CAARA Policy 13 – Recordkeeping Issues associated with Outsourcing and Privatisation of Government Functions

Adopted: 14 August 2002 Revised: 13 March 2007

Table of Contents

Introduction

Purpose
Scope
Policy statement
Guiding concept
Controls over the process
The use of legislation
The use of a contract
Glossary
Acknowledgments

Principle 1 – Planning

Explanation
Examples of compliance
Outsourcing
Privatisation

Principle 2 – Ownership

Explanation
Examples of compliance
Outsourcing
Privatisation

Principle 3 – Control

Explanation
Examples of compliance
Outsourcing
Privatisation

Principle 4 – Disposal

Explanation
Risk Management
Examples of compliance
Outsourcing
Privatisation

Principle 5 – Access

Explanation
Risk Management
Examples of compliance
Outsourcing
Privatisation

Principle 6 – Storage

Explanation
Examples of compliance
Outsourcing
Privatisation

Principle 7 – Contract Completion

Explanation
Examples of compliance
Outsourcing

Introduction

This policy has been developed to provide a set of principles to CAARA members concerning records management issues inherent in the privatisation of government functions or the performance of government functions by external organisations, consultants or other entities on behalf of government.

Circumstances in which government functions may be performed outside of government may include outsourcing arrangements such as joint ventures, public private partnerships and the engaging of non-government organisations. Such arrangements may cover the performing of government functions by an external service provider under contract or functions performed by a non-government organisation where government retains some input. Government functions may also be delivered under privatisation arrangements where functions are transferred to a privatised entity.[1]

This policy contains examples of compliance specific to either a privatisation or outsourcing exercise. The compliance examples may be used by members as basis for ensuring that agencies in their jurisdictions adhere to the principles defined in the policy.

Purpose

The purpose of this document is to provide a best-practice guide to CAARA members which can be used as a minimum standard when determining recordkeeping requirements for government functions performed outside of government.

Specifically, the following requirements must be met:

  • Ownership of records is agreed upon both during the performance, and following completion of, the outsourcing or privatisation arrangement (refer to Principle 2);
  • The responsibilities for creation and management of records are agreed upon during the planning stage of performing government functions (refer to Principle 3);
  • Records are controlled in accordance with the requirements of the controlling agency as defined in the contracts or agreements covering the outsourcing or privatisation process (refer to Principle 3);
  • Records are disposed of in accordance with the relevant legislation or other instrument in force in the relevant jurisdiction (refer to Principle 4);
  • Access to records is regulated and controlled in accordance with the relevant standards and legislation (refer to Principle 5); and
  • Storage of records during any agreement is agreed upon and implemented in accordance with specific storage standards (refer to Principle 6).

Scope

The principles and related examples are suitable for adoption by all ‘agencies’ and for all ‘records’ as defined by CAARA members’ archival legislation or other standards and instruments.

These principles DO NOT override any provisions in existing legislation or standards relating to the management of government records by non-government entities.

Policy statement

CAARA promotes the principles discussed in this document as comprising a guiding concept that ensures agency recordkeeping requirements are satisfied when government functions are performed outside of government.

Guiding concept

CAARA members shall adopt the following guiding concept when providing advice to agencies in relation to the performance of government functions outside of direct government control:

  • Recordkeeping requirements are to be promoted clearly to, and understood by, all parties involved in the process, and must comply with the current applicable legislation, and industry and jurisdictional standards.

This concept will be addressed in detail by the provision of advice consistent with the  principles outlined in this policy.

Controls over the process

Exercises involving the performance of government functions outside of government may be authorised by various means. They may happen through the use of a legislative or administrative instrument or through a contract with a third party entity.

The use of legislation

CAARA members should advise any agency participating in outsourced records management to establish whether it is taking place as a result of specific legislation. If so, the participating agency should be advised to check the legislation, as it may contain specific provisions relating to records. Such provisions may specifically exclude or include certain categories of records as part of the exercise. These provisions must be considered when developing the contract or agreement.

