Records Management Policy
1. Purpose
1.1 The Records Management Policy (the policy) provides a framework to ensure full and accurate records are created, captured and managed for all UTS activities in support of UTS’s business requirements and compliance obligations, including compliance with the State Records Act 1998 (NSW) (State Records Act).
2. Scope
2.1 This policy applies to all UTS staff and affiliates (hereafter staff).
3. Principles
3.1 UTS recognises the importance of managing all records and information across all operating environments and formats to:
- support and enhance the university’s activities
- facilitate decision-making
- protect the interests of the university
- protect community and public interests, including privacy and information access obligations
- comply with the State Records Act, and
- preserve UTS records that require ongoing retention for future reference, in particular those records identified as state archives (refer State Records Act).
3.2 Records management requirements and practices are embedded into UTS business activities, data governance, cybersecurity and information systems and processes.
3.3 Records management practices are sustainable (refer Sustainability Policy), efficient and effective within the limits of legislative obligations, ensuring that accountability and compliance requirements are satisfied.
4. Policy statements
UTS records management program
4.1 All records created or received by UTS and its staff in the course of the university’s functions and activities, including where an activity is outsourced or supported by a service provider, are owned by UTS and are state records under the State Records Act.
4.2 UTS will:
- maintain a records management program (the program) that complies with the State Records Act and its associated standards, policies and guidelines to support the university’s functions and activities
- maintain processes to monitor the program and compliance with this policy
- cooperate and liaise with State Records NSW on compliance monitoring and reporting as required.
4.3 All faculties, institutes, centres, units and similar areas of the university (hereafter units) under their relevant head (for example, deans and directors) must:
- implement the program in consultation with University Records
- be aware of the records management requirements outlined in this policy, the program and the approved recordkeeping systems used by the unit
- embed records management in relevant business processes and procedures
- assign and maintain appropriate administrative support and records contact roles in line with this policy and the program
- regularly monitor records and information management practices through mandatory self-assessments and ensure identified risks are managed or mitigated
- develop and implement a local records management plan (refer Records and archives hub: Planning and assessing recordkeeping (SharePoint))
- consult University Records in advance of organisational restructure to plan and facilitate the proper management, transfer, archiving or disposal of records.
4.4 Staff must ensure appropriate storage, access and security settings, and data retention and destruction actions, are applied to all records (including drafts and copies).
Recordkeeping systems
4.5 Records relating to current activities are captured and managed digitally. Paper records are scanned for digital capture in line with the university’s procedures, except where there is a legal or other genuine business requirement to retain records in their original paper format (refer Records and archives hub: Scanning paper records (SharePoint)).
4.6 Records of the university must be captured as soon as practicable in a university recordkeeping system (refer Definitions).
4.7 Information systems used to store and manage records must be:
- assessed as a suitable recordkeeping system by the information system steward and tested to identify and address any issues affecting the integrity, useability or accessibility of records (refer Records and archives hub: Recordkeeping in information systems (SharePoint))
- reassessed for recordkeeping compliance if they undergo major upgrades or changes in functionality or content, including the addition of new activities or where a system may move from UTS to a service provider or to a new service provider.
4.8 Data stewards are responsible for approving and communicating procedures or guidance that outline specific recordkeeping requirements for the operation and management of records held in information systems.
4.9 When migrating or transferring records, the integrity, accuracy and context of the records and associated metadata must be maintained at all times. Records migration must be clearly documented.
4.10 Final records of activities, decisions and business processes must not be altered or removed from recordkeeping systems unless in line with the university’s procedures (refer Records and archives hub: Archiving and destroying records (SharePoint)) and/or as required by law.
Using service providers
4.11 Where a service provider creates, captures, uses, stores, retains and/or disposes of records on behalf of the university, including where a service provider may host an information system (including cloud storage), the relevant data steward must ensure that:
- UTS retains ownership of records and right of access to its records
- records are captured, stored and managed in line with this policy for as long as they are required to be retained
- relevant recordkeeping obligations equivalent to the requirements outlined in this policy are imposed on the external party through an enforceable contract and the service provider’s compliance is monitored
- for hosted information systems, they are assessed for recordkeeping compliance in line with statement 4.7 of this policy.
High-risk and high-value records
4.12 Staff responsible for high-risk or high-value records must report these records to University Records.
4.13 Records of long-term value (including state archives), regardless of format, must be transferred to University Records when no longer required for current business purposes. This is to ensure safeguarding, ongoing management and preservation in line with the university’s procedures (refer Records and archives hub: Archiving and destroying records (SharePoint)).
