Records management (RM) is a key impact area of information governance (IG)—so much so that in the RM space, IG is often thought of as synonymous with or a simple superset of RM. But IG is much more than that. We delve into the details of RM here—a sort of crash course on how to identify and inventory records, conduct the necessary legal research, develop retention and disposition schedules, and more. Also, we identify the relationship and impact of IG on the RM function in an organization in this chapter.
The International Organization for Standardization (ISO) defines (business) records as “information created, received, and maintained as evidence and information by an organization or person, in pursuance of legal obligations or in the transaction of business.”1 It further defines RM as “[the] field of management responsible for the efficient and systematic control of the creation, receipt, maintenance, use, and disposition of records, including the processes for capturing and maintaining evidence of and information about business activities and transactions in the form of records.”2
The U.S.-based Association of Records Managers and Administrators (ARMA) defines records as “evidence of what an organization does. They capture its business activities and transactions, such as contract negotiations, business correspondence, personnel files, and financial statements.”3
Records and information management (RIM) extends beyond RM (although the terms are often used interchangeably) to include information—that is, information such as data, electronic documents, and reports. For this reason, RIM professionals must expand their reach and responsibilities to include policies for retention and disposition of all legally discoverable forms of information, such as e-mail, social media posts, mobile data and documents held on portable devices, cloud storage and applications, and other enterprise data and information.
Electronic records management (ERM) has moved to the forefront of business issues with the increasing automation of business processes and the vast growth in the volume of electronic documents and records that organizations create. These factors, coupled with expanded and tightened reporting laws and compliance regulations, have made ERM essential for most enterprises—especially highly regulated and public ones.
E-records management has become much more critical to enterprises with increased compliance legislation and massively increasing volumes of electronic information.
ERM follows generally the same principles as traditional paper-based records management: There are classification and taxonomy needs to group and organize the records, and there are retention and disposition schedules to govern the length of time a record is kept and its ultimate disposition (destruction, transfer, or long-term archiving) destruction or long-term archiving. Yet e-records must be handled differently, and they contain more detailed data about their contents and characteristics, known as metadata. (For more detail on these topics see Appendix A.)
E-records are also subject to changes in information technology (IT) that may make them difficult to retrieve and view and therefore render them obsolete. These issues can be addressed through a sound ERM program that includes long-term digital preservation (LTDP) methods and technologies.
ERM is primarily the organization, management, control, monitoring, and auditing of formal business records that exist in electronic form. But automated ERM systems also track paper-based and other physical records. So ERM goes beyond simply managing electronic records; it is the management of electronic records and the electronic management of nonelectronic records (e.g., paper, CD/DVDs, magnetic tape, audio-visual, and other physical records).
Most electronic records, or e-records, originally had an equivalent in paper form, such as memos (now e-mail), accounting documents (e.g., purchase orders, invoices), personnel documents (e.g., job applications, resumes, tax documents), contractual documents, line-of-business documents (e.g., loan applications, insurance claim forms, health records), and required regulatory documents (e.g., material safety data sheets). Before e-document and e-record software began to mature in the 1990s, many of these documents were first archived to microfilm or microform/microfiche.
Not all documents rise to the level of being declared a formal business record that needs to be retained; that definition depends on the specific regulatory and legal requirements imposed on the organization and the internal definitions and requirements the organization imposes on itself, through internal IG measures and business policies. IG is the policies, processes, and technologies used to manage and control information throughout the enterprise to meet internal business requirements and external legal and compliance demands.
ERM follows the same basic principles as paper-based records management.
ERM includes the management of electronic and nonelectronic records, such as paper and other physical records.
ERM is a component of enterprise content management (ECM), just as document management, Web content management, digital asset management, enterprise report management, and several other technology sets are components. ECM encompasses all an organization's unstructured digital content, which means it excludes structured data (i.e., databases). ECM includes the vast majority—over 90 percent—of an organization's overall information that must be governed and managed.
ERM extends ECM to provide control and to manage records through their life cycle—from creation to destruction. ERM is used to complete the life cycle management of information, documents, and records.
ERM adds the functionality to complete the management of information and records by applying business rules to manage the maintenance, preservation, and disposition of records. Both ERM and ECM systems aid in locating and managing the records and information needed to conduct business efficiently, to comply with legal and regulatory requirements, and to effectively destroy (paper) and delete (digital) records that have met their retention policy time frame requirement, freeing up valuable physical and digital space and eliminating records that could be a liability if kept.
Historically, highly regulated industries, such as banking, energy, and pharmaceuticals, have had the greatest need to implement RM programs, due to their compliance and reporting requirements.4 However, over the past decade or so, increased regulation and changes to legal statutes and rules have made RM a business necessity for nearly every enterprise (beyond very small businesses).
Notable industry drivers include:
With these changes in the business environment and in regulatory, legal, and IG influences comes increased attention to RM as a driver for corporate compliance. For most organizations, a lack of defined policies and the enormous and growing volumes of documents (e.g., e-mail messages) make implementing a formal RM program challenging and costly. Some reasons for this include:
Implementing ERM is challenging because it requires user support and compliance, adherence to changing laws, and support for new information delivery platforms, such as mobile and cloud computing.
An investment in ERM is an investment in business process automation and yields document control, document integrity, and security benefits.
A number of business drivers and benefits combine to create a strong case for implementing an enterprise ERM program. Most are tactical, such as cost savings, time savings, and building space savings. But some drivers can be thought of as strategic, in that they proactively give the enterprise an advantage. One example may be the advantages gained in litigation by having more control and ready access to complete business records, which yields more accurate results and more time for corporate attorneys to develop strategies while the opposition is wading through reams of information, never knowing if it has found the complete set of records it needs. Another example is more complete and better information for managers to base decisions on.
Implementing ERM represents a significant investment. An investment in ERM is an investment in business process automation and yields document control, document integrity, and security benefits. The volume of records in organizations often exceeds employees' ability to manage them. ERM systems do for the information age what the assembly line did for the industrial age. The cost/benefit justification for ERM is sometimes difficult to determine, although there are real labor and cost savings. Also, many of the benefits are intangible or difficult to calculate but help to justify the capital investment. There are many ways in which an organization can gain significant business benefits with ERM.
