View Current

Records and Information Management Policy

This is the current version of this document. To view historic versions, click the link in the document's navigation bar.

Section 1 - Audience

(1) This policy applies to all University staff, contractors, volunteers, students, work experience participants, members of advisory and governing bodies as well as staff of controlled entities of the University.

Top of Page

Section 2 - Executive Summary

(2) The University of Newcastle’s (University) records, information and data provide evidence of teaching, research and administration and are a critical asset to the University. They provide the foundation to support business activity, decision making, document rights and entitlements, make up the corporate memory, drive collaboration and communication, preserve knowledge, and provide stakeholders with transparency and accountability for University operations.

(3) Having the capacity to strategically plan, readily identify, securely store and manage records, information and data is essential to the efficient and effective operation of the University.

(4) The University has responsibilities for record, information and data management as per the State Records Act 1998 (NSW), as well as reporting responsibilities to the NSW State Archives and Records Authority (SARA) in accordance with the objectives outlined in their Regulatory Framework (2021-2024). This Framework includes mandatory annual self-monitoring activities for the University to assess how they comply with the State Records Act 1998 and relevant standards that are legislated under the Act.

(5) The University is also obligated under a range of legislation to maintain appropriate records, reproduce records, or retrieve documents. This includes, but is not limited to:

  1. Independent Commission Against Corruption Act 1988 No 35;
  2. Public Interest Disclosures Act 1994;
  3. Tertiary Education Quality and Standards Agency Act 2011;
  4. Work Health and Safety Regulation 2017;
  5. Evidence Act 1995;
  6. Electronic Transactions Act 2000;
  7. Government Sector Audit Act 1983;
  8. Government Information (Public Access) Act 2009
  9. Privacy and Personal Information Protection Act 1998 No 133; and
  10. Health Records and Information Privacy Act 2002 No 71.
Top of Page

Section 3 - Purpose

(6) This policy identifies how the University will meet its obligations under the State Records Act 1998 (NSW), the principles of the Standard No 12: Standards on Records Management, State Records Regulations 2015, and SARA’s Regulatory Framework (2021 -2024). This policy outlines how the University will govern the management and minimise risk relating to records, information and data and preserve assets of corporate and community significance.

Top of Page

Section 4 - Scope

(7) This policy applies to records, information and data in any format that is created, received or maintained by the University, and that documents research, deliberation, advice or actions undertaken in the course of carrying out a University function or activity (called herein ‘University Records’).

(8) This policy does not apply to University records that:

  1. can be destroyed in accordance with the Normal Administrative Practice (NAP) provision;
  2. are classified as State Archives and are under the current control of State Archives in the University's Special Collections unit. These records are bound by the Art and Special Collections Management Framework; or
  3. are created and retained at the University of Newcastle Singapore (UONS) campus and are not under the control of the University of Newcastle, unless stipulated in a UONS agreement or constitution. 
Top of Page

Section 5 - Policy Specific Definitions

(9) In the context of this policy:

