Can you do good records management if you don’t do good security management?

The New South Wales Audit Office has just criticised 40 of the largest NSW government agencies for failures in their information governance. The Department of Education, NSW Police, Treasury and Service NSW were all found to have shortfalls in both records management and the security management of their high-risk data.

Two of the findings common across agencies were:

• poor record keeping and document retention
• incomplete or inaccurate centralised registers or gaps in these registers

These issues actually go hand in hand. We can’t sentence and dispose of records if we don’t understand their risk and value. And we can’t manage risk and value if we can’t measure it – we need information asset registers for this purpose.

Good records management is good risk management. Why, after all, do we have different retention schedules? Because some data is more valuable than others, and losing it would detrimentally affect our business or stakeholders. And why do we do disposition at all? Because the cost and risk of retaining some types of information longer than necessary is too high.

And most large NSW agencies are not managing their information risk. They can’t identify, comprehensively, where their sensitive information is in order to apply correct records management to it:

Of the 68% of agencies that had conducted an exercise to find sensitive data, most did it by manual review and analysis. A smaller percentage undertook network or system scanning in support of creating sensitive data inventories. However, the Auditor-General found that “these inventories are not always complete and risks may be overlooked”.

It’s not possible for humans to stay across the sheer number of information assets we have in an organisation. Yet, it’s vital that we have comprehensive information asset registers, because you can’t manage what you can’t measure. We need to use our records control systems to automate the process of finding, classifying, tracking and alerting on high-risk and high-value data, in order to meet the expectations of our auditors and the wider community.

The Report stated that:

Agencies can improve processes to manage sensitive data by:
• identifying and maintaining an inventory of sensitive data through a comprehensive and structured process
• assessing the criticality and sensitivity of the data so that protection of high risk data can be prioritised.

And this is a task for records managers. Security is a core part of the records team’s role. We can’t do good records management if we don’t do good security management, and vice versa.