«Disaster preparedness and response for public records A guideline for Queensland public authorities Queensland State Archives December 2012 Security ...»
Disaster preparedness and
response for public records
A guideline for Queensland public authorities
Queensland State Archives
Security classification: PUBLIC
Department of Science, Information Technology and Innovation
Security Classification PUBLIC
Date of review of security classification December 2012
Authority Queensland State Archives
Author Queensland State Archives Document Status Final version Version Version 1.0 Contact for enquiries
All enquiries regarding this document should be directed in the first instance to:
Government Recordkeeping unit Queensland State Archives firstname.lastname@example.org Copyright Disaster preparedness and response for public records Copyright © The State of Queensland (Department of Science, Information Technology, Innovation and the Arts) 2012 Licence Disaster preparedness and response for public records by Queensland State Archives is licensed under a Creative Commons Attribution 3.0 Australia Licence. To view a copy of this licence, please visit http://creativecommons.org/licenses/by/3.0/au/.
Information security This document has been security classified using the Queensland Government Information Security Classification Framework (QGISCF) as PUBLIC and will be managed according to the requirements of the QGISCF.
Page 2 of 38 Disaster preparedness and response for public records Table of contents Introduction
Disaster preparedness and response for public records
Stage 1: Planning - Assessing risk
Stage 2: Prevention - Reducing risk
Stage 3: Response - Initiating the plan
Stage 4: Recovery - Commencing restoration
Appendix A - Legislative and regulatory requirements
Appendix B – Risk assessment templates
Appendix C – Critical recordkeeping identification checklist
Appendix D – Sample records policy template
Appendix E – Resource list / Incident response kit content
Appendix F – Sample content for a public authority’s disaster preparedness and response plan
Appendix G – Risk treatment and schedule template
Appendix H – Damaged Records Documentation List
Appendix I – Example salvage procedures for drying a small quantity of water-damaged records
Introduction Purpose This guideline is designed to assist public authorities in developing disaster preparedness and response plans for public records and related recordkeeping systems. An appropriately designed and implemented disaster preparedness and response plan will help to protect and recover records to ensure their preservation for as long as they are required for business, legislative, accountability and cultural purposes.
Further benefits of disaster planning include:
vital record and information asset identification and preservation
This guideline aims to protect and recover public records in the instance of a disaster by:
increasing awareness of public authorities recordkeeping responsibilities providing records management advice and tools to prepare for and respond to disasters.
This document provides direction and links to tools for public authorities to draw on when preparing their disaster preparedness plan for public records and recordkeeping systems in line with their organisation’s broader business continuity, Information Communication Technology (ICT), emergency plans and risk management activities.
Audience The guideline is for Queensland public authorities as defined in Schedule 2 of the Public Records Act 2002 to assist in the development and/or review of disaster management plans for the protection and recovery of public records in the event of a disaster.
The intended audience includes public authority staff with responsibility for developing records disaster preparedness and response plans. This may include: records management staff, chief information officers, auditors, consultants, and other public authority staff responsible for the management of public records.
Authority The State Archivist has issued this advice in accordance with section 25(1)(f) of the Public Records Act 2002 (the Act), which enables the State Archivist to make policy, standards, and guidelines about the making, keeping, preserving, managing and disposing of public records in any format.
See Appendix A for a summary of the associated legal and regulatory framework.
1Council of Australian Governments (2011) National Strategy for Disaster Resilience: Building our nation's resilience to disasters http://www.coag.gov.au/node/81.
Public authorities are responsible for determining which of their records are to be included in their
disaster preparedness plan. The records selected should include those:
deemed permanent for retention under an approved Retention and Disposal Schedule vital to business continuity.
Scope The Disaster preparedness and response for public records guideline is intended to assist public authorities to develop a disaster preparedness plan specifically for public records. This guideline is intended for Queensland public authorities, as defined in Schedule 2 of the Act. It applies to all
that are in the custody of a private entity or Commonwealth agency by way of contractual agreements with a Queensland public authority.
This guideline is not intended to be a definitive or exhaustive set of rules to be applied in any situation, nor does it endorse any specific tools or products to manage, salvage or restore public records.
Definitions The following key terms relate to disaster preparedness planning and are used throughout this
Business continuity plan (BCP) Business continuity addresses organisational recovery following a disaster. It assumes preventative measures have failed and an incident has occurred interrupting normal business to the extent corrective action is required. The Business Continuity Plan (BCP) describes actions, and the responsible parties for carrying out those actions, in response to an incident with the objective of restoring normal business operation as soon as possible2.
Disaster A disaster is a condition or situation of significant disruption, destruction, and/or distress to a particular community3.
Disaster preparedness and response plan Disaster preparedness and response plans for public records, as described in this guideline, provide step-by-step processes for protecting, preparing for, and recovering public records from disaster events4. This plan should complement, and be integrated with a public authority’s broader 2 http://www.qgcio.qld.gov.au/qgcio/resources/glossary/Pages/glossaryb.aspx 3 http://www.em.gov.au/Documents/Manual01-EmergencyManagementinAustralia-ConceptsandPrinciples.pdf 4 National Archives of Australia (2000), Disaster Preparedness Manual for Commonwealth Agencies.
