Auditor-General Report 11 (2019-20), Implementation of the Digital Continuity 2020 Policy, found that the National Archives of Australia (NAA) had been largely ineffective in monitoring, assisting and encouraging Commonwealth entities to meet the targets of the Digital Continuity 2020 (DC2020) policy.
Given that a successor policy, the Building Trust digital policy, commenced in January 2021, the Committee considers that NAA should address a range of matters, including reporting back on:
the performance framework and risk management plan for the Building Trust policy
the assurance framework for verifying the accuracy of reported data in entity self-assessments from annual surveys
the implementation review of the Building Trust policy
Background and audit findings
Chapter 2 sets out the findings of the Committee’s inquiry into Governance in the Stewardship of Public Resources, based on Auditor-General Report 11 (2019-20). Commonwealth entities included in the audit were NAA; the Attorney-General’s Department (AGD); the Civil Aviation Safety Authority (CASA); and the Office of the Inspector-General of Intelligence and Security (IGIS).
The audit objective was to examine the extent to which three Commonwealth entities—AGD, CASA and IGIS—had implemented the DC2020 policy, and NAA’s effectiveness in monitoring, assisting and encouraging entities to meet the specified targets of the policy. The Australian National Audit Office (ANAO) made seven recommendations (agreed by relevant entities) in response to the following audit findings:
The Australian Government is unlikely to achieve the objectives of the Digital Continuity policy by the end of 2020, and the National Archives of Australia has been largely ineffective in monitoring, assisting, and encouraging entities to meet the targets of the policy.
The Archives’ arrangements to administer the Digital Continuity 2020 policy are limited in effectiveness …
The effectiveness of the arrangements for monitoring and evaluating the implementation of the Digital Continuity 2020 policy are limited …
AGD has fully implemented or made substantial progress against all of the targets [of the Digital Continuity 2020 policy due by 31 December 2018]. CASA has partially implemented all targets except for one. IGIS has not implemented a number of targets …
Under the Public Governance, Performance and Accountability Act 2013 (PGPA Act) and the Archives Act 1983, Commonwealth entities are legally required to manage information in a manner that properly records and explains their performance. Effective information management supports accountability and transparency, and enables informed decision making. The PGPA Act also requires entities to measure and assess their performance in achieving their objectives, function and role, and keeping accurate and complete records is an important part of this.
The DC2020 policy is central to providing a whole-of-government approach to digital information governance. The policy was launched in October 2015 under the Archives Act and applies to all Commonwealth entities, with NAA responsible for overseeing its implementation. To achieve set objectives, the policy established three principles for entities to implement by 31 December 2020: information is valued; information is managed digitally; and information, systems and processes are interoperable. In order to embed these principles, the policy included 10 recommended actions, with associated dates for implementation. NAA’s implementation guidance accompanying the policy, Digital Continuity 2020—Agency Implementation Targets and Pathways, allocated these recommended actions across 29 targets, with due dates ranging from 30 June 2016 through to 31 December 2020. NAA highlighted the importance of digital policy to effective governance:
Good governance is underpinned by the creation and management of records. Accurate records must be created and managed for as long as needed to ensure continued accessibility to support sound governance, transparency and accountability. Without proper records, public resources may not properly be identified, valued, managed, accessed or maintained.
A new digital policy, Building Trust in the Public Record: Managing Information and Data for Government and Community (the Building Trust policy), succeeded the DC2020 policy on 1 January 2021 and will remain in place until 2025.
Chapter 2 focuses on:
Performance reporting, measures of success and data assurance
Commonwealth records and broader digital policy
Commonwealth entities and digital policy—implementation and performance reporting
NAA and digital policy
The audit concluded that the Australian Government was ‘unlikely to achieve the objectives’ of the DC2020 policy by the end of 2020, and that NAA had been ‘largely ineffective in monitoring, assisting, and encouraging entities to meet the targets of the policy’. In its submission to the inquiry, NAA stated that its ‘2019 survey identified a number of gaps in capability and an estimated one-third of agencies were not expected to meet all requirements of the policy by December 2020’. Asked about the broad reasons for this outcome, NAA pointed to the ‘inadequate resourcing available for records and information management within agencies’—the ‘financial sustainability’ of NAA as the lead agency also ‘needs to be considered by Government’. On 1 July 2021, subsequent to NAA’s evidence, the Australian Government announced funding of $67.7 million to NAA to provide a funding boost for its critical functions as the custodian of Australia’s history through the preservation of Commonwealth records.
NAA also noted that the ‘absence of appropriate systems, insufficient prioritisation, cultural issues such as not valuing information as an “asset”, and the lack of professionally skilled staff’ were further hindering the ‘effective management and governance of the Commonwealth’s information assets’. NAA observed that part of this is about making information governance ‘a natural part of corporate governance, which is an organisational culture’—‘we have to instil in public servants that a sense of their own professionalism also comes from how accountable they are and what sort of corporate knowledge … they are creating for the future generations’. As to whether a renewed focus on record keeping would help to drive cultural change that in turn would assist with implementation of digital policy, NAA responded:
Right now we are in discussion with the Public Service Commissioner on this very topic to see if we at the National Archives can work with the APSC on this professional streams strategy that the APSC has adopted … to instil this culture, not record keeping you do as something on a Friday afternoon when you’ve finished all your other work but as a natural by-product of your official conduct … We don’t ever say you should keep every record. Ninety per cent of records can be deleted. It’s that 10 per cent—the core important records … … … The better records are not just about creating a dead document that will prove to somebody that you did something; they’re the fuel for future policymaking, future decisions.
