Aratohu whakahaere
Implementation guide
We’ve created this guide to help your organisation understand and apply the requirements of the Information and records management standard.
Information and records management standard
The Chief Archivist issued the Information and records management standard (16/S1) (the Standard) on 22 July 2016.
The purpose of the Standard is to ensure that business is supported by sound, integrated information and records management in complex business and information environments. This approach better reflects the way most organisations now manage their information assets.
Formats covered by the Standard
The Standard covers information and records in any format. It’s designed to support digital recordkeeping as the public sector continues transitioning to digital business processes.
Earlier standards
This Standard is the result of consolidating and streamlining requirements from these Archives New Zealand standards:
Records Management Standard for the New Zealand Public Sector 2014
S4 Access Standard 2006
S5 Digital Recordkeeping Standard 2010
AS/NZS ISO 13028: 2012, Information and documentation – Implementation Guidelines for digitization of records.
These standards have been revoked as standards issued by the Chief Archivist and incorporated into this Standard. Note: this does not mean revoked as an International Standards Organisation (ISO) standard or any other standard issued by another authority or legislation.
Further requirements for local authorities and approved repositories
Local authorities and approved repositories must also follow the:
How to implement the Standard
The Standard sets out 3 principles.
Principle 1: Organisations are responsible for managing their information and records.
Principle 2: Information and records management supports business.
Principle 3: Information and records are well managed.
Under each principle are listed:
the minimum compliance requirements
an explanation for each requirement, and
key guidance for implementing the requirements.
This guidance will be regularly added to.
Other guidance to use
Public offices and local authorities should use our Information Management Maturity Assessment and user guide to assess the strengths and weaknesses of their information and records management programmes. This helps determine where improvements are most needed.
Key guidance
1.2 Information and records management must be the responsibility of senior management. Senior management must provide direction and support to meet business requirements as well as relevant laws and regulations
Ultimate responsibility for information and records management lies with your organisation’s Administrative Head and senior management. They must provide clear direction and support, and ensure the following:
Information and records management meets business requirements, the law and regulations.
Responsibility for information and records management cascades down throughout your organisation, through various levels of management
Roles and responsibilities for staff at all levels of your organisation are identified and assigned in the strategy and policy. Strategic governance should also provide a foundation for information and records management procedures.
This requirement mirrors legislative obligations — for example, in the Public Service Act 2020 (s.52) and the Local Government Act 2002 (s.42(2)). It also reinforces the need for the Administrative Head and senior management to provide high-level direction and support — including ensuring adequate resourcing for information and records management.
Key guidance
1.3 Responsibility for the oversight of information and records management must be allocated to a designated role (the Executive Sponsor)
This requirement clarifies what was implicit in the previous standards.
Your Executive Sponsor oversees information and records management. They must be a senior manager with organisation-wide influence and appropriate strategic and managerial skills. Their role is to:
provide oversight of information and records management within your organisation— including monitoring of information and records management — to ensure it meets the needs of the organisation
ensure responses to monitoring and reporting requests from us.
The Executive Sponsor’s role and responsibilities should be included in your organisation’s IM strategy and policy. Your organisation must advise us of your Executive Sponsor, including:
when they’re appointed, and
when the role changes hands.
Key guidance
1.4 Organisations must have information and records management staff, or access to appropriate skills
Your organisation must have staff with information and records management skills — or be able to access this expertise.
Each organisation’s information and records management programme will likely need a range of different levels of responsibility and skills.
You must be able to access appropriate information and records management skills through recruitment, service providers and by networking with other organisations.
Your organisation must identify and assign staff responsibilities through the IM strategy and policy, job descriptions, performance plans and/or service agreements.
Key guidance
1.5 Business owners and business units must be responsible for ensuring that information and records management is integrated into business processes, systems and services
This requirement clarifies what was implicit in the previous standards.
Your organisation must identify business and system owners who are responsible for ensuring information and records management is included in all systems and processes used.
Those owners must be aware that information and records management requirements are needed when your organisation:
moves to a new service environment
develops new business processes, systems or services, or
changes existing business processes, systems or services.
These responsibilities must be identified and assigned in your IM policies and documented in job descriptions, performance plans and/or codes of conduct for all staff and contractors.
Business owners must demonstrate that they’ve considered information and records management requirements and assessed risks as part of any migration, development or improvement of systems or processes.
This requirement places responsibilities more broadly within your organisation. It reflects the need for business managers to have a detailed understanding of the information and records produced by — and necessary to perform — their work, and their role in ensuring its management.
Cascading responsibility to different business areas of your organisation enables business unit staff and information and records staff work together to ensure information and records management is integrated into all business processes, systems and services.
