Records Management - Record Definition

From EDRM

Information Management

The Records Management Program The Objectives of a Comprehensive Records Management Program Record Definition Incorporation of Electronic Records into a RM Program The Complexity of Metadata Managing Information Copies/Duplicates Records Storage and Maintenance Storage/Access/Security/Disposition of Records - Legal Requirements Records Disposition Program Assessment/Audit Training Suspension of Records Destruction During Litigation Holds When the Duty to Preserve Relevant Materials Arises What Happens to Records Once Hold Terminated Emerging Technologies Records Management - RM Technology Solutions E-Mail Content Filtering and Monitoring Software E-Mail Archiving Encryption and Security EDMS/ECMS/RMS Web-Based Compliance Training Records Home Page Other Solutions Additional Materials Participants

Contents 1 What is a Record? - ISO Definition 2 Record Identification 3 Record Capture (Metadata) 4 Vital Records 4.1 Categories of Vital Records 4.2 Methods of Protecting Vital Records 4.2.1 Duplication and Dispersal 4.2.2 On-Site Storage 4.2.3 Off-Site Storage 4.3 Backing Up Vital Records 4.3.1 Stand-Alone Departmental Systems 4.4 The Vital Records Disaster Management Team 4.4.1 Institutional Staff Members 4.4.2 Auxiliary Members 5 Footnotes

What is a Record? - ISO Definition

ISO 15489 definition of a record:

A "record" is information created, received, and maintained as evidence by an organization or person in the transaction of business, or in the pursuance of legal obligations, "regardless of media".

A record can also be thought of as information that holds operational, legal, fiscal, vital or historical value. Following are some examples of records:

• A final draft of a contract;
• Evaluation report of a current employee;
• Insurance related documents; and
• Company charter.

On the other hand, information with no operational, legal, fiscal, or historical value is not a record. Duplicates and copies of existing, maintained records are also not records. These should be disposed of as soon as they are no longer of use or value. Retaining such beyond their use is a liability to any organization. Following are some examples:

• Personal messages;
• Email inviting staff to a birthday party;
• Routine notices; and
• A phone message note "Call Joe back after 3 pm."

(back to top)

Record Identification

After information is produced, the employee must determine if it is a record. Each employee should be familiar with the ISO record definition from their Records Management training. Training should explain exactly how records should be retained (i.e. where records will be stored, for how long and in what form.) The training should teach the employee to ask: "Does this information reflect an activity of the business? Does it reflect fiscal, operational, administrative, legal, vital or historical value?" If it does, then the information is a record, and steps must be taken to retain it and its associated metadata.

The record representative of each department in a company is responsible for assisting employees in identifying, retaining, and organizing the records they create. These representatives are implanted resources that mediate between the business departments and the Records Management office.

(back to top)

Record Capture (Metadata)

Upon the declaration that a document is a record, the document and its existing metadata must be captured. At this point, a new piece of metadata will be added, the RM classification of the record.

The RM program might physically move the record into a separate repository, move it into a repository with all of the enterprise data (with slightly different metadata, like "Read Only" and the RM classification) or keep the document where it is, but record the metadata into the RM Program.

There are several considerations to take into account within the confines of the RM Program:

• How the record is going to be captured;
• When the record will be captured;
• What metadata will be captured; and
• How the document declaration will be made.

The RM Program will also need to account for different categories of electronic documents, like email and Word or Excel files and databases.

The document declaration is the step that requires the most of the end user. For all of the documents and communications an employee creates, sends and receives, he must decide which ones are "records" and indicate that to the RM system. There is a delicate balance between the need to accurately capture the record's metadata and to not interrupt the employee from his work. A document declaration step that is too intrusive risks not only hindering employee productivity, but might even result in records not being declared as employees bypass the burdens of the declaration process. On the other hand, a document declaration process that asks too little risks irrelevance in the enterprise.

One attempt around this dilemma is to automate the declaration of records. This would necessarily involve a conceptual analysis of the document to determine if it is a record, and if so, what its classification should be. This has been the holy grail of ERM for years and has yet to be implemented on a widespread basis.

Until this is achieved, the declaration process will require manual intervention. Current methodologies include having a dialog box appear that demands user input before a document is saved or sent. It allows a user to click classification options from drop-down boxes and drag a file or message to one of a set of RM folders. The file or message then inherits the RM properties of the folder.

Another consideration is the timing of the declaration. Some file and email systems allow for metadata modification, meaning that a declaration made after the document is sent or initially saved might include altered metadata. This may not cause concern in the RM world, but could raise preservation concerns during discovery.

A final consideration is what metadata needs to be captured by an RM system. The RM group might care for little other than the date, author and classification of a document, while discovery users will need a great deal more.