To further explore the audit finding regarding NAA’s administration of the DC2020 policy, the inquiry focused on the following matters: governance structures; guidance material and stakeholder engagement; and risk management.
The audit found that NAA arrangements to administer the DC2020 policy were ‘limited in effectiveness’. Since the launch of the policy, NAA made ‘several attempts’ to establish effective internal arrangements to coordinate its administration of projects directed at supporting entities in implementing the policy—however, ‘appropriate program governance, oversight, and reporting arrangements were not maintained’. In January 2019, an internal audit commissioned by NAA found that a project management approach had not been utilised to administer implementation of the policy. The ANAO emphasised that ‘what was missing was the energy around the governance structures that could have been put in place’:
This was a long-term agenda. Many times we’ve seen a lot of effort going in at the beginning and then it dropping off … … … there’s a real lesson in here for agencies that have long-term policy responsibilities … ‘Stay on top of your governance and stay interested in it. It isn’t a waste of time’ … … … good planning and good governance usually help people get a good result.
Accordingly, the audit recommended that NAA establish effective internal arrangements to administer implementation of the DC2020 policy, and any successor policies, with these arrangements to include appropriate governance structures and a strategy to guide administration of the policy as a coordinated program of work. NAA provided an update on implementation of the audit recommendation, confirming that it had ‘implemented revised governance and administrative arrangements for the DC2020 policy’, with a project management plan having been approved and a Project Control Group established. NAA further noted that ‘we managed it as a project with regular reporting and reviews and assessment’:
If we go back to the audit observation, where we were ineffective in managing the policy ourselves, we see that, when the DC2020 was initially released, we released the policy and then it became business as usual. Then our resources were reduced, so we were really on policy delivery and we couldn’t do all that value-added service that we used to. But we did note that as a business-as-usual process, it probably wasn’t checked as often as we would have liked. So we did implement a project management approach. For the last year of the DC2020 we developed a project management plan, which was recommended by ANAO, and that was approved.
The audit recommendation also applied to the new digital policy, Building Trust, which commenced in January 2021, with NAA confirming that ‘sound governance procedures are in place to oversee the policy delivery, including the adoption of a project management approach with supporting project documentation, overseen by a project board’. As NAA further stated, ‘with the new policy … we really did take on a full project management approach. With that came proper project management plans and a suite of documents’:
We have a project assurance committee as one of our governance committees in National Archives. Through that development of the policy we reported to the regular meetings of the project advisory committee. We took advice, changed the approach, looked at what we were and weren’t doing well, and measured where we were at during the delivery. We also reported to our executive board on a regular basis. As part of that whole suite of governance arrangements we’ve been able to monitor, deliver and manage more effectively.
NAA also explained that, for the new policy, it had implemented a three-phase project management approach. Phase 1 involved scoping, phase 2 involved development and delivery of the policy, and NAA is now ‘heading into phase 3, which is the implementation across a five-year period, with a range of products and released guidance that we provide on a regular basis through a range of forums … we’re now channelling our resources to focus on the implementation’.
Guidance material and stakeholder engagement
The audit found that the products, advice and guidance issued by NAA to support entity implementation of the DC2020 policy were largely fit for purpose. However, there were ‘some deficiencies in the consistency of terminology within the guidance, and timeliness in relation to the delivery of supporting products’, as well as concerning whether targets in the implementation guidance were mandatory, recommended or optional. NAA’s engagement activities with stakeholders were also ‘limited in effectiveness’—there was ‘no communications or stakeholder engagement strategy in place for the implementation of the policy’.
Accordingly, the audit recommended NAA implement a stakeholder engagement and communication strategy that ensures entities are consulted about the policy targets and that the targets are clearly identified as mandatory, suggested or optional. NAA provided an update on implementation of the audit recommendation, noting that a stakeholder engagement and communication strategy had been ‘endorsed and implemented’ and target actions had been ‘reviewed’ to clearly identify them as mandatory, suggested or optional, with this outcome having been communicated to all entities in February 2020. NAA further confirmed that it had established ‘advisory groups of practitioners’, as well as an ‘SES roundtable’—it also used a forum of government agency information managers to communicate and provide case studies, and liaised with ‘low-maturity agencies through roundtables’. In addition, guidance had been developed to assist agencies in implementing the new policy and to ‘build on the maturity levels achieved at the end of DC2020’.