Key guidance
1.6 Staff and contractors must understand the information and records management responsibilities of their role. They must understand relevant policies and procedures
All staff of your organisation — including contractors — must understand their information and records management responsibilities.
Policies, business rules and procedures must include clear requirements for staff when creating and managing information and records.
Your organisation may contract external service providers to perform specified tasks. Information and records produced and managed in the performance of the contracted services need to be covered by your organisation’s policies and procedures. And contractors must know their information and records management responsibilities and the relevant policies and procedures.
Information and records management responsibilities must be identified and assigned in policies. Skills, capabilities and responsibilities must be assigned in job descriptions, performance plans and/or codes of conduct.
Key guidance
1.7 Information and records management responsibilities must be identified and addressed in all outsourced and service contracts, instruments and arrangements
This requirement clarifies what was implicit in the previous standards.
Your organisation must ensure information and records management is addressed in all service contracts, instruments and arrangements.
Your organisation’s strategy and policy must include responsibilities to ensure information and records requirements are identified and addressed. You must undertake risk assessments and address information and records management requirements in contracts, instruments and arrangements your organisation agrees to.
Service contracts, instruments and arrangements may include:
functions, activities, or services outsourced to an external provider
functions, activities, or services moved to cloud services or other service providers (internal or external to the New Zealand public sector).
You must ensure the portability of your organisation’s information and records and associated metadata is assessed and appropriately addressed in any outsourced and service contracts, instruments and arrangements.
Key guidance
- Outsourcing business ⟩
- Cloud services ⟩
- Information and records management strategy ⟩
- Information and records management policy development ⟩
- Artificial intelligence and public and local authority records ⟩
- Microsoft 365 ⟩
- Read the care records definition ⟩
- Temporary care records protection instruction ⟩
-
Standard for information sharing with third parties ⟩
-
data.govt.nz — New Zealand Data and Information Management Principles ⟩
-
NZ Digital Government: Cloud services ⟩
-
NZ Digital Government: Security ⟩
-
NZ Digital Government: Privacy ⟩
-
NZ Government Procurement ⟩
1.8 Information and records management must be monitored and reviewed to ensure that it is accurately performed and meets business needs
To ensure your organisation is meeting its business needs and conforming to any legislative requirements, you must regularly monitor its:
information and records management activities
systems and processes, including outsourced activities, systems and processes.
You must address any issues identified through this monitoring in a corrective action plan.
You must monitor activities such as process and system audits of systems that are high risk, high value, or both. You should integrate any system of assurance for information and records management into your wider organisational assurance processes.
Your Executive Sponsor has responsibility for overseeing this monitoring.
Key guidance
Principle 2: Information and records management supports business
Information and records management ensures the creation, usability, maintenance and sustainability of the information and records needed for your organisation’s business operations. It also ensures these operations meet government and community expectations.
By analysing or appraising your organisation’s business activities, you can define its key information and records requirements. Appraisal is an analysis process used to plan, design and embed information and records management into business processes and systems.
Taking a planned approach to information and records management means:
considering all operating environments
ensuring all service and systems arrangements consider the creation and management of information and records needed to support business.
2.1 Information and records required to support and meet business needs must be identified
This requirement provides the foundation for managing information and records in all environments.
By analysing your organisation’s functions, activities and risks, you can identify what information and records it needs to support business. This analysis can also identify other requirements, including te Tiriti o Waitangi | Treaty of Waitangi obligations, and government and community expectations.
This analysis work provides the foundation for understanding what information and records your organisation needs to create and maintain. It identifies what systems and business processes are high-risk and high-value for your organisation, and the information and records required to support these.
You should incorporate this analysis into comprehensive and authorised disposal authorities for your organisation’s information and records.
Decisions about what information and records are needed now and in the future should be documented in your organisation’s business rules, policies and procedures. These decisions must also be reflected in specifications for systems and metadata schema.
Key guidance
- High-value and high-risk information and records ⟩
- Appraisal of information and records ⟩
- Information assets overview ⟩
- Information assets: Management ⟩
- Information assets: Identification ⟩
- Minimum requirements for metadata ⟩
- Disposal authorisation ⟩
-
Appraisal statement ⟩
- Public sector archival selection statement ⟩
- Read the care records definition ⟩
- Temporary care records protection instruction ⟩
- Taonga Tuku Iho ⟩
- Te Tiriti o Waitangi settlements and government records ⟩
-
ISO 15489-1 Information and documentation: Records management Part 1 — Concept and principles, section 7 ⟩
-
Association of Local Government Information Management (ALGIM): Information Management Toolkit ⟩
2.2 High-risk and high-value areas of business, and the information and records needed to support them, must be identified and regularly reviewed
Your organisation must identify the areas of high-risk, high-value, or both of its business. This allows you to better prioritise how you manage, maintain the information and records they need.
