Last updated:

Shared platforms, tenancies and recordkeeping

Shared platforms and tenancy environments support collaboration and data sharing across the Victorian Public Sector. Records created in shared environments (whether shared platforms or tenancies) are subject to the same legal and regulatory requirements as any other business system.

Public offices are responsible and accountable for records created, received and managed within these environments, regardless of who owns, hosts, or administers the platform.

 

Key principles:

  • Shared platforms are business environments where public records may be created
  • Each public office remains responsible for its own records, even in shared or tenancy arrangements
  • Arrangements and agreements must be in place to ensure public records in shared platforms and tenancies are effectively managed in accordance with PROV Standards.

 

Key concepts

💻 Shared platforms

Collaboration tools (e.g. Teams, SharePoint, Microsoft 365)

Not inherently recordkeeping systems.

 

💭 Shared tenancy

Shared cloud infrastructure used by multiple public offices.

Often centrally managed.

 

🗂️ Public records in shared environments

Information created or received in shared technology environments may be public records, depending on the business function or activity to which it relates.

Must be managed in accordance with the Public Records Act 1973 and applicable PROV Standards.

 

📄 Public record

The Public Records Act 1973 defines public records as any records created or received by a public officer in the course of their duties, regardless of format.

Applicable to any person employed in a public office.

 

🔄 Data sharing and access

The exchange, access or provision of information between public offices to support service delivery, collaboration, decision-making, or public benefit outcomes.

Recordkeeping obligations apply to both the sending and receiving public office.

 

Figure 1: Shared platform, tenancies and data sharing definitions (developed by PROV)

Recordkeeping in shared environments

The use of shared environments does not change the legal or regulatory obligations that apply to records created, received and managed by public offices. Shared environments can also introduce unique risks to the confidentiality, integrity and availability of the information stored or used.

Effective recordkeeping ensures:

  • accountability for decisions and actions
  • compliance with legal, regulatory and administrative obligations
  • maintenance of the confidentiality, integrity and availability of records
  • consistent retention and lawful disposal.

Failure to manage records appropriately in shared environments increases the risk of:

  • compromise of the confidentiality, integrity and availability of the records
  • difficulty demonstrating accountability for decisions and actions
  • inability to meet legal, regulatory and administrative obligations
  • inconsistent or unlawful disposal.

Public offices remain responsible and accountable for the secure creation, capture, management, and lawful disposal of their records, regardless of where those records are created or stored.

The responsibility does not transfer to:

  • platform owners
  • shared service providers
  • other public offices.

Public offices must ensure that records are:

  • identifiable
  • securely captured and managed
  • accessible and usable for as long as required
  • managed in a way that maintains their confidentiality, integrity and availability.

They must also:

Public offices must actively manage records created in shared collaborative tools.

Identify records

Records created by your public office must be identified. These may include:

  • documents and correspondence
  • approvals and decisions
  • meeting notes
  • project materials
  • information created in chat, comments, collaboration tools.

Capture records

Records should be:

  • captured in an approved system; or
  • managed within the platform where it meets recordkeeping requirements.

Manage records

Where records remain within the platform, public offices must ensure:

  • clear structure and naming conventions
  • retention of metadata (author, date, version history in line with Minimum Metadata Requirements Specification)
  • version control
  • defined roles and responsibilities
  • the ability to apply retention and disposal requirements.

Shared tenancies provides infrastructure but does not change accountability.

Public offices must ensure:

  • clear ownership and accountability for records
  • appropriate separation between public offices
  • access controls aligned to business and security requirements
  • records remain accessible and usable for their required retention period
  • secure retention and disposal requirements can be applied.

Where environments are centrally managed, recordkeeping requirements must be clearly understood and supported within those arrangements.

See also Joint statement: PROV and Cenitex.

Public offices retain full responsibility for the lawful disposal of their records, including those managed in shared environments.

Under the Public Records Act 1973, the Head of the Public Office (CEO, Director - for Departments, the Secretary) is ultimately responsible for ensuring records are disposed of lawfully and in accordance with approved Retention and Disposal Authorities.

The responsibility applies regardless of:

  • where the records are stored
  • whether systems are centrally managed
  • whether a third party undertakes recordkeeping activities (such as another public office or an outsourced supplier) on behalf of the public office.