The audit also noted that there had been ‘no formal process’ undertaken by NAA to identify entities experiencing difficulties in implementing the DC2020 policy and provide ‘targeted assistance’. To address this gap, in July 2019, NAA commenced analysis of data from its annual surveys to prioritise entities requiring additional support, to drive improvement. At the time of the audit, NAA had completed an analysis of survey data from 2014 to 2018. NAA provided an update on its response to this audit finding, noting that, ‘following the 2019 survey, an agency implementation support project was developed with the aim of providing specific assistance to agencies in the final year of the policy’:
A critical part of the monitoring function will be the identification of entities that might require additional assistance. This will be based on the National Archives’ regular agency surveys, agency enquiries, and periodic outreach activities such as Government Agency Information Network meetings and agency roundtable discussions. The Agency Advisory Group established to guide policy development will also play a key part in implementation and provide further advice in relation to agency requirements.
The Commonwealth Risk Management Policy, established under the PGPA Act, requires Commonwealth entities to establish and maintain systems and appropriate internal controls for the oversight and management of risk. The audit found that risks to implementation of the DC2020 policy were ‘not being effectively identified, managed, or reported’ by NAA, and that a risk management plan for implementing the policy as a coordinated program of work was ‘not established’. Accordingly, the audit recommended that NAA develop and implement a risk management plan for the successful implementation of the DC2020 policy, and any successor policies. NAA provided an update on implementation of the audit recommendation, noting that ‘existing risk management arrangements were reviewed and a comprehensive and coordinated risk management plan was developed’ for implementation of the DC2020 policy. NAA further confirmed that ‘we have looked at our risk management. We have risk management plans. We review our risks regularly as well’.
Performance reporting, measures of success and data assurance
Performance reporting and measures of success
The Commonwealth performance framework, established under the PGPA Act, requires Commonwealth entities to measure and assess the performance of the entity in achieving its purposes. The audit found that the effectiveness of NAA’s arrangements for monitoring and evaluating implementation of the DC2020 policy was limited. Priorities, objectives and targets used to measure NAA performance in overseeing policy implementation had ‘not been designed to appropriately align with the policy’s objectives’, and required ‘improvement in relation to relevance, reliability, and adequacy’. Due to the varying questions, measures and rating scales in its surveys, NAA had ‘not obtained consistent and comparable data’ to enable accurate analysis of entity progress in implementing the policy over time. Further, NAA had ‘not taken action to define clear and consistent measures of success’ to evaluate and accurately report on entity progress in policy implementation.
Accordingly, the audit recommended that NAA establish appropriate monitoring and evaluation arrangements for the DC2020 policy, and any successor policies, that include relevant, reliable and adequate performance measures to enable accurate assessment of performance against policy objectives and of entity performance in implementing targets, and clearly define how success will be measured and reported. At the time of the audit, NAA advised that it would identify performance measures to assess the effectiveness of policy delivery and revise its survey to assess progress against policy principles. NAA provided an update on implementation of this audit recommendation, confirming that ‘agency targets were reviewed’ and that ‘reporting on the 2019 Check-up survey included progress against DC2020 recommended actions’. As NAA further stated:
When the audit was finalised we had a year to go with the policy. We have an established check-up survey … What we did there was realign a lot of the questioning to link back to the … actions in the policy so we could measure the success of agencies. It’s a self-reporting tool as well. We took on board the recommendations in the audit. When the policy was originally implemented we had a regime of questioning that didn’t totally tie back to the recommended principles of the policy one to one, so we’ve improved that.
In terms of the new Building Trust policy, NAA further confirmed that ‘we do have a draft evaluation and monitoring plan which is to go to our project board … which is how we want to measure our delivery, the agency implementation and then how we measure the success of the policy’. NAA also plans to ‘consultatively review’ implementation of the new policy, after the first 12 months of its release, ‘to ensure its relevance, practicality and effectiveness’. NAA stated that it was ‘in the process of considering how we redesign the questioning in our check-up survey … to see if we can get better, reliable data to come through’.
NAA uses a survey tool to assess Commonwealth entities against core information management requirements, as well as to some extent DC2020 principles. The survey process over the three years since the policy was released has required that entities self-assess their progress in implementing recommended actions and associated targets of the policy. As part of the survey process, NAA ‘requests that “agency heads” approve their entity’s responses prior to final submission’, with the audit noting that NAA ‘relies on this process to assure the accuracy of the relevant submission’. The audit found that the ‘absence of any processes in 2017 and 2018 to verify the accuracy of entity self-assessments’ meant there was ‘minimal assurance regarding the accuracy of these results’. ANAO analysis of a selection of questions from the 2018 survey (which could be linked to the policy) indicated that a large portion of entities were at lower levels of maturity against the policy principles.
