To determine which web records need to be captured and how long they should be retained, agencies need to appraise them according to:
- the function(s) and activities carried out or documented by the website records
- risk management
- web content format and context.
Functions and activities
Agencies need to be aware of what business activity their website (or its parts) are performing or recording to determine which records should be captured and retained for the appropriate period of time.
This can be a challenging process, as websites usually span more than one functional area in an organisation, sometimes including functions with quite different levels of importance.
Agencies should refer to PROV’s Retention and Disposal Authorities (RDAs). These identify the functions and activities performed by public offices and assign appropriate periods that records must be kept for.
See Retention and Disposal Authorities (RDAs) for further information.
See our Document Library for a full list of current RDAs.
Agencies should conduct a risk assessment of their website records involving the:
- business owner/content creator, who can provide information about the content type and value of the web records
- website manager, who can provide information about the site infrastructure, back-end databases, audit logs, publishing process
- records manager, who understands the business and legal requirements for records and provides an organisation-wide perspective on existing recordkeeping systems and processes.
The risk assessment should consider:
- litigation and legal disputes (and the need to prove what information was published at a certain time)
- political consequences (the “Herald-Sun test” – how will a breach with negative consequences read on the front page of the daily newspapers?)
- business discontinuity or increased costs if important website information is inaccessible
The following questions could also be explored when conducting the risk assessment:
- What are the functional areas of the content?
- What part of the business of the organisation does the content document or support?
- What risks are associated with the information? (e.g. a section showing the office's opening hours would be lower risk than one providing information for tenderers)
- What is the likelihood these risks will occur?
- What would be the consequences if they did?
Web content format and context
It is also important to consider whether the website is the only, primary or a secondary means of delivering the information or providing the function or activity. If content on the website mirrors offline content, it may be the case that the website itself is, in recordkeeping terms, a copy, and may not require lengthy retention even if the function to which it relates is a long-term one.
PROV advises that agencies adopt the approach that will deliver the most complete record and best protect from any risks.