View Document

Records Management Policy

This is the current version of this document. To view historic versions, click the link in the document's navigation bar.

Section 1 - Background and Purpose

(1) The purpose of this Policy is to outline the framework which ensures that full and accurate records of all University activities and decisions are created, managed, retained or disposed of appropriately and in accordance with relevant legislation.

(2) The Policy:

  1. is fundamental in establishing compliance with the Public Records Act and all associated Public Record Office of Victoria Standards and the Australian Standard for Records Management, AS ISO 15489-2002;
  2. provides the framework for the University’s records management guidelines and procedural material and clearly identifies the responsibilities and accountabilities for creating and managing records;
  3. assists with the provision of reliable information and records to enable staff to make informed decisions and have confidence in the integrity of the records that are available to them through their day-to-day work; and
  4. enables access to reliable records and documents which facilitates information sharing and underpins collaborative work across all areas and systems.
Top of Page

Section 2 - Scope

(3) This Policy applies to:

  1. all staff
  2. all campuses
  3. all aspects of University business including any services that the University has outsourced with the inclusion of recordkeeping clauses in the contracts of such services that are outsourced and provided
  4. all records created in all aspects of the University business transactions, and all business applications used which create records including emails, database applications and websites
  5. all records in any format, created or received by the University in support of its business activities, transactions and decisions
Top of Page

Section 3 - Policy Statement

(4) The University is committed to creating, managing, retaining and/or appropriately disposing of all records and decisions that fully and accurately reflect its business activities. The University will comply with the Public Record Office of Victoria Standards and align its practices to the Australian Standard for Records Management, AS ISO 15489-2002.

(5) The University will:

  1. follow sound standardised processes for the capture; management, storage, transfer, destruction; and archiving of records;
  2. follow sound procedures for the security, privacy and confidentiality of all information and records, and ensures that systems containing records protect the records’ authenticity;
  3. follow sound procedures for the storage of all information and records, including those in electronic format. This includes the development and implementation of appropriate disaster preparedness planning, identifying high risk and high value records and a heritage program;
  4. follow sound procedures for the retention and disposal of all information and records, including those in electronic format;
  5. not condone the falsification, alteration, damage, or removal of records;
  6. not condone the destruction of records, except in accordance with PROV Standards;
  7. ensure records reasonably likely to be required as evidence in current or future legal proceedings are not destroyed, concealed, rendered illegible, undecipherable, or incapable of identification;
  8. ensure record disposal is documented with reference to authorised University retention authorities;
  9. ensure the transfer of University records to archives is done in accordance with the set processes;
  10. ensure records requiring permanent retention are transferred into the custody of the University Archives in accordance with authorised retention authorities;
  11. ensure that records of long-term value are identified and protected for historical purposes; and
  12. ensure records identified as permanent are transferred to the PROV in due course to become part of the state archives.
Top of Page

Section 4 - Procedures

Part A - Capture of Records

(6) The University must ensure:

  1. Full and accurate records, irrespective of format, of all University activities and decisions are systematically captured by authorised staff or systems to meet business needs, accountability requirements and community expectations.
  2. Authentic records of all University activities and decisions are consistently captured in compliant business systems that maintain the integrity of the records as evidence, protecting them from undetected and unauthorised alteration.
  3. Records created and/or received by University staff, or by individuals acting on the University’s behalf, are the property of the University and subject to its control.
  4. Records are correctly and clearly associated to the relevant times, people, systems, processes, and events to ensure they are reliable as evidence of what occurred.
  5. Business records are accurately tracked using systems that create, capture, and maintain information about the movement of and actions made to, and on the records.

Electronic Document and Records Management System

(7) The University’s Electronic Document and Records Management System (EDRMS) is used across the university to capture records, irrespective of format.

(8) Areas that do not use the EDRMS must ensure that their day-to-day business activities and decisions are captured in a standardised way, utilising University business systems to capture records and information.

(9) The following systems and/or tools do not provide adequate recordkeeping functionality and should not be used to store University records:

  1. Email folders
  2. Local PC drives, portable storage devices; and
  3. Shared (network) drives
  4. SharePoint
  5. MS Teams
  6. One Drive
  7. Third party services where there is no official University contract, such as Dropbox

Digitising Physical Records

(10) Where possible, physical records should be digitised and stored in line with this policy. The digitisation of physical records does not automatically mean they can be destroyed.

(11) The University is obligated to meet a set of measurable requirements which define the criteria for the digitisation of records which includes the development on an approved digitisation plan. For details please see the Records and archiving intranet page.

Accountabilities and Responsibilities

(12) All University Staff:

  1. must ensure that records of business activities are systematically created, captured, and maintained in the University’s EDRMS, or a compliant business system;
  2. must capture and maintain the integrity of the records as evidence and protect them from undetected and unauthorised alteration;
  3. must assess and apply the appropriate protection and security requirements of their records as part of capturing and creating records;
  4. must ensure that a certified digitisation plan is in place prior to scanning and destroying physical records.

