.jpg)
|
Bridging the Gap:
Organizations that want to survive legal and regulatory compliance requirements must not only have robust records management programs, those programs must integrate business management, legal departments, records management, and information technology management. These four groups need to cooperate and collaborate on records management policies and procedures. The challenge in effecting this collaboration is that these four groups speak different languages and have different concepts of requirements. A common understanding has developed between selected pairs of these groups. Business managers and legal advisors have a longer history of working together and that history has resulted in better communications. Business managers and information technology managers have had a long history, though a much more turbulent relationship. Business managers and records managers also have a history of cooperation. One pairing that has not received as much attention is between records managers and information technology (IT) managers. Their dialogue is complicated by the medium of the computer itself. For many years, records managers have been paper-based in their thinking. Even when computers were used to replace paper, many organizations still used the computer systems to generate paper for recordkeeping purposes. Thus the records manager has to understand the differences that an electronic system implies. The IT manager has to understand the paper-based solutions that are being used. We are accustomed to thinking in terms of paper, what it represents, how it is arranged and stored, and how we dispose of it. People have different attitudes toward paper records than toward electronic records. An example often crops up in information security. The same employee who would never leave an open folder of confidential papers on the desk thinks little of leaving an electronic copy of such information open on the desktop computer while going for coffee. The integration of records management and IT management is complicated by different vocabularies, terminologies, and constructs. IT is a discipline often described in terms only truly comprehensible to the IT staff. Records managers are not trained to think in IT terms about record creation, maintenance, and disposition. In most organizations, integration is also complicated by the need to do it quickly. Time pressure to implement records management systems adequate to legal and regulatory challenges is significant. The issue becomes how to accomplish a rigorous and timely integration without requiring records management staff to become IT knowledgeable and vice versa. The approach that may work best is to focus on developing the right questions rather than knowing the answers. Here are a few examples of the issues that can arise in the dialogue between records managers and IT.
Completeness of a record In a criminal case, a chain of custody must be preserved for key pieces of evidence. That implies that every person who touches the evidence, every time evidence is moved, and every place the evidence is moved to must be documented. In a paper-based system, log sheets are kept in each location and sign out/sign in are required. If such a system is being replaced by an electronic evidence tracking system, the chain of custody information must be preserved. Electronic logging and bar code tracking are some techniques for preservation. The records manager must be able to explain the requirements to the IT manager. That’s usually not difficult to design into a database management system. Capturing instances in the chain of custody is important but being able to produce the whole chain is essential. So the database must keep each instance of movement as a discrete record and be able to assemble the entire chain when required. The system must be tamper-proof, and must be able to prove that it is so. The records manager must be able to convey the complete requirements.
Privacy and confidentiality of records Another example is that of a paper-based system that manages personal information. A simple example of that might be a system that assigns and manages identification badges for an organization’s staff. This is a good example because the paper-based approach may actually have involved 2 filing systems and the electronic version may combine those systems in ways that violate privacy laws. The paper-based badge system probably used a form where the individual recorded name, office designator, and office telephone number. Another paper-based system may have been accessed to verify name and social security number (SSN). The replacement electronic system may combine these systems in one or two ways. The SSN could be added into the system so that a separate access is not required. Alternatively if the name/SSN system has been automated, the electronic system could query the name and obtain the SSN. This combination creates a potential privacy issue. Federal rules on privacy state that any two pieces of personally identifiable information (here, name and SSN) that can be combined without human intervention constitutes a record that must be protected from disclosure under the Privacy Act. Under the paper-based system, information is accessed and combined only by a human action. In the electronic version, the combination is automatic. The two paper systems can be combined but that means the information security protections for the automated system must be more rigorous. This situation has to be conveyed to the IT developers.
Electronic mail requirements A final example is electronic mail (email). Under Federal regulations, email is subject to discovery in legal proceedings. That means that all email exchanges about the topic being litigated have to be preserved and collected together. Federal regulations regarding email emphasize that email systems must be capable of gathering all email related to a subject, including individual information message headings. Further, these regulations state that taking email backups is inadequate for preservation of email unless the email system can associate all exchanges involving a subject and can preserve this information for the requisite time period. The IT managers involved in selecting electronic mail software must be aware of these requirements. Retention periods are specific for various record types. For instance, tax information has to be kept for a specific period of time. Email systems must preserve information for the retention period required by the subject matter. That means IT administrators must not purge email files based on a general date but must either examine each record type or request the records managers to review and delete records. Summary These are just a few of the challenges organizations face in integrating their records management program with their IT management program. To move forward expeditiously on this integration, organizations need to focus on developing the questions that will allow records management staff to verify that records management requirements are being met in electronic systems in place and/or proposed. There is a temptation to have the records manager learn enough about the IT system to ask IT-related questions. This is not a good idea because it is too easy to ask a question that solicits a correct but incomplete answer. Knowing the right questions is far more important than being able to have the right answer. |