Defence Records Management Policy Manual

(POLMAN 3)

back to contents

Chapter 1
Introduction

Aim

1.1 the purpose of this Manual is to outline the principles that everyone working for Defence needs to know about managing Commonwealth records. The Manual has been updated and structured to be consistent with or otherwise adopt the Commonwealth records management processes detailed on the National Archives of Australia (NAA) website http://www.naa.gov.au/ and the Australian Standard International Organisation for Standardisation (AS ISO) 15489.1—Records management (2002).

1.2 AS ISO 15489.1 has been relied on by the NAA, which is responsible for defining all Commonwealth Government recordkeeping policies, determining standards, and providing advice. Defence records management policy meets AS ISO 15489.1 and NAA record management requirements.

1.3 There is a clear business need for agencies to encourage and support good recordkeeping of their work. Records are valuable assets and good recordkeeping supports improved productivity because it enables easy access to all relevant and available information needed to make informed decisions.

1.4 Effective recordkeeping assists all personnel to quickly and accurately respond to requests from ministers, the Parliament and the public.

1.5 Retaining the corporate memory of Government, in the form of records, helps all Defence personnel, make consistent decisions and or will set out in detail the rationale for a particular decision.

Audience of the Manual

1.6 The policy in this Manual applies to all persons undertaking relevant functions for or on behalf of Defence. This obligation extends to:

1. all persons employed under the Public Service Act 1999 (Australian Public Service employees);
2. all members of the Australian Defence Force;
3. a person on exchange with or on loan to Defence; and
4. any individual or firm contracted by Defence where there is a contractual requirement to comply with all Commonwealth and Defence policies.

Sponsor of the Manual

1.7 Deputy Secretary Strategy is the sponsor and Enterprise Process Owner for records management policy.

back to contents

Chapter 2
Framework

Records management principles

2.1 The National Archives of Australia (NAA) is responsible for managing the Commonwealth records, and has adopted Australian Standard International Organisation for Standardisation (AS ISO) 15489.1 —Records management (2002) ^{ch2 note 1}. This standard applies to all Commonwealth records produced and used in Defence, regardless of format. Defence uses the definitions of Commonwealth record and record as provided for in the Archives Act 1983 and the AS ISO 15489.1.

2.2 This Manual is consistent with and complies with the AS ISO 15489.1. The AS ISO 15489.1 defines records as the ‘field of management responsible for the efficient and systematic control of the creation, receipt, maintenance, use and disposal of records, including processes for capturing and maintaining evidence of and information about business activities and transactions in the form of records’.

2.3 In accordance with the AS ISO 15489.1 standard, the policy principles are:

1. to capture complete, accurate, reliable and usable objects and documentation as records of Defence activities to meet legal, evidential and accountability requirements;
2. to promote and support efficiency and economy, both in the management of records and in Defence activity as a whole, through sound practices;
3. to provide a service for the management of records that meets the needs of and protects the interests of Defence and its personnel;
4. to ensure that every Defence record is managed correctly throughout its continuum from capture or creation through to disposal and preservation; and
5. to manage records as valuable Defence assets and information resources.

2.4 For policy on the life cycle or continuum management of records see the following chapters:

1. chapter 3—‘Create, capture and describe’;
2. chapter 4—‘Keep, destroy or transfer’;
3. chapter 5—‘Secure, store and preserve’; and
4. chapter 6—‘Access’.

What is a record?

2.5 By way of overview the NAA is of the view all information you create, send and receive in the course of carrying out your job is potentially a record. Whether something is a record or not depends on the information and the context. Basically if it is related to the business of Defence then it is a record.

2.6 The Freedom of Information Act 1982 (FOI Act) does not contain an exhaustive definition of what constitutes a ‘document’. However, section 4 states that ‘document’ includes any of, or any part of any of, the following things:

1. any paper or other material on which there is writing;
2. a map, plan, drawing or photograph;
3. any paper or other material on which there are marks, figures, symbols or perforations having a meaning for persons qualified to interpret them;
4. any article or material from which sounds, images or writings are capable of being reproduced with or without the aid of any other article or device;
5. any article on which information has been stored or recorded, either mechanically or electronically;
6. any other record of information;
7. any copy, reproduction or duplicate of such a thing; or
8. any part of such a copy, reproduction or duplicate.

2.7 Library material maintained for reference purposes and Cabinet notebooks are not ‘documents’ for the purposes of the FOI Act.

2.8 Plainly speaking, records come in paper, electronic and other formats and include documents and information objects (eg emails, maps, plans, databases, datasets, website pages and photographs, film, video and DVD) created, received and maintained as evidence of business communications, decisions and actions.

2.9 The value of a record is not dictated by its format, but its content (ie it’s business-related and whether it is trivial or important), its scarcity (eg whether it is unique, or one of many copies), and its context (eg the considerations that prompted its creation). Some records are considered vital to Defence being able to achieve its goals and continue conducting its business (for vital records see chapter 5). Not every piece of paper or email written or received has to be kept, and the legislation governing recordkeeping is not prescriptive. A decision must be made to create Commonwealth records and where to store them (for creation see chapter 3).

2.10 A document of an agency (such as Defence) is a document in the possession of the agency, whether it was created in the agency or received by the agency from another agency or from a source outside the Government.

2.11 Documents recorded electronically, such as on a computer server, a hard drive or on a disk, are included in the definition of ‘document’ for the purposes of the FOI Act. Each extant version of a document that provides context to a decision is a separate document for the purposes of the FOI Act and each may be the subject of a request under the FOI Act.

2.12 Defence’s records are created and captured in a range of formats or objects, and may be electronic or physical.

2.13 Records are created when people perform processes, transactions and/or activities and document the facts about the action or event. Defence generates a diverse range of record types for administrative, functional and operational reasons which need to be captured as records for the Commonwealth. The range of record types used in Defence includes, but is not limited to:

1. business emails and Defence military messaging;
2. incoming and outgoing correspondence;
3. transcripts;
4. reports;
5. posters and pamphlets;
6. manuscripts;
7. records of conversation;
8. minutes of meetings;
9. manuals (technical and administrative);
10. instructions;
11. management and preservation of paintings or other artworks;
12. artworks of historical significance;
13. imaged documents and graphical images;
14. database transactions;
15. webpages (planning, snapshot and design);
16. maps, charts, plans or models;
17. combat system data;
18. video and photographic images; and
19. optical, magnetic and other media formats (eg sound recordings) that comply with the Defence Standard Operating Environment.

2.14 Files are collections of business records and/or objects on the same topic or business activity and should be stored together and be retrievable at a single point of search to ensure context and the chain of evidence is preserved. Documents and objects that are useful or important business information should be registered as a record on electronic or physical files. Until that occurs, even important business documents and objects remain unmanaged Defence information.

What is not a record?

2.15 All objects in any format, including email messages ^{ch2 note 2} , created using Australian Government systems in the course of your work and that relate to the business of the Agency must be managed in accordance with the Archives Act 1983 (ie these Commonwealth records are subject to legislation and legal processes). However, personal items (eg job resumes, and private correspondence) are not required to be captured in a Records Management System.

2.16 In accordance with Defence workplace agreements, personal or other documents that are not business-related may be stored in the personal workspace on the Defence Restricted or Secret Networks. These items are not intended to be placed on Agency files as they do not provide evidence of business activity, and are not a Defence record, irrespective of where they were created. These items are not subject to any recordkeeping controls and may be moved or deleted from Defence networks under the normal administrative practice (NAP) process (See chapter 4, annex A).

2.17 Defence allows its personnel to use corporate email services for limited personal email traffic. Personal or social emails can be destroyed under NAP but while retained on the agency’s electronic messaging system they are subject to legislation and legal processes, such as discovery orders.

2.18 In some cases personal email may constitute business records; for example, if they relate to or provide evidence of harassment or breach of Human Rights legislation. Any such personal emails should be retained as records.

Governance and Accountability

Accountability

2.19 All Defence personnel are accountable for the actions and decisions they make for Defence during the course of business.

2.20 Defence is required to keep full and accurate records ^{ch2 note 3} as evidence of the decisions and activities undertaken. To facilitate this governance mechanisms are to be in place to ensure that it is possible to scrutinise the business or operations of Defence. Defence has or will:

1. develop a corporate recordkeeping policy to ensure that the agency’s business need for evidence, accountability and information about its activities is met;
2. adopt and endorse the policy at the highest decision-making level and promulgate it throughout the organisation;
3. provide the corporate systems necessary to support Defence personnel to implement policy;
4. assign specific leadership responsibility and accountability for recordkeeping within the agency;
5. define and assign recordkeeping responsibilities to all Defence personnel; and
6. audit and monitor the implementation of the policy for compliance and to provide improvements.

Best practice recordkeeping

2.21 Implementation of best practice records management in Defence relies on the following;

1. compliance with this Manual, which details Defence records management policy. This sets out what Defence personnel must do regarding records management to ensure that Defence is compliant with the legislative and regulatory frameworks;
2. implementing electronic recordkeeping and undertaking a change management education process; ^{ch2 note 4}
3. ensuring all records are managed on corporate or personnel files whether electronic or physical;
4. unit-level Standard Operating Procedures, describing how staff should carry out the local records management processes complying with the policies set out in this Manual;
5. Defence uses an Objectives application as the basis for its electronic Document Records Management System (DRMS). For the purpose of this Manual DRMS includes both DRMS on the Defence Restricted Network (DRN) and Electronic Document Management System (EDMS) on the Defence Secret Network (DSN). DRMS is Commonwealth recordkeeping compliant, meaning it implements the Defence Recordkeeping Metadata Standard Set and an efficient set of tools to support Defence records management policy and procedures across the Defence networks;
6. using NAA authorised disposal authorities and an agreement with the Australian War Memorial for disposal. NAA provides a comprehensive framework for the legal disposal of Defence records;
7. using the Defence Business Classification Scheme which describes Defence’s functions, activities and transactions to enable Defence personnel to link records to Defence business functions and facilitate easy disposal of records. The scheme reflects functions described in the Commonwealth-wide Administrative Functions Disposal Authority and in NAA-authorised Records Authorities; and
8. developing and implementing a training strategy to provide programs to improve Defence-wide understanding of records management, and provide specialised training for recordkeeping service delivery personnel.

Legislative obligations

2.22 Important legislation that Defence must comply with includes but is not limited to:

1. Archives Act 1983 —regulates when records can be destroyed or if they must be retained as national archives.
2. Freedom of Information Act 1982 (FOI Act)—ensures Government actions can be scrutinised by providing for public access.
3. Privacy Act 1988 —the Act regulates how and for what purpose Commonwealth agencies may use personal information.
4. Veterans’ Entitlement Act 1986 —the Act enables access to records for the payment of pensions and other benefits and to provide medical and other treatment for veterans.
5. Military Rehabilitation and Compensation Act 2004 —the Act enables access to military records to provide rehabilitation, compensation and other entitlements for veterans, members and former members of the Defence Force.
6. Safety, Rehabilitation and Compensation Act 1988 —the Act relates to investigating workplace incidents and accessing records for the rehabilitation of employees of the Commonwealth and to workers’ compensation for those employees.
7. Evidence Act 1995 —a court may need to examine records as evidence of an organisation’s decisions and actions.
8. Electronic Transactions Act 1999 —the Act provides for the recognition of electronic signature and/or a unique identification of the originator. It also places obligations on agencies in relation to the preservation and disposal of Commonwealth records.
9. Financial Management and Accountability Act 1997, Auditor-General Act 1997 and Commonwealth Authorities and Companies Act 1997 —these three Acts, and in particular the Auditor-General Act 1997, provide the ANAO with wide ranging powers over compliance with, and evidence of, efficient and proper practices across the range of accountable and ethical business transactions.

Responsibilities

2.23 The Minister for Defence. The Minister for Defence holds authority and delegation responsibilities in accordance with the provisions of the Archives Act 1983 and its regulations.

2.24 Secretary and Chief of the Defence Force (CDF). In Defence, the Secretary and CDF are jointly accountable to the Minister and Parliament for Defence records management.

2.25 The Secretary and CDF are responsible for ensuring that Defence records management policy and procedures are implemented and compliant with NAA requirements.

2.26 Defence Corporate Information Management Improvement Committee (DCIMIC). The DCIMIC, which is chaired by First Assistant Secretary Ministerial Support and Public Affairs (FASMSPA) is the forum responsible for oversight of the implementation of the Defence Records Management Strategy.

2.27 The objective of the DCIMIC is to monitor and report on progress achieved in implementing the Defence Records Management Strategy Action Plan. The DCIMIC:

1. operates as a high-level advisory forum for Defence records management initiatives;
2. provides advice on new policies, strategies and projects;
3. briefs the Defence Committee, and other Senior Defence Committees as appropriate, on the DRMS and related initiatives; and
4. provides advice on the way ahead in establishing a viable whole-of-Defence documents and records management and enterprise content management system.

2.28 FASMSPA. FASMSPA is the senior adviser to the Secretary on all policy and administrative aspects of FOI within Defence. FASMSPA is assisted in this by the Assistant Secretary, Freedom of Information and Information Management and by the Director FOI. FASMSPA also has powers, conferred by the Secretary, to make decisions on FOI requests and may review decisions made by subordinate staff in relation to FOI application fees and processing charges. FASMSPA also ensures that classified records requested under the Archives Act 1983 are appropriate for public release.

2.29 Directorate of Records Management Policy (DRMP). The DRMP in Ministerial Support and Public Affairs Division is responsible for both electronic and physical records policy. This Directorate has the following responsibilities:

1. developing records management policy and communicating it through this Manual and corporate records management procedures for both electronic and physical records;
2. assessing records management systems for records management compliance and monitoring industry and regulatory changes to maintain recordkeeping best practice principles;
3. technical authority for electronic records;
4. benchmarking DRMS on behalf of Defence and DRMS users;
5. providing policy input and advice to the business units developing records management training programs (though not for the delivery of training);
6. administering Records Authorities, the Defence Business Classification Scheme, and Defence Recordkeeping Metadata Standard set;
7. promoting implementation of best practice policies within Defence; and
8. approving the destruction of Commonwealth records both physical and electronic, and maintaining Defence control records on behalf of the NAA.

2.30 Defence Legal. Defence Legal provides legal advice regarding Defence records management.

2.31 Defence Support Group (DSG). DSG is accountable to the Secretary for the provision and maintenance of infrastructure and support services for the management of physical records where it has assumed that responsibility. DSG is responsible for the creation of physical records and the management of physical records stored in DSG repositories.

2.32 Within DSG, the product manager for physical records managed by DSG is the Directorate of Records Archive and Mail Services (DRAMS). The DRAMS is responsible for the design and standardisation of DSG support services for physical records owned and archived by DSG.

2.33 DSG regions are responsible for:

1. management of DSG repositories;
2. storage, maintenance, sentencing, preservation and disposal of records held in DSG repositories;
3. analysis of records held in DSG repositories to determine archival status and to provide responses to specific questions in accordance with legislation;
4. facilitating the transfer of records deemed to be ‘Retain National Archives’ to NAA for records in DSG custody. If the records are still stored in the business unit, the business unit is responsible for transferring their records to NAA and DSG is available to provide guidance to business units;
5. responding to requests for access to records held in DSG custody in accordance with relevant legislation including the FOI Act; Veterans’ Entitlement Act 1986, Military Rehabilitation and Compensation Act 2004, Safety Rehabilitation and Compensation Act 1988, Privacy Act 1988, and Archives Act 1983; and
6. lending records held in DSG repositories.

2.34 Defence Groups and the single-Services. Defence Groups and the single-Services are accountable to the Secretary and CDF for the provision of infrastructure and support services for the management of physical records (including the maintenance of repositories) where they have assumed that responsibility.

2.35 Defence Groups and the single-Services are responsible for implementing electronic recordkeeping strategies, including compliance with scanning and copying policy.

2.36 Defence Groups and Services should consider conducting internal audits to satisfy their own governance requirements. Auditors should where reasonably practicable, having regard to all the circumstances, be independent from the Group, however, audits may be conducted by any appropriately qualified business unit (eg the Inspector-General’s Office).

2.37 Business units. Business units are responsible for monitoring, managing and allowing access to the physical and electronic records in the custody of their section, including the processes of sentencing and disposal and ensuring appropriate training is available and undertaken by staff to achieve this.

2.38 Further, business units are responsible for:

1. the development and implementation of local processes and procedures which must comply with the mandatory policies and practices set out in this Manual;
2. the procurement of DRMS in their area to enable electronic recordkeeping;
3. creating and capturing business unit records in accordance with the mandatory requirements in this Manual;
4. providing appropriate storage for documents and records with respect to security and preservation requirements;
5. retrieval and disposal of physical records stored in their area/custody including protecting records against unauthorised destruction;
6. providing access to records held in the business units custody in accordance with relevant legislation including the FOI Act; Veterans’ Entitlement Act 1986; Military Rehabilitation and Compensation Act 2004; Safety Rehabilitation and Compensation Act 1988; Privacy Act 1988; and Archives Act 1983;
7. vetting and authorising the release of records in their area and/or created by their area;
8. enforcing records management policies which impact on their business;
9. ensuring their staff have access to training and that their staff comply and act in accordance with records management policy and procedures by creating, using and maintaining current business information as records; and
10. proposing changes to record management tools and systems.

2.39 Chief Information Officer Group (CIOG). The CIOG ensures an integrated information environment to support Defence business and provides the authorised technological solution for document and records management. The Directorate of Document and Records Management Systems (DDRMS) is the records management application support area responsible for the operational support, including training, of DRMS on the Restricted network and EDMS on the Secret network.

2.40 Contractors. Contractors ^{ch2 note 5} are responsible for Commonwealth records management for

contracted functions and activities. These responsibilities should be clearly specified in the contract between the provider and Defence. All Commonwealth records created and/or stored as a result of services provided by a contractor on behalf of the Commonwealth are owned by the Commonwealth. Regardless of the contractor used, Defence remains responsible and accountable for the standard of the work performed and the supervision of any project.

2.41 Contractors are responsible for ensuring that their recordkeeping activities and their own systems comply with this policy.

2.42 Defence business owners who are managers of the contract must:

1. ensure that the skills and resource levels of the contractor’s staff are adequate to the task;
2. monitor the contractor’s performance to ensure that the necessary skills and resource levels specifically identified within the contract remain satisfactory throughout the duration of the contract; and
3. ensure that proper recordkeeping controls and practices are explicitly included in the agreement with the service provider.

2.43 Defence personnel. All Defence personnel must comply with the mandatory principles and practices governing records management. Their mandatory responsibilities include:

1. correctly creating, capturing and maintaining Defence business information as Commonwealth records on the DRMS;
2. creating, storing and accessing business records in compliance with this Manual;
3. assigning appropriate access restrictions for the business related records;
4. ensuring the documents and records management system is up-to-date and accurate, for example, when changes are made to the custody or location of a record; and
5. forwarding requests for records to the appropriate area of Defence when received.

2.44 Intelligence and Security Group (I&S Group). The Defence I&S Group records and related Special Compartmented Information (SCI) records are managed within the Group.

2.45 The Defence Intelligence Agencies within the I&S Group, including the Defence Imagery and Geospatial Organisation (DIGO), the Defence Intelligence Organisation (DIO) and the Defence Signals Directorate (DSD), are responsible for the life cycle of the records including creation, registration, maintenance, access, disposal and storage, as well as designing recordkeeping systems.

2.46 DSD has overall responsibility for the management of Defence records referred to as Special Series Files or SCI codeword following the disbandment of the Special Compartmented Information Management Office.

2.47 Section 29 of the Archives Act 1983 allows Defence to determine that certain Defence records should not be transferred to or be accessed by the NAA. The concurrence of the Director-General NAA is not required for making a determination for DIGO, DIO or DSD records.

2.48 Section 7 of the FOI Act establishes DIGO, DIO and DSD as exempt agencies from the operation of the Act. Furthermore, an agency is exempt from the operation of the Act in relation to a document that has originated with, or has been received from DIGO, DIO or DSD.

2.49 All recordkeeping enquiries should be directed to the individual Defence Intelligence agencies or to DSD if it relates to SCI records.

