Digital Recordkeeping Guide
The purpose of this guide is to ensure the New South Wales Government’s approach to the preservation and proper destruction of digital records is undertaken at the University of Newcastle.
Digital state records must be properly preserved so that they survive in authentic and accessible forms over the lifecycle of their existence – from a few years, or forever, in the case of digital State archives.
Digital state records must be properly destroyed to ensure:
- The disposal of records is authorised and risks relating to inappropriate retention and destruction of records are minimised.
- Records of continuing value are identified and protected.
- Storage and retrieval costs are reduced and available storage space is utilised more efficiently.
If digital records are not preserved, there is a risk that the Government will lose essential evidence of its business, that staff, students and the public will not be able to access records documenting rights and legal obligations and that there will be a significant gap in the body of records documenting the society and communities of NSW in the State’s archives.
This Guide should be read in conjunction with State Records Guideline 3 Destruction of Records: A Practical Guide, Recordkeeping in Brief 48: Disposal at a Glance, and the UoN Information Security Classification Policy 000814.
1. What is a Digital Record?
A digital record is digital information, captured at a specific point in time, that is kept as evidence of business activity. Digital records means 'born digital' records such as emails, web pages, digital photographs, digital audio files, GIS files or database records, as well as scanned versions of paper records that have been digitised in business processes.
2. What are the Digital Recordkeeping Requirements?
The University is required to create and maintain full and accurate records of its business activities, regardless of whether records are in hard-copy or digital formats. Where official records are retained digitally, whether they were 'born-digital' or scanned, the system that manages the record must be an approved Digital Recordkeeping System.
A digital Recordkeeping System is defined in the Standards on Digital Recordkeeping as either:
- a business system with recordkeeping functionality, or
- a business system linked with a dedicated records management/information asset management system, or
- a dedicated records management / information asset management system
3. Do Existing Digital Systems Need to Comply?
Systems that have existed since 30 June 2009
Where a system has existed since 30 June 2009, system owners are required to identify whether the system supports critical business processes. This may be identified in a Business Unit's Business Continuity Plan. The Records Management Office will assist system owners to identify which systems are required to be compliant, as defined in the Standard on Digital Recordkeeping. The deadline to identify systems that support high-risk business processes is June 2011.
When a system is identified as supporting a high-risk business process, system owners will be responsible for ensuring the system can be demonstrated to be a digital recordkeeping system. This must be achieved by the June 2012 deadline as defined in the Standard on Digital Recordkeeping Compliance Timetable.
4. What Happens if the System is Upgraded or Changes its Use?
Existing systems will need to be re-assessed when:
- a compliant system is upgraded or used for a new purpose. The system will need to be re-assessed to ensure it still complies with recordkeeping requirements.
- a system was not previously required to be compliant, but the business process has changed, new functionality has been included, and or the system has taken over the recordkeeping requirements of another system. Such changes will require the system to be re-assessed.
5. Are New Systems Required to Comply?
The following decisions will need to be made regarding proposed new systems:
- Is there a recordkeeping requirement?
It will be the responsibility of the system owners to ensure that systems used to capture official records are compliant, including digital systems created locally. Additionally, where an existing system has been changed, or its use has been modified to include additional business processes, it will need to be reviewed to identify whether the system is still compliant.
6. How Do I Assess a System's Compliance?
System owners can assess the compliance of their system at any time by completing the following tools:
- The Digital Recordkeeping Identification Tool - This will assist system owners to identify whether their system needs to be compliant with digital recordkeeping requirements; and
- The Digital Recordkeeping Assessment Tool - This will assist system owners to identify whether their system is compliant. The tool will provide a gap analysis between the compliance requirements and the system's functionality.
Any work that is required to make a system compliant, whether that be changing the system itself, or linking it to TRIM, is the responsibility of the system owner to facilitate and resource in consultation with the Records Management Office.
For further advice, information or assistance, please contact the Records Management Office.
7. What are the Requirements for Destroying Digital Records?
The method of destroying digital records is different to the destruction of hardcopy records. In particular, simply pressing 'delete' does not necessarily mean that the records are completely gone. While the link used to access them may be removed, they may still exist in a data store or on a server. In other words, the deletion of a file or the reformat of a hard drive may not always be adequate. As far as possible the destruction of records should be irreversible with no reasonable risk of the information being recovered again.
Methods of digital records media 'sanitisation' have been devised to help organisations to implement digital records destruction.
8. What is Digital Record Sanitisation?
Digital records sanitisation or media sanitisation is the process of erasing or overwriting data stored on digital media. Sanitisation is implemented both nationally and internationally, and the extent of sanitisation used generally depends on the classification of the record. For example, if a record is classified as 'Highly Protected' then the media on which the record is stored must undergo the most extreme sanitisation (complete physical destruction) so that reconstruction is deemed impossible.
9. Why is Digital Record Sanitisation Necessary?
Any record stored on digital media is particularly vulnerable to abuse and illicit collection. Appropriate measures need to be taken to ensure that when a record stored on digital media is ready to be legally disposed of, it is safeguarded against potential misuse.
Not all media can be sanitised. Some media must be destroyed.
Media that is suitable for sanitisation includes:
- magnetic media,
- erasable programmable read only memory (EPROM),
- electronically erasable programmable read only memory (EEPROM),
- volatile memory and non-volatile memory devices such as USB removable media, pen drives, thumb drives, flash drives and memory sticks,
- electrostatic memory devices within printers and photocopiers and video screens.
The University of Newcastle has a destruction approval process in place for the disposal/destruction of records (whether they be paper, email or other digital type records). A Record Destruction Authorisation Form must be completed by the requesting staff member, signed by the Head of the Department or owner of the digital information and forwarded to the Records Management Office. Once the request has been assessed and approval granted the records can be disposed/destroyed.
Information can be subject to GIPA Act applications, discovery orders, subpoenas and standing orders. However, if the University correctly destroys digital records, time and resources can be saved on searching and reconstituting them: because the record was irrevocably sanitised or destroyed according to proper procedures and methods, it is assumed that it cannot be reproduced.
Penalties may be imposed by State Records NSW if the University deletes/destroys information without the proper authorisation and before records have satisfied the minimum legal retention requirements.
10. What are the Sanitisation Methods?
| Method | Description |
|---|---|
| Clear (overwrite) | Using a method that clears records from media protects the record stored on that media from a keyboard attack (a keyboard attack is the search for data from resources available to the normal system users by an unknown entity). Simple deletion is not the same as clearing, as it usually only removes the link within the system rather than removing the record. For media to be cleared, the record must not be able to be retrieved through disk or file recovery utilities. A typical and widely used example of clearing media is overwriting. |
| Purge | Purging the media ensures that the information cannot be recovered in a laboratory attack (a laboratory attack is a means of reconstructing information from digital media using nonstandard systems operating outside the media's usual working environment). Purging differs from clearing, in that clearing is hiding the data under layers of nonsensical data (often new data can then be placed on top of the nonsensical data) whereas purging is randomising data so that it is no longer readable. Some disk drives, especially those manufactured after 2001, may be sufficiently purged by using a clearing method such as overwriting. Degaussing is an acceptable method of purging media which involves the exposure of magnetic media to a strong magnetic field in order to disrupt the recorded magnetic domains. |
| Destruction | Destruction is the most extreme form of sanitisation and ensures that the media is drastically altered and can never be reused. There are various methods of destruction including shredding, disintegration, incineration, pulverisation and melting. |
11. How to Determine Which Method to Use
It is important to remember that the issue of digital records destruction is not driven by the media on which the record is stored, but by the information that forms the record that has been placed on the media. In this regard, deciding which method to use to dispose of the media should be done through a risk assessment of the record itself.
A risk assessment will determine the sensitivity of the record and align the classification with a sanitisation technique. For more information on labelling sensitive information, refer to the Department of Commerce - Government Chief Information Office guideline - Guide to Labelling Sensitive Information.
The Australian government has listed some sanitisation products on the Evaluated Product List (EPL). The EPL is a list of products that have been evaluated against set criteria and rated accordingly. Where possible it is recommended that a sanitisation product is selected from this list. For more information please refer to the Australian Government Defence Signals Directorate Evaluated Product List.
| Sensitivity Classification (Based on NSW Department of Commerce Guidelines) | Recommended Sanitisation (Including Destruction) Level |
|---|---|
| Public | Overwrite (at least three times if the media is to be reused) |
| X-in-Confidence | Clear (overwrite; the media may be reused) |
| Restricted | Purge (degaussing, or manufacturer-approved overwriting firmware) |
| Highly Restricted | Destroy (disintegration, melting, pulverisation, shredding or incineration) |
12. What are the Risks Relating to Sensitive Classifications?
Public
Public information is the least controlled information in the realm of everyday use. This classification applies to information which:
- requires no special protection or rules for use, and
- may be freely disseminated without potential harm.
For public digital records generally overwriting is sufficient. Media containing unclassified information that is to be considered for reuse must be overwritten at least three times.
X-in-Confidence
This classification applies to information:
- that relates to business unit or faculty operations but is not available outside the unit or faculty, and
- whose unauthorised disclosure, while against policy, is not expected to seriously or adversely impact the University, its employees, its students and/or its partner organisations.
Note: The 'X' refers to the staff of the University, or a business unit or faculty, e.g. Staff - In Confidence or Human Resource Services - In Confidence.
This classification label applies to all other information that does not clearly fit into the previous two classifications.
Where records are determined to be X-in-confidence the sanitisation method recommended is to clear.
To clear digital media, hardware or software products must be used that will overwrite the storage space on the media with non-sensitive data. The most widely used method is to overwrite the entirety of the media once using only 0s, once again using only 1s, and finally once using random data. The goal of overwriting is to replace the written data with random data.
For 'X-in-confidence' records, the media itself does not need to be destroyed and may be reused.
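The three-pass clearing pattern described in sections 10 and 12 (all 0s, then all 1s, then random data) is easy to get subtly wrong, for example by truncating the file, by leaving the new bytes in the operating system's write cache, or by not checking that the old content is really gone. The following Python script is an added illustration and is not part of the University's guide or tooling. It applies the three passes to an ordinary file, forces each pass to disk with fsync, and then verifies that constructed sample content can no longer be read back. Its important limitation is the same one the guide makes about deletion: it clears only the blocks the file currently occupies, not journal entries, snapshots, backups or remapped flash cells, so clearing a whole device still requires a tool that addresses the media itself.

```python
"""Three-pass clear of a file's storage: all 0s, all 1s, then random data.

Added illustration, not part of the University of Newcastle guide. It
demonstrates the overwrite pattern the guide describes on an ordinary file and
then checks that the original content can no longer be read back through the
filesystem.
"""
import os
import tempfile

CHUNK = 64 * 1024  # write in 64 KiB chunks so large files are not loaded into RAM

# Pass patterns in the order the guide describes: 0s, then 1s, then random.
# None means "fill with cryptographically random bytes from os.urandom".
DEFAULT_PASSES = (b"\x00", b"\xff", None)


def overwrite_file(path, passes=DEFAULT_PASSES):
    """Overwrite every byte of `path` once per pass, in place, without truncating.

    Returns the number of passes completed. Each pass is flushed and fsync'd so
    the bytes reach the storage device rather than sitting in the page cache.
    Caveat: this clears only the blocks the file currently occupies. Earlier
    copies in filesystem journals, snapshots, backups, or remapped flash cells
    (SSD wear-levelling) are not touched; whole-media clearing needs a tool
    that addresses the device itself.
    """
    size = os.path.getsize(path)
    with open(path, "r+b") as f:          # r+b: overwrite in place, never truncate
        for pattern in passes:
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(CHUNK, remaining)
                block = os.urandom(n) if pattern is None else pattern * n
                f.write(block)
                remaining -= n
            f.flush()
            os.fsync(f.fileno())          # do not report success until it is on disk
    return len(passes)


def residue_present(path, fragments):
    """Return True if any of the given byte fragments can still be read from the file."""
    with open(path, "rb") as f:
        data = f.read()
    return any(fragment in data for fragment in fragments)


def demo():
    """Create a constructed 'record', clear it, and report what verification finds."""
    # Constructed sample content; nothing here comes from a real record.
    record = b"STUDENT-ID: 0000000 (constructed sample)\nGrade: HD\n" * 500
    fragments = [b"STUDENT-ID", b"Grade: HD"]

    fd, path = tempfile.mkstemp(suffix=".txt")
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(record)
        before = residue_present(path, fragments)   # original content is readable
        passes = overwrite_file(path)
        after = residue_present(path, fragments)    # nothing of it should remain
        size_unchanged = os.path.getsize(path) == len(record)
    finally:
        os.remove(path)  # remove the now-cleared file; the name alone reveals nothing
    return {
        "passes": passes,
        "residue_before": before,
        "residue_after": after,
        "size_unchanged": size_unchanged,
    }


if __name__ == "__main__":
    print(demo())
```

The verification step matters as much as the overwrite: a destruction record should state not only that a clearing product was run but that a read-back check found no trace of the original content, which is the evidence the guide expects to be retained in TRIM.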
Restricted
Records stored on digital media that are deemed 'Restricted' should be sanitised using the purging method.
The most common method of purging media is through degaussing. Degaussing involves exposing the media to a strong magnetic field in order to randomise the data on the media. A degausser is a device that delivers this magnetic field usually through using a strong magnet or electromagnetic coil.
Some firmware (firmware is a program that is sometimes embedded in hardware) for overwriting is acceptable as purging. Please see the manufacturer's recommendations. Often this method will render the media unusable. Therefore it should only be used for media on which all the records are due for destruction.
Highly Restricted
Digital records that are 'Highly Restricted' should be destroyed without any chance of reconstitution. This means that the media is completely unusable and any information is beyond recovery.
Destruction methods include disintegration, melting, pulverisation, shredding and incineration and are usually carried out by licensed organisations. It is recommended that a member of the University witnesses the destruction of highly protected records and that a certificate is issued. This also applies in cases where the destruction is carried out by a third party such as a commercial records storage provider.
13. What Media Cannot be Sanitised?
If records are recovered from media that was not appropriately sanitised, there is a risk that the University will be held negligent under State and Commonwealth law. The University may also be liable under the Privacy and Personal Information Protection Act 1998 if digital records that are no longer in use are not properly destroyed and personal information is released, inadvertently or deliberately, into the public domain.
The University must provide evidence that documented, consistent and routine procedures for the destruction of digital records are in place. Documentation of destruction processes is stored in the University's Electronic Document Management System (TRIM) and can be used in response to discovery requests. This will eliminate the potential exertion of time and effort in locating or reconstructing records, saving time and money.
It is also important to note that although records are no longer in use they must still satisfy minimum retention requirements according to the State Records Act and hence must still be accessible.
14. Special Media Formats
According to the Australian Government Information and Communications Technology Security Manual, it is recommended that some media, regardless of sensitivity labelling, be destroyed rather than using other sanitising methods. This is because certain media cannot be sanitised due to their nature and hence must be destroyed. This media includes:
- Optical disks, including CDs and DVDs
- Printer ribbons
- Programmable read-only memory
- Read-only memory
For more information on sanitisation and destruction methods please refer to the Australian Government Information and Communications Technology Security Manual (ACSI 33).
15. Tips for Destroying Digital Records
- It is recommended that all media that is to be reused in a new environment be sanitised appropriately. This includes media that is being reused for a higher classification of record.
- The clearing of media must match the highest level of classification assigned to information stored on that media.
- Before any media is sanitised the Record Destruction Authorisation Form must be completed. This form includes a process of gaining authorisation from the Head of Department/Business owner of the information, the Manager RMO and the Associate Director, Complaints and Information Management (as per the UoN delegation authority).
- Digital technologies are constantly changing especially in regards to processing speeds and storage capabilities. These new technologies may require new clearing and purging methods not listed here.
- It is recommended that the authorised destruction of digital records is done in a timely manner. Retaining accumulations of digital records that are no longer required for business purposes and are eligible for destruction, on the basis that the storage media is cheap, may be a false economy. Dealing with the destruction of digital records in a planned and systematic way will reduce the risk to the organisation of digital records ending up in the wrong hands.
16. For More Information
Australian Government Department of Defence - Defence Signals Directorate, Australian Government Information and Communications Technology Security Manual (ACSI 33), 2007
Australian Government Department of Defence - Defence Signals Directorate, Evaluated Product List, 2007
Department of Commerce - Government Chief Information Office, Guide to Labelling Sensitive Information, 2002
Department of Culture and the Arts, Government of Western Australia State Records Office of Western Australia Guidelines Sanitizing of Hard Disks and Magnetic Media, 2008
National Institute of Standards and Technology, Computer Security Division, Guidelines for Media Sanitization, 2006 (US)
NSW State Records Guideline No. 3 Destruction of Records: A Practical Guide, 1996 revised 2000, 2003, 2005