Recordkeeping requirements and the Government Information (Public Access) Act 2009

Details on requirements

Informal release and proactive release of information

Under the GIPA Act, organisations may release information via informal requests or decide to proactively release information.

Organisations should have business rules and procedures informing staff about how to manage informal access and proactive release of information, and the types of records that must be made of the assessment and decision-making process, authorisations and any conditions attached.

See Documenting the proactive and mandatory release of Government information below on this page for further information.

Formal release of information

Organisations should have business rules and procedures informing staff about managing GIPA applications. The business rules and procedures should inform staff about managing applications, and the types of records that must be made at each decision point in the GIPA process, beginning with the application assessment.

Application assessment

Throughout the assessment, it is important to document reasons and supporting actions that informed decisions to proceed, refuse or re-scope applications, for example if a decision is being made about the validity of an application or that the application may constitute an unreasonable and substantial diversion of resources:

If the applicationDocument
Is not valid…
  • Reasons why the application is not valid
  • Actions taken to clarify the request, including attempts to telephone the applicant
  • Communication with the applicant e.g. emails and notes of telephone calls
  • Outcome of action taken
Is too broad in scope…
  • What informed the assessment?
  • How was the assessment undertaken? Details of the assessment process
  • Details of searches for information undertaken during the assessment
  • Internal discussions and/or discussions with third party stakeholders that led to this conclusion
  • Communication with the applicant e.g. emails and notes of telephone calls
  • How decisions to amend/narrow the scope of the application were reached
  • Consent to proceed with a reduced scope or refusal to deal with the application (note: GIPA requires consent in writing)
Constitutes an unreasonable and substantial diversion of resources…
  • What informed the assessment?
  • How was the assessment undertaken? Details of the assessment process
  • Internal discussions that informed the decision
  • Details of searches for information undertaken during the assessment
  • Any actions taken to re-scope the request, including communication with the applicant e.g. emails and notes of telephone calls
  • Resources needed to be diverted/cost to the organisation
  • Assessment of the demonstrable importance of the information to the applicant such as whether it is the applicant’s personal information, or that it could assist the applicant to exercise a right under an Act or a law.

Thorough documentation will be beneficial during any external review of an application by eitherthe Information and Privacy Commission or the NSW Civil and Administrative Tribunal (NCAT).

Communication

There are a number of points through the GIPA process where the ‘Right to Information’ officer (or person dealing with the application) may need to contact the applicant, internal stakeholders, business units, or third parties in relation to an application. For example, to clarify or re-scope a request, assess disclosure interests, or confirm holdings related to the information sought.

If the communication does not automatically generate a record (e.g. a telephone conversation) then a note of the discussion should be created and captured into the records management system. If the communication does create a record (e.g. an email) it should be captured into the records management system.

Verbal communication such as telephone calls, meetings, and discussions

Records should be created to document verbal communications, including:

  • telephone calls
  • meetings
  • face to face discussions/conversations

between:

  • the organisation and the applicant,
  • the organisation and internal stakeholders, and
  • the organisation and third parties.

To be full, accurate and reliable, records need to document:

  • Who? - who participated in the meeting, discussion or telephone conversation, and their position/role
  • When? – date/time that the communication occurred
  • What? - what was discussed? what advice or instruction was communicated? what was decided or recommended? what commitments or agreements were made? including any permissions/consent granted
  • Why? - include reasons for decisions or recommendations.

Records need to be detailed enough to enable others to understand what was communicated, negotiated or agreed. Records made should be captured into the records management system.

Written communications

Written correspondence such as emails or messages should be captured into the organisation’s records management system. When capturing records, controls should be applied to ensure records are discoverable to authorised persons in the future.

Follow business rules to determine and apply:

  • titling /naming conventions
  • folder/file structure
  • records classification
  • taxonomies
  • metadata (usually applied automatically).

Paper documents created or received through the process should be scanned and saved into the records management system through a digitisation process.

Capturing records at the time of creation or receipt, or as close to as possible, will reduce the risk of records being missed or lost.

Searches and search results

The GIPA Act requires that "an agency must undertake such reasonable searches as may be necessary to find any of the government information applied for that was held by the agency when the application was received".

The creation and capture of records ensures that your organisation has the records it needs to demonstrate and validate that searches for information/records under GIPA are reasonable and adequate. The request for a search to be conducted by an identified officer(s) should be documented.

Records should outline how records holdings (both physical and electronic) were searched, including:

  • What systems and locations were searched?
  • What search methods were used? (e.g. was metadata used to filter search results?)
  • What keywords/terms, alternative spelling and Booleans were applied during the search?
  • What dates ranges were searched?
  • Which officers, divisions, business units and offices were consulted, contributed to or participated in the search?

Organisations should also document the results of the search, including:

  • Details of any relevant records found (including which business unit created them).
  • A description of paper records found and how they were searched (e.g. were they scanned/manually assessed).
  • Retrieval and checking of any documents that are the subject of the request
  • Certification by officers conducting the search.

Analysis of search results

Records should also be created to document the review/analysis of search results.

If search results:Document:
Show information is already available to the applicant
  • Where this information is available
  • Communications with the applicant e.g. emails and notes of telephone calls
  • Notifications to the applicant
Show information is not held by the organisation
  • Internal decisions and/or discussions with other organisations that led to this conclusion
  • Reasons why the organisations would not hold such information
  • Communication with other organisations that are believed to hold information
  • If the application is transferred, document the agency the request was transferred to, and the date of referral
  • Communications with the applicant e.g. emails and notes of telephone calls
  • Notifications to the applicant
Show the organisation has information and can continue to process the application
  • The decision to proceed
  • How fees and charges will be applied, if applicable
  • Activities and time taken to process the request
  • Communications with the applicant
  • Notifications to the applicant

For more information refer to Information and privacy commission: Knowledge update – reasonable searches under the GIPA Act

Upon release

When releasing information organisations should document:

  • date of release
  • what information was released
  • who it was released to
  • decisions relating to the reduction or release of personal information
  • overriding public interest against disclosure, and/or wavier of
  • if the information can/will be open access now onwards.
Processing time and charges applied

Organisations will also need to document the processing of fees and charges and decisions to relating to the final costing.

In many cases processing of GIPA applications is costed by the hour, therefore the organisation needs to ensure that they can account for the time spent processing applications.

Document:

  • Contributing factors to the calculation of estimated processing times.
  • The activities undertaken for which charges may be made.
  • Actual time taken to complete the each phase/chargeable activity of the GIPA process.
  • Activities where charges were not applied (handling of free of charge information).
  • Decisions to reduce charges, for example to accommodate financial hardship.
  • Review of decisions and granting of refunds.
  • Handling of money, deposits received, refund issued etc.

For more information refer to the Information and Privacy Commission's GIPA Act Fees and Charges

Print this page

Request accessible format of this publication.

Previous
Recordkeeping requirements for processing GIPA requests
Page 4 of 6
Next
Documenting the proactive and mandatory release of government information
Top of page