You must identify likely or potential risks to high-risk or high-value information and records and manage or mitigate them. This includes protecting the systems that manage these information and records from misuse, loss and damage.
You should set up appropriate security measures. You also need preservation, disaster recovery and business continuity strategies and plans.
By identifying high-risk and high-value information and records at creation, your organisation can better manage and use these core information assets.
Key guidance
- High-value and high-risk information and records ⟩
- Disposal of information and records ⟩
- Information assets: Management ⟩
- Integrated information and records systems ⟩
-
SA/SNZ HB 436 Risk management guidelines: Companion to AS/NZS ISO 31000 ⟩
-
AS/NZS 5050 Business continuity: Managing disruption-related risk ⟩
-
ISO 15489-1 Information and documentation — Records Management Part 1: Concepts and principles ⟩
-
SA/SNZ TR 18128 Information and documentation: Risk assessment for records processes and systems ⟩
-
Association of Local Government Information Management (ALGIM): Information Management Toolkit ⟩
2.3 Information and records management must be design components of all systems and service environments where high-risk/high-value business is undertaken
This requirement clarifies what was implicit in the previous standards.
In complex business and systems environments, it is important to consider information and records management requirements from the start. This is particularly important where the business involved is high-risk, high-value, or both.
Your organisation must include information and records management requirements when designing or updating business systems and service environments which create high-risk and/or high-value information and records. This will enable you to manage and use the information and records appropriately.
Your organisation must also consider how to make systems development, maintenance, migrations and decommissioning easier. In taking a ‘by design’ approach, you can ensure systems specifications include:
requirements for managing information and records that are high-risk, high-value, or both
requirements for minimum metadata necessary to support information and records identification, usability, accessibility and context
adequate documentation about the systems design, configuration and any changes made over time.
Migrating and decommissioning systems can be expensive and time-consuming. Your organisation may hold insufficient documentation about:
the information and records held in the systems
the configuration of the systems
the disposal requirements for information and records held in the systems.
Key guidance
2.4 Information and records must be managed across all operating environments
Physical information and records are only part of your organisation’s ‘operating environment’ and this requirement widens the Standard to better cover digital information and records.
If you know what information and records assets your organisation has — and where they’re located and managed — you can better control them. By maintaining visibility of information and records, no matter what system is used or where the information and records are stored, your organisation can better protect these assets.
Information and records assets can be held in diverse systems environments, including third-party systems in the cloud, by service providers, and in a range of physical locations.
By identifying where your information and records are held, you can better manage them across diverse systems, storage environments or physical locations. You can also control their appropriate sharing, access and preservation.
Your organisation must have clear controls and processes when migrating information and records and their associated metadata from one system to another. This includes proper testing.
You need to manage these processes to deliver information and records that are:
accessible
reliable, and
trustworthy.
Maintaining appropriate system documentation will help ensure:
information can be accessed and shared
systems can integrate and work well together.
Key guidance
- Cloud services ⟩
- Best practice guidance on digital storage and preservation ⟩
- Text messages and other communications ⟩
- Storage of physical records ⟩
- Information assets: Management ⟩
- Managing websites as records ⟩
- Physical storage and preservation of protected information ⟩
- Using public cloud services ⟩
- Microsoft 365 ⟩
- Audiovisual storage ⟩
- Care of motion picture film ⟩
-
Data.govt.nz: New Zealand Data and Information Management Principles ⟩
-
NZ Digital Government: Security ⟩
-
NZ Digital Government: Privacy ⟩
-
Association of Local Government Information Management (ALGIM): Information Management Toolkit ⟩
2.5 Information and records management must be designed to safeguard information and records with long-term value
This requirement ensures that your organisation identifies which systems and service environments hold information and records with long-term business value or permanent archival value. This requirement builds on Requirements 2.1 and 2.2.
Once you know what information and records your organisation needs long-term and where they’re kept, you can safeguard and manage them.
Information and records required for the long term will outlive both the systems in which they’re managed, as well as any outsourcing arrangements or contracts with service providers. You must ensure you plan for and manage the protection of long-term value or archival value information and records during any system transitions or service changes.
Your organisation must also protect these information and records during changes in administration and through changes in the machinery of government. This includes when information and records are transferred between organisations with functions.
To help with identifying long-term value or archival value information and records, you should refer to your organisation’s authorised disposal authorities.