The use of a contract

Similarly, CAARA members should advise any agency participating in such an exercise to examine the terms and definitions in a contract closely. Records may not be mentioned specifically in the contract, but be intended by those drafting the contract to be included within the scope of the term ’assets’. Without precise clarification of what constitutes assets, the opportunity could arise for ambiguity in the treatment of records. In the absence of consideration of records as ‘assets’, the agency should be advised to ensure that the contract specifically clarifies the rights and responsibilities of all parties with respect to records.

Glossary

For the purposes of this policy the following definitions are used:

  • agency– An agency, or more than one agency, as defined by the archival legislation or  instrument of the relevant CAARA member.
  • authorised disposal – The process by which the custody or ownership of records is transferred; or by which records are destroyed, abandoned, sold or delivered through the use of a retention and disposal schedule as required by archival legislation, or other instrument.
  • external service provider – An entity that performs a function on behalf of a government agency, including ‘public private partnerships’, ‘shared services’, ‘joint ventures’ or organisations in the not-for-profit sector. An external service provider can be either a government or non-government entity.
  • joint venture – A joint venture is a legal entity that has been created for the purpose of undertaking business activity. Two or more parties may establish a business relationship to undertake a joint venture.
  • non-government organisation – A service provider receiving recurrent or once-off funding from the government to provide a service.
  • outsourcing – The engagement of external service providers, by
  • regulation of a contract or agreement, to perform government functions and activities.
  • public private partnerships – A partnership formed between the public and private sectors for the purpose of delivering a service formerly provided by government. A public private partnership may involve government and one or more private sector entities.
  • privatisation – The transfer of entire functions and activities of an agency, or a part thereof, to the private sector.
  • privatised entity – An organisation or individual that performs a function (previously carried out by a government entity) which has been privatised.
  • record – A record as defined by the archival legislation or other instrument of the relevant COFSTA member.
  • record retention and disposal Schedule – A legal document issued by a government/archival authority to authorise the disposal of government records. It specifies classes of records and defines the retention periods and consequent disposal actions. Also known as a records disposal authority.

Acknowledgments

The Council of Australasian Archives and Records Authorities (CAARA) recognises the following agencies for participating in the CAARA Working Group on Contractor Records for the purpose of reviewing Policy Statement 13 – Recordkeeping Issues Associated with Outsourcing and Privatisation of Government Functions:

  • Archives New Zealand;
  • Archives Office of Tasmania;
  • Northern Territory Archives Service;
  • Public Record Office Victoria;
  • Queensland State Archives;
  • State Records of South Australia; and
  • State Records Office of Western Australia.

Principle 1 – Planning

Statement of principle: Outsourcing and privatisation activities include provisions for making, maintaining and disposing of records to limit government/agency exposure to risk.

Explanation

Careful planning in relation to records when outsourcing or privatising is necessary to ensure the safe keeping and proper preservation and use of records. To ensure adequate planning does occur the following seven principles of planning, ownership, control, disposal, access, storage and contract completion should all be considered prior to the finalising of any contractual or privatisation arrangements.

It is necessary to undertake complex and legal processes to outsource or privatise an agency (or an activity or function of an agency). However, with both outsourcing and privatisation the basis of the relationship between the parties to any such arrangement is the official documentation of the agreement between them. How the records of these functions and activities are managed is crucial to the successful management of the finalisation of any contractual or privatisation agreement.

When planning such an activity, consideration should be given to any legislation or policies produced by the relevant archives authority in relation to records management. Any other records management requirements in other relevant legislation should also be taken into consideration. In the event there is a legislative conflict, appropriate legal advice should be sought.

When undertaking any planning for a contracting or privatisation exercise agencies must also be careful to not make the requirements of the contract too restrictive, as this may unduly limit the field of potential contractors or purchasers.

