Outsourcing the business of NTG public sector organisations - recordkeeping issues

Expand all | Close all

Policy statement

Northern Territory (NT) Government agencies must include clauses in contracts when outsourcing business functions and activities to external service providers to ensure the management of records meets legislative, accountability, business and community expectations.

Overview

NT Government agencies are regularly engaging in outsourcing arrangements for functions and activities to be performed by external organisations, consultants or other entities on their behalf. This may include outsourcing arrangements such as joint ventures and the engaging of non-government organisations.

Compliance and monitoring requirements for the management of these public records must still be assured. This guideline highlights recordkeeping obligations and provides assistance on the issues associated with outsourcing that need to be considered in contracts.

Purpose

This guideline has been developed by the NT Records Service to assist agencies to comply with the NTG Records Management Standards issued under Part 9 of the Information Act 2002. The guideline provides a series of principles concerning recordkeeping issues inherent in exercises involving the outsourcing of government services. It is also designed to assist NTG agencies in addressing obligations for managing government records associated with outsourcing activities, reflect best practice methodology, and ensure chief executive officers discharge their responsibilities under s 134 of the Information Act 2002.

For example:

  • records are adequately controlled for the duration of contracts relating to the outsourcing of agencies' functions and activities
  • records are disposed of legally during the outsourcing of agencies' functions and activities
  • access to records is regulated and controlled following the outsourcing of agencies' functions or activities
  • questions surrounding the storage of records are clarified during outsourcing exercises
  • prior to commencement, ownership of records for the duration of contract, and following its completion, are clearly stated.

Scope

This guideline applies to all NT Government agencies as defined under the Information Act engaging external service providers by contract to perform services on their behalf.

Responsibility

The Records Service of the ICT Policy Section, Department of Corporate and Information Servces is responsible for developing and maintaining information and records management policies and guidelines for use across the NT Government.

All NT Government chief executives are responsible for ensuring all aspects of this policy are applied within their agency.

All NT Government officers and employees directly creating and managing outsourcing contracts to conduct government business must adhere to this policy.

Related documents

This guideline supports the current Records Management Standards for public sector organisations in the NT.

Conditions of tendering and contract processes are available on the Contract and Procurement Services (CAPS) website.

Acknowledgements

The Records Service acknowledges that material produced by the Public Records Office Victoria (PROV), Queensland State Archives, Archives Office of Tasmania, New South Wales State Records, and the Council of Australasian Archives and Records Authorities (CAARA) was used in the development of this guideline.

Definitions

For the purpose of this guideline the following definitions are used:

  • Agency - has the same meaning as a “public sector organisation” as defined in s 5 of the Information Act 2002.
  • Contract - means the document that constitutes or evidences the final and concluded agreement between the NT Government/agency and an entity concerning the performance of the services. This may be in the form of a written notice or an official order, operating level agreement, service level agreement, services agreement or other written agreement between an agency and another entity.
  • External service provider – means an entity that performs a service on behalf of an agency.
  • Government information – means a record held by or on behalf of a public sector organisation and includes personal information.
  • Joint venture – means a legal entity that has been created for the purpose of undertaking business activity. Two or more parties may establish a business relationship to undertake a joint venture.
  • Outsourcing – means the engagement of external service providers by regulation of a contract to perform government functions.
  • Personal information – means government information from which a person's identity is apparent or is reasonably able to be ascertained.
  • Record – means recorded information in any form (including data in a computer system) that is required to be kept by a public sector organisation as evidence of the activities or operations of the organisation, and includes part of a record or a copy of a record.
  • Recordkeeping – means the systematic creation, use maintenance and disposition of records to meet administrative, legal, financial and societal needs and responsibilities.

For more information of records management terminology see the Definitions for Records Management Standards for public sector organisations in the NT.

What is outsourcing?

Outsourcing is defined as the engagement of external service providers, by virtue of a contract, to perform functions and activities on behalf of an agency.

Outsourcing arrangements include:

  • joint ventures and alliances
  • publically funded research
  • the engagement of organisations for specific purposes.

Agencies sometimes are responsible for activities of other agencies (e.g. Department of Corporate and Information Services is responsible for recruitment on behalf of all agencies). The records of these second-party agencies are covered by the Information Act 2002 and the Records Management Standards. Notwithstanding this, it would be prudent for agencies to clarify recordkeeping responsibilities in these arrangements.

Examples of outsourcing:

  • records storage services provided by a commercial provider
  • IT systems development by a commercial provider
  • management of client services outsourced to a commercial provider
  • development of websites for agencies by a commercial provider.

Responsibility for outsourced services

Agencies are responsible for ensuring that their clients receive appropriate and effective services regardless of whether the services have been outsourced to an external service provider. They are also accountable to the community for ensuring that public funds are expended appropriately. In order to monitor, control and report on the delivery of services, adequate records must be created and made available. The agency is therefore responsible for ensuring that the records of their outsourced activities are managed appropriately.