(13) University Data Stewards, Business Managers and Deans of School:

  1. must ensure all staff in their area have access to appropriate systems for storing records;
  2. must ensure that records are created for:
    1. any approvals or authorisation given
    2. guidance, advice or direction provided
    3. information relating to projects or activities
    4. formal business communications to and from external parties, students and other staff.

(14) Digital Records:

  1. coordinates the University records management program by providing training programs, advice and supporting staff in the handling of records through the record lifecycle stages; and
  2. assists with the development and certification of digitisation plans.

Part B - Management of Records

Active Records

(15) Records which are required for regular business use are considered to be active records and must be accessible across the University, unless there are restrictions required by legislation or policy.

(16) All records must be secured and protected from unauthorised use and access and so that their value and integrity is not compromised.

(17) Records that are part of outsourced arrangements or contracts, and held in systems, or in storage (digital and physical) must be managed in accordance with University policies. These requirements must also be included in any contractual arrangements with third parties.

(18) When using records, staff should only access the records required to make informed decisions and perform their work.
If staff need to share records, they should avoid emailing or distributing records in an uncontrolled manner or to third parties without permission. Where possible, it is safer to use a hyperlink to share a document rather than attaching the record to the email.

(19) Extracting or removing records from University premises or systems can compromise the integrity, value and privacy of the records. Records transferred outside of the University must be encrypted in transit.

Inactive Records

(20) Records which are no longer required for regular business use are considered to be inactive records.
Inactive records must be organised and managed to preserve their integrity and context so that they are a source of information for evidence, justification or reference to past decisions and actions.

(21) All records must be accessible and usable for the duration of their retention period and in a format that allows the records to be stored safely and maintain their integrity.

Accountabilities and Responsibilities

  1. all staff must protect records when using and accessing personal and confidential information;
  2. all Directors, Managers and Coordinators must ensure that their staff understand and comply with records management policies and procedures and report any identified compliance breaches or incidents directly to Digital Records ;
  3. the owners and users of systems which hold records, must ensure that the records are protected and remain accessible for as long as lawfully required.

Part C - Storage of Records

(22) Most University records used in day-to-day business are electronic and are located in many different systems and applications. All University records, irrespective of the system they are stored in, must be managed and stored in accordance with all Public Record Office of Victoria Standards.

Electronic Records:

  1. New Systems - when introducing or implementing a new system, the University Data Custodian, University Data Steward and Business Manager must consider the ongoing requirements and management of the records.
  2. Replacing Systems – When a system is being replaced, the records in the system(s) being replaced will need to be appraised by Digital Records.
  3. Records in systems which undergo a transition or significant upgrade must have strategies in place to ensure that the records are protected and remain accessible for as long as lawfully required.
  4. Records in systems that are being decommissioned must be assessed to determine whether the records in the system need to be retained and accessible or how expired records are to be managed.

Physical Records:

(23) Work areas are responsible for storing all physical records to preserve the integrity and security of the records.

Part D - Transfer of Records

Electronic Records:

(24) Records that are stored in business systems and have a long-term retention requirement should be transferred to Digital Records for storage in the EDRMS.

Physical Records:

(25) Work areas that have inactive physical records are responsible for arranging the records to be transferred to Digital Records at an agreed time and method of transfer.

(26) All records that are transferred to records storage remain under the control of the originating department until the retention period of the records expires.

Accountabilities and Responsibilities

(27) Digital Records will:

  1. assist with identifying records that may need to be retained; and
  2. completing a records appraisal with accompanying recommendations on actions to be taken

Part E - Destruction of Records

(28) Retention and Disposal Authorities are issued by the Keeper of Public Records and are a legal instrument authorising the destruction or transfer of public records. The University must only destroy or dispose of records in accordance with Public Record Office of Victoria Standards.

(29) All expired records (hard copy or electronic) that are due for disposal must be approved for destruction by the relevant Business Manager and then submitted to Digital Records for authorisation prior to arranging destruction.

(30) Records under the following criteria cannot be destroyed:

  1. Disposal freeze – where there is a temporary restriction on the disposal of a designated set of records due to a specific reason (e.g., Royal Commission, FOI application). A disposal freeze may be initiated from within the University or by an external authority.
  2. Records hold - is applied to preserve evidence when legal proceedings, investigations, enquiries, or other related matters are underway. Material that is subject to a records hold, must not be destroyed and cannot be accessed or altered.

(31) All record destructions must be supported by evidence that they have been destroyed and included on the University Destruction Register which is managed by Digital Records.

(32) As part of the records destruction process, a Certificate of Destruction issued by the University’s Secure Document Destruction vendor, is legal evidence that the destruction of records has been undertaken and completed in a compliant manner and is to be forwarded to Digital Records.

(33) When disposing of physical records that have been authorised for destruction:

  1. small volumes of records can be placed in a secure document destruction bin, with a Certificate of Destruction provided after the bin is emptied;
  2. large volumes of boxed records can be arranged to be collected, with a Certificate of Destruction provided after the records have been collected;
  3. rubbish or recycling bins must not be used to dispose of University records.

(34) Electronic records that have been destroyed also require written confirmation, from the vendor or internal resource who was responsible for destroying the records, as evidence that the destruction has been completed. This confirmation is to be forwarded to Digital Records for inclusion in the University Destruction Register.

