
Post on 20-Dec-2015


Page 1: July 2005 Electronic Records Management. Why have an e-records management program? Compliance with federal, state or local regulations –HIPAA, Sarbanes-Oxley,

July 2005

Electronic Records Management


Why have an e-records management program?

• Compliance with federal, state or local regulations

– HIPAA, Sarbanes-Oxley, Gramm-Leach-Bliley, FACTA, FERPA, CFR, IRS

• Control over “rogue” systems

• Support mission-critical decisions

• Reduce low-quality decisions

• Improve system performance

• Reduce risk and potential for liability


• Legal status of e-records as records

– Burst.com v. Microsoft

– Zubulake v. UBS Warburg LLC

• Value to organization for administrative, historical, evidential or longitudinal purposes

• Ease of manipulation and mishandling


Program Elements:

• Planning

• Policy development, implementation and compliance

• Technology as “de-incentivizer”

• The User: behavior, demands and perceptions


Planning...


“The primary benefit of not planning is that failure will come as a complete surprise rather than being preceded by a period of worry and depression.”

--Harold Kerzner


When should planning occur?

• Before e-systems are built

• When other planning initiatives are taking place

• When identifying objectives for programs


Who should participate?

• Important players

– Users

– IT administrators

– Decision-makers / resource allocators

– Records managers

• Cross-functional team if system is to be implemented organization-wide


What should planning cover?

OBSTACLE                      MILESTONE
Funding source                Justification
Size of project/program       Scope
Who does the work?            Project team
Software solutions            Selection
Is validation required?       Security protocols & procedures


What should planning cover?

OBSTACLE                              MILESTONE
User training                         Training program
When will system/program go live?     Implementation
Ongoing system/program management?    Change control
How will e-files be managed?          Retention and disposition


Planning—Justification

• Prepare business case:

– Align with other organizational goals for managing records

– Provide cost / benefit data

– Provide realistic timeline for program implementation

– Enumerate the risks and potential costs of not having the program

– Be able to back up your request with data


Planning—Scope

• Define the scope of the e-records management program

– Individuals, departments, entire organization?

– Email, desktop, intranet / extranet, websites

– Instant messaging

• Define documentation tools for amending the program


Planning—Project team

• Must be accountable for planning and developing the program

• Should be cross-functional

– Executive—solves monetary concerns

– Project manager—leads team, tracks budget, reports to executive

– IT analyst—provides technical expertise and necessary system support

– Functional area representatives (users)


Planning—Selection

• Will software be used to manage e-records?

– Research vendors

– Requests for information

– Define functional requirements

– Vendor demos using large data sets

– Select application


Planning—Validation

• Depending on your environment, you may need to validate that e-records have not been tampered with and are authentic

• Plan for these validation and security needs early on


Planning—Training

• How will users be trained in e-records management?

• Will training include management of records in original, digital form?


Planning—Implementation

• How will the e-records management program be phased in?

– Incrementally

– Organization-wide

– By site

• Who is on call to answer questions?

• Anticipate resistance to new system


Planning—Change Control

• How will changes in retention requirements of e-records be handled?

• Are requests for changes formal or informal, and what sort of approval process must they go through?

• How are changes to the program documented?


Planning—Retention and disposition

• Retention and disposition is affected by:

– Corporate policy

– IT infrastructure and management

• E-records management program must attempt to overcome the “retain forever” mentality


“We currently have no guidelines on retention of records since we do not purge them. We have experienced unusual requests over the years to reconstruct statistics from work order data going back a number of years. It is best that when your Director asks for something that you don't have to say we deleted those records last week. We might be interested in a more formalized archiving system, but probably not purging the records. The only reason I could see for even archiving records would be if system performance deteriorates, or the number of records created some inefficiency in an application process.”


The Planning Obstacle...

• Going through these steps requires time and financial investment.

• To succeed, e-records management must remain a top priority, or resources shift to other projects leaving the planning phase incomplete.


Policy Development...


Do records-related policies and definitions include electronic records?

• Statement of purpose clarifies the reason for the policy

• Scope clarifies record types included—should be exhaustive

• Aids in consistency and reducing variation


Having no policy is a “policy”

• User discretion

• Inconsistent application

• Arbitrary / subjective retention and disposition decisions


“Employees with limited perspectives on management and legal issues should not be relied upon to make decisions that could affect the entire business.”

