Last updated:

About websites

Victorian Government websites play a crucial role in digital service delivery, serving as platforms for publishing information, facilitating transactions and providing personalised services to clients.

 

Managing websites as records 

Where government websites perform function as primary sources of business activity, service provision, or unique information, they become critical records that must be managed according to PROV Standards and legislative requirements. Public offices are obligated to: 

  • ensure that all staff and management involved in the creation, maintenance and operation of the website are fully aware of their responsibilities for managing public records
  • determine which website content constitutes records and establish processes for capturing and retaining them based on functional assessment and risk analysis
  • ensure appropriate retention of records
  • design and operate websites in a manner that supports effective recordkeeping
  • select appropriate technical methods for capturing and preserving web records. 

Effective management of government websites as records hinges on robust risk management practices and the adoption of suitable technical approaches for capturing and preserving web content. By conducting thorough risk assessments and selecting appropriate capture methods, public offices can ensure compliance with legal requirements, mitigate operational risks and maintain the integrity and accessibility of valuable public information over time.

How to manage website records

To determine which web records to capture and for how long, public offices should appraise* them based on: 

  • Functions and Activities: Identify the business activities documented by the website to ascertain the necessary retention periods, referencing PROV's Retention and Disposal Authorities (RDAs)
  • Risk Management: Conduct risk assessments of the web records to evaluate legal, operational and reputational risks associated with the content. Ensure to involve content creators, website managers and records managers in the process
  • Web Content Format and Context: Consider whether the website serves as the primary or secondary source, which influences retention decisions.

*Appraisal is the process of assessing business functions and activities to identify which records should be created and captured, as well as how long they need to be retained to fulfill business requirements, organisational accountability and community expectations. In some cases, websites may be evaluated as having permanent value and must be preserved as State Archives.

Public offices must understand the business activities being conducted or recorded by their websites (or the individual parts of the site) in order to determine which records need to be captured and retained. RDAs specify the minimum lawful retention period and identify those records which must be transferred to PROV at the appropriate time.

This can be a complex task as websites often support multiple functions within an organisation, some of which may vary significantly in terms of their value.

For more information, visit the Appraisal topic page.

Not all content, pages or transactions on websites need to be captured and kept as records.

For practical reasons, for accountability purposes, some public offices may find it easier to preserve entire websites rather than try to separate temporary content from essential records. However, preserving entire sites can be challenging, especially for those using multiple systems to manage web content and dynamic activity.

If an office decides to capture only specific parts of its website after reviewing its web resources or the nature of its online activity, it will need to identify which content should be included in the record and where it is located. To ensure the record is complete, the following elements must be included:

  • the content itself
  • metadata (contextual information) 
  • management and policy information that explains the framework in which the website was created and published.

All three elements are crucial for creating a full, accurate and useful record of web activity. 

PROV advises that public offices adopt an approach that will deliver the most complete record and offers the best protection against potential risks.

Capture frequency should align with risk assessments and operational needs, supported by appropriate technical solutions such as web content management systems or automated archival tools.

Public offices should also have appropriate procedures and processes in place to facilitate the capture of website records.

Managing decommissioned websites involves assessing which content requires preservation based on continuity of information, adherence to RDAs, and ensuring that the meaning, relevance and accuracy of the content are preserved when it is moved or stored offline (no longer available on the live web).

Determining what to preserve from websites that are no longer in use can be both logistically and practically challenging for good recordkeeping.

Public offices should consider the following questions when managing decommissioned sites: 

  • How much of the content from the old site will be transferred to the new sites?
  • Is the content covered by an RDA? 
  • Does the site make logical sense (and does it retain sufficient context to be meaningful) in an offline environment? 

Answering these questions will help ensure that the minimum necessary records are captured before the decommissioned site loses accessibility.

Public offices are advised to use long-term preservation formats for web records retained beyond seven years, to ensure data integrity and accessibility over time. These formats can include: 

  • HyperText Markup Language (.htm, .html) or Extensible Markup Language (.xml), together with supporting files (.css, .xsd, .dtd)
  • Web ARChive format (.warc)
  • Internet archive (.arc)

Risk management for website records

Risk assessment is essential for identifying and managing potential threats to website records. It requires collaboration between key stakeholders:

  • Business owner/content creators: Offer insights into the nature and value of web content
  • Website managers: Understand the site's infrastructure, back-end databases, audit logs, applicable integrations to other systems and publishing processes
  • Records managers: Understands the business and legal requirements for records and provides an organisation-wide perspective on existing recordkeeping systems and processes.