More detail on business benefits is provided in Chapter 7, but hard, calculable benefits (when compared to storing paper files) include office space savings, office supplies savings, cutting wasted search time, and reduced office automation costs (e.g., fewer printers, copiers, cutting automated filing cabinets).
In addition, implementing ERM will provide the organization with:
ERM benefits are both tangible and intangible or difficult to calculate.
The U.S. Environmental Protection Agency (EPA), a pioneer and leader in e-records implementation in the federal sector, lists some additional benefits of implementing ERM:
Thus, there are a variety of tangible and intangible benefits derived from ERM programs, and the business rationale that fits for your organization depends on its specific needs and business objectives.
Improved professionalism, preserving corporate memory, and support for better decision making are key intangible benefits of ERM.
According to the U.S. National Archives and Records Administration (NARA), “In records management, an inventory is a descriptive listing of each record series or system, together with an indication of location and other pertinent data. It is not a list of each document or each folder but rather of each series or system”9 (emphasis added).
Conducting an inventory of electronic records is more challenging than performing a physical records inventory, but the purposes are the same: to ferret out RM problems and to use the inventory as the basis for developing the retention schedule. Some of the RM problems that may be uncovered
include inadequate documentation of official actions, improper applications of record-keeping technology, deficient filing systems and maintenance practices, poor management of nonrecord materials, insufficient identification of vital records, and inadequate records security practices. When completed, the inventory should include all offices, all records, and all nonrecord materials. An inventory that is incomplete or haphazard can only result in an inadequate schedule and loss of control over records.10
The first step in gaining control over an organization's records and implementing IG measures to control and manage them is to complete an inventory of all groupings of business records, including electronic records,11 at the system or file series level.
The focus of this book is on IG and more granually e-records, and when it comes to e-records, NARA has a specific recommendation: Inventory at the computer systems level. This differs from advice given by experts in the past.
The records inventory is the basis for developing a records retention schedule that spells out how long different types of records are to be held and how they will be archived or disposed of at the end of their life cycle. But first you must determine where business records reside, how they are stored, how many exist, and how they are used in the normal course of business.
There are a few things to keep in mind when approaching the e-records inventorying process:
NARA recommends that electronic records are inventoried by information system, not by record series.
These knowledge workers are your best resource and can be your greatest allies or worst enemies when it comes to gathering accurate inventory data; developing a workable file plan; and keeping the records declaration, retention, and disposition process operating efficiently. A sound RM program will keep the records inventory accurate and up to date.
See Chapter 3 for more detail on applicable principles in IG. To summarize: It may be useful to use a model or framework to guide your records inventorying efforts. Such frameworks could be the D.I.R.K.S. (Designing and Implementing Recordkeeping Systems) used in Australia or the Generally Accepted Recordkeeping Principles® (or “the Principles”) that originated in the United States at ARMA International. The Principles are a “framework for managing records in a way that supports an organization's immediate and future regulatory, legal, risk mitigation, environmental, and operational requirements.”13
Special attention should be given to creating an accountable, open inventorying process that can demonstrate integrity. The result of the inventory should help the organization adhere to records retention, disposition, availability, protection, and compliance aspects of The Principles.
The Generally Accepted Recordkeeping Principles were created with the assistance of ARMA International and legal and IT professionals who reviewed and distilled global best practice resources. These included the international records management standard ISO 15489–1 from the American National Standards Institute and court case law. The principles were vetted through a public call-for-comment process involving the professional records information management … community.14
If your organization has received a legal summons for e-records, and you do not have an accurate inventory, the organization is already in a compromising position: You do not know where the requested records might be, how many copies there might be, or the process and cost of producing them. Inventorying must be done sooner rather than later and proactively rather than reactively.
E-records present challenges beyond those of paper of microfilmed records due to their (electronic) nature:
What are The Principles? They are guidelines for information management and governance of record creation, organization, security, maintenance, and other activities used to effectively support the recordkeeping of an organization.
The completed records inventory contributes toward the pursuit of an organization's IG objectives in a number of ways: It supports the ownership, management, and control of records; helps to organize and prepare for the discovery process in litigation; reduces exposure to business risk; and provides the foundation for a disaster recovery/business continuity plan.
Completing the records inventory offers at least eight additional benefits:
With respect to e-records, the purpose of the records inventory should include the following objectives:
The completed records inventory contributes toward the pursuit of an organization's IG objectives in a number of ways.
NARA's guidance on how to approach a records inventory applies to both physical and e-records.
The steps in the records inventory process are:
The goals of the inventorying project must be set and conveyed to all stakeholders. At a basic level, the primary goal can be simply to generate a complete inventory for compliance and reporting purposes. It may focus on a certain business area or functional group or on the enterprise as a whole. An enterprise approach requires segmenting the effort into smaller, logically sequenced work efforts, such as by business unit. Perhaps the organization has a handle on its paper and microfilmed records but e-records have been growing exponentially and spiraling out of control, without good policy guidelines or IG controls. So a complete inventory of records and e-records by system is needed, which may include e-records generated by application systems, residing in e-mail, created in office documents and spreadsheets, or other potential business records. This is a tactical approach that is limited in scope.
The goal of the inventorying process may be more ambitious: to lay the groundwork for the acquisition and implementation of an ERM system that will manage the retention, disposition, search, and retrieval of records. It requires more business process analysis and redesign, some rethinking of business classification schemes or file plans, and development of an enterprise-wide taxonomy. This redesign will allow for more sharing of information and records; faster, easier, and more complete retrievals; and a common language and approach for knowledge professionals across the enterprise to declare, capture, and retrieve business records.
Whatever the business goals for the inventorying effort are, they must be conveyed to all stakeholders, and that message must be reinforced periodically and consistently, and through multiple means.
The plan may be still much greater in scope and involve more challenging goals: That is, the inventorying of records may be the first step in the process of implementing an organization-wide IG program to manage and control information by rolling out ERM and IG systems and new processes; to improve litigation readiness and stand ready for e-discovery requests; and to demonstrate compliance adherence with business agility and confidence. Doing this involves an entire cultural shift in the organization and a long-term approach.