Examples of compliance

Outsourcing

The following outcomes apply to outsourcing activities:

  1. Any applicable principles outlined in any recordkeeping documentation and requirements specific to the agency’s jurisdiction must be considered. The relevant archive authorities should be consulted.
  2. All relevant bodies, and all other appropriate stakeholders, must be consulted, including but not limited to, the jurisdictional procurement body or purchasing unit, the Crown Solicitor, and relevant procurement staff.
  3. A comprehensive risk assessment should be undertaken with specific consideration given to the type and complexity of the contract and the sensitivity of the information. Expert advice should be sought if required.
  4. Discovery or identification of any documents and corporate experience that may assist agencies in drafting the contract, including but not limited to, the Crown Solicitor or other appropriately qualified legal representatives and jurisdictional procurement or purchasing units.
  5. Ensuring adequate consideration is given to the implications of trans-border dataflows when contracting with companies which may result in the offshore transfer of personal information, intellectual property or copyright material, including the risk of information sent to regimes where the protection for the information may be less rigorous. Agencies should also consider the development of procedures to handle any issues arising from this kind of information transfer with reference given to any jurisdictional model terms and conditions. Note: In some jurisdictions there is a requirement for special consideration for trans-border dataflow of personal information. Legal advice should be sought for contracts requiring clauses of this kind.
  6. Ensuring transition plans are in place to manage the following occurrences:
    • where one of the parties ceases to exist during the term of the contract;
    • where records management issues (related to the management of records at the completion or termination of the contract) arise.
  7. Agencies should also make any arrangements necessary to manage any intellectual property issues that may arise during the term of the contract.
  8. In the event a sub-contractor is employed by the contractor during the term of the contract, the contract should include terms and conditions which ensure the sub-contractor is bound by the same requirements as the initial contractor.
  9. Roles and responsibilities for records management within the agency should be assigned to appropriately skilled staff members in order to manage any ongoing records management issues that may arise as a result of or during the term of the contract.

Privatisation

The following outcomes apply to privatisation activities:

  1. Any applicable principles outlined in any recordkeeping documentation and requirements specific to the agency’s jurisdiction must be considered. (Relevant archive authorities should be consulted).
  2. The participating agency should check the legislation for specific provisions relating to records. Such a set of provisions may specifically exclude or include certain categories of records as part of the privatisation.
  3. Records management requirements are included in the event of privatisation via a contract of sale. Alternatively, if records are not specifically mentioned their inclusion may have been intended under the scope of the term ‘assets’.
  4. All relevant bodies and all other appropriate stakeholders must be consulted, including the Crown Solicitor.
  5. A comprehensive risk assessment should be undertaken, with specific consideration given to the type and complexity of the privatisation exercise and the sensitivity of the information to be transferred to the new owner. Expert advice should be sought if required.
  6. Discovery or identification of any documents and corporate experience that may assist agencies in drafting the contract of sale where the privatisation exercise is not occurring as a result of legislation. (Advice from other jurisdictions who have undertaken like exercises could also be sought).
  7. Ensuring adequate consideration is given to the implications of trans-border dataflows when selling information as part of the sale of an asset to a company which may result in the offshore transfer of personal information, intellectual property or copyright material. Note: In some jurisdictions there is a requirement for special consideration for trans-border dataflow of personal information.
  8. Ensuring transition plans are in place to manage the following occurrences:
    • transferral of ownership of the information;
    • where issues related to the management of records at the completion or finalisation of the privatisation exercise may arise.
  9. Roles and responsibilities for records management within the agency should be assigned to appropriately skilled staff members in order to manage any ongoing records management issues that may arise as a result of, or during, the privatisation arrangement.

Principle 2 – Ownership

Statement of principle: Ownership of records that result from an activity performed by an external service provider is addressed and resolved through legislation or contract/agreement.

Explanation

In contractual or other agreements involving the performance of a government function by an external service provider or privatised entity, it is important to clarify issues surrounding the ownership of records and the information they contain. Failure to do so can severely restrict the business capabilities of the parties involved and expose the government/agency to considerable risks.

The issue of ownership extends not only to records of the agency that may be transferred to the external service provider or privatised entity, but also to records created by the external service provider or privatised entity during the life of the agreement or contract.

For records generated as a result of such activity, agencies may have obligations to manage them as if the agency was performing the work itself, and to manage these records for the life of the agreement and beyond. For this reason it is important that agencies ensure contractual arrangements define ownership and management of records.

