Accessible and secure records

Making records accessible

University records and data should be available and retrievable when needed for business, legal and accountability purposes, while also being protected from unauthorised access.

  • When records cannot be accessed, this can compromise staff’s ability to undertake their work. There are also compliance and legal implications if the University cannot fulfill requirements to locate records for subpoenas and Freedom of Information requests.

    • Apply meaningful file naming to records
    • Classify and clearly label documents to indicate their status and purpose
    • Use appropriate metadata to support discovery and access
    • Keep digital records within centralised University systems (ie avoid storing any University records on physical devices such as portable hard drives and USB sticks)
    • Keep a register of holdings for hardcopy records, where appropriate.

Securing records

University records and data should be protected from loss, unauthorised activity and access.

  • When keeping digital records and data in systems that are not University-approved, or storing hardcopy records within Faculty or Chancellery work units, it is important to consider risks and protect information from:

    • Misuse, including unauthorised access, sharing, alteration, destruction or theft
    • Loss, deterioration, degradation or damage.
  • Controls should be designed and applied to processes and systems to ensure records and data are protected from unauthorised activity, to maintain record integrity and authenticity. This is critical when records and data contain sensitive and personal information.

    Physical access

    When storing records in work units, ensure they are secure and only accessible to the people who are authorised to access them. For example, use lockable filing cabinets or store within secure offices.

    If your Faculty or Chancellery work area does not need to use the records on a regular basis and the present storage does not provide adequate access controls, consider storing the records with the University’s offsite storage provider until they are time-expired. Records & Information can arrange ad hoc return of records, as needed. See Storage of temporary records for guidance.

    Digital access

    When implementing systems, ensure that access to records is controlled through appropriate permissions and access groups. Ideally, Role-Based Access Controls (RBAC) should be applied. If the system will manage personal information, complete a Privacy Impact Assessment (PIA). The PIA assessment process will include details and advice on managing access to records and data, including RBAC.

    When working within SharePoint or shared drives, ensure staff understand:

    • Who should have access to the records
    • How records are to be accessed and appropriately shared
    • Which SharePoint access groups are in use in the site(s), and how to use them.

    Ideally Faculty and Chancellery work units should conduct regular audits to ensure access remains appropriate and up to date, particularly when staff change roles, or leave the University.

    Privacy guidance

    The University’s Privacy office has developed a suite of guidance on Staff Hub to assist staff in protecting information. Refer to the Privacy Knowledge Base.

Protecting records over time

The University has a responsibility to ensure records and data can be maintained for their required retention period. This will help ensure the records can be accessed and used for as long as they are needed.

Retention requirements are outlined in the University Records Retention and Disposal Authority (RDA).

  • Storage environments should be regularly checked and maintained to ensure records are protected from water, fire, mould, pests and dust.

    The areas should also have operational fire detection and protection systems and storage shelving. Equipment and containers should be properly maintained.

  • All technology becomes obsolete over time. Most physical storage devices (eg portable hard drives and USB sticks) have a limited life expectancy of around 5 to 10 years.

    Faculty or Chancellery work units should avoid storing records on physical storage devices and instead leverage centralised University systems. These systems are maintained by expert information technology staff with effective backup and restoration arrangements.

  • Digital University records and data should be created and maintained in formats which are expected to survive and be readable for their minimum required retention period, as outlined in the University Records RDA. This is especially important for records that are classified as permanent, or that have long-term retention requirements (10 or more years).

    The University’s Digital Preservation Program provides advice regarding sustainable file formats.

Further information

If you require further information or advice on making University records accessible and secure, please submit a ServiceNow request.