OP 1877/04
OPERATIONAL CIRCULAR
Enquiries to: Maureen Bradford - Tel: 9222 4300 Number: OP 1877/04
Supersedes: Date: 25 November 2004
Superseded by: File No: 95-00175
Subject: IT SERVICE CONTINUITY AS RELATED TO THE MANAGEMENT OF ELECTRONIC RECORDS POLICY
The State Records Act was formally proclaimed in the Government Gazette on the 30th November 2001.
Under the Act a State record is defined as any record of information (in any form) created, received or maintained by a government organisation or parliamentary department in the course of conducting its business activities. State records can come in any format on which information can be stored including maps, plans, photographs, films, and magnetic and optical media.
A cornerstone of the legislation is an instrument of accountability called the "recordkeeping plan", a document to be formulated by every government organisation. The Department of Health’s plan sets out the matters about which records are to be created, how those records are to be managed in the context of the organisation's functions, and for how long those records are to be kept.
Several recordkeeping policies have been developed in concert with the recordkeeping plan. The IT Service Continuity as Related to the Management of Electronic Records Policy addresses the protection from unintended loss of all electronic records that are created and maintained in record keeping systems and business application systems so as to ensure that they satisfy record keeping requirements for operational and archival purposes over the medium to long term.
This Policy is available from the Records Services Homepage on HOLII at URL http://intranet.health.wa.gov.au/Records/policies.cfm.
Des Hutchinson ACTING DIRECTOR INFORMATION POLICY
IT SERVICE CONTINUITY
AS RELATED TO THE MANAGEMENT OF
ELECTRONIC RECORDS
IT Service Continuity
______________________________________________________________
File 95-00175
Document Control
Date | Version | Notes | Author
10/11/2003 | 0.1 | Initial draft | Geoff Graham (InfoHEALTH)
12/11/2003 | 0.2 | Updated after review | Geoff Graham (InfoHEALTH)
21/01/2004 | 1.0 | Modified S. 4 | Gopal Warrier
6/2/2004 | | Final | Principal Information Officer
Previous Editions: Nil
Revision due: November 2005
Format: Microsoft Word 2000
Authorisation
This policy has been authorised by Mike Daube, Director General, Department of Health
Date:
CONTENTS
1. PURPOSE...4
2. POLICY STATEMENT...4
3. SCOPE...4
4. STRATEGIES...5
5. LEGISLATION AND STANDARDS...6
6. GLOSSARY...6
7. RESOURCES...7
1. PURPOSE
The Department has an obligation to ensure that electronic records are preserved and kept accessible for as long as they are required. Part of this requirement is that the records be protected from loss, either by disaster, human error or technical failure.
This paper describes the Department’s policy regarding the protection from unintended loss of all electronic records that are created and maintained in record keeping systems and business application systems so as to ensure that they satisfy record keeping requirements for operational and archival purposes over the medium to long term.
2. POLICY STATEMENT
The Department shall maintain the Information Technology systems and processes to ensure that any electronic record of continuing value remains available and accessible and may be completely recovered in the event of its loss.
3. SCOPE
This Policy applies to:
All business application systems and record keeping systems that capture, create and store records as defined in the State Records Act 2000 and the Freedom of Information Act 1992.
Employees of the WA government health sector, ultimately reporting through to the Minister for Health. This includes Department of Health (DoH) entities, public hospitals, public community health services, public pathology laboratories, public health and mental health clinics and services, public nursing homes, DoH contracted services and any other WA government health sector organisational entities.
Administrative records should be managed in accordance with the State Records Office of Western Australia General Disposal Authority (GDA) for Administrative Records, see: http://www.sro.wa.gov.au/pdfs/gdaadmin.pdf
Patient records should be managed in accordance with the Patient Information Retention and Disposal Schedule, see:
http://intranet.health.wa.gov.au/hic/Statistics/hiconsu/PIRDSV22000.pdf
This policy does not prescribe specific technological solutions for the availability and recovery of electronic records over the long term.
4. STRATEGIES
This policy imposes three requirements.
Continued Availability
The IT systems holding and making available the electronic records must have backup systems in place so that the records can continue to be available following a disaster.
This requirement is addressed by building into the IT systems redundancy or backup systems that can take over in the event of failure of the primary systems. These systems must be capable of providing access to the vital records within a reasonable time following a failure of the primary system. Both the terms “vital records” and “reasonable time” must be assessed for each system with their values dependent on the criticality of the information held by the system and the consequences of its non-availability, including its impact on other record keeping systems.
Record Recovery
Any record that is lost, either through human error, technical failure or other factor, must be capable of being recovered in its entirety.
This requirement is addressed by regularly copying (backing up) the records onto storage systems that are technically and physically separate from the original data. This must allow for the recovery of records that have been lost through any event from accidental erasure through to total catastrophic destruction.
Standard IT practice must be followed to ensure that several generations of the copied data (backups) are retained over time, so that an error present in one copy (a corrupt file, or a mistaken change that was itself backed up) can still be recovered from an earlier generation.
How often the data is backed up and the time that backup generations are held must be assessed for each system and will depend on the volatility of the data and the risk of its loss.
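As an added illustration of the Record Recovery strategy (this is example code written for this page, not part of the policy or of any Department system), the following Python applies a generation retention rule to a set of dated backup copies and then checks a backup copy against the live records before it is relied on. The retention counts (7 daily, 4 weekly, 12 monthly), the record paths and the file contents are constructed assumptions.

```python
"""Added example for the Record Recovery strategy (not part of the policy).
Two pieces: a generation retention rule for dated backup sets, and a
content check confirming that a backup copy can restore every record in
full.  Retention counts, record paths and contents are assumptions."""
import hashlib
from datetime import date, timedelta


def generations_to_keep(backup_days, today, daily=7, weekly=4, monthly=12):
    """Select which dated backups to retain under a grandfather/father/son
    rule: the most recent `daily` copies, the newest copy from each of the
    last `weekly` ISO weeks, and the newest copy from each of the last
    `monthly` months.  Older generations let a record be recovered even
    when the error (a corrupt file, a mistaken edit) was itself copied
    into every recent backup."""
    recent = sorted(d for d in backup_days if d <= today)
    keep = set(recent[-daily:])
    newest_per_week = {}
    newest_per_month = {}
    for d in recent:                       # chronological, so later wins
        year, week, _ = d.isocalendar()
        newest_per_week[(year, week)] = d
        newest_per_month[(d.year, d.month)] = d
    keep.update(list(newest_per_week.values())[-weekly:])
    keep.update(list(newest_per_month.values())[-monthly:])
    return keep


def daily_backups(first, last):
    """One backup per calendar day from `first` to `last` inclusive."""
    return [first + timedelta(days=i) for i in range((last - first).days + 1)]


def retention_report(first, last):
    """Apply the rule to daily copies taken from `first` to `last` (ISO
    date strings, `last` being today) and return the retained dates as
    ISO strings, oldest first."""
    first_d, last_d = date.fromisoformat(first), date.fromisoformat(last)
    kept = generations_to_keep(daily_backups(first_d, last_d), last_d)
    return sorted(d.isoformat() for d in kept)


def manifest(files):
    """SHA-256 digest of every record; `files` maps a path to its bytes."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def verify_backup(source_files, backup_files):
    """Compare a backup copy with the live records.  Returns a mapping of
    record path -> problem for every record the copy could not restore;
    an empty mapping means the copy is complete and intact."""
    src, bak = manifest(source_files), manifest(backup_files)
    problems = {}
    for path, digest in src.items():
        if path not in bak:
            problems[path] = "missing from backup"
        elif bak[path] != digest:
            problems[path] = "content differs from source"
    return problems


# Constructed sample data (assumed paths and contents, not real records).
SOURCE = {
    "records/2004/admin-0001.txt": b"minute of 2004-11-01 meeting",
    "records/2004/admin-0002.txt": b"correspondence register entry",
    "records/2004/index.db": b"\x00\x01index",
}
GOOD_BACKUP = dict(SOURCE)
BAD_BACKUP = {
    "records/2004/admin-0001.txt": SOURCE["records/2004/admin-0001.txt"],
    "records/2004/admin-0002.txt": b"correspondence register entr",  # truncated
    # index.db is absent: the copy was taken while the index was being rewritten
}


if __name__ == "__main__":
    kept = retention_report("2004-01-01", "2004-11-25")
    print(f"{len(kept)} daily copies retained; oldest {kept[0]}, newest {kept[-1]}")
    print("good copy:", verify_backup(SOURCE, GOOD_BACKUP) or "complete and intact")
    print("bad copy: ", verify_backup(SOURCE, BAD_BACKUP))
```

The verification step is what a Backup Test Process would exercise on a schedule: a copy that reports any problem must not be counted as a recoverable generation, and the report is the evidence for the audit and review process.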
Suitable Processes
A number of processes must be in place to ensure that the organisation keeps the technical systems described above effective and remains capable of restoring access to electronic records. These are:
Backup Test Process: Defines the process for testing backups, including the schedule and reporting requirements.
Disaster Process: Defines a plan for management of a disaster situation, including roles and responsibilities during the disaster, rules for declaring a disaster, notification, escalation, alternative facilities and recovery tasks.
Disaster Test Process: Defines the process for periodic testing of the Disaster Plan. The test should exercise the relevant roles and responsibilities and the infrastructure provided for recovery during a disaster situation.
Audit/Review Process: Defines the process for periodic auditing and review of the continuity provisions (processes and infrastructure) and the corresponding changes to the continuity provisions to maintain the required level of assurance regarding continuous service delivery.
5. LEGISLATION AND STANDARDS
The following legislation and Standards apply to the management of electronic records over time:
Evidence Act 1906
State Records Act 2000
Electronic Transactions Act 2003
Freedom of Information Act 1992
Public Sector Management Act 1994
International Standard on Records Management AS ISO 15489
Refer to the Department of Health’s Record Keeping Plan and Records Management Policy for further detailed information regarding electronic records.
The IT Service Continuity process is defined authoritatively in the ITIL best practice framework (“ITIL Service Support”, ISBN 0 11 330015 8).
6. GLOSSARY
For a full glossary of terms used for records and electronic records, see the Department of Health’s Record Keeping Plan.
Additional terms are defined below:
Disaster or Disaster Situation: An event that could not normally be expected or anticipated and which disables the IT systems to an extent that prevents normal access to the electronic records.
Data Backup: A copy of electronic records made for the purpose of safeguarding the data in the case of loss.
7. RESOURCES
Electronic Records, The Impact of the Digital Age – National Archives of Australia
http://www.naa.gov.au/recordkeeping/er/summary.html
Corporate Memory in the Electronic Age – Statement of a Common Position on Electronic Records Keeping
http://www.naa.gov.au/recordkeeping/er/manage_er/append_1.html
e-Government Policy Framework for Electronic Records Management
http://www.pro.gov.uk/recordsmanagement/erecords/e-gov-framework.pdf
Practical Experiences in Digital Preservation Conference 2003
http://www.pro.gov.uk/about/preservation/digital/conference/default.htm
State Records Standard 5: Management of Electronic Documents in Networked Computer Environments
http://www.sro.wa.gov.au/src/policies.html
State Records Standard 6: Management of Electronic Documents in Stand-Alone Computer Environments
http://www.sro.wa.gov.au/src/policies.html
Public Records Policy 8: Policy for the ongoing management of electronic records designated as having archival value.
Retention of Laboratory Records and Diagnostic Material – National Pathology Accreditation Advisory Council 2002
Standard on Recordkeeping in the Electronic Business Environment – State Records NSW
APPENDIX A – ELEMENTS OF A DISASTER RECOVERY PLAN
The following headings list the essential elements of a comprehensive Disaster Recovery Plan. Depending on the scale of the IT systems, some or all of the following subjects should be addressed in the plan.
Applications
Each application supported should be listed and allocated a priority so that, following an outage, the first effort can be given to recovering the most important applications.
The name of the group or organisation responsible for providing the main support for each application must also be listed.
Computer System Components
List the hardware and software components of each computer system used for the processing of the applications. Along with listing the vendor or supplier of the components, it is wise to list any alternative suppliers who may be approached if there is a need for urgent acquisition of replacement components or parts.
Computer Room and Network Diagrams
Include copies of computer room diagrams and communication network diagrams so that recovery, replacement or reconstruction can be expedited should a disastrous event occur.
Computer System Security
A description of the relevant features of the computer system’s security.
Application and System Software Backup and Recovery
Details of all relevant aspects of the recovery of backup data.
Hardware and Software Maintenance Contracts
Details of any hardware and software maintenance contracts, including the vendor’s name and contact details.
Insurance Cover
The details of any insurance cover for system components, communications equipment or the physical environment (although it must be understood that insurance cover is by no means an adequate alternative to a DRP, since it compensates for loss rather than restoring access to the records).
Arrangements for Replacement Equipment
Description of any pre-arranged strategies (formally agreed) in place to make alternative equipment available should the normally used equipment become unavailable.
Description of any pre-arranged strategies in place to relocate critical equipment, staff and supplies.
Disaster Recovery Personnel Contact List
Being able to contact key people at any time 24 hours a day, seven days a week may mean the difference between continuing business or failing to do so. Key people may be members of staff, equipment vendors, support people, air conditioning engineers, etc.
Maximum Acceptable Computer System Outages
Key users must justify the maximum time they can tolerate an outage of each application (what is elsewhere called the recovery time objective). The size of each tolerable outage provides the ‘window’ for recovery, and any recovery procedure must be developed to fit within this window. It is not justifiable to develop recovery strategies which cost more than the cost of the outage.
Recovery Elapsed Time Estimates
A listing of the likely elapsed time of a recovery for each application, to be compared with the maximum acceptable outages listed above; any application whose estimated recovery time exceeds its window needs a revised recovery strategy.
Limp-along Procedures
Limp-along procedures are sometimes known as Downtime Procedures. They are the alternative procedures which users will invoke should the availability of the computer system be lost for any period of time. These procedures typically involve manual systems or PC based processing and should be developed and maintained by the business units.