Legal advice may need to be sought on the implication of legislation impacting on an outsourced service.

Records management responsibilities

Records management is an essential activity that supports the operation of all agencies. Records should document all activities and decision making of the agency. Accurate and comprehensive recordkeeping is therefore critical to an agencies accountability, risk management and legal compliance. Under s 134 of the Information Act 2002 an agency must keep full and accurate records of its operations and activities.

Identifying records

In any outsourcing or shared services arrangements, the agency must identify records for which it has ultimate responsibility to manage on behalf of the NT Government. Records which will be needed for ongoing business and accountability purposes, or by another external services provider at the end of a contract, should be identified as an NT Government-owned record. From a regulatory perspective, records contain information that could be:

  • subject to discovery in litigation
  • used during an audit or official investigation
  • used to correct information that is inaccurate, incomplete or out of date
  • used to investigate a complaint about a breach of privacy, or used to determine the extent to which an agency is complying with the privacy provisions of the Information Act 2002.

There may be three sets of records involved in any outsourcing arrangement:

  1. Records created by the agency that document the process of establishing and managing the outsourced arrangements. These would always be agency records and form part of the agency's routine recordkeeping regime.
  2. Records generated or received by the external service provider in delivering the function or service being provided under the contract. Although created by the external service provider, these may be public records and fall within the definition of government information and the responsibility of the relevant agency to identify and make provision for their control in the contract.
  3. Records generated or received by the external service provider during the course of the contract that are the records of the external service provider and do not relate to the function or service of the agency.

For more information on identifying a record see Records Management Standard 1 – Governance.

Outsourcing contracts

If an agency fails to ensure the effective creation and management of records by an external service provider they are vulnerable to the following risks:

  • the inability of the agency to meet their legislative obligations
  • poor decision making as a result of incomplete or inaccurate information
  • loss of personal information/personal history of members of the community
  • unsatisfactory service provision to clients
  • exposure to public and regulator criticism for the failure to adequately manage public records
  • loss of public accountability and transparency
  • loss of the Territory's history
  • increased legal liability.

To ensure that the accountability and efficiency of the agency is not undermined as a result of outsourcing, the agency must ensure that critical requirements are specified in the contract between the NT Government and external service provider. This is particularly true with respect to records management.

Records management clauses in the outsourcing contract should seek to ensure that:

  • the ownership of records developed and maintained by external service providers is clear
  • all records are appropriately created, maintained and controlled in accordance with agency requirements
  • accurate information is stored within the records
  • access to records is appropriately regulated and controlled
  • records are appropriately stored
  • records are only disposed of in accordance with contractual requirements.

Tendering

When tendering or seeking quotes to award contracts to provide services, contract managers should ensure that the procurement documents define the recordkeeping requirements of the service provider and the types of records the service provider may be obliged to create, capture and maintain.

For example:

  • detailed plans of a building
  • maintenance records of equipment
  • financial transactions documents.

Sub-contracting

Some outsourcing contracts make provisions for the external service provider to sub-contract services (wholly or in part). It is important that if sub-contracting is permitted, the external service provider should contract with the sub-contractor on the same terms as specified in their contract with the agency.

Compliance and monitoring

Agencies are responsible for ensuring that external service providers comply with all requirements specified in contracts. A process for monitoring compliance should be included to ensure that all the recordkeeping requirements are progressively met throughout the term of the contract. The contract should also include provisions for dispute resolution if there is any conflict with regard to meeting the requirements of the contract, including recordkeeping requirements.

Engaging with external service providers

In addition to engaging with an external service provider as part of the formal contract negotiation process, It is important that the assigned contract manager makes contact with staff in the external service provider shortly after the contract has been signed. Discussing recordkeeping issues early in the life of the contract will help prevent breaches of contract clauses.

Depending on the type and nature of the activity being outsourced, this engagement could be achieved in a number of different ways. When determining how to engage with an external service provider consider the type of activity being performed, the records that will need to be kept (and how vital they are), the scope and duration of the contract, and the size and maturity of the external service provider. For more complex activities, a higher level of engagement may be required. Agencies will also need to consider how many external service providers they have contracts with and the level of resources available to engage with each of them.

Some of the ways an agency could engage with the external service providers to ensure positive recordkeeping outcomes are:

  • including an information sheet in information packs to new external service providers
  • providing external service providers with copies of relevant records management procedures
  • conducting group briefing sessions with representatives from new external service providers
  • holding meetings with relevant staff in an external service provider to discuss recordkeeping requirements.

Agencies should encourage and, where possible, support the implementation of sound recordkeeping systems within external service providers.

