Identifying and managing high-value and high-risk records, information, and data
Compliance requirements 2.2 and 2.3 of the standard on records management guide public offices to focus on high-value and high-risk business areas. These requirements ensure that:
- records, information, and data that are high-value/high-risk or required as State archives are prioritised, protected, and managed
- records and information management is integrated into the most valuable and critical information and systems
- strategies and initiatives for records and information management align with the organisation’s key business priorities
- resources (time, money, and staff) allocated are appropriate to the business value of the records, information, and data.
This approach to identifying and prioritising high-value and high-risk records matches the methods used in cybersecurity to protect the organisation's most critical information assets.
Defining high-value and high-risk (HVHR) records, information, and data
High-value records, information, and data are assets that help organisations to:
- carry out their functions
- provide services to clients
- respond to inquiries, audits, investigations, and legal issues.
A small percentage of these high-value records have lasting importance to the state and the people of NSW, and they are required as State archives. (Consult relevant retention and disposal authorities for details on what needs to be kept as State archives.)
High-risk records, information, and data are assets that:
- are created or received in high-risk areas of the business or high-risk processes
- pose a significant risk to the organisation if misused, released inappropriately, accessed and altered incorrectly, lost, damaged, or destroyed too early.
High-risk records must be managed with the same care as high-value records while they are needed, although high-risk records may not always have long retention periods.
Identifying HVHR records, information, and data
High-value and high-risk records, information, and data are usually created or received in areas involving:
- core and statutory functions of the organisation
- significant investment from the NSW Government or major contributions to the NSW economy
- direct contact with individuals (such as in regulatory, enforcement, health, or welfare activities where disputes may arise)
- development of policies or services that impact individuals and communities or their rights
- management of natural resources, culturally significant places, and the protection of state infrastructure in NSW
- processes that are prone to corruption or have the potential for corrupt behaviour
- major programs of international, national, or state importance
- collection and use of personal and health information (as defined by the Privacy and Personal Information Protection Act 1998 and the Health Records and Information Privacy Act 2002)
- policies, decisions, or services that are closely monitored by the public, media, or oversight bodies.
Examples of HVHR records, information, and data
The examples below are selected for illustration purposes only. Note that the business value and risk to records, information, and data can change over time depending on the organisation’s context.
Information Assets | Category | Additional information |
---|---|---|
Enterprise data sets managed by the organisation | High-value | Data sets which are mandated and used for performance reporting are of high-value as they inform decision making, in program analysis and evaluation, and in research. Please note that the value of data sets is subjective and may change over time depending on the organisation’s context, its intended use, data quality, etc. |
Scanned ID documents used for verification purposes | High-risk | These are considered supporting documentation and are of low value as soon as the verification has been completed. However, records, information and data which contain personal information are generally considered high-risk as they pose specific risks to individuals, such as identity theft or fraud, reputational damage, loss of confidentiality or financial loss. |
Briefing notes to ministers in relation to portfolio programs | High-value and high-risk | These records are of continuing value to the State and are required as State archives as they are advice about substantive aspects of a major program, service delivery, legislation, etc. These records are considered high-risk as they document decisions that may be subject to public or media scrutiny. |
Patient records and information in clinical information systems | High-value and high-risk | These records are high-value as they relate to the core function of providing health care to patients and clients. These records are high-risk as they pose specific risks to individuals. Clinical information systems are usually considered high-risk as loss or compromise of access to them would have a major impact on the organisation. |
Client case management records | High-value and high-risk | These records are of high-value as they document direct contact with individuals and may relate to specific or core services, or individual rights or entitlements. These records are high-risk as they contain personal, sensitive and/or confidential information and pose specific risks to individuals. |
Records applied with dissemination limiting markers (DLM) or security classification | High-risk | These records may be assessed as high-risk depending on the value, importance or sensitivity of information they contain, and the potential damage to government, national interests, organisations or individuals, that would arise if the information’s confidentiality was compromised. |
Budget records and information | High-value and high-risk | These records are high-value as they contain the budget decisions of the State. These are considered high-risk due to their confidentiality and potential consequences of leakage. |
Council meeting minutes | High-value and high-risk | These records are high-value as they document significant decisions that have a far-reaching impact on communities and are therefore required as State archives. Local council meetings are high-risk activities because they are subject to transparency requirements, public scrutiny and direct participation by members of the community. Loss of public access to council meeting minutes may also have consequences for the well-being of the community. |
Financial and human resource records | High-value and high-risk | These records are high-value as they are essential to the continued operations of the organisation. These records are considered high-risk as they relate to processes that may be open to corruption or fraud. Digital financial and human resource records are usually considered high-risk targets for cyber-attacks. |
Approaches to determining HVHR records, information, and data
There are various ways of determining HVHR records, information, and data.
Analysis of documentation
Conduct a desktop review and analysis of current documentation.
Examples of documentation to review include:
- retention and disposal authorities (records required as State archives and those with retention periods of 30 or more years are HVHR)
- risk-related records such as corporate risk registers, business continuity plans, ICT incident management plans, or business impact analysis reports
- cyber security attestation or information security planning
- responses to audits, inquiries, or litigation
- systems audits or IT asset inventories
- information asset registers
- open data planning, reporting, and data sharing agreements
- privacy impact assessments
- Government Information (Public Access) Act 1998 review or investigation reports
- annual reports, including internal and external audit reports
- reports of incidents or complaints, including findings and recommendations which may have been publicised.
Engage with staff
Engage staff within the organisation to understand core functions, services, and business processes. Business owners should be engaged to assess and classify assets based on business risk.
Specifically, consult with the organisation’s:
- audit and risk committee or risk manager
- cyber and information security officer (CISO) or team
- business managers of areas under transition/change or implementing new policies, processes, and systems
- business managers of areas where they collect, use, or store personal information
- other stakeholders such as internal audit teams or officers.
Analyse information
Use various techniques to gather and analyse information such as:
- surveys
- brainstorming exercises or focus group discussions
- strengths, weaknesses, opportunities, and threats (SWOT) analysis
- business impact analysis
- bow tie analysis
- cost-benefit analysis
- cause-consequence analysis.
Tips for managing HVHR records, information, and data
Develop an understanding of the organisational context
This includes:
- gathering information about the organisation using the sources mentioned above
- identifying and analysing recordkeeping requirements
- consulting or collaborating with business units to identify what records, information, and data are needed to support core functions and services. This includes identifying impacts from business disruptions or risks to records, information, and data.
List the organisation’s records, information, and data as information assets
Having this list enables:
- identification of HVHR records, information, and data
- identification and assessment of information assets that pose significant risk
- identification of people and positions responsible for information assets
- compliance with minimum compliance requirements 2.2 and 2.3 of the standard on records management. A complete view of HVHR information assets is one of the indicators used in Q1 of the Records Management Assessment Tool (RMAT).
For each asset, consider the following information:
- size and scope of the records and information held
- size and scope of the system
- software and hardware critical for the maintenance of the asset
- any dependency on other records/information assets
- format of the records (if paper, include volume and storage information; if digital, include title or name of the data set or file, description, modification date, license, and file format)
- business owner and users of the system
- policies and processes that govern them, including statutory and regulatory obligations
- business value
- retention periods, including records required as State archives
- level of criticality of the business activities that the system supports (that is, the potential impact of an interruption to critical business operations).
View the standard information asset register template (XLSX 133.73KB).
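The register fields listed above can be captured in a simple data model, and the identification criteria from the earlier sections applied to each entry so that HVHR assets and incomplete register lines surface automatically. The following Python is an added example, not State Archives' information asset register template: the field names, the rule that permanent retention or retention of 30 or more years counts as high-value, the risk flags, and the sample assets are all assumptions for illustration.

```python
"""Information asset register with HVHR classification.

Added example, not State Archives' register template. It encodes the
identification criteria from the guidance as simple rules over a
constructed list of assets and reports which assets are high-value,
high-risk or both, plus register entries missing mandatory information.
Field names and the rules below are assumptions for illustration.
"""
from dataclasses import dataclass, field
from typing import Optional

STATE_ARCHIVE_THRESHOLD_YEARS = 30  # retention of 30+ years is treated as HVHR


@dataclass
class InformationAsset:
    name: str
    business_owner: str             # position responsible for the asset
    system: str                     # system or storage location holding it
    fmt: str                        # "paper" or "digital"
    state_archive: bool             # required as State archive under a disposal authority
    retention_years: Optional[int]  # None when retention is permanent
    core_function: bool             # supports a core or statutory function
    personal_info: bool             # contains personal or health information
    classified: bool                # carries a DLM or security classification
    public_scrutiny: bool           # decisions closely watched by public, media or oversight
    criticality: str                # impact of interruption: "low", "medium" or "high"
    dependencies: list[str] = field(default_factory=list)


def is_high_value(asset: InformationAsset) -> bool:
    """High-value: needed for core functions, or kept long-term / as State archive."""
    long_retention = (asset.retention_years is None
                      or asset.retention_years >= STATE_ARCHIVE_THRESHOLD_YEARS)
    return asset.state_archive or long_retention or asset.core_function


def is_high_risk(asset: InformationAsset) -> bool:
    """High-risk: significant harm if misused, disclosed, altered, lost or destroyed early."""
    return (asset.personal_info or asset.classified
            or asset.public_scrutiny or asset.criticality == "high")


def classify(asset: InformationAsset) -> str:
    hv, hr = is_high_value(asset), is_high_risk(asset)
    if hv and hr:
        return "High-value and high-risk"
    if hv:
        return "High-value"
    if hr:
        return "High-risk"
    return "Not HVHR"


def register_gaps(asset: InformationAsset) -> list[str]:
    """Report register details the guidance expects that are missing or inconsistent."""
    gaps = []
    if not asset.business_owner.strip():
        gaps.append("no business owner recorded")
    if not asset.system.strip():
        gaps.append("no system/storage location recorded")
    if asset.fmt not in ("paper", "digital"):
        gaps.append(f"unknown format {asset.fmt!r}")
    if asset.retention_years is None and not asset.state_archive:
        gaps.append("permanent retention but not marked as State archive")
    return gaps


def hvhr_report(assets: list[InformationAsset]) -> list[tuple[str, str, list[str]]]:
    """HVHR assets first, so scarce resources go to them; each with its register gaps."""
    order = {"High-value and high-risk": 0, "High-value": 1, "High-risk": 1, "Not HVHR": 2}
    rows = [(a.name, classify(a), register_gaps(a)) for a in assets]
    return sorted(rows, key=lambda r: (order[r[1]], r[0]))


# Constructed sample register entries (not real agency data).
SAMPLE_ASSETS = [
    InformationAsset("Patient records", "Director Clinical Services", "Clinical information system",
                     "digital", False, 15, True, True, False, False, "high"),
    InformationAsset("Scanned ID documents", "Customer Service Manager", "Shared drive",
                     "digital", False, 1, False, True, False, False, "low"),
    InformationAsset("Ministerial briefing notes", "", "Document management system",
                     "digital", True, None, True, False, False, True, "medium"),
    InformationAsset("Enterprise performance data set", "Chief Data Officer", "Data warehouse",
                     "digital", False, 30, False, False, False, False, "medium"),
    InformationAsset("Staff newsletter archive", "Communications Lead", "Intranet",
                     "digital", False, 2, False, False, False, False, "low"),
]

if __name__ == "__main__":
    for name, category, gaps in hvhr_report(SAMPLE_ASSETS):
        flag = f"  (register gaps: {'; '.join(gaps)})" if gaps else ""
        print(f"{category:25} {name}{flag}")
```

Running the script lists the constructed assets with the HVHR ones first and flags the briefing-note entry for having no business owner; in practice the flag values would be populated from the sources listed under "Analysis of documentation" and confirmed with the business owners consulted under "Engage with staff".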
Apply the organisation’s risk management framework to assess and mitigate risks to HVHR records, information, and data
Use the NSW Risk Management Toolkit to develop and implement a risk management framework over HVHR records, information, and data.
Risks may include:
- loss or reduction in the ability to access records due to technological obsolescence, system migrations, disasters, corruption of information, or changes in government and administration
- unauthorised access leading to deletion, manipulation, or disclosure of sensitive information due to outdated or ambiguous policies and procedures
- loss of government information, corporate memory, and/or documentary heritage of NSW.
Risk assessment examples
Below are examples of risk assessments for HVHR records, information and data. The risks, causes and mitigation activities identified are selected for illustration purposes only. The risk likelihood and impact depend on the organisation’s context.
Information assets | Risk | Cause | Mitigation activities |
---|---|---|---|
Enterprise data sets shared by the organisation | Unauthorised access or disclosure of information | Outdated or ambiguous policies and procedures, or machinery of government (MOG) changes | Use a standard MOU agreement. Implement a consistent, agreed approach to data sharing. Review default access provisions applied to data sets when MOG changes happen. |
Patient records & information in clinical information systems | Loss of access | System outage or unstable platform | Put controls in place and regularly monitor to mitigate the threat or risk, and perform risk analysis as required. Perform regular system health checks, including backup systems. |
Briefing notes to ministers in relation to portfolio programs | Failure to locate and retrieve within scheduled time frames | Multiple content repositories | Put processes and systems in place to enable comprehensive search functionality to simplify retrieval operations. Implement a consistent procedure in managing briefing notes, including where they are stored. |
Records applied with DLMs or security classification | Information leak, unauthorised access or disclosure of information | Outdated system or human error | Put controls in place and regularly monitor to mitigate the threat or risk. Implement cyber security education for staff, including information classification, labelling and handling. |
Scanned ID documents used for verification purposes | Information leak, unauthorised access or disclosure of information | Outdated or ambiguous policies and procedures | Review current procedures and assess whether there is a need to have a scanned copy of ID documents. If there is an identified need, put controls in place and regularly monitor to mitigate the risk. Update policies and procedures to mitigate or eliminate this risk (Check FAQs: Recordkeeping and personal information). |
Budget records and information | Information leak and misuse of information | Outdated system or human error | Put controls in place and regularly monitor to mitigate the threat or risk. Implement cyber security education for staff, including information classification, labelling and handling. |
Council meeting minutes posted on the website | Loss of access | System outage | Put controls in place and regularly monitor to mitigate the threat or risk. |
Client case management records | Loss of information | Natural disasters | Put controls in place and regularly monitor to mitigate the risk. For physical formats, read our guidance on solutions for storage for more information. For digital formats, regularly monitor current disaster recovery/incident management processes, procedures and systems. |
Collaborate with the CISO and cybersecurity team and/or relevant teams or committees
Work together with relevant teams to ensure all HVHR records, information, and data, both physical and digital, are classified as ‘crown jewels.’ Including these records in the organisation’s crown jewels list helps prioritise their management and security.
Develop and implement a plan for managing HVHR records, information, and data
The plan should consider:
- information management needs of high-risk areas or functions
- strong migration and export strategies to maintain records during transitions
- the metadata that makes the information clear and trustworthy.