Accordingly, the audit recommended that NAA undertake appropriate assurance of the accuracy of reported data in terms of entity progress in implementing the DC2020 policy. In response to the audit recommendation, NAA noted that ‘options for reviewing agency reported data’ were being considered as part of planning for the completion of the agency survey, which closed on 31 March 2021. NAA also explained that ‘we have the requirement that the agency head or the accountable authority sign off on the policy, so … that gives some form of assurance that the information is accurate’. NAA noted that its service provider also runs ‘algorithms and sense checks’ to quality assure survey data with regards to the policy—and ‘if it doesn’t make sense they then contact back the relevant agency to correct that’. NAA stated that it had thought sign-off from the accountable authority was a ‘good measure’—‘we’re hoping the agencies are reporting appropriately to their accountable authority. Our survey contractor does some quantitative assessments of the answers … if they don’t add up, they contact the agencies’. NAA further added: ‘in terms of the assurance with agencies ... If we had more resources, we could get out and work with agencies a lot more. So we are operating as efficiently as we can with the resources that we have’. In particular, NAA observed that:
we don’t have coercive powers as such. Our function powers don’t extend to overseeing the record keeping going on in the government entity … Our role is very much to produce, promulgate and impose record-keeping obligations on the Commonwealth. That’s what it says in the act. It is very much a soft power, not a hard power, that we exercise … … … what we have done … since the ANAO’s report is divert far more of our internal resources within the Archives into this. We’ve now created … the Government Data and Policy Branch … dedicated to promoting this … … … it’s a maturity model, not so much a prescriptive, pass-fail set of deadlines. We’ve adopted this practice to make this approach more successful.
On this matter, the Deputy Auditor-General emphasised the importance of the policy owner, as the internal regulator, undertaking assurance of the accuracy of reporting data on implementation progress in terms of entity self-assessment processes:
At a simple level, policy owners need to find a way to make sure that their policy’s effective, or else why have it? Effectiveness can come through many approaches. I don’t dispute the director-general’s view about coercive powers. But influence is a really strong regulatory power and influence often comes through reporting and transparency. If you’re going to report and be transparent, you want to have assurance that your data is good.
As the ANAO further observed, ‘we found that the self-assessment process is flawed and that people overstate their progress’, and relying on the accountable authority has proven ‘not to be as reliable as the policy owner would like’—‘the data should be assured further’. In particular, the Deputy Auditor-General noted that, ‘with internal regulation, policy owners need to drive change’—‘can you only drive change through this supply of information and collection of self-assessed data? I think it would be fair to say publicly not’:
So what is the internal regulator doing about reporting the state of play of the implementation of important policy? What’s the impact of risk to the Commonwealth if these important policies aren’t being implemented? We hear a lot from regulators internal to government doing what you might describe as passive regulation, but we would highlight that, if you’re going to have a policy, you should be able to measure its success, you should be able to report on it and you should be able to raise issues of risk to the Commonwealth if you are a policy owner … … … Should there be a much more active role for the policy owner in implementing the regulation, the change in behaviour that they’re seeking through the policy, than just this kind of model that we’re seeing again in the public service?
Commonwealth records and broader digital policy
There was discussion at the public hearing about whether the development of messaging services such as WhatsApp, Signal and Telegram had created ambiguity about the definition of a Commonwealth record. NAA explained that the Archives Act defines a ‘Commonwealth record’ as being ‘a record that is the property of the Commonwealth’ but noted that ‘WhatsApp is not the property of the Commonwealth; Facebook is not the property of the Commonwealth’. As the NAA Director-General further emphasised, ‘it is a pressing issue for us—the increasing use of third-party, non-government, non-Australian platforms for the conduct of official business’:
I would like to see our legislation modernised, first and foremost, to embrace a more 21st-century definition of a Commonwealth record, one that incorporates a message sent on WhatsApp, for example … when you create a record it has to meet those standards such that it is known, that it is incorporated into an approved government information management system, be it third-party or government owned.
As to whether government business conducted by text message or a messaging service could be defined as a Commonwealth record, the NAA Director-General explained that its guidelines require ‘public servants to keep a record of what they’ve done’:
If you’ve conducted official business with a tweet then you are obliged to give a record. If that record should be kept under our guidelines, then really the obligation is on you to make sure a record of that tweet is kept. And leaving it on Twitter is not good enough. As we’ve seen, Twitter, the company, can pull down records at will … … … Twitter, YouTube et cetera are not archives, they are businesses. So a record for a particular legal process may well be anything that can be produced as evidence of something that has happened. But the Archives Act carries quite a specific definition of a record being the property of the Commonwealth.
The NAA Director-General confirmed that advice had been sought on the definition of the Commonwealth record: ‘we have sought advice on a better formulation for the definition. I’m being quite narrow in my answer because I’m talking about “as defined in the Archives Act” … the powers in my office, under the Archives Act, are limited to those records which are the property of the Commonwealth’. The NAA Director-General confirmed NAA had provided advice to the Attorney-General’s Department on this matter, and further noted that ‘we are in active discussion about this and a range of amendments to the Archives Act to bring it into the 21st century … the definition of a record is definitely high on that list’. The ANAO agreed that these definitional issues are important for the NAA Director-General’s role in setting out APS record-keeping requirements, and emphasised that ‘better record keeping is going to enhance our job’. However, the ANAO noted that it has powers to ‘gather information beyond the Commonwealth. We have powers to gather information that is not defined as a record … We can, using our section 32 powers, seek information from any person. If we chose to seek information on … messages, we could do that through that process’. Nevertheless, the ANAO pointed to a possible difficulty—‘would we be able to get things that are not stored on servers through these companies’:
We haven’t at this point sought that sort of information … … … We’re more likely to interview a person, who will be interviewed under oath, to get the information, because it is more efficient and, quite often, we’re interested in not just the message but conversations and any other information around it. But we think it is important for the Commonwealth to resolve whether those kinds of applications meet the requirements of record keeping … people do pick up on technology and start to use it and it can cross over from private life to public life, and in public life we have responsibilities.
