Commonwealth entities have a range of obligations related to information and records management. Information management is the responsibility of a number of entities.
Topics covered in this section of the guide:
- Intellectual Property
- Privacy Act and Privacy Code
- Freedom of Information Act
- Information, records and data management.
Useful resources and contact information are available in the tables below.
Intellectual Property
- Government policy for the management of Intellectual Property
- Government use of copyright material
Intellectual Property (IP) generated, procured and licensed by Australian Government agencies is a valuable asset and resource. Under the Intellectual property principles for Commonwealth entities, all agencies under the Public Governance, Performance and Accountability Act 2013 are responsible for ensuring it is used, managed and protected appropriately. IP should be handled in a manner that complies with relevant legislation, policies and guidelines while at the same time being consistent with organisational objectives and broader government objectives, including maximising any benefit to the Australian community as a whole.
The Australian Government provides guidance on how Commonwealth entities should manage their IP, and how different types of IP should be used. For information on the Australian Government's policy and framework for the management of IP, please see the Attorney-General's Department website.
Key Tasks
Task | Explanation | Resources | Contact |
---|---|---|---|
Understand your obligations and responsibilities under the Australian Government's IP framework | Your entity will need to ensure that it has relevant frameworks and processes in place to manage IP in its control or custody in an effective, efficient and ethical manner, and that these processes are consistent with the Australian Government’s IP management framework. | Information on the Australian Government's policy and framework for the management of IP is available on the Attorney-General's Department website. IP Australia administers IP rights for trade marks, patents, designs and plant breeder's rights. The Attorney-General's Department is responsible for copyright policy. Contact: | |
Understand your obligations and responsibilities under the Copyright Act 1968 (Copyright Act) | Your entity will need to consider the types of copyright materials it uses, and whether it needs to enter into any licensing arrangements with rights holders or the relevant copyright collecting societies for those uses. | Copyright Trade and Government team |
Privacy Act
Commonwealth entities have obligations under the Privacy Act 1988 (Cth) and the Privacy (Australian Government agencies – Governance) Code 2018. These obligations outline how an agency must handle personal information and the governance arrangements it must have in place to build a consistent, high standard of personal information management.
Personal information is information about someone that identifies, or could reasonably identify, that person. This could include a person’s identity information, medical information, financial or employment details.
The Office of the Australian Information Commissioner (OAIC) is responsible for the privacy functions conferred by the Privacy Act.
Australian Privacy Principles
The Privacy Act contains 13 Australian Privacy Principles, which set out standards, rights and obligations in relation to the collection, use, disclosure and security of personal information. The Australian Privacy Principles also provide individuals with rights to access and correct personal information an agency holds.
Data breaches
The Notifiable Data Breaches scheme requires agencies to notify affected individuals and the OAIC when a data breach is likely to result in serious harm to an individual whose personal information is involved.
Using contractors
When an agency engages a contractor to undertake services that require the contractor to collect and handle personal information on the agency’s behalf, the agency is required to meet certain obligations under the Privacy Act and the Australian Privacy Principles. This includes putting contractual measures in place that ensure that the agency cannot use the contract to avoid its own obligations under the Australian Privacy Principles.
Australian Government Agencies Privacy Code
Agencies are required to comply with the Australian Government Agencies Privacy Code, which sets out the key practical steps that agencies must take to comply with APP 1.2.