Interagency accountability

2.50 Defence may share information systems with other government agencies, private organisations or international bodies. ^{ch2 note 6} Defence may be responsible for creating or manipulating the information within the system or maintaining the system as a whole.

2.51 Where more than one party shares an information system, a formal agreement between the parties should be reached, defining:

1. who owns the system;
2. who is responsible for managing the system;
3. who is responsible for the ownership of records produced within the system;
4. who is responsible for custodianship (management) of the records held by the system; and
5. what responsibilities users have in relation to the system.

2.52 The party with the responsibility for managing the records must also ensure that these records are disposed of in accordance with correct disposal authorities.

Outsourcing

Outsourcing recordkeeping

2.53 Outsourced recordkeeping means that the storage, management and retrieval of records are contracted out to a service provider.

2.54 Outsourced function means the management and delivery of a Defence activity and associated recordkeeping are contracted out to a service provider. The staff of contractors who create, manage and dispose of Defence records under an outsourcing agreement are expected to have express contractual obligations to comply with the policies and procedures set out in this Manual. In addition the contract should provide that their employees will be subject to similar obligations within their individual employment/service contracts.

2.55 Contracts defining the arrangements for outsourced records must include the maintenance of proper recordkeeping controls and practices in accordance with this policy Manual, NAA directives, and the electronic Defence Security Manual (internal link) . Copies of these documents should be made available to the contractor and its staff or copies should be annexed to the contract.

2.56 Outsourced storage facilities must comply with NAA requirements and the AS ISO 15489.1 —Records Management storage criteria ^{ch2 note 7} and offer a service-level agreement.

2.57 Mandatory requirements for the management and storage of Defence records by service providers are that:

1. unsentenced records should not be stored by service providers unless they are part of an active sentencing program; ie a program based on disposal authorities;
2. national security classified records must be stored in accordance with the requirements set out in the eDSM;
3. Defence business owners should ensure that, as their records held by service providers become due for destruction, they are promptly destroyed to avoid unnecessary costs to the Commonwealth; and
4. where records are stored with service providers, Defence remains responsible for meeting the requirements of legislation such as the Archives Act 1983, Freedom of Information Act 1982 and Privacy Act 1988.

2.58 Outsourced records must be reviewed by the owning business area to determine if any information needs to be expunged due to its sensitive nature and to comply with eDSM policy before it is issued to a service provider (for more information see Expunging and exempting records and Information from public access).

2.59 The Directorate of Mail and Records Management on behalf of DSG is required to be advised of all arrangements that require service providers to store Defence records.

2.60 Service provider (contractor) systems may be used to manage tasks, documents and outputs related to the contract where it is inappropriate or inefficient to use a Defence system, as determined by reference to the published NAA outsourcing provisions and records management. ^{ch2 note 8}

2.61 Contractors managing Defence business off site on their own systems are required under the terms of their contract to retain custody of Defence records until end of contract or by arrangement or when otherwise called upon by Defence to deliver up the records.

2.62 Contractors undertaking Defence business, other than outsourced recordkeeping or functions, are obliged by the terms of their contract to keep records when undertaking Defence business. Contractors should where practical and as provided in the contract use the Defence Records Management System. However, if this is not possible and where Parties agree in advance, they should use a commercially available Industry Standard Contractor System. (See Information and recordkeeping systems.)

2.63 Contractors undertaking outsourced Defence records management are required by the terms of their head and individual contracts to comply with the systems policy and outsourcing conditions in this Manual.

2.64 Defence records in existence at the start of a contract and that are reasonably required to be accessed or held by the contractor may be transferred into the custody of the contractor.

2.65 Copies of Commonwealth and Defence manuals, procedures, guidelines, publications and handbooks required under the terms of the contract may be transferred to the contactor for the express use of the contractor on their system and all copies must be returned or properly disposed of by the contractor in a manner and to standards agreed by Defence at the end of the contract.

2.66 Short-term working papers, draft reference copies and transitory records (further described in chapter 4, annex A ) managed on the contractor system may be destroyed under normal administrative practice, as notified to the contractor, as required.

Outsourcing functions

2.67 Records management functions should be expressly agreed and set out in detail within the terms of the contract where a contractor, who is not an outsourced records management contractor, undertakes Defence business.

2.68 When functions that include recordkeeping responsibilities have been outsourced to a service provider, the contractor’s staff must have and at all times throughout the term of the contract retain appropriate skills, proficiencies, and resource levels. This requirement will need to be included within the terms of the contract.

2.69 Defence personnel developing and managing outsourced functions for Defence are to refer to and comply with the mandatory requirements of NAA, Defence and Australian National Audit Office (ANAO) documentation on outsourcing. These include, but are not limited to:

1. General Disposal Authority (GDA) 25, Records Issues for Outsourcing including General Disposal Authority 25, NAA, 1998;
2. ANAO, Audit Report No 7 2003–2004, Recordkeeping in Large Commonwealth Organisations; and
3. Defence Chief Executive Instruction 1.6 —Retention and Disposal of Accounts and Records.(internal link)

Monitoring and Audit

2.70 Monitoring includes reviews of recordkeeping activities undertaken at organisational, business unit or group levels, and implementing results as recordkeeping policy and procedures.

2.71 Audits include investigations to reinforce the importance of effective management of records in public administration and highlight areas for improvement. ^{ch2 note 9}

2.72 The above activities establish benchmarks for quantitative and qualitative reporting arrangements which are intended to assist in the measuring of successful systems, and provide evidence of follow-up action based on the findings.

2.73 Recordkeeping is undertaken within the legislative and policy framework and must be examined periodically to ensure that the recordkeeping processes are compliant, and to identify areas for improvement.

2.74 Recordkeeping monitoring, auditing and compliance activities should be undertaken in a planned and systematic fashion to ensure that all policies, procedures and guidelines are implemented uniformly across Defence.

2.75 Across Defence, monitoring should include:

1. external audits of Defence’s recordkeeping practices and standards (endorsed and/or undertaken by the NAA);
2. recordkeeping audits as part of the Management Audit Branch (MAB) audit work program (it should be noted that MAB does not perform specific recordkeeping audits but may audit recordkeeping when performing audits of other functions eg when performing a financial audit, financial records may be audited);
3. internal oversight of the business unit recordkeeping practices by the business unit managers, eg using the NAA Checkup tool;
4. internal oversight by the business unit managers to ensure that local procedures comply with the policies set out in this Manual;
5. measurement of the business unit records management operations against benchmarked expectations and/or requirements; ^{ch2 note 10}
6. checking for compliance with the policies set out in this Manual, locally-defined procedures, and the eDSM; and
7. ensuring that appropriate quality assurance mechanisms are in place.

2.76 The Australian Public Service Commission, the Management Advisory Committee and the ANAO are authorised to conduct a series of audits across Commonwealth Agencies to assess the extent to which Government entities meet their recordkeeping responsibilities. ^{ch2 note 11}

Recordkeeping policy change control

2.77 Defence records management policy is required to be reviewed regularly by DRMP to ensure that changes and updates to legislation and industry standards (including NAA policy and AS ISO 15489.1 ) are incorporated.

2.78 Proposals and requirements for policy improvement, and input to policy development, should be submitted to DRMP. These will be reviewed and, where appropriate, incorporated in regular updates.

Recordkeeping Education and Training

2.79 Records management education and training is the provision of simple and clear information that may be relied upon by Defence personnel in order to gain a consistent level or record management skills and proficiencies.

2.80 Appropriate training is required to be undertaken to enable all Defence personnel to develop the skills and proficiencies necessary to perform records management functions successfully.

2.81 Records management training is a part of all Defence personnel induction and ongoing training and development. Where appropriate undertaking records management training should be integrated into job descriptions and performance assessment processes.

2.82 Records management training should:

1. reflect the Defence Skilling Strategy endorsed by the Defence Committee;
2. utilise national recordkeeping competencies where they are appropriate; and
3. utilise multiple delivery methods (face-to-face and online) to facilitate the adoption and application of endorsed policies and procedures.

2.83 To accommodate different responsibilities and skill levels, records management training should be offered in the following categories:

1. records management policy awareness training,
2. records management specialist training, and
3. records management application training.

Records management policy awareness training

2.84 ‘Responsible Recordkeeping’ is an online course available through CAMPUS (internal link) . This is a basic recordkeeping awareness program which outlines core recordkeeping requirements and can be completed within 45 minutes. All Defence personnel should participate in this training course to increase their records management understanding. Please note, this course does not cover any specific archiving, sentencing and disposal or using the Document Records Management System application.

2.85 All Defence personnel are responsible for completing the online records management awareness course ‘Responsible Recordkeeping’.

2.86 ‘Keep the knowledge—make a record’ was developed by the NAA and explains the recordkeeping responsibilities of Commonwealth employees. It includes instruction on when and how to make and keep records and is available by contacting DRMP.

2.87 There is currently no internal face-to-face records management training within Defence. The NAA does offer a number of short half to one-day courses at a small cost in the areas of:

1. introduction to Records Management in the Australian Public Service (an outline of basic records management knowledge);
2. introduction to Sentencing (an outline on how the sentencing process is completed); and
3. NAP training (how to interpret the new normal administrative guidelines for disposal).

Records management specialist training

2.88 Further records management qualifications can be gained from various education and professional training facilities.

Contact DRMP.policy@defence.gov.au for further details.

Records management application training

2.89 Users will only be granted access to DRMS when they have completed the required training for the system. DRMS training is provided by the DDRMS in the Chief Information Officer Group. For more information on DRMS training please see the following link (internal link) .

Recordkeeping Advice and Support

2.90 Records management advice and support ensures Defence personnel are able to get on with business and comply with recordkeeping obligations.

2.91 Records management process advice should not be requested from NAA directly. In all instances, due to individual implementation of records management policy in agencies, NAA will return advice requests to Defence.

2.92 Advice to enable Defence personnel to perform records management functions successfully is provided:

1. in this Manual and its associated web link procedures and tools;
2. on the DRMP and individual Group and Service websites; and
3. in local Standard Operating Procedures.

2.93 Records management advice should:

1. repeat or supplement with greater detail, the policy in this Manual and associated tools; and
2. utilise learning strategies including face-to-face and online deliveries to facilitate the understanding, adoption and application of endorsed policies and procedures.

Information and Recordkeeping Systems

Information and Communications Technology

2.94 Information and recordkeeping or Information and Communication Technology (ICT) systems include:

1. Defence Business Information Systems that may be updated for records management compliance;
2. DRMS (including DRMS on the DRN and EDMS on the DSN);
3. Defence compliant records management systems; and
4. commercial industry contractor systems that may manage Defence records related to contract requirements.

2.95 All systems are to comply with Defence ICT policy and procedures.

Defence Business Information Systems

2.96 A Business Information System is an information reporting and transaction system used within Defence. Business Information System are not automatically records management compliant. Corporate information and transaction systems contain structured data that is potentially part of the Commonwealth record but does not contain the contextual information which ensures reliability, authenticity and usability.

2.97 A Business Information System can store and manage records in situations where:

1. it is impractical or impossible to transfer the records held in the Business Information System to DRMS and the information is essential to the business process;
2. the system can manage transactions as well as the supporting documentation; and
3. the system is maintained and is upgradeable and able to interoperate with Defence ICT solutions (eg web portals, and email).

2.98 An integral part of ensuring compliant records management of the data in these systems is to implement records management capability and practices to ensure that Defence has access to full and accurate records of all its business or operational activities, transactions and decisions.

2.99 DRMP on receipt of notification from the business area will analyse the system to determine the records management implementation required to make the system records management compliant.

Defence compliant records management systems

2.100 Defence uses an Objective application as the basis for its electronic DRMS on both the DRN and DSN. While DRMS is the sole Defence approved system, there are several other records management systems in use within Defence that may still be required and need to be assessed by DRMP for Commonwealth and Defence records management compliance in order to manage Defence records.

2.101 Because DRMS is only endorsed to SECRET there is also the requirement to assess records management systems on TOP SECRET networks for Defence records management compliance. DRMP will work with the DSD when assessing records management systems for compliance.

2.102 Defence records management compliance approval will be given by DRMP when DRMP is satisfied of the following criteria:

1. the system is maintained and has the ability to be upgraded and is able to interoperate with Defence ICT solutions (eg web portals, email). This will be assessed in consultation with CIOG;
2. the system ensures authenticity, reliability, usability and integrity over time for physical and digital objects;
3. the appropriate metadata as defined in the Defence recordkeeping metadata standard (for metadata see Describing records using metadata ) is captured and managed for the records. The metadata must include sentencing data, such as functions and disposal schedules;
4. the system is able to dispose of records in accordance with relevant legislation and disposal authorities; and
5. the system has been identified by the owner of the system as an essential system and requires an assessment for records management compliance. The system owner will be required to submit a business case to the DRMP requesting an assessment. Please contact DRMP for more information.

2.103 It should be noted that having system assessed as compliant does not eliminate the requirement to interoperate with or move to DRMS in the future. Any compliant system may be required to have records migrated to DRMS.

Commercial industry contractor systems

2.104 A contractor system is a transaction, reporting or records management system used by a contractor to Defence to manage tasks, documents and outputs related to the contract (See Contractors for further information). Contractor systems may be used for:

1. contractors undertaking Defence business other than records management;
2. outsourced Defence records management; and/or
3. outsourced Defence functions. (See Outsourcing for further information.)

2.105 Contractor systems must comply with the following criteria:

1. records may be destroyed or otherwise disposed of in accordance with appropriate disposal authorities with express permission of the relevant Defence business and the DRMP, and a control record is registered in the DRMS;
2. the system can manage transactions as well as supporting documentation as records;
3. all Defence records are returned at completion or termination of contract in a format capable of uploading to a Defence records management system;
4. the contractor must ensure that records are appropriately managed and maintained;
5. the security of the records is protected;
6. personal information is protected in accordance with the requirements of the Privacy Act 1988;
7. unauthorised disclosure of information is prevented in accordance with the provisions of the Crimes Act 1914 or other agency legislation;
8. standards mandated for the contract tasks are implemented;
9. the system must meet the Defence records management metadata standard when undertaking records management on behalf of Defence;
10. access and need-to-know principles and strategies are implemented; and
11. the contractor allows reasonable access to Defence, as required.

back to contents

Chapter 3
Create, Capture and Describe

Creating and capturing records

3.1 Creating electronic and physical records, capturing them in a recognised system, describing their contents and controlling their history preserves information about business activities and transactions. Electronic recordkeeping is (adopted by Defence as) best practice and includes digital creation and capture and scanning, copying, converting or migrating records into digital form. To enable records to be found and managed over time, their content and context, and the processes that manage and maintain them, must be described. This description is called recordkeeping metadata (or structured data about other data). Metadata ensures records can be found, read and understood. Controlling ownership, custody and versions and tracking changes facilitates the authentication of records as evidence. Functionally classifying files from the Defence Business Classification Scheme (DBCS) (and Thesaurus) links records to the relevant business they are documenting and enables disposal of records in compliance with legislative obligations. Control tools (metadata, DBCS, and disposal authorities) are maintained and governed to ensure consistent records management over time.

3.2 Creating records is the process of creating or receiving information concerning a business-related item or in pursuance of legal obligations, in any format or media, and making it a Commonwealth record.

3.3 Creating records:

1. supports all Defence personnel because it enables easy access to all relevant and available information needed to make informed decisions as well as documents the information personnel need to make and justify business decisions;
2. facilitates network-centric warfare practices by enabling military commanders to locate and share the information they require for planning and managing operations in an information rich environment; and
3. enables Defence to effectively respond to external and internal requests for information, which for example, can take the form of legal discovery orders from the courts, parliamentary and ministerial inquiries, military boards of inquiry requests, and access through the Freedom of Information Act 1982 and Archives Act 1983.

3.4 Capturing records means registering a business-related item as a record ^{ch3 note 1} by filing it either

electronically in a virtual file on the Document Record Management System (DRMS) or in a physical file. Registered records:

1. can be demonstrated to be genuine;
2. are likely to be reliable and to that extant may be trusted;
3. are likely to be complete and unaltered;
4. are secure from unauthorised access, alteration and deletion;
5. can be found when needed; and
6. may be related to other records.

3.5 All Defence personnel are required to create and/or register their own records and manage their business information. As soon as practical after creation or receipt of business related information, Defence personnel must capture (register) a record in a Registered File—either as an electronic record in a file in the DRMS or place the record on a physical file registered on the DRMS. There are several triggers that indicate the need to create records. These trigger events can include:

1. receipt of correspondence, policy, instructions or directives by mail, email, internet (web), signal or facsimile;
2. participation in discussions, meetings and/or face-to-face briefings or by video, telephone, radio or internet conference;
3. participation in business (administrative) or operational (military) activities; and
4. for personal non-business items see ‘What is not a record’.

3.6 Record capture includes:

1. entering data into the DRMS then saving into an electronic file (automatic);
2. registering a business email in a file in the DRMS;
3. printing an electronic document and placing it on a paper file (manual);
4. placing a photocopy of an original signed letter sent by Defence on a paper file (manual); and
5. scanning an incoming paper business document and registering it in a file in the DRMS.

3.7 Physical items which cannot be placed in a file (such as a book or chart) must have a marker placed in the appropriate file with details of the item, such as description and physical location.

3.8 Registered Files should be functionally classified at creation or disposal by selecting the appropriate function and activity from the DBCS or disposal schedule. Records associated with the file automatically inherit the functional classification and disposal schedule. (For functional classification see Functionally classifying.)

Figure 3–1: Creating and capturing records workflow

Capturing records in records management systems

3.9 All Defence records must be captured in a file in DRMS (or Defence complaint records management system, including a physical file). (See chapter 2, paragraph 2.100.)

Physical recordkeeping for personnel without access to the Document Record Management System

3.10 Where Defence personnel have no direct access to the DRMS or Defence records management compliant system, and therefore need to maintain physical files, the following policy applies to ensure records are accessible, retrievable, and to minimise the opportunity for records to be lost or misplaced.

3.11 In maintaining physical files, Defence personnel are responsible for:

1. creating a physical file for each topic of information, through an Outlook file request to the Regional Service Centre or the records management area of the business unit. The file must be given a title which represents the context of the information within the file, and be given an appropriate classification for the information that will be placed on it;
2. printing all documents, emails, spreadsheets and other important information and placing them on the relevant physical file;
3. ensuring that Defence records are placed on file as they are created or received—not at the conclusion of the project or when an employee leaves a position; and
4. storing files locally within the business unit and returning files for storage if no longer required to the relevant Defence Support Group (DSG) repository. DSG will prioritise the receipt of files based on factors such as: type of records being transferred, volume of records, physical condition of records, and the storage type and capacity of the current DSG repository.

Capturing records in registered files

3.12 There are two overarching categories of files used by Defence:

1. corporate files (including case files); and
2. personnel files.

3.13 Corporate files contain a range of material (eg policy, project, fiscal, administrative and operational information). They should be limited to a set time frame to enable disposal. Time frames should:

1. reflect the life cycle of a particular set of tasks (eg a project);
2. cover the financial year for finance-related files; and
3. not exceed 25 years unless there is a valid administrative business case.

3.14 Corporate files created without a specified time frame should be set as a default to one-year from the date of creation.

3.15 Case files are a particular type of corporate file created to contain case history and management information for a specific action (eg incident, accident), event, person (eg client, patient), place; project; organisation; or other subject (eg pay, legal, and welfare, medical or environmental issues).

3.16 Case files should be managed in the DRMS. Access and security controls should be implemented to as far as practicable ensure only the relevant business units can see the files (including sensitive titles).

3.17 Personnel files cover the management and history of all Defence personnel. They contain service records, civilian employment history, reviews of actions, overtime, salaries, superannuation and working hours.

3.18 Personnel files for individuals should be managed in the DRMS. PMKeyS Self Service is a personnel transaction-only system and not a compliant records management system.

3.19 Unit or ship personnel files should be regarded as records for the purpose of recordkeeping compliance and normal recordkeeping practices and procedures should apply. These files can contain both originals and copies of members’ service records. On discharge, original or master service records must be forwarded to the central repository.

Registered file formats

3.20 All Defence files must be managed in the DRMS. There are three file formats:

1. physical files for physical file management and storage of markers for physical record items;
2. electronic files for file management and storage of electronic records; and
3. mixed mode files are comprised of a physical (ie paper) file and physical contents, as well as an electronic file in the DRMS containing electronic records.

