Records and information management (RIM) is a key impact area of information governance (IG)—so much so that in the records management (RM) space, IG is often thought of as synonymous with or a simple superset of RM. But IG is much more than that. We will delve into the details of RM here—a sort of crash course on how to identify and inventory records, conduct the necessary legal research, develop retention and disposition schedules, and more. Also, we identify the relationship and impact of IG on the RM function in an organization in this chapter.
The International Organization for Standardization (ISO) defines (business) records as “information created, received, and maintained as evidence and information by an organization or person, in pursuance of legal obligations or in the transaction of business.”1 It further defines RM as “[the] field of management responsible for the efficient and systematic control of the creation, receipt, maintenance, use, and disposition of records, including the processes for capturing and maintaining evidence of and information about business activities and transactions in the form of records.”2
RIM extends beyond RM (although the terms are often used interchangeably) to include information—that is, information such as e-mail, electronic documents, and reports. For this reason, RIM professionals must expand their reach and responsibilities to include policies for retention and disposition of all legally discoverable forms of information. RIM professionals today generally know that “everything is discoverable,” and that includes e-mail, voicemail, social media posts, mobile data and documents held on portable devices, cloud storage and applications, and other enterprise data and information.
Electronic records management (ERM) has moved to the forefront of business issues with the increasing automation of business processes and the vast growth in the volume of electronic information that organizations create. These factors, coupled with expanded and tightened reporting laws and compliance regulations—most especially the EU General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA)—have made ERM essential for most enterprises, especially highly regulated and public ones.
ERM generally follows the same principles as traditional paper-based records management: There are classification and taxonomy needs to group and organize the records, and there are retention and disposition schedules to govern the length of time a record is kept and its ultimate disposition, which is usually destruction but can also include transfer (e.g., U.S. federal agency records sent to the National Archives and Records Administration for archiving and safekeeping) or long-term archiving. Yet e-records must be handled differently, and they contain more detailed data about their contents and characteristics, known as metadata. (For more detail on these topics see Appendix A.)
E-records are also subject to changes in information technology (IT) like file formats and protocols that may make them difficult to retrieve and view and therefore render them obsolete. These issues can be addressed through a sound ERM program that includes long-term digital preservation (LTDP) methods and technologies for digital records that need to be maintained for 10 years or more.
ERM is primarily the organization, management, control, monitoring, and auditing of formal business records that exist in electronic form. But automated ERM systems also track paper-based and other physical records. So ERM goes beyond simply managing electronic records; it is the management of electronic records and the electronic management of nonelectronic records (e.g. paper, CD/DVDs, magnetic tape, audio-visual, and other physical records).
Most electronic records, or e-records, originally had an equivalent in paper form, such as memos (now e-mail), accounting documents (e.g. purchase orders, invoices), personnel documents (e.g. job applications, resumes, tax documents), contractual documents, line-of-business documents (e.g. loan applications, insurance claim forms, health records), and required regulatory documents (e.g. material safety data sheets). Before e-document and e-record software began to mature in the 1990s, many of these documents were first archived to microfilm or microform/microfiche.
Not all documents rise to the level of being declared a formal business record that needs to be retained; that definition depends on the specific regulatory and legal requirements imposed on the organization and the internal definitions and requirements the organization imposes on itself, through internal IG measures and business policies. IG is control of information to meet legal, regulatory, business and risk demands. In short, IG is security, control, and optimization of information.
ERM is a component of enterprise content management (ECM), just as document management, Web content management, digital asset management, enterprise report management, workflow, and several other technology sets are components. ECM encompasses all of an organization's unstructured digital content, which means it excludes structured data (i.e. databases). ECM includes the vast majority—typically 80 to 90%—of an organization's overall information that must be governed and managed. Structured information held in databases makes up the remainder; however, due to its structured and consistent nature it is more easily managed.
ERM extends ECM to provide control and to manage records through their life cycle—from creation to destruction. ERM is used to complete the life cycle management of information, documents, and records.
ERM adds the functionality to complete the management of information and records by applying business rules to manage the maintenance, preservation, and disposition of records. Both ERM and ECM systems aid in locating and managing the records and information needed to conduct business efficiently, to comply with legal and regulatory requirements, and to effectively destroy (paper) and delete (digital) records that have met their retention policy time frame requirement, freeing up valuable physical and digital space and eliminating records that could be a liability if kept.
In the last few years, the term content services has been used to supplant and expand the definition of ECM, mostly to include cloud-based platforms that offer Software-as-a-Service tools to manage content. This renaming effort has been led by Gartner, and many see it as a necessary recharacterization of a market that has evolved.
Historically, highly regulated industries, such as banking, energy, and pharmaceuticals, have had the greatest need to implement RM programs, due to their compliance and reporting requirements. However, over the past decade or so, increased regulation and changes to legal statutes and rules have made RM a business necessity for nearly every enterprise (beyond very small businesses).
Notable industry drivers fueling the growth of RM programs include:
With these changes in the business environment and in regulatory, legal, and IG influences comes increased attention to RM as a driver for corporate compliance. For most organizations, a lack of defined policies and the enormous and growing volumes of documents (e.g. e-mail messages) make implementing a formal RM program challenging and costly. Some reasons for this include:
A number of business drivers and benefits combine to create a strong case for implementing an enterprise ERM program. Most are tactical, such as cost savings, time savings, and building space savings. But some drivers can be thought of as strategic, in that they proactively give the enterprise an advantage. One example may be the advantages gained in litigation by having more control and ready access to complete business records. This yields more accurate results and more time for corporate attorneys to develop strategies while the opposition is placing blunt legal holds on entire job functions and wading through reams of information, never knowing if it has found the complete set of records it needs. Another example is more complete and better information for managers to base decisions on. Further, applying the principles of infonomics may help organizations find new value or even to monetize information.
Implementing ERM represents a significant investment. An investment in ERM is an investment in business process automation and yields document control, document integrity/trustworthiness, and security benefits. The volume of records in organizations often exceeds employees’ ability to manage them. ERM systems do for the information age what the assembly line did for the industrial age. The cost/benefit justification for ERM is sometimes difficult to determine, although there are real labor and cost savings. Also, many of the benefits are intangible or difficult to calculate but help to justify the capital investment. There are many ways in which an organization can gain significant business benefits with ERM.
More detail on business benefits is provided in Chapter 7, but hard, calculable benefits (when compared to storing paper files) include office space savings, office supplies savings, cutting wasted search time, and reduced office automation costs (e.g. fewer printers, copiers, and automated filing cabinets).
In addition, implementing ERM will provide the organization with:
The US Environmental Protection Agency (EPA), a pioneer and leader in e-records implementation in the federal sector, lists some additional benefits of implementing ERM:
Thus, there are a variety of tangible and intangible benefits derived from ERM programs, and the business rationale that fits for your organization depends on its specific needs and business objectives.
According to the US National Archives and Records Administration (NARA), “In records management, an inventory is a descriptive listing of each record series or system, together with an indication of location and other pertinent data. It is not a list of each document or each folder but rather of each series or system”6 (emphasis added).
Conducting an inventory of electronic records is more challenging than performing a physical records inventory, but the purposes are the same: to ferret out RM problems and to use the inventory as the basis for developing the retention schedule. Some of the RM problems that may be uncovered include inadequate documentation of official actions, improper applications of recordkeeping technology, deficient filing systems and maintenance practices, poor management of nonrecord materials, insufficient identification of vital records, and inadequate records security practices. When completed, the inventory should include all offices, all records, and all nonrecord materials. An inventory that is incomplete or haphazard can only result in an inadequate schedule and loss of control over records.7
The first step in gaining control over an organization's records and implementing IG measures to control and manage them is to complete an inventory of all groupings of business records, including electronic records,8 at the system or file series level.
The focus of this book is on e-records, and when it comes to e-records, NARA has a specific recommendation: inventory at the computer systems level. This differs from advice given by experts in the past.
The records inventory is the basis for developing a records retention schedule that spells out how long different types of records are to be held and how they will be archived or disposed of at the end of their life cycle. But first you must determine where business records reside, how they are stored, how many exist, and how they are used in the normal course of business.
There are a few things to keep in mind when approaching the e-records inventorying process:
These knowledge workers are your best resource and can be your greatest allies or worst enemies when it comes to gathering accurate inventory data; developing a workable file plan; and keeping the records declaration, retention, and disposition process operating efficiently. A sound RM program will keep the records inventory accurate and up to date.
The tsunamic rise in electronic information and increasing complexity in information management10 have resulted in newly created or redefined roles tasked with creating order out of chaos. Information professionals attempt to control their domains in roles described as content management, knowledge management, e-discovery, data management, data security, records management, privacy management, and IG. Due to an increased focus on privacy rights in the EU, as well as in individual US states, potential enforcement actions have had an alarming impact on all of these roles, often causing intraorganizational conflict as enforced silos inhibit compliance with expanding and complex privacy laws.
Other than prohibitively expensive e-discovery disasters or unexpected regulatory audits leading to fines, in the past, there has been no real accountability in the United States as to how an organization maintains, organizes, creates, and/or disposes of its information. However, data breaches of private information, as well as the hacking of business and trade secrets, have become commonplace.11 Corporations have scrambled to determine the what, where, when, and ownership of information that has been compromised, often racing against the clock to notify law enforcement and impacted individuals in time to avoid financial damages. C-level executives have lost their jobs over their company's mishandling of breaches.12 A court allowed a class action by credit card holders against Neiman Marcus,13 and the FTC acted against Wyndham Resorts for failure to protect the data of its customers.14 The potential for fines imposed by the FTC or state attorneys general based on state data-breach laws, damages in private lawsuits, or the untimely loss of highly placed executives increases the potential costs of a future breach. In addition, as reflected in the Neiman Marcus case, damage to a company's reputation due to the glaring scrutiny of its inadequate IG program serves to motivate others to remedy inadequate IG frameworks.15
Meanwhile, the EU has the right to fine US organizations collecting data on EU residents up to 20 million euros, or 4% of global sales, for the mishandling of personal data pursuant to the GDPR, which became effective on May 25, 2018. Records management is at the core of information management, since it is the gatekeeper to all information of ongoing value to the organization (a record is defined as information that has business value or meets regulatory or litigation requirements); it is even more obvious in privacy management now that private data being maintained is required to be held for a specified time in a specified manner. Personal data must be capable of easy access and any data maintained on a protected individual must be accurate. In addition, when private data no longer has business value, the risk of maintaining it becomes prohibitive and it must be deleted in a manner that ensures continued privacy protection. As records managers assess their own domains, they realize that many of the obligations created by new privacy laws can only be met if they understand the new laws’ effects on how they manage personal data pursuant to laws that impact their organization. Some erroneously assumed that privacy managers/attorneys/directors would expand their roles by learning the RIM world and addressing the changes required by privacy laws, but instead, they refer the details of maintaining privacy-related records to their records staff. While their willingness to delegate the legal duties of access, scheduling, deletion, and reliability of personal data is laudable, it creates new dynamics and an increased level of responsibility within the RIM framework that might not be thoroughly understood by the organization.
Since the GDPR has taken effect, many corporate attorneys have instructed the RIM staff to reassess records retention schedules based on the GDPR. Overworked professionals from all domains have developed plans to meet compliance requirements, often attempting to make the law fit into how they have always handled their duties in the past. As an example, the RIM “big bucket” approach, utilized to create records retention schedules for global records containing personal data of EU residents, could lead to fines in the millions. When an EU country requires employment records’ retention of 30 years, while another country requires disposal of the same record types three months after termination of employment, a default to a 30-year schedule for all EU employment-related data is simply an unsound practice. Likewise, deletion of all EU employment data three months after employment termination would leave an organization open to an inability to meet the legal obligations of other jurisdictions, and to the inability to defend the organization in the event of litigation. In this instance, each country needs to be addressed individually. If there is a legitimate basis for maintaining personal data (e.g. potential litigation relating to employment), the data can be maintained under GDPR solely for that purpose, even if there is a privacy-related requirement of a shorter retention period for that specific data. In these “conflict of laws” situations, the data maintained for the interim retention period based on legitimate business interests requires heightened security as well as restricted access. Retention schedules relating to records containing personal data have their own rules, often involving a conflict of laws, that require a new data-scheduling framework within the RIM environment.
In the RIM domain, managing information that contains personal data is an example where less is more. Less information makes it easier and faster to retrieve relevant information (in this case, personal data), costs less to maintain, and limits liability to those whose information is deleted as soon as it no longer has business value. Until recently, the decision to “keep it all” was based on an assessment of return on investment that considered the risks worth taking compared to the cost of ensuring compliance through the creation of a long-term IG roadmap. The lack of calculated routine disposition was defended as a strategic decision to maintain data for marketing or business planning using increasingly sophisticated analytical software.
However, attempting to meet GDPR requirements while maintaining large data pools or warehouses of information that have not been identified, much less classified (the unknown unknown), creates an extremely difficult environment for compliance. For companies that do business with European residents, enforcing defensible disposition has become a critical mission. While scheduling records disposition has become more complex under GDPR, meeting a defensibility standard relating to disposition has become easier.
It may be useful to use a model or framework to guide your records inventorying efforts. Such frameworks could be the DIRKS (Designing and Implementing Recordkeeping Systems) used in Australia or the Generally Accepted Recordkeeping Principles® (or “the Principles”) that originated in the United States at ARMA International. The Principles are a “framework for managing records in a way that supports an organization's immediate and future regulatory, legal, risk mitigation, environmental, and operational requirements.”16 More detail can be found in Chapter 3.
Special attention should be given to creating an accountable, open inventorying process that can demonstrate integrity. The result of the inventory should help the organization adhere to records retention, disposition, availability, protection, and compliance aspects of the Principles.
The Generally Accepted Recordkeeping Principles were created with the assistance of ARMA International and legal and IT professionals who reviewed and distilled global best practice resources. These included the international records management standard ISO15489–1 from the American National Standards Institute and court case law. The principles were vetted through a public call-for-comment process involving the professional records information management … community.17
If your organization has received a legal summons for e-records, and you do not have an accurate inventory, the organization is already in a compromising position: You do not know where the requested records might be, how many copies there might be, or the process and cost of producing them. Inventorying must be done sooner rather than later and proactively rather than reactively.
E-records present challenges beyond those of paper or microfilmed records due to their (electronic) nature:
The completed records inventory contributes toward the pursuit of an organization's IG objectives in a number of ways: It supports the ownership, management, and control of records; helps to organize and prepare for the discovery process in litigation; reduces exposure to business risk; and provides the foundation for a disaster recovery/business continuity plan.
Completing the records inventory offers at least eight additional benefits:
With respect to e-records, the purpose of the records inventory should include the following objectives:
NARA's guidance on how to approach a records inventory applies to both physical and e-records.
The steps in the records inventory process are:
The goals of the inventorying project must be set and conveyed to all stakeholders. At a basic level, the primary goal can be simply to generate a complete inventory for compliance and reporting purposes. It may focus on a certain business area or functional group or on the enterprise as a whole. An enterprise approach requires segmenting the effort into smaller, logically sequenced work efforts, such as by business unit. Perhaps the organization has a handle on its paper and microfilmed records but e-records have been growing exponentially and spiraling out of control, without good policy guidelines or IG controls. So a complete inventory of records and e-records by system is needed, which may include e-records generated by application systems, residing in e-mail, created in office documents and spreadsheets, or other potential business records. This is a tactical approach that is limited in scope.
The goal of the inventorying process may be more ambitious: to lay the groundwork for the acquisition and implementation of an ERM system that will manage the retention, disposition, search, and retrieval of records. It requires more business process analysis and redesign, some rethinking of business classification schemes or file plans, and development of an enterprise-wide taxonomy. This redesign will allow for more sharing of information and records; faster, easier, and more complete retrievals; and a common language and approach for knowledge professionals across the enterprise to declare, capture, and retrieve business records.
The plan may be still much greater in scope and involve more challenging goals: That is, the inventorying of records may be the first step in the process of implementing an organization-wide IG program to manage and control information by rolling out ERM and IG systems and new processes; to improve litigation readiness and stand ready for e-discovery requests; and to demonstrate compliance adherence with business agility and confidence. Doing this involves an entire cultural shift in the organization and a long-term approach.
Whatever the business goals for the inventorying effort, they must be conveyed to all stakeholders, and that message must be reinforced periodically and consistently, and through multiple means. It must be clearly spelled out in communications and presented in meetings as the overarching goal that will help the organization meet its business objectives. The scope of the inventory must be appropriate for the business goals and objectives it targets.
“With senior-level support, the records manager must decide on the scope of the records inventory. A single inventory could not describe every electronic record in an organization; an appropriate scope might enumerate the records of a single program or division, several functional series across divisions, or records that fall within a certain time frame” [emphasis added].22 Most organizations have not deployed an enterprise-wide records management system, which makes the e-records inventorying process arduous and time-consuming. It is not easy to find where all the electronic records reside—they are scattered all over the place and on different media. But impending (and inevitable) litigation and compliance demands require that it be done. And, again, sooner has been proven to be better than later. Courts have ruled that if lawsuits have been filed against your competitors over a certain (industry-specific) issue, your organization should anticipate and prepare for litigation—which means conducting records inventories and placing a litigation hold on documents that might be relevant. Simply doing nothing and waiting on a subpoena is an avoidable business risk.
A methodical, step-by-step approach must be taken—it is the only way to accomplish the task. A plan that divides up the inventorying tasks into smaller, accomplishable pieces is the only one that will work. It has been said, “How do you eat an elephant?” And the answer is “One bite at a time.” The inventorying process can be divided into segments, such as a business unit, division, or information system/application.
It is crucial to have management support to drive the inventory process to completion. There is no substitute for an executive sponsor. Asking employees to take time out for yet another survey or administrative task without having an executive sponsor will likely not work. Employees are more time-pressed than ever, and they will need a clear directive from above, along with an understanding of what role the inventorying process plays in achieving a business goal for the enterprise, if they are to take the time to properly participate and contribute meaningfully to the effort.
During the inventory you should collect the following information at a minimum:
Removable media should have a unique identifier and the inventory should include a list of records on the particular volume as well as the characteristics of the volume, for example, the brand, the recording format, the capacity and volume used, and the date of manufacture and date of last update.
Laying out the overall topology of the IT infrastructure in the form of a network diagram is an exercise that is helpful in understanding where to target efforts and to map information flows. Data mapping is a crucial early step in compliance efforts, such as GDPR. Creating this map of the IT infrastructure is a crucial step in inventorying e-records. It graphically depicts how and where computers are connected to each other and the software operating environments of various applications that are in use. This high-level diagram does not need to include every device; rather, it should indicate each type of device and how it is used.
The IT staff usually has a network diagram that can be used as a reference; perhaps after some simplification it can be put into use as the underpinning for inventorying e-records. It does not need great detail, such as where network bridges and routers are located, but it should show which applications are utilizing the cloud or hosted applications to store and/or process documents and records.
In diagramming the IT infrastructure for purposes of the inventory, it is easiest to start in the central computer room where any mainframe or other centralized servers are located and then follow the connections out into the departments and business unit areas, where there may be multiple shared servers and drives supporting a network of desktop personal computers or workstations.
SharePoint is a prevalent document and RM portal platform, and many organizations have SharePoint servers to house and process e-documents and records. Some utilities and tools may be available to assist in the inventorying process on SharePoint systems. This process has been made easier with the introduction of cloud-based SharePoint services.
Mobile devices (e.g. tablets, smartphones, and other portable devices) that are processing documents and records should also be represented. And any e-records residing in cloud storage should also be included.
The record inventory survey form must suit its purpose. Do not collect data that is irrelevant, but, in conducting the survey, be sure to collect all the needed data elements. You can use a standard form, but some customization is recommended. The sample records survey form in Figure 9.1 is wide-ranging yet succinct and has been used successfully in practice.
Department Information
Record Requirements: When an employee changes jobs/roles or is terminated? □ Fiscal Year □ Calendar Year □ Other. Online? Near Line? Offline? On-site? Off-site? One location? Multiple locations?
Technology and Tools
Disposition
Records Holds
Figure 9.1 Records Inventory Survey Form
Source: Charmaine Brooks, IMERGE Consulting, e-mail to author, March 20, 2012.
If conducting the e-records portion of the inventory, the sample form may be somewhat modified, as shown in Figure 9.2.
Identifying Information
System Inputs/Outputs
Record Requirements: □ Fiscal Year □ Calendar Year □ Other _______________________________. Online? Near line? Offline? On-site? Off-site? One location? Multiple locations?
Disposition
Records Holds
Figure 9.2 Electronic Records Inventory Survey Form
Source: Adapted from www.archives.gov/records-mgmt/faqs/inventories.html and Charmaine Brooks, IMERGE Consulting.
Typically, a RM project team is formed to conduct the survey, often assisted by resources outside of the business units. These may be RM and IT staff members, business analysts, members of the legal staff, outside specialized consultants, or a combination of these groups. The greater the cross-section from the organization, the better, and the more expertise brought to bear on the project, the more likely it will be completed thoroughly and on time.
Critical to the effort is that those conducting the inventory are trained in the survey methods and analysis, so that when challenging issues arise, they will have the resources and know-how to continue the effort and get the job done.
The inventory process is, in fact, a surveying process, and it involves going physically out into the units where the records are created, used, and stored. Mapping out where the records are geographically is a basic necessity. Which buildings are they located in? Which office locations? Computer rooms?
Also, the inventory team must look organizationally at where the records reside (i.e., determine which departments and business units to target and prioritize in the survey process).
Several approaches can be taken to conduct the inventory, including four basic methods:
Creating and distributing a survey form is a traditional and proven way to collect e-records inventory data. This is a relatively fast and inexpensive way to gather the inventory data. The challenge is getting the surveys completed and completed in a consistent fashion. This is where a strong executive sponsor can assist. The sponsor can make the survey a priority and tie it to business objectives, making the survey completion compulsory. The survey is a good tool, and it can be used to cover more ground in the data collection process. If following up with interviews, the survey form is a good starting point; responses can be verified and clarified, and more detail can be gathered.
Some issues may not be entirely clear initially, so following up with scheduled in-person interviews can dig deeper into the business processes where formal records are created and used. A good approach is to have users walk you through their typical day and how they access, use, and create records—but be sure to interview managers too, as managers and users have differing needs and uses for records.
You will need some direction to conduct formal observation, likely from IT staff or business analysts familiar with the record-keeping systems and associated business processes. They will need to show you where business documents and records are created and stored. If there is an existing ERM system or other automated search and retrieval tools available, you may use them to speed the inventorying process.
When observing and inventorying e-records, starting in the server room and working outward toward the end user is a logical approach. Begin by enumerating the e-records created by enterprise software applications (such as accounting, enterprise resource planning, or customer relationship management systems), and work your way to the departmental or business unit applications, on to shared network servers, then finally out to individual desktop and laptop PCs and other mobile devices. With today's smartphones, this can be a tricky area, due to the variety of platforms, operating systems, and capabilities. In a bring-your-own-device environment, records should not be stored on personal devices, but if they must be, they should be protected with technologies like encryption or information rights management.
Explore any potential software tools that may be available for facilitating the inventorying of e-records. Some software vendors that provide document management or e-record management solutions offer inventorying tools.
There are always going to be thorny areas when attempting to inventory e-records to determine what file series exist in the organization. Mobile devices and removable media may contain business records. These must be identified and isolated, and any records on these media must be recorded for the inventory. Particularly troublesome are thumb or flash drives, which are compact yet can store 20 gigabytes of data or more. If your IG measures call for excluding these types of media, the ports they use can be blocked on PCs, tablets, smartphones, and other mobile computing devices using data loss prevention (DLP) technology. A sound IG program will consider the proper use of removable media and the potential impact on your RM program.23
The best approach for conducting the inventory is to combine the available inventorying methods, where possible. Begin by observing, distribute surveys, collect and analyze them, and then target key personnel for follow-up interviews and walk-throughs. Utilize whatever automated tools are available along the way. This approach is the most complete. Bear in mind that the focus is not on individual electronic files but rather, the file series level for physical records and the file series or system level for e-records (preferably the latter).
Interviews are a very good source of records inventory information. Talking with actual users will help the records lead or inventory team to better understand how documents and records are created and used in everyday operations. Users can also report why they are needed—an exercise that can uncover some obsolete or unnecessary processes and practices. This is helpful in determining where e-records reside and how they are grouped in records series or by system and ultimately, the proper length of their retention period and whether they should be archived or destroyed at the end of their useful life.
Since interviewing is a time-intensive task, it is crucial that some time is spent in determining the key people to interview: Interviews not only take your time but others’ as well, and the surest way to lose momentum on an inventorying project is to have stakeholders believe you are wasting their time.
You need to interview representatives from all functional areas and levels of the program or service, including:
The people who work with the records can best describe to you their use. They will likely know where the records came from, if copies exist, who needs the records, any computer systems that are used, how long the records are needed, and other important information that you need to know to schedule the records.
As stated earlier, it is wise to include a cross-section of staff, managers, and frontline employees to get a rounded view of how records are created and used. Managers have a different perspective and may not know how workers utilize electronic records in their everyday operations.
A good lens to use is to focus on those who make decisions based on information contained in the electronic records and to follow those decision-based processes through to completion, observing and interviewing at each level.
For example, an application is received (mail room logs date and time), checked (clerk checks the application for completeness and enters into a computer system), verified (clerk verifies that the information on the application is correct), and approved (supervisor makes the decision to accept the application). These staff members may only be looking at specific pieces of the record and making decisions on those pieces.
One rule to consider is this: Be considerate of other people's work time. Since they are probably not getting compensated for participating in the records inventory, the time you take to interview them is time taken away from compensated tasks they are evaluated on. So, once the interviewees are identified, provide as much advance notice as possible, follow up to confirm appointments, and stay within the scheduled time. Interviews should be kept to 20 to 60 minutes. Most of all—never be late!
Before starting any interviews, be sure to restate the goals and objectives of the inventorying process and how the resulting output will benefit people in their jobs.
In some cases, it may be advisable to conduct interviews in small groups, not only to save time but also to generate a discussion of how records are created, used, and stored. Some new insights may be gained.
Try to schedule interviews that are as convenient as possible for participants. That means providing participants with questions in advance and holding the interviews as close to their work area as possible. Do not schedule interviews back to back with no time for a break between. You will need time to consolidate your thoughts and notes, and, at times, interviews may exceed their planned time if a particularly enlightening line of questioning takes place.
If you have some analysis from the initial collection of surveys, share that with the interviewees so they can validate or help clarify the preliminary results. Provide it in advance, so they have some time to think about it and discuss it with their peers.
You'll need a guide to structure the interview process. A good starting point is the sample questions presented in the questionnaire shown in Figure 9.3. It is a useful tool that has been used successfully in actual records inventory projects.
- What is the mandate of the office?
- What is the reporting structure of the department?
- Who is the department liaison for the records inventory?
- Are there any external agencies that impose guidelines, standards, or other requirements?
- Is there a departmental records retention schedule?
- Are there specific legislative requirements for creating or maintaining records? Please provide a copy.
- What are the business considerations that drive recordkeeping? Regulatory requirements? Legal requirements?
- Does the department have an existing records management policy? Guidelines? Procedures? Please provide a copy.
- Does the department provide guidance to employees on what records are to be created?
- What is the current level of awareness of employees of their responsibilities for records management?
- How are nonrecords managed?
- Does the department have a classification or file plan?
- What are the business drivers for creating and maintaining records?
- Where are records stored? On-site? Off-site? One location? Multiple locations?
- Does the department have records in sizes other than letter (8½ × 11)?
- What is the cutoff date for the records?
  □ Fiscal Year □ Calendar Year □ Other
- Are any tools used to track active records? Excel, Access, and so forth?
- Does the department use imaging, document management, and so forth?
- Is the department subject to audits? Internal? External? Who conducts the audits?
- Are any records in the department confidential or sensitive?
- Are there guidelines for destroying obsolete records?
- What disposition methods are authorized or required?
- How does disposition occur? Paper? Electronic? Other?
- To what extent does the department rely on each individual to destroy records?
  □ Paper □ Electronic □ Other ____________________________________________
- What principles govern decisions for determining the scope of records that must be held or frozen for an audit or investigations?
- How is the hold or freeze communicated to employees?
Figure 9.3 Sample Interview Questionnaire
Source: Charmaine Brooks, IMERGE Consulting, e-mail to author, March 20, 2012.
Once the surveys are collected, some follow-up will be required to verify and clarify responses. Often this can be done over the telephone. For particularly complex and important areas, an in-person follow-up visit can clarify the responses and gather insights.
Once the inventory draft is completed, a good practice is to go out into the business units and/or system areas and verify what the findings of the survey are. Once presented with findings in black and white, key stakeholders may have additional insights that are relevant to consider before finalizing the report. Do not miss out on the opportunity to allow power users and other key parties to provide valuable input.
Be sure to tie the findings in the final report of the records inventory to the business goals that launched the effort. This helps to underscore the purpose and importance of the effort, and will help in getting that final signoff from the executive sponsor that states the project is complete and there is no more work to do.
Depending on the magnitude of the project, it may (and should) turn into a formal IG program that methodically manages records in a consistent fashion in accordance with internal governance guidelines and external compliance and legal demands.
Part of the process of determining the retention and disposition schedule of records is to appraise their value. Records can have value in different ways, which affects retention decisions.
Records appraisal is an analysis of all records within an agency [or business] to determine their administrative, fiscal, historical, legal, or other archival value. The purpose of this process is to determine for how long, in what format, and under what conditions a record series ought to be preserved. Records appraisal is based upon the information contained in the records inventory. Records series shall be either preserved permanently or disposed of when no longer required for the current operations of an agency or department, depending upon:
- Historical value or the usefulness of the records for historical research, including records that show an agency [or business] origin, administrative development, and present organizational structure.
- Administrative value or the usefulness of the records for carrying on [a business or] an agency's current and future work, and to document the development and operation of that agency over time.
- Regulatory and statutory [value to meet] requirements.
- Legal value or the usefulness of the records to document and define legally enforceable rights or obligations of [business owners, shareholders, or a] government and/or citizens.
- Fiscal value or the usefulness of the records to the administration of [a business or] an agency's current financial obligations, and to document the development and operation of that agency over time.
- Other archival value as determined by the State [or corporate] Archivist.24 (Emphasis added.)
The inventorying process is not a one-shot deal: It is useful only if the records inventory is kept up to date, so it should be reviewed at least annually. A process should be put in place so that business unit or agency heads notify the RM head/lead if a new file series or system has been put in place and new records collections are created. There are emerging approaches that utilize file/content analytics tools to automate this process.
Following are some tips to help ensure that a records management program achieves its goals:
The growth of information challenges a company's ability to use and store its records in a compliant and cost-effective manner. Contrary to current practices, the solution is not to hire more vendors or to adopt multiple technologies. The key to compliance is consistency, with a unified enterprise-wide approach for managing all records, regardless of their format or location.
Therefore a steady and consistent IG approach that includes controls, audits, and clear communication is key to maintaining an accurate and current records inventory.
A relatively new concept in IG is the development of an Information Asset Register (IAR). An IAR is a sort of “general ledger of information assets” that lists all information assets, structured and unstructured, their lifecycle retention, privacy and security requirements, where they are housed, and even what hardware is used. Dennis Kessler, Data Governance Lead at the European Investment Bank states, “This asset-based approach to managing information helps to reveal:
Briton Reynold Leming has been developing IAR software for several years. He has created a comprehensive list of benefits that an IAR provides:26
Allied to this is tagging assets to a business classification scheme of the functions and activities of your organization. This allows the assets to be categorized to a vocabulary of business activity that is neutral to and more stable than organizational structures (which can change more often than what an organization actually does), provides a collated corporate view of assets maintained based upon their purpose (e.g. many departments will hold invoice, staff, policy, and contract records), and supports cross-cutting processes involving different teams. It also allows the consistent inheritance and application of business rules, such as retention policies.
The GDPR contains many obligations that require a thorough understanding of what personal data you process and how and why you do so. Many requirements for keeping records as a data controller for GDPR Article 30 can be supported by the information asset inventory. For example, the asset attributes can describe the purposes of the processing, the categories of data subjects and personal data, categories of recipients, envisaged time limits for erasure of the different categories of data, and a general description of the technical and organizational security measures.
It will also help data processors keep a record of the categories of processing, transfers of personal data to a third country or an international organization, and a general description of the technical and organizational security measures.
Much of the information about personal data required for Article 30 compliance is also useful to meet obligations under Article 13 and Article 14 on information to be provided, for example, via privacy notices or consent forms.
Under Chapter 3 of the GDPR, data subjects have a number of rights. Understanding things such as the location, format, use of, and lawful basis of processing for different categories of personal data will support responses to rights and requests.
Under Article 25 of the GDPR there are requirements for Data Protection by design and by default. Additionally, under Article 35 there are requirements relating to Data Protection impact assessments. The inventory can provide insight into which processes and systems need to be assessed based upon, for example, the nature, scope, context, and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing.
As noted earlier, it is important to identify who the personal data is shared with. The inventory can support this as well as specifically enable monitoring of the existence or status of suitable agreements. For example, under Article 28 of the GDPR, processing by a processor shall be governed by a contract or other legal act under Union or Member State law.
Article 32 of the GDPR covers security of processing, with requirements to implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk. Then, using the inventory you can assess the security measures in place for assets against their level of confidentiality. It also can help with identifying the data sets where, if anything unfortunate were to happen, there are considerations regarding Article 33 Notification of a personal data breach to the supervisory authority and Article 34 Communication of a personal data breach to the data subject.
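The inventory checks described above can be run mechanically against an asset register. The following sketch is an added illustration, not taken from any IAR product or from the sources quoted in this chapter; the field names, the confidentiality baseline, and the sample assets are assumptions constructed for the example.

```python
from dataclasses import dataclass, field

# Attributes the text lists for a controller's Article 30 record of processing.
# The field names themselves are assumptions made for this example.
ART30_CONTROLLER_FIELDS = (
    "purposes", "data_subject_categories", "personal_data_categories",
    "recipient_categories", "erasure_time_limit", "security_measures",
)

# Assumed baseline (not from the text): measures expected per confidentiality level.
BASELINE = {
    "public": set(),
    "internal": {"access-control"},
    "confidential": {"access-control", "encryption-at-rest"},
}

@dataclass
class Asset:
    name: str
    confidentiality: str
    holds_personal_data: bool = True
    attributes: dict = field(default_factory=dict)
    processors: dict = field(default_factory=dict)  # processor -> agreement ref or None

def audit_asset(asset):
    """Return a list of gaps for one register entry, tagged with the GDPR article."""
    findings = []
    if asset.holds_personal_data:
        for name in ART30_CONTROLLER_FIELDS:
            if not asset.attributes.get(name):
                findings.append(f"Art. 30: missing '{name}'")
        for processor, agreement in sorted(asset.processors.items()):
            if not agreement:
                findings.append(f"Art. 28: no agreement on file for processor '{processor}'")
    required = BASELINE.get(asset.confidentiality)
    if required is None:
        findings.append(f"Art. 32: unknown confidentiality level '{asset.confidentiality}'")
    else:
        in_place = set(asset.attributes.get("security_measures") or [])
        for measure in sorted(required - in_place):
            findings.append(
                f"Art. 32: '{measure}' expected at level '{asset.confidentiality}'")
    return findings

def audit_register(register):
    """Map asset name -> findings, listing only assets that have gaps."""
    report = {a.name: audit_asset(a) for a in register}
    return {name: gaps for name, gaps in report.items() if gaps}

def breach_notification_scope(register):
    """Assets where a breach raises Article 33/34 notification questions."""
    return [a.name for a in register if a.holds_personal_data]

def _attrs(**overrides):
    """Fully populated constructed attribute set, with optional overrides."""
    base = {
        "purposes": ["employment administration"],
        "data_subject_categories": ["employees"],
        "personal_data_categories": ["contact details"],
        "recipient_categories": ["payroll provider"],
        "erasure_time_limit": "Termination + 5 years",
        "security_measures": ["access-control", "encryption-at-rest"],
    }
    base.update(overrides)
    return base

# Constructed sample register; all names and references are invented.
SAMPLE_REGISTER = [
    Asset("HR personnel files", "confidential", attributes=_attrs(),
          processors={"PayrollCo": "DPA-0001"}),
    Asset("Marketing mailing list", "internal",
          attributes=_attrs(recipient_categories=[], erasure_time_limit="",
                            security_measures=["access-control"]),
          processors={"MailVendor": None}),
    Asset("Support tickets", "confidential",
          attributes=_attrs(security_measures=["access-control"])),
    Asset("Published price list", "public", holds_personal_data=False),
]

if __name__ == "__main__":
    for name, gaps in audit_register(SAMPLE_REGISTER).items():
        print(name)
        for gap in gaps:
            print("  -", gap)
```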
To help carry out Mr. Leming's approach to implementing an IAR, Mr. Kessler provided this succinct sample IAR survey, as shown in the following section.
Of note: To truly have an IAR that stays up-to-date on a daily basis, file analysis software must be implemented on the back end to monitor and update the status of information assets.
A series of basic principles common to all retention schedules include:29
A records retention schedule defines the length of time that records are to be kept and considers legal, regulatory, operational, and historical requirements.32 The retention schedule also includes direction as to how the length of time is calculated (i.e. the event or trigger that starts the clock [e.g. two years from completion of contract]). Legal research and opinions are required, along with consultation with owners and users of the records. Users typically overestimate the time they need to keep records, as they confuse the legal requirements with their own personal wishes. Some hard questioning has to take place, since having these records or copies of records lying around the organization on hard drives, thumb drives, or in file cabinets may create liabilities for the organization.
Disposition typically means destruction of a file series once it has met its lifecycle retention requirements. However, it can mean not just destruction but also archiving, or transfer and a change in ownership and responsibility for the records (such as is often done in the US federal government when records are transferred to NARA). The processes of archiving and preserving are an example where records may be handed over to a historical recordkeeping unit. At this time, the records may be sampled and only selective parts of the group of records may be retained.
A retention schedule allows for uniformity in the retention and disposition process, regardless of the media or location of the records. Further, it tracks, enforces, and audits the retention and disposition of records while optimizing the amount of records kept to legal minimums, which saves on capital and labor costs and reduces liability (by discarding unneeded records that carry legal risk).34 The Generally Accepted Recordkeeping Principles state the critical importance of having a retention schedule (see the section “Generally Accepted Recordkeeping Principles” in Chapter 3 for more details) and provide guidelines for open collaboration in developing one. In the public sector, holding records that have passed their legally required retention period also can have negative ramifications and liabilities in meeting information service requests made during litigation, compliance actions, or, for example, under the US FOIA, or similar acts in other countries.
A retention schedule consists of these components:
A sample of a simple records retention schedule is shown in Figure 9.4.
If you already have existing retention schedules but are revising and updating them, there may be useful information in those schedules that can serve as a good reference point—but be wary, as they may be out of date and may not consider current legal requirements and business needs.
According to the US National Archives, some key steps are involved in developing retention schedules:
Inventory and classification are prerequisites for compiling a retention schedule. Before starting work, develop an information map or data map that shows where information is created, where it resides, and the path it takes. What records are created, who uses them, and how is their disposition handled? Questions like these will provide key insights in the development of the retention schedule.36 Confirm that the information map covers all the uses of the records by all parts of the organization, including use for accountability, audit, and reference purposes.
In the absence of a formal information map, at a minimum you must compile a list of all the different types of records in each business area. This list should include information about who created them and what they are used for (or record provenance), which parts of the organization have used them subsequently and for what purpose (its usage), and the actual content.
In the absence of any existing documentation or records inventory, you will need to conduct a records inventory or survey to find out what records the business unit (or organization) holds. Tools are available to scan e-records folders to expedite the inventory process. A retention schedule developed in this way will have a shorter serviceable life than one based on an information map because it will be based on existing structures rather than functions and will remain usable only as long as the organizational structure remains unchanged.
Once a records inventory or survey is complete, building a records retention schedule begins with classification of records.37
This basic classification can be grouped into three areas:
Business functions are basic business units such as accounting, legal, human resources, and purchasing. (See Appendix A, Information Organization and Classification: Taxonomies and Metadata for details on the process of developing classifications.) It basically answers this question: What were you doing when you created the record?
Business activities are the tasks performed to accomplish the business function. Several activities may be associated with each function.
A records series (or file series) is a group or unit of identical or related records that are normally used and filed as a unit and that can be evaluated as a unit or business function for scheduling purposes.
A document type is a term used by many software systems to refer to a grouping of related records. When the records are all created by similar processes, then the document type is equivalent to the business functions or activities mentioned previously. However, “document type” often refers to the format of the record (e.g. presentation, meeting minutes). In this case, there is not enough information to determine a retention period, because it is ambiguous regarding what type of work was being done when that document was created. Retention schedules require that record series be defined by business function and activity, not by record format or display type.
Records are grouped together for fundamental reasons to improve information organization and access. These reasons include:
After completing a records inventory including characterizing descriptive information about the records such as their contents, use, file size, and projected growth volumes, you will need to interview staff in those target areas you are working with to determine more information about the specific organizational structure, its business functions, services, programs, and plans.38
In the course of business, there are several different types of records series. There are case records, for example, which are characterized as having a beginning and an end but are added to over time. Case records generally have titles that include names, dates, numbers, or places. These titles do not provide insight into the nature of the function of the record series. Examples of case records include personnel files, mortgage loan folders, contract and amendment/addendum records, accident reports, insurance claims, and other records that accumulate and expand over time. Although the contents of case files may be similar, you should break out each type of case record under a unique title.
Subject records (also referred to as topic or function records) “contain information relating to specific or general topics and that are arranged according to their informational content or by the function/activity/transaction they pertain to.”39 These types of records accumulate information on a particular topic or function to be added to the organization's memory and make it easier for knowledge workers to find information based on subject matter, topics, or business functions. Records such as those on the progression of relevant laws and statutes, policies, standard operating procedures, and education and training have long-term reference value and should be kept until they are no longer relevant or are displaced by more current and relevant records. In a record retention schedule, the trigger event often is defined as superseded or obsolete. Records of this type that relate to “routine operations of a [project], program or service” do not have as much enduring value and should be scheduled to be kept for a shorter period.
Are e-mail messages records? This question has been debated for years. The short answer is no, not all e-mail messages constitute a record. But how do you determine whether certain messages are a business record or not? The general answer is that a record documents a transaction or business-related event that may have legal ramifications or historic value. Most important are business activities that may relate to compliance requirements or those that could possibly come into dispute in litigation. Particular consideration should be given to financial transactions of any type.
Certainly, evidence that required governance oversight or compliance activities have been completed needs to be documented and become a business record. Business transactions, where there is an exchange of money or the equivalent in goods or services, are also business records. Today, these transactions are often documented by a quick e-mail. And, of course, any contracts (and any progressively developed or edited versions) that are exchanged through e-mail become business records.
The form or format of a potential record is irrelevant in determining whether it should be classified as a business record. For instance, if a meeting of the board of directors is recorded by a digital video recorder and saved to DVD, it constitutes a record. If photographs are taken of a groundbreaking ceremony for a new manufacturing plant, the photos are records too. If the company's founders tape-recorded a message to future generations of management on reel-to-reel tape, it is a record also, since it has historical value. But most records are going to be in the form of paper, microfilm, or an electronic document.
Here are three guidelines for determining whether an e-mail message should be considered a business record:
Managing e-mail business records is challenging, even for technology professionals. According to an AIIM and ARMA survey, fully two-thirds of records managers doubt that their IT departments really understand the concept of electronic records life cycle management. That is despite the fact that 70% of companies rely on IT professionals alone to manage their electronic records.
Although the significance of e-mail in civil litigation cannot be overstated (it is the leading piece of evidence requested at civil trials today), one-third of IT managers state that they would be incapable of locating and retrieving e-mails that are more than one year old, according to Osterman Research.40
There are different schools of thought on e-mail retention periods and retention schedules. The retention and deletion of your electronic business records may be governed by laws or regulations. Unless your organization's e-mail and ESI records are governed by law or regulations, your organization is free to determine the retention periods and deletion schedules that are most appropriate for your organization.41 If your organization's e-mail retention periods are not specified by law or regulation, consider keeping them for at least as long as you retain paper records. Many software providers provide automated software that allows e-mail messages to be moved to controlled repositories as they are declared to be records.
A destructive retention program is an approach to e-mail archiving where e-mail messages are retained for a limited time (say, 90 days), followed by the permanent manual or automatic deletion of the messages from the organization network, so long as there is no litigation hold or the e-mail has not been declared a record.
E-mail retention periods can vary from 90 days to as long as seven years:
The most common e-mail retention period traditionally has been seven years; however, some organizations are taking a hard-line approach and stating that e-mails will be kept for only 90 days or six months, unless a message is declared a record, classified, identified with a classification/retention category, and tagged or moved to a repository where the integrity of the record is protected (i.e. the record cannot be altered and an audit trail on the history of the record's usage is maintained).
Inactive records that have historical value or are essential for maintaining corporate memory must be kept the longest. Although they are not needed for present operations, they still have some value to the organization and must be preserved. When it comes to preserving electronic records, this process can be complex and technical. (See Chapter 17 for details.) If you have a corporate or agency archivist, his or her input is critical.
A key consideration in developing retention schedules is researching and determining the minimum time required to keep records that may be demanded in legal actions. “A limitation period is the length of time after which a legal action cannot be brought before the courts. Limitation periods are important because they determine the length of time records must be kept to support court action [including subsequent appeal periods]. It is important to be familiar with the purpose, principles, and special circumstances that affect limitation periods and therefore records retention.”43
Legal requirements trump all others. The retention period for a particular records series must meet minimum retention requirements as mandated by law. Business needs and other considerations are secondary. So, legal research is required before determining retention periods. Legally required retention periods must be researched for each jurisdiction (state, country) in which the business operates, so that it complies with all applicable laws.
In order to locate the regulations and citations relating to retention of records, there are two basic approaches. The first approach is to use a records retention citation service, which publishes in electronic form all of the retention-related citations. These services usually are bought on a subscription basis, as citations are updated on an annual or more frequent basis as legislation and regulations change.
Figure 9.5 is an excerpt from a Canadian records retention database product called FILELAW®. In this case, the act, citation, and retention periods are clearly identified.
Another approach is to search the laws and regulations directly using online or print resources. Records retention requirements for corporations operating in the United States may be found in the Code of Federal Regulations (CFR), the annual edition of which is the codification of the general and permanent rules published in the Federal Register by the departments and agencies of the federal government. It is divided into 50 titles that represent broad areas subject to federal regulation. The 50 subject matter titles contain one or more individual volumes, which are updated once each calendar year, on a staggered basis. The annual update cycle is as follows: titles 1 to 16 are revised as of January 1; titles 17 to 27 are revised as of April 1; titles 28 to 41 are revised as of July 1, and titles 42 to 50 are revised as of October 1. Each title is divided into chapters, which usually bear the name of the issuing agency. Each chapter is further subdivided into parts that cover specific regulatory areas. Large parts may be subdivided into subparts. All parts are organized in sections, and most citations to the CFR refer to material at the section level.44
There is an up-to-date version that is not yet a part of the official CFR but is updated daily, the Electronic Code of Federal Regulations (e-CFR). “It is not an official legal edition of the CFR. The e-CFR is an editorial compilation of CFR material and Federal Register amendments produced by the National Archives and Records Administration's Office of the Federal Register (OFR) and the Government Printing Office.”45
Event-based disposition is kicked off with the passage of an event, such as hiring or firing an employee, the end of a project, or the initiation of a lawsuit.
Event-based disposition can have an associated retention schedule, and the clock starts running once the event occurs. The required retention period begins only after the triggering event occurs. The length of the retention period may be regulated by law, or it may be determined by IG guidelines set internally by the organization. So, when an employee is terminated, and personnel files are destroyed after (say) five years, the retention schedule entry would be “Termination + 5 years.”
Another definition of event-based disposition comes from the US e-records standard, Department of Defense 5015.2, which describes it as a disposition instruction in which a record is eligible for the specified disposition (transfer or destroy) upon or immediately after the specified event occurs. No retention period is applied and there is no fixed waiting period, as with “timed” or combination “timed-event” dispositions. Example: “Destroy when no longer needed for current operations.”46
Some hardware vendors provide solutions that assist in executing event-based disposition with assistance from firmware (fixed instructions on a microchip). The firmware-assisted solution should be considered if your RM or IG team aims to perform a complete and thorough retention solution analysis. These hardware-based solutions can potentially streamline the event-based disposition process.47
Triggering events may be record-related, “such as supersession or obsolescence.” This is common for policy statements. For example, if a group of policies is to be destroyed five years after being superseded or becoming obsolete, the old policy would be held for five years after the new policy has been created.
Sounds simple. But in an attempt to meet retention requirements, organizations handle event-based triggers in different ways, ways that often are problematic. For instance, the trigger events often are not captured electronically and fed directly into the retention scheduling software or records repository to start the clock running, or the event itself is not well documented in the retention schedule so it is not consistently being applied and tracked. In other cases, the organization simply does not have the ERM functionality it needs to manage event-based triggers.
This causes many organizations to simply overretain and keep the records indefinitely, or until disk storage is full, which means that those records are retained for an incorrect—and indefensible—time. The period is either too long or possibly too short, but it is always inconsistent. And inconsistent means legally indefensible.
The only prudent and defensible approach is to implement the proper IG policies to manage and control the implementation of event-based disposition.
Three key prerequisite tasks must be completed before event-based disposition can be implemented:
What is needed is an agreement as to what the definition is, so that the retention period will be uniform among the record series in question, providing a defensible policy.
To gain this agreement on these blurry areas, the RM lead/manager or team will need to work with the relevant business unit representatives, IT, compliance, risk management, and any other stakeholders.
The event triggers must be clear and agreed on so that they may kick off a retention period and disposition process.
In a number of cases, the answer to these questions will rely on trigger points, such as one year after completion or four months after the board of directors’ meeting. It is important to choose a trigger point that you can implement. For example, there is no point in saying that records should be kept until an individual dies, if you have no reliable way of knowing whether the person is alive. Instead, choose a trigger point based on the information you have about the individual; in this case, the 100th birthday might be a suitable trigger point.
Achieving clarity and agreement on event-based triggers requires close consultation and collaboration among RM staff, business units, IT, legal, compliance, risk management, and other stakeholders, as relevant.
After completing the records values analysis and legislative and legal research, you must determine the closure criteria and final disposition (e.g., destroy, transfer, archive) for each records series. To minimize costs and litigation risk, retention periods should be kept as short as possible while meeting all applicable regulatory, legal, and business requirements.48
For e-records, retention periods may be segmented into active and inactive, or online and offline. Offline may be segmented further into on-site and off-site or archival storage.
Going back and combing through records retrieval requests and usage logs may provide helpful insights as to the needs of records users—but bear in mind that these logs may be misleading as users may have (in the past, before a formal IG program was implemented) kept shadow copies of files on their local hard drives or backed up to flash drives or other storage devices.
A clear closure start date is required to kick off a retention period for any record, whether the retention is scheduled for on- or off-site. Calendar or fiscal year-ends are typical and practical closure dates for subject or topical records. The date used to indicate the start year is usually the date the file closed or the date of last use or update. In a university setting, school year-end may be more logical. Still, a reasoned analysis is required to determine the best closure start date for subject records in your organization.
Case records are different; logically, their closure date is set when a case record is completed (e.g. the date when an employee resigns, retires, or is terminated).
Future dates may be used, such as an employee promotion date, student graduation, or project completion. After consulting those who create and handle the records series you are analyzing, apply good business judgment and common sense when determining closure dates.
There may be some vital, historical, or other critical records that, in the best interests of the organization, need to be retained permanently. This is rare, and storing records long term must be scrutinized heavily. If certain electronic records are to be retained indefinitely or permanently, then LTDP policies and techniques must be used. (See Chapter 17 for more details.)
Transitory documents usually do not rise to the level of becoming a record; they are temporary and are useful only in the short term, such as direct mail or e-mail advertising (brochures, price lists, etc.), draft documents (although not all are transitory, and some may need longer retention periods, such as draft contracts) and work in progress, duplicates, external publications (e.g. magazines, journals, newspapers, etc.), and temporary notices (e.g. company picnic, holiday party, or football pool). You must consider transitory records in your master records retention schedule.
Automated programs that interpret these retention periods are the best way to ensure that records are disposed of at the correct time and that an audit trail of the disposition is maintained.
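The sketch below is an added illustration, not code from the book or from any ERM product. It shows how an automated program might interpret “Event + N years” schedule entries, flag records whose triggering event was never captured (the over-retention failure described earlier), and return an audit-trail entry for each decision. The series names, record IDs, dates, and status labels are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed schedule: series -> (triggering event, retention years, disposition)
SCHEDULE = {
    "personnel_file": ("termination", 5, "destroy"),
    "policy_statement": ("superseded", 5, "destroy"),
}

@dataclass
class Record:
    record_id: str
    series: str
    trigger_date: Optional[date]  # None: the triggering event was never captured

def add_years(d: date, years: int) -> date:
    """Same day N years on; Feb 29 rolls forward to Mar 1, never shortening retention."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return date(d.year + years, 3, 1)

def evaluate(rec: Record, today: date) -> dict:
    """Return one audit-trail entry giving the record's disposition status."""
    entry = {"record_id": rec.record_id, "series": rec.series,
             "evaluated_on": today.isoformat()}
    rule = SCHEDULE.get(rec.series)
    if rule is None:
        return {**entry, "status": "UNSCHEDULED"}
    event, years, action = rule
    entry["rule"] = f"{event} + {years} years"
    if rec.trigger_date is None:
        # Clock never started: report it rather than retaining silently forever.
        return {**entry, "status": "TRIGGER_MISSING"}
    eligible_on = add_years(rec.trigger_date, years)
    entry["eligible_on"] = eligible_on.isoformat()
    status = "ELIGIBLE" if today >= eligible_on else "RETAIN"
    return {**entry, "status": status,
            "action": action if status == "ELIGIBLE" else "none"}

# Constructed sample records
SAMPLE = [
    Record("HR-001", "personnel_file", date(2018, 3, 15)),
    Record("HR-002", "personnel_file", date(2021, 6, 30)),
    Record("HR-003", "personnel_file", date(2016, 2, 29)),
    Record("POL-007", "policy_statement", None),
]
```

Calling `evaluate(rec, date.today())` for each record yields entries that can be appended to a disposition log; `TRIGGER_MISSING` and `UNSCHEDULED` entries are the ones to route back to the business unit for correction.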
Upon completion of the records retention schedule, project management best practices dictate that it be signed off by an executive or project sponsor, to indicate it has been completed and there is no more work to be done on that phase of the project. In addition, you may want to gain the sign-off and acceptance by other key stakeholders, such as senior representatives from legal, IT, the board of directors or executive committee, and perhaps audit and information governance. The schedule should be updated when new record types are introduced and, in any case, at least annually.
It is much easier to time or schedule the disposal of e-records than of paper or physical records, but true and complete destruction of all traces of a record cannot be done by hitting a simple “delete” key. There must be a process in place to verify the total destruction of all copies of the record. (See Chapter 17 for more details.) Records destruction can occur daily, routinely, or be scheduled at intervals (i.e. monthly or quarterly).
ERM systems typically are capable of automatically executing a record deletion when a record has reached the end of its life cycle. Often these systems have a safety feature that allows an operator who has the authority to review deletions before they are performed.
To make a retention schedule change, such as extending the life of a record series, IG controls must be in place. So, usually, ERM systems require that a person of higher authority than the system operator make these approvals. Every subsequent delay in destroying the records often requires an escalation in approval period to extend the time that records are kept past the destruction date.
In some environments, especially in the public sector, a certificate of destruction or other documentation is required to prove that a record and all its copies have been completely deleted (including its metadata—although at times it is beneficial to retain metadata longer than the record itself; see Appendix A “Information Organization and Classification” for more details). ERM systems can be configured to keep an audit trail and prove that destruction has occurred.
Records series are not static; they change, are added to, and are amended. New record functions emerge, based on changes in business, acquisitions, and divestitures. So it is necessary for organizations to review and update—at least annually—their records retention schedule.
In addition, retention requirements change as legislation changes, lawsuits are filed, and the organization refines and improves its IG policies. Development of a records retention schedule is not a one-time project; it requires attention, maintenance, and updating on a regular schedule, and using a controlled change process.
Once your organization establishes records retention schedules for business units, or a master retention schedule, there must be IG policies in place to audit and ensure that policies are being followed. This is a key requirement of maintaining a legally defensible retention schedule that will hold up to legal challenges.