Shopping cart

Your shopping cart is empty.
  1. Government Recordkeeping
  2. Rules
  3. Retention & Disposal Authorities
  4. General retention and disposal authorities
  5. Local government records (GA39)
  6. Part 2: The General retention and disposal authority (GA39)
  7. INFORMATION TECHNOLOGY (GA39)
INFORMATION TECHNOLOGY (GA39)

TOC

The function of developing or acquiring, testing and implementing hardware infrastructure, and applications and databases to support the business needs of an organisation to capture, store, retrieve, transfer, communicate and disseminate information through automated systems.

See CORPORATE MANAGEMENT for records of conferences arranged and attended by the organisation or staff, and for standards, meetings, procedures and reports concerning the acquisition and management of communications and information technology.

See INFORMATION MANAGEMENT for records relating to the management of information resources.

See INFORMATION MANAGEMENT - Publications for records relating to the updating of the content of websites.

ACQUISITION

The process of gaining ownership or use of technology and telecommunications equipment and systems required for the conduct of business through purchase or requisition.

No Description of records Disposal action
17.1.1 Records relating to the acquisition of services for the development of systems or the acquisition of off-the-shelf systems where the system is proceeded with and is acquired through a tendering or contracting-out process. Includes systems acquired through period contracts that involve tendering. Retain minimum of 7 years after system is superseded, then destroy
17.1.2 Records relating to the acquisition of technology and telecommunications equipment or systems through any means (purchase, acquisition, requisition etc) where there is no tender or contracting-out process, i.e. where the cost of the acquisition is below the threshold for tendering. Records include:

  • requests for quotes
  • orders
  • correspondence and records of negotiations
  • minutes or notes of meetings.
 Retain minimum of 7 years after action completed, then destroy
17.1.3 Records relating to investigations into the acquisition of technology and telecommunications equipment or systems not proceeded with. Retain until administrative or reference use ceases, then des

APPLICATION DEVELOPMENT & MANAGEMENT

The activities associated with developing software and programming codes to run business applications and managing them over time. Includes specifications, testing, pilot testing or studies, prototyping and metadata requirements.

See INFORMATION TECHNOLOGY - Evaluation for records relating to the establishment of user requirements, development of specifications and feasibility studies and evaluation of potential solutions prior to purchase.

No Description of records Disposal action
17.2.1 Records relating to the design and development of systems which are proceeded with. Records include:

  • background research
  • project proposals and project management records
  • notes of meetings or reports analysing issues and the outcomes of consultations
  • systems documentation
  • information regarding the source code and the source code itself
  • records of establishment of system logs
  • records of application and allocation of metadata
  • records of business rules
  • records of system specifications and configurations
  • records of rectification of developmental problems
  • records of requests for system changes during development
  • records of final signoff by parties.
 Retain minimum of 7 years after system is superseded, either through upgrade or major modification, and any data supported is migrated or destroyed, then destroy
17.2.2 Records relating to proposals for the development and modification of specific applications which are not proceeded with. Retain minimum of 2 years after action completed, then destroy
17.2.3 Records relating to testing of applications. Records include records of testing strategies, e.g. user testing, Result forms and test reports. Retain minimum of 5 years after system goes live, then destroy
17.2.4 Records relating to the configuration or customisation of off-the-shelf packages to meet the needs of the organisation. Retain minimum of 7 years after system superseded, then destroy
17.2.5 Records relating to enhancements and upgrades to systems, and system-changing maintenance and problem management. Retain minimum of 7 years after system superseded, then destroy
17.2.6

Records relating to the maintenance of system logs which are used to show a history of access or change to data, e.g. system access logs, Internet access and activity logs, system change logs, audit trails etc.

Note: The Government Chief Information Office (GCIO), Information Security Guidelines for NSW Government Agencies indicates that the minimum retention period for audit logs should be at least sufficient to support the investigation of accidents (page 97). System logs may be required for accountability purposes or as evidence in investigations to trace who accessed what records. The length of retention will be dependent on the organisation, the system and the nature of the risks faced.

Retain in accordance with the organisation's requirements, then destroy
17.2.7

Records relating to the maintenance of system logs which are not used to show a history of access or change to data, e.g. backup logs.