Agencies should ensure that no existing record of permanent value is transferred to the ownership of an external service provider or privatised entity. Temporary custody may be allowed provided that the agreement or contract contains specific guarantees for the proper management, and eventual return of the permanent value records to the custody of the relevant archival authority.

Agencies should be made aware that their ability to remove records from storage with their archival authority or to transfer their own records to an external service provider or privatised entity may be limited by archival legislation, or other instruments.

Examples of compliance

Outsourcing

The following outcomes apply to outsourcing activities:

  1. The agreement or contract specifies existing records that will be copied or loaned to the external service provider. The agreement or contract specifies when and how these arrangements are to take place, and includes specific guarantees for the proper management and eventual custody of the records.
  2. The agreement or contract specifies which records remain the property of the agency, and when. For example, which records remain the property of the agency at the time of completion or termination of the agreement or contract.
  3. The agreement or contract specifies which records become the property of the external service provider, and when. For example, which records become the property of the provider at the time of completion or termination of the agreement or contract.
  4. The agreement or contract specifies the mechanism for transfer of records between the agency and the external service provider. For example, a schedule of transfers to occur on or at particular dates or milestones.
  5. The agreement or contract ensures that no existing record of permanent value is transferred to the ownership of the external service provider.
  6. The agreement or contract specifies who owns the intellectual property in the records.
  7. The agreement or contract defines any limitation on the external service provider on the use of records and disclosure of information contained therein, consistent with relevant statutory obligations (e.g. Freedom of Information (FoI), Privacy).
  8. The agreement or contract defines any rights of the agency for the use of records created by the external service provider during the life of the contract or agreement, consistent with relevant statutory obligations (e.g. FoI, Privacy).

Privatisation

The following outcomes apply to privatisation activities:

  1. The agreement or contract specifies which records remain the property of the agency, and when. For example, which records remain the property of the agency at the time of completion or termination of the agreement or contract.
  2. The agreement or contract specifies which records become the property of the privatised entity, and when. For example, which records become the property of the privatised entity at the time of completion or termination of the agreement or contract.
  3. The agreement or contract specifies the mechanism for transfer of records between the agency and the privatised entity. For example, a schedule of transfers to occur on or at particular dates or milestones.
  4. The agreement or contract ensures that no existing record of permanent value is transferred to the ownership of the privatised entity.
  5. The assigning of records as property takes place using such disposal schedules or authorities that may be required under archival legislation, or other instrument.
  6. The agreement or contract specifies who owns the intellectual property in the records.

Principle 3 – Control

Statement of principle: Third party entities comply with the records management controls determined by the controlling agency.

Explanation

Regardless of whether an agency, function or activity has been outsourced, privatised, or shared in a public private partnership it is likely that a controlling agency will retain some degree of responsibility for oversight and control over the function(s) performed by the external service provider or privatised entity. This control will be best supported by the controlling agency, ensuring full and accurate records management practices are observed by the external party.

To make this possible the agency should require the external party to create or manage records in a manner specified by the agency. The agency may also require that the external party comply with legislation, policies and standards that were binding upon the agency prior to, or after, the re-assignment of that particular function or activity.

There are a number of issues that must be addressed in contracts or agreements to ensure that the agency has a full and accurate record of the activities that relate to the delivery of the service. The agreement should specify the records the external service provider or privatised entity is expected to create, capture and maintain during the performance of the agreed work, and how those records are to be managed.

