Martyn Killion 0:48
Good morning, everyone and welcome to this Records Managers online Forum during Privacy Awareness Week. My name is Martyn Killion, I'm the Executive Director of State Records NSW and as I mentioned, this week is Privacy Awareness Week from the 16th to the 22nd of June.As many of you will be aware, Privacy Awareness Week is a campaign that is intended to highlight the importance of privacy and raises awareness for public sector agencies about how to protect personal information of our citizens.
And I'm thrilled that to mark this week, we have with us our special guest, Sonia Minutillo, who's the Privacy Commissioner for NSW.
I'll introduce Sonia in a moment, but I would like to start by acknowledging the traditional owners of the lands on which we are all meeting today. For me at the Western Sydney Record Centre, it's the Dharug people and I pay respects to Elders past, present and emerging.
As usual with our Records Managers Forum, we've got a fairly packed agenda. So, I'll shortly introduce Sonia as one of our two guest speakers. We'll also have Andrew Warland speaking about Microsoft 365 and the work that he's been doing with us. We'll then have updates from State Records NSW and updates from Museums of History NSW.
Throughout today's session there will of course be opportunities for you to ask any questions. We do encourage you to do that via the chat, but if you prefer to ask a question verbally, please do just raise your hand and you will be unmuted.
All right, without further ado, let's make a start. So, as I said, I'm delighted and thrilled that Sonia Minutillo, who's the NSW Privacy Commissioner, has agreed to join us and present to us at this morning's Forum.
As many of you will be aware, Sonia was appointed as the Privacy Commissioner early this year, a position that she had been acting in since August of 2023. But Sonia will be known to many of us here today as having been at the Information and Privacy Commission, as the Director of Investigation and Reporting, overseeing the Commission's regulatory functions. So, I'm delighted that Sonia could join us today, and Sonia, I'll hand over to you.
Sonia Minutillo 3:39
Good morning, everyone, and thank you, Martyn, for the warm introduction and the invitation to speak at this morning's Records Forum.
I too would like to begin by acknowledging the Dharawal people, the traditional custodians of the land from which I'm joining you from here in Wollongong, and pay my respects to the Elders past, present and emerging. I'd also like to extend my respects to the traditional custodians of the lands from which everyone is joining in from here today.
I'm actually really excited to have this opportunity to present today on what is the first day of a notable week for privacy. Today marks the start of Privacy Awareness Week, and as Martyn said, it's an annual event to raise awareness of privacy issues and the importance of protecting personal information.
Privacy Awareness Week, or PAW as we fondly refer to it, is run in conjunction with State and Territory Privacy Regulators and the Asia Pacific Privacy Authorities Forum and this week it's been marked and recognised across many of the Australian jurisdictions with many events to highlight and mark the importance and recognition of privacy in our lives.
This year the theme for PAW is privacy. It's everyone's business and as records managers, you all play an important and not insignificant role in the preservation of privacy. And why? Because records, records management and privacy are interconnected and they're interdependent.
I know that all of you here today share a keen interest in these issues of records management and the desire to advance the practise of information and records management, and from my perspective, as a result, preservation of privacy. So, I want to take a minute to acknowledge that and to thank you all for the important role that you all play in preserving privacy through the records management work that you all do.
I want to emphasise the importance of collaborative efforts in tackling privacy challenges, because if we collaborate and work together, we create a safe and more secure environment for both managing records and protecting personal information. And so, this forum provides an excellent platform for sharing those insights, best practises and innovative solutions that can help all of us to inform our approach to privacy, but also to how we manage our records.
As developments in digital technology and cybercrime have continued to accelerate, the risks to privacy have also accelerated, and so in my presentation today, I want to focus in particular on one of these key risks, the risk of keeping too much; privacy retention and the cost of holding on.
As we delve into the significance of privacy, it's crucial to understand the fundamental connection between records management and privacy protection. Effective records management is not merely about organising and storing information, but it's also about ensuring that this information is safeguarded against unauthorised access and from breaches that may occur.
In our increasingly digital world, the challenges of preserving privacy have become more complex than ever, and so we need to consider various factors when it comes to records management and preserving privacy, and that includes cybersecurity threats, data retention policies, and the responsibilities that go with managing this data.
Each record that we create, and we hold is a potential gateway into confidential information, and so it comes with a duty to protect that information with both vigilance and care. Recent data breaches have highlighted the critical importance of records management and the necessity of a comprehensive approach to privacy, and that means robust privacy protection measures need to be integrated within data governance frameworks. Effective records management is as crucial to ensuring privacy today as it's ever been before.
I want to outline for you all a real experience to highlight the fundamental connection between records management and privacy.
Not that long ago, a reasonably sized agency found themselves subject to a data breach. That data breach was a cyber incident that had compromised their systems and accessed their drives and folders. The threat actor came across a trove of records that dated from the time of the breach and which included personal information. Amongst the records was identity information, tax file details, bank account information, medical information, superannuation records, performance records, contact details, dates of birth. That's a reasonable sized list, and there was more.
So, take a minute and place yourself in the shoes of someone whose information has been caught by this breach. It's a real story and it wasn't that long ago.
Martyn Killion 8:54
Sonia, could I interrupt you? Are we meant to be seeing your slides at the moment?
Sonia Minutillo 8:58
No, there are no slides
Martyn Killion 8:59
All right. Thank you.
Sonia Minutillo 9:03
No data breach is ever welcome, but this data breach dated back to the late 1980's. The records had been kept untouched without a retention programme being applied.
In practice, there'd been no formal owner taking responsibility for the management of those records, and in many cases those records were well dated. They no longer served any meaningful purpose, hadn't been accessed for a while, but yet they'd never been deleted. That cyber incident compromised the Agency systems, and all of those records became discovered, and the size and the scope of the records and individuals affected by this incident was in the many, many thousands.
Now, while that breach was discovered relatively early, it's come at a significant cost, one in which the Agency is still trying to recover from. And those costs? Of course there's costs in the remediation, costs in the breach response, there are costs to the agency's reputation, there's resourcing costs both in the time and the effort, including the redirection of staff from other responsibilities while they respond to the incident.
There were extensive apologies that needed to be issued, and there were other activities that the Agency needed to undertake. But in my view, the most significant cost and the worst of all is what is the fundamental loss of public trust that has occurred, something that's really hard to earn, but it's even harder to regain when it's broken. And all because those records, that in reality should have been destroyed years ago, had not been, and that was something that was absolutely within the control of the agency to effect.