Movement of items (folios) in files

3.21 Folios (ie individual items on a file) can be added to or removed from an open (active) file. Folios cannot be added to or removed from an inactive (closed) file, irrespective of whether the file is physical, electronic or mixed mode.

3.22 Physical folios. Folios which have been placed on a physical file in error can be transferred to the correct file if the folios have not been numbered. Numbering folios creates an audit trail of the folios’ addition to the file and must not be altered if used. Folio numbering sheets or folio transfer sheets are not legally required for the creation of new files.

3.23 A numbered physical folio cannot be removed from a classified file unless it was placed there erroneously. In that case, the erroneous folio must be removed and placed on the correct file, and a note must be put in place of the incorrectly attached folio.

3.24 Form AR 083 ^{ch3 note 2}—Folio Removal Advice can be used as a precedent for a folio removal note.

3.25 Electronic folios. Folios can be moved between any open files. The DRMS keeps a compliant metadata audit trail of folio movement between files.

Altering records over 25 years old

3.26 Registered and closed records over 25 years old should not have their file numbers replaced (top numbered), be added to, amended, altered, or have their custody changed without reference to Directorate of Records Management Policy (DRMP). Personnel records and control records are special case records and are active for service or employment life. Disposal authorities allow alteration to these records after 25 years.

3.27 Section 26 of the Archives Act 1983 states that records over 25 years old may not be altered or added to unless such action is:

1. required by any law; or
2. done in accordance with the express permission or authorisation of the National Archives of Australia (NAA) (as specified in disposal authorities) or in accordance with a practice or procedure approved by the Archives.

3.28 This is generally known as the 25-year rule. Unauthorised addition or alteration of a Commonwealth record is an offence.

Registered file titling

3.29 Files should contain records that are related contextually. The file title is required to indicate the nature and purpose of the business, activity, transaction or decision that the file collates. The careful and appropriate selection of a file title greatly aids the intelligent collection and future retrieval of records.

3.30 If there is no file with an appropriate title available, then a new file must be created.

3.31 Each file’s title should as far as practicable enable the users to identify the file’s content and be associated with DBCS function/activity pair to enable disposal.

3.32 The file must have the same title and number (except part number in the case of physical files) as the file parts grouped under it and the records contained within must all relate to the same function, activity and a single subject matter. If, over time, the function, activity or subject of the file changes, additional files must be created and linked to the original. A new file part must never be created as a way of contextually or functionally dividing a file. A new file part can however, be created if the physical file becomes too big, meaning the content exceeds the capacity of the file cover.

3.33 The file title should be used to identify the time frame of corporate files. For example, it is inappropriate to create a file relating to ongoing administrative or business activities and simply continue to add parts to the file year after year. Rather, a new file should be created each year (eg ‘The Defence Legal Service Budget—FY2009–2010’).

3.34 While all acronyms should be spelled out when titling files, this is not always possible due to size limitations with the recordkeeping system. It is therefore acceptable to use acronyms when titling files provided these acronyms are listed in the Australian Defence Glossary (see (internal link) ).

3.35 Where possible, file titles should be unclassified in accordance with the electronic Defence Security Manual  (eDSM). Where this is not possible, appropriate title grading markings should be used in accordance with the eDSM.

3.36 Personnel files. When titling a personnel file, the following conventions and order should be observed:

1. person’s PMKeyS or Service number;
2. name (surname; first and other); and
3. file category (see Glossary).

3.37 Case files. Defence has numerous legal obligations to be able to identify records. The unrestricted use of case file titling may in the absence of compliance with detailed protocols operate to prejudice or otherwise restrict the Department’s ability to meet its legal obligations to identify records and should therefore only occur in exceptional circumstances with DRMP approval. Business units without access to the DRMS or who consider they cannot properly title their files due to privacy or other considerations should contact DRMP for advice. In these situations DRMP will consult with Defence Legal in considering whether case file titling is appropriate in all the circumstances and whether approval should be granted for that specific business unit to create a case file or series of case files.

3.38 Like all files, case files should be managed in the DRMS. Access and security controls must be implemented to only the relevant business units and approved user access profiles (such as administrators) can access information as appropriate.

3.39 The following case file titling convention shall be used:

1. directorate;
2. person’s name or case file number;
3. case file type; and
4. year.

3.40 Corporate files. The title of a corporate file provides the opportunity to limit the range of records collated by the file. The more specific the file title and range of records collated, the quicker and easier future retrieval and file management actions will be. Accordingly, it is recommended that limitation to the active life span be included in the title.

3.41 Defence personnel should select the relevant functional classification (ie identifying the appropriate DBCS function/activity pair) for that file when creating a new file. As each DBCS function/activity pair is associated with specific disposal authority retention classes/entries, this will link the appropriate sentence and disposal authority to the file.

3.42 The retention classes/entries in the DBCS provide the tools to limit the naming, scope and date range of records collated on a file. This ensures that Defence personnel can create files with records of the same value for efficient disposal.

3.43 File title sensitive marking. Policy and administrative files created in Canberra are subject to the Senate Standing Order for an indexed list of departmental or agency files (the Harradine Report). This report requires, that every six months, a listing of all file titles that are not sensitive be placed on the Defence internet site. Business units must vet file titles for sensitivity, national security classified information, and appropriateness for publication under the Harradine Report. A file title is sensitive if it includes the ability to identify a person (but not an officials position), commercially confidential information, or national security information. This includes file titles that use title classification grading as prescribed by the eDSM.

Registered file numbering

3.44 When a new file is created, it must be assigned a file number and a registered series number. Two file number systems are in use in Defence, one for corporate files (including case files) and one for personnel files. Business units may choose to use an additional local identifier system, provided it is not used as the primary file numbering system.

3.45 File numbers should not be changed from the assigned number as this can disrupt the corporate and personnel primary numbering systems.

3.46 Corporate and case files. Corporate and case files are numbered in compliance with the Commonwealth Record Series (CRS) approved by the NAA. For corporate and case files, Defence personnel must use a primary file number comprising the calendar year, a single file number, and usually the file part number. This primary file number should be captured in the format 2006/123456/1.

3.47 Personnel files. For personnel files, Defence personnel must use a primary file number comprising an alphabetic character (representing the file type), the person’s PMKeyS number, an abbreviated file category, and for physical files, the file part number. The file type can be an ‘A’ for Army Personnel File, ‘C’ for Civilian Personnel File, ‘N’ for Navy Personnel File or ‘R’ for Air Force Personnel File (see Glossary). These sets of characters are separated by a slash and the file number should be captured in the format A/123456/PRP/1.

3.48 Assigning file numbers. The DRMS automatically assigns a file number when a new file is created. Defence personnel unable to access the DRMS must request a block of file numbers from DRMP when creating corporate and case files.

Registered file series (Commonwealth Record Series and special series)

3.49 Defence files use NAA registered file series called CRS to comply with NAA policy for the identification of Commonwealth records and for transfer of Retain National Archives records into NAA custody. The CRS system ^{ch3 note 3} is the archival control system the NAA uses to link records with the agencies that recorded them and the agencies that control them. When creating new files, Defence personnel must assign a CRS number in addition to a file number. The CRS number serves a different role to the file number.

3.50 Defence has a number of series registered with the NAA (eg Defence Corporate File series, Defence Personnel File series) and special series files (eg some Defence Science and Technology Organisation reports).

3.51 The DRMS automatically assigns the CRS series.

3.52 Special series. For policy on Defence Special Compartmented Information (SCI) Special series (Codeworded) files which manage SCI codeword records, refer to Departmental Security Instruction 2/2004 —Defence Special Compartmented Information—codeword recordkeeping.

Creating and capturing records overseas and during deployment

3.53 For records generated in the deployed environment, it is the responsibility of deployed units to capture and store records as follows:

1. for electronic recordkeeping, when connected to the Defence networks, as for fixed environment;
2. for electronic recordkeeping, when permanently or partially disconnected from the Defence network, store records locally using available systems. Synchronise detached system’s database to that of the DRMS when next connected (which may be at the end of the deployment);
3. for physical records management (ie where no DRMS is available, or when an electronic system is inappropriate), maintain physical files in the deployed unit. At the end of the deployment, the files are to be transferred to the business owner’s home base and managed in accordance with this policy; and
4. a control record should be created to ensure all files are accounted for and all transfer details are captured and managed.

3.54 Deployed business units must ensure that every file has an appointed custodian to ensure security during operations and exercises.

Electronic Recordkeeping

3.55 In compliance with the Australian Government Information Management Office (AGIMO) guidelines for Government e-business and best practice principles, electronic recordkeeping is best practice for new business. Creating digital images of current paper or physical records (scanning, copying, converting or migrating records into digital form) is also an efficient way to:

1. store large volumes of physical records,
2. retrieve and use poor or degraded standard records,
3. achieve a paperless work environment, and
4. preserve the content of fragile documents.

3.56 Scanning and copying applies to any records that are transferred to another medium (ie scanning or copying between formats) for business reasons. Scanned or copied records are electronic images of physical documents or records (including paper and microform) captured into an electronic file in the DRMS:

1. Electronic recordkeeping is best practice and should be used for all new Defence business. Business owners are to include and promote this policy in authorising instructions and manuals, eg financial records policy.
2. Physical storage should not be used for new business, unless specifically required for business or legal reasons, or if there is no access to the DRMS.
3. Source business documents required in physical form for business or legal requirements will be stored in mixed mode files, and their records managed electronically. This includes cases where signed or original physical records are required, eg contracts and contract amendments and original records that, following a risk assessment, are considered too valuable to destroy.

Scanning, copying, converting or migrating records into digital form

3.57 In compliance with electronic recordkeeping principles, replacing physical or other media source records with a new digitised record is good business practice where it is cost-effective to do so.

3.58 Where practical, all incoming paper documents are to be scanned and registered on the DRMS, and the resulting copied images distributed instead of the original paper. This is subject to:

1. business correspondence —these must be deemed a record, such as letters and reports. Items such as trade journals, circulars etc should not be included;
2. protective markings —it may not be feasible to distribute highly classified items electronically;
3. economics, and geography —it may not be cost-effective to implement this policy in small or highly distributed business units;
4. exceptions —items too large or too long to scan cost-effectively (maps, plans, large reports), business documents that are not legible when scanned (eg green ink on green paper), and other exceptions that may be identified; and
5. business or legal requirements to retain the original paper on a mixed mode file.

3.59 Any source record can be legally reproduced electronically as a working copy for business purposes.

3.60 The source physical record can only be copied and destroyed in accordance with the exclusions and destruction classes identified in the ‘General Disposal Authority (GDA) for source records which have been copied, converted or migrated’ if:

1. the reproduced record becomes the new principal record, provided conditions set out in the ‘General Disposal Authority for source records that have been copied, converted or migrated’ are in place;
2. the new principal record is managed in either an electronic or mixed mode file in the DRMS;
3. the new principal record is sentenced and disposed of under relevant Administrative Functions Disposal Authority and Records Authority classes; and
4. business owners evaluate the legality, risk, cost benefit and business reasons for implementing a program of reproducing their current or new physical records and destroying originals.

3.61 Requests for exceptions are to be directed to the DRMP for submission to the NAA.

3.62 All scanning should be carried out in compliance with the scanning standards (see Scanning standards). The principal exception will be scanning for the purpose of re-using artwork or similar (eg scanning a logo or a photo for inclusion in a newsletter). In cases such as this, there is no need to comply with scanning standards or to index the resulting images; the eventual record is subject to this policy.

3.63 Business units must implement business or operational processes and procedures to authenticate the resulting images which registers acceptance of them as true reproductions of the original physical documents or records, and must place them in a file. ^{ch3 note 4}

3.64 Recommended digital formats are:

1. PDF, TIF or equivalent for text with XML scripts for metadata;
2. PNG or equivalent for images; and
3. XML open preservation format such as ‘docx’.

3.65 Recommended document output formats are:

1. black and white text—output type greyscale; DPI resolution 75; or
2. colour documents—output type ‘true colour’; DPI resolution 200.

3.66 The business decision to scan physical records and retain both formats is made on a case-by-case basis (eg where the Minister has manually annotated a business document and the annotations are important enough for the annotated document to be kept as a record).

3.67 Business units can scan and copy Retain as National Archives (RNA) records created prior to 2002 for ease of business use only. Converting original records into digital form for RNA records can help improve the longevity and aid rapid search and retrieval of those records. The source records created prior to 2002 must not be destroyed and should be transferred to the NAA at the completion of the conversion project.

3.68 Classified records may be copied or scanned to electronic media in accordance with the eDSM.

Disposal of source records (originals) after scanning

3.69 Business units must retain the source originals until the image is authenticated as a true reproduction (see Scanning standards). The images are admissible as source records for evidence purposes; however, the weight placed on them as evidence by a court may depend on the business unit being able to prove that the transfer to an image format is a routine business or operational process supported by policy and procedures. The resulting image becomes an electronic record and is managed according to the policies presented in this framework.

3.70 It is important to note that the scanned images must be placed in a file in the DRMS, before any of the source records can be destroyed. Storing the scanned copies on shared or local drives, or even within the DRMS but not on a file, will leave the images uncontrolled and not compliant with this policy.

3.71 The following items can be scanned for ease of business use, however, due to legal and business requirements the source document can not be destroyed and must be retained in its original format:

1. signed contracts, agreements and arrangements;
2. military personnel birth certificates, marriage certificate, and qualification; and
3. military attestation forms.

3.72 All paper and microform records, once they have been scanned to the standards stipulated by the relevant legislation, should be destroyed in accordance with the GDA (internal link) for source records that have been copied, converted or migrated. There may be exceptions to this guideline, including:

1. documentation that has to be returned to the sender;
2. items with an intrinsic value; eg, those containing watermarks or seals; and
3. other exceptions that may be identified (all exceptions must be documented).

3.73 If source records are not destroyed, arrangements must be made to ensure that physical records are stored in a compliant repository.

3.74 Where whole registered files are scanned, the original file may be destroyed as a single unit and a control record must be created for the file in the DRMS. Where single documents are scanned, the original may be destroyed in accordance with conditions and exceptions and when scanning process is authenticated.

3.75 Individual destruction certificates are not required for individual classified source documents copied, provided the copied documents and scanning or copying action is recorded in the Classified Document Register List and stored in the DRMS. This policy must comply with the eDSM.

Scanning standards

3.76 To ensure the legality and acceptable evidential weight of images and their ongoing reliability over time, Defence business units using scanning should implement the following measures as part of their normal operation:

1. use good quality equipment to maximise reproduction accuracy maintain it to the manufacturer’s standards and keep records of the maintenance documentation;
2. develop and institute a written quality-control procedure for the scanning process (eg to ensure that source documents are not missed and scanning errors are detected) and keep records of the procedures that staff followed (it may become important to be able to reproduce the procedures that were followed at the time a record was scanned, sometimes years or decades after it was scanned);
3. ensure staff are trained in the procedures;
4. routinely implement quality assurance testing to ensure that the processes and systems used to scan are based on recognised commercial industry standards and procedures, test more thoroughly for a period after changes are made to previously established settings, and keep records of the test results;
5. use standard compression and decompression algorithms to ensure no data is lost during the process of saving the scanned image;
6. keep a description of any image enhancement techniques in the documentation of the system and/or the metadata for images (depending on how it is applied);
7. adopt stringent security provisions to prevent alteration of images and improper access;
8. use an industry standard for imaging applications (eg write-once-read-many media for imaging applications); and
9. authenticate that each image is an accurate reproduction of the original in all relevant respects. Attach or append a note of authentication to the image or file. Procedures for the process of authentication should be documented in local procedures.

3.77 If an image is converted into textual format through an optical character recognition (OCR) process, the original image must be retained as the original version of the record. The subsequent OCR version must become a unique record in its own right (in many cases, the textual version will be produced for temporary use, typically to copy a section of text for re-use, and so the textual version will be an ephemeral document that is not retained).

Admissibility and evidential weight of copied records in litigation

3.78 In accordance with the Evidence Act 1995 and Electronic Transactions Act 1999, copied records are admissible as evidence regardless of age, provided that originals have been destroyed under the GDA for copied records. Advice from the NAA and the Australian Government Solicitor to date indicates there is low risk of fraud in copies in an approved recordkeeping system.

3.79 Under the Evidence Act 1995, copies are admissible provided it can be proven that they were produced under digital imaging standards.

Electronic signatures

3.80 Under the Electronic Transactions Act 1999, electronic signatures are legally defensible and can be used as evidence when the following four conditions are met:

1. confidentiality—only the intended recipients can read the communications;
2. data integrity—electronic communications cannot be changed either during transit or once the data is at rest without detection;
3. authentication—the authenticity of the parties involved with the transaction can be verified; and
4. non-repudiation—parties involved with a transaction cannot deny their involvement.

3.81 There are various types of electronic signatures:

1. Digital signatures which are a subset of electronic signatures are a cryptographic technique that encrypts a hash or digest of a document with a users private key. This creates a unique and unforgeable identifier that can be checked by the receiver to verify authenticity and integrity and provide non-repudiation.
2. A digitised signature should not be confused with a digital signature. A digitised signature is a computerised image of the written signature of an entity. It may be attached to a word processing document as an image of the original written signature, and it can be copied, altered and is not bound to the document. Digitised signatures do not meet the requirements in paragraph 3.80.
3. A signature on a physical document which has been scanned is acceptable as evidence under the Electronic Transactions Act 1999 and the Evidence Act 1995 when the following conditions are met:
   • (1) the record is stored in the DRMS;
   • (2) the scanning standards in chapter 3 are meet; and
   • (3) the record is managed in accordance with the General Disposal Authority for source records copied, converted or migrated.

Managing emails, messages and mobile device data as records

3.82 Relevant and important business-related emails and Defence formal messages must be managed in the DRMS. Printing to physical form and filing the hard copy should be an exception arising only when there is no access to the DRMS:

1. handwritten comments or other additions are added subsequently to a physical copy and need to be preserved (when possible scan and place in the DRMS file); or
2. they are emails sent to the Minister’s Offices.

3.83 In some cases, the key information is contained in the body of the email or message. In others, the email or Defence formal message serves only as a ‘cover’ for one or more attachments (such as office documents or scanned images) that contain the information that truly constitutes the Defence record. It is suggested that the coversheet may provide the context to the importance of the other documents.

Email and Defence formal message attachments

3.84 Where the email or Defence formal message body contains information which qualifies it as a record separately to its attachments, then the email or Defence formal message must be captured as a linked record. The associated metadata of the email or message must also be captured to assist with retaining the context of the information.

3.85 Storing related emails or messages on the same file also provides the business context.

Email and Defence formal message threads

3.86 When replying to or forwarding an email or message, the threads (or history trail) must be left intact in the body of the new email or message. Do not delete or modify any previous email or messages in the sequence (or their dates, senders or recipient lists). This is necessary to preserve the full, sequential audit trail of the discussion engendered by the original email or message.

3.87 When incorporating a portion of another person’s email or Defence formal message, ensure the text is modified to demonstrate a different meaning to that of the original author.

Emails in Outlook personal folders files on shared, public or personal drives

3.88 The storage of.PST Outlook personal files for email management in shared, public or personal drives is not records management compliant. Outlook does not comply with the Defence and Commonwealth records management standard. Emails as business transactions should be registered on files in the DRMS as soon as possible after creation. Where DRMS is in use, emails should be dragged and dropped onto relevant files or printed and registered.

3.89 Using Archived.PST files in email systems as the only business source, the mixed subjects in.PST files and inability to search for emails in.PST files increases the risk of poor accountability, retrieval and loss of business context and continuity. Storing.PST files in DRMS should occur only where full search and retrieval features are implemented.

Constraints on using email and Defence formal messaging

3.90 Defence Information Management Policy Instruction (DIMPI) 4/2005 —Standard Defence Email Markings and Handling outlines two occasions when emails are not to be used:

1. when either the Defence Formal Messaging System or the Australian Government Cable System is available and appropriate for sending time-sensitive operational or ministerial messages that require a high level of communications reliability and information assurance; and
2. for ‘Advice to the Minister’. A formal, written Ministerial Submission addressed to the Minister ‘For Approval’ or ‘For Noting’, must be sent to the Minister’s Office as soon as possible after any informal correspondence, such as email. A printed copy of the email must be placed on the appropriate physical corporate file and the electronic email stored in an approved records management system with the correct metadata applied.