Examples of compliance

Outsourcing

The following outcomes apply to outsourcing activities:

  1. The agreement or contract stipulates any recordkeeping requirements that must be followed to enable the agency and the service provider to fulfil their statutory and service obligations. This could include requirements around content, creation, capture, management, description, control, disposal, or format of records. For example, a prescribed records classification system or metadata standard.
  2. The agreement or contract binds the service provider to comply with relevant records management legislation and standards.
  3. The agreement or contract binds the service provider to comply with relevant statutory obligations (e.g. FoI, Privacy).
  4. The agreement or contract specifies any technical standards needed to ensure interoperability between documents, records and/or information management systems used by the service provider and by the agency. For example, specifications about formats for electronic records.
  5. Agencies establish mechanisms for monitoring the service provider’s compliance with contractual arrangements, including compliance with records management standards, procedures and guidelines.
  6. The agreement or contract defines the processes to be followed if the service provider fails to comply with records management provisions in the contract.
  7. The agreement or contract establishes a mechanism to ensure that all required records are transferred between the service provider and the agency, in a prescribed manner and at defined intervals. This mechanism should include the details of the classes of records to be transferred, triggers for transfer, acceptable formats and timelines.

Privatisation

The following outcomes apply to privatisation activities:

  1. The agreement or contract stipulates any recordkeeping requirements that must be followed to enable the agency and the privatised entity to fulfil their statutory and service obligations. This could include requirements around content, creation, capture, management, description, control, disposal, or format of records. For example, a prescribed records classification system or metadata standard.
  2. The agreement or contract binds the privatised entity to comply with relevant records management legislation and standards.
  3. The agreement or contract binds the privatised entity to comply with relevant statutory obligations (e.g. FoI, Privacy).
  4. The agreement or contract specifies any technical standards needed to ensure interoperability between document, records and/or information management systems used by the privatised entity and systems specified by the agency. For example, specifications about formats for electronic records.
  5. The agreement or contract stipulates that at the point of privatisation, no records of permanent value are transferred to the ownership of the privatised entity, and if necessary, copies are made of required records to meet the needs of the privatised entity.
  6. The agreement or contract stipulates that arrangements are made by the agency prior to privatisation to transfer all records of permanent value to the appropriate archival authority.

Principle 4 – Disposal

Statement of Principle: Records that provide evidence of government functions and activities held by external service providers or transferred to a privatised entity must be disposed of in accordance with relevant archival legislation, or other instrument.

Explanation

The concept and definition of ‘disposal’ is not limited to the physical or electronic destruction of records, (i.e. by shredding, pulping, electronic over-writing, or other means). This expanded or functional definition of disposal may include, but is not restricted to, the transfer of ownership, custody or sale of records; damaging or abandoning of records; donating or giving away (discharging) of records, and may refer to a part of a record or where electronic records are not migrated forward or maintained over time.

This expanded concept of disposal is particularly relevant where a function or activity of a government agency is being carried out by an external service provider. The physical custody may be transferred to an external service provider , however the legislative disposal requirements remain with the originating or controlling government agency unless specific provision has been made and agreed otherwise. It is equally applicable where a function or activity is transferred to a privatised entity and public records may move outside their originating or controlling government agency or legislative jurisdiction. An agreement must specify the responsibilities binding upon an external service provider or privatised entity before any disposal function or authority is conferred upon that entity or provider.

Dependent on jurisdiction, the creating or controlling government agency and/or the external service provider or privatised entity may need to be made aware that transfer of ownership, custody, or sale of public records is considered to be a disposal action and that they must exercise equal control over such disposal activities as those that involve the physical destruction of records (see the expanded definition of ‘disposal’ above).

Any disposal action carried out interstate, overseas, or at a remote site or location, must meet the compliance requirements of the legislation, or other instrument, of the jurisdiction of the originating government agency, not the jurisdiction of the external location. This circumstance may require that any disposal action be carried out in the record’s originating jurisdiction. Agencies should ensure that any disposal function undertaken can be legally carried out interstate or overseas; these considerations are especially significant where records are stored in electronic format (and more easily moved across jurisdictions), or where there may be a national security or other security issues (e.g. Privacy, FoI).

Risk Management

Risk management considerations should determine whether any disposal action is undertaken without the originating government agency. Any conferral of disposal function or responsibilities must be fully recorded, and be made compliant with any relevant legislation, or other instrument, and embedded within any contract or agreement before any disposal processes are considered. Provision must be made for the disposal and retention of public records held by an external service provider or privatised entity. The contract or agreement with an external service provider or privatised entity must state that public records should be returned to the originating or controlling government agency if the contract or agreement is terminated for any reason.