  1. “high risk records” means those University records, information and data that are created in high-risk business processes or functions or received in high risk areas of the business that would be considered at a level of risk that is outside the University’s risk appetite if they were misused, released inappropriately, or inappropriately accessed and altered, lost damaged or destroyed prematurely;
  2. “high value records” means those University records, information and data that enable the University to continue their functions, provide a service, and respond to Royal Commissions, inquiries, audits, investigations and legal issues;
  3. University function or activity” means any decision, action, or risk assessment undertaken by or on behalf of the University to further its statutory objectives, including but not limited to research, research administration, teaching, strategic and business planning, ensuring health and safety, student administration, alumni administration, human resource management, financial management, governance and administration of the University, and commercial activities;
  4. “University records” refers to physical and digital records that are created whilst performing a University function or activity, including but not limited to paper based records; databases; emails; scanned documents; records created in collaboration sites such as (but not limited to) MS365-Teams, Sharepoint, document libraries and OneDrive; completed on-line forms; actioned workflows; records created in cloud based third party applications; microfilm; tape; photos; video footage; webpages; social media content; maps; and research data;
  5. “State Archives” means those University records that are appraised by the University in accordance with the statutory framework as having historical, long term continuing value, and that the State Records Authority has control of under the State Records Act 1998. Examples of State Archives include, but are not limited to:
    1. master sets of by-laws, rules, and policies;
    2. master sets of Senate, Council, Health and Safety and similar governing bodies meeting papers;
    3. annual reports;
    4. registers of graduates, scholarships, and final academic transcripts;
    5. final approved curricula;
    6. records of ownership of intellectual property;
    7. research project final reports; and
    8. strategic plans;
  6. “disposal” refers to processes and decisions associated with record and information retention, destruction or transfer which are documented in disposal authorities;
  7. “University Records Management System” is an approved information system that has the capability to compliantly manage records. This system (TRIM) is controlled by Records Governance Services;
  8. “University Approved Information Systems” are systems supported by the University that have been assessed by Records Governance Services for suitable record keeping functionality, and Information Technology Services for acceptable security functionality. Refer to Information Security Policy for more information;   
  9. “data subjects” under the General Data Protection Regulation (GDPR) is anyone within the borders of the European Union (EU) at the time of processing of their personal information;
  10. “records management” refers to the efficient and systematic control of the creation, receipt, maintenance, use and disposal of records, including people, processes, and systems used to capture and maintain evidence of and information about business activities and transactions in the form of records;
  11. “retention period” refers to the minimum period of time for which records should be kept to meet regulatory, business, audit, legal and financial requirements before they can be destroyed;
  12. “Normal Administrative Practice (NAP)” refers to the provision under the State Records Regulation 2015 to routinely destroy certain types of facilitative and duplicate records that have limited or incidental relevance to the performance of a University function and are usually not required for on-going business or accountability purposes. Examples include:
    1. working papers that are primarily facilitative, and the capture of the final version will meet business, accountability, and recordkeeping requirements;
    2. drafts that are routine in nature and do not contain significant information or document significant decisions, discussions, reasons, and actions and are not intended for further use or reference;
    3. facilitative records that do not provide continuing value and are routine in nature;
    4. computer support records that do not support significant functions or required for ongoing business purposes;
    5. published or reference material; and
    6. personal emails not relating to University functions or activities.
  13. “Access Directions” refers to the framework for regulating public access to State records which have been in existence for at least 30 years (the ‘open access period’). Records can be subjected to open public access (OPA) or closed public access (CPA) directions; 
  14. “Information Users” refers to individuals who have been granted explicit authorisation by the relevant Information owner to access, use, alter, or destroy information within a University approved information system;
  15. “sentencing” refers to the process of classifying records to determine how long they need to be kept and in accordance with the disposal authorities. Sentencing ordinarily takes place upon creation of a record; and
  16. “inactive records” refers to those records that are not required to meet immediate business needs, but which must be kept (in accordance with retention and disposal authorisation) to support business activities, legal or regulatory requirements, or societal expectations.
Top of Page

Section 6 - Principles

University Records and Information Management Program

(10) The University's records and information management program will satisfy the requirements of the State Records Act 1998 NSW, and any associated standards, policies and guidelines.

(11) The program, including policies, procedures, people, and systems required to manage University records will be monitored and evaluated for risk management, continuous improvement, and assurance that the needs of the University, community and the regulatory requirements are met.

Ownership, control and custody of University Records

(12) All University records created or received while performing a University function or activity are owned by the University, unless otherwise specified under contract, and must be managed in accordance with this policy.

Creation and Management of University Records

(13) Information owners must:

  1. assess, document and review the University records that will be created and captured as part of a process that they are responsible for, and determine how long these University records need to be kept to meet the requirements of this policy;
  2. ensure that the University records they are responsible for are reliable, accurate, usable, stored and appropriately protected within a University Approved Information System or a compliant storage area (for physical records); and
  3. ensure sensitive, personal, and confidential University records are:
    1. protected against unauthorised access;
    2. not kept for any longer than necessary; and
    3. destroyed in line with the relevant disposal authorities.

(14) Prior to entering into arrangements with third party providers to store and manage University records outside of NSW, an evaluation must occur in line with NSW State Archives and Records GA35 - Transferring Records out of NSW to determine and mitigate risks associated with storing University records outside NSW jurisidictions.

(15) Email folders, shared drives, personal drives, external storage media or unsupported cloud-based storage services (e.g. drop-box) must not be used to store University records as these lack the necessary record-keeping functionality to protect the records. University records held in these systems must be incorporated into the University's Approved Information System to prevent them from being inaccessible, lost, leaked, prematurely deleted or over-retained. Records with a high or medium risk rating (refer to the “Records and Information Risk Assessment Guide”) must be stored in the approved University's Records Management System.

Retention and Disposal of University Records 

(16) Retention periods for University records are set by the SARA NSW in the NSW State Archives and Records - Retention and Disposal Authorities. Disposal Authorities are legislated under the State Records Act 1998 (NSW) and take into account the needs of the business, legal and accountability requirements, and community expectations.