Whatever the business goals for the inventorying effort, they must be conveyed to all stakeholders, and that message must be reinforced periodically and consistently, and through multiple means. It must be clearly spelled out in communications and presented in meetings as the overarching goal that will help the organization meet its business objectives. The scope of the inventory must be appropriate for the business goals and objectives it targets.
“With senior-level support, the records manager must decide on the scope of the records inventory. A single inventory could not describe every electronic record in an organization; an appropriate scope might enumerate the records of a single program or division, several functional series across divisions, or records that fall within a certain time frame.” [emphasis added.]19 Most organizations have not deployed an enterprise-wide records management system, which makes the e-records inventorying process arduous and time-consuming. It is not easy to find where all the electronic records reside—they are scattered all over the place, and on different media. But impending (and inevitable) litigation and compliance demands require that it be done. And, again, sooner has been proven to be better than later. Since courts have ruled that if lawsuits have been filed against your competitors over a certain (industry-specific) issue, your organization should anticipate and prepare for litigation—which means conducting records inventories and placing a litigation hold on documents that might be relevant. Simply doing nothing and waiting on a subpoena is an avoidable business risk.
An appropriate scope might enumerate the records of a single program or division, several functional series across divisions, or records that fall within a certain time frame.
A methodical, step-by-step approach must be taken—it is the only way to accomplish the task. A plan that divides up the inventorying tasks into smaller, accomplishable pieces is the only one that will work. It has been said, “How do you eat an elephant?” And the answer is “One bite at a time.” So scope the inventorying process into segments, such as a business unit, division, or information system/application.
It is crucial to have management support to drive the inventory process to completion. There is no substitute for an executive sponsor. Asking employees to take time out for yet another survey or administrative task without having an executive sponsor will likely not work. Employees are more time-pressed than ever, and they will need a clear directive from above, along with an understanding of what role the inventorying process plays in achieving a business goal for the enterprise, if they are to take the time to properly participate and contribute meaningfully to the effort.
During the inventory you should collect the following information at a minimum:
Removable media should have a unique identifier and the inventory should include a list of records on the particular volume as well as the characteristics of the volume, e.g., the brand, the recording format, the capacity and volume used, and the date of manufacture and date of last update.20 (Emphasis added.)
Additional information not included in inventories of physical records must be collected in any inventory of e-records.
Laying out the overall topology of the IT infrastructure in the form of a network diagram is an exercise that is helpful in understanding where to target efforts and to map information flows. Creating this map of the IT infrastructure is a crucial step in inventorying e-records. It graphically depicts how and where computers are connected to each other and the software operating environments of various applications that are in use. This high-level diagram does not need to include every device; rather, it should indicate each type of device and how it is used.
The IT staff usually has a network diagram that can be used as a reference; perhaps after some simplification it can be put into use as the underpinning for inventorying e-records. It does not need great detail, such as where network bridges and routers are located, but it should show which applications are utilizing the cloud or hosted applications to store and/or process documents and records.
In diagramming the IT infrastructure for purposes of the inventory, it is easiest to start in the central computer room where any mainframe or other centralized servers are located and then follow the connections out into the departments and business unit areas, where there may be multiple shared servers and drives supported a network of desktop personal computers or workstations.
Microsoft's SharePoint® is a prevalent document and RM portal platform, and many organizations have SharePoint servers to house and process e-documents and records. Some utilities and tools may be available to assist in the inventorying process on SharePoint systems.
Mobile devices (e.g., tablets, smartphones, and other portable devices) that are processing documents and records should also be represented. And any e-records residing in cloud storage should also be included.
The record inventory survey form must suit its purpose. Do not collect data that is irrelevant, but, in conducting the survey, be sure to collect all the needed data elements. You can use a standard form, but some customization is recommended. The sample records survey form in Figure 9.1 is wide ranging yet succinct and has been used successfully in practice.
If conducting the e-records portion of the inventory, the sample form may be somewhat modified, as shown in Figure 9.2.
Typically, a RM project team is formed to conduct the survey, often assisted by resources outside of the business units. These may be RM and IT staff members, business analysts, members of the legal staff, outside specialized consultants, or a combination of these groups. The greater the cross-section from the organization, the better, and the more expertise brought to bear on the project, the more likely it will be completed thoroughly and on time.
Critical to the effort is that those conducting the inventory are trained in the survey methods and analysis, so that when challenging issues arise, they will have the resources and know-how to continue the effort and get the job done.
Source: Charmain Brooks, IMERGE Consulting, e-mail to author, March 20, 2012.
Source: Adapted from: www.archives.gov/records-mgmt/faqs/inventories.html and Charmaine Brooks, IMERGE Consulting.
The inventory process is, in fact, a surveying process, and it involves going physically out into the units where the records are created, used, and stored. Mapping out where the records are geographically is a basic necessity. Which buildings are they located in? Which office locations? Computer rooms?
Also, the inventory team must look organizationally at where the records reside (i.e., determine which departments and business units to target and prioritize in the survey process).
Several approaches can be taken to conduct the inventory, including three basic methods:
There are three ways to conduct the inventory: surveys, interviews, and observation. Combining these methods yields the best results.
Creating and distributing a survey form is traditional and proven way to collect e-records inventory data. This is a relatively fast and inexpensive way to gather the inventory data. The challenge is getting the surveys completed in a consistent fashion. This is where a strong executive sponsor can assist. The sponsor can make the survey a priority and tie it to business objectives, making the survey completion compulsory. The survey is a good tool, and it can be used to cover more ground in the data collection process. If following up with interviews, the survey form is a good starting point; responses can be verified and clarified, and more detail can be gathered.
Some issues may not be entirely clear initially, so following up with scheduled in-person interviews can dig deeper into the business processes where formal records are create and used. A good approach is to have users walk you through their typical day and how they access, use, and create records—but be sure to interview managers too, as managers and users have differing needs and uses for records.21
You will need some direction to conduct formal observation, likely from IT staff or business analysts familiar with the recordkeeping systems and associated business processes. They will need to show you where business documents and records are created and stored. If there is an existing ERM system or other automated search and retrieval tools available, you may use them to speed the inventorying process.