Examples of compliance

Outsourcing

The following outcomes apply to outsourcing activities:

  1. Arrangements for the disposal of records are made during the planning process and these processes are recorded in the enabling contract, or agreement, before any disposal processes are undertaken and carried out.
  2. The transfer of custody of records to an external service provider occurs in accordance with an approved records retention and disposal schedule or other instrument, as required by the relevant archival legislation, or other instrument.
  3. Records held by the external service provider are only disposed of in accordance with an approved records retention and disposal schedule and with the approval, or authorisation, of the responsible originating or controlling government agency, as required by the relevant archival legislation, or other instrument. The relevant disposal schedule should be referred to, or cited as the source of approval for the disposal of records, in the contract or agreement governing the outsourcing arrangement with an external service provider. The contract or agreement should also include provision for:
    • any transfer of ownership of records;
    • any transfer of custody of records to the external service provider for a specified period of time; and
    • the return of public records to the government agency or relevant archival authority at the conclusion of any specified period of time of external custody.
  4. The enabling contract, or agreement, has provision for the retention and disposal (or secondary review process) for records upon completion of the contract or agreement, or if the contract is terminated for any reason, or the external service provider ceases to be able to fulfil the disposal function for any reason. Disposal can take the form of:
    • destruction;
    • transfer to another external service provider;
    • transfer back to the originating government agency; and
    • transfer to the relevant archival authority.
  5. The contract or agreement binds the external service provider to complete any notifications of intention to destroy records as required by the government agency and/or the relevant archival authority, including any process of public comment or exposure. The government agency and/or the relevant archival authority should have final sign-off for ultimate disposal or permanent archival retention of public records.:
  6. Government agencies ensure that no existing record of permanent value is transferred to the ownership of an external service provider. Custody on a temporary basis may be included in a contract or other agreement, provided that it contains specific assurances and guarantees for the management of and eventual return of any records of permanent value to the originating or controlling government agency.
  7. All instances of disposal action are undertaken to an appropriate level of security and are compliant with the requirements of any relevant legislation, or other instrument (e.g. Privacy, FoI).

Privatisation

The following outcomes apply to privatisation activities:

  1. Arrangements for the disposal of public records, or ultimate archival custody of public records of permanent value, are incorporated into the contract of sale, or other transfer mechanism, and these processes are explicit in the conditions of sale or transfer.
  2. The contract of sale or other transfer mechanism of public records occurs in accordance with an approved records retention and disposal schedule, or other instrument, as required by the relevant archival legislation. This disposal arrangement is incorporated into the conditions of transfer, or the contract of sale or other mechanism, when authorising the transferral of the disposal function to a privatised entity.
  3. Public records transferred to a privatised entity are only destroyed in accordance with an approved records retention and disposal schedule and according to the legislative requirements of the originating jurisdiction. The relevant disposal schedule should be referred to, or cited, as the source of authorisation or approval for the disposal of records as agreed in the contract of sale or other transfer mechanism. Disposal includes:
  4. destruction of records;
  5. transfer of ownership of records;
  6. transfer of records to the relevant archival authority;
  7. return to the originating government agency; and
  8. the re-sale of records.
  9. The contract of sale or other transfer mechanism states that, if for any reason (including insolvency, winding up, liquidation, receivership, etc.) the privatised entity ceases to be able to fulfil the disposal function, public records should be returned to the relevant archival authority, or to the originating government agency.
  10. The contract of sale or other transfer mechanism binds the privatised entity to complete any notifications of intention to destroy public records as required by the relevant archival authority, including any process of public comment or exposure.
  11. All instances of disposal action are undertaken to an appropriate level of security and are compliant with the requirements of any relevant legislation, or other instrument (e.g. Privacy, FoI).

Principle 5 – Access

Statement of principle: Responsibility for ensuring the same level of access to public records is available to the public regardless of who is delivering the service.

