Agencies should ensure that the requirements of this Information Standard are applied within the general context of the due diligence, accountability and probity outlined in:

• Public Sector Ethics Act 1994
• Public Sector Ethics Regulation 1999
• Financial Management Standard 1997
• State Procurement Policy
• Public Records Act 2002
• current Information Standards
• any other legislation that the individual agency operates under.

The Crime and Misconduct Commission also provide a number of publications which include checklists of legislative requirements in terms of asset disposal which may be useful when determining ICT resource disposal strategies.

Regardless of ICT resource support or provision arrangements, for example, equipment may be leased, owned or provided by a Shared Service Provider (SSP) it is critical that the agency plans for and provides strategies to ensure that maintenance and disposal requirements are monitored and managed.

For example agencies should ensure that where ICT resources are leased, the sensitivity of data, maintenance and removal of data at the conclusion of leasing arrangements are considered in the establishment and planning of lease arrangements.

When planning strategies for managing ICT resources agencies should refer to the following resources for direction:

• The provisions of the Financial Management Standard
• State Procurement Policy
• Agency Financial Management Practice Manual
• Queensland Audit Office Better Practice Guides
• Treasury, Financial Management Resource Centre;
• ICT Resources Planning (IS2)
• Information Security (IS18)
• Recordkeeping (IS40)
• Managing Technology Dependent Records (IS41).

Detailed information regarding planning for ICT resources can be sourced through Queensland Purchasing Better Purchasing Guidelines.

To ensure effective implementation ICT resource management, appropriate and regular training should be provided to staff involved in the maintenance and disposal of ICT resources. With the increasing prevalence of multi-functional devices agencies should also monitor training to ensure that it continues to take into account the various types of devices used in storing and transmitting information.

Queensland Purchasing, provide a number of purchasing training programs which address these issues.

Agency staff involved in the acquisition, maintenance and disposal of ICT resources should also have a general understanding of the terms and conditions contained within GITC.

• ICT Resources Strategic Planning (IS2)
• ICT Procurement (IS13)
• Recordkeeping (IS40)
• Retention and Disposal of Public Records (IS31)
• Managing Technology Dependent Records (IS41)
• Information Security (IS18)
• Information Privacy (IS42)

Maintenance processes cover a wide range of activities including preventative, repair and upgrade maintenance, which may be the result of scheduled or non-scheduled activities. Agencies need to ensure that adequate policies and processes are in place to protect agency ICT resources and the information, which is contained on them during any maintenance process. Processes should also be reviewed on an ongoing basis to ensure that when new technologies are introduced that maintenance processes are in place.

When assessing and developing maintenance processes agencies should refer to:

• Information Security (IS18) and the accompanying Information Security Best Practice Supplement
• Information Privacy (IS42) and accompanying Privacy Guidelines
• Recordkeeping (IS40)
• Managing Technology Dependent Records (IS41).

All contract maintenance service providers must be Government Information Technology Conditions (GITC) signatories. Government buyers who purchase from a supplier who does not have GITC accreditation, are not protected by the provisions of the GITC.

Detailed information on GITC arrangements including confidentiality, terms and conditions is available on the Government Information Technology Conditions website.

Maintenance contracts are normally considered as insurance against high repair costs and long down time should an item fail. The agency should base its decision to enter into a maintenance contract on consideration of cost justification vs. risk. Further information regarding the variations that agencies need to consider in managing maintenance contracts can be found in the Warranties and Maintenance Reference Sheet located in the ICT Resource Maintenance & Disposal Toolbox.

Warranties may be offered as an extension of warranty arrangements on ICT products at time of purchase. Although this may increase the initial purchase price of the item, there may be longer-term savings by not having to pay an annual maintenance fee. Further information regarding the variations that agencies need to consider in managing warranties can be found in the Warranties and Maintenance Reference Sheet located in the ICT Resource Maintenance & Disposal Toolbox.

Service or Operating Level Agreement (SLA/ OLA) are essential in ensuring that both agency and service providers have a clear understanding of their respective commitments associated with the terms and conditions of any ICT maintenance agreement.

Information relating to any warranty/maintenance agreements could be held as part of the Agency's resource register. Further details regarding the variations that agencies need to consider in developing and managing service agreements can be found in the Warranties and Maintenance Reference Sheet located in the Maintenance & Disposal Toolbox.

• ICT Procurement (IS13)
• Recordkeeping (IS40)
• Retention and Disposal of Public Records (IS31)
• Managing Technology Dependent Records (IS41)
• Information Security (IS18)
• Information Privacy (IS42)

To ensure information and records are appropriately managed, agencies should refer to the Recordkeeping (IS40), Managing Technology Dependent Records (IS41) and Retention and Disposal of Public Records (IS31) before undertaking ICT resource disposal processes.

Destruction is the only method, which will completely remove all traces of data by memory devices (including volatile storage such as Random Access Memory (RAM)) or magnetic media. However, there are a small number of sanitisation methods that will reduce the risk of information being recovered. Agencies should refer to the Australian Communications-Electronic Security Instruction 33 (ACSI 33), for the sanitisation of magnetic media for these methods.

Agencies should also refer to Information Security (IS18) and the accompanying Information Security Best Practice Supplement when assessing and developing processes for the removal of information from ICT resources before disposal or re-use of the equipment. Agencies should also ensure that the provisions of Information Privacy (IS42) and accompanying Information Privacy Guidelines are also used to guide the development of processes for disposal.

Agencies should refer to the FMS and local agency delegation policy to determine agency processes for the disposal of ICT resources. Under the provisions of the FMS responsibility for the disposal of surplus resources rests with the Accountable Officer or delegate of the department/agency. Surplus resources should only be sold, traded-in or otherwise disposed of with the approval of the Accountable Officer and in the manner specified by that officer or delegated officer.

To ensure that resources and any residual information contained on ICT resources is rendered inoperable or retained as required, procedures should be developed to verify that the appropriate action is satisfactorily completed. Agencies should refer to Information Security (IS18) and the accompanying Information Security Best Practice Supplement when assessing and developing such processes.

ICT products represent a considerable investment and require special consideration when disposing of these items. Generally, the time to assess disposal options should coincide with forward procurement planning. Agencies should consider a number of options including:

• disposal within government
• trade in
• disposal outside government.

Where appropriate agencies should consider publishing information about disposals to provide access to members of the public wishing to tender for the ICT assets.

Further advice and information on a range of resource disposal options and a downloadable Guide to the Disposal of Government Plant and Equipment is available via Queensland Purchasing Disposals website or in the Disposal Reference Sheet located in the ICT Maintenance and Disposal Toolbox.

The Crime & Misconduct Commission (CMC) also provides a guideline and checklist for disposal of assets, which agencies should consult when developing strategies for disposal.