Grant funded records

Agencies are accountable for funding disbursed through grants and accordingly must create and maintain records of how grants are distributed. It is recommended that agencies also ensure grant funded entities create and maintain records of how the grant is utilised.

Controls over outsourcing

Agencies participating in an outsourcing exercise should examine the terms and definitions of the contract closely. Records may not necessarily be mentioned directly in the contract, but be intended by those drafting the contract to be included within the scope of terms 'assets' or 'contract material'. Without precise clarification of what constitutes an asset or contract material there is risk that the treatment of records could be excluded and therefore not appropriately dealt with under the contract.

If those drafting the contract do not consider that records are assets or contract material, then the agency must ensure that the contract clarifies the rights and responsibilities of the parties to the contract with regard to records.

The following information is based on the seven principles developed by the Council of Australasian Archives and Records Authorities (CAARA).

Principle 1 – Planning

Responsibilities for making, maintaining and disposing of records of outsourced functions and activities, are included in the planning process and subsequent contracts.

All documents relating to outsourcing should incorporate provisions for the creation, maintenance and disposal of records. It may be useful to ensure that the consideration of recordkeeping issues is added to agency procurement and contract processes, procedures or checklists. It is also advisable to consult with relevant officers who can assist in the development of the records management provisions.

For example:

  • chief information officer (CIO) or a senior member of their unit
  • an authorised freedom of information (FOI) officer
  • senior member of the records management unit
  • legal advisor
  • contract managers.

Principle 2 – Ownership

Ownership of outsourced functions is addressed and resolved during outsourcing exercises.

Failure to clarify issues surrounding the legal ownership of records, and the information they contain, in outsourcing contracts can severely restrict the business capabilities of the external service provider during the life of the contract.

Please note: if the external service provider operates in an international jurisdiction or uses information technology which is located overseas (eg due to the use of cloud computing), the legal requirements of other jurisdictions may need to be taken into account when drafting ownership clauses. It is recommended in such cases that legal advice is sought.

Principle 3 – Control

External service providers must comply with the records management controls determined by the controlling agency.

Even though an agency function or activity has been outsourced, it is likely that a controlling agency will retain some degree of responsibility for oversight and control over the function(s) performed by the external service provider. This control will be best supported by the controlling agency ensuring good recordkeeping practices are observed by the external service provider.

To make this possible the agency must require the external service provider to create or manage the records in any manner specified by the agency. The agency may also require that the external service provider follow particular policies and standards that bind the agency prior to, or after, the outsourcing of the particular agency service, function or activity.

Principle 4 – Disposal

Records of outsourced functions and activities of the agency are disposed of in accordance with the provisions of the Information Act 2002.

Disposal includes the transfer of ownership or custody of records and is not limited to the physical destruction of records. Agencies must exercise equal control over such disposal activities as those that involve the physical destruction of records, particular in exercises where an agency function or activity is outsourced and the relevant records may move outside the custody of the originating agency.

Principle 5 – Access

Agreement is reached between the agency and the external service provider concerning the provision of access to records of outsourced functions and activities.

Within agencies, records are not only retained for their administrative use, they are also retained to meet legal requirements and community expectations. This access is established in legislation.

This dual access role of records is easy to establish and maintain whilst the records remain in the custody of the creating agency. It is vital therefore, that agencies ensure that when a function or activity is outsourced that issues of access to records held by the external service provider are addressed.

Failure to do so will make it extremely difficult for the agency (or other compliance authorities with a legitimate interest) to inspect and validate the service delivery being performed by the external service provider. It may also raise, or heighten, community concerns regarding the control of personal information outside government hands.

Principle 6 – Storage

Storage of records of outsourced functions and activities is addressed and resolved during outsourced exercises.

Agencies must ensure that the parties to the outsourcing arrangement conform to best practice in the storage and handling of the records. Poor or no decisions over the storage arrangements will result in the loss of records of evidential value. Agencies must therefore ensure that storage arrangements are included in the contracts governing outsourcing exercises.

It is also vital that the contracts include arrangements for the storage of records at the expiry or termination of the contract. Failure to do so may result in records being destroyed through the perception that they are no longer the concern of the external service provider, or material being misplaced in the changed circumstances at the conclusion of the contract.

Principle 7 – Contract completion

Recordkeeping issues are addressed upon completion of contracts.

Upon completion, expiry or termination of contracts it is imperative that a well planned exit strategy for the records has been documented. Agencies must therefore ensure that appropriate advanced planning for the management of recordkeeping issues at the completion of the arrangement have been addressed prior to execution of the contract.

For example:

  • contracts have clearly identified which entity will have custody of the records
  • contingency plans have been put in place for records to be transferred when an external service provider becomes insolvent and a new external service provider is contracted
  • post-contractual requirements for disposal, migration, storage and format of records have been stipulated in the contract.