Note: Backup logs are maintained by backup software to report the status of backups performed and information such as devices and tapes used, errors encountered, systems and lists of files backed up etc. Backups (e.g. backup tapes) are different: they store the actual backed up data and their disposal is covered by Normal Administrative Practice (NAP) as they are facilitative records. It is not good practice to rely on backups as official records of business as they are not considered to be reliable recordkeeping systems. There should be established and documented routines for the destruction of backups in accordance with NAP.

 Retain until administrative or reference use ceases, then destroy

COMPLIANCE

The activities associated with complying with mandatory or optional accountability, legal, regulatory or quality standards or requirements. Includes compliance with legislation and with national and international standards.

No Description of records Disposal action
17.3.1 Records relating to managing applications:

  • made by the organisation to use portions of software developed by another organisation or individual, or
  • from the public or other organisations for permission to reproduce portions of software developed by the organisation

where permission has been granted.

 Retain minimum of 7 years after action completed or permission expires, whichever is later, then destroy
17.3.2 Records relating to rectification plans, reports, remediation processes and testing of systems for year 2000 (Y2K) compliance. Retain minimum of 5 years after action completed, then destroy
17.3.3 Records relating to managing applications:

  • made by the organisation to use portions of software developed by another organisation or individual, or
  • from the public or other organisations for permission to reproduce portions of software developed by the organisation

where permission has not been granted.

 Retain until administrative or reference use ceases, then destroy
17.3.4 Records relating to the organisation's compliance with mandatory or optional standards or statutory requirements regarding technology and telecommunications, e.g. AS/NZS ISO/IEC 17799: 2001, Information Technology: Code of practice for information security management. Includes records of assessment and certification of compliance with standards. Retain minimum of 6 years after action completed, then destroy

DATA MANAGEMENT

The activities associated with maintaining and using the data that is held in a system, either automated or manual. Includes the maintenance of data dictionaries and the application of vital records and counter disaster plan objectives to safeguard against data loss or corruption.

No Description of records Disposal action
17.4.1 Records relating to the recovery of data, e.g. data lost during disasters, data corrupted by viruses etc. Records include records of testing for data recovery and post-incident reviews. Retain minimum of 7 years after system is superseded, then destroy
17.4.2 Records relating to the maintenance of organisation-wide data dictionaries. Retain until administrative or reference use ceases, then destroy

DISPOSAL

The process of disposing of technology and telecommunications equipment no longer required by the organisation by sale, transfer, termination of lease, auction or destruction.

No Description of records Disposal action
17.5.1 Records relating to the disposal of technology and telecommunications equipment through any means including sale, transfer, auction, exchange, return or destruction. Records include:

  • correspondence with leasing companies or vendors
  • handover reports
  • valuation certificates
  • quotes etc.
 Retain minimum of 7 years after disposal of asset, then destroy
17.5.2 Records relating to arrangements for the disposal of technology and telecommunications equipment that do not proceed. Retain minimum of 2 years after action completed, then destroy

EVALUATION

The process of determining the suitability of potential or existing programs, items of equipment, systems or services in relation to meeting the needs of the given situation.

See INFORMATION TECHNOLOGY - Acquisition for records relating to evaluations that proceed to purchase.

No Description of records Disposal action
17.6.1 Records relating to the evaluation of potential or existing technology and telecommunications programs, equipment, services and systems that do not proceed to purchase. Records include:

  • notes of meetings or reports analysing issues and the outcomes of consultation with employees, stakeholders etc
  • records establishing requirements for systems, including analysis of business processes and systems analysis
  • records of development and issue of specifications, including statements of requirements, requests for proposals, expressions of interest and business cases, initial pilot testing
  • records of evaluation of commercial off the shelf products and services and whole of government solutions (including shared systems suites and endorsed suppliers) against user requirements
  • records of investigations into the feasibility of contracting-out technology and telecommunications activities.
 Retain minimum of 5 years after action completed, then destroy

IMPLEMENTATION

The activities associated with carrying out or putting into action plans, policies, procedures or instructions, all of which could be internally or externally driven.

No Description of records Disposal action
17.7.1 Records relating to the implementation of technology and telecommunications strategies, projects, equipment and systems. Systems can include off-the-shelf products or internally developed applications. Records include:

  • notes of meetings or reports analysing issues and the outcomes of consultation with employees, stakeholders etc
  • project management documentation
  • records of implementation strategies and pilots
  • records of implementation testing
  • records of migration strategies and quality assurance checks for migration
  • records of allocation of technology and telecommunications equipment to individuals or organisational units as part of implementation roll-outs
  • records of monitoring of implementation.
 Retain minimum of 5 years after action completed, then destroy

MAINTENANCE

The activities associated with the upkeep, repair, servicing and preservation of technology and telecommunications equipment and the maintenance of systems.

