The 20th century concept for records management was simple: Preserve certain categories of paper records for time periods according to a retention schedule determined by applicable legal rules. Essentially, preserving records meant doing just that: preserving the final, printed information asset for a designated period of time.
This allowed regulators, if necessary, to access and rely on those records to evaluate a company's performance against other applicable rules regulating corporate behavior. These rules could include a wide range of business processes, including the correct calculation of revenues and expenses, the safe production and distribution of manufactured products or the proper administration of medical procedures. Achieving records management compliance, in its essence, involved preserving records that could demonstrate a company's efforts to adhere to laws applicable to its operations.
In the 21st century, the global regulatory landscape is shifting rapidly, and most companies omit vital elements increasingly required to achieve records management compliance. With the introduction of data processing, electronic commerce and digital communications, a company's records and information management processes have changed in three significant ways. Overlooking these "missing links" drive up compliance costs and makes it more likely that company records will not satisfy increasingly rigorous inspections and examinations:
- First, regulatory agencies are no longer solely interested in the printed version of an information record. After all, some estimates suggest over 80% of corporate information is never produced as tangible paper documents. Regulatory agencies require companies to preserve the "electronic original" as well as earlier versions or drafts that may indicate changes or alterations that have occurred. In other words, as with fine art or expensive wine, agencies want to know the provenance of the information and see records to prove it.
The global regulatory landscape is shifting rapidly, and most companies omit vital elements increasingly required to achieve records management compliance.
- Second, regulatory agencies can no longer rely on the "finality" of paper documents. Regulators are fully aware that even what is deemed the final versions of digital records are subject to manipulation, particularly if those records contain data adverse to a company's compliance requirements. Increasingly, regulatory agencies look for information security controls that maintain the authenticity and integrity of digital records after the "final" versions are determined and distributed.
- Third, the increased use of third-party, cloud-based services is forcing regulatory agencies to assure legally-mandated records management processes are, in fact, being conducted under the control of the company subject to the regulatory jurisdiction even though the data may be under control of a storage provider.
These are the three missing links to achieving records management compliance: Showing information provenance, demonstrating its authenticity/integrity and preserving control of responsive records stored across broadly distributed, sometimes global, networks. To fill these lacking areas, companies should maintain documents and data that demonstrate the history of information assets and treat this historical data as company "records" to help prove compliance. Think of it using this comparison: The audit trail for information assets should be designed the same as audit trails that outline product safety or prove the accuracy of its financial reporting.
To make this project successful -- and affordable -- a company should consider three shifts in how they build new systems, applications and information assets:
First, any new systems, applications and processes should be designed, built and launched with the records management compliance requirements baked into their design. This means new seats at the enterprise IT architecture design table for information governance, information security and the legal function.
Doing so enables all of the company compliance stakeholders to identify what types of records about the information assets will be needed to report to federal agencies. This also imposes responsibility on those stakeholders to research and determine exactly what the organization's information assets are.
Second, historical information about a record should be accessible from the record itself. Lawyers call this "self-authenticating." It allows anyone accessing the record, including regulatory examiners, to acquire a holistic view of the information asset's provenance without excessive investigation.
More on records management strategy
The business benefits of information governance strategy
In digital age, records and information managers forced to adapt
This is an element that many application developers and IT architects do not include during design. Building blocks such as access logs that help self-authenticate records should be created within an application but are often overlooked.
Third, records that outline process design and self-authenticating data should be preserved in parallel to the primary records they refer to. This process design and self-authenticating information should be included as part of audit trail records to help display integrity of the records being examined by regulators. This, after all, is what preserving records for compliance is all about.
For existing systems or applications, companies should look for opportunities to retroactively build records clearly outlining their information assets. These opportunities may be hard to recognize and even harder to fund. Consistency, however, among records management compliance-related business practices reduces the possibilities of information asset data being challenged as legally insufficient.
About the author:
Jeffrey Ritter is one of the nation's experts in the converging complexity of information management, e-discovery and the emergence of cloud-based services. He advises companies and governments on successful 21st-century strategies for managing digital information with legal and evidential value. He is currently developing and teaching courses on information governance at Johns Hopkins University's Whiting School of Engineering and Georgetown University Law. Learn more at www.jeffreyritter.com.