And while I'm not going to engage in a debate about whether the data breach was inevitable or within the Agency's control to stop, it's important to highlight that actually it's the magnitude of the impact that has been significantly amplified because of excessive data retention, and that's the aspect that was certainly within the Agency's control and it could have been better managed.
And so that brings me to the risk of over retention.
As privacy Commissioner, I hear a lot about the need to keep information because we might need it at a later point in time, often a time we don't yet know of, or for a purpose we don't yet know of, or could even articulate. And sometimes the issue of over retention started well before that, at the point of collection, because we collect more than we need, because we think we might need it, not because we know to need it for the purpose that we're collecting it.
We don't spend enough time talking and thinking about the real risk, and maybe it's an invisible risk, the risk of keeping too much or collecting too much, i.e., over retention and over collection. It's not just a compliance issue, it's actually much more than a compliance issue, it's actually a real privacy risk. And in the wrong circumstances, as in the example that I just highlighted, its impact and its damage can be irreparable because as I described, in terms of the data that was exposed in that data breach, there was a whole suite of information that could lead to identity theft, financial theft and much more.
So, in practice, I suspect that over retention is likely to be more common than we all realise, appreciate, would care to try and acknowledge. And how does it happen? I suspect over retention happens for a whole raft of reasons, but some of the ones that I've heard of include: unclear ownership; uncertainty about who has the authority to determine the end of a records life cycle; a fear of deletion because of a tendency to retain records out of caution because we prefer to keep them just in case; poor access controls; inadequate sense of security measures that lead to a false sense of security regarding where the records are stored and who can access them; insufficient or ineffective systems for managing those records and maybe perhaps the most important, because it's actually just become really easy in a digital world.
In the past, with physical records, storage space was expensive, and it was visible. I remember my time when I started in the Public Service of the collection of records that we would pull together and send off to State Archives for archiving in physical space. It was a physical presence. But today, in a time of digital storage, it's cheap, it's fast, it's easing and it's seemingly without limit. So, it's incredibly easy to store records today and therefore keep just about everything forever and at almost minimal or no visible cost. And that's because costs for digital storage are likely captured within broader digital costs of IT more generally or amongst other IT costs, and so therefore the cost of retention feels like zero. But in reality, the real cumulative cost comes in risk, in complexity, and eventually for consequences which are very real and growing today. And for me, those consequences often manifest themselves in a real form of risk to privacy and individual privacy.
So, what does that mean for the real value of retention and disposal authorities and all of you as records managers? This is where records management, in my view, plays a critical but often underestimated role.
Retention and disposal authorities are more than just an administrative tool. They're actually called governance frameworks, and they provide the mechanism to translate our records responsibilities into clear and actionable rules for life cycle management. They also support and contribute to the preservation and protection of privacy.
As records managers, you are stewards and leaders in the goal of data minimization. From my perspective, you are record keepers, but you are also risk mitigators, your compliance enablers and your privacy protectors and that means we need to champion the operationalisation of retention and disposal authorities into systems, into workflows, but also into our culture. We need to actually get on board and give effect to them. They need to be integrated into our IT and our cybersecurity efforts as part of a broader system of privacy risk management, because the over retention creates privacy risks, cyber risks, legal risks, reputational risks and operational risks. And if a record no longer serves a business purpose or a legal purpose and its retention period has been met, then the question for you all is, what's its value and to who is it of value? I can tell you from my experience, there is someone out there to who it is of great value. Perhaps not who you would like it to be, often a threat actor or an attacker. And as a Privacy Commissioner, my question when data breaches occur and people come and tell me that a data breach has happened is, so why was the information still there to begin with? It's often the same question the public is asking, and we saw that in some of the most significant data breaches that have happened and been reported in the media, the likes of Latitude and Optus, only a few.
The public expects all of us to handle their data with due care, and part of that care involves knowing where our data is, not keeping it longer than we need to, and acting when it's time to delete those records. And maybe some of you might be thinking we haven't had a data breach and so it's all good, it's not going to happen, we've got nothing to be worried about. But from my perspective and my lens, there isn't a day where we don't see a report about data breaches. Not all of them necessarily happening in the state of NSW or Agencies within my remit, but they're happening every day. Their size and scale and impact all variable. And just because it hasn't happened, it doesn't mean it won't.
And like a data breach, the risk of over retention doesn't announce itself in advance, it accumulates quietly. Over retention is like storing flammable material out of sight and out of mind. It becomes front and centre of mind when that fire starts.
The good news for you all today is that privacy is a strategic enabler and privacy aligned records management is about more than simple risk avoidance. It reduces an Agency's threat service, and it creates clarity, confidence, control and trust.
I doubt that there is anyone here today attending this Forum that would disagree about the value of a smart retention schedule that improves data quality through timely disposal, that reduces noise and supports business response. But it's also important for privacy fundamental that contributes to the reduction of personal information being exposed in the event of the data breach. The link between better privacy outcomes and records retention is real. It means more than now, more than ever, you need to know what is being held, where it lives, who owns it, who has responsibility for it, and you need to include and embed the review and application of disposal practises into your business, as a BAU. You need to link retention to risk. You need to treat data past its retention period as a risk and not just an archival question. And we all need to promote shared responsibility.
The circumstances and that story, an example that I gave at the beginning, isn't really all that unique. And I would ask you, do you or does your agency have an old drive somewhere, a forgotten database? And be honest with yourselves, because if you do, each one holds not just data, but it also holds risk, risk for your agency and to the individuals to whom that information is likely to involve.
So, privacy awareness is not just about protecting what we collect, it's definitely about that, but it's also about letting go of what we no longer need.
Privacy doesn't end at the point of the collection process. It extends to the storage, the access and critically, to disposal. So responsible retention is privacy in practise.
As records managers, you play an indispensable role in safeguarding privacy by ensuring the meticulous management of data through its life cycle. Your dedication to implementing robust retention and disposal authorities, not only supports compliance and risk medication, but you also foster a culture of accountability and trust.
I want to thank you all for your unwavering commitment this Privacy Awareness Week to protecting the privacy of individuals and upholding the integrity of our data systems and in turn, of privacy.
I'm going to leave you with one final reflection. This Privacy Awareness Week, today, the first day, I urge you to actively participate in Privacy Awareness Week by engaging within your Agencies and asking yourselves what are we holding on to and what might it cost us? Because privacy is a matter of significance to all of us. And after all, yes, I'm the Privacy Commissioner and it is my business, but it's also your business, so, it's all of our businesses and that means it's everyone's business.
Thank you for today's opportunity to present and to speak about what is close to my heart, privacy and the importance of data minimisation and not retaining more than you need.