When observing and inventorying e-records, starting in the server room and working outward toward the end user is a logical approach. Begin by enumerating the e-records created by enterprise software applications (such as accounting, enterprise resource planning, or customer relationship management systems), and work your way to the departmental or business unit applications, on to shared network servers, then finally out to individual desktop and laptop PCs and other mobile devices. With today's smartphones, this can be a tricky area, due to the variety of platforms, operating systems, and capabilities. In a bring-your-own-device environment, records should not be stored on personal devices, but if they must be, they should be protected with technologies like encryption or information rights management.
There are always going to be thorny areas when attempting to inventory e-records to determine what files series exist in the organization. Mobile devices and removable media may contain business records. These must be identified and isolated, and any records on these media must be recorded for the inventory. Particularly troublesome are thumb or flash drives, which are compact yet can store 20 gigabytes of data or more. If your IG measures call for excluding these types of media, the ports they use can be blocked on PCs, tablets, smartphones, and other mobile computing devices. A sound IG program will consider the proper use of removable media and the potential impact on your RM program.22
The best approach for conducting the inventory is to combine the available inventorying methods, where possible. Begin by observing, distribute surveys, collect and analyze them, and then target key personnel for follow-up interviews and walk-throughs. Utilize whatever automated tools are available along the way. This approach is the most complete. Bear in mind that the focus is not on individual electronic files but rather, the file series level for physical records and the file series or system level for e-records (preferably the latter).
Interviews are a very good source of records inventory information. Talking with actual users will help the records lead or inventory team to better understand how documents and records are created and used in everyday operations. Users can also report why they are needed—an exercise that can uncover some obsolete or unnecessary processes and practices. This is helpful in determining where e-records reside and how they are grouped in records series or by system and ultimately, the proper length of their retention period and whether they should be archived or destroyed at the end of their useful life.23
Since interviewing is a time-intensive task, it is crucial that some time is spent in determining the key people to interview: Interviews not only take your time but others' as well, and the surest way to lose momentum on an inventorying project is to have stakeholders believe you are wasting their time.
You need to interview representatives from all functional areas and levels of the program or service, including:
The people who work with the records can best describe to you their use. They will likely know where the records came from, whether copies exist, who needs the records, any computer systems that are used, how long the records are needed and other important information that you need to know to schedule the records.
As stated earlier, it is wise to include a cross-section of staff, managers and frontline employees to get a rounded view of how records are created and used. Managers have a different perspective and may not know how workers utilize electronic records in their everyday operations.
A good lens to use is to focus on those who make decisions based on information contained in the electronic records and to follow those decision-based processes through to completion, observing and interviewing at each level.
For example, an application is received (mail room logs date and time), checked (clerk checks the application for completeness and enters into a computer system), verified (clerk verifies that the information on the application is correct), and approved (supervisor makes the decision to accept the application). These staff members may only be looking at specific pieces of the record and making decisions on those pieces.
One rule to consider is this: Be considerate of other people's work time. Since they are probably not getting compensated for participating in the records inventory, the time you take to interview them is time taken away from compensated tasks they are evaluated on. So, once the interviewees are identified, provide as much advance notice as possible, follow up to confirm appointments, and stay within the scheduled time. Interviews should be kept to 20 to 60 minutes. Most of all—never be late!
Before starting any interviews, be sure to restate the goals and objectives of the inventorying process and how the resulting output will benefit people in their jobs.
In some cases, it may be advisable to conduct interviews in small groups, not only to save time but to generate a discussion of how records are created, used, and stored. Some new insights may be gained.
Try to schedule interviews that are as convenient as possible for participants. That means providing participants with questions in advance and holding the interviews as close to their work area as possible. Do not schedule interviews back to back with no time for a break between. You will need time to consolidate your thoughts and notes, and, at times, interviews may exceed their planned time if a particularly enlightening line of questioning takes place.
If you have some analysis from the initial collection of surveys, share that with the interviewees so they can validate or help clarify the preliminary results. Provide it in advance, so they have some time to think about it and discuss it with their peers.
You'll need a guide to structure the interview process. A good starting point is the sample questions presented in the questionnaire shown in Figure 9.3. It is a useful tool that has been used successfully in actual records inventory projects.
Once collected, some follow-up will be required to verify and clarify responses. Often this can be done over the telephone. For particularly complex and important areas, a follow-up in person visit can clarify the responses and gather insights.
Once the inventory draft is completed, a good practice is to go out into the business units and/or system areas and verify what the findings of the survey are. Once presented with findings in black and white, key stakeholders may have additional insights that are relevant to consider before finalizing the report. Do not miss out on the opportunity to allow power users and other key parties to provide valuable input.
Be sure to tie the findings in the final report of the records inventory to the business goals that launched the effort. This helps to underscore the purpose and importance of the effort, and will help in getting that final signoff from the executive sponsor that states the project is complete and there is no more work to do.
Depending on the magnitude of the project, it may (and should) turn into a formal IG program that methodically manages records in a consistent fashion in accordance with internal governance guidelines and external compliance and legal demands.
Be sure to tie the findings in the final report of the records inventory to the business goals that launched the effort.
Source: Charmaine Brooks, IMERGE Consulting, e-mail to author, March 20, 2012.
Part of the process of determining the retention and disposition schedule of records is to appraise their value. Records can have value in different ways, which affects retention decisions.
Records appraisal is an analysis of all records within an agency [or business] to determine their administrative, fiscal, historical, legal, or other archival value. The purpose of this process is to determine for how long, in what format, and under what conditions a record series ought to be preserved. Records appraisal is based upon the information contained in the records inventory. Records series shall be either preserved permanently or disposed of when no longer required for the current operations of an agency or department, depending upon:
Records appraisal is based on the information contained in the records inventory.
The inventorying process in not a one-shot deal: It is useful only if the records inventory is kept up to date, so it should be reviewed, at least annually. A process should be put in place so that business unit or agency heads notify the RM head/lead if a new file series or system has been put in place and new records collections are created.25
[Five] tips can help ensure that a records management program achieves its goals:
The growth of data challenges a company's ability to use and store its records in a compliant and cost-effective manner. Contrary to current practices, the solution is not to hire more vendors or to adopt multiple technologies. The key to compliance is consistency, with a unified enterprise-wide approach for managing all records, regardless of their format or location.26
So a steady and consistent IG approach that includes controls, audits, and clear communication is key to maintaining an accurate and current records inventory.