Explanation

Official records owned by an agency contain information that may be accessed for the current operational needs of the agency, for research by the agency and members of the public. Some records may include sensitive information which needs to be appropriately managed, especially in terms of who can access the information. It is therefore important that consideration be given to how access to public records will occur both during and after the life of an outsourcing or privatisation arrangement. Questions of ownership and custody of records may also arise during a reversal of privatised entities back to the control of the public sector.

When contemplating outsourcing or privatisation arrangements, an agreement needs to be reached between the parties involved that ensures compliance with the provisions of relevant legislation, including FoI and Privacy, that require or restrict access. Access conditions established under the contract should then be applied consistently and equitably.

The accessibility of public records in terms of having a useable format or system for record preservation is discussed in Principle 6 (storage).

Risk Management

Although public records access may be given to the external service provider or privatised entity, ownership of those records in many cases will remain with the agency (see Principle 3 – control). To manage risk, access to public records of an agency must be managed as if the records were in the custody of the agency.

The risk of being unable to provide appropriate public access to public records is minimised for agencies when access to public records is carefully considered and documented in a contract between an agency and an external service provider or privatised entity.

Examples of compliance

Outsourcing

The following outcomes apply to outsourcing activities:

  1. Outsourcing requirements relating to access of public records by all parties have been included in a written contract or agreement.
  2. Full and accurate records of an outsourced function or a project being conducted under public private partnership arrangements are made, kept and held accessible as required under legislation and as per a written agreement between the public authority and the external service provider.
  3. The agency clarifies in a written agreement which records (created by a non-government organisation (NGO)) are considered public records, and also that the NGO will be required to provide the agency with access to the records as required.
  4. Restrictions on how an agency’s records are accessed by an external service provider may need to be considered. Such restrictions may be necessary for the preservation of a record, for administrative purposes, or for FoI or Privacy purposes.
  5. Provision is made in the contract so that records generated by an external service provider which contain sensitive, personal or confidential information, are securely stored to control access.
  6. Where an agency might hold a record that an external service provider requires access to and the record contains sensitive information (e.g. information about national or state security), the agency may wish to make arrangements for the external service provider to receive a copy of the record with the sensitive information expunged.
  7. Procedures relating to FoI and Privacy matters should be detailed in contracts and agreements so that the recordkeeping requirements that support FoI and Privacy legislation principles are met by the external service provider.
  8. The agency and the external service provider should negotiate whether a fee will be charged by each party when it accesses the other party’s records. This needs to be included in any contract between the parties.
  9. If an agency engages an external service provider to index, organise, store, preserve, secure, destroy or carry out other records management activities on behalf of the agency that may affect the accessibility of records, the provision to manage these activities needs to be included in the contract between the parties.
  10. Access by an agency to undertake inspections to assess compliance with the recordkeeping requirements of the contract is documented in the contract.
  11. Contracts should include details of how the agency can access records for the purposes of arranging the return of the records once a contract terminates.

Privatisation

The following outcomes apply to privatisation activities:

Where a public sector entity has been privatised, a contract between the agency and the privatised entity includes provisions for the privatised entity to access public records in the custody of the agency for business continuity purposes and, if the records are borrowed by the privatised entity, the return of the records once the contract expires.

Principle 6 – Storage

Statement of principle: Appropriate records storage requirements are addressed in contractual arrangements.

Explanation

Archival authorities have spent much time establishing arrangements for the storage of records of government agencies. These arrangements have been designed to meet the needs of agencies and to fulfil the requirements of existing archival legislation, or other instruments. It is important that these gains are preserved where an agency is privatised or a function or activity is being carried out by an external service provider.

Inadequate decisions over the storage arrangements for records, particularly electronic records, may result in the loss of records of evidential value. Agency staff and members of the public may lose confidence in the integrity of the records, and the agency could expose itself to unacceptable levels of risk and potentially costly consequences. This may also lead to unnecessary duplication of effort. Agencies must therefore ensure that storage arrangements are included in any relevant contractual agreements. If the records are held overseas or interstate, storage must meet the requirements of the legislation, or other instrument, of the jurisdiction of the originating agency, not the jurisdiction of the remote site or location.

