Outsourcing arrangements, third party and shared service providers
When outsourcing or engaging a service provider to deliver a function or activity on behalf of your public authority, they will make, receive and manage public records relating to that function.
Your public authority remains responsible for managing any public records that are made, received and managed when outsourcing a function or engaging a service provider. You need to ensure you can continue to meet your recordkeeping obligations.
This applies to outsourcing or service arrangements for core and administrative functions (e.g. recordkeeping, IT, finance, software-as-a-service arrangements). Arrangements may be with private organisations including non-government organisations, shared service providers or other public authorities.
It also includes public private partnerships and cloud based services and storage.
It does not include the privatisation of functions or the provision of a grant.
Determine the status of public records
When outsourcing or using a shared service provider, you need to determine:
- what public records are made, received and managed on your behalf by the service provider
- which public records are your public authority's public records and which belong to the service provider
- how public records should be managed.
This will depend on who made the public records and why.
Use the status of public records during outsourcing cheat sheet to help you.
Service agreements
There are specific recordkeeping considerations when using a service provider.
The service agreement should:
- require the service provider to make and keep complete and reliable public records of the activities they perform on behalf of your public authority
- require that any public records are returned to you at the end of the agreement unless lawfully disposed
- ensure recordkeeping responsibilities and requirements associated with the function being outsourced can continue to be met (e.g. access restrictions, privacy, preservation)
- clearly indicate who is responsible for which public records
- clearly indicate who is responsible for the actions needed to manage those public records, including endorsing the transfer or disposal of public records
- ensure each party has access to the public records that they need.
Note: If you are supplying a copy of a public record to a service provider, consider whether or not you need to remove any confidential or personal information, including from the metadata (e.g. author details). Information should only be removed from a copy of a public record, not the original source public record.
Sentencing public records made, received and managed by a service provider
Public records made, received or managed by a service provider on behalf of your public authority should be sentenced against your core retention and disposal schedule or the GRDS.
The service provider does not need permission from QSA to use the retention and disposal schedules you use.
Any public records about the management of the service arrangement should also be sentenced against the most appropriate class in retention and disposal schedules you use.
Any service provider that is a Queensland government public authority should sentence the public records against their retention and disposal schedules as normal.
Private service providers can manage any private records (i.e. their core and administrative records) as per their normal practices.