Shopping cart

Your shopping cart is empty.
  1. Government Recordkeeping
  2. Advice and Resources
  3. Storage and Preservation
  4. Solutions for Storage
  5. 8. Security
8. Security (Solutions for Storage)

TOC

Records are protected against theft, misuse, unauthorised access or modification. (Principle 6)

All records require a basic level of security to ensure their authenticity and integrity, to prevent misuse and unauthorised access. Records with security classifications (e.g. protected, secret, top secret), or containing sensitive information, should be handled, protected, stored and disposed of according to NSW Government requirements and the Australian Government Protective Security Policy Framework.

Access to buildings and storage areas must be controlled in order to prevent unauthorised access, which may result in the alteration, destruction, damage or theft of records. Only authorised users should be able to access records.

All staff and contractors working in storage areas/facilities used by the public office (including commercial storage facilties), should be aware of their responsibilities regarding security and have appropriate security clearances.

8.1  Building security

Every building poses its own problems for security, as requirements will differ for each building, depending on the nature of the organisation, resources, and the records being stored.

Building security risk assessment should be undertaken to identify and mitigate security risks and to develop a security plan for the storage facility and storage areas. Public offices may be able to request site visits from the local fire brigade and police to assist in security audits and risk assessments. At a minimum, records storage areas and facilities should be intruder resistant, monitored with perimeter alarms and ‘back to base’ systems, CCTV, and access controls. This can be achieved by using entry controls, perimeter and intruder detection alarms, and security guards.

It is important that security monitoring of storage areas and facilities is audited or monitored, to ensure that security measures are working correctly.

Breaches of security should be documented and captured into the organisation’s recordkeeping system, and the mitigation of risks addressed through the risk register. Shortcomings of the building, staff, records storage procedures and the security equipment should be highlighted in the report and addressed by the organisation.

Entry controls

The exterior doors and windows of the storage area and facility should be lockable, and unnecessary or redundant doors and windows should be blocked. Vulnerable windows can be secured with roll down shutters, bars, grills or intruder resistant glass. The suitability of these measures should be discussed with a crime prevention officer or risk management people within the organisation.

Entry to the storage building or facility should be controlled through either electronic access systems or locks. Passes or keys should only be issued to approved personnel, security personnel, building managers and emergency services. A register of access passes or keys should be maintained and policies should be in place regarding duplication of keys, reporting losses and changing the keys or codes when a staff member or contractor moves to another position. Provision should be made for emergency situations and a master set of keys, pass holders’ code numbers or other necessary details should be kept in a secure place away from the records facility.

Intruder detection alarms

Intruder detection alarms should be installed at all storage facilities. Procedures and details of security systems should be subject to rigorous security.

A ‘back-to-base’ alarm system which sounds at the organisation’s security room or the offices of the security firm responsible for the premises is recommended.

The organisation needs to adopt rules for responding to the storage facility’s alarm, including the minimum response time. The security firm should be furnished with the names and after hours telephone numbers of designated records staff members who should be alerted if the alarm activates, and will be expected to attend the premises in the case of an emergency. The organisation is responsible for seeing that this list is kept up-to-date.

Security guards/patrols

Organisational policy and the types of records being stored will determine whether to employ security staff and after hours patrols.If security classified records or records with sensitive information are being stored, then the organisation will need to increase the level of security measures.  For further information see the NSW Government requirements and the Australian Government  Protective Security Policy Framework.

Security staff may be required for records storage facilities unoccupied by staff. This need may be determined by considering:

  • the nature and importance of the materials held in the storage facility
  • the location of the facility and surrounding risks (See Section 3 Location of storage areas and facilities)
  • recent incidences of burglary or arson in the area, and/or
  • the adequacy of alarm systems.

Security patrols might replace malfunctioning alarm systems for a short time.

Good perimeter surveillance and lighting may deter potential intruders.

8.2  Records storage area security

Only authorised staff should have access to the records storage areas within buildings or to locked storage equipment or secure storage zones (e.g. sections of the compactus that contain more sensitive or confidential records, or zones within the storage area which contain security classified records).