No Description of records Disposal action
17.8.1 Records relating to the maintenance of technology and telecommunications equipment. Records include:

  • project management documentation
  • notes of meetings or reports analysing issues and the outcomes of consultation
  • correspondence and records of advice from vendors, suppliers, consultants etc
  • records of maintenance inspections
  • records of requests for maintenance
  • documentation of minor maintenance action.
 Retain minimum of 5 years after action completed, then destroy
17.8.2 Records relating to arrangements for the routine installation or relocation of technology and telecommunications equipment including software and hardware when they are not part of stand-alone projects, e.g. installation of a few PCs or printers. Retain minimum of 2 years after action completed, then destroy

MONITORING

See INFORMATION TECHNOLOGY - Implementation for records relating to monitoring of IT systems.

PLANNING

The process of formulating ways in which objectives can be achieved. Includes the determination of services and needs, and the solution to those needs.

No Description of records Disposal action
17.10.1 Records relating to the development and review of the organisation's strategic plans for information technology and telecommunications. Records include:

  • background research
  • notes of meetings or reports analysing issues and the outcomes of consultation
  • final and significant draft versions of plans
  • correspondence indicating who the plans apply to and responsibilities for their implementation.
 Retain minimum of 5 years after superseded, then destroy

SECURITY

The activities associated with measures taken to protect technology and telecommunications equipment from theft, accidental or intentional damage or from unauthorised access.

See INFORMATION TECHNOLOGY - Compliance for records relating to demonstrating compliance with security standards.

See PERSONNEL - Discipline for records relating to disciplinary action taken against personnel for security breaches.

See PROPERTY MANAGEMENT (COUNCIL PROPERTY) - Security for records relating to building security arrangements, e.g. control of access to computer rooms.

No Description of records Disposal action
17.11.1 Records relating to the security of information technology and telecommunication systems. Records include:

  • minutes or notes of meetings
  • records of authentication and encryption measures
  • records of advice/approval from other organisations regarding security issues
  • records of maintenance of firewalls
  • records of security testing and audit
  • records of sanitisation of technology equipment prior to disposal, e.g. wiping of hard disks.

Note: Disposal of backups is covered by Normal Administrative Practice (NAP) as they are facilitative records. It is not good practice to rely on backups as official records of business as they are not considered to be reliable recordkeeping systems. There should be established and documented routines for the destruction of backups in accordance with NAP.

 Retain minimum of 7 years after action completed, then destroy
17.11.2 Records relating to suspected or proven breaches of security arrangements for technology and telecommunications systems. Records include:

  • reports on security leaks
  • records of investigations into alleged security breaches
  • records of referral of breaches to law enforcement authorities.
 Retain minimum of 7 years after action completed, then destroy
17.11.3

Records relating to requests and permissions for employees to access or connect to technology and telecommunications systems, e.g. local area networks, Internet, function specific systems etc.

Note: Records are related to system logs (see APPLICATION DEVELOPMENT & MANAGEMENT 17.2.6) as they provide permissions to access systems, and logs show what systems are accessed and by whom. They may be required for accountability, but the length of retention is dependent on the system, the organisation's specific practices and risks. Each organisation will need to conduct risk assessments to determine suitable retention periods for these records.

Retain in accordance with the organisation's requirements, then destroy

USER SUPPORT

The activities associated with administering user support services.

No Description of records Disposal action
17.12.1 Records relating to the administration of customer services relating to technology and telecommunications, e.g. help desks, request logs, and advice and assistance to internal business units. Retain minimum of 2 years after action completed, then destroy
17.12.2 Records relating to the development and review of charters, standards or guarantees relating to the provision of technology and telecommunications services to clients. Records include:

  • background research
  • reports analysing issues and the outcomes of consultation
  • final and significant draft versions.
 Retain minimum of 2 years after superseded, then destroy
17.12.3 Records relating to the routine usage of technology and telecommunications equipment, e.g. bookings to use laptops, videoconferencing facilities, data projectors etc. Retain until administrative or reference use ceases, then destroy