Digital standards Victoria Protect your users , security, privacy

Manage online records

 

Before you begin

This How-to guide is a general introduction to managing online records for government departments and agencies. It’s written for you if you have no experience with formal record keeping. It outlines the key record keeping requirements and what you need to consider.

In all cases, we recommend you start with what your organisation says you should do, usually published on your intranet, or contact your records management or information management specialist directly.

Your organisation should be able to provide clear direction on how to manage online records, in order to ensure compliance with the mandatory Standards set by the Public Record Office Victoria (PROV). If this direction isn't available to you, the Recordkeeping for Government section on the PROV website provides comprehensive guidance.

Why you need to manage online records

Departments and agencies have a legal obligation to create and maintain full and accurate records of their activities, transactions and decisions. This includes their online records, whether these are in the form of web pages, social media communications, content within online applications etc. Where online records are not replicated offline, they're the primary record of your organisation's business activities and communications.

This means these online records need to be retained:

  • in an accessible and readable format
  • for a minimum retention period authorised by PROV
  • based on their administrative, evidential and historical value

These online records may be required for Freedom of Information requests, for formal inquiries such as royal commissions or by your agency or clients as evidence of past decisions or transactions.

A small percentage of your online records, which are considered to have very high value, will be required for permanent retention as State Archives. This means they'll need to be transferred to PROV’s Digital Archive when no longer current. 

What does the Victorian Government recommend?

All Victorian Government departments and agencies are legally obliged to keep full and accurate records of their online activities, including interactions, transactions and communications. They must ensure these are captured when appropriate, retained for as long as legally required and accessible when needed.

This will help WoVG to meet the digital design principle ‘aware of history’, which means to be able to provide a record of past interactions and ensure compliance with legislative requirements and the mandatory Standards established by the Keeper of Public Records, PROV.

What standards must be met?

Your local approach to managing online records will be based on these obligatory standards.

The Public Records Office of Victoria Framework and standards

Record keeping for government on the Public Records Office Victoria website explains each in detail:

  • access
  • capture
  • control
  • disposal
  • operations management
  • storage
  • strategic management
  • Victoria’s Electronic Records Strategy (VERS)

Victorian Public Service (VPS) code of conduct

You must also comply with the VPS code of conduct (Section 5.4: Open to Scrutiny VPS): ‘Public sector employees implement government policy in an open and transparent manner.

They maintain accurate and reliable records as required by relevant legislation, policies and procedures. Records are kept in such a way as to ensure their security and reliability and are made available to appropriate scrutiny when required.’

Other relevant federal and state laws

Some or all of these may apply to your organisation. Use this page on the PROV website if you need to check which apply to your organisation:

  • Freedom of Information Act 1982
  • Privacy and Data Protection Act 2014
  • Evidence Act 2008 (Vic)
  • Crimes Act 1958 (Vic)
  • Electronic Transactions Act 2011 (Vic)

Privacy

Comply with the Privacy and Data Protection Act 2014, and only collect information you’re legally entitled to collect. You’ll need to craft and publish a privacy ‘collection notice’ (refer to the How-to guide, How to manage privacy or the Commissioner for Privacy and Data Protection website.)

If your digital presence collects personal information, then the physical location of the servers where it’s stored must have the same level of legal protection for private data as we offer citizens in Victoria.

Security

Comply with the Privacy and Data Protection Act 2014. Refer to the How-to guide, How to manage security, and standards on the Commissioner for Privacy and Data Protection website.

 

Getting it approved

Check your approach to managing records with your records management specialist or information manager.

Step 1: Understand online records

Anything that records your organisation’s activity, including transactions, decisions, communications and how others interact with you, is a record. An online record is a record of your organisation’s activity in the online space.

Online records include:

  • web pages, including the documents and the database content accessible from them
  • online forms
  • tweets or posts on other social media, such as your Facebook page or YouTube channel
  • online financial transactions
  • content in online applications

Step 2: Make sure the necessary contextual information (metadata) is created and kept

When creating and managing online records, it is important to consider what metadata will be required to ensure the content is meaningful over time. Metadata is the contextual information that allows data to be categorised, searched, retrieved and managed effectively, often referred to as ‘data about data’. For example, the metadata collected for a published document might be its title, author, date created, date published, version number.

An example of metadata is the fields (mentioned above) the web publisher adds to as they get ready to publish a HTML page in their Content Management System (CMS). The data doesn’t appear on a published page, but is used by a search engine to classify content. It's also used as the source of the descriptive 'snippet' the search engine displays in its list of search results.

