High-value, high-risk and vital records
High-value and high-risk records
Policy requirement 4 in the Records governance policy requires all agencies to treat permanent, high-value and high-risk records as a priority.
Permanent records are the records produced or received by your agency that are of enduring value to Queensland. Find out how to identify permanent records.
High-value records are the records that the agency could not or would have great difficulty operating without.
High-risk records are the records that pose a significant risk to the agency if they were misused, lost, damaged or deleted prematurely.
While all high-value records are also high-risk, not all high-risk records are high-value.
Find out how to assess and prioritise risks.
Vital records
Knowing what and where your agency's vital records are will help your agency maintain or re-establish operations during or after a disruption.
Vital records plan
You should include a vital records plan with your agency's business continuity and disaster management plans.
A vital records plan ensures critical records:
- have been identified and registered
- are easily accessible in the event of a service disruption
- are suitably stored and maintained, including regular review for currency and disposal.
Identify vital records
We recommend identifying and monitoring your vital records so you can prioritise protecting and accessing them.
Your vital records should be identified as part of your records governance framework.
Only a small percentage of records are likely to be considered vital (approximately 5–10%). They will include all permanent records identified under an approved retention and disposal schedule. Others may include:
- your disaster management or business continuity plan (which should include a vital records plan)
- records relating to core business operations (i.e. critical client services)
- employee details, including contact information and payroll details
- delegations of authority
- current customer and stakeholder records or registers
- contracts, titles, and other signed original legal records
- licences, leases, or permits which enable the public authority to operate or perform a particular action
- insurance records
- financial information (e.g. current or unaudited accounting and tax records)
- infrastructure plans, operational policies and procedures
- records relating to current or potential litigation
- records protecting the legal and financial rights of clients for which the public authority is responsible.
Vital records may be temporary or permanent and exist in any format (e.g. physical, digital, audiovisual tapes, microfiche).
You can use a number of approaches to identify vital records including:
- reviewing the disaster management or business continuity plan for activities and records needed during or after an exceptional event
- reviewing risk assessments
- examining organisational structures, policies and procedures
- consulting with business managers and legal advisors
- reviewing your agency's statutory and regulatory responsibilities
- considering business activities and related records included in an approved retention and disposal schedule.
When identifying vital records, remember:
- to assess all of your agency's records, regardless of location and format
- not all 'important' records are vital to recovering core business operations.
When you assess records, risk management principles may help to distinguish between vital records, important records, useful records and non-essential records.
Document and track vital records
The easiest way to identify and document these records is through a vital records register. For each record include:
- brief description of record type
- explanation (e.g. brief explanation of why the record is considered vital, its critical purpose, consequences of loss)
- location (e.g. on-site, off-site, of original, of duplicate, server, data centre, backups, mirror sites)
- date for review, update and disposal
- format (e.g. hard copy, digital, audiovisual tape)
- accessibility requirements (e.g. position, authorisation, access to storage if off-site, recovery protocols for systems).
Fields and entries in a vital records register can include:
- Record type and description: public authority's revenue, expenditure, debt recovery, contracts, licences, legal documents, and records scheduled for permanent preservation in an approved retention and disposal schedule
- Explanation: why the records would be of high risk if they were not available (e.g. accounting records would be considered vital records when current and/or unaudited)
- Location: off-site, storage facility, data centre
- Date for review: date scheduled for disposal–retain minimum of 7 years after end of financial year in which transaction was completed, then destroy
- Format: paper, microfilm, tape, digital
- Accessibility requirements: who is authorised to access the records; will the records be required in the event of a service disruption
- Responsible department or work area (e.g. Corporate Services–financial management)
- Application location (if digital): PDF, network drive, eDRMS
- Title or unique identifier: if applicable
- Frequency of update: how often this document will need to be updated to remain effective in the recovery of business operations.
How to manage vital records
Vital records should be easily accessible, up-to-date, and identified as critical to the recovery of business operations.
Vital records need to be stored so that they are protected and accessible. This can be:
- onsite using data backups, a fire- and flood-proof safe or storage area
- offsite in a data centre or storage facility with a high level of hazard protection (against fire, theft, flood, power failure)
- across a variety of secure secondary locations.
Storage needs to be suitable for the record format and identified risks.
You may need to duplicate or backup vital records (marking as 'copy') in a variety of formats.
Backups or duplicates should be stored offsite to ensure they will not be affected by the same disaster, but are still accessible.