Records management practices and standards are delineated in many federal regulations. A number of state statutes have also been passed, and in some cases they supersede federal regulations; it is therefore crucial to understand compliance requirements in the state or states where an organization operates.
On the federal level, public companies must be vigilant in verifying, protecting, and reporting financial information to comply with requirements under Sarbanes-Oxley and the Gramm-Leach-Bliley Act (GLBA). Healthcare concerns must meet the requirements of HIPAA, and investment firms must comply with a myriad of regulations by the Securities and Exchange Commission (SEC) and National Association of Securities Dealers (NASD).
Following is a brief description of current rules, laws, regulators, and their records retention and corporate policy requirements. (Note: This is an overview, and firms should consult their own legal counsel for interpretation and applicability.)
The Financial Institution Privacy Protection Act of 2001 and Financial Institution Privacy Protection Act of 2003 (Gramm-Leach-Bliley Act) was amended in 2003 to improve and increase protection of nonpublic personal information. Under this Act, financial records must be properly secured, safeguarded, and eventually completely destroyed so that the information cannot be further accessed.
HIPAA requires that security standards be adopted for: (1) controlling who may access health information; (2) providing audit trails for electronic record systems; (3) isolating health data, making it inaccessible to unauthorized access; (4) safeguarding the confidentiality of health information when it is electronically transmitted, so that it is physically, electronically, and administratively secure; and (5) meeting the needs and capabilities of small and rural healthcare providers.
The PATRIOT Act: (1) requires that the identity of a person opening an account with any financial institution be verified by that institution, which must implement reasonable procedures to maintain identity information; and (2) provides law enforcement organizations broad investigatory rights, including warrantless searches.
The key provisions of SOX require that: (1) public corporations implement extensive policies, procedures, and tools to prevent fraudulent activities; (2) financial control and risk mitigation processes be documented and verified by independent auditors; (3) executives of publicly traded companies certify the validity of the company's financial statements; and (4) business records be kept for not less than five years.
SEC Rule 17A-4 requires that: (1) records that must be maintained and preserved be available to be produced or reproduced using either micrographic media (such as microfilm or microfiche) or electronic storage media (any digital storage medium or system); and (2) original copies of all communications, such as interoffice memoranda, be preserved for no less than three years, the first two in an easily accessible location.
CFR Title 47, Part 42 requires that telecommunications carriers keep original records or reproductions of original records, including memoranda, documents, papers, and correspondence that the carrier prepared or that were prepared on behalf of the carrier.
CFR Title 21, Part 11 requires: (1) that controls be in place to protect content stored on both open and closed systems, to ensure the authenticity and integrity of electronic records; and (2) that accurate and complete electronic copies of records be generated so that the Food and Drug Administration (FDA) may inspect them.
The National Archives and Records Administration (nara.gov):
NARA regulations affecting Federal agencies and their records management programs are found in Subchapter B of 36 Code of Federal Regulations Chapter XII.1,2
In the Code of Federal Regulations there are over 5,000 references to retaining records. The Code can be found online at: www.ecfr.gov.
The National Standards of Canada for electronic records management are: (1) Electronic Records as Documentary Evidence CAN/CGSB-72.34–2005 (“72.34”), published in December 2005; and, (2) Microfilm and Electronic Images as Documentary Evidence CAN/CGSB-72.11–93, first published in 1979 and updated to 2000 (“72.11”).3 72.34 incorporates all that 72.11 deals with and is therefore the more important of the two. Because of its age, 72.11 should not be relied upon for its “legal” content. However, 72.11 has remained the industry standard for “imaging” procedures—converting original paper records to electronic storage. The Canada Revenue Agency has adopted these standards as applicable to records concerning taxation.4
72.34 deals with these topics: (1) management authorization and accountability; (2) documentation of procedures used to manage records; (3) “reliability testing” of electronic records according to existing legal rules; (4) the procedures manual and the chief records officer; (5) readiness to produce (the “prime directive”); (6) records recorded and stored in accordance with “the usual and ordinary course of business” and “system integrity,” being key phrases from the Evidence Acts in Canada; (7) retention and disposal of electronic records; (8) backup and records system recovery; and (9) security and protection. From these standards practitioners have derived many specific tests for auditing, establishing, and revising electronic records management systems.5
The “prime directive” of these standards states: “An organization shall always be prepared to produce its records as evidence.”6 The duty to establish the “prime directive” falls upon senior management:7
5.4.3 Senior management, the organization's own internal law-making authority, proclaims throughout the organization the integrity of the organization's records system (and, therefore, the integrity of its electronic records) by establishing and declaring:
Being the “dominant principle” of an organization's electronic records management system, the duty to maintain compliance with the “prime directive” should fall upon its senior management.
Because an electronic record is completely dependent upon its ERM system for everything, compliance with these National Standards and their “prime directive” should be part of the determination of the “admissibility” (acceptability) of evidence and of electronic discovery in court proceedings (litigation) and in regulatory tribunal proceedings.8
There are 14 legal jurisdictions in Canada: 10 provinces; 3 territories; and the federal jurisdiction of the Government of Canada. Each has an Evidence Act (the Civil Code in the province of Quebec9), which applies to legal proceedings within its legislative jurisdiction. For example, criminal law and patents and copyrights are within federal legislative jurisdiction, and most civil litigation comes within provincial legislative jurisdiction.10
The admissibility of records as evidence is determined under the “business record” provisions of the Evidence Acts.11 They require proof that a record was made “in the usual and ordinary course of business,” and of “the circumstances of the making of the record.” In addition, to obtain admissibility for electronic records, most of the Evidence Acts contain electronic record provisions, which state that an electronic record is admissible as evidence on proof of the “integrity of the electronic record system in which the data was recorded or stored.”12 This is the “system integrity” test for the admissibility of electronic records. The word “integrity” has yet to be defined by the courts.13
However, by way of sections such as the following, the electronic record provisions of the Evidence Acts make reference to the use of standards such as the National Standards of Canada:
For the purpose of determining under any rule of law whether an electronic record is admissible, evidence may be presented in respect of any standard, procedure, usage or practice on how electronic records are to be recorded or stored, having regard to the type of business or endeavor that used, recorded, or stored the electronic record and the nature and purpose of the electronic record.14
There are six areas of law and records and information management (RIM) applicable to paper and electronic records:
These six areas are closely interrelated and are based upon very similar concepts. They all make demands of records systems and of the chief records officer or others responsible for records. Therefore, a failure to satisfy the records management needs of any one of them will likely mean a failure to satisfy all of them. Agencies that manage these areas of law look to the decisions of the courts to determine the requirements for acceptable records.