If you're looking for more information about, or guidance around privacy, the IPC website has a wealth of information about responsibilities of Agencies, its processes throughout the whole of the life cycle with respect to personal information.
I'm happy to take any questions, Martyn, and I also want to wish everyone all the very best for the rest of the agenda this morning.
Martyn Killion 22:14
Thank you, Sonia, thank you so much.
That was a presentation that I know resonated with the people that are here today and was incredibly insightful, particularly showing that link and the interconnectivity between records, record keeping and privacy. I think this is a message that so many people here today will really take home and mull over within their own Agencies, so thank you very much.
I think it also really brought home to me the value of the discussions that we've been having over the last few months of the interrelationship between our two Agencies as well, and certainly a relationship that I know we're both keen on building and growing, so thank you so much for that presentation.
Can I open up the floor for any questions? If anyone does have any questions or comments for Sonia, can I get you to pop them in the chat, or if you'd like to raise your hand we can unmute you. Anything at all from anyone?
Martyn Killion 22:35
Emily has asked about the difficulties of getting messages across at executive level and whether you have any tips on that?
I think your whole presentation around trust, risk, all of that was fundamentally that message, but anything in addition to that, Sonia?
Sonia Minutillo 23:56
Thanks for the question. It's a really good question and an important one.
I think leadership at the top and setting that tone and the culture for how you see privacy is really important. In terms of getting that buy in, I think we need to be thinking about it in the context of risk and in the context of what is the cost if we don't do this. So turning the conversation into not just about privacy, i.e., you need to do it (records management), but rather talking about it in the sense of if we don't do this, this is the cost of what might occur, this is what it might mean in relation to our customers (the people who we provide services to) the impact and our reputation. Because when it goes wrong, it's really very, very expensive in terms of the recovery, and that's in terms of the things that you can quantify for e.g., records disposal and supports that you might put in place, but it doesn't account for the impact and the cost of reputation, which is great. So that's the first thing, and I think the second thing is to try and champion within, take opportunities like this to talk about records retention and privacy and engage with your IT divisions so that it's being built into systems. Because as we move more and more into the digital space, our records are in digital land, and if we're not doing the things that we used to do, then we're not actually managing those records the way we should be.
Martyn Killion 25:51
Thanks, Sonia, and look that sort of question around resonating the message at senior levels is one that's been reiterated by a number of other questions and comments that have been put into the chat.
People have also been asking about any material, any collateral, that the IPC may issue around over retention that might be of assistance in terms of getting that message across as well.
Sonia Minutillo 26:26
So, look, there is information across many of our resources, and I think the question is a good one, because much of the material that we produce is not directly about over retention. It's caught amongst all the various messages that we are talking about, so we'll have something around collection that says don't collect more than you need, only collect it for the purpose you need, or don't hold on to it unless you need it. So perhaps that's something we can be thinking about collectively with State Records, and how we create that messaging to reinforce it as a reference point.
Martyn Killion 27:07
Absolutely. I think that it's one of the many areas of possible collaboration between us that we could look at for sure.
Just to pick up on a couple of the other comments, Sarah has asked about creating a working group regarding privacy awareness and data across the organisation. And I think, Sarah, that's possibly also one of the key messages from Sonia's presentation around those relationships across the organisation and building those, regardless of whether that's with IT, with sort of a governance area, a risk area and so on but that is certainly all part of the secret, the secret recipe for success, and I guess in lots of ways, Sonia, I would agree.
Look, I think that I've pretty much encapsulated all the questions and comments that we've had, apart from the great appreciation, Sonia, for your presentation, for which I'd also like to add my own voice, particularly on day one of PAW. We really appreciate you taking the time to speak with us today. It’s very, very much appreciated and I know that everyone here today would join me in thanking you.
Sonia Minutillo 28:35
Thank you. My pleasure and thank you very much for having me.
And I thank you all for the important work that you do and wish you well for the rest of the agenda.
Martyn Killion 28:45
Thanks so much, Sonia, and by all means, if you have time, you're very welcome to stay.
Sonia Minutillo 28:49
I'm going to leave you but thank you for the offer. All the best everyone.
Martyn Killion 28:55
Thanks, Sonia.
Martyn Killion 28:57
All right, let's move on to our next agenda item.
Our next speaker is Andrew Warland, who is an Information Management and Microsoft 365 and SharePoint specialist and has been for over 4 decades and really through his practise providing practical advice, practical knowledge around records management, information management and content management, particularly in respect of digital record keeping.
We've asked Andrew to speak with us here today at the Records Managers Forum because we have recently engaged with Andrew to provide some guidance on behalf of State Records NSW on Microsoft 365 and record keeping within Microsoft 365.
That guidance is being finalised and will be issued very soon, but that will be a tailored version of other iterations of that guidance that Andrew has already developed for our colleagues at the Public Record Office of Victoria and so on.
So, Andrew, I'll hand over to you with thanks again for your time this morning.
Andrew Warland 30:18
You're very welcome. Thank you very much for the lovely introduction.
I will be sharing some slides and the assumption here is that as this meeting is recorded, you'll be able to watch all of these and look at them again if you watch the recording.
So, I will be going through some of these very, very quickly because of the short period of time that we've got.
Just before I start though, two things, first of all, acknowledge the Bunurong people as the traditional custodians of the land where I live in Southwest Melbourne and pay my respects to the ancestors and Elders. I'd also like to say thank you so much to Sonia for that wonderful presentation because a couple of things she pointed out, if not all of the things she pointed out, are going to be covered in some of the slides and information I'm covering today, particularly just for all of the information across Microsoft 365.
Just some quick takeaways first, that you can all read for yourself, but really just to cover those off quickly. Microsoft 365 is obviously complex. Governance is essential, as we'll see towards the end of this presentation.
You may need to be thinking about whether or not you need a third-party product or you can do it out-of-the-box. It's a question that comes up almost every day in my world and Microsoft change is constant, but for most end users there's not really a lot of care about records and record keeping, sorry to say, but that's often the case. They'll come into work, they'll turn on Office, they'll turn on Teams, which has now become such a popular thing. Five years ago, I was not saying that I was explaining what Teams was, but now everyone's using Office and Outlook and Teams. They’re probably accessing it by their mobile device, using the various Office applications, saving content by File Explorer (typically). They may have some idea of Copilot (in some organisations) and may have a vague idea of what SharePoint is in Teams and OneDrive, but the focus primarily is on Outlook and Teams and the Office applications. So that is not a lot of care there about what's happening. They're creating the content and storing it in places where they can find it. Again, they know where it's stored.
