It is important to preserve the structural and informational integrity of records so they can be used with confidence for as long as required, and to protect and realise the upfront investment in them as information assets. Maintaining the integrity of records means:
• protecting them from alteration, damage or destruction, whether intentional or unintentional
• preventing their deterioration, and
• ensuring they remain usable.
Factors threatening the integrity of records include:
• uncontrolled or unauthorised access and use
• poor storage conditions
• inappropriate handling practices
• large- and small-scale environmental hazards
• degradation of storage media, and
• technological obsolescence.
Assessing and mitigating the impact of these risk-factors is normal, prudent business practice. In most cases, protecting the content and structure of records is more important than preserving them in a pristine state.
Digital records are particularly vulnerable to some of these risk-factors, including inappropriate access (see principle 4), degradation of storage media and technological change. It is prudent therefore to make early plans for their protection and ongoing maintenance, including the likely need to migrate them between file formats and applications, and from one storage location to another.
REQUIREMENTS
6.1 Records must be secure
Guidance
Assess security risks to records and plan and implement protective security arrangements for them. Align these with organisational security protocols. These arrangements may include measures relating to personnel, physical, communications, computer and technical security. Include records stored on-site and off-site, including in cloud-based services, and records being created and maintained by contractors.
Identify sensitive or security classified records and follow applicable security guidelines for them, such as those in the Security in the Government Sector (SIGS) manual (pdf file) and the New Zealand Information Security Manual (NZISM). Establish reasonable safeguards to protect personal information in line with Principle 5 of the Privacy Act .
Manage the security of your organisation’s IT systems in line with best-practice requirements, such as those set out in the ISO 27000 series of Standards.
6.2 Records must be protected from natural and man-made hazards
Guidance
Assess and reduce the risks of damage and destruction to both your organisation’s physical and digital records. Take into account:
• general environmental factors: light, heat, humidity, dust, pollutants, insects, rodents, mould and power outages
• building location: vulnerability to floods, earthquakes, fires and volcanic eruptions
• location in building: vulnerability to flammable finishes or furnishings, chemicals, water leaks, and electromagnetic interference generated by power plants, elevator shafts, power cables and lighting conductors.
6.3 Records must be stored on appropriate media or hardware, and in suitable containers and locations
Guidance
When choosing storage media or hardware factor in the value of records, their retention periods and their level of use. Determine baseline stability and reliability requirements and select media and hardware meeting those requirements.
Place records and media in containers such as cases, covers and boxes, to protect and preserve them.
When choosing appropriate storage media for records, factor in the availability and longevity of hardware needed to access that media.
Choose suitable storage locations for records, media and hardware, taking into account the hazards described in requirement 6.2 above. Store copies of high-value or vital records in a different location to minimise the risks posed by these hazards.
6.4 At-risk records must be identified and managed appropriately
Guidance
Promote awareness of vital organisational records, records with long-term value, records older than 25 years, and records stored close to hazards, in sub-optimal conditions, or on media with known stability issues, such as acetate film and low quality CDs. Take action to reduce or eliminate significant risks to the integrity of records (see requirement 6.7).
6.5 Business continuity and disaster management planning must address the protection and salvage of records
Guidance
Incorporate records management requirements into your organisation’s business continuity and disaster management planning. Focus on prevention, preparedness, hazard identification, response and recovery.
Set appropriate response times and salvage actions in the event of a disaster. Prioritise the protection and salvage of high-value records. Regularly review and test your organisation’s plans and make staff familiar with them (see also requirement 4.2 ).
6.6Physical records and digital records held on removable media must be stored in conditions that ensure their safe care and custody .
These records must be:
• stored in buildings with fire protection systems and equipment compliant with the New Zealand Building Code
• stored above floor-level using shelving or equipment appropriate to the format of the records or the size of the storage media
• stored away from sunlight and artificial light
• stored away from magnetic interference, if they are digital records held on removable media
• arranged in an orderly manner, and
• retrieved, handled and re-shelved in accordance with set procedures.
Guidance
Contact Archives New Zealand for further advice on the storage of physical records and digital records held on removable media.
Make best-practice arrangements for the networked storage of digital records. Use recognised IT service management or governance frameworks, such as ITIL and COBIT , and emphasise data integrity objectives.
6.7 Inactive physical records and inactive digital records held on removable media must be identified and stored in a dedicated storage area
Guidance
Inactive records are those no longer required for the conduct of business. Storing inactive records in a suitable storage area, such as a sole-purpose room or separate building or with a commercial storage provider, will:
• make it easier to manage records through to disposal
• reduce the risk of losing records
• improve the security of records
• make it easier to manage environmental hazards
See also requirement 6.8.
6.8 Dedicated storage areas for inactive physical records or for inactive digital records held on removable media must ensure the preservation of those records in a usable form
These storage areas must:
• be located in buildings which comply with the provisions of the New Zealand Building Code in force at time of construction and with any associated codes and standards
• have adequate floor loading capacity
• have drainage systems adequate to prevent flooding or must be located in buildings with drainage systems adequate to prevent flooding
• be insulated from the outside climate
• be protected from internal hazards
• be maintained over time in accordance with a documented maintenance programme
• be intruder resistant and have an alarm system or be located within buildings that are intruder resistant and have an alarm system, and
• be kept clean and free of pests such as rodents and insects.
Store your organisation’s inactive physical records and inactive digital records held on removable media in dedicated areas that are designed and maintained to:
• provide a safe and secure environment for records, and
• mitigate the risks associated with storing large volumes of records closely together.
For further information refer to the following pages: Public Records Act , Local Authorities and Resources and Guides .