An orderly end of the contract process will result in goods records management for both the external service provider and the agency. It will also substantially reduce both the agency and external service provider's exposure to risk.

References

  1. Council of Australasian Archives and Records Authorities (CAARA) Policy 13: Recordkeeping Issues Associated with Outsourcing and Privatisation of Government Functions
  2. Northern Territory of Australia, Department of the Attorney-General and Justice: Information Act 2002
  3. Northern Territory of Australia, Department of Corporate and Information Services: Records Management Standards for Public Sector Organisations in the Northern Territory
  4. Public Record Office Victoria (PROV), PROS 10/10 Guideline 2: Managing Records of Outsourced Activity
  5. Queensland State Archives, Custody and Ownership Guideline: Managing Public Records During Outsourcing or Privatisation
  6. New South Wales State Archives, Guideline 16: Accountable Outsourcing - Recordkeeping Considerations of Outsourcing NSW Government Business
  7. Archives Office of Tasmania, State Records Guideline No. 10: Outsourcing of Government Business - Recordkeeping Issues

Appendix 1 – Checklist of minimum requirements

1. Planning

Responsibilities for making, maintaining and disposing of records of outsourced functions and activities are included in the planning process and subsequent contracts.

  • 1.1 Recordkeeping requirements are analysed and documented.
  • 1.2 Relevant authorities are contacted for advice on recordkeeping issues for inclusion in the contract.
  • 1.3 Authorisation to transfer custody of records to external service provider is addressed.
  • 1.4 No existing agency records are transferred to ownership of a third party entity by the external service provider.
  • 1.5 Agreement is reached between the agency and the external service providers regarding ownership of the records created by the external service providers during the life of the contract.
  • 1.6 Determine any interoperability requirements between the electronic document, information and/or records management systems used by the external service providers and any other systems used by the agency.
  • 1.7 Records storage contracts are reached between the agency and the external service providers for records in the custody of the external service providers.
  • 1.8 Access rules are established between the agency and external service providers concerning access to the records. These rules should address: agency access, public access, access by other compliance authorities and restrictions.

2. Contract

Responsibilities for making, maintaining and disposing of records of outsourced functions and activities are included in contracts.

  • 2.1 Existing agency records that will be transferred to the custody of the external service providers are specified in the contract.
  • 2.2 The contract specifies that existing agency records transferred to the custody of the external service providers are covered by the Information Act 2002 and binds the external service providers to comply with the Act.
  • 2.3 The contract specifies who owns the records created by the external service providers during the life of the contract.
  • 2.4 The contract specifies who owns the intellectual property in the records.
  • 2.5 Records storage arrangements for records in the custody of external service providers as specified in the contract conform to the storage principles specified in the Records Management Standards for public sector organisations in the NT.
  • 2.6 Any recordkeeping requirements that must be followed to enable the agency and the external service providers to fulfil their statutory and service obligations relating to the management of the records are specified in the contract.
  • 2.7 The contract specifies that public records held by the external service providers are only destroyed in accordance with an approved records retention and disposal schedule.
  • 2.8 Any technical standards needed to ensure interoperability between the electronic information and/or records management systems specified by the agency are specified in the contract.
  • 2.9 Access rules established between the agency and external service providers are specified in the contract.
  • 2.10 Any restrictions on the external service providers using information from records for commercial profit and other purposes, during or upon completion of the project are stipulated in the contract.
  • 2.11 The orderly transfer of records between entities when one external service provider is replaced by another is stipulated in the contract.
  • 2.12 Recordkeeping issues to be addressed upon completion are stipulated in the contract. These include storage of records, records disposal and transfer of records.
  • 2.13 The contract stipulates sufficient lead time for recordkeeping issues to be adressed during the final stages of a contract.

3. Compliance

External service providers comply with the records management controls determined by the controlling agency.

  • 3.1 Compliance with contractual arrangements is monitored including compliance with Records Management Standards for public sector organisations in the NT.
  • 3.2 The agency ensures that public records held by the external service providers are only destroyed in accordance with an authorised records retention and disposal schedule.
  • 3.3 Access rules established under the contract are equitably and consistently enforced.
  • 3.4 The agency ensures that the external service provider conforms to best practice in records storage principles specified in the Records Management Standards for public sector organisations in the NT.

4. Contract completion

Recordkeeping issues are addressed upon completion of contracts.

  • 4.1 Recordkeeping issues are well monitored during the final stages of an outsourcing contract.
  • 4.2 There is appropriate sign off on reports of records management activities at the expiry or termination of an outsourcing contract.

Last updated: 29 July 2019

Share this page:

Was this page useful?

Describe your experience

More feedback options

To provide comments or suggestions about the NT.GOV.AU website, complete our feedback form.

For all other feedback or enquiries, you must contact the relevant government agency.