We discussed records retention briefly in Chapter 8, mostly as it relates to legal research and determining retention and limitation periods. In this section we go more in depth.
A series of principles is common to all retention schedules:27
A records retention schedule defines the length of time that records are to be kept and considers legal, regulatory, operational, and historical requirements.30 The retention schedule also includes direction as to how the length of time is calculated (i.e., the event or trigger that starts the clock [e.g., two years from completion of contract]). Legal research and opinions are required, along with consultation with owners and users of the records. Users typically overestimate the time they need to keep records, as they confuse the legal requirements with their own personal wishes. Some hard questioning has to take place, since having these records or copies of records lying around the organization on hard drives, thumb drives, or in file cabinets may create liabilities for the organization.
Disposition means not just destruction but also can mean archiving and transfer and a change in ownership and responsibility for the records. The processes of archiving and preserving are an example where records may be handed over to a historical recordkeeping unit. At this time, the records may be sampled and only selective parts of the group of records may be retained.
Records retention defines the length of time that records are to be kept and considers legal, regulatory, operational, and historical requirements.31
Disposition means not just destruction but can also mean archiving and a change in ownership and responsibility for the records.
A retention schedule allows for uniformity in the retention and disposition process, regardless of the media or location of the records. Further, it tracks, enforces, and audits the retention and disposition of records while optimizing the amount of records kept to legal minimums, which saves on capital and labor costs, and reduces liability (by discarding unneeded records that carry legal risk).32 The Generally Accepted Recordkeeping Principles® state the critical importance of having a retention schedule (see the section “Generally Accepted Recordkeeping Principles” in Chapter 3 for more details) and provide guidelines for open collaboration in developing one. In the public sector, holding records that have passed their legally required retention period also can have negative ramifications and liabilities in meeting information service requests made during litigation, compliance actions, or, for example, under the U.S. FOIA, or similar acts in other countries.
A retention schedule consists of these components:
A sample of a simple records retention schedule is shown in Figure 9.4.
If you already have existing retention schedules but are revising and updating them, there may be useful information in those schedules that can serve as a good reference point—but be wary, as they may be out of date and may not consider current legal requirements and business needs.
A retention schedule allows for uniformity in the retention and disposition process, regardless of the media or location of the records.
Source: IMERGE Consulting, Inc.
According to the U.S. National Archives, some key steps are involved in developing retention schedules:
An information map is a critical first step in developing a records retention schedule. It shows where information is created, where it resides, and who uses it.
Inventory and classification are prerequisites for compiling a retention schedule. Before starting work, develop an information map that shows where information is created, where it resides, and the path it takes. What records are created, who uses them, and how is their disposition handled? Questions like these will provide key insights in the development of the retention schedule.34 Confirm that the information map covers all the uses of the records by all parts of the organization, including use for accountability, audit, and reference purposes.
In the absence of a formal information map, at a minimum you must compile a list of all the different types of records in each business area. This list should include information about who created them and what they are used for (or record provenance), which parts of the organization have used them subsequently and for what purpose (its usage), and the actual content.
In the absence of any existing documentation or records inventory, you will need to conduct a records inventory or survey to find out what records the business unit (or organization) holds. Tools are available to scan e-records folders to expedite the inventory process. A retention schedule developed in this way will have a shorter serviceable life than one based on an information map because it will be based on existing structures rather than functions and will remain usable only as long as the organizational structure remains unchanged.
Once a records inventory or survey is complete, building a records retention schedule begins with classification of records.35
This basic classification can be grouped into three areas:
Business functions are basic business units such as accounting, legal, human re-sources, and purchasing. (See Appendix A, Information Organization and Classification: Taxonomies and Metadata, for details on the process of developing classifications.) It basically answers this question: What were you doing when you created the record?
Tools are available to scan e-records folders to expedite the inventory process.
Business activities are the tasks performed to accomplish the business function. Several activities may be associated with each function.
A records series is a group or unit of identical or related records that are normally used and filed as a unit and that can be evaluated as a unit or business function for scheduling purposes.36
A document type is a term used by many software systems to refer to a grouping of related records. When the records are all created by similar processes, then the document type is equivalent to the business functions or activities mentioned previously. However, “document type” often refers to the format of the record (e.g., presentation, meeting minutes). In this case, there is not enough information to determine a retention period because it is ambiguous regarding what type of work was being done when that document was created. Retention schedules require that record series be defined by business function and activity, not by record format or display type.
Records are grouped together for fundamental reasons to improve information organization and access. These reasons include:
After completing a records inventory including characterizing, descriptive information about the records such as their contents, use, file size, and projected growth volumes, you will need to interview staff in those target areas you are working with to determine more information about the specific organizational structure, its business functions, services, programs, and plans.37
In the course of business, there are several different types of records series. There are case records, for example, which are characterized as having a beginning and an end but are added to over time. Case records generally have titles that include names, dates, numbers, or places. These titles do not provide insight into the nature of the function of the record series. Examples of case records include personnel files, mortgage loan folders, contract and amendment/addendum records, accident reports, insurance claims, and other records that accumulate and expand over time. Although the contents of case files may be similar, you should break out each type of case record under a unique title.
After completing an inventory, developing a retention schedule begins with records classification.
Subject records (also referred to as topic or function records) “contain information relating to specific or general topics and that are arranged according to their informational content or by the function/activity/transaction they pertain to.”38 These types of records accumulate information on a particular topic or function to be added to the organization's memory and make it easier for knowledge workers to find information based on subject matter, topics, or business functions. Records such as those on the progression of relevant laws and statutes, policies, standard operating procedures, education and training have long-term reference value and should be kept until they are no longer relevant or are displaced by more current and relevant records. In a record retention schedule, the trigger event often is defined as “superseded or obsolete” Records of this type that relate to “routine operations of a [project], program or service” do not have as much enduring value and should be scheduled to be kept for a shorter period.