An emergency management plan is a range of policies, procedures and information outlining actions to be taken to manage risks to a particular community and the surrounding environment5.
ICT disaster recovery plans are concerned with restoring ICT services when a disruptive incident occurs6. ICT enabled public records should be an element of these plans.
Vital records are those that an agency could not continue to operate without. They are irreplaceable, or would require significant resources to recreate, and contain information needed to re-establish the agency in the event of a disaster and satisfy ongoing core business responsibilities. Vital records are those which protect the assets and interests of the agency as well as those of its clients and shareholders and are usually associated with legal and fiscal matters.
Further records and information management terms are defined in Queensland State Archives’ Glossary of Archival and Recordkeeping Terms.
Related resources A toolkit of resources is available to accompany this guideline, including attached appendices and
the following advices available on the QSA website:
These resources contain more targeted information on key messages covered within this guideline.
5 Ibid 6 http://www.qgcio.qld.gov.au/qgcio/resources/glossary/Pages/glossaryi.aspx
Acknowledgements Queensland State Archives (QSA) acknowledges the extensive work undertaken by National Archives Australia, State Records New South Wales, and State Records of South Australia, of which QSA has drawn substantial information from in developing this guideline.
Background Disasters, whether natural or man-made, occur regularly across Australia and can pose a significant risk to public records. For example, in late 2010 to January 2011 flooding was widespread across Queensland due to severe rain events which caused local rivers to flood.
During this event, several public authorities suffered water damage and losses to some public records.
In 1994 a transformer exploded at an electricity substation in Victoria, causing fires under a records archive facility which was located on the floor above. While the fire did not spread to the record holdings, soot and smoke caused damage to records. A professional salvage company was called in to clean and remove the soot from over 25,000 records7.
A more regularly occurring disaster in records management is pest infestation which can have catastrophic impacts on public records. In 2009 a large Australian collection experienced a major infestation of cigarette beetles in hundreds of bound records. This required a vast quantity of records to be frozen and cleaned page by page in an effort to salvage affected material8.
Public authorities are also at risk of other potential disasters impacting on records including but not limited to pipe breakages, electrical malfunctions, and technology failures9. Such disasters have the ability to irreparably damage public records. However, disaster preparedness and response planning as part of an organisation’s broader business continuity plan, can work to mitigate the risks of such disasters on public records.
Disaster preparedness and response for public records There are numerous definitions for ‘disasters’. However, for the purpose of this guideline ‘disasters’ will be viewed as a situation of disruption and/or significant destruction, to public records and/or related recordkeeping systems.
A disaster is considered to be dependent not on the scale of damage, but on the effect it creates.
For example, a water leak affecting one shelf of a public authority’s records may only be a smallscale event, but would be considered a ‘disaster’ if the material affected were vital records and may result in financial loss or legal action if the records were unsalvageable10.
7 State Records of New South Wales (2002) Guidelines on Counter Disaster Strategies for Records and Recordkeeping Systems.
8 http://www.abc.net.au/local/stories/2009/07/21/2632267.htm 9 Ibid; State Records South Australia (2007) Records Management Disaster Planning Guideline.
Page 7 of 38Department of Science, Information Technology and Innovation
The actions of analysing and mitigating potential risk, planning for response and recovery, is referred to as disaster preparedness and response planning. Disaster preparedness and response planning for public records should be undertaken in conjunction with a public authority’s broader business continuity, ICT and emergency plans as these processes are inextricably linked11.
Disaster preparedness and response planning for public records should address the four stages of
general disaster preparedness planning as follows:
Plan - identify public records across the organisation, both physical and digital, and identify potential risks to these records and related recordkeeping or business systems Prevent – examine the likelihood of those risks occurring and reduce the possible impact should
those risks occur by undertaking necessary activities to reduce their likelihood and/or impact:
establish a disaster preparedness plan to protect and recover public records in the event of a disaster Response - initiate the disaster preparedness and response plan and deploy resources to protect and secure public records from significant impact Recovery – salvage and restore any affected records and recordkeeping operations to allow business operations to resume as usual12.
This guideline explores these four stages and provides practical advice on how to undertake risk assessment, planning, vital records identification and management, response and recovery activities, in order to prepare for disasters and minimise their impact on public records and related recordkeeping systems. This plan should complement and integrate with a public authority’s broader ICT disaster recovery plan, to include any ICT enabled public records and recordkeeping systems.
11National Archives of Australia (2000), Disaster Preparedness Manual for Commonwealth Agencies.
12State Records of New South Wales (2002) Guidelines on Counter Disaster Strategies for Records and Recordkeeping Systems.
Stage 1: Planning - Assessing risk A public authority’s disaster preparedness and response plan for public records and recordkeeping systems should complement the organisation’s larger BCP, ICT and emergency response plans
and risk management activities. The disaster preparedness plan should be supported by:
a clear policy mandating the plan and defining responsibilities