Skip links and keyboard navigation

Records on mobile and smart devices

Mobile and smart devices are capable of creating, storing and deleting records. Find out what to do if your agency or staff use mobile and smart devices for work purposes.

Find out how to manage records created by mobile devices (e.g. body cameras) for surveillance and monitoring purposes.

See also portable storage devices and information privacy.

Recordkeeping considerations

If your agency or staff use mobile and smart devices for work purposes, consider:

  • what to capture and how to capture it
  • the risks and how to mitigate them
  • the access, use, storage, downloading or editing of records on devices
  • the security implications if sensitive or confidential records are created, used and/or stored on devices
  • the format records may be in–emails, files and documents, text messages, social media content, audio recordings, photographs, video recordings, geolocation information and other types of data
  • what the devices are capable of–editing, downloading, accessing, sharing, creating, storing, and/or deleting information
  • the level of risk for each type of device
  • how to separate personal from work related records and information
  • if staff can use their own devices.

Using mobile and smart devices

Arrangements may be in place for staff to use organisation issued devices or their own devices for work purposes. This will depend on what people need to be able to do (e.g. access or capture information in an external meeting, work on the go, remote access, and work from home)

Staff need to be aware of the recordkeeping obligations when using any devices.

Your agency should have policies and procedures in place for any staff using devices, particularly personal devices used for work purposes. This should cover the security, access and storage of the data, what records need to be kept and how they are captured in the agency's recordkeeping system.

Which records to capture

You must capture any records that document a decision or action taken, or records that are created, received or kept for other business and community requirements.

You don't need to capture any records that are purely personal or any records that are transitory (e.g. copies, drafts).

How to capture

How to capture records will depend on what device is being used, the format of the record and how you manage records in your agency. Records may not always be captured at the time of creation or receipt.

Decide how to capture records from devices based on the context, purpose and format of the records.

Any decisions you make around appropriate methods of capture of records from mobile and smart devices should be documented in your agency's policies and procedures.

How long to keep them

Records should be sentenced based on the function and activity they relate to regardless of the format of the record.

For example, advice provided via text message or email from your iPhone would need to be kept for the same amount of time as if you had sent the email from your work computer.

Risk management

Risks to records from using mobile and smart devices will depend on:

  • what devices are used and how
  • the number and variety of devices
  • what records are involved and your business–that is, the activities and functions you perform would directly impact on what records you create and the sensitivity of information.

You need to be aware that using mobile and smart devices can reduce:

  • access to records and information
  • knowledge of what records are available and accessible
  • control over agency information.

This may have implications when and if you need to know exactly what records you have (e.g. during legal discovery, right to information requests).

Most of the risks to records can be split into two groups–data theft or loss and compromises in the security of information.

Data theft/loss

  • devices can be used to steal, corrupt or extract data and information
  • records, information and data can unintentionally be transferred to private computers or other devices
  • lack of capture of public records, resulting in inadequate or incomplete business records
  • potential for unlawful disposal of public records
  • loss of information due to lack of knowledge of what is on devices and what devices are actually being used
  • accidental or deliberate data loss if the device fails, is lost or stolen, including loss of intellectual property
  • loss of public records if an employee leaves the public authority and has not previously captured the information into a recordkeeping system
  • loss of sensitive information from mobile and smart devices due to lack of data classification.

Security compromise

  • devices can be used to infect agency networks and computers with spyware, malware and viruses, extract data, introduce other software to agency computers
  • potentially greater exposure to malware, viruses and other infections
  • exposure of credentials, breaches in privacy etc. from loss or theft of devices
  • unauthorised access/exposure to data and sensitive information previously stored on the mobile and smart device due to inadequate disposal of devices and/or information
  • inadequate and inappropriate storage of information
  • increased risks of loss of information and compromises in security through access to private or other WiFi, networks etc.
  • security of information stored on devices may require encryption, password protection, access controls
  • inability to control, manage, track and monitor mobile and smart devices as well as control, capture, access, and destroy information copied onto devices (particularly for BYOD)
  • lack of control of information and the device (including security and access requirements from the perspective of the public authority), especially if people are using informal BYOD arrangements
  • potential for privacy and other legal issues if agencies need to access or capture information on personal devices used for work (e.g. BYOD).

Reducing risks

You will need to assess the risks based on the devices used and the potential information that is going to be accessed, created and stored on the device.

Reduce potential risks by:

  • talking to your IT area to see what measures they can put in place
  • incorporating recordkeeping requirements into the devices people will be using (e.g. including them in permission of use forms)
  • doing a risk assessment to identify the highest security classification for records that is able to be accessed by mobile and smart devices
  • using security measures and other strategies to reduce the risk of losing information (e.g. use encryption or password protection or other security for records that are accessed on mobile devices)
  • ensuring staff are aware of the recordkeeping implications–some of the higher risk issues are significant enough that they would be included elsewhere (e.g. code of conduct) but staff may need to be reminded of the minor risks.

Disposal

Records must be destroyed securely. Records captured in your agency's recordkeeping system can be managed and disposed of in the same ways as other digital records.

Before an entire device can be disposed of, you need to check that all records have been captured and that any remaining information on the device has been destroyed.

Devices can be digitally wiped of all information if they are going to be re-used.

If a device is to be disposed of, other methods may be required to ensure all information has been securely destroyed–in some cases this may be complete destruction of the device.

Remote wipe is a feature that can be installed on some mobile and smart devices. This is an effective method for preventing data from being compromised on devices which may be lost or stolen. Using it can mean that you might lose records that have not yet been captured.

Remote wipe may or may not work on removable media such as memory cards and the device needs to be connected to the internet for it to work.

See also Procurement and disposal of ICT products and services (IS13) policy.