However, behind the scenes, things are a little bit more complicated, and I won't try and talk to all of this, just to simply say that there are broadly speaking there are three broad layers in Microsoft 365. There's that apps layer at the top, the ones that the end uses (all of us) engage with every day. That's the applications that we open, that we work with. Behind that, there's a services and admin layer that where certain things are set up, configuration and other things have been set up. At the very bottom, we have the storage layer where the records, where the digital content is actually stored in Microsoft 365. And this really needs to be understood when we think about storing stuff, whether we're doing it via Teams and via SharePoint or saving content, creating new emails, all of that content is stored in the storage layer, down at the bottom, there's a substrate. And in between the services layer, the storage layer, and the apps layer, the ones the end users deal with, is what we call the Microsoft 365 Graph. Now, almost every application's got a graph. Facebook's got a graph; Google's got a graph. They've all got a graph. Basically, the graph watches what you do. It connects what you do with other things, with various applications, with conversations, with Teams, with Word. It starts to understand who you are and what your relationship is with other things, and so at the apps layer, you might do a simple search and say, I'm looking for… and what comes back from that storage layer via the graph is information that not only meets your search requirements but is also possibly relevant to your search requirements. So, you may not have thought about looking for it, but the search layer will bring it back to you because of that graph that sits in between. And if you're using Copilot, Copilot pulls stuff in from large language models from that data layer via the graph and presents information as you may have seen if you're using Copilot, it’s not necessarily always accurate and it may be bringing you back content that you probably should not be looking at.
Now, I hate to always have to explain this, but this is probably the most misunderstood part of Microsoft 365 since I've been working with this product for more than 10 years now. The understanding of Microsoft 365 groups and how they connect to Teams is very low. Generally speaking, and just to explain this really quickly, every Microsoft 365 group always has a mailbox and always has the SharePoint site. When you create a team, the team basically is pulling on, is drawing on the resources of that Microsoft 365 group. So, if you've got a team and a Teams channel, as we all know, the shared tab in a team's channel is pointing to the group's SharePoint site. The posts that you create in the channels are being stored in a hidden folder in the group's mailbox. So, this diagram is just a quick one to say that that understanding of what Microsoft 365 groups is, is very low, but it's important because as we'll see in the next slide, where are the records? And this comes to the point that Sonia raised before, there are records in so many different locations. You might think in Microsoft 365, but for the most part, most of your records in public offices are going to be stored in Outlook or Exchange mailboxes. That is the personal mailboxes, or the mailboxes connected with a Microsoft 365 group, or on the right-hand side in SharePoint slash OneDrive. And you can see these various lines that point all over the place here on this diagram points to where that content is going to be stored if you're using Teams. So, if you're in the chat part of Teams or perhaps in a Teams channel, or you're in a private channel, where is that content actually being stored that you're creating there? So, we have what are called compliance copies going into hidden folders in mailboxes, and the hidden folders, there are approximately 550 plus hidden folders in a typical Exchange mailbox. So, while we might think, oh, it's all in the mailbox, what you're often thinking about is the emails in the mailbox.
Microsoft discovered that, not discovered, but realised that mailboxes are really great place to store stuff. So, there's a vast amount of content stored in hidden folders in mailboxes that you can't see that you can't access it. It can't access either directly. It's there for storage purposes. Microsoft put it in that place. Some of this content you can pull out through Purview, as we'll see a bit later on, but just to let you know that mailboxes have got a lot of content in them, much more than you think. So, when you think I need to keep the mailbox, I'm going to be saying keep the mailbox plus the team's content in those mailboxes, plus all the other content. Like how much content do you really want to keep in those mailboxes? They're huge, the content. So, you could largely say, just to summarise this, the chats, channel, posts, calendar items, all are in the mailboxes. The documents, OneNote whiteboard, Teams recordings in most cases are going to be over in the SharePoint side of things. So, if you're wondering, you know, what's the split between those two, That's a simple version of that.
Now we have to address compliance requirements. All government agencies need to address compliance requirements. Different jurisdictions have slightly different requirements, but they're all kind of similar, and usually compliance in Microsoft 365 is achieved through one of two, you could almost say three methods. One is to have an EDRMS and keep using your EDRMS and assume that end users are going to be willing to continue to put content into your EDRMS, your traditional content manager objective and so on. Or you buy a third, one of these third-party products. And I'll explain that point, RecordPoint, there's a couple of others out there, Castle Point, Encompass, there's a number of products out there that will say, buy our product that will help you to meet your compliance requirements. But keep in mind that even if you have these third-party products with EDRMS, most of the content still remains in Microsoft 365 and Microsoft Purview still exists. It's an important point. I've heard some people say to me, oh wait, we didn't buy Purview, we don't have licences for Purview, we're just using a third-party product. Well, actually Purview's there always with Microsoft 365, it doesn't go away, you don't pay extra for it. If you've got those basic licences, you can see Purview. The other option is to try and manage the records in place using the Microsoft 365 tools, including Purview, but there are gaps in that model that still need to be managed, and that's a problem. So, either way, you've still got a bit of a problem, and you still need to figure out how to manage the gaps.
I won’t talk through this slide, just because you'll get a copy of this, but SharePoint in many respects looks very much like a traditional EDRMS, like a content manager in the sense it's got all of this functionality that allows you to manage the records. However, and I have to emphasise this, SharePoint is not an EDRMS. It's one of several systems of record in Microsoft 365. As we saw before, we have mailboxes, and we have SharePoint slash OneDrive that are used to store the content. SharePoint itself is not an EDRMS and it's a mistake to think that SharePoint is the only place where records are going to be stored. There are probably just as many records in your Outlook mailboxes, including in those hidden folders as there are volume wise in your SharePoint environment. So, one of the biggest problems, and this comes to Sonia's point, in some respects, one of the biggest issues for compliance with Microsoft 365 and SharePoint is sprawl.
Now most of us will know that during the pandemic, people could create Teams, and they created thousands of teams. One Victorian government agency just last week told me that they've got about 7 1/2 thousand teams that were all created during that pandemic period, and they have no idea really what's in them. So, they've got a big job of trying to figure out what's in them. So, we've got oversharing, likely because no one really kept eye on what was being shared. There's heightened information and privacy risks, especially relevant if you're using Copilot.
I've heard so many agencies say we've introduced Copilot and then discovered that people can see stuff they shouldn't be seeing, so they've turned off Copilot because it was a danger.
There's content that should have been destroyed long ago. Often, it's been brought in from a network file share or an old version of SharePoint and it should have been destroyed, but it wasn't. All that redundant, outdated, trivial content, all the rot is still there, and it needs to be cleaned up, but it's been brought in and it's a mess.