4.14 Original vital records (refer Definitions) must be lodged with University Records within one month of the record and/or variation being signed, approved or received in line with the university’s Vital records program (SharePoint).
Record and information security
4.15 All records, including paper and digital records, unstructured data, as well as corporate data as defined under the Data Governance Policy, must be allocated one of 4 information security classifications appropriate to the content as outlined in the Information Security Classification Standard (available at Records and archives hub: Information security (SharePoint)):
- Public
- Internal
- Sensitive
- Confidential
4.16 An information security classification must not be lowered to avoid security controls.
4.17 All records (including drafts and copies) regardless of format (including physical and digital):
- must not be kept or otherwise stored outside UTS’s control, noting that staff must comply with recordkeeping and security obligations if they require access to records while working remotely or on personal devices (refer Bring Your Own Device CIO Information Security Directive available at Beyond the Firewall: Information Security Policy Framework (SharePoint))
- if created or received via personal devices or programs, must be moved into the appropriate university recordkeeping system as soon as practical and deleted from personal non-UTS devices
- must be stored securely and protected from loss or unauthorised access, alteration, disclosure or deletion (refer also the Information Security Policy, the Acceptable Use of Information Technology Resources Policy and the Privacy Policy).
4.18 Staff must follow the Information Security Classification User Handling Guide (available at Records and archives hub: Information security (SharePoint)) for the storage, handling and transmission of information.
4.19 Staff must avoid unnecessarily making copies of records that are not required for reasonable UTS business.
Access to records
4.20 Staff must only access and use the university’s records for legitimate business purposes, with appropriate approvals where required.
4.21 Staff access to records is provided in line with the information security classification applied. For information systems, refer to the Access Control and Authentication CIO Information Security Directive available at Beyond the Firewall: Information Security Policy Framework (SharePoint).
4.22 Records that are classified as internal or above must not be provided to external parties unless appropriately authorised (refer also the Delegations, the Privacy Policy, the Privacy Management Plan (available at Privacy regulations) and the Data Governance Policy).
4.23 Access to records requested under a subpoena, legal warrant or court order must be managed by the Office of General Counsel. Such requests must be directed to their attention immediately on receipt.
4.24 When responding to external requests, original versions of records must not leave the university’s control. Only copies may be provided to external parties where approved (unless originals are required to be provided by law).
4.25 Records that are 20 years old or more are considered to be open to public access under the State Records Act, except where UTS has issued an access direction to close records for a longer timeframe.
Right to information
4.26 Access to information under the Government Information (Public Access) Act 2009 (NSW) (the GIPA Act) will be managed in line with the university’s GIPA delegations and procedures (refer Records and archives hub: GIPA and right to information (SharePoint)).
4.27 Data about contracts required to be reported by UTS under the GIPA Act are published on the UTS website at Register of contracts. Staff must provide University Records with the required contract information within one month of contract commencement and/or variation in line with the procedures issued by University Records (refer Records and archives hub: Contracts and GIPA (SharePoint)).
Storage of physical records
4.28 Staff storing physical records must:
- maintain an up-to-date list of their physical records and where they are located (for example, by registering physical records in Content Manager)
- use secure and safe storage locations, including where records are on loan from University Records archives, and seek approval from University Records to store physical records outside UTS standard office spaces
- safeguard physical records and take responsibility for the recovery of damaged records in the event of a disaster (refer Records and archives hub: Disaster plan for physical records (SharePoint)).
4.29 Staff must not engage their own service providers for the storage of their physical records. Use of external service providers for the storage of UTS’s physical archived records is managed by University Records.
4.30 Records that are no longer active or in current use, but are not ready for destruction, can be transferred to University Records for ongoing storage in line with the university’s procedures (refer Records and archives hub: Archiving and destroying records (SharePoint)). Refer also High-risk and high-value records.
Retention and disposal of records
4.31 Records must be retained in an accessible and usable form for long enough to satisfy:
- minimum retention periods specified in current retention and disposal authorities issued under the State Records Act and normal administrative practice guidelines, and
- any other retention obligations specified in legislation that applies to a particular business activity, or a direction from any court or tribunal, statutory body, commission or governing agency.
4.32 Records may be kept longer than minimum retention periods where they are:
- still required for legitimate ongoing administrative, contract, audit, financial or business requirements of the university, or
- deemed to have ongoing historical or research value.