As to whether there is guidance for Commonwealth public servants on keeping records from the use of messaging apps such as WhatsApp, Signal and Telegram, NAA responded:
We have published guidance on this at the National Archives. We regularly deliver it through our fora … and it is published on our website under our general guidance. We remind all public servants of their obligation, under the Public Service Act and under the PGPA Act, to maintain a record, to maintain a level of accountability and transparency. Our advice is that, if you are using these other platforms and you are conducting important business on those and creating records, you need to keep those records in your information governance regime.
There was further discussion about messaging services and encrypted messages, with NAA emphasising that it had ‘issued a specific records authority advice on this matter … it is something which we take very seriously … the encryption is not so great an issue for us; it really is capturing those records off those social media platforms so that they can be preserved as some sort of record to hold all of our processes accountable’. In particular, NAA referred to its General Records Authority 38 for Ministers of State, ‘where it uses the example of WhatsApp, Signal and Telegram and says the responsibility is on the user to make sure that they keep a copy that is saved without encryption and put back into the Commonwealth record-keeping system’:
It is their accountability to make sure that any record that they’re creating on another platform comes in and is preserved in the Commonwealth record-keeping system, as a Commonwealth record … We give very clear guidance to agencies on social media use, on their responsibilities, on what is a record and on what needs to be preserved.
Asked whether there is a ‘clear message’ to Commonwealth public servants that either they should not be using WhatsApp or Signal for government business or, if they are permitted to use such applications, they should be taking a screenshot and keeping a record, the NAA Director-General responded: ‘Yes, I would say that is the clear message. The question remains: how well is that message being received and what penetration are we achieving in getting that message across?’
NAA confirmed that it had ‘not yet received any transfers of social media records from Commonwealth government agencies or ministerial offices, however initial planning discussions are underway with some agencies’.
Asked about the penalties in place for entities, public servants and ministers who failed to supply encrypted messages and keep a record as required, the NAA Director-General responded that, ‘under the Archives Act, the only breach is to engage in conduct which leads to the deterioration, loss or alteration of a Commonwealth record … If the record is never made in the first place then I don’t think there is any penalty available through the Archives Act’. As the NAA Director-General further emphasised:
The Archives Act makes it an offence to destroy or alter Commonwealth records without proper permission. … There’s nothing in the Archives Act that makes it an offence not to create a record … I personally think that the legislation would be strengthened if there was a provision that would empower the National Archives to issue mandatory standards about record keeping as opposed to guidelines … If there were mandatory standards, that’s where it would therefore become something legally enforceable if you’re performing a function as a part of the executive.
In terms of penalties, the ANAO pointed out that ‘accountable authorities need to set their record-keeping authorities and their accountable authority instructions and reinforce the obligations of public servants to do things’—‘for those public servants engaged under the Public Service Act … the APS Act itself would have in the code that people act according to the law’, and NAA, the policy owner that administers the relevant law with regards to archiving records, ‘has … said it’s the law’.
The NAA described the implementation of appropriate policies around record-keeping, regardless of the medium on which the record was made, as ‘the core mission of the National Archives’:
Right now we are in discussion with the Public Service Commissioner on this very topic to see if we at the National Archives can work with the APSC on this professional streams strategy that the APSC has adopted as part of the overall workforce strategy to do everything you just said—to instil this culture, not record keeping you do as something on a Friday afternoon when you've finished all your other work but as a natural by-product of your official conduct. So the things you do create a record. The systems that we have across the APS are smart and nuanced enough to recognise a record to be kept and let the others go. We don't ever say you should keep every record. Ninety per cent of records can be deleted. It's that 10 per cent—the core important records.
Another matter discussed as part of the inquiry was Australian Government digital records policy (and the definition of a Commonwealth record under the Archives Act) with regards to documents held in the UK relating to the governance of the Commonwealth, and correspondence between Her Majesty The Queen and Australian Government officials in Australia (such as Governors-General). It was noted that NAA seeks to acquire the personal records of Governors-General and Prime Ministers of Australia as part of the archival resources of the Commonwealth, and that these records may contain correspondence received from and copies of correspondence sent to Her Majesty The Queen. However, the NAA Director-General ‘operates in the understanding that he does not have jurisdiction over the official records held by Her Majesty The Queen, including The Royal Archives and The National Archives (United Kingdom)’, with relevance to the Commonwealth—that is, ‘while Her Majesty The Queen may choose to donate records held by them to the National Archives of Australia, the statutory powers and functions of NAA do not compel them to do so’.