There's reduced efficiency and productivity, a sense of siloisation and hard to find content. Because of this sprawl, so many different SharePoint sites, nobody really has a handle on who's got access to what and what exists. There's poor collaboration, communication, and there's obviously increased cost to address this. But you know, which is the better one to spend, the money on fixing the problem or the money that you will have to spend to address privacy breaches or information security breaches?
So, fixing it, you need a good information architecture, you need ideally, a control creation process for Teams and SharePoint sites, but I get that not every agency will want to go down that path - makes sense, and you need to monitor and review the environment to clear up the clutter that exists. So, some examples. Here's a model architecture, just as a simple design of a high-level intranet with divisional, divisional level sites and other sites linked via hub arrangement. What do we mean by hub arrangement? This is an example of two hub arrangements, so we've got one on the left is the human resources, one on the right is information technology. They're the business areas or the divisions if you like, depending on how big your organisation is. And around that hub are logically grouped content. These are the content that relates to that hub site. So, you don't put human, you don't put property, you don't mix property or legal records with human resources records. You know, that's a different hub. That's a different part of different grouping of content. It's important to keep the content together in a way that makes sense.
The second issue, as I mentioned before, was that hidden content records are very likely to be stored in inaccessible locations. From a record keeping point of view, you can't access mailboxes, can you? You can't access people's OneDrive directly. I've mentioned already how much contents in those personal mailboxes. The emails are visible to the user, but not the content in the hidden folders. OneDrive contains huge amounts of content, typically often regarded as personal, but there's a great deal of concern that when someone leaves, there are probably records in that OneDrive account and that OneDrive may be destroyed. So, what are you doing in an organisation to ensure that there's no records in those OneDrive, no personal, no sensitive content in that OneDrive and that it is properly managed, particularly when someone leaves. So, we need to be careful about that.
So, Purview, just come on to what is Purview? Purview is, as Microsoft called it, a family of data governance, risk and compliance solutions. Now all of the solutions that are relevant to records management are the ones that I've highlighted in red on the left-hand side there. So, audit compliance manager, data life cycle management, which is where you create your retention policies and retention labels, E discovery to find content across the organisation, Information protection for information sensitivity labels, records management if you've got an E5 licence and you want to have additional functionality with retention labels. It's not records management like we know it; it's additional functionality that you can apply to retention labels. And we also have data life cycle management, sorry, data loss prevention that links to information protection and other things. But in there we also have data security posture management for AI, and that that's an interesting one because if you're introducing Copilot, you really want to know what are the risks, what are the potential issues you've got with your Microsoft 365 environment in terms of the risks of the content that you may have. Down the bottom at the far left, we have insider risk management as well too, and that's a really interesting one, that insider risk management is looking to detect by AI methods people who are doing things they probably shouldn't be doing. So, while Sonia talked about threat actors, threat actors can come from within. The insider risks can be just as equally dangerous as risks from externals as well too.
Microsoft 365 includes 2 key pay-as-you-go options. In other words, you've got to pay for the usage. One of those is Microsoft Syntex, a really, really interesting set of tools, autofill Columns. autofill metadata columns is a really interesting tool that you can use, and it's got some other options there too.
SharePoint Advanced Management, particularly if you're introducing Copilot, but even if you don't, it has a whole lot of capability in SharePoint Advanced Management to allow to allow you to assess your environment and the risks associated with oversharing in particular and poor permission controls and so on across your environment. So, SharePoint Advanced Management, both of those two are valuable, but they're both pay-as-you-go options you've got to pay extra for.
And all of this leads to governance for Microsoft 365. We have all these records sitting in the middle here. There are there are eight key admin centres surrounding those records. These eight key admin centres all have different controls that can impact the management of records which we see here. So all of admin centres, it's not easy to read on the screen, I understand, but all of these different admin centres have different settings and different configuration capabilities that can impact the management of records. We're not just talking about SharePoint here; we're talking about a change that's made to Microsoft Entra or a change that's made even in Exchange Admin Centre that can affect the management and the outcome of what happens to the records that are stored in various locations. So, you need to be conscious that we're not just focused on that SharePoint, but we're focused on the bigger picture here, and this means that records managers in particular do need to try and get a seat at the governance table, do need to be collaborating with IT about how records are managed in Microsoft 365. Even if you have a third-party solution, you still need to know what's going on behind the scenes in that Microsoft 365 tenancy, particularly in SharePoint and mailboxes.
So, my final thoughts here. It's possible to manage records out-of-the-box, but you need to: have good governance, understand what the substrate is, what the records are, what the graph is, know where the records are, as I've just said, establish a good information architecture, establish processes and practises to deal with the gaps. This is out-of-the-box, but if you do go with a third-party provider, all of the above points still apply. And remember, even with a third-party product, all the underlying Microsoft 365 ecosystem, including Purview, is still there and can still be used to support the management of records. You've still got access to the audit logs, you still can do content searches. You've got the ability to use the AI, the data classifiers, and all the explorers sitting in Purview that can help you understand where the records are. Some of the third-party product’s surface that Purview functionality by their own tools, but they also have their own tools that extend that functionality. So, it's important to understand what Purview has before you think, oh, we don't need to use Purview. Purview is all a very, very rich functionality that will help you to manage all records, not just those in SharePoint.
And the final slide for me to say thank you, but also just to note, as John noted earlier, the records, the document managing records in Microsoft 365, the guide from NSW public offices should be coming soon and I'm happy to receive any feedback on it. Some people have said it's a very long document. Well, Microsoft 365 is a very complex environment, so that might help explain why it is such a long document. But I do hope you find it interesting once you see it and always happy to get feedback and comments that may help you. So thank you.
Martyn Killion 48:40
Andrew, thank you very much.
The screen is being overwhelmed by thumbs up, heart and applause emojis, as you can see
Andrew Warland 48:40
People are so kind.
Martyn Killion 48:52
There's been various comments in the chat about the great value of that overview that you've presented and the great value particularly of people not necessarily understanding of where material is or unintentional creation within Microsoft 365. So, I think you've really brought those points out incredibly well, and I would like to thank you for that.
There's been a couple of questions that we might just go to.
Duncan has asked about whether Power BI also has similar risks associated with its uses Copilot?
Andrew Warland 49:37
Yeah, I think so. I think, there are no end of risks potentially in Microsoft 365, the ability to pull content out of your environment and there not being proper controls over that content. You don't really know what you're going to see. If you're doing Power BI reports, perhaps the information might be skewed a bit because of content that shouldn't have come out. I think that's the answer to the question, but happy to refine that further, Duncan.
Martyn Killion 50:09
OK, thank you, Andrew.