The Senior Responsible Officer for records management should authorise which personnel have access to records in the records storage areas. Staff working in storage areas containing security classified or sensitive information will need to have appropriate security clearances.

Entry to storage areas should be controlled through electronic access systems, locks or other access controls. These access controls should be monitored and audited.

The retrieval and return of material should only be undertaken by staff members who are authorised to be in the storage areas.

External clients or visitors to the storage facility should always be registered and supervised. Security measures should be in place to protect the records and to detect breaches. Any routine maintenance work in records storage areas, such as cleaning or repairs, should not be permitted unless there is an authorised staff member to supervise the contractor.

8.3  Records with security classification

Records requiring additional security or protection include records with security classifications or containing sensitive information. These types of records must be handled, protected and stored appropriately. The NSW Government requirements and the Australian Government Protective Security Policy Framework should be implemented.

It is usual to store security classified or sensitive information in separate areas or zones segregated from the main records storage. This segregation of records allows for added protections and risk mitigation to be implemented including:

  • lockable storage such as strongrooms for large quanities of records, safes and vaults
  • security approved containers and cabinets, and
  • alarms and CCTV monitoring of the storage area to detect unauthorised access.

Only authorised staff with appropriate security clearances should have access to secure storage zones.

Ensure that records with security classifications or containing sensitive information are transported in appropriate containers and encryption is used if transporting digital records on physical carriers (i.e. portable hard drives, USB sticks etc.).

For further information see the Australian Government Protective Security Policy Framework, particularly 16 Entity facilities.

8.4  Staff responsibilities

All staff and contractors working in storage areas/facilities used by the public office (including commercial storage facilties), should be aware of their responsibilities regarding security and have appropriate security clearances.

Policy and procedures should cover the:

  • importance of security within storage areas and facilities
  • responsibilities of staff and contractors, including the confidentiality agreements that all staff should sign
  • requirements for only authorised staff, with appropriate security clearances, to access secure storage zones
  • handling of security classified records or sensitive records
  • safe transport of records and secure transport arrangements, and
  • processes for providing access to records.

All staff should be encouraged encouraged to report any unauthorised access, damage or security breaches observed. Serious breaches of security should be reported to the Senior Responsible Officer and to the public office’s Chief Information Officer. All breaches should be assessed and rectification action taken.

8.5  Policies and procedures for access to records

Public offices routinely provide access to records, under legislation such as the Government Information (Public Access) Act 2009 or the Privacy and Personal Information Protection Act 1998, and other legislation and administrative arrangements. Under the State Records Act, public offices also become ‘access providers’ for records over thirty years old that are in their custody.

Staff involved in providing access to the organisation’s records should understand the organisation’s role as an access provider and any policies and procedures that exist to governing access. Other policies and procedures governing access may include:

  • obtaining client names and addresses and viewing their identification to ensure that clients are who they claim to be
  • asking clients to acknowledge the rules for the protection of the records
  • asking clients to record their name and signature in a register so there is a record of who was accessing the organisation’s records on a given day
  • asking clients to fill in a request form for items so that there is documentation of who was issued with particular items on a given day. These forms should include the signature of the client and a copy should be available both for the organisation and for the client, and/or
  • checking returned documents and returning them promptly to the records storage area.

See Appendix B for an example of access rules.

8.6  Keeping records about security

It is important to keep records about security for records in storage areas and facilities. Examples of the types of documentation the organisation may have are:

  • storage plans and assessment reports which include details of security measures implemented to protect records storage areas and facilities, and records in transit
  • access monitoring and reporting
  • access logs which record all entry to the storage areas and facilities
  • documentation of staff security clearances
  • incident reports regarding any unauthorised access to any storage areas or facilities
  • incident reports regarding any theft of records in transit
  • storage plans and assessment reports include details of appropriate handling and storage of security classified reports
  • contracts with storage providers include specific security, confidentiality, and authorised access requirements
  • procedures which detail how to store information with different security classifications.