A further matter of interest was NAA’s cyber resilience in terms of its digital records management, noting NAA is a central depository of Commonwealth records. NAA stated that it has ‘a top-secret system’ to keep digitised records, and is working towards a ‘protected-level network’, with its current corporate network being at the ‘official sensitive level’. With regards to highly sensitive digital records, NAA confirmed that it is ‘working with the Australian intelligence community on how we establish that connectivity’. As to its compliance with the Australian Government Essential Eight strategies to mitigate cyber security incidents (including the Top Four), NAA stated that ‘we always said it would be achieved within the affordability of our budget, and currently we do have a funding injection, and our current plan is to make sure we do get to level 2 maturity’. NAA pointed to ‘a specific measure’ on investment in cybersecurity in the July 2021 Australian Government NAA funding announcement. NAA also confirmed that it has ‘a cyber-resilience road map … we have made very solid progress along that resilience road map. We’ve made significant investments and implemented resilience improvements’. NAA provided additional information on its milestones for Top Four compliance and related funding matters—in particular, it was noted that:
National Archives developed a cyber resilience framework and a comprehensive supporting plan to effectively implement the Essential Eight and all of the Australian Cyber Security Centre … recommended controls required for managing cyber threats … Progressing maturity across all of the Essential Eight was a priority and two independent external audits … recognised the positive progress made by the NAA since the ANAO [cyber] audit.
The March 2021 Functional and Efficiency Review of the National Archives of Australia (the Tune Review) recommended further funding for NAA cyber resilience. NAA emphasised that the Tune Review had qualified this recommendation ‘by saying that was subject to a developed business case’—‘it is upon us to develop a full business case with a greater degree of granularity in those costings, and … we’re working very closely with the ACSC and other competent government agencies to make sure that we’re getting that right’.
Commonwealth entities and digital policy—implementation and performance reporting
To achieve its objectives, the DC2020 policy established three principles for entities to implement by 31 December 2020. In order to embed these principles, the policy included 10 recommended actions, with associated dates for implementation. NAA’s implementation guidance accompanying the policy, Digital Continuity 2020—Agency Implementation Targets and Pathways, allocated these recommended actions across 29 targets, with due dates ranging from 30 June 2016 through to 31 December 2020. Seventeen of these targets were due by 31 December 2018. The audit examined the extent to which AGD, CASA and IGIS had implemented the DC2020 policy, focusing on implementation of these 17 targets.
AGD, CASA and IGIS
The audit found that AGD had effective arrangements to monitor and report on progress against the DC2020 policy targets, having established specific reporting arrangements within existing governance structures. AGD had fully implemented or made substantial progress against all of the policy targets due by 31 December 2018. AGD had fully implemented all eight targets under principle 1; fully implemented four targets under principle 2 and partially implemented one target associated with evaluating information assets; and fully implemented two targets under principle 3 and partially implemented two targets associated with ensuring minimum metadata standards and addressing information management functionality requirements. (No audit recommendations were directed at AGD.) AGD provided an update on implementation of these DC2020 policy targets, noting that it had ‘developed a workplan to address these findings’ and ‘made significant progress to ensure they are fully implemented’—work included a ‘review of the department’s records authority’ and ‘updating the department’s information and records management policy’. Asked about lessons for other entities in terms of implementing the DC2020 policy targets, AGD emphasised the importance of its governance committees and ‘senior executive buy-in’:
We considered it important from the outset. We had sufficient resources to commit to it. Because information is a crucial element of the nature of the department’s purpose and its mission we had strong engagement through governance committees. We were able to use our existing governance committees to pick up these additional responsibilities, so we had senior executive buy-in. There was accountability through the senior executive to the survey results … we were deliberately pessimistic in saying where we were with respect to the advancement of policy … to be able to demonstrate the basis on which we had come to that particular self-assessment.
The audit also recommended CASA update its electronic transactions policy to include guidance around adoption of digital workflows and authorisation; and complete its assessment of existing business systems and processes to ensure that information created and stored meets minimum metadata standards and functional requirements for information management. CASA provided an update on implementation of the audit recommendation, noting that an updated electronic transactions policy had now been incorporated into CASA’s information management directive, effective from November 2019, with the directive to be reviewed every two years. The directive provides staff with further guidance on the management of information throughout its life cycle, and ‘confirms CASA supports electronic business’, including ‘implementation of a digital signature model’. CASA further stated that it had ‘enhanced its information management guidance’ and implemented the Business Systems Assessment Framework, to ensure all business systems meet functional requirements for information management.
At the time of the audit, the ANAO noted that ‘implementation of the expansion’ of IGIS and ‘planned changes’ to its operating environment were pending, subject to amendments to the Inspector-General of Intelligence and Security Act 1986, following the 2017 Independent Intelligence Review—accordingly, IGIS did not have ‘formal arrangements in place to internally monitor or report on progress’ against the DC2020 policy targets. IGIS had ‘partially implemented’ the targets of the policy due by 31 December 2018, with the audit accepting that ‘there are instances where IGIS is subject to policy direction by an originating entity to retain particular information in hard copy only’. As IGIS further explained, the audit ‘acknowledged [IGIS’s] progress in implementing aspects of DC2020, and noted some of the external security requirements that limit IGIS’s ability to satisfy fully certain principles of DC2020’. IGIS stated that ‘as an oversight agency we recognise the importance of records and record keeping. Where we found some slight challenges is in the digital space where we run across three separate systems, many of which relate to highly classified information. We are working through how we might digitise some of those parts’. However, IGIS advised that, ‘as the ANAO report acknowledges there are some aspects of the security parts of our work which mean that some records just never will be able to be digitised. We are working to see how that might be operating across those three systems’.