Key Tasks
Task | Explanation | Resources | Contact |
---|---|---|---|
Develop a clearly expressed, up-to-date privacy policy | Required under the Australian Privacy Principles. | Office of the Australian Information Commissioner Enquiries: 1300 363 992 Enquiries (Online Form) | |
Develop a privacy management plan | Required under the Australian Government Agencies Privacy Code. | Office of the Australian Information Commissioner Enquiries: 1300 363 992 Enquiries (Online Form) | |
Appoint a Privacy Officer and a Privacy Champion, and notify the OAIC of the appointment and subsequent changes to the appointment | Required under the Australian Government Agencies Privacy Code. | | Office of the Australian Information Commissioner Enquiries: 1300 363 992 Enquiries (Online Form) |
Develop a data breach response plan | The Notifiable Data Breaches scheme requires agencies to notify affected individuals and the OAIC when a data breach is likely to result in serious harm to an individual whose personal information is involved. | Notifiable Data Breaches scheme; Data breach preparation and response guide | Office of the Australian Information Commissioner Enquiries: 1300 363 992 Enquiries (Online Form) |
Develop collection notices, containing information about proposed collections of personal information by your agency | When an agency collects personal information about an individual, it must take reasonable steps to notify the individual of certain matters, or to ensure the individual is aware of those matters. | Office of the Australian Information Commissioner Enquiries: 1300 363 992 Enquiries (Online Form) | |
Develop systems and processes to enable Privacy Impact Assessment (PIA) for high privacy risk projects | Required under the Australian Government Agencies Privacy Code. | Guide to undertaking PIAs | Office of the Australian Information Commissioner Enquiries: 1300 363 992 Enquiries (Online Form) |
Freedom of information
The Freedom of Information Act (FOI Act) is the legislative basis for open government at the Australian Government level.
The FOI Act applies to official documents of Australian Government ministers, documents of most Australian Government agencies, and in some circumstances, contractors providing services to the Australian Government.
Agencies and ministers must have regard to the Information Commissioner’s FOI Guidelines when making decisions or exercising powers under the FOI Act.
The OAIC publishes information to help agencies make decisions on FOI requests, including a checklist to identify key processing steps, guidelines to which regard must be had when making decisions under the FOI Act, and resources to help agencies understand and comply with the FOI Act, including the FOI Essentials Toolkit.
Mandatory publishing requirements
The FOI Act requires agencies to publish specified categories of information under the Information Publication Scheme, including an agency’s organisational structure, functions and decision-making powers, statutory appointments, annual reports, arrangements for comment on policy proposals, information routinely released in response to FOI requests and provided to Parliament, and operational information.
Agencies must also publish a plan that explains how they will implement and administer their Information Publication Scheme.
Requests for access to documents
Each person has a legally enforceable right under the FOI Act to obtain access to government documents, except if the documents are exempt or conditionally exempt from disclosure. Individuals can also apply for amendment or annotation of their personal information.
Agencies and ministers generally have 30 days to process an FOI request, but this can be extended in certain circumstances.
Publication on disclosure log
Documents released in response to an FOI request must be published on a disclosure log within 10 working days of release to the FOI applicant. Exceptions apply if the documents contain personal or business information that it would be unreasonable to publish.
Review of decisions
A person who is unhappy with an FOI decision can apply for internal review by the agency or external review by the Information Commissioner. Third parties affected by a decision to grant access to documents can also ask for internal review. Timeframes apply.
Reporting
Agencies must report FOI statistics to the OAIC at the end of each quarter. See the FOI stats Guide for more information.
Key Tasks
Task | Explanation | Resources | Contact |
---|---|---|---|
Develop processes and procedures to ensure FOI requests are responded to within statutory timeframes | Under the FOI Act agencies must respond to FOI requests within 30 days (or as extended under the FOI Act). Staff and resources must be delegated under s 23 of the FOI Act to enable compliance with the FOI Act. | Processing and deciding on requests for access | Office of the Australian Information Commissioner Enquiries: 1300 363 992 Enquiries (Online Form) |
Develop processes to ensure applications for internal review are responded to within statutory timeframes | The FOI Act provides for internal review of all FOI decisions and imposes a 30-day timeframe to conduct the review. | Internal agency review of decisions | Office of the Australian Information Commissioner Enquiries: 1300 363 992 Enquiries (Online Form) |
Publish mandatory information under Information Publication Scheme (IPS), including IPS plan | The FOI Act requires agencies to publish specified categories of information under the IPS. Agencies must also publish a plan that explains how they will implement and administer their IPS. | Information Publication Scheme | Office of the Australian Information Commissioner Enquiries: 1300 363 992 Enquiries (Online Form) |
Report FOI statistics | Agencies must report FOI statistics to the OAIC at the end of each quarter. | FOIstats Guide | Office of the Australian Information Commissioner Enquiries: 1300 363 992 Enquiries (Online Form) |
Maintain a disclosure log of released documents | Documents released in response to an FOI request must be published on the agency’s disclosure log within 10 working days of release. | Disclosure log | Office of the Australian Information Commissioner Enquiries: 1300 363 992 Enquiries (Online Form) |
Information, records and data management
New entities have responsibilities for ensuring that records and information are properly managed.