(17) The University uses a number of General and Functional Disposal Authorities to manage retention requirements of University records. University records must be sentenced according to the disposal authorities when the records are created, or prior to the records being disposed of or destroyed.

(18) University records that are inactive and no longer required to meet immediate business needs but are required to be retained until they have met the minimum retention requirements, can be moved to approved semi-active or long-term storage repositories.

(19) Destruction of University Records prior to completion of the minimum retention period is prohibited under the State Records Act 1998 (NSW) which also prescribes penalties and exceptions for early destruction. Records having limited or incidental relevance can be destroyed in accordance with Normal Administrative Practice (NAP).

(20) Destruction of University records must be authorised, secure, timely and documented to minimise risks associated with records being accessible beyond their requirements; to reduce costs associated with record storage; and comply with the State Records Act 1998 and Privacy Legislation.

(21) Destruction of paper based records after they have been scanned/digitised is acceptable providing the conditions outlined in the Original or Source records that have been coped (GA45) are met, and the digital outputs are stored in a University Approved Information System.

(22) Destruction of digital records must be in accordance with the guidelines outlined by SARA NSW, Destruction of Records and must include:

  1. the date of the destruction;
  2. identification of who/what undertook the destruction;
  3. the disposal authority reference for the destruction (e.g. GA27 1.2.3; By Court Order); and
  4. the title of the record or identifier (e.g. student, staff or client/partner name).

(23) The Vice-Chancellor has sub-delegated the authority for approving the destruction of records and information (please see Delegations Register). The destruction authorisation process is managed by Records Governance Services.

University Records and Information Management Systems

(24) Information owners must consult with Records Governance Services prior to implementing new or upgrading existing University Approved Information Systems to ensure record management requirements and obligations can continue to be met. In particular, information systems that capture and store high value records and high risk records must comply with the requirements of the NSW State Archives and Records Standard No 12 Standard on Records Management or be linked to the approved University Records Management System (TRIM).

(25) University Approved Information Systems must include minimum metadata requirements to support identification, usability, accessibility and context of University records in accordance with Standard No 12: Standard on Records Management.

(26) System Owners and System Administrators must ensure that appropriate design and maintenance documentation is developed to assist with monitoring, auditing, and ensuring records and information management systems operate as expected.

Access to University Records 

(27) Information owners and System Administrators must ensure that the University records for which they are responsible for are protected from unauthorised access, disclosure, modification, loss, or damage. Particular attention must be given to restricting access and securing sensitive, personal, health, and confidential records and information.

(28) Information owners must periodically review access to systems that they are responsible for to ensure information user’s access is relevant, and to remove information user’s access to systems when it is no longer required.

(29) The Information Security PolicyPrivacy and Information Access Policy and Privacy Management Plan and their associated documents must be complied with when accessing records and information.

(30) Access to research data/primary material must follow the Research Data and Primary Materials Management Procedure.

(31) Access to University records that are not made publicly available by the University may be provided to external parties if authorised by the information owner and considered permissible under all relevant University policies, or where required by law.

(32) The information owner is responsible for ensuring that the University records they are responsible for and that are older than 30 years are subject to Access Directions based on NSW Attorney General guidelines. Closed Public Access (CPA) directions means all records are closed to public access until the record reaches a certain age. Open Public Access (OPA) directions provides public access to records once the record is 30 years old. 

Security of University Records 

(33) University Approved Information Systems must meet the requirements of the University's Information Technology Security policies, procedures, guidelines, and manuals so that the University records are protected and available wherever they are located.

(34) Security classifications must be applied to all University records in accordance with the Information Security Data Classification and Handling Manual. Security classifications are based on sensitivity, risk and potential impact on the University in the event that the records or information is disclosed, misused, misinterpreted or lost. 

(35) Physical University Records must be stored securely and have appropriate environmental controls in place, consistent with Standard 11: Standard on Physical Storage of State Records.

(36) System Owners and System Administrators must ensure the implementation of established information security policy and procedures, in the system they are responsible for. For more information please refer to the Information Security Policy.

Out-sourcing University Records 

(37) Information owners must assess out-sourced information systems prior to their use to ensure recordkeeping requirements meet the requirements of Standard No 12: Standard on Records Management and risk management meets the requirements of the University's Risk Management Framework

(38) Records that have the potential to be classified as State Archives that are older than 25 years must not be stored outside NSW without first seeking the approval of Records Governance Services.

(39) Physical records must not be stored with off-site storage providers other than with the current University contractor. Records Governance Services are the single point of contact for the University off-site record storage contractor.