3.91 Defence Communications Facility (DCF) provides formal messaging services to Defence. These services include Command and Control military messaging (ACP127/128) and international messaging via the Department of Foreign Affairs and Trade (DFAT). The DCF provides a range of services, which include:

1. Defence Formal Message distribution and transmission;
2. managing the message interface into the Defence Integrated Secure Communications Network;
3. DFAT Cablegram distribution;
4. unclassified and Secure facsimile services;
5. Special Handling Instructions services; and
6. monitoring the national COMPUCAT messaging exchange Restricted Server Network Out-of-hours.

3.92 The DCF also provides and controls Communications Security equipment, publications and material on behalf of many Australian Defence organisations worldwide.

3.93 DCF determines how the Defence messaging systems comply, interface or are interoperable with the DRMS and implement the Defence recordkeeping metadata requirements.

Instant messaging, short message service, voicemail and related technologies

3.94 Where there is no automated transaction capture, messaging technologies, eg mobile telephones, Blackberrys and personal digital assistant, used to conduct Defence business must be analysed for business content and notes of conversation or transactions recorded in the DRMS. ^{ch3 note 5}

3.95 Where there is automated transaction capture, messaging technologies used to conduct Defence business must be assessed to evaluate any recordkeeping requirements and solutions for input on recordkeeping policy when assessing technical solutions.

3.96 In accordance with NAA advice, ^{ch3 note 6} decisions need to be made as to whether messages and data

are short-term, low-value records which can be destroyed according Normal Administrative Practice or whether they are important business records.

3.97 Currently most messaging exchanges are informal, short-term and facilitative. If Defence transacts business or receive requests from the public using these technologies, the exchanges are records that should be managed in the DRMS.

3.98 There are two options for recording this information—technical and procedural:

1. technical solutions involve software, transfers and downloads which can create logs and records of conversations. Where possible mobile device records should be captured by downloading or transfer; and
2. creating a note for file and saving it in the DRMS as soon as possible. The note for file should include information on the parties involved and any decisions or agreements made.

3.99 Discarded mobile devices must be cleared of personal data and records where possible before destruction or change of owner. Data on mobile devices is subject to Defence security and privacy provisions. For security requirements for information on mobile devices see advice from AGIMO. Defence complies with Blackberry use policy from the Defence Signals Directorate  (DSD). ^{ch3 note 7}

3.100 Custodians of Defence mobile devices are responsible for removing personal data and transferring records to the DRMS, where possible.

Describing Records using Metadata

3.101 Metadata is ‘data about data’ and describes the context, content and structure of records, and their management through time. ^{ch3 note 8} Metadata includes information such as the origin and usage of the item, and usually a unique identifier assigned and used by the DRMS in which the record is held.

3.102 The Defence Recordkeeping Metadata Standard (DRKMS) is compliant with the NAA Australian Government Recordkeeping Metadata Standard (AGRKMS). The AGRKMS is compliant with AS ISO 23081.1 —Information and documentation—Records management processes—Metadata for records.

3.103 All recordkeeping systems in Defence must comply with the mandatory elements in the DRKMS. The optional and conditional elements may be applied to records depending on requirements.

3.104 Where a Defence Business Information System is designated as a recordkeeping compliant system, it must be compliant with the DRKMS.

3.105 Defence Business Information System owners whose systems are not designated as recordkeeping compliant must develop policy addressing the use of recordkeeping metadata and define the relationship, ie interface or interoperability with the DRMS.

When to use recordkeeping metadata

3.106 The DRKMS must be applied to all records at capture or creation in the DRMS, depending on level of aggregation (ie business document/object or corporate or personnel file level).

3.107 Most recordkeeping metadata in the DRMS is captured automatically at the creation of electronic documents, electronic files, and physical files. The metadata is kept permanently and is classed Retain as National Records.

3.108 When creating a record external to the DRMS (eg in a Defence Business Information System) Defence metadata elements should be applied where possible. This can be in the form of files and document registers, indexes, file movement logs and file content descriptions on the file cover.

What recordkeeping metadata to use

3.109 The following table sets out the mandatory and other metadata elements of the DRKMS. Some elements are required for all records while others are only required at the file level and are inherited by the records within that file.

3.110 Some elements are designed to hold values with differing meanings. For example, the element ‘Agent’ stores not just one Agent identifier, but can store the values of several ‘sub-elements’ such as ‘Organisation’, ‘Author’, ‘Addressee’ etc. This is a common convention for metadata definition.

Table 3–1: Mandatory Defence recordkeeping metadata standard elements table

Ser	Element	AGRKMS entity	Obligation	Description
1	Agent	Agent Record	Mandatory at all levels	A corporate entity, organisational element or system, or individual responsible for the performance of some business activity, and action on records. Includes: category, identifier, name (corporate, person, section), position, contact, email, digital signature or authentication of signature. Organisation: an organisational element at the Director/O–6 level or lower; Author, originator, or individual using or actioning the object: resource discovery point for users; Signed by: the person who has signed the document (especially in the case of correspondence); Sender: if the object has been received from elsewhere, the person from the other area who created or sent it; Custodian #1–n: the person who currently has responsibility for the object; there may be several custodians over time, eg in tracking the movement of documents such as correspondence (#1 is the original custodian); Addressee: the person to whom correspondence is addressed; Information Addressee: any person to whom correspondence is addressed ‘for information’. Nationality (for AUSTEO use)
2	Rights management	Record Agent Mandate	Mandatory at all levels	Policies, legislation, caveats and/or classifications governing access to or use of objects. Relevant national security classifications, code words and caveats should be recorded. Includes: security classifications, caveats (mandatory on secret network) and clearances, access rights, usage conditions, encryption details, code words and releasability indicators.
3	Title	Record Agent Business Mandate Relationship	Mandatory at all levels	Name given to an object to assist identification, discovery and description of the functions documented in the object. If the document has been received from elsewhere, a title reflecting the same principles as mentioned in creation. Usually the subject line on incoming correspondence. Includes; title words, alternative name and classification scheme name and type if included in title.
4	Coverage (Defence)	Record Mandate	Mandatory at file levels	The content characteristics of the boundaries of jurisdiction, location, and time. Coverage should be recorded as the ‘content from’ and ‘content to’ dates of an object. Includes: jurisdiction, place and period names.
5	Function (Defence)	Business Record	Mandatory at file levels	The general or agency-specific business or operational functions and activities documented by the object (based on the DBCS and Thesaurus). Includes: keyword, function, activity, transaction if used.
6	Date	Record Agent Business Mandate Relationship	Mandatory at all levels	Dates and times when fundamental records management actions of creation, transaction and registration occur. Includes: registration date/time: when the object was registered; publication date/time: when the object was published; creation date/time: when the object was created; signature date/time: when the object was approved/signed off; date range; date/time transacted; date/time transferred out: when the object was transferred out to another custodian and/or location (for use in tracking); date/time returned: when the object was returned (for tracking); date/time effective: when the object comes into effect (for version control); date/time received: when the object was received; date/time published: when the object was published (for version control); date/time reviewed: when the object was reviewed (for version control); date/time of expiry: when the relevance of the object expires (for version control); date/time issued: when the object was issued (for distribution control), or the correspondence sent; date/time transferred in: the date the object was transferred in.
	Format	Record	Conditional—recommended for record levels	Mandatory for long-term preservation records. Includes: document form and name, media, data, medium and extent of format.
7	Type (Defence)	Record	Mandatory at record levels	The form an object takes which governs its internal structure and relates to its transactional purpose. Helps users to interpret information by identifying the object’s internal structure. Examples of type are agenda, guideline, instruction, letter, message, minute, memorandum, presentation, procedure, report.
8	Aggregation level	Record Agent Business	Mandatory at file levels	The level at which the object or objects are described and controlled. Can be: item (document); file (grouped documents); series (grouped files (corporate etc)/items with similar characteristics). See ‘Relation’ for non-records management specific applications.
	Relation	Relationship Record Agent Business Mandate	Mandatory at file levels	Mandatory in Defence Business Information System designated as records systems or non-records management specific applications. To establish contextual relationships between records, agents, business and mandates for chain of evidence purposes; eg relating a record series to an organisation such as Defence. Includes related entity, category, name, change history.
	Subject	Record	Optional—if implemented	Includes ‘subject’ keyword scheme type.
9	Identifier	Record Relationship	Mandatory at all levels	Unique identifier (often a number) for the object. Acts as an access point to more information. If the object has been received from elsewhere, the point at which an identifier is allocated. The version number (for versioning see ‘Version and Distribution Control’) will also form part of this field.
10	Management and use history	Relationship Record Agent Business Mandate	Mandatory at file levels	Dates and descriptions of all records management actions on an object from initial registration to disposal; in particular this may include: Reason for change: why a new version was created; Approval #1–n: details of the particular approval of the document (with #1 being the first); Event and use change time, date, type and history. Preservation history.
	Preservation History	Relationship or Record Agent Business Mandate	Recommended at file levels	Event history, eg for long-term digital preservation. Excludes original creation event. Includes action dates (and next action due), time, type and description.
11	Location (Defence)	Record Agent	Mandatory at file levels	Current (physical or system) and home location of the object. Objects should have a home location and a current location (if the object is located elsewhere temporarily). NB not custodian (if the object is the custody of a person), as custodian is stored as agent. May include the file number of the file where a physical object (such as correspondence) is stored. Includes storage details.
12	Disposal	Record	Mandatory at file levels	Information about policies and conditions which pertain to, or control, the authorised disposal the object. Includes disposal authorisation, sentence, trigger, disposal authority, class identifier (ID), disposal action due and status.

Web page metadata

3.114 Web page metadata must comply with the Australian Government Locator Service (AGLS) standard, and NAA policy on archiving web resources.

3.115 To provide sustainable legal proof of web-based services and transactions, full and accurate records of these transactions must be captured in the DRMS that can guarantee the authenticity, reliability and accessibility of the records.

3.116 Web pages, which include original records or published documents and their contents, need to be kept to meet any legal obligations and community expectations for evidence of present and past positions, advice, guidance, transactions or instructions on particular matters delivered over its public website.

3.117 Information that sets out the processes, planning, designing and content of the web page must also be captured as records.

3.118 Web portal sites, which are mainly composed of links to other online resources which hold little content, need only be retained while the site remains active and continues to be referenced. When reference ceases they can be disposed of under normal administrative practice.

3.119 For sites requiring user interaction, business units must determine within the parameters of full and accurate recordkeeping whether:

1. to keep records of individual clients and their transactions, within the parameters outlined in the Privacy Act 1988; or
2. to capture as records the objects that comprise the content of the site at any given time.

Internet web pages Australian Government Locator Service metadata requirements

3.120 Internet web page snapshots must be captured over time, so that it is possible to reliably establish the content of the website at any particular point in time from the past. They should be captured when a major change occurs or a new page is added and retained as high-value records for transfer as national archives.

3.121 A web page snapshot includes capturing:

1. the records that make up the content of the web page, if they are not already captured as records;
2. the final web page as it appears to users; and
3. collection of links that can be generated upon request.

3.122 Internet web pages that meet the Government online description of a resource must be compliant with AGLS requirements and have AGLS metadata elements assigned in the Hypertext Mark-up Language header as tags. The capture of quality AGLS metadata will ensure that Defence meets its Online Information Services Obligations (OISO) with respect to visibility of its internet sites for the Government online program. Refer to ‘Metadata’ section for the AGLS metadata elements to be applied.

3.123 The following categories contain a minimum set of resources for which it is essential to create AGLS metadata in order to comply with OISO:

1. home pages;
2. topics/services in high demand by the target community the organisation serves;
3. information required by agency clientele to understand their entitlements to Government assistance and the requirements of Government that apply to them;
4. pages that provide an online service to the public;
5. pages required to meet a prescribed community/legal/service obligation by the organisation;
6. entry points to specific online services and indexes;
7. major formal publications;
8. media releases;
9. major entry points or indexes and menus to a range of closely related topics, programs or policies;
10. information about agency powers affecting the public, and manuals and other documents used in decision-making affecting the public; and
11. substantial descriptive or marketing information about agencies, their services, activities and collections.

Australian Government Locator Service elements for Defence web pages table

3.124 Listed below are the AGLS elements for Defence web pages compliant with NAA Australian Government Implementation Manual : AGLS Metadata (May 2006) updated by the AGRKMS metadata standard set. ^{ch3 note 9}

Table 3–2: Australian Government Locator Service Defence web pages metadata table

AGLS elements	AGRKMS property	Obligation	Qualifiers (sub-elements)
Creator	Agent	Mandatory	created: the creation date of the resource (not the metadata record); modified: the date the resource was last modified; valid: the date the resource becomes valid or ceases to be valid, or the date range for which the resource is valid; and issued: the date on which the resource was made formally available.
Date	Date range	Mandatory	None
Description	Description	Optional	None
Title	Name	Mandatory	alternative: when the resource is also known under a different title, or has recently changed and is still known by its previous title.
Type	Category	Mandatory	Aggregation level qualifier category: specifies the actual type of resource being described (there are only three values for this qualifier: service, document, agency); aggregation level: specifies the level of aggregation of the resource being described (there are only two values possible: item or collection); document type: describes the form of the resource where category = document (document is used in its widest sense); and service type: describes the type of service being offered where category = service.
Function or Subject	Keyword	Conditional	Subject or function schemes, eg AGIFT9 for internet sites, and DBCS for internet and intranet sites.
Format (extent qualifier)	Extent	Mandatory	Provides specific level of granularity.
–	Disposal	Mandatory	Mandatory for web-based records as prime records.
Availability or Identifier	Identifier	Mandatory	Identifier scheme.
Publisher	Agent		None
Audience (when the audience of the resource is not ‘All’)			None
Coverage (when coverage is not all of Australia)	Coverage	Optional	jurisdiction: the territory over which a Government exercises its authority; spatial: refers to locations or areas covered in the content of the resource; temporal: the time periods covered in the resource; and postcode: relevant to the geographical coverage of the resource.
Language	Language	Conditional	None

Intranet web pages Australian Government Locator Service metadata requirements

3.125 Intranet web page snapshots may be captured over time, so that it is possible to reliably establish the content of the website at any particular point, as required. Snapshots should be captured when a major change occurs or a new page is added and retained as long as business requires. ^{ch3 note 10}

3.126 If virtual private networks and extranet sites are used as a means of conducting official business or operations between Defence and other Commonwealth organisations, or between Defence and its business or operational partners, suppliers or vendors, then accurate records of transactions must be created and kept, including records related to site security.

3.127 Intranet web pages recording business transactions, activities, decisions or publications must comply with the Defence AGLS standard and be captured and stored in the DRMS, or an approved records management system.

3.128 Wherever the posted record is maintained, it should include the following metadata:^{ch3 note 11}

1. title or naming of posting,
2. version number,
3. author or content manager responsible for creation of the object,
4. links embedded in the posting,
5. date of initial posting,
6. date of modification,
7. date of replacement or withdrawal, and
8. disposal information.

Paper correspondence metadata

3.129 Incoming paper correspondence should be scanned and managed electronically where possible. If incoming paper correspondence is registered, the following mandatory information items must be collected:

Table 3–3: Incoming paper correspondence table

Signed by or digital signature if record scanned	details (name and role) of the person who has signed the document.
Originator	details (name and role) of the author of the document.
Addressee(s)	details (name(s) and role(s)) of the person(s) to whom the correspondence is addressed.
Information addressee(s)	details (name(s) and role(s)) of any person(s) to whom the correspondence is addressed ‘for information’.
Date received	the date the correspondence was received.
Subject/title	the main subject covered by the content of the correspondence, usually identified by the subject line on incoming correspondence.
Type	the type of correspondence.
Custodian	details (name and role) of the person responsible for the correspondence once it is received.
Classification and caveats	details the classification of the correspondence and any caveats applied.

3.130 Outgoing paper correspondence should be created electronically or be scanned and managed electronically. When registering outgoing paper correspondence the following mandatory information items must be collected:

Table 3–4: Outgoing paper correspondence table

Signed by or digital signature if record scanned	details (name and role) of the person who has signed the document.
Author	details (name and role) of the person who wrote the document.
Addressee(s)	details (name(s) and role(s)) of the person(s) to whom the correspondence is addressed.
Information addressee(s)	details (name(s) and role(s)) of any person(s) to whom the correspondence is addressed ‘for information’.
Date issued	the date the correspondence was sent.
Subject/title	the main subject covered by the content of the correspondence.
File Number (mandatory at file level)	the file number of the file where the correspondence is stored.
Type	the type of correspondence (eg letter, facsimile).
Custodian	details (name and role) of the person responsible for the correspondence once it is received.
Classification and caveats	details the classification of the correspondence and any caveats applied.

Email and messaging metadata

3.131 The email metadata set for Defence is based on NAA, Australian Government Email Metadata Standard (December 2005) (AGEMS), DIMPI 4/2005 (internal link) —Standard Defence email markings and handling (10 November 2005) and the eDSM.

3.132 Defence Formal Message systems should comply with standard email metadata.

3.133 SMS and voicemail records if captured must comply with metadata standards.

Defence email metadata standard elements table

3.134 Email metadata standards include:

1. Mandatory—element must be captured.
2. Conditional—element must be captured in certain circumstances. Circumstances are described.
3. Desirable—element should be captured where possible.
4. Optional elements and sub-elements are not shown.

Table 3–5: Email standard metadata table

Email metadata element	Sub-element and description	Sub-element obligation for Defence
Originator	From: message creator or author—person(s) or system(s) responsible for writing the message.	Mandatory
	Sender: message sender—agent responsible for the actual transmission of the message.	Mandatory
	Drafter: name and contact details of drafting officer. (a)	Conditional—record if appropriate and is different from the message creator or author
Destination Addressee	To: primary or action addressee—person(s) or system(s) responsible for performing actions in response to the message.	One destination addressee sub-element is mandatory
	Cc: Information addressee—others who are to receive the message, although the content of the message might not be directed at them for action.
	Bcc: blind copy addressee.
Security	Security classification	Mandatory
	Codeword	Conditional—record if the sub-elements are applied to the email
	Source codeword
	Releasability indicator
	Special-Handling caveat
	Encryption details, including: algorithm used: name of the algorithm used in the encryption; key size: the size of the key expressed in terms of bits used; and key details: details (or a pointer to details) about keys used in the encryption.	Conditional—record if the email is encrypted and is being stored in its encrypted form (for un-encryption and transfer see chapter 4—‘Keep, destroy or transfer’)
Use condition	Disclaimer clause: text stating the email is property of the Department of Defence. (a)	Mandatory
Message ID	None. A unique ID for the email message, by which it can be referred and tracked within and across domains.	Mandatory
Subject	None. A descriptive title for the email message, indicating its topic or content. Words are entered by the email creator, usually as free text.	Mandatory
History (Date/Time)	Sent date/time: date/time creator or sender ‘sends’ the message.	Mandatory
	Received date/time: date/time the message received at destination server gateway.	Mandatory
	Reply by date/time: date/time by which a reply is required.	Conditional—record if reply by date/time is applied to the email
	Acknowledgement requested: request for acknowledgement that the email has been read and understood by the recipient.	Conditional—record if acknowledgement is of the email requested
	Acknowledged reply date/time: date/time action addressee(s) reply to an email requesting acknowledgement. (a)	Conditional—record if email is in reply to an acknowledgement request
Relationship	In reply to: message being replied to.	Conditional—record if in reply to is applied to the email
	In reference to: previous messages/items to which this one relates.	Conditional—record if in reference to is applied to the email
	Attachment: message attachment.	Conditional—record if email has attachments
	My file reference: a business file or container into which a message sender places or links a copy of the email.	Desirable
	Your file reference: a business file or container reference given in an email message to which a reply is being sent.	Desirable
Precedence	None. The time sensitiveness of a message is flagged. It may be used as the basis of internal organisational approaches to dealing with messages that require urgent attention and action.	Conditional—record if email precedence is not ‘routine’
Importance	None. The importance of the content of a message is flagged.	Conditional

 

Note
(a) These elements are in addition to those outlined in the NAA AGEMS and are set out for Defence use in DIMPI 4/2005.