Step 3: Work out which online records you need to keep and for how long

You need to assess the value of the information to all stakeholders and the level of risk if the online record is not available. PROV works with departments and agencies to develop Retention and Disposal Authorities, which are established as mandatory Standards by the Keeper of Public Records. These set out which records are of permanent value and set out the minimum legal retention periods for temporary value records.

However, disposal is not allowed, even if authorised under one of these Standards, if it's reasonably likely that the record will be required in evidence in a current or future legal proceeding or formal inquiry. In addition, if other legislation requires longer retention, then the longer retention period must apply.

Questions to ask when considering value and risk are:

  • is the record available and accessible offline? If identical information is captured in an offline business or document management system, then the online records may not need to be captured or retained at all
  • what is the risk and impact for all stakeholders if the record isn't available?

You need to think your assessment through carefully – if it is possible the online content was used by someone to make an important decision, then you may need to be able to show exactly what appeared at a specific point in time and any interactions or transactions in relation this. Something which appears pretty minor can be critical evidence at a later period of time.

Step 4: Work out when and how to capture and store online records

Once the required retention period has been determined, you need to ensure that the online records (and the associated metadata) created will be preserved and accessible for the entirety of that period. For online records which need to be retained, you will need to work out:

  • how often and when to capture them
  • how to capture and store them in a way which ensures they remain meaningful and can be accessed (there is a tendency to assume backups are sufficient, but they don’t properly preserve the context or allow easy access)

There'll be cases where it's important to show the exact information which appeared online at any point in time. In these cases, every minor change will need to be captured, so you have evidence of what appeared at any specific time. In other cases, it might be enough to capture major changes only. Work with your records or information management specialist to decide your approach.

Once you decide which online records need to be retained, how often, and when to capture them, you need to work with your technology specialist to determine the best way to do this.

For any online records you identify as having permanent value, you need to make sure to capture them in a way that allows them to be transferred to the PROV Digital Archive. Your records or information specialist and PROV can provide you with information on this.

It's sometimes thought that back-up arrangements are enough to capture online records that need to be retained for a temporary period. At best, back-up technology is effective for short-term recovery but isn't an effective way to make sure online records, with the contextual information that makes them meaningful, are captured adequately.

The section below adds detail for how to manage specific kinds of online records, such as social media. Note your local records or information management specialist may have detailed instructions on how to go about these, so check with them first.

Capturing websites

You need to decide whether to capture entire websites or specific sections only. Not all content, pages or transactions on websites require capture and retention. For practical reasons you might find archiving entire sites is easier than separating ephemeral content from essential records. Also, given the changing nature of website content, you need to carefully consider how often to capture it, how, and when.

This template covers the steps for decommissioning a website: Website decommissioning.docx Website decommissioningDOC (339.06 KB)

Capturing social media

In most cases, it is unnecessary to capture every post and response made on social media. It is perfectly acceptable to download your Twitter archive, Facebook information or YouTube archive periodically. Scheduling incremental extraction works particularly well for social media. For example, if your agency’s official Facebook page attracts new followers every day, and there are dozens of new posts it would be too time-consuming to record every post or interaction, so periodic extraction and capture into the appropriate departmental system would be a good solution.

The exception may be where Facebook posts or other social media you’ve unpublished because of its unacceptable content becomes, or is now part of a legal action, or there is risk of it escalating to a Director, Minister or the media. It’s important to understand that downloading your social transactions every six months won’t include content you deleted, for example, three weeks ago.

Therefore, before you delete the offensive content, record it as a screendump (aka screengrab) or simply copy and paste into a log of the content you’ve deleted.

While some argue social media accounts on Facebook and Twitter act as recordkeeping systems themselves, it assumes these platforms will always be in business. To avoid data loss, it is safer to ensure any online records which need to be retained are captured into another system.

Capturing online records stored in the cloud or where transactions are completed by service providers

Your online records are often stored in the cloud on your provider’s servers and transactions (for example, financial) are often completed by third parties. No matter where they are stored, every department and agency must ensure that full and accurate records of their activities, transactions and decisions are captured, retained for as long as legally required and accessible when needed. So agreements made with service providers, including cloud solution providers, need to ensure that this happens.

Seek expert guidance

If in doubt always consult with local records management staff on local guidelines first.

Related how-to guides

How to manage security

How to use social media

How to design and develop a digital presence

Other good reads and resources

Enterprise Victoria's WoVG Information Management Framework

Join the conversation on digital

Get advice and share your insights about this topic with other digital practitioners on the WoVG Digital Group on Yammer (VPS access only).

Can’t access Yammer? Contact us by email: contact@dpc.vic.gov.au. (We may post your comment on Yammer for general discussion. Please tell us if that’s not OK.)