4.33 Where a decision is made to retain records longer than minimum retention requirements, the following must be considered:
- cost and resource impacts, such as ongoing conservation, migration and storage costs
- contractual commitments on retention and destruction/deletion obligations that may apply to the records, and
- privacy obligations (if relevant to the information contained) and associated risks that longer retention may pose to individuals (refer Privacy Policy).
4.34 An information system holding records must have a retention plan developed, implemented and maintained in line with this policy and the university’s procedures (refer Records and archives hub: Archiving and destroying records (SharePoint)).
4.35 The destruction of records, including records held in information systems at UTS or with service providers, or records in information systems pending decommissioning, must be undertaken in line with the records destruction procedures (refer Records and archives hub: Archiving and destroying records (SharePoint)).
4.36 The destruction of records and associated recordkeeping metadata requires written authorisation of the head or senior manager of the relevant unit, or data steward where applicable, and the Head, Corporate Information (or nominated delegate).
4.37 The Head, Corporate Information may develop and issue pre-approved authorisations to facilitate approvals under statement 4.36 for the ongoing destruction of specific classes of records (refer Records and archives hub: Archiving and destroying records (SharePoint)).
4.38 The destruction of records must be undertaken in a secure manner as appropriate to the format and relevant information security classification applied.
4.39 Records classified as a state archive will be:
- listed on the university’s 5-year transfer plan in line with the State Records Regulation 2024, and
- scheduled for transfer to Museums of History NSW for the State Archives when they are no longer in use for official UTS purposes.
4.40 Records donated to UTS, that are not records of UTS business, will only be taken and managed by UTS in line with the UTS Archives Collection Guidelines (available at Records and archives).
Policy breaches
4.41 Breaches of this policy and the UTS records management program will be managed under the Code of Conduct and relevant Enterprise agreement. A breach of any requirements of the UTS records management program constitutes a breach of this policy.
4.42 A loss of records before their minimum retention periods have expired (for example, through premature destruction/deletion) must be reported to University Records.
4.43 Data breaches must be reported and managed in line with the Data Breach Policy.
5. Roles and responsibilities
5.1 Policy owner: The Director, Governance Support Unit (GSU) is delegated the role of senior responsible officer under the Standard on records management issued under the State Records Act.
The Director, GSU is responsible for policy enforcement and compliance, general oversight of records, information and privacy management at UTS and oversight of the UTS records management program, ensuring that recordkeeping systems support organisational and public accountability by:
- implementing this policy and the UTS records management program
- approving the Information Security Classification Standard and the Information Security Classification User Handling Guide (available at Records and archives hub: Information security (SharePoint)), which is developed and maintained in consultation with the Chief Information Officer and the Chief Data Officer
- reporting on UTS’s records and information management compliance to the State Records Authority as required under the State Records Act, and
- approving access directions.
5.2 Policy contacts: The Head, Corporate Information coordinates and maintains the UTS records management program and approves associated procedures and guidelines. This includes:
- publishing and maintaining recordkeeping policies and procedures, standards and guidelines
- assisting new or restructuring units to implement the records management program
- monitoring the performance of units against records management standards and procedures and this policy
- providing recordkeeping-related education programs and advice on recordkeeping practices and issues
- administering Content Manager
- coordinating the authorisation of record destruction activities
- coordinating the development and maintenance of access directions and transfer plans
- managing the UTS archives, including storage of and access to archives held centrally, and facilitating the transfer of records to the State Archive where required, and
- planning disaster prevention, response and recovery operations for physical records.
5.3 Implementation and governance roles:
The Vice-Chancellor has overall responsibility for the university’s compliance with the State Records Act.
The University Leadership Team is responsible for ensuring units under their portfolio follow the requirements of this policy.
Deans, directors, chief officers and other heads of areas must provide direction and support for records and information management and implement the requirements of the UTS records management program for their area of responsibility, ensuring:
- unit records and information are captured appropriately in suitable information and/or recordkeeping systems (including taking remedial action where records and information are found to be stored inappropriately)
- awareness of recordkeeping requirements and advocating good recordkeeping practices within the unit
- recordkeeping is addressed in business processes and procedures and that all staff under their direction comply with UTS recordkeeping policies and procedures
- compliance with contract reporting obligations and information requests under the GIPA Act
- scheduled records assessment and planning activities are completed and agreed action plans are supported and implemented, and
- records contact roles are appropriately assigned within their unit.