Delegation and formal arrangements

Recordkeeping activities, including secure disposal, may be undertaken by:

  • a central platform owner
  • a shared service provider
  • another public office or outsourced supplier under formal agreement.

Where this occurs:

  • arrangements must be formally documented (contracts, MOUs, service agreements)
  • roles, responsibilities, and authority must be clearly defined
  • governance structures must provide oversight and control.

Delegation does not remove accountability.

Disposal by service providers

Service providers may undertake disposal activities where appropriate controls are in place. However, the public office remains responsible for:

  • ensuring disposal is lawful
  • ensuring appropriate authorisation is in place
  • maintaining oversight and assurance
  • ensuring evidence of lawful disposal is captured and retained.

Risk management and assurance

Public offices must ensure:

  • disposal processes are authorised, documented and transparent
  • roles and approvals are clearly defined
  • monitoring and auditing mechanisms are in place
  • systems support retention and disposal requirements
  • risks are identified and managed based on the sensitivity, significance and security value of the records.

 

Shared environments often support data sharing between public offices. The Victorian Public Sector Data Sharing Policy encourages responsible data sharing where there is a public benefit.

When information is shared:

  • each public office remains responsible for the records it creates, receives and manages as part of its functions
  • recordkeeping obligations apply to both sending and receiving parties.

Public offices must ensure:

  • decisions, actions and approvals relating to data sharing are documented
  • records of what was shared, with whom, why it was shared, and the lawful basis for sharing are retained
  • responsibilities for managing shared information are clearly defined
  • governance arrangements (such as agreements or protocols) are in place
  • security requirements applying to shared information are documented and maintained
  • records are retained and disposed of in accordance with approved requirements.

See also Victorian Public Sector Data Sharing Policy.

Public offices must establish governance arrangements that support recordkeeping accountability and compliance with the Public Records Act 1973 and PROV Standards.

The Head of the Public Office retains ultimate responsibility for records. Governance must reinforce this through clear roles, controls and oversight.

1. Accountability and ownership

  • define ownership of records and shared workplaces
  • clearly assign recordkeeping responsibilities
  • ensure accountability aligns with the Head of Public Office.

2. Control of environments

  • establish processes for creating, managing and closing shared workplaces
  • apply appropriate security controls based on the risks and sensitivity of information
  • ensure separation between public offices.

3. Embedding recordkeeping requirements

  • ensure platforms support identification, secure management, retention and disposal of records
  • align platform use with PROV Standards
  • ensure retention and disposal controls can be applied.

4. Formal arrangements

  • document roles, responsibilities, security requirements and recordkeeping obligations in agreements
  • ensure service providers can meet recordkeeping obligations.

5. Monitoring and assurance

  • identify and mitigate risks and review risk and mitigation strategies regularly
  • regularly review access, ownership and workspaces (both active and inactive)
  • implement auditing and reporting mechanisms, including oversight of third-party service providers, where applicable.

Common risks and mitigation

RiskMitigation
Treating shared platforms as informal or transitory spacesEstablish governance and guidance that shared platforms are business environments. Provide training and reinforce responsibilities.
Unclear ownership and accountabilityAssign ownership of records and workspaces. Document responsibilities and align accountability with the Head of the Public Office.
Storing key decisions only in informal channelsRequire key decisions and approvals to be captured in an approved system or managed with sufficient context and metadata.
Assuming responsibility is transferred in shared environmentsReinforce through policy, governance and training that responsibility remains with each public office.
Recordkeeping not addressed in shared arrangementsFormalise arrangements with clearly defined recordkeeping responsibilities, including retention and disposal.
Service providers unable to meet requirementsEnsure providers understand PROV obligations and that systems support recordkeeping requirements.
Inadequate control over workspace lifecycle and accessImplement controls over creation, access, permissions and review of workspaces.
Platform default settings misaligned with retention requirementsConfigure and validate system settings to align with approved Retention and Disposal Authorities.
Unauthorised or inappropriate disposalEnsure disposal is authorised, documented and subject to oversight and audit.
Lack of monitoring and assuranceImplement monitoring, auditing and reporting to ensure compliance.

Material in the Public Record Office Victoria archival collection contains words and descriptions that reflect attitudes and government policies at different times which may be insensitive and upsetting

Aboriginal and Torres Strait Islander Peoples should be aware the collection and website may contain images, voices and names of deceased persons.

PROV provides advice to researchers wishing to access, publish or re-use records about Aboriginal Peoples