Accountabilities and Responsibilities

(35) All University Staff:

  1. who own or recognise that there are expired records which are due for destruction, must engage with Digital Records to have the records appraised and prepared for transfer or disposal.

(36) Digital Records:

  1. coordinates the authorisation of all disposal actions prior to the destruction of records by the established records disposal processes.

Part F - Archiving of Records

(37) The University Archives holds a varied collection of records and artefacts relating to the activities of the University and a number of its antecedent institutions, dating as far back as the late 1800's.

(38) The University reserves the right to retain records as part of the historical collection.

(39) The University Archives is interested in any collections that relate to the University, staff who have taught at the University, business partners of the University and any antecedent institutions of the University.

Top of Page

Section 5 - Definitions

(40) For the purpose of this Policy:

  1. Access (AS ISO 15489.1-2002, s3.1): Right, opportunity, means of finding, using, or retrieving information.
  2. Appraisal (AS 4390-1996, Part 1, 4.3): The process of evaluating business activities to determine which records need to be captured and how long the records need to be kept, to meet business needs, the requirements of organisational accountability and community expectations.
  3. Archive (AS 4390.1 -1996, s. 4.4): The whole body of records of continuing value of an organisation or individual. Sometimes called 'Corporate Memory'
  4. Artefact: An object or piece of equipment manufactured for a practical purpose.
  5. Capture (AS 4390.1 -1996, s.4.7): a deliberate action which results in the registration of a record into a recordkeeping system. For certain business activities, this action may be designed into electronic systems so that the capture of records is concurrent with the creation of records.
  6. Destruction (AS ISO 15489.1-2002, s3.8): process of eliminating or deleting records, beyond any possible reconstruction.
  7. Digitising (PROS 11/07 G1): The process of converting a physical record to a digital representation.
  8. Disposal (PROV Master Glossary): A range of processes associated with implementing appraisal decisions which are documented in disposal authorities or other instruments. These include the retention, destruction or deletion of records in or from recordkeeping systems. They may also include the migration or transmission of records between recordkeeping systems, the transfer of ownership or the transfer of custody of records, e.g. to Public Records Office of Victoria (PROV).
  9. Document (Freedom of Information Act 1982, s.5, Interpretation of Legislation Act 1984, s.38, Evidence Act 1958, s.3): includes, in addition to a document in writing-
    1. any book, map, plan, graph or drawing; and
    2. any photograph; and
    3. any label marking or other writing which identifies or describes anything of which it forms part, or to which it is attached by any means whatsoever; and
    4. any disc, tape, sound track or other device in which sounds or other data (not being visual images) are embodied so as to be capable (with or without the aid of some other equipment) of being reproduced therefrom; and
    5. any film, negative, tape or other device in which one or more visual images are embodied so as to be capable (as aforesaid) of being reproduced therefrom; and
    6. anything whatsoever on which is marked any words figures letters or symbols which are capable of carrying a definite meaning to persons conversant with them; and
    7. any copy, reproduction or duplicate of any thing referred to in paragraphs (i) to (vi); and
    8. any part of a copy, reproduction or duplicate referred to in paragraph (vii)
    9. - but does not include such library material as is maintained for reference purposes;
  10. Preservation (AS ISO 15489.1-2002, s3.14): The processes and operations involved in ensuring the technical and intellectual survival of authentic records through time. Preservation encompasses environmental control, security, creation, storage, handling, and disaster planning for records in all formats, including digital records
  11. Records (AS ISO 15489.1-2002, s.3.15): Information created, received, and maintained as evidence and information by an organisation or person, in pursuance of legal obligations, or in the transaction of business.
  12. Records System (AS ISO 15489.1-2002, s3.17): Information system which captures, manages and provides access to records over time.
  13. Registration (AS ISO 15489.1-2002, s.3.18): Act of giving a record a unique identifier on its entry into a system.
  14. Retention and Disposal Authorities (RDAs) (PROV Master Glossary):
    1. Standards issued by the Keeper under section 12 of the Act that defines the minimum retention periods and consequent disposal action authorised for classes of records which are described in it. RDAs provide continuing authorisation for the disposal of these classes of records. RDAs may be specific to an agency or applicable to more than one agency.
  15. Retention Period (PROV Master Glossary): ‘Period of time that records should be retained in their offices of origin or in records centres before they are transferred to an information and documentation organisation or otherwise disposed of’
  16. Retrievable (PROV Master Glossary): ‘Process of recovering specific documents from a store’. This requires accurate identification of the record, including its location, access status, and that the information contained on the record is readable
  17. Storage Area (PROV Master Glossary): A vault, cupboard, room, shelves, or compactus whose primary purpose is to store current and semi-current records
  18. Transfer (AS ISO 15489.1-2002, s.3.20 - 3.21):
    1. (custody) change of custody, ownership, and/or responsibility for records.
    2. (movement) moving records from one location to another.
Top of Page

Section 6 - Related Documents

  1. Data Governance Policy
  2. Information Security Policy
  3. Privacy Policy
  4. Research Data Management Policy
Top of Page

Section 7 - Resources and Enquiries

Intranet: Records and Archiving intranet