Back To Blog

Would Your Organisation Pass a Sensitive Record Management Audit?

Would Your Organisation Pass a Sensitive Record Management Audit?

Local governments are charged with providing the best, most-efficient and highly transparent service to their local residents. Rules and policies often are put in place to ensure these governments comply.

Unfortunately, these efforts fall short all too often, costing taxpayer dollars, leading to less-informed decisions from elected officials and even potentially exposing residents’ private information.

A recent audit of Western Australian local governments’ record keeping exposed widespread failure to properly maintain records, particularly digital records, which are the most susceptible to security threats.

The Western Australian Auditor General’s Report, “Records Management in Local Government,” outlines how local governments need to improve policies and procedures for record keeping, increase staff training and monitoring regarding record keeping, handle disposal of records in a more-timely fashion and provide adequate protection of digital records.

About the Audit

The 137 local governments and 9 regional councils in Western Australia have complied with state regulations to have a record-keeping plan, approved by the State Records Commission, in place and properly updated. The auditors reviewed four governments:

City of Canning

Eastern Metropolitan Regional Council

Shire of Toodyay

Town of Mosman Park

Auditors examined human resource records, planning approval records and health inspection records. For EMRC, sampled records included complaints and waste management records.

The Findings

The audit’s key findings were:

The local governments did not have adequate policies and procedures in place to support the plans

Record-keeping implementation is poor because of lack of ongoing training, monitoring of employees and failure to delete records in a timely manner.

Important records frequently were difficult or impossible to find, particularly digital records, and records were stored outside record management systems.

While protection of physical records generally was good, protection of digital records was lacking.

Lack of Policies and Procedures

Though all four entities had records management policies, they where inadequate and often had not been updated to reflect the current record-keeping plan.

None of the policies clearly assigned the role and responsibility of record keeping within various departments. This frequently leaves decisions about record keeping up to the individual, so they can vary greatly and stray from the plan. Also the policies do not directly address different business practices of various agencies.

The growing use of social media by government organisations and digitisation of records also are not reflected in the policies.

Implementation Weaknesses

While all four governments provide record-keeping training for new employees, none offer or require any ongoing training. Only 1 of the four offers job-specific training in record keeping, which is important because different departments will have differing record-keeping requirements. None of the governments kept adequate records on which employees had received training.

Of even greater concerns is that none of the governments have regular, periodic monitoring of their employees record keeping. Three of the four were found to do a limited monitoring, which was deemed to be inadequate, and the fourth did no monitoring. Without monitoring, governments have no way to determine if their training is sufficient and if record keeping is in compliance.

Governments also were hanging on to records beyond the requirements set down by the state. Only two of the four governments had a system in place to dispose of physical records on a regular schedule, and none of the four had a system for disposal of digital records. Maintaining records past their prescribed dates slows records searches, risks exposure of personal data and costs money, even for digital storage.

Record Mismanagement

Three of the four governments had records that could not be located when auditors requested them. All four had records stored outside their record managements systems.

Among the documents that were unavailable during spot checks were contract documents; human resources records such as required background checks, reference checks and job description; property planning materials such as assessments and copies of certificates of titles; and complaint correspondence.

Keeping well-maintained records improves decision-making and saves precious staff time when records can be found quickly.

All four governments stored records on business systems that were outside their record keeping systems identified in their plans. These business systems did not have the search capabilities to quickly find records. In one instance, sensitive human resource records were stored on a system without proper access security.

Record Protection

All four entities had generally good protection of their physical records, with keyed or code restricted access, good climate control, fire protection and suppression and disaster recovery kits.

The governments were at various stages in the development of disaster recovery plans for their records, however, none had adequate plans for disaster recovery for digital records. And though most were doing regular backups of their digital records, none had implemented testing to ensure those backup records were functioning. Without that testing, agencies have no idea how quickly they will be able to recover digital records in the case of a disaster.

Better Practice Principles

The auditors outlined six principles they believe local governments should follow to create a better record-keeping system. They describe the principals as:

Proper and Adequate Records: Create proper records, and have the storage system to quickly retrieve the records.

Policies and Procedures: Have up-to-date policies and procedures to match your record-keeping plan and match specific jobs.

Language Control: Have a system to identify and name records.

Preservation: Protect and preserve records, both physical and digital, and implement and test your disaster recovery plan.

Retention and Disposal: Retain record properly and schedule disposal at regular intervals to meet state guidelines.

Compliance: Provide refresher training and monitor staff to ensure record-keeping compliance.

You also can see the State Record Office’s Recordkeeping Standards and Policies.

Get a Handle on Social Media Records

If your local government has taken advantage of social media to open new channels of communication to your local residents, you too might be struggling with the record-keeping challenge. Brolly offers all the features you need to maintain compliance.

Brolly allows you to connect unlimited social media accounts and stores your data securely on Australian-based servers.

Brolly captures your content in real-time, recalls deleted posts and ensures all edits are easy to reference. Brolly takes embedded link screenshots and original source screenshots to provide full context of each engagement.

And Brolly’s powerful search functions make record searches fast and accurate. Contact us today to start developing a customised plan for your organisation.