Each of these areas of law affects records and information management, just as they are affected by the laws governing the use of records as evidence in legal proceedings, the laws of evidence. These relationships make compliance with the “prime directive” provided by the national standards mandatory; it states: “an organization shall always be prepared to produce its records as evidence.”21
“The following Acts and Statutory Instruments of the UK and Scottish Parliaments contain provisions that are relevant to records retention and disposal:”22
Acts of the UK Parliament
Acts of the Scottish Parliament
Statutory Instruments of the UK Parliament
Other Provisions
The Archives Act 1983 empowers the Archives to preserve the archival resources of the Australian Government—those records designated “national archives.” Under the Act, it is illegal to destroy Australian Government records without permission from the Archives unless destruction is specified in another piece of legislation or allowed under a normal administrative practice.
The Act also establishes a right of public access to nonexempt Commonwealth records in the “open access period” (transitioning from 30 years to 20 years over the period 2011 to 2021 under amendments to the Act passed in 2010). Different open access periods exist for Cabinet notebooks (transitioning from 50 years to 30 years over the period 2011 to 2021) and records containing Census information (99 years).
The Freedom of Information Act 1982 gives individuals the legal right to access documents held by Australian Government ministers, departments, and most agencies, including Norfolk Island Government agencies. From November 1, 2010, the FOI Act also applies to documents created or held by contractors or subcontractors who provided services to the public or third parties on behalf of agencies.
The FOI Act applies to records that are not yet in the open access period under the Archives Act unless the document contains personal information (including personal information about a deceased person). The Archives Act regulates access to records in the open access period.
When a member of the public requests information, your agency must identify and preserve all relevant sources, including records, until a final decision on the request is made. The FOI Act also sets out how agencies may correct, annotate, or update records if a member of the public shows that any personal information relating to them is incomplete, incorrect, out of date, or misleading.
The FOI Act also establishes the Information Publication Scheme (IPS), which requires agencies subject to the FOI Act to take a proactive approach to publishing a broad range of information on their website. The IPS does not apply to a small number of security and intelligence agencies that are exempt from the FOI Act.
The Australian Information Commissioner Act 2010 established the Office of the Australian Information Commissioner. The OAIC has three sets of functions. These are:
As part of its government and information policy function, the OAIC is committed to leading the development and implementation of a national information policy framework to promote secure and open government. It aims to achieve this by driving public access to government information and encouraging agencies to proactively publish information.
The Privacy Act 1988 regulates the handling of personal information by Australian Government agencies, ACT government agencies, Norfolk Island Government agencies, and a range of private and not-for-profit organizations. The Privacy Act regulates the way in which personal information can be collected, its accuracy, how it is kept secure, and how it is used and disclosed. It also provides rights to individuals to access and correct the information that organizations and government agencies hold about them. Records in the open-access period as defined in the Archives Act 1983 are not covered by the Privacy Act. The Privacy Act also sets out requirements that may apply when an agency enters into a contract under which services are provided to the agency.
The Evidence Act 1995 defines what documents, including records, can be used as evidence in a Commonwealth court.23
All agencies need to take account of evidence legislation. A court may need to examine records as evidence of an organization's decisions and actions. General advice on the impact of the Evidence Act is given in the publication Commonwealth Records in Evidence.
The Electronic Transactions Act 1999 encourages online business by ensuring that electronic evidence of transactions is not invalidated because of its format. This Act does not authorize the destruction of any Australian Government records, whether originals or copies. The obligations placed on agencies under the Archives Act 1983 for the preservation and disposal of Commonwealth records continue to apply.
The Financial Management and Accountability Act 1997 states that an APS employee who misapplies, improperly disposes of, or improperly uses Commonwealth records may be in breach of the Financial Management and Accountability Act (s. 41). Regulation 12 of the Act requires that the terms of approval for a proposal to spend money be recorded in writing as soon as practicable.
Australian Government records fall within the meaning of “public property” as defined in this Act.
The Crimes Act 1914 outlines crimes against the Commonwealth. Several parts of the Act relate to records. For example, section 70 prohibits public servants (or anyone working for the Australian Government, including contractors and consultants) from publishing or communicating facts, documents, or information that they gain access to through their work unless they have permission to do so. This includes taking or selling records that should be destroyed.
This Act also makes it an offence for someone to intentionally destroy documents that they know may be required as evidence in a judicial proceeding.
Your agency [or business] needs to be aware of the legislation governing its own records practices.
Some legislative requirements apply to many agencies [and businesses]. For example, occupational health and safety legislation requires an organization to keep certain types of records for prescribed periods of time. Requirements that apply to all agencies are included in the National Archives’ Administrative Functions Disposal Authority.
Other legislative requirements may apply only to the particular business of one or a number of agencies.
Recordkeeping requirements may be stipulated in your agency's enabling legislation (legislation that established the agency) or in specific legislation that your agency is responsible for administering.24