IGIS had fully implemented seven targets under principle 1 and partially implemented one target associated with information governance frameworks; not implemented five targets under principle 2 associated with working digitally and migrating information in analogue formats; and partially implemented three targets under principle 3 associated with addressing information management functionality requirements, and not implemented one target associated with ensuring minimum metadata standards. Accordingly, the audit recommended that IGIS establish a plan for implementation of the DC2020 policy, with a particular focus on targets due on or before the end of 2018 and clear processes for monitoring and reporting of progress. In providing an update on this matter, IGIS pointed to its ‘current status and how this has evolved since the 2017 Independent Intelligence Review and its associated injection of funds’, as ‘this context is important to understanding IGIS’s approach’ to implementing the recommendation and the DC2020 policy. In particular, IGIS explained that, ‘until 2017 IGIS was very small, with limited resources. Since that time, we have grown quickly, doubling in size between 2018 and 2020’. Following an appropriation of funds to implement recommendations from the 2017 Independent Intelligence Review, IGIS gained resources to ‘dedicate to the implementation of DC2020 targets’.
At the public hearing, IGIS confirmed that it had made ‘good progress’ in implementing the audit recommendation. IGIS had developed a DC2020 Implementation Plan, containing the following key actions:
Develop an Information Governance Framework for IGIS. This is in train and due for completion by May 2021.
Ensure IGIS’s risk framework addresses information management. This action is being addressed through a review of IGIS’s risk management framework that is under way.
Establish a reporting mechanism to manage compliance, risk and business needs. This is being developed as part of the Information Governance Framework, and other processes already under way.
Update all relevant policies so they are fit for purpose for a digital environment. This includes both internal policies and external agreements.
Nurture a culture that values knowledge management. This includes training to ensure IGIS staff know what is required of them in terms of information management. This work has already commenced, and will be ongoing.
IGIS further explained that it had engaged KPMG in October 2019 to ‘design a governance framework suitable for an expanded agency, to replace the legacy and ad hoc arrangements (including those relating to information governance) then in place’. Following a December 2020 restructure, IGIS now has a dedicated area focusing on information governance and has also engaged ‘an experienced information governance specialist’. In particular, the Information Governance Framework will ‘address any outstanding obligations IGIS has in relation to DC2020 … and positions the Office to quickly begin implementation of the Building Trust policy’.
The Committee was concerned to note that NAA’s administration of the DC2020 policy lacked effectiveness, including in terms of monitoring and assisting Commonwealth entities to meet policy targets. As a contributing factor to the audit findings, NAA pointed to resourcing issues which have since been addressed: on 1 July 2021, the Australian Government announced a funding boost of $67.7 million to NAA.
The Committee reinforces the need for Commonwealth entities to implement effective information governance frameworks and maintain a focus on record keeping, to drive the necessary cultural change that in turn will assist with implementation of digital policy. The Committee is also cognisant that numerous prior ANAO reports and JCPAA reports have identified repeated general deficiencies in record-keeping. The Committee is aware that, at the time of the inquiry, NAA was in discussion with the Australian Public Service Commission on matters related to this area.
The Committee recommends that:
the Australian National Audit Office consider undertaking an audit of information governance frameworks in selected Commonwealth entities, with a focus on organisational culture, implementation of digital policy and/or record keeping
the Australian Public Service Commission provide an update on how it is working to foster a digital information management and record-keeping culture in the Australian Public Service.
The Committee notes that, in response to the audit recommendation regarding administration of DC2020 policy, NAA had implemented revised governance, oversight and reporting arrangements. In particular, for the new Building Trust policy, which commenced in January 2021, NAA had established a phased project management approach, overseen by a project assurance committee, including stakeholder consultation. The Committee emphasises the need for NAA to maintain its focus on these governance structures throughout the five-year implementation of the Building Trust policy.
In response to other audit recommendations regarding the Building Trust policy, the Committee understands that NAA has implemented a stakeholder engagement and communication strategy, established advisory groups of practitioners and developed improved guidance. NAA further confirmed that analysis of data from its annual surveys would assist in prioritising entities requiring additional support, to assist with implementation of the new policy. The Committee emphasises the need for NAA to maintain this focus on entity implementation of digital policy. NAA also confirmed that it had established a risk management plan in order to implement the DC2020 policy as a coordinated program of work. The Committee reminds NAA that the Commonwealth Risk Management Policy, established under the PGPA Act, requires Commonwealth entities to establish and maintain systems and appropriate internal controls for the oversight and management of risk.
The Committee emphasises the need for NAA to improve the effectiveness of its arrangements for monitoring and evaluating implementation of digital policy. The Committee notes NAA’s progress in this area, including a draft monitoring and evaluation plan for the Building Trust policy, with performance measures and measures of success, being due for finalisation at the time of the Committee’s inquiry. The Committee also understands that implementation of the new policy will be reviewed in a year’s time, in consultation with stakeholders. The Committee sees merit in NAA reporting back on these important matters.
