Records management obligations for NSW Government entities 02: are encrypted messages a State Record?

By Dr Ashley Tsacalos, Elizabeth Forbes and Ethan Tindall
04 Mar 2021
To ensure compliance with their legislative obligations, NSW Government entities should implement a robust information management policy that contains specific guidance on retention policies for messages sent or received using encrypted messaging platforms (including on personal devices).

Encrypted messaging platforms such as WhatsApp and Signal have increasingly been adopted as a primary means of electronic communication: including by NSW Government employees who commonly utilise these platforms for work related communications.

The importance of having good recordkeeping practices in this context cannot be understated. Recently, there have been a number of inquiries which have examined messages sent by Government employees using these platforms, for example the Victorian COVID-19 Hotel Quarantine Inquiry, which examined WhatsApp messages between the employees of the Department of Jobs, Precincts and Regions as well as the recruitment of security personnel using WhatsApp.

This article builds on the principles outlined in our first article in this series on the obligations for NSW Government entities under the State Records Act 1998 (NSW), and focuses on "State records" arising from encrypted instant messaging platforms, in particular:

  1. are encrypted instant messages "State records"?;
  2. what obligations arise in relation to instant messages that are "State records"?; and
  3. best practice tips for compliance.

We consider each in turn below.

1. Are encrypted instant messages "State records"?

If a message is made, sent or received in the course of the exercise of an official function by a Government entity (namely, by an employee), it is likely to be a "State record" and must be managed in accordance with the Act. A "record" is defined in section 3 of the Act as: "any document or other source of information compiled, recorded or stored in written form or on film, or by electronic process, or in any other manner or by any other means". The Act further defines a "State record" as (section 3):

"any record made and kept, or received and kept, by any person in the course of the exercise of an official function in a "public office", or for any purpose of a "public office", or for the use of a "public office", whether before or after the commencement of this section."

This broad definition includes email correspondence and all other forms of electronic communication such as text messages, instant messaging platforms (for example, WhatsApp and Signal) as well as those on social media platforms (for example, Instagram and Facebook). An explanation of the term "public office" can be found in our first article in this series.

Further, the State Records Regulation 2015 (NSW) define "messages" as including of email, voice mail, SMS (short message service) messages, instant messaging, facsimiles, telephone messages, transmission reports or similar records (clause 4). Instant messages can be "State records" even when they are made, received, sent or kept on personal devices.

2. What obligations arise in relation to instant messages that are "State records"?

While the use of messaging platforms is not contrary to the Act or Regulation, problems arise when these messages are deleted. This may give rise to a possible contravention of the Act if "State records" have not been retained in accordance with the legislative obligations.

Clause 21 of the Regulations requires that messages must not be disposed of if they have a "continuing value". Clause 2 of the Regulations defines "continuing value" as meaning a record that has "administrative, business, fiscal, legal, evidential or historic value to the public office". An assessment of the "continuing value" of a message must be based on the information it contains and the context in which it was sent or received, whereas the platform used for the message is not relevant.

In contrast, messages may be disposed of if they are:

  • an "ephemeral" record; or
  • "those of which a copy has been placed on the relevant file or captured in an appropriate way within a public office record-keeping system."

"Ephemeral" messages will be those that are (clause 2):

"records of little value that only need to be kept for a limited or short period of time. Records that are ephemeral have no continuing value to the public office and, generally, are only needed for a few hours or a few days.

Retention and disposal obligations for records are specific to their content and context, and can be found in the "Retention and Disposal Authorities" issued by the State Archives and Records Authority of New South Wales. For example, for financial, personnel and other administrative records, the General retention and disposal authority: administrative records is relevant.

3. Best practice tips for compliance with the State Records Act 1998 (NSW)

To ensure compliance with their legislative obligations, NSW Government entities should implement a robust information management policy that contains specific guidance on retention policies for messages sent or received using encrypted messaging platforms (including on personal devices). This policy should comply with the Authority's Digital Records Preservation Policy and ensure that all records that fall within the definition of a "State Record" are captured and retained according to the mandatory minimum retention periods under the "Retention and Disposal Authorities" issued by the Authority. According to the Authority, the types of messages that should be captured include those:

"(a) providing advice, instructions or recommendations

(b) giving permissions and consent, and

(c) making decisions, commitments or agreements, including reasons for decisions or recommendations."

The method used to capture these "State Records" may involve utilising the functionality of your messaging platform to download the message or simply taking a screenshot of the message, sending it to your work email and saving it to your organisation's document management system. When creating such records, you should include:

  • the content of the message;
  • the sender and recipient of the message;
  • the time and date the message was sent or received; and
  • any other relevant metadata.

It is also vitally important to educate employees to promote an organisation-wide understanding of document management and retention obligations and to employ IT solutions which reflect these obligations.

Get in touch

Disclaimer
Clayton Utz communications are intended to provide commentary and general information. They should not be relied upon as legal advice. Formal legal advice should be sought in particular transactions or on matters of interest arising from this communication. Persons listed may not be admitted in all States and Territories.