Custodian, ownership and tracking metadata

3.135 The following tracking metadata is required for all records irrespective of form or location. It is required for records imported to the DRMS and records managed external to the DRMS.

3.136 The following metadata is automatically applied at capture into the DRMS, where available:

1. Title: as set at the time of registration/creation;
2. Identifier: as set at the time of registration/creation;
3. Author: the person who created the record;
4. Custodian: the person who currently has responsibility for the record;
5. Location: the current (physical or system) and usual location of the record; and
6. Dates: several dates may be relevant for the business or operational requirements, but they generally include one or more of the following:
   • (1) date moved;
   • (2) date created/captured;
   • (3) date modified; or
   • (4) date returned.

3.137 Business correspondence exchanged with external entities are records. The following must be collected for the tracking of incoming correspondence:

1. Custodian: details of the person(s) responsible for the correspondence in originating and receiving unit; and
2. Date transferred: the date the correspondence has been transferred in.

3.138 The DRMS provides a tracking facility for records to provide location and process monitoring.

Local and specific domain metadata

3.139 If required, business units may need additional metadata fields included in the standard set of metadata elements for specific local business uses. All such additions must also be in accordance with the AGRKMS, and are referred to as ‘local metadata’.

3.140 In addition to recordkeeping metadata compliance, Defence also complies with domain-specific metadata requirements; eg imagery metadata and metadata required for interoperability purposes and security purposes. The metadata and data elements should also be compatible with the following instructions and standards required by Defence:

1. Australian communications—electronic security standards (ASCI33);
2. hand-held imagery metadata standard ( Defence Instructions (General) (DI(G)) ADMIN 10–09 —Control and management of hand-held imagery );
3. Digital geographic information exchange standards and data ( DI(G) OPS 20–3 —Digital Geospatial Information Exchange Standards and Geospatial Data Product Specifications );
4. quality management standards ( AS/NZS ISO 9001:2000 —Quality management systems—Requirements );
5. interchange formats data elements ( AS ISO 8601–2003 —Data elements and interchange formats—Information interchange—Representation of dates and times );
6. information security management ( AS/NZS ISO/IEC 17799:2001 —Information technology—Code of practice for information security management); and
7. open archival information systems Blue Book ( Consultative Committee for Space Data Systems (CCSDS) 650.0–B1 —Reference Model for an Open Archival Information System).

Controlling Ownership, Custody, Versions and Tracking

Ownership

3.141 The Archives Act 1983 states that records created by Commonwealth agencies are the property of the Commonwealth. When changes are made to the machinery of Government through Administrative Arrangements Orders, responsibility for managing the records relating to affected business moves to the agency. (See chapter 4 after an administrative change.)

3.142 Ownership of records that will be created and/or maintained by contractors will be determined by the contract under which the contractor is engaged.

3.143 A transfer of ownership pertains to records being acquired by or leave the Commonwealth legal ownership. With a transfer of ownership, the Commonwealth relinquishes all its legal, physical and intellectual property rights over the records, after which the records are no longer subject to the Archives Act 1983.

3.144 If a decision is made to privatise or corporatise some business previously undertaken by the Australian Government, any transfer of ownership of the associated records must be authorised by the National Archives.

3.145 Custody is an aspect of the physical management of documents or records, and refers to where the documents or records are stored, and who is responsible for them.

3.146 Tracking refers to creating, capturing and maintaining information about the movement, use and handling of records. ^{ch3 note 12} Capturing information regarding the use and movement of a record permits the generation of an audit trail. In the DRMS, the audit trail records any access to the record within the system and may be used to identify unauthorised actions in relation to the records (eg modification, deletion, or addition).

3.147 Version and distribution control is the prevention of duplication and unregistered versions or copies of documents proliferating across Defence in an uncontrolled manner:

1. Each Commonwealth record must have a named custodian who is responsible for its management and protection. Defence records management policy requires compliance with the eDSM when undertaking transfer of Defence records ownership or custody.
2. The custodian of a record is accountable to the Group Head for the correct management of that record; ie that it is managed in a manner compliant with this policy and with relevant Defence and local procedures.
3. Where evidence is to be given (eg as the result of court order) on the authenticity and accuracy of the records management procedures for the management of Defence file(s), it is the responsibility of the custodian of the file(s). Where evidence is to be given on the content of records, this is the responsibility of the owner/creator of the file(s). Where evidence is to be given on the storage management of files in repositories, this is the responsibility of the repository that has custody of the records. In some cases, a legal or other delegate may be appointed.
4. Transfer of custody and/or ownership can only be conducted in accordance with:
   • (1) AS ISO 15489.1 —Records Management—General;
   • (2) National Archives Advice 12—Outsourcing, accountability and recordkeeping, August 2002; and
   • (3) the eDSM.
5. Access to and changes and uses of Defence records must be tracked in compliance with the recordkeeping metadata standard. An audit trail of access and use for Defence records must be created and stored securely, showing an appropriate level of detail. Where possible this should be recorded in the DRMS.
6. Audit trails must be secure, unalterable, and retained for as long as any record to which they refer is retained, where applicable.

Tracking file custody and movements (file musters)

3.148 File musters are conducted by the business owner, and includes an inspection of a business unit’s work area and its storage area to produce a catalogue of the files held. File musters are used for:

1. monitoring records management functions and quality control;
2. determining custody, ownership and location;
3. determining disposal actions needed;
4. identifying lost and misplaced records;
5. assessing future records management and storage requirements; and/or
6. determining requirements for document and record migration to the DRMS.

3.149 File musters should be conducted when there has been a significant change to the organisation or business unit. This could include physical change of location or closure of the business unit.

3.150 Reasonable attempts are required to be made to recover lost or missing files and all of the steps taken to locate the records, as well as the results must be recorded in detail in the DRMS. (See also File musters of classified records in chapter 5—‘Secure, store and preserve’.)

Version and distribution control

3.151 Version control covers the correct approach to creating new versions of records. Distribution control covers copying existing registered records, and how those records may be distributed and/or published.

3.152 Version control is the process which ensures that business documents evolve as records in compliance with records management policy. Version control allows all users of a document (typically, members of a business unit) to be clear about its status and content, and minimise unintentionally working with a superseded version.

3.153 Distribution control is the process of registering and monitoring the distribution of drafts of documents to ensure that:

1. the document owner is always aware of who has access to it,
2. all personnel have access to the information they need, and
3. information is unlikely to be accessible to those not authorised to see it.

3.154 Version control must be applied when business documents are authored and reviewed collaboratively.

3.155 Record versions must be numbered manually if not on the system drive; eg a major release number, and a minor draft number, conventionally separated by a dash: version 4–2, representing draft 2 of release 4.

3.156 Version numbers should apply to:

1. major drafts; and
2. significant releases (whether to colleagues for peer review, the first draft for the work sponsor, or any subsequent published release).

3.157 Version and distribution metadata elements in the DRMS are controlled at the system level.

3.158 Business units must ensure adequate manual management controls are also in place to avoid duplication and ensure tracking of restricted documents.

3.159 Final versions of business documents, and significant drafts, need to be placed on file to ensure they are managed and controlled for recordkeeping compliance.

3.160 Physical items which cannot be placed in a file (such as a book or chart) must have a marker placed in the appropriate file with details of the item, such as description and physical location (for metadata see paragraph 3.101).

3.161 Personal items and storage in Defence networks are not subject to version control.

3.162 DRMS and network administrators must manage the limit on the storage quota for personal usage in Defence systems (eg personal space in email and records management systems).

3.163 All Defence personnel must ensure that:

1. distribution of any published document is controlled,
2. unregistered versions of business records are not distributed outside Defence, and
3. published versions and associated information are stored on a registered file either electronically or in hard copy.

Functionally classifying

3.164 In accordance with NAA requirements, Defence has adopted functional classification as the basis by which Defence files are sentenced and disposed.

3.165 Functional classification is implemented in Defence as the DBCS. It is applicable across Defence, and provides the prime classification for all records. It is incorporated into the current DRMS as Primary Keywords.

3.166 The DBCS is developed as a product of the NAA Designing and Implementing Recordkeeping Systems (DIRKS) ^{ch3 note 13} and the Records Authority Process (RAP).

3.167 The DBCS:

1. provides a link to the available disposal authorities in the DRMS;
2. may assist categorisation of folders in Defence Business Information Systems, containing business transactions to be stored, and managed;
3. provides a standard vocabulary when describing the functions of business units; and
4. simplifies business category searching.

3.168 The DBCS also satisfies the NAA ‘function’ recordkeeping metadata element. It is used for all Defence records created (for metadata see paragraph 3.101 ):

1. The DRMS must support functional classification from the DBCS.
2. The DBCS or the disposal authorities must be used to functionally classify all Defence files (corporate etc) for disposal purposes.
3. The DBCS supersedes single-Service and organisation specific classification schemes. Local or individual schemes may continue to be used only under the umbrella of the corporate DBCS.
4. Defence personnel should assign an appropriate function and activity category from the DBCS when creating a file.
5. Defence personnel may use the DBCS for local use by adding lower-level transactions or subjects. However, requests for formal changes to the DBCS must be submitted to the DRMP for consideration (DRMP.policy@defence.gov.au).
6. The DBCS is available at (internal link) .
7. The DBCS is centrally managed by DRMP on behalf of Ministerial Support and Public Affairs Division. Requests for variation must comply with Defence change management policy and be submitted to DRMP.

Defence Business Classification Scheme

3.169 The DBCS is a hierarchical model of Defence business activities. This methodology examines the functions and activities that the agency performs and groups records according to transactions within that framework, rather than according to the internal agency structures. It is based on Defence functions and activities. The DBCS is also a controlled language with specific terms used to identify and manage records in Defence consistently. The thesaurus format identifies ‘broader’, ‘narrower’, ‘related. and ‘see’ references.

3.170 The DBCS is a product of, and a necessary step in, developing and maintaining disposal authorities in accordance with the NAA e-permanence policy and framework (ie it contains the functions and activities control language for the disposal authorities). This allows simple and/or automatic identification of records which are ready for disposal or retention action.

3.171 In compliance with the NAA DIRKS methodology, business classification is the process of analysing an organisation’s core business processes, categorising them, and identifying the sub-components. In Defence, this analysis has identified two hierarchical category levels which are referred to as ‘functions’ and ‘activities’ and defined as:

1. Core business (functions)—functions are the top high-level category of business processes and represent the major responsibilities that are managed by Defence to fulfil its goals. Defence functions tend to remain fairly static.
2. Activities—activities are the second-level category and represent the major tasks performed by Defence to accomplish each of its functions. Several activities may be associated with each function.

3.172 Core business functions are mutually exclusive to other functions, are consistent, and cover all the main business processes of Defence. Similarly, activities are mutually exclusive to other activities.

Recordkeeping tools management (metadata, Defence Business Classification Scheme, and Records Authorities)

3.173 Tools or controls associated with Defence records management include:

1. Defence mandatory metadata standard set,
2. DBCS,
3. disposal authorities and Australian War Memorial agreement, and
4. disposal authorities implemented in DRMS.

3.174 The NAA is authorised to approve changes to the DBCS, metadata and RAPs under section 24 of the Archives Act 1983. The NAA will authorise changes to the Records Authorities and DBCS based on changes submitted in accordance with DIRKS:

1. DRMP manages changes to Records Authorities and the DBCS. Changes are endorsed by First Assistant Secretary Ministerial Support and Public Affairs.
2. Changes may be made for the following reasons:
   • (1) ad hoc requests—made as a result of incomplete Records Authorities development, anomalies, omissions and inconsistencies;
   • (2) framework changes—result from directives relating to legislative, standard, business functions, activity and changes to recordkeeping requirements. Either the NAA or Defence can propose a review of Records Authorities in the event of administrative changes; and/or
   • (3) compliance reviews—as part of the DIRKS methodology, the NAA recommends that agencies should make arrangements for post-implementation review both directly after implementation and over the next four to 10 years as updates can be expected. This includes reviewing policy and systems.

Annex:

1. Categories of Defence Records

back to contents

Chapter 4
Keep, Destroy or Transfer

4.1 Disposing of records by keeping, destroying or transferring records out of Defence or Commonwealth custody or ownership is regulated by section 24 of the Archives Act 1983.

4.2 Records disposal by sentencing is the process of using authorised disposal authorities and normal administrative practice to retain, destroy or transfer a record.

4.3 Records disposal implementation is the process of carrying out sentences. The National Archives of Australia (NAA) may place a freeze or Defence may place an embargo on the destruction or unauthorised alteration of records for a particular reason.

4.4 Transfer of records is the process of internal and external change of custody of the records. This can include the transferring of records to:

1. a new location within Defence such as a business unit or repository, and
2. the NAA or the Australian War Memorial (AWM).

Sentencing

4.5 Commonwealth records can only be disposed of in accordance with the Archives Act 1983 and the associated regulations.

4.6 The NAA has the power to permit the disposal of Commonwealth records in accordance with approved practices and procedures known as disposal authorities.

4.7 The unlawful destruction or other disposal of Commonwealth records is an offence under the Archives Act 1983, and a breach of the Australian Public Services Code of Conduct. Anyone who misapplies, improperly disposes of, or improperly uses Commonwealth records may also be in breach of the Financial Management and Accountability Act 1997.

4.8 Sentencing is the process of associating a disposal action to corporate or personnel file-level records with a valid disposal authority. The disposal authority’s entry or class descriptions describe the transactions covered and the retention period for a file:

1. In Defence, disposal classification and sentencing are undertaken at the container (ie file) level. Business documents cannot be functionally classified for individual disposal. All files must be in a registered file series. The NAA accepts transfer consignments of Retain as National Archives (RNA) files only in registered series.
2. Sentencing of Defence records may be done at any time provided that the records are associated correctly and accurately with the applicable class or classes in the disposal authority.
3. During sentencing, all records at the corporate and personnel file-level are assigned a disposal status from the disposal authorities. For efficiency, this status should be assigned when a file is created.
4. Defence disposal of records is authorised by the following disposal authorities:
   • (1) Defence implementation of Administrative Functions Disposal Authority;^{ch4 note 1}
   • (2) General Disposal Authorities to 2008;
   • (3) General Record Authorities from 2008; and
   • (4) Defence specific Records Disposal Authorities (RDAs) and Records Authorities.
5. Disposal is also authorised under the provisions of normal administrative practice.
6. Disposal freezes are authorised by the NAA and Defence has the capacity to impose internal embargos on access and disposal.
7. Disposal of individual business documents on a file (in the general record series eg corporate or personnel records) is not permitted. Individual documents lack context or chain of evidence that a file container and title provide. Disposal of individual business documents in special record series (eg Defence Science and Technology Organisation Reports), is assessed case-by-case and disposal may be approved.

Disposal authorities and assigning disposal classes

4.9 Disposal authorities will be implemented in Document Records Management System (DRMS) as disposal schedules. Disposal authorities enable disposal classes to be selected at record creation or at record closure.

4.10 Disposal authorities in Defence are based on the Defence Business Classification Scheme (DBCS), which documents the functional analysis of Defence and is Defence’s approved tool for classifying Defence files for disposal.

4.11 Assigning functional classification is the process of selecting and applying the appropriate function and activity in the DBCS to a file in the records management system.

Disposal status identification

4.12 Identifying disposal is determining the disposal status of a record (ie sentencing) in compliance with the implementation within Defence of NAA-approved disposal authorities. It is the range of procedures associated with implementing records retention, destruction or transfer decisions which are documented in disposal authorities or other instruments. ^{ch4 note 2}

4.13 Archiving and disposal actions are to be applied at the file level, and scheduled subject to appropriate review of sentencing on execution.

4.14 Wherever possible, applying the disposal class number and disposal date should be done when the file is first created, irrespective of whether the file is electronic, physical or mixed mode.

4.15 In accordance with NAA requirements, records must be reviewed before disposal. This is the responsibility of the business unit with custody of the records. A file must be reviewed when its retention period has elapsed. There may be three possible outcomes from the review. It may be decided that:

1. the file is still needed, so it is re-sentenced and a new retention period is set;
2. the file is no longer needed and so should be destroyed; or
3. the file is no longer needed by Defence, but is of historical importance and may be retained or transferred to the NAA or the AWM.

4.16 In the case of physical records, the file and all of its parts should usually be sentenced together. If individual parts have differing sentence periods, the longest sentence applies to the file in its entirety.

4.17 All sentencing decisions must be separately documented by creating a Control Record, if not implemented in the DRMS. Defence must be able to prove that any records that have been disposed of have been done so in accordance with the correct disposal authority.

4.18 Records may be sentenced using a RDA if routine and administrative records are of non-permanent value. Permanent value Defence core records covering procurement, combat, peacekeeping, operations, strategy, policy and technical matters should not be sentenced under legacy RDAs. They will require re-sentencing under current valid Records Authorities.

Administrative records sentenced prior to the Administrative Functions Disposal Authority

4.19 If records have already been sentenced for destruction before the issue of the AFDA in 2000, or new Defence Records Authorities, the sentences may remain and the records do not need to be re-sentenced. However, all records held by Defence which were sentenced for RNA and records required to be kept for more than 30 years (eg civilian personnel history files, and compensation case files) must be re-sentenced using functional Records Authorities.

Normal administrative practice

4.20 Normal administrative practice allows for the destruction of certain types of records in the course of normal business. It allows Defence staff to dispose of low-value records as soon as they are no longer useful. This leads to better efficiency in the areas of storage. (For normal administrative practice guidelines see chapter 4, annex A.)

Managing low-value records

4.21 All business-related documents in any format, including email messages ^{ch4 note 3} created using Australian Government systems must be managed in accordance with the Archives Act 1983. However, low-value business-related items are not captured in the DRMS or filed in physical files. These may be stored on Defence networks temporarily and deleted under normal administrative practice when they are no longer needed.

4.22 Normal administrative practice can also be used to destroy an entire file registered in the DRMS if the file:

1. is of low value (eg file covers created in error and telephone message slips);
2. has ‘for information’ copies and duplicate documents;
3. contains working papers and drafts;
4. contains no Defence business transactions; or
5. comprises normal administrative practice category documents.

4.23 For these files, a control record is required for the disposal process.

4.24 The NAA has formally advised Defence that national security classified records that have been registered on a Classified Document Register and/or incorporated into a file cannot be disposed of under the normal administrative practice provisions of the Archives Act 1983 (AA A92/0297 dated 21 July 1995).

4.25 Document and records categories eligible for destruction under normal administrative practice are listed in chapter 4, annex A.

Sentencing cancelled files

4.26 All files which are created and have had records placed on them must be disposed of under the appropriate RDA. Files which have been created in error and have never had records placed on them can be cancelled and are eligible for destruction under normal administrative practice.

Disposal freezes

4.27 A disposal freeze is a ban on disposal action, which applies to certain groups of records as designated by the NAA.

4.28 A freeze may be imposed when a particular topic or event gains prominence or becomes controversial. After assessing the situation, the NAA may amend the relevant disposal authorities to prevent agencies from destroying significant records. Disposal freezes in force are published on the Directorate of Records Management Policy (DRMP) website (internal link) .

4.29 Records that are subject to a disposal freeze can be sentenced but cannot be changed, destroyed or transferred until the NAA:

1. lifts the freeze, or
2. issues new instructions on disposal actions.

Disposal embargos

4.30 An embargo is an order prohibiting a particular activity.

4.31 Defence places an embargo on access to and/or disposal of particular subject matter due to impending policy changes, litigation (including court-issued discovery orders), public controversy or community interest. Embargos are an entirely internal matter and are subordinate to instructions from the NAA. An embargo may be implemented by a particular business unit or division, or may be Defence-wide. Embargos, like freezes, halt any disposal action that may be due until the embargo is lifted.

4.32 Any business unit that wishes to apply an embargo should notify the DRMP which will assess the request and may as part of its decision authorise the imposition of an embargo. Embargos in force are published on the DRMP website. A comprehensive procedure is being developed to identify and safeguard records covered by embargos and will be promulgated in the first revision of this Manual. All inquiries in the interim should be directed to DRMP.