Todd has just asked about confirmation of his understanding that Purview doesn't allow applying retention at a folder level and whether you think that that's a weakness of the product?
Andrew Warland 50:24
To be really clear here, you can technically apply, and I'll use that term loosely, a retention label to a folder, but it technically doesn't apply it to the folder. It applies it to the items sitting in the folder, so under the folder. So, if you've got 10 documents in that folder, you apply it at the folder level, it applies it to the items. What happens eventually is that those items will be disposed of, but not the folder. The folder will just remain in place without anything in it.
Martyn Killion 51:01
Kathy has asked about persistent identifiers and whether there's identifiers for items and aggregations in any of the product suite?
Andrew Warland 51:11
So, the most common identifier is the document IDs that have to be enabled on SharePoint sites and ideally configured so that the prefix (the four-to-12-character prefix for the document IDs) reflects the name of the site that it's come from. Ideally, it'd be the same as the URL, but some URLs are much longer than 12 characters, so it'd be ideal if people could use that. Now document IDs can be used for individual documents as well as document sets, but they can't be applied to folders.
Martyn Killion 51:43
Great, thank you.
People have also asked about when the guidance will be published. We’re finalising that guidance now and we would hope in the next few weeks we'll have that guidance published on the State Records NSW website, and people will be notified in the next issue of our e-newsletter For the Record.
And having had a review of it, Andrew, yes, it is a long and complex document, but I think the way that it is structured means that it's almost like a problem solving structure that when you've got a particular issue, you can jump in at a particular area and you know, sort of find those solutions. So, I think that people will find it enormously valuable and thank you again for all your work on it.
Andrew Warland 52:29
Thank you, Martyn
Martyn Killion 52:33
I might just go for one more question before we let you go and that's from Matthew stating that there's a lot of complexity for those cluster state government Agencies with a shared single tenant, and as each Agency doesn't get direct access to the sort of centralised admin centre. Any thoughts or advice that you can provide for Agencies that find themselves, as we all do, in clusters?
Andrew Warland 52:59
Yeah, look, this is a serious problem for even Victorian government Agencies. The Victoria Government tenant is to be honest, I find, a bit of a problem for those Agencies that are in that environment because it's not the easiest thing to manage. You don't have access to the functionality, you don't have access to Purview, you don't have access to any of the admin centres. You have no idea really what your admins are doing because you don't see the audit logs to see what the admins are doing. There's a lot of trust there, but you also ended up with a bit of a watered-down environment in some respects.
I've seen some Victorian government Agencies, at least one that I'm aware of, that shoots its information across to a record point system, also in the cloud. So yes, it's part of the Victoria Government tenancy, but its information gets bounced over to the record point system where it manages it there, but the original information is still sitting in there Microsoft 365, that part of the Microsoft 365 tenant. I think it's not a great model, particularly for organisations that have got different functions and different legislative requirements to manage information. Mixing that content into a single tenant, I just don't agree with that model, but you've got it. Those of you who've got it, it's a challenge, that's all I can say, and I feel for you as it's not an easy model to deal with.
Martyn Killion 54:26
Yeah, indeed, fair call.
Look, we might stop the questions there, but Andrew, again, our heartfelt thanks for your time this morning, but also in all of the work that you've been doing with the State Records NSW team on the guidance. I know it will be eagerly lapped up once published and will be incredibly valuable. So thank you very much. And if you also would like to join us for the rest of the Forum, you're very, very welcome to, to continue to join us.
Andrew Warland 55:04
I'm happy to stay on Martyn. Thanks everyone.
Martyn Killion 55:10
Wonderful.
Thanks everybody.
All right, we're now going to turn to updates from State Records, and I'll hand over to Jo Carlos, our project officer within State Records. Jo, over to you.
Joanne Carlos 55:27
Hello and good morning, everyone. Two very hard acts to follow, so I'll keep this brief.
We've had a busy run throughout this planning year in 2025. It's allowed us to refresh the Records Management Assessment Tool or the RMAT to reflect changes to the standards and our regulation. And it's also allowed us time to consider our options going forward regarding how we want to run the RMA so that it best serves all of us.
As you may have read in the May issue of For the Record, the RME will resume in March 2026. We have also received approval from our board to hold the RME every second year starting in 2026. Feedback from our Public Sector Advisory Committee indicated that this change would increase the capacity of Public Offices to develop and implement improvement programmes, while also ensuring that attention towards records and information management from your senior decision makers continues. This new two-year cadence is also in line with the timing of similar exercises in other jurisdictions and it also recognises the steady improvement across our jurisdictions since 2022. However, the intervening years between each REM will not be silent. These years will give State Records the chance to engage with you to provide some more targeted guidance and assistance.
As I mentioned in the last Records Managers Forum, we've also been at work revising the RMAT. So, a draught went out for consultation with PSAC as well as several individuals who were involved in the initial development of the RMAT. For most of you, you will find that the questions themselves haven't changed. There are still 19 questions. Their purpose? It's still the same, but some wording has been tweaked or refined to enable us to gather better data from the responses being submitted. I guess ultimately none of the changes to the RMAT should or will disable any of us from mapping previous data to data that will then be gathered in 2026 onwards. In saying that, we aim to release the finalised revised RMAT by the end of this month and it will be released to all of you in a documented Word or Excel version. Both will be made available on our website and will replace the existing versions of the current RMAT that are up in case it is not usual practise for your public office already. These documented versions of the RMAT will allow you to start preparing early and to use it as a working and collaborative document that you can circulate among relevant colleagues and business units, and this will make the process much more seamless.
When March comes around and you are required to submit your assessments via the service portal, an accompanying RMAT guide will also be provided. As for the 2026 RME, we encourage you to start preparing and rest assured, we will be providing further information in the coming months to help you all. That's about it.
Martyn Killion 59:24
Great thanks so much, Jo, and thanks from us all for all of your work and Catherine Robinson's work on the revised RMAT. Particularly in terms of Board papers and so on, which have got us to the point of the new cadence for the RME, which I know will be appreciated, but still retaining the enormous value of that exercise for our public office stakeholders. So, thank you very much for that.
All right, I'll now hand over to John Vineburg to talk about the results of our recent satisfaction survey. And I'll just preface this discussion by saying we had a very low response rate to our satisfaction survey and I would, albeit in about a year's time, encourage you all, when we submit the satisfaction survey for completion, to let us know your thoughts because these sorts of surveys do have concrete actions based on the results of them. And we would like to make sure that we're representing the directions but also the needs of our stakeholders as much as possible. So, please do, we'll be reminding you about the next survey when it goes out next year, but please do bear it in mind.