All staff must:
- be aware of the UTS records management program and their responsibilities
- ensure that records supporting and documenting their business activities are created, captured and protected in line with this policy and its procedures, regardless of format
- contact University Records if they require further information or training.
6. Definitions
These definitions apply for this policy and all associated procedures. These are in addition to the definitions outlined in Schedule 1, Student Rules. Definitions in the singular include the plural meaning of the word.
Affiliate is defined in the Code of Conduct.
Archive means a record that has continuing value but is no longer required for current use. This includes permanent university and state archives.
Corporate data is defined in the Data Governance Policy.
Data breach is defined in the Data Breach Policy.
Data steward is defined in the Data Governance Policy.
Information Security Classification Standard is the official university tool used to assign levels of protection for data and records based on their content (available at Records and archives hub: Information security (SharePoint)).
Information system is defined in the Data Governance Policy.
Information system steward is defined in the Data Governance Policy.
Normal administrative practice (NAP) refers to records that can routinely be destroyed without approval. NAP guidelines are defined in Schedule 2, State Records Regulation 2024.
Record means any document or other source of information that is compiled, recorded or stored, in written form, on film, by electronic process, or in any other format or through any other means (as defined under the State Records Act). This includes but is not limited to data (including corporate data) and information held in fields in an information system, documents, emails, folders, messages, chat and posts. See also state record.
Recordkeeping metadata means metadata (data elements captured or used to describe information, such as date created, author and title) required for the appropriate management of records. Refer Recordkeeping metadata standard (PDF, SharePoint).
Records management program (the program) means a university-wide set of procedures and guidelines that enforce the requirements of this policy and the State Records Act.
Recordkeeping system means a subset of an information system that is designed to control information as required by this policy and the State Records Act. The primary recordkeeping system implemented at UTS as part of the records management program is Content Manager.
State archive means a state record that falls under the control of Museums of History NSW. A record may be designated as a state archive based on retention and disposal authorities issued under the State Records Act.
State record means any record made or received by UTS and its staff in relation to their official duties and/or the function and activities of UTS.
Vital record means a record that is essential for the ongoing business of the university, without which UTS could not continue to function effectively or protect its interests. These include, but are not limited to, contracts and associated variations, deeds, memoranda of understanding, licences, evidence of ownership of physical and intellectual property, and other records documenting the legal authority or rights of the university.
Approval information
Policy contact | University Secretary |
---|---|
Approval authority | Vice-Chancellor |
Review date | 2029 |
File number | UR07/1205 |
Superseded documents | Records Management Vice-Chancellor’s Directive |
Version history
Version | Approved by | Approval date | Effective date | Sections modified |
---|---|---|---|---|
1.0 | Vice-Chancellor | 20/12/2017 | 03/04/2018 | New policy. |
1.1 | Vice-Chancellor | 18/03/2020 | 18/03/2020 | Amendments to reflect name change of record keeping system from TRIM to Content Manager, minor changes to retention archiving and disposal controls and additional Staff Connect links. |
2.0 | Vice-Chancellor | 17/05/2021 | 28/05/2021 | Amendments as a result of a scheduled three-year review and to reflect updates resulting from the Policy Impact Project (2020). |
2.1 | Director, Governance Support Unit | 27/10/2021 | 01/11/2021 | Changes to reflect portfolio realignment under Fit for 2027 project. |
2.2 | Deputy Director, Corporate Governance (Delegation 3.14.2) | 22/02/2022 | 22/02/2022 | Minor change to reflect portfolio realignment under Fit for 2027 project. |
2.3 | Deputy Director, Corporate Governance (Delegation 3.14.2) | 12/04/2023 | 12/04/2023 | Changes to reflect new unit title of Office of General Counsel. |
2.4 | Deputy Director, Corporate Governance (Delegation 3.14.2) | 13/11/2023 | 28/11/2023 | Minor update to reflect the new Data Breach Policy. |
2.5 | Deputy Director, Corporate Governance (Delegation 3.14.2) | 20/06/2024 | 08/07/2024 | Minor update to reflect new Acceptable Use of Information Technology Resources Policy. |
3.0 | Vice-Chancellor | 26/11/2024 | 06/12/2024 | Compliance and clarification changes as part of a scheduled review. |
References
Acceptable Use of Information Technology Resources Policy
Government Information (Public Access) Act 2009 (NSW) (GIPA Act)
Privacy Management Plan (available at Privacy regulations)
Records and archives hub (SharePoint)