National Archives of Australia—Australian War Memorial Agreement

4.33 The AWM is empowered by the Australian War Memorial Act 1980 to develop a collection of historical material relating to Australian service in wars and warlike operations. ‘Warlike operations’ includes all peacekeeping operations conducted by the Australian Defence Force (ADF) or its predecessors.

4.34 In discharging this function, the AWM has always been recognised as the custodian of certain records created by agencies of the ADF and its predecessors.

4.35 Defence records classed as RNA in this category must be transferred to the AWM, not the NAA, in accordance with procedures in the agreement guidelines published on the DRMP website.

Records Disposal

4.36 Disposal is the implementation of the records sentence. Disposal can happen in three ways:

1. the retention of records,
2. the destruction of physical records or the deletion of electronic records, and
3. the transfer of records.

4.37 Transfers include removal of records from the custody of Defence—such as transfer to an external agency for long-term retention (ie the NAA or the AWM)—and change of custody within Defence. ^{ch4 note 4} (For transfer policy see chapter 4—‘Keep, destroy or transfer’.)

4.38 Disposal of records can only be undertaken on records owned by Defence, in accordance with:

1. the Archives Act 1983 and associated regulations,
2. disposal authorities and the AWM Agreement, and/or
3. another overriding law requiring a particular disposal action.

4.39 Non-Defence records in the custody of or on loan to Defence must not be destroyed without the authorisation of the owner. Records on loan must be returned to the owner:

1. Loose Defence documents that have yet to be registered on files can be assessed against the normal administrative practice categories for destruction, and if suitable can be destroyed without prior authorisation or creation of a control record. If the documents are not suitable for normal administrative practice they must be registered as a record and attached to a file. This applies to both physical and electronic records.
2. Files must be disposed of as a whole unit. The practice of culling or stripping folios from closed files is a breach of the Archives Act 1983. The NAA can impose penalties under section 24 of the Act.
3. Records identified for long-term retention in Defence are migrated/converted to ‘open format’ at point of disposal to ensure continuous accessibility and retrieval.
4. Records identified as RNA should be transferred to the NAA by arrangement.
5. Execution of the sentencing process requires reviewing the file and executing the assigned disposal schedule in the DRMS.
6. A control record must be created and registered in the DRMS.

Destruction of records

4.40 Records must only be destroyed when the following requirements have been met:

1. It has been authorised by a current and valid disposal authority.
2. A control record of destruction is registered in the DRMS.

4.41 Defence records, identified as ‘to be destroyed’, must always be destroyed in accordance with the electronic Defence Security Manual  (eDSM). Destruction or transfer must always be authorised by the custodian. ^{ch4 note 5}

4.42 The control record for all destroyed records must indicate when, how, where and under what disposal authority/authorities the records were destroyed. Control records should be created by the business unit carrying out the disposal process, registered in the DRMS and a copy sent to DRMP for review before destruction (unless other arrangements have been made with DRMP). DRMP will keep a copy of the control record as RNA on behalf of the NAA. Control records should not be forwarded directly to the NAA.

4.43 Records relevant to a criminal investigation, pending or actual litigation, or the subject of discovery orders made by a court must not be destroyed for the duration of the legal process.

4.44 Records must not be destroyed if they are subject to a disposal freeze or an embargo.

4.45 Great care should be taken before undertaking large-scale destruction proposals where there is potential community sensitivity, in particular military personnel records, including unit history and case files. If in doubt, business units should consult DRMP.

4.46 Special considerations apply to the destruction of national security classified records (see paragraph 5.33 —Disposal, transfer and destruction of classified records).

4.47 For destruction of encrypted records created in online security processes, refer to the general disposal authority for encrypted records.

4.48 For destruction of mixed mode records, ensure the physical part is confirmed as destroyed prior to the electronic. Destroyed electronic records should include the entire contents, alternative renditions, markers, shortcuts and aliases, unless the destruction results in change to another record.

4.49 Business units are responsible for assessing destruction of their time-expired records in NAA custody. DRMP will notify business units and other stakeholders (eg the Directorate of Classified Archival Records Review, history units, Legal Service) of notification by the NAA of destruction of Defence records in their custody.

4.50 Destruction process must be authorised by custodian of records prior to destruction, in accordance with NAA guidelines.

4.51 The method of destruction of classified records must comply with the eDSM.

4.52 For altering records and moving documents between files see chapter 3—‘Create, capture and describe’.

Records disposal in overseas posts and during deployment

4.53 Australian overseas posts and deployed units may have to increase retention periods of some of the disposal requirements to meet any statute of limitation periods in their host country. Similarly, normal operating instructions and procedures may have to be waived at times of hostile assault or potential security breach. At such times, personnel safety and security is paramount and records may have to be disposed of without recourse to disposal authorities. In summary, the records of the highest sensitivity should be destroyed first. Ideally, a record should be kept of what has been destroyed, although it is recognised that this may not be feasible in an emergency. The eDSM provides guidelines regarding the procedure to follow when an overseas post is under threat. Hardship posts or war zones should digitise their records if practicable as a security measure in case the post has to be evacuated.

4.54 Under normal operating environments, records may be sentenced and destroyed on site in compliance with Records Management policy and in-country requirements, if applicable. At overseas diplomatic posts, records disposal may be undertaken by the Department of Foreign Affairs and Trade.

Changes in custody or ownership mandated by the disposal authority

4.55 In the AFDA, under some functions (equipment and stores, fleet management, information management, property management, publication and technology and telecommunications) the transfer of custody and ownership of Commonwealth records is directed in the disposal action. The AFDA authorises transfer of the records under section 24(2)(b) of the Archives Act 1983. Such transfers are subject to the record no longer being required for further Defence or Commonwealth purposes. If there are any doubts in relation to this requirement, copies should be made of the records before they are transferred.

Closing records after a change of government

4.56 Records regarding advice given to ministers should be closed after a change of Government, and should not be made available to incoming ministers if they are from a different political party.

4.57 Cabinet memoranda, discussion papers, minutes and related documents provided by Defence should be handled in accordance with Cabinet Handbook (http://www.pmc.gov.au/guidelines/ docs/cabinet_handbook.pdf ) and instructions from the Department of Prime Minister and Cabinet. The creation, retention and disposal of these records must comply with AFDA function, Government Relations Class 1345.

Transfer of Records

4.58 This includes the internal or external transfer of records in any format by transferring custody or ownership.

4.59 When records are transferred, the transfer must be reflected in and recorded by the DRMS or in compliance with recordkeeping metadata.

4.60 When a record is to be transferred, it is the custodian’s responsibility to verify that:

1. the transfer actions are properly authorised and documented (especially where disposal is carried out by contractors); and
2. a formal agreement between Defence and the receiving organisation is in place (outlining any continuing obligations to maintain, manage and make accessible the records).

4.61 The system copies of electronic records transferred to another agency under a disposal class must only be destroyed after confirmation of successful transfer.

4.62 Control metadata must be retained in the DRMS for all records transferred as electronic exports, imports or physical transfer. For mixed mode (combined physical and electronic) records transfer, metadata for both formats must be confirmed and the links between the files checked prior to transfer.

4.63 Electronic records may be bulk or singly imported and exported from the DRMS using native format, common interface formats (eg XML and CSV) or in digital preservation formats (eg PDF or equivalent, or open or XENA formats).

4.64 Transfer of records to another Commonwealth agency. Transfer of custody of Defence records to another Commonwealth agency can occur through:

1. special arrangements with other agencies (eg the AWM);
2. administrative changes occurring through changes in functions of Government, promulgated through Administrative Arrangement Orders; and
3. transfer of RNA records to the NAA.

Internal transfers

4.65 During a business unit’s day-to-day activities, it may be necessary to access records that are in the custody of another business unit. When these records are electronic, this can be accomplished without transfer of records using the search and retrieval facilities of the DRMS. However, sometimes it may involve an internal transfer of custody of those records, especially when the records are available in only hard copy form. Common examples of the need to make internal transfers of records include:

1. reorganisation of business units, including geographic relocation;
2. the addition, deletion or merging of functions; or
3. the transfer of inactive records to Defence repositories.

4.66 On occasions, the transfer may be of a more temporary nature when specific areas of Defence may need access to records to assess a particular case; for example:

1. Directorate of Honours and Awards (DHA) —DHA may need to access Defence records, such as personnel records, on a temporary basis to assess a particular honour or award. DHA will approach the appropriate business unit or repository directly, and that business unit must then transfer the record(s) to DHA;
2. Defence Legal (DL) —DL may need to access Defence records on a temporary basis to assess a particular case. DL Division will approach the appropriate business unit directly, and that business unit must then transfer the record to DL; or
3. Inspector-General (IG) —IG may need access from time to time.

4.67 When records are transferred internally, the location details must be changed on the DRMS to reflect the new internal custodian.

4.68 Internal transfer on return of overseas posting or deployment —home units should negotiate the transfer of records from the deployed location to the appropriate Defence records storage repository.

Temporary internal file transfer

4.69 When records are to be transferred internally on a temporary basis:

1. the losing business unit is required to annotate the metadata so as to reflect the change in internal custody. This should include the business unit name, the records management system and the duration of the transfer; and
2. the gaining business unit is also required to annotate the metadata so as to reflect the change in internal custody. This should include the business unit name, details of the DRMS and the duration of the transfer.

Permanent internal file transfer

4.70 When records are to transfer internally on a permanent basis, the losing business unit is required to:

1. close and sentence the inactive files;
2. transfer open (active) files if the business has been transferred; and
3. annotate the metadata to reflect the change in internal custody. This should include the gaining business unit name, details of records management system, and the date of the transfer.

4.71 The gaining business unit is required to:

1. create a new file if new business is created;
2. manage any transferred active files; and
3. annotate the metadata to reflect the change in internal custody. This should include the losing business unit name, the records management system and the date of the transfer.

4.72 Where the internal transfer of records utilises the DRMS, the losing business unit must change the location details to reflect the new internal custodian. If the transfer involves a different records management system, the losing business unit will need to coordinate the transfer ensuring that the appropriate custodian information is changed.

Internal transfers of records when business units relocate to other regions

4.73 When units transfer to different geographic locations, the business owner of the record should undertake the following before relocating to another region:

1. Close any inactive files, sentence them and input them into the DRMS before sending them to the local repository for storage. Inactive records should not be transferred to the new geographical location. Records stored in a different location to the business owners must be retrievable via a DRMS.
2. For files that are still active and open—they should go with the unit (to be moved as part of the sections relocation, not through the mail system). The business owner should change custody/location/transfer details on the DRMS.

Transfer of Retain as National Archives Records to the National Archives of Australia

4.74 Records sentenced as RNA under functional disposal authorities (Records Authorities) are transferred to the NAA as soon as administrative use has ceased, by arrangement with the NAA. Records sentenced as RNA under non-functional legacy RDAs cannot be transferred to the NAA. Records that are to be retained as national archives will only be accepted for transfer to the NAA if they are no longer encrypted. ^{ch4 note 6}

4.75 Transfers of physical records to the NAA are organised through the local Defence Support Group (DSG) repository. If DSG is unable to facilitate the transfer contact DRMP.

4.76 If a business unit has electronic RNA records that can be transferred, they must notify DRMP.

4.77 Because of their content, some Defence records are considered exempt from transfer to the NAA under section 29 of the Archives Act 1983. Business units that are required to house RNA records that are not to be transferred to the NAA because of their exemption status should refer to the NAA document that details storage facility criteria, and to the Archive Advices regarding the protection of particular record media.

Transfer of records to the Australian War Memorial

4.78 The AWM is a legitimate custodian of Defence records, which are identified as historical material as defined in the Australian War Memorial Act 1980. Such records are usually of an operational nature. Under an administrative arrangement between the NAA, the AWM and Defence, records that relate to ‘warlike operations’ include:

1. unit war diaries;
2. squadron records;
3. documents created by official military historians;
4. aerial photographs;
5. maps, plans, charts, and
6. military uniforms.

4.79 These records should be transferred to the AWM rather than the NAA for longer term storage.

4.80 The transfer of Defence records to the AWM is currently subject to negotiation between the AWM, NAA and Defence case-by-case. All records transfer applications should be referred to DRMP.

Changes in business or operational function

4.81 When a business or operational function is transferred from Defence to another agency, the records associated with that function must also be transferred. Such a transfer constitutes a transfer in custody of the Commonwealth records. If a change in custody is appropriate, the usual protocol is for the custody of the records (current and RNA) to be transferred to the gaining organisation. If Defence then requires access to records held by the NAA, Defence, like all other Commonwealth agencies, must apply for official access through normal administrative processes provided by the Archives Act 1983.

4.82 Records that are transferred because of changes to Government administrative functions may have a continuing value to Defence. Defence can therefore seek special arrangements with the gaining organisation for continued access to RNA records held by the NAA. If this is necessary, Defence and the gaining organisation must negotiate these arrangements and provide a copy to the NAA. Such negotiations should be conducted through DRMP.

Receiving records from other agencies

4.83 The losing agency must provide a list of all records supplied, and Defence staff must check all records received against these lists. All records must be recorded into the DRMS, retaining (where possible) the original record series for all records to ensure that the original context of the records will not be changed. The losing agency must provide all details of any records that may be held by the NAA or other service providers, including information about charges, contracts and outstanding debts for which Defence may become responsible.

Transfer of records outside the Commonwealth

4.84 The transfer of records outside the Commonwealth can occur through:

1. the privatisation of a Government agency,
2. the corporatisation of a Government agency or part thereof,
3. changes in ownership of property or plant, and
4. outsourcing.

4.85 When records are transferred, the transfer must be reflected in and recorded by the DRMS. Any of these forms of transfer requires the authorisation of the NAA.

4.86 A transfer of custody is about records moving from the possession and responsibility of the Commonwealth to another organisation. In such a case, the Commonwealth retains intellectual and other property rights over the records, but an organisation outside the Commonwealth holds the physical records and is responsible for their security and integrity. A transfer of custody does not change the Commonwealth’s legal ownership of a record, it is still subject to Commonwealth law, such as the access and disposal provisions of the Archives Act 1983.

4.87 A transfer of ownership is about records leaving Commonwealth legal ownership. With a transfer of ownership, the Commonwealth relinquishes all its legal, physical and intellectual property rights over the records. The records are no longer subject to the Archives Act 1983 and other related legislation that protects the use of Commonwealth records. This may be appropriate when the Commonwealth and the Australian community as a whole have no further need for the records.

4.88 Where the Commonwealth makes an outright sale of property or plant, the resulting contract should include clauses dealing with the transfer of ownership of Commonwealth records pertaining to that property or plant.

Transfer of Personal Security Files to State and Territory Government agencies

4.89 Personal Security Files (PSFs) of Australian Public Service employees or contractors engaged by State, Territory or police services may be transferred to the employing body on request. Transfer includes custody and ownership in compliance with general record authority 2008/00174731—Transfer of Custody and ownership.

4.90 PSFs of Defence military personnel are not transferred.

Transfer of records for outsourced functions

4.91 When functions are outsourced, the ownership of the records that exist or that arise from the outsourcing activity and their continued control and management is not transferred from the Commonwealth. Refer to Records Issues for Outsourcing—General Disposal Authority 25 for more information on outsourcing disposal issues.

Transfer of long-term temporary records back to Defence

4.92 From March 2000, the NAA no longer accepted the transfer of ‘long-term temporary’ records. Those long-term temporary records that are currently stored with the NAA can remain in its custody. Business units may regain custody of long-term temporary records previously held by NAA if they choose to do so. If a business unit wishes to have these long-term temporary records transferred back to it, then it should contact DRMP in the first instance.

Annex:

1. Examples of normal administrative practice items

back to contents

Chapter 5
Secure, Store and Preserve

5.1 Defence is obliged to keep records safe and accessible over time. Securing records includes assigning national security classifications, need-to-know and caveats, protecting records from unauthorised access and interference, putting plans in place to ensure business continuity and disaster recovery. Physical storage and preservation is about keeping physical records in accessible, controlled environmental conditions. Electronic storage and preservation is about ensuring accessibility and retrieval of records in compliant record management systems for their lifetime.

Security Classifications and Caveats

5.2 Securing Defence records involves applying national security classifications and caveats. Caveats are additions to the security classification of a document warning that special handling is required for security purposes. They provide a record with safeguards that ensure the confidentiality, integrity and availability of Defence information, regardless of format. This is in compliance with the electronic Defence Security Manual (eDSM) guidelines for classification.

5.3 Classified records are documents or objects assigned classification and caveat markings and managed in appropriately classified records management systems and registered in a Classified Document Register (CDR) in compliance with the eDSM.

5.4 Defence personnel must not attempt to access records for which they do not have an appropriate clearance.

5.5 Defence personnel have a duty to share information where and when required within security guidelines.

5.6 Aggregation can cause a security risk. Certain compilations of security classified information may require a higher classification than its component parts because the combination of the information creates a greater value and risk of compromise. This is known as an aggregation. The responsibility for an aggregation’s security classification rests with its business owner.

Assigning and maintaining security classifications

5.7 Business units must ensure national security classification is assigned to records as follows:

1. grading of titles occurs when it is not possible to generate an unclassified title for the record;
2. grading of text occurs when the document covers multiple national security classifications that the business owner should highlight to other Defence personnel; and
3. grading must be indicated in compliance with eDSM requirements. Wherever possible, titles should be unclassified to enable more efficient search and retrieval of records.

5.8 Internally generated records may have a National Security Classification (NSC) assigned.

5.9 Items that are received from external entities may include:

1. documents or correspondence received from other agencies or organisations that have been given a NSC. In these cases the NSC cannot be changed without the consent of the business owner; or
2. documents or correspondence received that have no NSC assigned. The content and context of these items will determine the appropriate security classification, which will be applied by the recipient and/or subsequent custodian.

5.10 The NSC applicable to a record must be recorded during capture.

5.11 If a record collated on a file requires a change to the assigned NSC (upgrade or downgrade), then the business unit should arrange for the NSC of the file to be changed also.

Reviewing classification of Defence records

5.12 NSC material should be regularly reviewed to ensure that the material maintains an appropriate NSC.

5.13 Business owners of TOP SECRET material should review the material every six months including that material transferred to Defence Support Group repositories. SECRET material should be reviewed annually.

Review and reclassification of records that originated from a Government agency

5.14 Records and files originating from another Commonwealth agency cannot be reclassified without the approval of that agency.

Review and reclassification of records that originated from a non-Government agency

5.15 Sometimes records and files received by Defence from an organisation other than another Commonwealth agency may have been given a security classification by that organisation. An example would be a job application or tender which has been marked CONFIDENTIAL. These records must be given a security classification in keeping with Defence security guidelines.

Declassification of classified records

5.16 When an open period record is examined and determined not to be an exempt record in accordance with the Archives Act 1983, the security classification ceases to have effect for any purpose. However, the security classification on the original document must not be altered in any way. Wherever possible, all Retain as National Records (RNA) records should be declassified before being transferred to the National Archives of Australia (NAA) or Australian War Memorial (AWM), even if they are still in the closed-access period.

5.17 The declassification of records is to be recorded (in the metadata of a record in the Document Records Management System (DRMS), or on Form XC 21 —Downgrading or Declassification of Classified Documents for a physical record).

Management of classified records

5.18 All records must be stored according to their security classifications in the DRMS (noting that DRMS is only endorsed to manage records up to RESTRICTED and Electronic Document Management System only endorsed to manage records up to SECRET). This applies to both electronic and physical records.

5.19 Defence personnel access to security classified records must be matched to their level of security clearance equivalent at the highest level of classified information to which they have access.

5.20 Appropriate authority is required for access where caveats, code words or special handling indicators apply, and have a justifiable need to access both the information and the system in which it is held.

5.21 When physical security classified records are not in use, they must be stored in the appropriate Security Construction and Equipment endorsed security container in compliance with the eDSM.

5.22 Removal of any classified record from a Defence premises, whether to another Defence location or a private residence, requires a signed authorisation (on a Form XC 19 —Permit to Remove Classified Matter ) from the business unit head, in order to provide an audit and accountability trail for the movement of classified records in compliance with the eDSM.

5.23 At the close of business each day, staff should take precautions to ensure that security classified records are protected from unauthorised access. A clear desk policy also ensures protection of classified records.