(back to top)

Vital Records

Vital records are any records, regardless of archival value, that are essential to the functions of an organization during and after an emergency. They also include those records essential to the protection of the rights and interests of that organization and of the individuals for whose rights and interests it has responsibility. Roughly 3% - 8% of an organization's records are vital(ref to be added). The loss of vital records during a disaster could result in the disruption of essential services, exposure to unplanned expenses of financial settlements or loss of revenue, increased vulnerability to litigation, and loss of productivity due to gaps in information. The length of retention of vital records is often mandated by internal company policy as well as by regional and federal statute (rules and regulations).

A document can evolve from the general case to a vital record. If an organization is anticipating or engaged in a legal or regulatory discovery request, or internal investigation, then the records and documents associated with the matter become vital records. Documents that are deemed vital to discovery may include custodian files, email and instant messages stored on servers, PCs/laptops, handheld devices such as a BlackBerry and portable hard drives. These documents must be identified and declared records for discovery purposes. They become vital records to the matter and should be managed as such. Furthermore, an existing vital record may be identified as relevant to a legal matter or internal investigation. In this case, the retention date for the record may have to be changed to meeting the overriding requirement of the legal matter.

(back to top)

Categories of Vital Records

Vital records fall into two general categories:

• "'Emergency Operating Records"'

These are records which are needed immediately by fire and safety personnel during an actual emergency and records which are needed by an organization's management and staff members assigned to disaster recovery efforts.

• "'Rights and Interest Records"'

These are records which are needed by an organization's staff to continue mandated operations and services during and after the actual emergency and in order to preserve the legal and financial rights and interests of the organization and the individuals directly affected by its activities.

Procedural considerations include routinely updating vital records, prohibiting food, beverages and smoking in records areas, segregating combustible material, and conducting periodic electrical, building and fire inspections. Another important procedure is the regular testing of a vital records program through simulations to ensure adequate functioning in the event of a genuine emergency. Exclusive reliance upon on-site vital records protection measures is not recommended because of the potential for total or near total destruction of a single location in a disaster.

(back to top)

Methods of Protecting Vital Records

Common methods of protecting vital records are:

Duplication and Dispersal

This technique involves the distribution of duplicate copies created in paper, microfilm, or electronic format to locations other than the institution's primary office space. Such dispersal may be either routine or planned. During the regular course of business, duplicates of vital records are often routinely distributed to other buildings. So long as these duplicates are designated as the vital records security copy and maintained in the proper conditions for the same length of time as the primary copy, the information they contain would be protected. In cases where copies of vital records are not routinely dispersed, each office must plan to have copies of vital records distributed to alternative sites specifically for protection purposes. Such copies should be sent to designated buildings and kept for the full retention period.

Using the dispersal method of protection requires constant monitoring by each office to ensure that the vital records security copy is updated on a periodic basis (called cycling). It is also essential that this copy be dispersed to a location that would not be affected by an area-wide disaster that could destroy both the copy and the primary records, but yet be sufficiently close that the security copy is readily accessible if needed.

(back to top)

On-Site Storage

Each office can protect its vital records by storing them in fire-resistant vaults, safes, or file cabinets. Such equipment is rated according to the maximum number of hours of exposure to fire and maximum temperature at which they will protect records.

Magnetic tape, microfilm, diskettes, CD-ROM's, and photographic records require special equipment ratings because of their susceptibility to high humidity levels. The National Fire Protection Association publishes standards for these types of protective equipment which can be located at http://www.nfpa.org/Home/index.asp.

The major disadvantage to on-site storage of vital records is the potential for total or near destruction or contamination of the organization's primary office area in the event of a disaster.

(back to top)

Off-Site Storage

Involves keeping vital records in a single location separate from the central building. An off-site storage center should be close enough for access, control, and updating. Locations which may be considered for off-site vital records storage include other organizations' buildings within a locality which are reasonably secure (neighboring organizations could exchange vital records, thereby using their neighbor's facility as an off-site storage location), or a commercial storage vendor. The advantages of central, off-site storage include:

• General effectiveness - It is less likely that an off-site storage facility will be affected by the same disaster that occurs to your building;
• Ease of retrieval - Unlike dispersal techniques where vital records may be distributed to a number of off-site locations, central off-site storage simplifies access;
• Ease of control - The ability to incorporate the same design and procedural considerations for security, facility and equipment compatibility, as used in on-site storage, and
• Ease of staffing - The ability to use trained records professionals to administer the facility.^[1]

For off-site storage of backup tapes and disks, the team coordinator is responsible and the appropriate vendors, if necessary, should be contacted. At a minimum, each office should save its vital electronic records to the organization's Local Area Network servers on a periodic basis if routine backups are made and/or make backup copies of vital electronic records on floppy disks, tapes, or CD-ROM's, and store them at an alternative off-site storage location.^[2]

(back to top)

Backing Up Vital Records

To protect information and records from accidental erasure, hardware malfunction, or disaster, back-up procedures for information and records stored on the organization's computers must be instituted. Departments will determine a regular back-up schedule and assign responsibility for insuring that the back-up schedule is kept.