NAA’s survey process requires Commonwealth entities to self-assess their progress in implementing recommended actions and associated targets of digital policy. NAA then requires agency heads to approve their agency’s responses prior to final submission of the survey. The Committee points to concerns about the accuracy of such self-assessment processes, as reinforced by audit testing of NAA survey results. While sign-off from the accountable authority in such surveys is a necessary measure, the Committee emphasises that the policy owner (as the internal regulator) needs to undertake robust assurance of the accuracy of data on implementation progress in terms of entity self-assessment, to ensure that the policy is effective and maintain accountability to the Parliament. NAA confirmed that options for reviewing agency reported data were being considered for the survey that closed in March 2021. The Committee requires NAA to report back on this matter.
The Committee notes the ANAO’s observation as part of the inquiry that it has found some self-assessment processes to be ‘flawed’ as entities overstate their progress, with the policy owner (as the internal regulator) needing to take a more active role in providing assurance of the accuracy of data on implementation progress and driving the change in behaviour being sought through the policy—‘if you’re going to have a policy, you should be able to measure its success, you should be able to report on it and you should be able to raise issues of risk to the Commonwealth’ if the policy is not implemented. The ANAO may wish to provide the Committee with further information about the use of such self-assessment frameworks across the Commonwealth (aside from cyber and digital policy).
The Committee recommends that the National Archives of Australia (NAA) report back:
with details of its risk management plan for the Building Trust digital policy, and on how NAA is identifying, managing and reporting risks to implementation of the policy
on its monitoring and evaluation plan for implementation of the Building Trust policy, including details of:
how the performance measures it has established are relevant, reliable and adequate; are consistent with the policy objectives, to enable accurate assessment of NAA performance against objectives and accurate analysis of Commonwealth entity performance in implementing targets; and clearly define how success will be measured and reported
how its annual surveys have been redesigned to reflect the objectives of the Building Trust policy and gauge entity progress in implementing the policy, to enable direct comparison of survey results with policy targets, and ensure consistent and comparable data is collected
the findings of its review of implementation of the policy (due in 12 months), including performance reporting on NAA’s effectiveness in monitoring and assisting entities to meet the targets of the policy
on its assurance framework for verifying the accuracy of reported data in Commonwealth entity self-assessments from annual surveys, in terms of implementation of the Building Trust policy.
The inquiry considered APS record keeping with regard to messaging apps, including encrypted messages. The Committee emphasises that, under the PGPA Act, the Archives Act and the Public Service Act, there is an obligation for Commonwealth officials to maintain a record of government business. The Committee notes that NAA has published guidance for Commonwealth public servants on keeping records from the use of messaging apps. The Committee points to the need for information management governance to continue to reinforce that when a record is created for the conduct of official government business—including through social media platforms and (encrypted) messaging apps—it must be duly incorporated into an approved government information management system as a Commonwealth record. The Committee highlights that information management governance must continue to ensure that there is clarity on the definition of a Commonwealth record, consistent with technological developments.
NAA indicated that it was in discussion with the Attorney-General’s Department regarding possible amendments to the Archives Act, regarding such matters. The Committee believes it would be useful to seek an update on this important matter.
The Committee recommends that the Attorney-General’s Department, in consultation with other relevant departments and agencies as required, report back to the JCPAA on how the relevant information management and archives legislation provides clarification on record-keeping obligations when creating records that are the property of the Commonwealth (those with the relevant characteristics of official documents and decisions), regardless of the technology and method used to create the record, in relation to record-keeping obligations when conducting official business, i.e. specifically in reference to records which are the property of the Commonwealth.
The Committee notes NAA’s significance as a central depository of Commonwealth records, and that the aggregation of Commonwealth records in the NAA collection necessitates that it maintain high cyber resilience, encompassing compliance with the Australian Government Essential Eight strategies to mitigate cyber security incidents (including the Top Four). The Committee has undertaken past inquiries into cyber resilience of Commonwealth entities and will continue to focus on this matter in future inquiries, including with regard to NAA’s cyber resilience.
The Committee notes the sound progress made by AGD, IGIS and CASA in implementing the DC2020 policy targets—acknowledging also that IGIS is subject to external security requirements that limit its ability to fully satisfy DC2020 principles and that, at the time of the audit, implementation of the expansion of IGIS and changes to its operating environment were still pending, subject to legislative amendments.
The Committee further notes the sound progress made by the three entities in implementing the audit findings and recommendations, with these entities now being well positioned to begin implementing the new Building Trust policy. In particular, the Committee recognises that AGD had established effective arrangements to monitor and report on progress against the DC2020 policy targets, and had fully implemented or made substantial progress against all of the policy targets due by 31 December 2018. CASA and IGIS provided a comprehensive update on implementation of the audit recommendation directed at each respective agency. CASA had updated its electronic transactions policy and addressed functional requirements for information management. IGIS had developed a DC2020 Implementation Plan, including an Information Governance Framework, to address any outstanding obligations regarding the DC2020 policy and position IGIS to implement the Building Trust policy.