5.24 Lost or missing classified records must be registered in an investigation report and permission obtained to write them off.

5.25 Handling of classified physical records must be controlled. Security classified physical records should not be circulated uncovered or loose, and should be placed in an appropriate file cover that is clearly marked with the protective marking of the highest level of security classified information it holds. Under no circumstances is national security classified information to be placed on a non-national security file.

Classified document register

5.26 Documents classified CONFIDENTIAL or above must be registered in a CDR. TOP SECRET information sources are recorded in a separate CDR used only for TOP SECRET material. The CDR is classified according to actual content. The CDR, as a master control record of classified destruction is classed as RNA (Administrative Functions Disposal Authority (AFDA) entry 1490). Business units must ensure that the CDR is stored on an appropriate long-term (permanent) medium, and is captured as a unique record in its own right. Form XC 40 —Classified Document Register must be used to create a manual CDR.

5.27 The use of an electronic CDR is not consistent with security policy. In order to use an electronic CDR a dispensation from the Defence Security Authority (DSA) is required. Information on dispensations can be found at the following link: (internal link) .

File musters of classified records

5.28 Musters and checks of classified records should be conducted by the business owner when there has been a significant change to the organisation or business unit and in accordance with requirements in the eDSM. This could include physical change of location or closure of the business unit. File muster ensure that:

1. all files classified SECRET and above are currently registered in a classified file register and are physically accounted for; and
2. individual records classified SECRET and above are correctly registered, physically present, complete and correctly amended, in accordance with CDR holdings.

Classified records metadata in a records management system

5.29 Records captured in the DRMS must match classifications as shown in the following table.

Table 5–1: Classification metadata map table

Record/File classification	Metadata classification
UNCLASSIFIED	UNCLASSIFIED
Up to and including RESTRICTED	UNCLASSIFIED
Up to and including SECRET	UNCLASSIFIED
Up to and including TOP SECRET	UNCLASSIFIED

5.30 A file must inherit the classification level for the highest level of classification it contains.

5.31 The metadata relating to a record or file should always be UNCLASSIFIED regardless of the files contents.This enables searching across the system.

Managing classified records overseas (including deployed and operational forces)

5.32 When managing classified documents during operations (including deployment), exercises and trials, custodians must ensure:

1. accountability of the classified records is transferred from the regular custodian to the operation/exercise security officer, and appropriate steps are taken to document this transfer;
2. the records are entered on a CDR, approved by DSA and in accordance with the eDSM; and
3. audits at the beginning and end of the operations are conducted to ensure the business unit is accountable for the classified records in their care, in accordance with the eDSM. For disposal of classified records overseas, see below.

Disposal, transfer and destruction of classified records

5.33 Disposal of records with a classification higher than CONFIDENTIAL must be registered on a CDR.

5.34 Classified documents should always be registered in classified files. These files must be disposed of under disposal authorities or normal administrative practice and in compliance with security provisions in the eDSM.

Disposal of classified records overseas (including deployed and operational forces)

5.35 Where possible, deployed units should take classified information to an Australian controlled area, such as an Australian Embassy or High Commission, for destruction.

5.36 If there is a need to destroy information due to the risk of uninvited entry of unfriendly forces, the unit’s Unit Security Officer is responsible for preparing a plan for emergency destruction of classified documents in accordance with the eDSM. This plan must:

1. identify the order and method of destruction of all classified documents, and
2. ensure that the most sensitive documents are destroyed first.

Destruction of classified records

5.37 If the records are to be destroyed:

1. the destruction should be registered in an appropriate destruction register (in the metadata of the record in the DRMS, or on Form XC 24 —Certificate of Destruction for Classified Material for a physical record);
2. Business units must liaise with their regional security office to ensure an appropriate standard of destruction is performed;
3. the destruction must be performed under the supervision of two Defence personnel (or approved security personnel) who have been suitably briefed and possess the appropriate security clearances, regardless of the method of destruction and regardless of whether Defence facilities or the facilities of a contractor are used; and
4. in accordance with eDSM, the destruction of classified material must ensure that the content is no longer decipherable by any means.

Transfers of classified records

5.38 Care must be taken during the processes of transfer and destruction of classified files and records that the classified material is only dealt with by those who hold the appropriate security clearance.

5.39 Where possible, records should be declassified before transfer. However, when classified records need to be transferred to the NAA, other agencies, service providers, or from one business or operational unit to another, they must be transported in accordance with the eDSM.

Copying classified records

5.40 Security classified material must only be reproduced when it is strictly necessary to do so to meet operational requirements, and permission from the business owner must be sought.

5.41 Each copy made of a document classified CONFIDENTIAL and above must be recorded in the CDR, cross-referenced to the original record’s registration, and marked with the relevant serial number and notations.

5.42 Copying of classified records is permissible under the following conditions:

1. only authorised persons must undertake copying;
2. permission must be obtained from the originator;
3. copies must be copy numbered; and
4. records must be copied on a reproduction machine appropriate to the record’s classification.

Business Continuity and Disaster Recovery

5.43 Loss of records disrupts business, as information about decisions and outcomes is no longer available. The responsibility for the safe guardianship of Defence records falls on the custodian of the record. Business continuity plans list the actions to be taken in the event of a disaster.

5.44 In accordance with NAA policy and Australian Standards International Organisation for Standardisation (AS ISO) 15489.2 —Record Management—Guidelines, business units must comply with disaster preparedness plans for the records held, either as a distinct set of guidelines or as part of the business unit’s business or agency level disaster recovery plan.

Risk management and contingency plans

5.45 From the broadest perspective Defence has determined that the risk associated with not having full and accurate records is high and warrants the cost associated with storing and administering those records.

5.46 Defence business units should put in place group or agency planning and contingency measures to ensure that records which are vital to the continued functioning of Defence are identified as part of the risk analysis, protected, and made accessible when needed. The assessment should be repeated periodically and the risk management plan reviewed accordingly. ^{ch5 note 1}

5.47 Defence recordkeeping risk management must be conducted in accordance with the Defence Risk Management Policy and Procedures. The most important risks to assess are those that threaten to interrupt business continuity; compromise Defence capability; and/or expose Defence to litigation or cause Defence to be in breach of records management regulations.

5.48 There is a high risk that poor records management will lead to compromised records and increase the likelihood that:

1. Defence will be unable to meet its goals;
2. Defence will be in breach of relevant legislation and/or regulation(s);
3. Defence’s ability to defend itself from litigation will be compromised;
4. Defence’s ability to bring litigation will be compromised;
5. Defence will be exposed to litigation (because it will not be able to access the records it needs to mount a defence); and
6. in litigation, greater penalties than necessary will be imposed because of an impaired defence.

5.49 Defence Legal Division can provide guidance on these risks.

Vital records

5.50 These are records critical to continuing business operations. Business continuity actions should refer explicitly to any vital documents and records that are essential to enable business operations to continue effectively. This plan should identify a range of vital Defence records and plans for how they will be protected, and should include a plan of action for recovering any lost information.

5.51 The plan of action must enable vital records to be identified, maintained, retrievable and managed in the DRMS. Vital records are usually also retained as national archives; that is, they are to be kept indefinitely. Vital records include significant policy documents; records of significant decisions (including Cabinet decisions, documents on major events or public issues) and items of research value (such as historical or public interest). All operational and wartime records created by Defence are RNA and kept at the NAA or the AWM.

5.52 Categories of vital records are defined as RNA records in the AFDA and Defence-specific Records Authorities.

Storage

5.53 The decision to capture a record implies an intention to store it (whether electronically or physically). Appropriate storage conditions ensure that records are protected, accessible and managed in a cost-effective manner. The purpose served by the record, its form, its use and its value will dictate the nature of the storage facility and services required to manage the record for as long as the record needs to be preserved. ^{ch5 note 2}

5.54 All Defence records must be stored in a manner that ensures their retrieval and accessibility, and provides national security classification, need-to-know and appropriate environmental protection (as indicated by NAA storage standards and guidelines ^{ch5 note 3} ).

5.55 To ensure ongoing accessibility, stored records should:

1. not be encrypted,
2. not be password protected, and
3. be stored without any digital rights management features that restrict access or limit the lifespan of a record.

5.56 Business units must consider the following when deciding on storage options:

1. retention period of records;
2. storage availability—short and long-term;
3. media formats;
4. security and access needs; and
5. disaster recovery planning.

5.57 The determining factors when deciding storage solutions are frequency of access and immediacy of access. For physical files (corporate etc), the size of a file or file part is limited by physical restrictions. For electronic files (corporate etc), size is limited only by electronic storage constraints and access.

5.58 Because of their content, some Defence records are considered exempt from transfer to the NAA under section 29 of the Archives Act 1983. Business units that are required to store RNA records that are not to be transferred to the NAA because of their exemption status must comply with the NAA storage standard.

5.59 Information and Communication Technology (ICT) system administrators must ensure that any records management system repository (and its audit trails, metadata etc) or storage device is appropriately protected and backed up.

Storage of electronic records

5.60 Electronic records must be stored in the DRMS. In the electronic environment, the processes of ‘capture’ and ‘registration’ are integrated in the process of storing records in the records management system. ^{ch5 note 4}

5.61 Defence active (current business) electronic records originally created (not scanned copies) in the DRMS, may be managed in propriety formats (eg Microsoft Word and Microsoft Excel) until they become inactive, are closed and converted to a format for long-term preservation.

Records on shared, public or personal drives and in email folders

5.62 Defence records (irrespective of format) stored in shared drives, personal drives, email folders, local applications, cabinets, workstations and on backup disks or drives are not compliant with Defence’s recordkeeping obligations. This business information remains non-compliant until it is registered as a record, ie placed on a file.

5.63 These drives and locations do not capture sufficient metadata to meet the legal recordkeeping retention and disposal requirements, and do not allow records to be widely searchable or accessible. They are not accessible to all who need them, are not authenticated and are not secure from alteration or deletion.

5.64 Electronic records are to remain accessible and retrievable until they are appropriately disposed of. Records that are not yet due for disposal must be maintained either online or near-line (including a put away volume of media) depending on the storage requirements of the DRMS.

5.65 Electronic records should be regularly backed up to avoid data loss and the storage location for backup copies should be physically separate from that of the original records. Defence Business Information Systems not currently approved as records management compliant that house records (such as PMKeyS, ROMAN, Electronic Warfare systems, email, SharePoint instances and combat/control systems) should ensure that appropriate system backup regimes are in place to ensure the day-to-day accessibility, retrieval and integrity of records.

Digital media muster

5.66 A digital media muster may be held by a business unit to determine the amount of unused and excess digital media. These musters are usually run Defence-wide. It is crucial that each record on the located media is reviewed and sentenced for disposal either under Normal administrative practice or the relevant Records Disposal Authorities.

Electronic records in folders

5.67 Records organised in folders in the DRMS must also be registered against a file. Folders of records may also be migrated to or converted into registered files.

5.68 Folders of documents not in a corporate file are not compliant with Defence’s recordkeeping obligations. This business information remains non-compliant until it is registered as a record, ie placed on a registered file.

5.69 Folder of records must be converted to registered files as soon as practical. All folders of registered files, eg temporary transition repositories, files for destruction etc must be assigned to a business owner, workgroup, or system administrator. Folders do not capture sufficient metadata to meet the legal recordkeeping requirements.

Encrypted records

5.70 Defence manages encrypted data in information and Defence formal messaging systems that must be stored as records.

5.71 In compliance with records management principles and NAA requirements, records must be unencrypted for storage and continuing access and retrieval. ^{ch5 note 5}

5.72 Records that are to be retained as national archives will only be accepted by the NAA in an unencrypted state.

5.73 To store and manage encrypted records in the DRMS, the records must be converted to an unencrypted state. If it is necessary that records remain encrypted, business units must develop a business case and submit it to Directorate of Records Management Policy.

5.74 Records should be captured or created in unencrypted form where possible.

5.75 Encrypted records created in online security processes which are not retained do not require decryption.

Restrictions on access to email and message records

5.76 The NAA does not endorse the use of technologies that place restrictions on electronic messages that impede corporate recordkeeping practices. Digital Rights Management is an information protection technology that allows users to place additional restrictions on who can view, print, forward or copy emails or messages.

5.77 These restrictions can include the automated self-deletion of email, ie the sender of an email can stipulate the lifespan of a message and force the deletion of the message from the system at a predetermined time. Automatic deletion of messages in this manner may constitute unauthorised disposal.

5.78 Records that contain embedded digital rights management protections should have all rights protections controls removed from them before they are stored as records in the DRMS.

Data migration, bulk capture and superseded systems

5.79 Data migration or bulk capture can result from:

1. implementation of a new system,
2. decommissioning of a superseded system,
3. software version upgrades,
4. changes in storage format technology,
5. inheritance of functions and records from another entity, or
6. drag and drop from shared drives in Business Information System and email systems.

5.80 When a business unit is introducing a new, changed or upgraded system, the migration of records should form part of the system implementation plans.

5.81 Migration in this context means the transfer of the authentic and full record, including contextual information (metadata) between access/recording systems. Migration must be done in a regulated and planned manner to ensure authenticity, accessibility and retrieval of the records. Bulk imports include:

1. predefined batch file transactions,
2. edit rules to customise automatic registration of records,
3. data integrity validation processes,
4. input queues for different types of objects, and
5. email messages relating to the same transaction.

5.82 It is best practice to sentence records before they are moved.

5.83 To accommodate legislative requirements for longevity of Defence records, it is advised that system owners ensure that they can implement backward compatibility for at least two versions.

Migration from superseded systems

5.84 When the DRMS is implemented, the following should be migrated to the new system from any existing system(s):

1. all unstructured electronic records, with their metadata and audit trails;
2. all electronic records, with their metadata and audit trails; and
3. all information about physical records.

5.85 In all cases, it is essential that the information be migrated in a way that preserves the integrity and authenticity of the above, and also their organisation into files (corporate etc) and other aggregations.

Legacy records in superseded or manual systems

5.86 Legacy records exist in manual and computer systems applications which have become obsolete. These legacy records must be migrated to or captured into the DRMS to ensure the records are reliable and accessible in the future.

Storage and conservation of physical (paper and physical media) records

5.87 Physical records must be:

1. a.created using suitable storage formats for their retention and use,
2. b.stored in the most appropriate environments for their retention according to NAA standards and guidelines, and
3. c.either destroyed or transferred to storage facilities when they become inactive.

5.88 Storage of Defence physical records falls into four groups:

1. a.active records;
2. b.inactive long-term temporary records;
3. c.records retained permanently and held in Defence; and
4. d.RNA transferred to the NAA—because of their enduring value, RNA records should be created on an appropriate medium according to NAA guidelines.

5.89 Records should be stored in controlled environmental conditions according to NAA guidelines and conserved to ensure their survival for the time period over which they are expected to be retained.

5.90 Records that are critical for business continuity (ie vital records) may require additional methods of protection, conservation and duplication to ensure accessibility in the event of a disaster. ^{ch5 note 6}

5.91 In accordance with NAA advices, media storage and preservation should comply with the following storage principles and minimum standards: ^{ch5 note 7}

1. a.location—approved and away from risks;
2. b.environmental control;
3. c.shelving and packing—occupational health and safety (OHS) and capacity;
4. d.maintenance and security—monitored and inspected;
5. e.protection from disaster—management plans in place;
6. f.careful handling—OHS and codes of practice; and
7. g.accessibility—easy access and retrieval.

5.92 Any record not required in physical form for legal or business reasons can be scanned into the form of a digital image and managed in compliance with electronic storage as an electronic record and the original destroyed under the appropriate disposal authority. ^{ch5 note 8}

External storage outsourcing

5.93 At times it may be more cost-effective to use an external storage provider. Any such facility (like those owned by Defence) must comply with NAA policy and AS ISO 15489.1 storage criteria and offer a service-level agreement. (For more information see chapter 4—‘Keep, destroy or transfer’.)

Defence physical repositories

5.94 Storage in Defence repositories should be undertaken in compliance with NAA policy and AS ISO 15489.1 ^{ch5 note 9} storage criteria. The records must be closed and registered in the DRMS.

Storage of long-term physical (optical, magnetic or digital) media records

5.95 To ensure that media format remain reliable and accessible for long periods, records must be stored:

1. in appropriate conditions to ensure their ongoing accessibility;
2. on media which can be read with existing commissioned hardware and software (ie media which are not obsolete);
3. in environmental conditions which are suitable for those media, and which will not result in unacceptable media degradation over the timescales during which the records are to be retained; and
4. in compliance with Defence ICT strategy, NAA physical storage standards ^{ch5 note 10} and electronic records storage.
   ^{ch5 note 11}

5.96 Strategies to guard against format obsolescence in Defence must be promulgated and monitored throughout Defence. ^{ch5 note 12} This must include ^{ch5 note 13} the development and maintenance of adequate business continuity plans for digital records to prevent, prepare for, and recover from a disaster, in compliance with Defence ICT policy.

5.97 Digital storage devices on which records are stored online, offline, or near-line should be maintained and stored in suitable physical surroundings. Records should be periodically transferred from obsolete or ageing storage devices to suitable replacements.

5.98 Procedures must be introduced at all electronic repositories to periodically inspect media storage conditions and the reliability of digital storage devices.

5.99 Some large-scale storage systems are able to check media automatically and continuously for errors caused by media degradation, using either bespoke application software or system software features. If the risk of loss of data in a collection of records is totally unacceptable, application of one of these techniques should be considered.

5.100 Long-term preservation of magnetic and optical media for continuous accessibility and readability requires regular copying or data migration, eg magnetic to CD–ROM, and optical to write-once-read-many or new formats as developed.

Storage of records in overseas posts and during deployment

5.101 Military operational records may be electronic or physical.

5.102 Where possible, records should be stored with the same methods as used by home units.

5.103 All records should be managed in the DRMS where possible. Records should not be stored on separate DVDs or shared drives.

Storage and Preservation of Long–Term Electronic Records

5.104 Digital or electronic record preservation ensures long-term accessibility and readability of active (open) and inactive (closed) electronic records. It addresses both ongoing access to electronic records that are kept online, and long-term preservation of offline records (physical media and electronic).

5.105 All business units must ensure long-term accessibility and readability of their electronic records in any Defence Business Information Systems. Electronic records should be migrated to and managed in the DRMS.

5.106 The management of long-term electronic records in non-Records Management (RM) compliant Defence Business Information System must comply with Defence ICT policy and address the following risks:

1. loss due to obsolete media ^{ch5 note 14}—for example, paper tape and punched cards are obsolete; magnetic tape is obsolescent; and with the introduction of DVDs, CD–ROMs will soon fall out of use. Accessing records held in any of these media will become increasingly difficult;
2. loss due to media degradation —for example, magnetic media degrade rapidly if kept in conditions where the temperature and/or humidity are unsuitable;
3. loss due to obsolete file format —for example, few organisations still have the ability to read formats used by early word processing packages such as WordStar or MultiMate Advantage; and
4. loss due to non-records management compliance —for example, records reliability, authentication and integrity is better guaranteed in the DRMS.

5.107 For storage requirements for magnetic, optical, digital and physical records (see chapter 5)

eXtensible Mark-up Language open preservation format

5.108 Defence active (current business) electronic record documents created by scanning or copying from hard copy documents should be converted to or created in searchable PDF or equivalent eXtensible Mark-up Language (XML) open preservation format such as ‘docx’ and have the appropriate metadata attached. This specifically applies to records for long-term active use (eg personnel record documents). These records should be managed in the DRMS.

eXtensible Mark-up Language Electronic Normalising of Archives

5.109 Defence inactive (closed and sentenced for long-term preservation) electronic records managed in the DRMS, may be converted to searchable PDF or equivalent XML open preservation format using the XML Electronic Normalising for Archives (XENA) tool. XENA is a piece of software developed by the NAA to aid in the long-term preservation of digital records. It performs two tasks, detecting the file formats of digital objects and converting digital objects into the open fully documented formats used for archival preservation by the NAA.

5.110 The open format standard complies with Defence ICT policies where it includes a portfolio-level policy on long-term accessibility and readability of electronic records.