Key guidance
2.6 Information and records must be maintained through systems and service transitions by strategies and processes specifically designed to support business continuity and accountability
This requirement makes the Standard’s focus more explicit to include both physical and digital information and records.
Your organisation must ensure that information and records are managed appropriately through system migrations and service transitions — including upgrades of systems and services offered in cloud environments.
You must have documented migration strategies and appropriate planning and testing processes. These must ensure information and records are not ‘left behind’ or disposed of unlawfully.
You must use a managed process to migrate information and records and associated metadata from one system to another. The process must be managed to deliver information and records that are accessible, reliable and trustworthy. Maintaining appropriate system documentation will help to make migration strategies successful.
You must use migration and decommissioning processes that ensure information and records are kept for as long as needed for business, legal requirements (including in line with authorised disposal authorities), and government and community expectations.
This requirement builds on requirements 2.2 and 2.5. These require that information and records that are high-risk, high-value and/or of long-term value are supported and migrated appropriately.
The portability of information and records and associated metadata must be assessed in any outsourced or service arrangements your organisation has. Such arrangements must include provisions for transferring the information and records back to your organisation.
Key guidance
Principle 3: Information and records are well managed
Effective management underpins trustworthy and reliable information and records that are accessible, usable, shareable and maintained. This management extends to information and records in all:
formats (and associated metadata)
business environments
types of systems
locations.
3.1 Information and records must be routinely created and managed as part of the normal business practice
Policies, business rules and procedures must inform staff in your organisation about their responsibilities for creating, capturing and managing information and records.
Your organisation must regularly monitor and assess or audit its information and records management practices to demonstrate that these business rules, procedures and systems are compliant and operating routinely.
You must identify, resolve and document any exceptions affecting the integrity, accessibility or usability of your organisation’s information and records.
Your organisation’s staff and contractors must conform to these policies, business rules and procedures, to ensure information and records are routinely created and managed.
The Executive Sponsor is responsible for overseeing this monitoring. This requirement builds on the earlier principles in the Standard, particularly requirement 2.1.
Key guidance
- Effective information and records management ⟩
- Information and records management policy development ⟩
- Integrated information and records systems ⟩
- Monitoring ⟩
- Executive sponsor: Roles and responsibilities ⟩
- Courts Sponsor role and responsibilities ⟩
- Artificial intelligence and public and local authority records ⟩
-
ISO 15489-1 Information and documentation — Records Management Part 1: Concepts and principles ⟩
-
Association of Local Government Information Management (ALGIM): Information Management Toolkit ⟩
3.2 Information and records must be reliable and trustworthy
Your organisation’s information and records must have enough available metadata to ensure they are complete, reliable and trustworthy.
Information and records must be accurate, authentic and reliable as evidence of your organisation’s transactions, decisions and actions. This requirement ensures information and records have appropriate minimum metadata to provide meaning and context, including te reo Māori terms. It also ensures that this metadata remains persistently associated or linked with the information and records.
You must undertake regular assessments or audits to demonstrate your management controls of business rules, procedures and systems are operating correctly. This provides assurance of the integrity of the information and records created and managed by your organisation.
This requirement builds on the earlier principles in the Standard.
Key guidance
- Metadata for information and records ⟩
- Minimum requirements for metadata ⟩
- Checksums overview ⟩
- Monitoring ⟩
- Taonga Tuku Iho ⟩
-
AS/NZS 5478 Recordkeeping metadata property reference set ⟩
-
ISO 15489-1 Information and documentation — Records Management Part 1: Concepts and principles ⟩
-
ISO 23081-1 Metadata for records: Principles ⟩
-
AS/NZS ISO 23081-2 Metadata for records: Conceptual and implementation issues ⟩
-
AS/NZS ISO 23081-3 Managing metadata for records: Self assessment method ⟩
-
Association of Local Government Information Management (ALGIM): Information Management Toolkit ⟩
3.3 Information and records must be identifiable, retrievable, accessible and usable for as long as they are required
Your organisation’s information and records must be identifiable, retrievable from storage (physical or digital), and accessible, usable and reusable for as long as required.
To maintain the accessibility and usability of physical information and records, you must store them in appropriate storage areas and conditions.
To maintain the accessibility and usability of digital information and records, you must ensure they are regularly migrated or moved from one system or platform to another.
Members of the public, your staff and partner organisations need to find the information and records they need, when they need them. To make this happen, information and records must be easy to access and easy to find.
You must ensure appropriate minimum metadata (including te reo Māori terms) for your information and records is in place. This ensures their context, content and structure can be identified, retrieved and shared through time.
