Use digital rights management and encryption

Encryption or digital rights management technology (DRM) can be used to control access to information. This is different from access restrictions placed on digital public records when or after they're captured.

DRM and encryption may be beneficial when information is highly confidential, or if intellectual property is involved, but risks accompany their use. Read on to find out how to manage these risks.

Digital rights management

What is digital rights management?

DRM is usually part of the software or technology used to make information (e.g. using the password protection tool in MS Word to restrict access to a document).

It works by applying rules to information you make, such as:

  • who can view, modify, print, copy, forward, and/or save
  • when usage/access rights expire
  • automatic deletion dates.

DRM restrictions are attached to digital public records and remain attached no matter where you move the information or what you do with it. This differs from restrictions placed on a digital public record once it's in a system, which allow you to move or change the digital public record.

Illustration of digital rights management restrictions versus system based restrictions

It is difficult to determine if DRM restrictions have been placed on a document as there is no global technical standard. Some programs will tell you depending on the restriction and the file.

Note: If intellectual property is involved, see Creative Commons Australia to allocate and understand the legally permitted uses of information products.

Encryption

Encryption can protect information when storing or transferring digital public records between different network environments or devices.

It is not a long-term solution for restricting access to or protecting information due to its level of risk.

You must manage encrypted digital public records to ensure their ongoing readability.

You should document the encryption and decryption of digital public records under appropriate security controls, and carefully manage the required decryption keys and certificates.

Note: Digital rights management controlled information is usually encrypted.

Risks to digital public records

Certain features of DRM technologies and encryption increase the risks to digital public records.

Expiration dates/auto-deletion

  • Early disposal of digital public records may occur when the expiration rule conflicts with the relevant retention period.

Auto-deletion

  • Disposal of digital public records may occur without considering their value beyond the prescribed retention period. Setting up an automatic deletion may mean digital public records still required for business or legal purposes are inadvertently lost.
  • Some eDRMS won't allow digital public records controlled by DRM to be deleted.
  • Required information and metadata about the destruction of digital public records may not be captured.

Print disabling

  • Some DRMs restrict or disable printing, which can affect how you keep digital public records (e.g. if you have to keep it as a paper record).

Prohibition of saving/forwarding

  • You may be unable to capture and keep a record if forwarding or saving is restricted.
  • Some eDRMS won't allow you to capture records controlled by DRM, or restrict actions like deleting or accessing.

Prohibition of viewing

  • You may be unable to capture and keep a digital public record if forwarding or saving is restricted.
  • Some eDRMS won't allow you to capture digital public records controlled by DRM, or restrict actions like deleting or accessing.

Prohibition of copying/modifying/saving

  • Management and preservation of digital public records may be restricted. If digital public records are not preserved, they may not remain accessible for the full retention period.
  • Usability of digital public records may be restricted, particularly if situations change, functions or activities are outsourced, or if a machinery-of-government change occurs. You need to ensure that digital public records remain usable and accessible for as long as required, regardless of where the digital public records are located or who is responsible for them.
  • Your ability to re-use information may be reduced. For example, copying or using information to make a new document may not be possible if restrictions have been applied to the original version.

Encryption

  • Digital public records may become inaccessible, unreadable or lost if the encryption and decryption process is not appropriately managed, or if the keys and certificates required to decrypt the information are lost.

Remote attestation

  • Remote attestation means that each time protected information is accessed, there is communication between the DRM system and external servers. Personal data is at risk of being collected by the external server, and that information may not be stored securely or appropriately managed. The collection and use of information must be consistent with the Queensland Government privacy requirements, and explicitly supported through contractual agreements.
  • Access can be compromised if the DRM technology needs to communicate with an external server to verify access restrictions or rules. This connection to an external server may also affect how and when you can access the digital public record and how you can use it.

Use DRM and encryption

Before using encryption or DRM technology, you should:

  • assess the need to encrypt digital public records or use DRM technologies based on records' security classification and type, and the business requirements
  • look at how the digital public record may need to be used now and in the future, including access, preservation, right to information requests, auditing, legal purposes
  • think about alternative methods – this depends on how much the digital public record is used, how long you need to keep it and the available safeguards (e.g. restricted access privileges, auditable events history checks, activity logs and network firewalls)

If you are going to use DRM or encryption, you will need to:

  • assess the risks to digital public records and the business
  • ensure DRM restrictions or encryption is removed before capturing digital public records
  • put strategies in place to minimise risks and ensure that your public authority's digital public records can be kept for as long as necessary
  • include a process for identifying, treating, capturing and managing digital public records that have been encrypted or had DRM restrictions applied
  • consider the information access requirements and how you would ensure digital public records remain accessible for as long as they need to be kept
  • develop a documented position on accepted scope and use of the technology
  • decide who can use the technology (i.e. who can have software installed) – you might be able to link it to your public authority's staff directory to limit the use of DRM to specific groups or people
  • decide what digital public records the technology can't be used for (e.g. high-risk/high-value public records)
  • maintain formal encryption/decryption key or password management regimes
  • only store security classified information in encrypted form or with DRM restrictions applied for as long as that level of security is required, then decrypt the information/remove the restrictions for subsequent storage.
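
One way to support the step of identifying encrypted or DRM-restricted records before capture, shown as an added example that is not part of the original guidance. Because there is no global standard, the check is format-specific and heuristic, covering only PDF and Office Open XML files. The function names, file names and sample bytes are constructed for illustration.

```python
"""Pre-capture triage: flag files that look encrypted or rights-managed."""
OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # OLE2 compound file signature
ZIP_MAGIC = b"PK\x03\x04"                      # ZIP local file header


def _u16(name: str) -> bytes:
    return name.encode("utf-16-le")  # OLE2 stores stream names as UTF-16LE


def classify(data: bytes) -> str:
    """Heuristic: 'encrypted', 'rights-managed', 'not-encrypted' or 'unknown'."""
    if data.startswith(b"%PDF-"):
        # An encrypted PDF has an /Encrypt entry in its trailer dictionary.
        return "encrypted" if b"/Encrypt" in data else "not-encrypted"
    if data.startswith(OLE_MAGIC):
        # Protected Office Open XML files are wrapped in an OLE2 container
        # (MS-OFFCRYPTO): IRM uses a DRMContent stream, password encryption
        # an EncryptedPackage stream.
        if _u16("DRMContent") in data:
            return "rights-managed"
        if _u16("EncryptedPackage") in data:
            return "encrypted"
        return "unknown"  # e.g. legacy .doc/.xls: needs a format-aware tool
    if data.startswith(ZIP_MAGIC) and b"[Content_Types].xml" in data:
        return "not-encrypted"  # plain OOXML package (.docx/.xlsx/.pptx)
    return "unknown"


def hold_before_capture(files: dict[str, bytes]) -> dict[str, str]:
    """Return {name: status} for every file that needs treatment or review."""
    return {n: s for n, d in files.items()
            if (s := classify(d)) != "not-encrypted"}


# Constructed stand-ins carrying only the markers checked above (not valid files).
SAMPLES = {
    "minutes.pdf": b"%PDF-1.7\ntrailer<</Root 1 0 R>>\n%%EOF",
    "contract.pdf": b"%PDF-1.7\ntrailer<</Root 1 0 R/Encrypt 5 0 R>>\n%%EOF",
    "budget.xlsx": OLE_MAGIC + b"\0" * 504 + _u16("EncryptedPackage"),
    "brief.docx": OLE_MAGIC + b"\0" * 504 + _u16("\tDRMContent"),
    "report.docx": ZIP_MAGIC + b"\0" * 26 + b"[Content_Types].xml",
    "notes.bin": b"\x00\x01\x02",
}

if __name__ == "__main__":
    for name, status in hold_before_capture(SAMPLES).items():
        print(f"{name}: {status}")
```

Files reported as "unknown" go to manual review rather than being assumed safe to capture. A "not-encrypted" result does not rule out editing restrictions stored inside an Office document.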

Note: Check the technologies you use for DRM technology and whether it needs to be enabled or if it can be disabled or configured for your public authority.

More information

For more about security classifications and the use of encryption technologies in state government, refer to:

Contact the Government Records Innovation team