John, over to you.
John Vineburg 1:00:53
Thank you, Martyn.
Well, as Martyn mentioned, as you can see in the middle of that right column there, we had a very small sample size given the number of people who are on this call. We had 33 in 20-24 and only 27 in 24-25.
Taking that into consideration, the Survey results did show significantly improved satisfaction in key areas, including more access to our web pages across both Museums of History NSW and State Records, and increased satisfaction with those pages.
There's also increased satisfaction with our service to public officers across both agencies and increased satisfaction with the Museums of History service portal transfer process and retrieval process.
Now some of those improvements were from a relatively low base and given the sample size considerations, we have to ask ourselves the questions as Martyn was saying, are the views that we picked up in the survey widely held? And we've consulted the Public Sector Advisory Committee on this, who've kindly given us some feedback, and we want to take the opportunity at this Forum to also sense check the results.
So probably the best use of your time is to have a look at some of those points that we had, and we'll give you the opportunity to put into the chat or e-mail us whether they reflect your views, or if there's something we're missing. Are you really satisfied with our services? Are you just being nice?
So going through the list of priority actions identified by survey respondents for State Records, it was consistent and unequivocal advice.
One of the points of feedback was, well it depends on agency-by-agency circumstances, and people are asking for that to be clear or whether that can ever be unequivocal is an issue. We now have two websites between State Records and Museums of History NSW, and the issue was raised about easier navigation between those two sites, easier access to record retention disposal schedules, longer notification of RME time and enhanced search functionality, noting it is better on the new website, but there are possibly some things we could do there.
In terms of when we say training, things for us to focus on in the future, managing business systems was the top one and you can see the other ones on the list from shared drives, responsibilities under the State Records Act and records and information risks and so on for Museums of History NSW.
The actions identified, and as I said, this may be only one or two people making this feedback, include simplified transfer process, better estimates of transfer times, improved guidance and documentation, greater clarity on the website.
One person also mentioned reduced labelling and physical preparation requirements.
And in terms of things that you want to hear about based on the Survey, the highlights were transfer preservation of digital records, responsibilities under the State Records Act for the Museums of History NSW side of things, transfer plans and conservation of records.
So having seen the feedback, and as Martyn was saying, you’ve got an opportunity to participate in the next Survey, and we think you should. Please drop in your suggestions for consideration in the chat or reach out to us anytime through govrec@staterecords.nsw.gov.au
So back to you, Martyn, in terms of leading any feedback that people may have.
Martyn Killion 1:05:25
Thanks very much, John.
And look, I think at least on the Museums of History NSW side, I think our next agenda item will start addressing those matters around transfer and the transfer process and so on.
Does anyone have any thoughts or comments on any of the survey results that John has been through? As John said, if not now, then you're very welcome to contact us in some other way in order to be able to send us those messages.
So, I can see someone has their hand up.
Ron, you have your hand up.
Hi, Ron.
Ron Holla 1:06:20
Hi there. Some years ago, they used to have a Digital Implementers Forum, which was quite useful. I, believe it got wound up because it was the same people going and it got a bit repetitive. But if we could see something like that coming back again, I think that'd be very handy, particularly for things like 365, which has become more prevalent since those Forums.
Martyn Killion 1:06:20
Good point, Ron, and certainly we're keen on gathering together our stakeholders as much or as the need arises, and today's Forum is kind of an example of that as well.
While we haven't really had the opportunity for some really in-depth discussion, there's no reason why another Forum like this couldn't sort of focus on a particular area and help that. So thank you for that suggestion.
Emily has also suggested sort of historical mapping tables for inactive retention authorities, so that's good, thank you.
All right, well, in light of the time, we might move on.
John, thank you for your presentation and for the information of this group.
Just to let you know that John is actually leaving State Records NSW at the end of this month, and I would like to publicly acknowledge and thank John's contribution to State Records over the last couple of years. It has been wonderfully valuable and a delight to work together and I would like to join so many people, John, in thanking you for all of your work.
No tears!
John Vineburg 1:08:01
No tears. Thank you.
Martyn Killion 1:08:06
All right, let's move on and we'll get an update from Museums of History NSW from Kristy Tiberi. So, Kristy, over to you.
Kristy Tiberi 1:08:16
Hi, Martyn. Hi, everybody. Thank you very much.
I too am working out of the Western Sydney Record Centre today alongside Martyn. So, I'd like to acknowledge the Dharug people on the lands on which we are both working and acknowledge the lands on which all of you are joining us from today.
So, we've asked everybody to provide their transfer plan during 2024, and as I said, we've been very thankful for the response rate that we got for that.
I thought it would be timely just to do a bit of a refresher on actually how to start transferring physical records into the State Archives Collection. Sometimes people see it as a complex process. So, I thought this might help to demystify that process a bit.
A lot of people have identified physical records to be transferred into the collection, and we have had some first-time people transfer into the collection as well. So, I thought this might be just a good opportunity to give everybody a bit of an overview of the process.
So, first step is you actually have to have identified the records that you have that are required as state archives first. So, obviously you need to have undertaken some sort of assessment or appraisal or sentencing programme and once you've identified those state records that are required as state Archives, that's your first step.
The second step of the process is to have a look and see if you have got a series registered within the State Archives Collection. So, this might be a continuation of records that have been transferred previously into the collection, or this might be the first time that this particular set of records is actually going to be transferred into the State Archives Collection. So, you can check the series that are registered through the service portal when you log in. Alternatively, you can have a look at our online catalogue on our website. But that's the next step, have a look and see if there's a series registered. If there's not a series registered, you'll need to register one. And that will give us and researchers into the future just some information about why the records were created, what sort of information is contained within them.
We have got a fact sheet that we issued with our last for the record item, so that's available on our website as well. That gives you an indication of the sort of record, of the sort of information you need to provide in your transfer plan, not transfer plan, in your series request. So, you do that through the portal, and we'll register a new series for you.
The next step is you've got your records; you've had a look and seen if there's a series of records that already exist in the collection. If not, you've registered a series for them to go into. Have a think about the access for those records, which is timely in light of the conversations that we've been having today.
You can register additional access directions if needed if there's sensitivity around the records, but have a think about, can these records be open to the public after 20 years once they're transferred? Can they be made available early or immediately? We've had a lot of people transfer their annual reports, which usually are already available on your website. So, can they be made available immediately or do they need to be closed for a specific period of time? So, that's the next thing to have a think about.
And then I think the bit that people get a bit scared about is the list listing the records and packing them. Each item that you're transferring does need to be identified on our consignment list, which you can grab off our website. That being said, I did get the question the other day, do I need to list every single entry in a register that somebody had? And no, you don't. We're not asking you to document every single document in the folder. We're just asking you to list every folder or every book that's going into your box.
