Managing Access The organisation should then be able to •identify ways to mitigate the risks identified •identify ways to measure the success of access services •identify the resources required to carry out access controls and procedures. Assigning Responsibility Finally, the organisation should •assign responsibility for the management of access protocols within the business unit or agency •document all policies and procedures so that an accountable access framework is established for the business unit •train and orient all appropriate personnel in the business area so they are aware of their roles and responsibilities for providing access and protecting privacy. Key Components of an Access Policy All access policies should include the following components: •statements outlining the objectives, purpose and scope of the policy •information about related laws, regulations or policies that may affect access provisions in the organisation or business area •statement of how the organisation intends to respond to those laws and regulations •identification of who is responsible for overseeing the overall implementation of the policy and/or fulfilling the detailed requirements of the policy •an explanation of the sanctions in place for non-compliance with the policy The policy may also include reference to the resources needed to execute the policy successfully. A sample access policy is shown in Figure 9 below.
MANAGING THE CREATION,USE AND DISPOSAL OF ELECTRONIC RECORDS 58 Figure 9: Sample Public Access Policy Purpose This policy provides people with the opportunity to access certain categories of public records created by [the government] without having to submit a formal application under the Access to Information and Protection of Privacy Act (ATIPOP Act). This policy shall be administered according to the following principles: •Protection of personal privacy: public records containing personal or protected information shall not be disclosed except in accordance with the ATIPOP Act. •[The government] will respond to routine access requests within a reasonable time, according to the guidelines established in the ATIPOP Act. •[The government] shall be entitled to charge fees for the reproduction and delivery of records, as authorised by policies and as per the guidelines established in the ATIPOP Act. Purpose The purpose of this policy is to make certain records routinely accessible to the public, in order to facilitate access for those people requesting information and in order to support the intention of the ATIPOP Act to support openness and accountability in government. Scope •This policy covers records in all formats, created in the course of [the government’s] business, including records in electronic, video, audio or other formats.