Are e-mail messages records? This question has been debated for years. The short answer is no, not all e-mail messages constitute a record. But how do you determine whether certain messages are a business record or not? The general answer is that a record documents a transaction or business-related event that may have legal ramifications or historic value. Most important are business activities that may relate to compliance requirements or those that could possibly come into dispute in litigation. Particular consideration should be given to financial transactions of any type.
Certainly evidence that required governance oversight or compliance activities have been completed needs to be documented and becomes a business record. Also, business transactions, where there is an exchange of money or the equivalent in goods or services is documented are also business records. Today, these transactions are often documented by a quick e-mail. And, of course, any contracts (and any progressively developed or edited versions) that are exchanged through e-mail become business records.
The form or format of a potential record is irrelevant in determining whether it should be classified as a business record. For instance, if a meeting of the board of directors is recorded by a digital video recorder and saved to DVD, it constitutes a record. If photographs are taken of a ground-breaking ceremony for a new manufacturing plant, the photos are records too. If the company's founders tape-recorded a message to future generations of management on reel-to-reel tape, it is a record also, since it has historical value. But most records are going to be in the form of paper, microfilm, or an electronic document.
Not all e-mail messages are records; those that document a business transaction or progress toward it are clearly records and require retention.
E-mail messages that document business activities, especially those that may be disputed in the future, should be retained as records.
Here are three guidelines for determining whether an e-mail message should be considered a business record:
Managing e-mail business records is challenging, even for technology professionals. According to an AIIM and ARMA survey, fully two-thirds of records managers doubt that their IT departments really understand the concept of electronic records life cycle management. That is despite the fact that 70 percent of companies rely on IT professionals alone to manage their electronic records.
Although the significance of e-mail in civil litigation cannot be overstated (it is the leading piece of evidence requested at civil trials today), one-third of IT managers state that they would be incapable of locating and retrieving e-mails that are more than one year old, according to Osterman Research.39
There are different schools of thought on e-mail retention periods and retention schedules. The retention and deletion of your electronic business records may be governed by laws or regulations. Unless your organization's e-mail and ESI records are governed by law or regulations, your organization is free to determine the retention periods and deletion schedules that are most appropriate for your organization.40 If your organization's e-mail retention periods are not specified by law or regulation, consider keeping them for at least as long as you retain paper records. Many software providers provide automated software that allows e-mail messages to be moved to controlled repositories as they are declared to be records.
Destructive retention of e-mail is a method whereby e-mail messages are retained for a limited period and then destroyed.
(We repeat this short section from Chapter 8 for those who are more focused on RIM than on legal functions.)
A destructive retention program is an approach to e-mail archiving where e-mail messages are retained for a limited time (say, 90 days), followed by the permanent manual or automatic deletion of the messages from the organization network, so long as there is no litigation hold or the e-mail has not been declared a record.
E-mail retention periods can vary from 90 days to as long as seven years:
Inactive records that are have historical value or are essential for maintaining corporate memory must be kept the longest. Although they are not needed for present operations, they still have some value to the organization and must be preserved. When it comes to preserving electronic records, this process can be complex and technical. (See Chapter 17 for details.) If you have a corporate or agency archivist, his or her input is critical.43
(This short section is repeated from Chapter 8 for those who are more focused on RIM than on legal functions.)
A key consideration in developing retention schedules is researching and determining the minimum time required to keep records that may be demanded in legal actions. “A limitation period is the length of time after which a legal action cannot be brought before the courts. Limitation periods are important because they determine the length of time records must be kept to support court action [including subsequent appeal periods]. It is important to be familiar with the purpose, principles, and special circumstances that affect limitation periods and therefore records retention.”44
(Note: This section also appears in Chapter 8 but is included here for completeness.)
Legal requirements trump all others. The retention period for a particular records series must meet minimum retention requirements as mandated by law. Business needs and other considerations are secondary. So, legal research is required before determining retention periods. Legally required retention periods must be researched for each jurisdiction (state, country) in which the business operates, so that it complies with all applicable laws.
In order to locate the regulations and citations relating to retention of records, there are two basic approaches. The first approach is to use a records retention citation service, which publishes in electronic form all of the retention-related citations. These services usually are bought on a subscription basis, as citations are updated on an annual or more frequent basis as legislation and regulations change.
Figure 9.5 is an excerpt from a Canadian records retention database product called FILELAW®. In this case, the act, citation, and retention periods are clearly identified.
Another approach is to search the laws and regulations directly using online or print resources. Records retention requirements for corporations operating in the United States may be found in the Code of Federal Regulations (CFR), the annual edition of which
is the codification of the general and permanent rules published in the Federal Register by the departments and agencies of the federal government. It is divided into 50 titles that represent broad areas subject to federal regulation. The 50 subject matter titles contain one or more individual volumes, which are updated once each calendar year, on a staggered basis. The annual update cycle is as follows: titles 1 to 16 are revised as of January 1; titles 17 to 27 are revised as of April 1; titles 28 to 41 are revised as of July 1, and titles 42 to 50 are revised as of October 1. Each title is divided into chapters, which usually bear the name of the issuing agency. Each chapter is further subdivided into parts that cover specific regulatory areas. Large parts may be subdivided into subparts. All parts are organized in sections, and most citations to the CFR refer to material at the section level.45
There is an up-to-date version that is not yet a part of the official CFR but is updated daily, the Electronic Code of Federal Regulations (e-CFR). “It is not an official legal edition of the CFR. The e-CFR is an editorial compilation of CFR material and Federal Register amendments produced by the National Archives and Records Administration's Office of the Federal Register (OFR) and the Government Printing Office.”46
Source: Ontario, Electricity Act, FILELAW database, Thomson Publishers, May 2012.
Event-based disposition is kicked off with the passage of an event, such as hiring or firing an employee, the end of a project, or the initiation of a lawsuit.
Event-based disposition can have an associated retention schedule, and the clock starts running once the event occurs. The required retention period begins only after the triggering event occurs. The length of the retention period may be regulated by law, or it may be determined by IG guidelines set internally by the organization. So, when an employee is terminated, and personnel files are destroyed after (say) five years, the retention schedule entry would be “Termination + 5 years.”
