outlined in the University's Information Framework) about information management and handling in relation to this policy.
Related policies, procedures and forms
Legislation and standards
- The Public Records Act 2005
- Information and Records Management Standard
- Disposal Authority for NZ Universities
- Cyber Security Policy
- Email Policy
- Intellectual Property Rights Policy
- Intellectual Property Rights of Graduate Research Students Policy
- Policy on Access to, and use of, Personal Information
- Web Policy
- Access Framework for University of Otago Records
- Authorisation of Access to Student Information Procedure
- Digitisation of Records Procedures
- Information Security Classification Procedure
Code of Conduct
Contact for further information
If you have any queries regarding the content of this policy or need further clarification, contact:
Corporate Records Services