--Steven C. Burnett


Are policies keeping pace with technology?

• Websites / blogs / wikis

• Email and instant messaging

• Unified messaging

• Versioning

• Imaging

• Computer forensics and “destruction”

• E-commerce


Will policies conflict or coincide with culture?

• Depends on your environment

• Depends on “newness” of the policy and users’ familiarity with other records management principles

• When and how policies are applied can be critical…


• “This is not something you get to decide. This is company policy. Do not archive your mail. Do not be foolish. 30 days.”

http://www.timesonline.co.uk/article/0,,2095-1367433,00.html


The Policy Obstacle...

• Policies governing e-records management must be comprehensive, addressing as many formats as your organization handles.

• If not following the policies creates unnecessary risk for your organization, sanctions must be in place.

• The policy obstacle may change based on your environment.


Technology…


• “It costs you more to think about whether to delete something than simply to leave it on your computer.”

Tom Burt, Deputy General Counsel at Microsoft

http://www.businessweek.com/magazine/content/04_51/b3913099.htm


IT and Records

• IT community is hard to convince that records management and e-records preservation are important

– Move toward systems capable of saving everything

• Does technology sneak up on us?

– It is planned, built, and installed BUT

– If not planned people develop own solutions

– Technology is the “go to” solution


Different paradigms

• Record series is not such a clear delineation with e-records unless consciously designed

• Filing / organizing becomes moot


Are the technologically savvy allies or adversaries for e-records management?

• 10 years’ worth of data can be kept just as easily as 1 year’s worth

• Gmail (“Search, don’t sort” and “Don’t throw anything away”)

• Perceived irrelevance of records managers and archivists


Storage is cheap…

• …but e-records management applications are not

• Creates over-abundance of electronic information

– Digital landfills contain obsolete data, irrelevant data

– Overabundance increases risk of low-quality decisions


• Transport mechanism for business data

– Example: email attachments

• Effect of technology on workflow

– Duplication dilemma

– Productivity


RMA or EDMS?

Not transparent

Turned on or off?

Expensive


Databases:

Transactional – A/P or A/R

Registrations – Library books

Reference – LexisNexis

Retention information – Image banks


Databases:

Research Rich

Durable Data

Relational

Longitudinal


• Databases are powerful tools used to compile statistics or research data, or to track / find other types of records

• Typically can’t apply traditional records management principles to database records


The Technology Obstacle…

• Acts as a “de-incentivizer” because it installs the ability to store vast amounts of data and e-records.

• There are fewer reasons to purge e-records once technology is in place.

• The behaviors affected by technology become part of the organization’s culture


The User…


Some questions asked

• What criteria do you use to decide to keep an electronic document?

• To delete one?

• Do you follow a schedule for retaining/destroying files or records?

• Do you ever weed files (e.g., word processing documents) or folders from the hard drive?


Retention criteria

• Keep

– Anticipated use – 40%

– Save everything – 40%

• Delete

– No further use anticipated – 20%

– Print then delete – 5%


Follow a schedule?

• No – 63%

• Yes – 30%


Weed files or folders?

• Yes – 64%

• No – 33%


So what needs to happen?

Planning:

• Ideally before e-systems are built

• As part of other planning initiatives

• Strategically (strategy drives structure)

• Planning requires data


So what needs to happen?

Policy:

• Reduce user discretion

• Broadcast widely

• Provide justification for policy (legal or regulatory, efficiency, etc.)


So what needs to happen?

Technology:

• Recognize the behaviors it installs

• It can reduce or eliminate incentive to manage e-records

• It will usually be part of the solution, not the entire solution

• Identify where technology fits in the entire system


So what needs to happen?

Users:

• Identify users’ perceptions & behaviors

– Surveys

– Interviews

– Training, especially for new employees

– Take every opportunity to educate

– Understand how e-records are used and for what purposes before trying to develop your e-records management program


Obstacles:

• They exist

• They can be overcome

• They are created by users, the technologies we employ, inadequate planning, and poorly constructed policies