Annex:

1. Portable Document Format/Archive Standards

back to contents

Chapter 6
Access

6.1 Access is the right of public access to Defence records. Access control provisions refers to the policy by which Defence will enable access by Defence personnel, contractors, the public, and State, Territory or Commonwealth Government agencies or authorities. The policy on access to Defence records will allow the public under certain conditions access to:

1. use the reference facilities of Defence, National Archives of Australia (NAA) and Australian War Memorial (AWM) archives;
2. examine and study individual personal records or collections held by Defence, NAA and AWM archives;
3. extract information from Defence records for the purpose of research or publication;
4. read, modify, or dispose of Defence records; and
5. read and modify records metadata.

6.2 Defence Groups/business units must undertake searches in satisfaction of public access requests under the provisions of the Archives Act 1983 or the Freedom of Information Act 1982 (FOI Act).

6.3 The following Commonwealth legislation provides specific rights of access to Commonwealth records.

Freedom of Information Act 1982 access

6.4 Members of the public are entitled to access to a document of an agency or an official document of a Minister, subject only to the exemptions and exceptions provided for in the FOI Act, and to the settlement of any application fees and charges. A person who claims that a document of an agency or an official document of a Minister to which the person has had lawful access contains personal information about that person that is incomplete, incorrect, out of date or misleading and that has been used, is being used or is available for use by the agency or by the Minister for an administrative purpose, may apply under the FOI Act to have the record of such information amended or annotated.

Archives Act 1983 access

6.5 The Archives Act 1983 imposes an obligation on the NAA to make available public access to the Commonwealth record which is in the care of the Archives or in the custody of a Commonwealth institution in the ‘open access period’ unless the record is exempt from such release by a provision in the Act.

6.6 Subsection 3(7) of the Archives Act 1983 provides that a record is in the open access period if 30 years have elapsed since 31 December in the year in which the record came into existence.

6.7 The Archives Act 1983 and associated regulations also provide for:

1. official access under section 30;
2. accelerated access under subsection 56(1);
3. special access under section 56; and
4. exemptions from mandatory release to the public under section 33.

Access under other legislation

6.8 Several other legislative instruments allow other agencies access to records held by Defence. Access through these statutory means is normally effected through the administrative functioning of a Commonwealth, State or Territory agency and is consistent with the provisions in the Archives Act 1983 and the FOI Act that provide for disclosure of records otherwise than as required by those Acts. However, there are other laws relating to the disclosure or publication of information. Secrecy provisions in other legislation may also apply. (For more information on relevant legislation, see Legislative obligations.)

6.9 Defence will assess and make a decision to grant or refuse all requests for access to its records which are properly lodged in accordance with the relevant governing legislation. Applicants shall be notified of decisions made in relation to requests for access to Defence records:

1. Relevant access control metadata is assigned in the Document Records Management System (DRMS). Other systems managing records must comply (ie impose restrictions on access by the prevention of create, modify, execute, read or delete actions by unauthorised personnel).
2. Unless specifically stated otherwise, access policy applies equally to electronic and physical records. Access to physical archives may be restricted or withheld to prevent physical damage to original records.
3. Requests for access to Defence records that are made under the provisions of the Archives Act 1983, but that do not meet the conditions for administration by Directorate of Classified Archival Records Review (DCARR), must be forwarded to Directorate of Records Management Policy (DRMP). Request for access to personnel records must be recorded on the individual’s personal record. This is a requirement as per the Military Personnel records disposal authority.
4. Business units must ensure that, when granting access to records of deceased members to requests lodged by next of kin, it is confirmed that next of kin have been accurately notified of the details of work-related deaths. If business units are considering releasing records of a person who has died in a work-related incident, they should consider the need to inform near relatives of the deceased about the disclosure prior to release into the public domain.
5. Before allowing access to sensitive information, the custodian must ensure that it has been reviewed for a redacted version and any possible exemptions (vetting the file) in line with relevant legislation and that it complies with electronic Defence Security Manual (eDSM) policy. A redacted record and its original record must be assigned appropriate metadata.
6. Defence makes the decision that a record is an exempt record if it contains material that could damage national security or be a breach of confidence owed to a foreign government within the meaning of section 33(1) of the Archives Act 1983. NAA then makes the decision to refuse access to the record on the grounds that it is an exempt record. However, the NAA will determine all other exemptions mentioned in section 33 of the Archives Act 1983, including the exemption for unreasonable disclosure of personal affairs, without consulting Defence.
7. The access decision on open period records is always made by the NAA even though at the time of the application the record was held in Defence custody. The Freedom of Information and Information Management Branch provides advice on access to Defence records, including documents.

Public Access

Public access to personnel records held by Defence

6.10 Where a request by a member of the public is made to the NAA for an open period personnel record (30 years old) that is still in Defence custody, the record is to be transferred to the NAA by the recordkeeper for the NAA to make the access decision. If the request is made direct to Defence and a decision to refuse access is made, the applicant should be advised that they can apply for the record under the Archives Act 1983 through the NAA.

6.11 Personnel records may be disclosed through the FOI Act, sections 15A. Section 15A defines ‘Personnel records’ as ‘documents containing personal information about an employee or former employee of an agency that are, or have been, kept by the agency for personnel management purposes’. In Defence, the terms ‘employee’ and ‘former employee’ include current and former civilian and Australian Defence Force (ADF) personnel.

6.12 Section 15A of the FOI Act provides that requests for personnel records of employees or former employees should first be made through procedures which have been established within the agency for this purpose. FOI should not be used for the first request in this case.

6.13 If the applicant is not satisfied with the outcome of the request, or is not notified of the outcome within 30-calendar days of making the request, they can apply for them through the FOI Act.

6.14 Serving and ex-serving members of the ADF and current and former civilian employees of Defence wishing to have access to their personnel records should apply directly to the office that has custody of the records. If such a request is made through the FOI Act it will be referred to the relevant office for consideration outside the FOI Act unless the conditions for having the request dealt with have been satisfied.

6.15 The Directorate of Freedom of Information (DFOI) (internal link) is responsible for administering requests made by members of the public for access to Defence documents under the provisions of the FOI Act. DFOI is also responsible for developing policy and procedures regarding FOI matters within Defence. For detailed information regarding policy and procedure for FOI requests, refer to DFOI.

Public access to Defence records held by the National Archives of Australia

6.16 The public may apply to the NAA to obtain access to Commonwealth records (other than exempt records), where 30 years have elapsed since the record was created. In accordance with the Archives Act 1983 sections 33 and 40, and on behalf of Defence, DCARR is responsible for reviewing all Defence and Defence-related archival records that may have continuing sensitivity.

6.17 For details regarding the administration and processing procedures for requests administered by DCARR, refer to Defence Instruction (General) (DI(G)) ADMIN 27–2 —Access to Defence and Defence-related archival records under the Archives Act 1983.

6.18 DCARR is responsible for reviewing all requested records that contain any of the above material, and providing advice to the NAA as to whether or not the record should be disclosed.

6.19 DRMP should be notified for all requests for access to Defence records that are made under the provisions of the Archives Act 1983 but that do not meet the conditions for administration by DCARR.

Accelerated access to Defence records

6.20 Accelerated access (Archives Act 1983 section 56) occurs when a class of records are examined to determine if they can be released to the public within the 30-year period since the record was created.

6.21 The NAA should be consulted if there is a requirement to conduct an accelerated access program for a class of Defence records.

6.22 DCARR is responsible for facilitating Ministerial authorisation of public access to Commonwealth records not in the open access period in accordance with arrangements approved by the Prime Minister under the Archives Act 1983.

Third–Party (Directed) Public Access

Third-party access to personnel records held by the National Archives of Australia

6.23 Disclosure of a record in response to a request under section 40 of the Archives Act 1983 is disclosure to the public at large. The identity of the person requesting access is not a relevant consideration in deciding whether or not to disclose a record. However, a person can opt to use the Archives Act 1983 if the record has come into the open period.

6.24 Third-party access to records in the custody of the NAA containing information about individuals is treated in the same manner as all other records (Archives Act 1983 sections 33(1)(g) and 58) and the applicant should be directed to apply using the FOI Act for records not yet in the open access period and the Archives Act 1983 for open access period records.

6.25 Defence advice will be sought by the NAA for public access requests received by the NAA for closed period records held in its custody. A Service Chief or Defence Group Head with functional responsibility for a class of records can authorise release of records outside the provisions of the FOI Act and Archives Act 1983 see paragraph 6.54.

Third-party access to Defence records in Defence custody

6.26 This is where a member of the public accesses records under official directive. The FOI Act and other legislation allow external access to Defence records in records management systems.

Department of Veterans’ Affairs access to Defence records in Defence custody

6.27 The Department of Veterans’ Affairs (DVA) request access to health and/or particulars of service information pertaining to serving and discharged members of the ADF from Defence to determine claims for compensation and entitlements by these members. A Service Level Agreement (SLA) was signed in December 2007 by Defence and in January 2008 by DVA defining the responsibilities and performance standards for Defence and DVA relating to the provision of ADF serving and ex-serving member information to DVA.

6.28 The release of this information from Defence to DVA is governed by:

1. the SLA,
2. relevant legislation, and
3. DVA having a signed consent form from the service or discharged member.

6.29 The type of information disclosed to DVA is determined by what Act the member has made the claim under:

1. Veterans’ Entitlements Act 1986;
2. Military Rehabilitation and Compensation Act 2004 (MRC Act); and
3. Safety Rehabilitation and Compensation Act 1998 (SRC Act), to respond to DVA’s request.

Single Access Mechanism

6.30 The establishment of the DVA Single Access Mechanism (SAM) and the Defence SAM was one of the deliverables of the SLA for the Provision of Health Records and/or Particulars of Service of Serving and Ex-serving Members; and provides a single point of access for the transfer of records between the departments. DVA requires these records under legislation to enable them to determine if a member is entitled to make a claim for compensation.

6.31 All requests to Defence from DVA must come through the DVA SAM. The DVA SAM submits requests for information on an official PDF DocTracker form. This form quotes the relevant legislation that binds Defence to respond to the request. Defence personnel who receive this request must ensure they are entitled to respond to the request:

1. a.that they are the business unit responsible for the record, and
2. b.that they hold the record.

6.32 If they are not the business owner of the record or can not locate the record, they must inform DVA as soon as practical.

6.33 The Defence SAM sits within the Directorate of Mail and Records Management and performs the following services:

1. a.locating compensation files and forwarding DVA requests for compensation files to the relevant Defence repository;
2. b.monitoring and tracking the progress of all DVA requests to ensure they are completed within the agreed time frames;
3. c.expediting incomplete requests;
4. d.monitoring and reporting on performance and issues relating to the provision of records to DVA;
5. e.liaising with DRMP for Third-party DVA Contracted Researcher Requests; and
6. f.liaising with the DVA SAM to ensure that all requests are clear and relate directly to the claimant.

6.34 DRMP, in consultation with the relevant Defence work group with the functional responsibility for the information within the record, will grant and authorise the Defence repository to allow the researcher access to specific material.

6.35 DRMP will authorise the NAA/AWM official access forms for individual researchers for each DVA request.

6.36 If the DVA contracted researcher requires access to information through an interview process with a current Defence employee, the information required will need to be:

1. a.provided by DVA, and
2. b.approved by DRMP in consultation with DCARR.

6.37 DRMP will advise the Defence employee and DVA (through the Defence SAM) if approval is granted for the DVA contracted researcher to approach the Defence employee for an interview.

6.38 DRMP is responsible for approving access to contracted researchers and sponsoring applications for security clearances through the Defence Security Authority.

Expunging and exempting records and Information from public access

6.39 Expunging is removing (blacking out) exempt information from a copy of a record in order to make the remainder of the record available for public access. The expunged data is quarantined and has a caveat added. It should not be destroyed. Normally, exemption is applied by the NAA for Retain as National Archives (RNA) records (permanent records in their custody), but is also applied by agencies for long-term records in their custody.

6.40 Expunged or exempt information includes:

1. privacy information (personal)—personal information may require exemption for at least the lifetime of the individual (eg medical histories or details of personal relationships); and
2. security information (information about the security of the Commonwealth and its residents)—information is withheld if its disclosure could adversely affect Australia’s defence, security or international relations (eg details of the design and construction of weapons, records about intelligence gathering, or information passed to the Australian Government in confidence by a foreign government).

Open period expunging

6.41 After 30 years, the file or envelope will be reassessed by the NAA.

6.42 Under the Archives Act 1983, all records are available for public access after 30 years unless they contain information in exemption categories under section 33 of the Act. The NAA applies the policy that most personal information has lost sensitivity after 30 years, but some may require exemption for at least the lifetime of the individual (eg medical histories or details of personal relationships).

6.43 Exempt information is sensitive information which may be withheld from public access beyond 30 years.

Closed period expunging

6.44 Access to records in the closed period (under 30 years of age) is subject to internal Defence ‘need-to-know’ provisions, in accordance with the eDSM and privacy provisions.

6.45 For digital records, including audio and video, the creation of an extract must be noted in the metadata of the original digital record, indicating the date, time, creator and reason for creation of the extract, and registered as a linked record in its own right, in accordance with NAA Electronic Records Management System guidelines.

6.46 For hard copy records, the creation of the extract may be managed electronically and copied physically to the hard copy record if required.

Official Access

Official access to Defence records

6.47 Official access (Archives Act 1983 section 30) authorises a person to have access to records of a Commonwealth agency for a purpose supported by an agency. This might be access to facilitate the needs of day-to-day business, internal investigations into past events, discovery exercises in relation to litigation, research projects, or to assist agency inquiries (See also paragraph 6.68).

6.48 DCARR manages requests for access to Defence records held at the NAA or AWM. See DI(G) ADMIN 27–2.

6.49 Forms for official access to records held by the NAA or the AWM are available from DCARR (dcarr.admin@defence.gov.au).

6.50 Requests for official access to records still held in the ADF or the department is the responsibility of the workgroup who manages the records or DRMP.

6.51 Requests for access to Defence records that are made under the provisions of the Archives Act 1983 but that do not meet the conditions for administration by DCARR are to be notified to DRMP. These requests can apply to open and closed period records.

6.52 RNA records held by the NAA but required by a member of Defence for official purposes may be accessible in the following circumstances:

1. If the RNA record has been in existence for more than 25 years, access is facilitated on NAA premises unless the record is required to leave the custody of the NAA ‘as necessary for the proper conduct of the business of’ Defence subsection 30(2) of the Archives Act 1983.
2. If the RNA records are not yet 25 years old, Defence can make a request to borrow the records in accordance with subsection 30(1) of the Archives Act 1983  while an action or some research is being conducted.

6.53 Defence Support Group coordinates the borrowing of Defence RNA records from the NAA.

Discretionary access to Defence records

6.54 Section 58 of the Archives Act 1983 and FOI Act section 14 provide that nothing in the Archives Act 1983 prevents a person from publishing or otherwise giving access to records (including exempt records) otherwise than in pursuance of the Archives Act 1983 where they can properly do so or is required by law to do so. This would allow any person, including ministers and agencies to release records otherwise than as required by the Act, where they may properly do so or are required by law to do so.

6.55 This form of access is granted through normal administrative channels and may be subject to conditions and attract charges. However, where access to records is given otherwise than in pursuance of the Archives Act 1983, the specific immunities in section 57 of the Archives Act 1983 against legal action for defamation, breach of confidence or infringement of copyright and criminal prosecution will not apply.

6.56 Decisions on discretionary access can not be appealed under the review process provided for in the Archives Act 1983.

6.57 Service Chiefs and Group Heads with functional responsibility for the records are responsible for approving discretionary access.

6.58 The NAA in limited circumstances, may approve discretionary access, without consulting Defence, where the record is in the open period and the information is personal information that relates directly to the applicant.

6.59 DRMP is responsible for approving requests for access for the performance of a normal business or operational function of another Commonwealth agency.

Commonwealth or State agencies access to Defence records

6.60 Access (other than through the NAA) is normally managed through the administrative functioning of a Commonwealth or State agency and is enabled through section 58 of the Archives Act 1983.

6.61 If Defence requires access to records originated by Defence but now in the custody of another agency because of a change in functional responsibilities, there are two access options:

1. If the record is in the open access period, Defence can seek access through the Archives Act 1983 in the same manner as any member of the public, or by administrative means, by contacting the custodial agency direct.
2. If the RNA record has not yet come into the open access period, Defence will have to negotiate access with the agency that holds or controls the record.

National Archives of Australia access to Defence records

6.62 Section 28 of the Archives Act 1983 entitles the NAA to full and free access, at all reasonable times, to all Commonwealth records in the custody of Defence, not just to RNA records.

6.63 Section 29 of the Archives Act 1983 allows Defence to determine that certain Defence records should not be transferred to, or be accessed by, the NAA. The concurrence of the Director General National Archives of Australia is required unless the Minister or the head of an intelligence agency has made the determination.

6.64 When the record is in the open period, NAA staff with appropriate security clearances will be entitled to access on Defence premises.

6.65 A determination under section 29 that the record should not be transferred to the NAA does not prevent the public from requesting access to an open period record. If access is subsequently denied, the applicant will be entitled to appeal the access decision.

Discovery orders and subpoenas

6.66 The Directorate of Litigation (DLIT) is the access authority if a discovery order or subpoena is received. Access to records is managed by DLIT in consultation with DRMP and DRMS. Business units must notify DRMP and DLIT on receipt or notification of discovery orders or subpoenas.

6.67 Discovery orders or subpoenas can apply to all information in a Government system, including personal data, documents and records.

Special Access

Special access to Defence records

6.68 The Prime Minister has set in place arrangements for special access to closed period records to be granted to a limited group of people. Those eligible to apply for special access are:

1. former Governors-Generals, former Ministers, former Departmental Secretaries or other persons authorised by the Prime Minister who wish to refresh their memories of events that they dealt with while in office;
2. authorised biographers of those mentioned above;
3. persons who have lodged Australian Government records with the NAA; and
4. persons preparing major works of national importance for publication.

6.69 DCARR manages special access requests for Defence records. The Minister, the Secretary or Deputy Secretary Strategy approves special access for Defence records. The heads of Defence statutory authorities approve special access to records of their agencies.

Internal Access

6.70 Access to Defence records in the closed period is provided for all Defence business units, subject to the provisions of ‘need-to-know’, security requirements and the Privacy Act 1988 (refer to the eDSM for detailed security access requirements).

6.71 Access privileges applicable to a record must be identified when it is created. One of the key access privileges must be the national security classification of the file. Custodians will be responsible for ensuring that the appropriate access controls are applied to allow all Defence personnel with appropriate security clearances to see them.

6.72 DRMS provide timely and efficient access to, and retrieval of, records needed in the continuing conduct of business. This is strictly in accordance with the access privileges of the record and satisfies related accountability requirements.

6.73 Access controls and audit trails must be provided and maintained to monitor all authorised access and any unauthorised access to, alteration or destruction of records or their metadata.

6.74 Access to physical records may require the physical transfer of records between the two business units, in which case an internal transfer of custody will occur. These transfers must be recorded in the DRMS.

Access responsibilities table

Requestor	Record age	Record type	Access authority	Legislation
Public	From 01 December 1977	Any— document of agency or ‘official document of Minister’	DFOI registers FOI request; the relevant business unit determines access	FOI Act
Public	Less than 30 years	Any	The relevant business unit determines access	Privacy Act 1988
Defence	Any	Any	Relevant business unit if the records are still with Defence	Discretionary Archives Act 1983 (section 30) and other relevant legislation
Public Commonwealth agency Defence	More than 30 years	Any	NAA	Archives Act 1983 Public Access (section 40) Official Access (section 58) Records available to Commonwealth institutions (section 30)
Department of Veterans’ Affairs (DVA)	All records	Any	Relevant business unit, Defence repositories, DRMP depending on the type of record requested DRMP assists the relevant business unit to negotiate access arrangements where the record is held in Defence, and can provide advice regarding records management policy. Defence Legal can provide advice on access to Defence records	Archives Act 1983, Veterans’ Entitlements Act 1986, MRC Act and SRC Act and other Acts in DVA/Defence SLA
Public Commonwealth agency	All records	Any	DLIT if a discovery order or subpoena is received	Not applicable
Current or ex-employee	Less than 30 years	Personnel	Relevant business unit for current or ex-employee	FOI Act and Privacy Act 1988