Your organisation must regularly check all storage environments and test all systems holding information and records. You must also perform assessments or audits to demonstrate these systems can locate and produce information and records that people can read and understand.
This requirement builds on the earlier principles in the Standard.
Key guidance
- Care of motion picture film ⟩
- Audiovisual storage ⟩
- Storage of physical records ⟩
- Best practice guidance on digital storage and preservation ⟩
- Metadata for information and records ⟩
- Minimum requirements for metadata ⟩
- Maintenance of public archives ⟩
- Web archiving ⟩
- Using public cloud services ⟩
- Cloud services ⟩
- Microsoft 365 ⟩
- Physical storage and preservation of protected information ⟩
-
Standard for information sharing with third parties ⟩
-
ISO 15489-1 Information and documentation — Records Management Part 1: Concepts and principles ⟩
-
Association of Local Government Information Management (ALGIM): Information Management Toolkit ⟩
3.4 Information and records must be protected from unauthorised or unlawful access, alteration, loss, deletion and/or destruction
Your organisation must secure and protect its information and records.
You must implement an information security policy and appropriate security mechanisms. The policy must cover information and records held physically and digitally.
Security measures must include:
access and use permissions in all systems that manage information and records
processes to protect information and records no matter where they are located — including in transit and outside the workplace
secure physical storage facilities.
Undertaking regular risk assessments or audits will help you verify that access controls have been implemented appropriately and are working.
To manage the storage of your organisation’s information and records, you should develop a storage plan that covers all types of information and records and where they are located.
Information and records stored in data centres, digital repositories and the cloud have specific requirements to ensure the same level of security and protection as those held onsite. Ensure your storage plan includes off-site storage management and how to mitigate risks associated with outsourcing.
Key guidance
- Maintenance of public archives ⟩
- Physical storage and preservation of protected information ⟩
- Access decisions ⟩
- Public access to information and records ⟩
- Storage of physical records ⟩
- Best practice guidance on digital storage and preservation ⟩
-
NZ Digital Government: Security ⟩
-
NZ Digital Government: Privacy ⟩
-
Ombudsman: Official information guides ⟩
-
ISO 15489-1 Information and documentation — Records Management Part 1: Concepts and principles ⟩
-
Association of Local Government Information Management (ALGIM): Information Management Toolkit ⟩
3.5 Access to, use of, and sharing of information and records must be managed appropriately in line with legal and business requirements
This requirement builds on the requirements in Part 3 of the Act.
Your organisation must ensure that access to, use and sharing of information and records, wherever located, are in line with legal requirements. This includes:
the Official Information Act 1982
the Local Government Official Information and Meetings Act 1987
the Privacy Act 2020
the Health Information Privacy Code 1994
organisational policies, business rules and procedures.
Regularly assessing or auditing systems that manage your organisation's information and records will help verify that access to, use, reuse and sharing of this information and records is managed in line with:
business requirements
relevant legal obligations.
Under the Act, all public information and records that are 25 years old or more must be declared as either ‘open access’ or ‘restricted access’. This applies no matter what their value is or where they are held.
If your organisation transfers information and records to us that have been appraised as having archival value before the 25-year limit, you must declare their access status. This is part of our transfer requirements.
Key guidance
3.6 Information and records must be kept for as long as needed for business, legal and accountability requirements
Your organisation must implement policies, business rules and procedures to ensure information and records are kept for as long as required — and to identify how their disposal or final fate is managed.
These policies, business rules and procedures must be in accordance with the requirements of the Act and authorised disposal authorities.
Your physical and digital information and records must be ‘sentenced’. This means using a disposal authority to decide whether to keep, destroy or transfer them. Disposal must be in line with the instructions set out in disposal authorities authorised under the provisions of section 20 of the Act. This includes information and records located in:
business systems
outsourced or service arrangements, or
off-site storage.
When authorised and no longer needed for business purposes, information and records of archival value must be transferred to:
Archives New Zealand
an approved repository, or
a local authority archive.
Key guidance
3.7 Information and records must be systematically disposed of when authorised and legally appropriate to do so
This requirement builds on the earlier principles in the Standard.
Your organisation must implement policies, business rules and procedures that identify how the disposal or final fate of information and records is managed. This includes:
assigning responsibility for sentencing and disposal of information and records
applying disposal authorisation processes
implementing disposal actions
deleting metadata
decommissioning systems
documenting the disposal of information and records.
Your organisation must be able to track and explain how it disposes of its information and records in:
business systems
outsourced arrangement
off-site storage.
You must maintain evidence that all disposal is permitted and authorised under current, approved disposal authorities. Disposal must also follow all legal requirements, including the Act.