A high-value, high-risk (HVHR) approach should be used to prioritise records for effective management. Records classified as high risk will need stricter management protocols than lower-risk records.

Consideration of obligations for public offices around privacy and data protection and information need to be included in any risk assessments. 

See Office of the Victorian Information Commissioner for further information.

Risk assessments should evaluate several factors to determine the significance of web records:

  • Litigation and legal disputes: The ability to substantiate online content in legal proceedings
  • Reputational risks: The impact of negative publicity arising from breaches or inaccuracies
  • Operational continuity: The potential costs and disruptions if critical web information is inaccessible
  • Impact on the public or organisations: Impacts to the public or organisations if information is not accurate or not available, or if services delivered through the website are not working properly.

When conducting risk assessments, public offices should address the following questions:

  • Functional areas: Which business functions rely on website content?
  • Risk likelihood: What is the likelihood of risks associated with specific web content?
  • Consequence evaluation: What would be the impact if these risks were realised? For example, a section showing office opening hours would be lower risk than one providing detailed information to tender applicants.

Effective risk management for website records requires a comprehensive approach to identifying and addressing risks throughout their lifecycle, with a focus on both security and availability.

  • Security risks primarily concern the protection of records from unauthorised access, cyberattacks and potential threats to confidentiality and integrity
  • Availability risks on the other hand, focus on ensuring the accessibility, usability and readability of records during their retention period.

To mitigate these risks, organisations should implement robust technical measures such as encryption, multi-factor authentication and regular security audits. Importantly, organisations should establish strong content governance practices, ensure compliance with legal and regulatory requirements and store records on supported platforms equipped with modern backup and extraction systems.

In addition to these technical safeguards, effective risk management must also address people and process-related risks. This includes ensuring adequate staff training, establishing clear recordkeeping procedures and promoting a culture of accountability. It is equally important to ensure the integrity of the records, and the transparency and access to records, as required by law, particularly under the Public Records Act 1973 and associated PROV Standards.

Organisations must carefully manage vendor relationships to ensure that third-party services comply with necessary recordkeeping, security and privacy standards, and other legal requirements.

Technical approaches for capturing web records

Selecting an appropriate technical approach for capturing web records depends on factors such as:

  • Content complexity: Simple or dynamic content that requires different capture methods
  • Retention requirements: Long-term or short-term preservation needs
  • System integration: Compatibility with existing IT infrastructure and recordkeeping systems.
OptionSuitable
Retain in web content management system (CMS)
  • Suitable for short-term retention needs
  • CMS with basic recordkeeping functionalities (e.g. metadata capture) to ensure both content and context is captured
Automated capture into Electronic Document and Records Management System (EDRMS)
  • Ideal for simple web content not requiring preservation of all links
  • Ensures long-term retention with automated archival capabilities
Manual capture into EDRMS or digital/physical files
  • Appropriate for small volumes of web content but labour-intensive
  • Simple web content that does not need links preserved
  • Web content that requires long term retention
Web harvesting
  • Useful for capturing interconnected web content with few updates
  • Ensures comprehensive preservation of web objects and context
Capturing transactions (use product to capture HTTP requests made to web server and consequent responses)
  • Focuses on capturing interactions (HTTP requests and responses) rather than entire websites
  • Useful for auditing and legal compliance purposes
Capturing from back-end (system captures the data that provides the web content)
 
  • Targets capturing data generated by web applications or CMS back-ends or business application with a website front end (system should also have recordkeeping functionality so both content and context is captured)

 

Consideration needs to be given as to when it is appropriate to use Artificial Intelligence (AI) tools for websites that contain public records.

The use of AI must be in line with Victorian Public Sector (VPS) guidelines and PROV Artificial Intelligence (AI) Technolgies and Recordkeeping Policy. It is important to disclose the use of AI where practicable.

Public offices must comply with all relevant laws and regulations when using Generative AI tools, including those related to privacy, data protection, public records, human rights and intellectual property.

This includes adhering to the Privacy and Data Protection Act 2014, the Victorian Charter of Human Rights and Responsibilities Act 2006, the Public Records Act 1973, the Codes of Conduct for public sector employees, and other applicable legislation governing public sector operations.

See: