Last updated:

May 6, 2020

Working remotely and recordkeeping

Whether working remotely occasionally or for a prolonged period, your recordkeeping obligations remain the same.

You must continue to create and manage records appropriately, so that information about decisions and actions is kept and can be accessed and understood. This is critical for the continued functioning of government and will ensure you, your managers and the public have the information they need now and into the future.

This can be challenging, particularly if you are not able to access your work systems or communication channels. Both you and your department or agency needs to consider and determine the most effective ways to meet your recordkeeping obligations.

The recordkeeping obligations of staff, managers and department/agency heads are set out below. We know that meeting these requirements will be challenging when working remotely so we have included tips and guidance on this page.

 

Remember - A public record is all information created, sent and received by a Victorian public sector employee in the course of carrying our their work.

This includes, but is not limited to, emails (including attachments), databases, system-generated records, mobile device generated records, websites, social media posts, and physical documents and files.

 

Recordkeeping obligations

All Victorian public sector staff must:

  • Create full and accurate records of their work decisions and activities
  • Apply proper naming and version control to those records
  • Store records in a location where they can be found and used for authorised purposes
  • Place records into the appropriate department/agency system as soon as practicable
  • Keep records secure and confidential - particularly those with any sensitive information
  • Only share records with authorised people using approved communication channels
  • Keep records for as long as they must lawfully be retained - records must not be destroyed without authorisation
  • Comply with their department/agency's recordkeeping policies and procedures.

When staff are working remotely, their managers must:

  • Ensure staff understand their recordkeeping responsibilities, in compliance with the department/agency's established recordkeeping policies and procedures
  • Ensure there are protocols for creating and saving records remotely, including consistent naming and version control conventions
  • Identify the key records created and used by their team and provide direction on how their staff should be managing them while working remotely - this may include assigning responsibility to individual people for creating and saving particular records (e.g. committee agenda, papers, minutes etc.)
  • Ensure that staff who need access to specific systems and applications have access (wherever possible).

The head of every Victorian public sector department/agency is responsible for ensuring compliance with the PROV Standards and Specifications. Each department/agency must determine and give clear direction on the most effective way to achieve this when some or all staff are working remotely.

Tips and guidance for working remotely

You need to create and keep records about the decisions you make and the activities you undertake as part of your work. Any information which may be needed later to explain what happened, why particular decisions were made or actions undertaken need to be recorded. This is especially important when you are committing your workplace to an action or decision, or when there will be an impact on the public.

The types of records you need to create and keep will vary depending on your role. Most records are created automatically as part of a work process (e.g. creating policy drafts, adding data to a system, sending emails etc.), but sometimes it is necessary to deliberately create a record. For example, a file note documenting an important telephone conversation or an email to people detailing the course of action you have all agreed to. In this case, it is important to create the record while your memory is fresh, including background and contextual information. Set information out clearly and comprehensively.

To explain and justify your decisions and actions you may need authorisation. If you're working remotely you may not be able to receive authorisation via your normal systems or processes (e.g. authorisation workflow within a system or a physical signature). If you receive authorisation:

  • By email - retain the email and any attachments
  • Verbally - create and retain a file note of it with the date, details of the authoriser and what has been authorised
  • Using an application or tool which does not allow capture of the interaction any other way - screenshot the authorisation and retain the screenshot.

Save the documented authorisation into the appropriate organisational system (i.e. EDRMS, CMS) as soon as you can.

If you're participating in a meeting with people who are working remotely, predetermine who is going to take minutes and ensure they are saved. Also, decide where they are going to be stored so that they can be accessed by everyone who needs them.

When creating and saving some types of records, the author needs to provide a name. Consistent naming and version control conventions should be used to assist in finding and understanding records later.

Most workplaces already have established conventions, buy if your workplace doesn't, use the following as an example:

Name Version Number Author Initial Date
Brief but meaningful description of the content

Initial version is V.01 with .1 increments for subsequent drafts (V.02, V0.3, V0.4).

Finalised version is V1.0 with .1 increments for subsequent minor versions (V1.1, V1.2).

Major new version is V2.0 with .1 increments for subsequent minor versions (V2.1, V2.2).

Identify primary author

Year, Month, Day

(YYYYMMDD)

 

Example 1: Remote Working Policy V.03 JR 20200416

Example 2: Remote Working Policy V1.0 JR 20200416

 

Avoid using acronyms, abbreviations and underscores between words.

Trying to understand a chain of events and decisions can be difficult if good quality records do not exist. It can also be a problem if records exist but cannot be trusted or relied upon. For example, if it is uncertain whether a document is the final approved version or whether it could have been altered by an authorised person.

Good quality records:

  • Fully and accurately explain what happened, when, who was involved and who authorised any action or decision
  • Include enough background and contextual information to allow people to look back in the future and understand the whole story
  • Can be trusted and relied upon.

Tips for creating good quality records which remain meaningful overtime:

  • Include sufficient details about participants to allow them to be identified (name, position, title, name of agency they work for)
  • Avoid acronyms or state the full words the first time it is used, with the acronyms in brackets
  • Include references to related projects or initiatives
  • Include background and contextual information
  • Include any relevant dates.

Use the appropriate official work system to create and save records wherever possible (e.g. your agency EDRMS, CMS or shared drive). However, if you do not have access to some systems when working remotely, save records into the best environment you have available as a temporary solution. As soon as possible, when the system is accessible, move the record/s into the appropriate official system.

Examples of temporary solutions:

  • Official agency Microsoft Office cloud-based storage application
  • MS Office 365 Teams site
  • An agency approved and controlled file sharing solution
  • If you have nothing better available, an agency issued USB drive or your computer hard drive.

Note - consumer cloud-based storage solutions such as Google Drive, Personal OneDrive, Dropbox, Box or other unsupported technologies should not be used as a records repository or an archiving solution.

Ensure that you move records from any temporary solution to the official work system as soon as practicable. Once the records have been placed into the appropriate official system, delete any drafts or copies held in temporary locations.

Consider establishing champions with responsibility for saving records into the appropriate official systems, especially if some people have remote access and others don't. If you have access to your official government email account you could use that to send final versions of records to the champion, if allowable under your agency's security policies. Or, if used by your department/agency, it could be obtained from the Office 365 Teams site.

When working outside the normal official systems, it can be hard to keep track of documents. To assist with this:

  • Ensure you provide the necessary descriptive information (metadata) when adding or updating information in systems
  • Ensure you apply naming and version control to documents and track where you have stored them
  • If possible, create folders for documents on the same topic. Create PDFs of related emails and any screenshots you take and save them into the folder so that you are storing all of the information together.

At the end of each work session, ensure documents are updated with the correct versioning and backed up if necessary. Some people or teams may find it useful to keep a log of the documents they have created which will need to be placed into official systems as soon as possible.

Take some time to think about what you are doing - this will save you losing work in the short term and protect you and your team in the long term!

Many areas of government are using Office 365. The recordkeeping implications of Office 365 vary depending on the software services obtained and implemented, type of licence held and whether it has been integrated with an EDRMS ot CMS.

Services can include groups in Teams, Stream or Yammer, Delve Boards or One Drive for Business. It is essential that you follow your department/agency's records management policies, processes and requirements while using these different services.

Examples of using Office 365 when working remotely:

  • Where network access is limited, it has been decided that records which are not confidential or sensitive will be placed into Teams/Sharepoint. These records will be treated as the official record. The version in the EDRMS will be 'quarantined', with a temporary change to the document title signalling to other users to not change that version. The EDRMS is periodically updated by a nominated person with appropriate access and permission
  • Records with higher security value are stored on their own system by the author. They are only shared with colleagues via official government email accounts. Once finalised, they are emailed to a designated officer's official government email account. This officer bears responsibility for placing them into the organisational EDRMS when possible
  • Microsoft Teams enables multiple ways to communicate and collaborate, the most commonly used being video call (within calendar meetings) and chats. Documents such as (but not limited to) agendas, minutes, instant messaging chats and video recording of meetings can be created within Teams by nominated individuals and the document subsequently moved to the appropriate business system such as the EDRMS, as a task designated to a nominated person. Where a video call is the primary method of communication, ensure that at least one person is using 'Chat' window to record key decisions. This can then be sent to their inbox and saved as per the recommended naming conventions, matching the recording and chat when saved.

When staff will be working remotely, departments/agencies may decide to scan incoming physical mail and make the scan available to staff (e.g. within a system such as an EDRMS or via email). Meeting the requirements of PROV's Digitisation Specification will ensure the scanned document can be used as the official record and that it is readable and useable.

Most departments and agencies have Multi Function Devices (MFDs) for printing, scanning and copying which have been calibrated to ensure the scanned records will meet PROV's Digitisation Specification. When working remotely, you should be aware that any scans or images (e.g. photos from your phone) you create are unlikely to meet the requirements of PROV's Digitisation Specification. The scans can be used as temporary facilitative records but should not be used as official records.

While working remotely you must:

  • Protect records from unauthorised access or modification
  • Meet security requirements set by your department/agency, plus any other obligations your agency is subject to (e.g. the Victorian Protective Data Security Framework.

This can be challenging when you are sharing workspaces or devices with outher household members. If possible, particularly if working remotely for an extended period of time, set up a private workspace for yourself.

For digital records:

  • Lock your screen whenever you move away from it
  • Only share digital records using systems and applications which have been approved for use by your department/agency, as many online applications and tools are not secure
  • If temporarily storing digital records on an agency approved USB, lock the USB away when not in use.

For physical records:

  • Obtain permission before taking any official registered files from your department/agency. Ensure a record of the files you have borrowed is kept by your department/agency. When returning files, ensure department/agency records are updated to reflect this
  • Protect physical files and documents from loss, theft, unauthorised access and damage when moving them between work and your remote location (particularly if using public transport)
  • Keep physical files and documents in a designated area of your remote working location. If possible, keep them in a locked area, particularly if they are confidential or contain sensitive information. Do not allow anyone to view them
  • Protect physical files and documents from damage (e.g. from liquids, food, dust, children, pets).

Immediately report any missing, lost or damaged records, or devices containing records, to your manager and/or records management team. Any events involving a possible privacy breach or near-miss must also be reported and investigated according to your department/agency's local procedures.

To explain:

  • A breach or possible breach is an action or omission that results in loss, theft, misuse or unauthorised access to or disclosure of personal information or has the potential to do so
  • Near misses are situations where a breach would have occurred without intervention. This includes situations where a privacy incident has occurred without any actual disclosure of personal information.

Authorisation must be obtained before records can be destroyed. Guidance about retention and disposal of records can be found on the Disposal topic page.

If in doubt, it is better to keep records unnecessarily than destroy records which may be needed later.

Further advice and assistance

In the first instance, discuss any issues with your manager. It is important to determine how you and your team will ensure records are properly created, captured and shared when working remotely.

If your agency has a records management team, they will be able to assist and advise you. You must ensure that you comply with your organisation's policies and requirements when working remotely.

Remember that your agency may also be subject to other government requirements such as the Victorian Protective Data Security Framework and Freedom of Information obligations set by the Office of the Victorian Information Commissioner.