(back to top)

Stand-Alone Departmental Systems

In developing a regular schedule for the backup of information on stand-alone departmental systems, frequency of back-ups must be determined. This should be based on:

• The frequency with which changes are made;
• The volume of changes made;
• The importance of the records or information to the function of the department. For instance, if the database is updated daily and if the office would suffer operationally without the information in the database, then back-ups should be done on a daily basis; and
• The number of back-ups.

The general rule for good back-up procedures dictates that there be three generations of back-up. For instance, data backed up on a daily basis would have back-up versions for three days. On the fourth day, the oldest back-up version would be overwritten by that day's back-up procedure.

(back to top)

Some departments have a local area network to which their departmental computers are attached. Normally, the network system administrator has responsibility for backing up files stored on the network, and these procedures are determined by departmental management. It is important to note, however, that one should not assume that their files are being backed up just because their computer is attached to the departmental network. Any file that is created and maintained on a computer attached to a network will only be backed up if the person who created the file takes the extra step of copying the file to the network server. The department, in this case, should publish its network back-up schedule and encourage staff to copy important files to the server. NOTE: Information Technologies (IT) Network and System Services staff have responsibility for the back up and protection of all files residing on IT's centrally supported computing systems.

In the context of protecting records and information, departments must determine whether their computers are vulnerable to theft. Departments are responsible for instituting measures for the physical security of system hardware, if hardware is determined to be vulnerable (by location, traffic, or previous history). Departments should seek assistance in selecting an appropriate physical security device, which can then be installed by the Lock Shop or by the department.

Documentation of departmental electronic recordkeeping systems must be available to support the uninterrupted functioning of the department in the event that the person who set up the system(s) is no longer available. It is important to document the following:

• The location of software disks and software documentation;
• The backup and recovery procedures used by the department;
• The file-naming standards and classification schemes used by the department; and
• A list of data bases and spreadsheets that support departmental functions, including a description of the application and its purpose, a listing of spreadsheet cell formulas, a listing of database field names, and a definition of any programs that are run in conjunction with departmental applications.

This is an important step in having a vital records team in place and ensuring that the business will be operating in good times, bad times, and even with unexpected disasters. This is also an important step towards ensuring that the organization is in compliance with recent regulations.

The protection and preservation of vital records is essential to the maintenance of organizations. The most important step an organization can take to protect its vital records is to develop a Vital Records Protection Plan, the goals of which are to prevent the loss of information critical to the continuing operation of the organization, to recover damaged information, and to resume operations quickly and efficiently. This plan is intended to deal with disasters involving the organization's vital records.

(back to top)

The Vital Records Disaster Management Team

Organizations should establish a vital records disaster management team. The following list identifies personnel that would be key in having a successful vital records team. The Vital Records Disaster Management Team will help prepare, implement and update the Vital Records Protection Plan. The team should consist of the following members:

Institutional Staff Members

• Team Coordinator: Overall responsibility for disaster recovery operations.
• Assistant Coordinators: Provide assistance in identifying vital records, assessing damage, and selecting recovery methods.
• Records Manager: Assists with recovery operations and records scheduling.

Auxiliary Members

• Director of Operations: Coordinates overall recovery activity and serves as chief liaison with fiscal and purchasing offices.
• Facilities Manager/Security: Has overall responsibility for security and safety of physical structure.
• Information Systems Manager: Serves as advisor to overall systems backup for the organization's computer systems.
• Fiscal Officer: Approves emergency expenditures relating to disaster.
• Purchasing Officer: Provides support for emergency recovery operations by expediting purchases of supplies and equipment.
• Legal Counsel: Provides advice on legal issues associated with disaster response.
• Press Officer: Prepares press releases and works with media to issue accurate and timely information in a disaster situation.

The staff members of the Vital Records Disaster Management Team should meet on an annual basis to review procedures relating to disaster preparedness and disaster response. Auxiliary members will be consulted periodically on specific issues as they arise. They will also review their Vital Records Inventory Forms on an annual basis to ensure that all information is accurate and will submit updated forms to the team for incorporation in the plan. Only those records listed on the official inventory forms maintained by the Assistant Coordinator will be considered vital if a disaster occurs. Other staff members will be kept informed of any changes or updates, and the team will periodically conduct training exercises.^[3]

(back to top)

Footnotes

1. ^  http://www.state.de.us/sos/dpa/govsvcs/records_policies/vital%20records%20management.shtml (last visited by author October 10, 2005).
2. ^  http://www.phmc.state.pa.us/bah/RecordsMgnt/LocalGovDisasterPlanning.asp?secid=43 (last visited by author October 10, 2005).
3. ^  http://www.state.de.us/sos/dpa/govsvcs/records_policies/vital%20records%20management.shtml (last visited by author October 10, 2005).

(back to top)