State Archives - Transfer of University Records 

(40) Digital State Archives must be migrated to the University’s Records Management System in a suitable long-term format once they are inactive and no longer required for business legal or audit purposes (Please see SARA – Digital Records Preservation Policy). Digital State Archives must be transferred to SARA NSW when they are at least 25 years old.

Decommissioning and Migration of IT Systems and Data

(41) Decommissioning of information systems and legacy data must be planned and documented, and the plan must comply with the retention and disposal requirements outlined in the Disposal Authorities.

(42) Migration and conversion processes must be planned, documented, and tested to ensure that the University records that are migrated and/or converted remain accurate, reliable, and  useable, and that metadata remains associated with the records. (Please see SARA – GA48 Source Records that have been migrated).

Risk and Business Continuity

(43) The University will ensure its Business Continuity Plans for critical processes identify the risks to high risk records and high value records, and will implement processes to monitor and manage these risks in line with the University's Business Continuity Management Framework. This includes, but is not limited to, appropriate back-ups and disaster recovery strategies.

(44) Information owners must follow the Records and Information Risk Assessment Guide to determine the level of risk associated with the records that they are responsible for and apply a risk-based approach when considering the best way to manage and store records.

(45) High risk records and high value records must have more rigorous records management processes applied, whereas low risk and low value records have more flexibility in their record management provided that key recordkeeping and privacy obligations are met.

(46) Staff must plan and facilitate the transition of records to the most appropriate person or business unit to minimise disruption of operations and loss of information prior to a staff member leaving the University, moving divisions, business units, or premises; or when there is a restructure.

Monitoring

(47) Regular assessment of the effectiveness and efficiencies of recordkeeping processes is required to ensure that they support the functions and activities of the University as well as compliance requirements. This may include, but is not limited to:

  1. benchmarking against Standard No 12 – Standards on Records Management using the Records Management Assessment Tool (RMAT);
  2. assessment against plans, goals and objectives of the business unit records management program;
  3. auditing of recordkeeping and/or management of records;
  4. conducting detailed reviews of high-risk business areas to confirm that records are being created and captured into the recordkeeping system;
  5. assessing compliance against the State Records Act 1998; and
  6. assessing records management system and business systems that create and capture records.

General Data Protection Regulation – GDPR

(48) University records relating to data subjects within the European Union (EU) and related to University core functions or activities are to be retained with the State Records Act 1998 (NSW).  

(49) Requests to alter personal information in University records must be undertaken in accordance with the University's Privacy Management Plan.

Top of Page

Section 7 - Roles and Responsibilities

All staff

(50) All staff are responsible for the management of University records in accordance with this policy. All new staff to the University must complete the relevant on-line record-keeping training which details the record-keeping requirements for the University. Additional responsibilities for certain staff are listed below.

Vice-Chancellor

(51) The Vice-Chancellor is responsible for ensuring the overall management of University records complies with the requirements of the State Records Act 1998 (NSW).

Senior Staff

(52) Senior staff are responsible for ensuring adherence to this policy by supporting and implementing comprehensive records management programs and promoting a culture of compliance records management that meets the requirements of the University and its stakeholders.

Senior Responsible Officer

(53) The University Secretary is the senior responsible officer, as required by SARA NSW, and has oversight of records and information management at the University.

Records Governance Services

(54) Records Governance Services is responsible for overseeing the management of University records at the University, consistent with the requirements described in the policy, including the provision of advice, training, approving the disposal of University records, and the assessment of proposed new and existing information systems.

Chief Information Officer

(55) The Chief Information Officer is responsible for maintaining the technology for the University's information systems in accordance with State Records legislation and this policy. This includes routine testing or audit of systems to ensure that there are no issues affecting information integrity, usability, confidentiality or accessibility.

Managers and Supervisors

(56) Staff who have responsibility for the management or supervision of divisions, units, teams or other employees are responsible for ensuring they maintain a detailed understanding of this policy, that records and information management are integrated into work processes and systems, and that their staff (including contract staff), are aware of and are supported to follow the requirements of this policy.

Information Owners

(57) Information owners must ensure that record management requirements are identified and managed and that the development and implementation of any new University Approved Information Systems that they are responsible for are managed in accordance with this policy.

System Owners and System Administrators

(58) System Owners and System Administrators must ensure that the systems they are responsible for meet the requirements of Standard No 12: Standard of Records Management and configuration and system design documents are relevant and up-to-date. 

Contract Owners of Managed Service Providers

(59) Staff responsible for the approval of the procurement of IT managed services must ensure that suitable contract provisions require the provider to comply with the provisions of this policy. Contract owners, as defined by the Procurement Policy, must ensure compliance by the provider throughout the contract term.