One other definition of event-based disposition comes from the U.S. e-records standard, Department of Defense 5015.2, which states that a disposition instruction in which a record is eligible for the specified disposition (transfer or destroy) upon or immediately after the specified event occurs. No retention period is applied and there is no fixed waiting period, as with “timed” or combination “timed-event” dispositions. Example: “Destroy when no longer needed for current operations.”47
Some hardware vendors, such as IBM and EMC, provide solutions that assist in executing event-based disposition with assistance from firmware (fixed instructions on a microchip). The firmware-assisted solution should be considered if your RM or IG team aims to perform a complete and thorough retention solution analysis. These hardware-based solutions can potentially streamline the event-based disposition process.48
Event-based disposition begins with the passage of a triggering event.
Triggering events may be record-related, “such as supersession or obsolescence.” This is common to a policy statement. For example, if a group of policies are to be destroyed five years after superseded or obsolete, the old policy would be held for five years after the new policy has been created.
Sounds simple. But in an attempt to meet retention requirements, organizations handle event-based triggers in different ways, ways that often are problematic. For instance, the trigger events often are not captured electronically and fed directly into the retention scheduling software or records repository to start the clock running, or the event itself is not well documented in the retention schedule so it is not consistently being applied and tracked. In other cases, the organization simply does not have the ERM functionality it needs to manage event-based triggers.
This causes many organizations to simply over-retain and keep the records indefinitely, or until disk storage is full, which means that those records are retained for an incorrect—and indefensible—time. The period is either too long or possibly too short, but it always is always inconsistent. And inconsistent means legally indefensible.
The only prudent and defensible approach is to implement the proper IG policies to manage and control the implementation of event-based disposition.
Three key prerequisite tasks must be completed before event-based disposition can be implemented:
What is needed is an agreement as to what the definition is, so that the retention period will be uniform among the record series in question, providing a defensible policy.
To gain this agreement on these blurry areas, the RM lead/manager or team will need to work with the relevant business unit representatives, IT, compliance, risk management, and any other stakeholders.
The event triggers must be clear and agreed on so that they may kick off a retention period and disposition process.
In a number of cases, the answer to these questions will rely on trigger points, such as one year after completion or four months after the board of directors' meeting. It is important to choose a trigger point that you can implement. For example, there is no point in saying that records should be kept until an individual dies, if you have no reliable way of knowing the person is alive. Instead, choose a trigger point based on the information you have about the individual; in this case, the 100th birthday might be a suitable trigger point.
To accomplish clarity and agreement on event-based triggers requires close consultation and collaboration among RM staff, business units, IT, legal, compliance, risk management, and other stakeholders, as relevant.
After completing the records values analysis and legislative and legal research, you must determine the closure criteria and final disposition (e.g., destroy, transfer, archive) for each records series. To minimize costs and litigation risk, retention periods should be kept as short as possible while meeting all applicable regulatory, legal, and business requirements.49
For e-records, retention periods may be segmented into active and inactive, or online and offline. Offline may be segmented further into on-site and off-site or archival storage.
Going back and combing through records retrieval requests and usage logs may provide helpful insights as to the needs of records users—but bear in mind that these logs may be misleading as users may have (in the past, before a formal IG program was implemented) kept shadow copies of files on their local hard drives or backed up to flash drives or other storage devices.
A clear closure start date is required to kick off a retention period for any record, whether the retention is scheduled for on- or off-site. Calendar or fiscal year-ends are typical and practical closure dates for subject or topical records. The date used to indicate the start year is usually the date the file closed or the date of last use or update. In a university setting, school year-end may be more logical. Still, a reasoned analysis is required to determine the best closure start date for subject records in your organization.
Case records are different; logically, their closure date is set when a case record is completed (e.g., the date when an employee resigns, retires, or is terminated).
Future dates may be used, such as an employee promotion date, student graduation, or project completion. After consulting those who create and handle the records series you are analyzing, apply good business judgment and common sense when determining closure dates.50
There may be some vital, historical, or other critical records that, in the best interests of the organization, need to be retained permanently. This is rare, and storing records long term must be scrutinized heavily. If certain electronic records are to be retained indefinitely or permanently, then LTDP policies and techniques must be used. (See Chapter 17 for more details.)
Transitory documents usually do not rise to the level of becoming a record; they are temporary and are useful only in the short term, such as direct mail or e-mail advertising (brochures, price lists, etc.), draft documents (although not all are transitory, and some may need longer retention periods, such as draft contracts) and work in progress, duplicates, external publications (e.g., magazines, journals, newspapers, etc.), and temporary notices (e.g., company picnic, holiday party, or football pool). You must consider transitory records in your master records retention schedule.
Automated programs that interpret these retention periods are the best way to ensure that records are disposed of at the correct time and that an audit trail of the disposition is maintained.
Upon completion of the records retention schedule, project management best practices dictate that it be signed off by an executive or project sponsor, to indicate it has been completed and there is no more work to be done on that phase of the project. In addition, you may want to gain the sign-off and acceptance by other key stakeholders, such as senior representatives from legal, IT, the board of directors or executive committee, and perhaps audit and information governance. The schedule should be updated when new record types are introduced and, in any case, at least annually.
It is much easier to time or schedule the disposal of e-records than of paper or physical records, but true and complete destruction of all traces of a record cannot be done by hitting a simple “delete” key. There must be a process in place to verify the total destruction of all copies of the record. (See Chapter 17 for more details.) Records destruction can occur daily, routinely, or be scheduled at intervals (i.e., monthly or quarterly).
ERM systems typically are capable of automatically executing a record deletion when a record has reached the end of its life cycle. Often these systems have a safety feature that allows an operator who has the authority to review deletions before they are performed.
To make a retention schedule change, such as extending the life of a record series, IG controls must be in place. So, usually, ERM systems require that a person of higher authority than the system operator make these approvals. Every subsequent delay in destroying the records often requires an escalation in approval period to extend the time that records are kept past the destruction date.
In some environments, especially in the public sector, a certificate of destruction or other documentation is required to prove that a record and all its copies have been completely deleted (including its metadata—although at times it is beneficial to retain metadata longer than the record itself; see Appendix A, “Information Organization and Classification,” for more details). ERM systems can be configured to keep an audit trail and prove that destruction has occurred.
Records series are not static; they change, are added to, and are amended. New record functions emerge, based on changes in business, acquisitions, and divestitures. So it is necessary for organizations to review and update—at least annually—their records retention schedule.