It is also vital to include arrangements for the appropriate storage of records at the expiry or termination of the agreement. Failure to do so may result in records being destroyed through the perception that they are no longer the concern of the external service provider or privatised entity, or material being misplaced in the changed circumstances or inappropriately stored at the conclusion of the agreement.

Examples of compliance

Outsourcing

The following outcomes apply to outsourcing activities:

  1. Record storage agreements are reached between the agency and the external service provider for records in the custody of the external service provider regardless of their format or storage location.
  2. Record storage agreements are reached with the external service provider where permanent and temporary value records, that remain the property of the agency, are in the temporary custody of the external entity. Agencies should ensure records are returned in a timely manner at the end of the contract.
  3. The agency ensures that record storage agreements are reached between the relevant public authority and the external service provider covering permanent value records in the temporary custody of the entity.
  4. Records storage requirements should be authorised through an approved records disposal authorisation or other instrument (such as a contract) as required by the relevant archival authority to ensure that the parties to the arrangement comply with appropriate standards.
  5. Record storage agreements should ensure the following:
    • environmental controls are appropriate to record formats and retention periods;
    • sites for record storage are located away from known hazards, and reasonable steps are taken to identify unknown hazards proximate to storage sites;
    • record shelving, equipment and packaging are appropriate;
      storage areas for magnetic media are protected from magnetic fields and electrical grounding problems;
    • security measures are in place to protect the areas or systems in which the records are stored;
    • the condition of the records is regularly monitored and maintained; including migration or conversion and continued accessibility of equipment/technology dependent records;
    • management and monitoring of records storage services should be undertaken by staff with the relevant skills, knowledge and level of authority;
    • appropriate documentation of records held in the records storage area or systems is maintained; and
    • current disaster prevention and disaster recovery management are in place including the timely reporting back to agency of any incidents that may affect the integrity or longevity of the records.
  6. Agencies specify that the external service provider provides periodic reports concerning the location of records, if required by the relevant archival authority.

Privatisation

The following outcomes apply to privatisation activities:

  1. Where a function of government is privatised there is an agreement at the time of privatisation about the ownership of the records. Any records of the agency before it was privatised remain public records.
  2. The contractual arrangements must specify appropriate standards of storage for any public records, either temporary or permanent, which are in the temporary custody of the privatised entity.
  3. The contractual arrangements must ensure the agency has continuing rights to access public records held by the privatised entity.

Principle 7 – Contract Completion

Statement of principle: Recordkeeping issues are addressed upon completion of contracts or agreements.

Explanation

It is unlikely that the external service provider will want to devote time and effort to records of an activity that it is no longer performing, unless there is a contractual requirement to do so.

Agencies must ensure that the completion and post-completion stages of the contract are well regulated, monitored, and specified in the contract. Failure to do so could result in lost information and increased risk of exposure to legal liabilities.

Records returned by an external service provider to an agency at the completion of a contract need to be accessible and useable. This means that records in electronic format will need to be transferred/migrated to an agency-compliant system.

Transfer of permanent value records to the jurisdictional archive authority must be done in accordance with the requirements of that jurisdiction.

A well-planned end to the contract or agreement will result in substantial reduction in the likelihood of exposure to risk for both the agency and external service provider.

Examples of compliance

Outsourcing

The following outcomes apply to outsourcing activities:

  1. Agencies should consider the issue of records storage upon expiration or termination of the contract or agreement until the records are returned to the agency.
  2. Agencies should determine when the records will be returned; either at the completion of the contract or periodically over the course of the contract.
  3. Agencies should determine the process for returning the records, including issues of boxing, listing, sentencing and disposal, and transportation.
  4. Agencies should determine the process for the safe return and migration of all equipment/technology dependent records, including electronic copies of agency records on networks, disks and tapes.
  5. The agreement or contract includes provisions for transfer or disposal of records between entities when a third party entity is replaced by another to perform the same function.

The contract or agreement includes any restrictions on the external service provider using information from records for commercial profit or other purposes, during, and at termination or


[1] See glossary for further details