Pack them up. Our preferred method is for them to come in a standard type 1 archive box, which you can purchase from places like Archival Survival or the Government Records Repository. Oversized records can come in loose depending on what they are, but you can always ask us about them and send us some photos.
We're happy to come and visit if possible or set up a Teams meeting if you're a regional Agency. So, if you have got records and you're not sure about how to pack them or how to list them, please reach out to us and we can arrange a Teams call or we can come out to you and visit if you're in the Sydney metro area and the surrounds.
Once you've done all that, you submit your request through the service portal.
Once you've submitted your request, you provide that list of the items that you're proposing to transfer into the collection. It comes to the Agency Services Team. We have a look at it; we have a look at the disposal authorities. We check that these records are actually required as a state archive and that you've provided all the information we've asked for in the consignment list. If we've got questions, we'll come back to you and ask for more clarification.
Sometimes we might ask you to take some photos and send them through to us so we can verify that these are going into the correct series that you've identified as well.
Once we're happy with all of that, we will authorise the transfer, so you'll get an official e-mail authorising the transfer into the State Archives Collection. We then pass that along to our Logistics Team. So, our Logistics Team will arrange barcodes to be sent out to you to attach to the records you're transferring. If it's coming in boxes, the barcodes will go on the front of each box. If you're sending in loose volumes, the barcodes will go on the volumes.
That team will then also arrange the collection of the records from your offices if you're in the Sydney Metro or outer areas.
If you're from a regional public office, you will need to arrange the delivery of the records either to the Western Sydney Record Centre or to a Regional Archive Centre if that's been agreed to.
If you are wanting to transfer into a Regional Archive Centre, please let us know as part of the transfer request and we'll coordinate with them and see if they have the ability to take those records.
The records will be collected or delivered to us and then the next steps in the process are our point of receipt team will actually check that you said you were transferring ten boxes and yes, ten boxes were delivered, so you'll get a receipt emailed to you so that you know that the boxes have arrived safely.
And then there is some checking by our clerical team who will go through and just do some spot cheques and check that the records that have been listed are in the boxes.
That is all you need to do and that is the end of the process.
I think if anybody has any questions, Martyn, I'm happy to answer any questions, but I'd encourage people to, if you would like us to set up a call, if you're doing your first transfer, we recommend you start with something small and we're happy to come and visit you or set up a meeting to guide you through that first time because I know it can seem a bit daunting, but it is quite simple once you get into the swing of it.
So, Martyn, I don't know if we've got any questions today?
Martyn Killion 1:15:32
Yeah, thanks very much Kristy for that, and I dare say that we'll get a number of inquiries as a result of that, which is a good thing.
Shelley has asked about whether the Agency, and I note that Shelley seems to be from Southern NSW Local Area Health District, whether the Agency can request that the records be kept at a regional repository rather than in Sydney?
Kristy Tiberi 1:15:58
So you can. The different regional repositories do have collection zones, and ultimately the decision is theirs whether or not they have the space to accept a transferring of state archives material into their repository. But yes, by all means you can ask us, and we'll coordinate with them and let you know if that's possible. Thanks, Shelly.
Martyn Killion 1:16:20
I trust that that's helpful, Shelley.
That's about all unless anyone has any other questions that they'd like to pop in the chat or raise your hand.
And Kristy, I know there's also further guidance on the MHNSW website and the Teams available, of course, to help, as you've said a number of times. So yeah, that's great.
Kristy Tiberi 1:16:45
So we can be contacted by transfer@mhnsw.au if anybody needs our e-mail address.
Martyn Killion 1:16:50
I'm sure it's on lots of collateral that we sent out in the past, but just a reminder in case you need us. So, yeah, but we do have a couple of other questions.
What if the records are in a different offset storage provider such as Grace? Will the logistics team link in with them for collection or would the organisation have to do this?
Kristy Tiberi 1:17:00
So it would have to be one of those things where you would have to give Grace the heads up. We have collected records from Grace before, but I would just highlight that you need to be fairly confident that the information that you're capturing about the records to be transferred is accurate. Sometimes the records go off to offsite service providers and this includes the Government Records Repository as well. This is not specific to a particular commercial entity.
We have found recently that people have registered physical, old legacy physical records in their systems, but that doesn't actually match the actuality of the record when it turns up at Kingswood. So, I just highlight you to be careful about just doing a reliance on old lists and you might need to do a bit of sense checking.
But yes, we can definitely collect records, but it would be on the Agency to advise Grace and let them know that we'd be coming to collect those records from you.
Martyn Killion 1:18:12
Great. And look, I might just take one more question from Alex about if they're transferring volumes or books that have individual titles to these still need to be somehow numbered either with a barcode or a handwritten number.
Kristy Tiberi 1:18:28
So it depends if they're coming in a box, depends on if they're oversized. So, if they're in a box, then no. If they're coming loose, then yes, they do because we need some way of identifying them and the barcodes can peel off. So, it sort of depends on that methodology.
I know, Alex, we've had conversations in the past about some of those challenging titles. So, our preference would be if you can do it, if you can number them, that would be great from a future retrieval process, It must be done if they're coming in as loose volumes, but if they're coming in boxes, it's not so critical.
Martyn Killion 1:19:04
Indeed.
Kristy Tiberi 1:19:05
I would also just like to add, we know that people are looking for more guidance on born digital transfers into the collection. So that's what we're sort of planning on thinking about for our next Forum item as well.
Martyn Killion 1:19:19
Yeah, that's great, Kristy.
I think we'll leave it there.
There has been a comment from Jason at Nepean Blue Mountains Health District just shouting out the great customer service and help that you and the team have provided. So, thanks Jason for that feedback. Not surprising feedback but always appreciated feedback. So, thanks so much, Jason.
Kristy Tiberi 1:19:35
Thanks Jason.
Martyn Killion 1:19:46
Again, the screen, has gone wild with applause and love heart symbols, so thanks very much, Kristy.
Martyn Killion 1:19:51
Alright, let's wrap up today's meeting.
Thank you all for your attendance today. I hope that you've found it of value. Again, my thanks to our two guest presenters, Sonia and Andrew.
I think today has been a particularly valuable Forum, and I hope that it has set us all up for a valuable opportunity to sell the importance of records in relation to information management and privacy management during this Privacy Awareness Week.
Our next Forum will be around September, October, so keep an eye out for notification of that, but for now, we will say goodbye.
Thanks very much everyone.
Cheerio.
