Records Management Redefined: From the Backroom to the Boardroom
What is Records Management? Records management is the application of policies, practices, technologies and other management controls related to information in order to:
1. Support business operations and processes; and
2. Protect legal interests and respond to regulators.
Good records management practices allow information to be easily accessed and reproduced on demand, regardless of location or form. Records management requires that an organization’s “treasure trove” of business content, data, records, messages, documents and so on (collectively referred to here as “information”) is managed over time, based upon its intrinsic value. A value-based approach dictates that limited company resources should not be spent managing less valuable information such as drafts, non-records and duplicates, for example. While simply “keeping everything forever” ensures that the information exists, it does not ensure that the right information can be found and produced when needed. Not only does such an approach add time and expense to records management, it may create liability by allowing information to be revealed in the context of litigation that could have been discarded in due course.
Furthermore, failing to properly capture, index and store records and other significant business content according to business rules and retention schedules may have the same effect as losing or destroying it. Courts have made clear that “utilizing a system of recordkeeping which conceals rather than discloses or makes it unduly difficult to locate” information may be the equivalent of destroying records.
While most organizations have programs that address paper records, these same organizations commonly fail to develop similar programs for methodically managing electronic records and other digital information. Organizations spend vast resources on e-mail and other communication systems, but often fail to spend enough to ensure that e-mail records are managed as a business asset. Part of the problem is that the definition of a “business record” in the digital world is rapidly changing and may require a new approach to records management—ideally, an approach that reflects the depth of an organization’s reliance upon information technology and promotes both business and legal interests. Organizations need an approach that reflects today’s business reality: organizations conduct business a multitude of ways, using a multitude of technologies and communications devices.
Failing to address these challenges exposes organizations to unnecessary risk, hampers regulatory and policy compliance, breeds mistrust among investors and citizens and makes business processes (such as CRM and transaction processing) less productive, so there are more than adequate incentives to get it right up front.
Approaches to Records Management
Each organization is unique and has different needs and priorities. However, it is clear that proper management should be a priority, and that there are several concepts and activities that are required in every organization:
1. Manage and retain by value, not by format. A fundamental goal of any records management program is the identification and proper retention of required information. However, many organizations put themselves at risk by recycling storage media and by purging retired computer systems without considering the megabytes of potentially significant business content that may be lost in the process.
Significant digital business content is created by a multitude of software applications and stored on a multitude of hardware devices. In many cases, if the same content were created in paper form, it likely would be retained and managed in accordance with records management policies. Consequently, only by managing digital information according to its legal and business value and not according to its method of creation can organizations ensure that they are acting in their best interests. However, the current reality is that most organizations are good at applying such policies to paper records, but they fail miserably when it comes to digital information. The IT department often makes decisions about “what data shall live and what data shall die” without regard to overarching legal and regulatory issues. As the Applied Telematics case (available in the full-length white paper—see footnote) indicates, such actions may create substantial liability.
2. Manage in electronic form. Digital business content often contains information that is lost or significantly altered when it is reduced to printed form. For example, digital documents may contain metadata (i.e., “data about data”) indicating title, author, reviewers, edits, and storage locations, among other things. While such metadata enables document management applications, it may also be crucial for determining a document’s authenticity or “chain of custody.” Unfortunately, this important information may be lost when the document is printed and the original digital file is destroyed. Courts and rules of evidence have responded to these facts by allowing (and in some cases requiring) parties to a dispute to have access to digital “live” versions of electronic records despite the fact that “complete” paper versions were already available.
In Public Citizen v. John Carlin, the court asserted that records created electronically should remain in electronic form because there was information available in that format that was not available when printed to paper. The example of a spreadsheet calculation was used to demonstrate the point. While the case was overturned for unrelated reasons, there are certain regulators, such as the FDA, which believes that “once electronic, always electronic” is the only way to retain such records. Further, there are many business benefits to managing digital content in its original form, such as ease of searching, retrieval, integration and dissemination.
Consequently, organizations should manage digital content in its original format whenever practical or required.
3. Manage from creation to disposition. Organizations can only truly appreciate the challenge of managing records after viewing it within the context of an information management lifecycle—a holistic viewpoint that considers information as having a living, breathing existence with a beginning, middle and end, with varying importance in each phase. This section identifies the five basic phases within the information management lifecycle, and their concomitant records management challenges and solutions.
a. Capture: Most electronic information comes into existence without prior thought as to how it will be identified, retained, protected and made accessible in the future, when in fact such considerations should be an inherent part of any technology purchasing and implementation cycle. It is much easier and cheaper to build a new system correctly from the outset than to break old habits and modify an entrenched installation. In addition, employees should be trained to identify and retain records that they generate directly, and their conduct in this regard should be audited.
b. Index: While the content of a paper document is obvious “on its face,” viewing the contents of a digital document depends on software and hardware. Further, the contents of digital storage media cannot be easily accessed without some clue as to its structure and format. Consequently, the proper indexing of digital content is fundamental to its utility. Without an index, retrieving digital information is expensive and time consuming, if it can be retrieved at all. In a recent case, a company could not search imaged medical claims records because the wrong metadata had been used in the indexing process, and they were therefore required to open and examine each record individually at great expens