In addition, retention requirements change as legislation changes, lawsuits are filed, and the organization refines and improves its IG policies. Development of a records retention schedule is not a one-time project; it requires attention, maintenance, and updating on a regular schedule, and using a controlled change process.
Once your organization establishes records retention schedules for business units, or a master retention schedule, there must be IG policies in place to audit and ensure that policies are being followed. This is a key requirement of maintaining a legally defensible retention schedule that will hold up to legal challenges.
1. International Organization for Standardization, ISO 15489-1: 2001 Information and Documentation—Records Management. Part 1: General (Geneva: ISO, 2001), section 3.15.
3. ARMA.org, “What Is Records Management?” 2009, www.arma.org/pdf/WhatIsRIM.pdf. (accessed December 2, 2013).
4. Microsoft White Paper, “Records Management with Office SharePoint Server,” 2007, www.microsoft.com/en-us/download/details.aspx?id=15932, Used with permission from Microsoft. (accessed December 2, 2013).
8. U.S. Environmental Protection Agency, “Why Records Management? Ten Business Reasons,” updated March 8, 2012, www.epa.gov/records/what/quest1.htm.
9. U.S. National Archives and Records Admmistration,Disposition of Federal Records: A Records Management Handbook, 2000, Web edition, www.archives.gov/records-mgmt/publications/disposition-of-federal-records/chapter-3.html.
11. State and Consumer Services Agency Department of General Services, Electronic Records Management Handbook, State of California Records Management Program (February 2002), www.documents.dgs.ca.gov/osp/recs/ermhbkall.pdf.
12. U.S. Environmental Protection Agency, “Six Steps to Better Files,” updated March 8, 2012, www.epa.gov/records/tools/toolkits/6step/6step-02.htm.
13. Margaret Rouse, “Generally Accepted Recordkeeping Principles,” updated March 2011, http://searchcompliance.techtarget.com/definition/Generally-Accepted-Recordkeeping-Principles-GARP (accessed March 19, 2012).
16. Public Record Office, “Guidance for an Inventory of Electronic Record Collections: A Toolkit,” September 2000, www.humanrightsinitiative.org/programs/ai/rti/implementation/general/guidance_for_inventory_elect_rec_collection.pdf, pp. 5–6.
17. Ibid. (accessed December 2, 2013).
18. National Archives, “Frequently Asked Questions about Records Inventories,” updated October 27, 2000, www.archives.gov/records-mgmt/faqs/inventories.html.
19. William Saffady, “Managing Electronic Records, 4th ed.,” Journal of the Medical Library Association, 2009, www.ncbi.nlm.nih.gov/pmc/articles/PMC2947138/.
20. Jesse Wilkins, “The First Step: Inventory Your Electronic Records,” http://pr1vacy.blogspot.mx/2005/11/first-step-inventory-your-electronic.html (accessed October 11, 2012).
23. Quotes in this section are from Government of Alberta, Records and Information Management, www.im.gov.ab.ca/index.cfm?page=imtopics/Records.html. (accessed December 2, 2013).
24. Maryland State Archives, “Retention Schedule Preparation,” June 1, 2012, www.msa.md.gov/msa/intromsa/html/record_mgmt/retention_schedule.html.
25. National Health Service, “Connecting for Health,” www.connectingforhealth.nhs.uk/ (accessed April 10, 2012).
26. Wortzman Nickle Professional Corporation, “Effective Records Management—Part 4—Ensuring Adoption and Compliance of RM Policy,” 2009, www.wortzmannickle.com/ediscovery-blog/2011/12/14/rmpart4/ (accessed April 12, 2012).
27. Government of Alberta, “Developing Retention and Disposition Schedules.”
28. National Archives, “Disposition of Federal Records.”
29. Government of Alberta, “Developing Retention and Disposition Schedules.”
30. National Archives, “Frequently Asked Questions about Records Scheduling and Disposition.”
32. University of Edinburgh, Records Management Section, July 5, 2012, www.recordsmanagement.ed.ac.uk/InfoStaff/RMstaff/Retention/Retention.htm.
33. National Archives, “Frequently Asked Questions about Records Scheduling and Disposition.” http://www.archives.gov/records-mgmt/faqs/scheduling.html#steps accessed December 2, 2013.
34. University of Edinburgh, Records Management Section.
35. National Archives, “Frequently Asked Questions about Records Scheduling and Disposition.”
36. University of Toronto Archives, “Glossary,” www.library.utoronto.ca/utarms/info/glossary.html (accessed September 10, 2012).
37. Government of Alberta, “Developing Retention and Disposition Schedules.”
39. Marty Foltyn, “Getting Up to Speed on FRCP,” June 29, 2007, www.enterprisestorageforum.com/continuity/features/article.php/3686491/Getting-Up-To-Speed-On-FRCP.htm.
40. Nancy Flynn, The E-Policy Handbook (New York: AMACOM, 2009), pp. 24–25.
41. ArcMail Blog http://arcmail.com/blog/archiving-rules-the-dangers-of-destructive-retention/ (accessed Dec. 2, 2013).
42. Mary Flood, “Survey: They see a more litigious future,” October 18, 2010, http://blog.chron.com/houstonlegal/2010/10/survey-they-see-a-more-litigious-future/ (accessed Dec. 2, 2013).
44. Government of Alberta, “Developing Retention and Disposition Schedules,” p. 122.
45. U.S. Government Printing Office, Code of Federal Regulations, www.gpo.gov/help/index.html#about_code_of_federal_regulations.htm (accessed April 22, 2012).
46. U.S. National Archives and Records Administration, “Electronic Code of Federal Regulations,” October 2, 2012, http://ecfr.gpoaccess.gov/cgi/t/text/text-idx?c=ecfr&tpl=%2Findex.tpl.
47. Department of Defense, “Design Criteria Standard for Electronic Records Management Software Applications,” July 19, 2002, http://jitc.fhu.disa.mil/cgi/rma/downloads/p50152s2.doc.
48. Craig Rhinehart, IBM, e-mail to author, July 30, 2012.
49. Government of Alberta, “Records and Information Management.”
3.15.228.246