- Create and maintain full and accurate records of their business.
- Develop and implement agency-specific information and records management policies and procedures, including comprehensive and accountable disposal programs.
- Establish clear lines of responsibility for records management and ensure that staff are trained to carry out their records management responsibilities.
- Work in consultation with the National Archives to develop Records Authorities.
- Provide adequate resources for records management activities.
Data sharing
The Public Data Policy Statement commits Commonwealth entities to a range of actions to improve the use and re-use of public sector data, release non-sensitive data as open by default and collaborate with the private and research sectors to extend the value of public sector data for the benefit of the Australian public.
The Office of the National Data Commissioner web page assists agencies holding Australian Government data to safely and effectively share the data they are responsible for by using five Data Sharing Principles.
The Data Sharing Agreement template embeds the use of the Data Sharing Principles, and provides a consistent approach to sharing data for the APS.
The Foundational Four provides guidance for agencies on how they can start improving their data practices and address the technical and cultural challenges that can limit their ability to get the most out of their data.
Information management
The National Archives of Australia sets standards for the management of Commonwealth information assets. It provides advice and support to Australian Government agencies to enable them to appropriately manage information and data and integrate information governance principles into their workplace practices. The Archives' Building Trust in the public record: managing information and data for government and community policy identifies key information management requirements for all Australian Government (Commonwealth) agencies.
Need help and support?
The Agency Service Centre can help you with advice on information management-related issues.
The information in the tables below will help further explain your entity's roles and responsibilities and provide links to resources on the National Archives website.
Information management legislation, standards and policy | |
---|---|
Information management legislation | Key laws that have an impact on the information management responsibilities of most Australian Government agencies, including the Archives Act 1983. |
Information management standards | Information management standards help Australian Government agencies to create and manage business information effectively. Know which standards apply to your agency and how to implement them. |
Information management policies | Policies and strategies help agencies develop sound information management practices. Your agency must implement these to the appropriate level (known as 'required practice'). |
Establishing an information governance framework | An information governance framework is the structure an organisation uses to manage its information assets in legal, regulatory and business contexts. Documenting and assessing your agency's legal, regulatory and business requirements is an essential step in implementing an effective information governance framework. |
Roles and responsibilities | In the Australian Government context, both agencies and the National Archives have responsibilities for ensuring that records and information are properly managed. This is supported by the Government's legislative framework. |
Records authorities | |
---|---|
Types of records authorities | The two common types of records authorities for Australian Government agencies are agency-specific records authorities and general records authorities. |
Records authorities | A records authority is a legal instrument that allows agencies to make decisions about keeping, destroying or transferring Australian Government records. Records authorities are used to determine how long to keep records and provide permission for the destruction of records once this time has passed. |
Developing a records authority | Developing a records authority is a practical and flexible process which allows your agency to focus on information and records from one or several business areas. |
General Records Authority 34 | Establishing and winding up entities and companies. |
Getting started with information management | |
---|---|
Getting started with information management | Information that you create, send or receive as part of your work for the Australian Government is a record. It provides evidence of what your agency has done and why. Topics include creating, capturing, describing, preserving, storing, protecting and disposing of information. |
GAIN Australia | The Government Agencies Information Network (GAIN) Australia is a national network supporting agency information and records managers in the Australian Government. Join the network for forums and regular e-bulletins. |