Best Practice Standards in
Electronic Record Keeping
Kerry Gordon, Director
Recordkeeping Innovation P L
Typical records framework
• low volumes of hardcopy mail
• high and increasing volumes of electronic
• electronic documents storage is not
– email applications
– desktop applications - shared folders
– database records
• Poor folder naming structures - by business
unit, person's name
• disposal is ad hoc
• huge quantities of duplication
• lack of security, access control
• version control, templates
• not all records are copied to paper files
• unauthorised access - loss of intellectual
property, loss and corruption of data
• loss after a disaster
• loss of corporate knowledge when staff
• increased risks of litigation, potential losses
• unable to satisfy regulators
• retrieval is difficult
• lack of business continuity
• costs of redoing work, relearning
• exposure to fraud, corruption, poor
governance, lack of accountability
• poor public image
• directors sued for negligence
• additional storage costs
Why are records important?
• evidence of business
• protect the assets of the business
• provide accountability
• needed in court, by regulators
• provide valuable precedents, corporate
• preserve the history of events
• New technology transforming
• increased mobility
• enormous increase in volume and response
• flatter management structures and
Where are we?
• Few organisations control all their
• less resources to manage information
• corporate failures show key role of records -
Enron, Arthur Andersen, One.tel, HIH,
British & American Tobacco
• electronic information is more fragile and
easily lost, or inaccessible
Formal or informal records
• Most companies have protocols for
managing hardcopy records
• expectation that electronic records are
simply a convenient copy
• breakdown in formal structure leads to
• most organisations do not know what
• AS 4390 and ISO 15489
• Australia has world’s first standard
• standards in government recordkeeping -
storage, electronic records
• compliance requirements in government
• results of audits
Role of the Standards
• 3 types of standards
– interoperability standards eg construction
– professional standards - competencies eg
accountants certification, doctors accreditation
– best practice standards eg ISO 9000 for quality
systems, food industry codes of conduct
• Aim: incentive, not mandatory, not audited
What is a record?
“information created, received, and
maintained as evidence and information by
an organisation or person, in the pursuance
of legal obligations or in the transaction of
business.” AS ISO 15489.1
Who is responsible?
• everyone in the company
• ‘expert’ users
• Records/knowledge managers
• Senior management
• the organisation
‘Organisations should be aware of their
legislative and regulatory environment’
• company secretary and legal advisors role
– industry codes and practices
– licenses and permits
Record standards include:
International standard (2)
• Recordkeeping controls
– appraisal and disposal
• Should apply to records in any format
• classification schemes
• indexing - software
• access and security
Where to from here?
• What is the problem?
• How serious is the commitment?
• What are the objectives?
• Can we break down the problem?
• What will it cost?
• Who will do the work?
• Identify recordkeeping requirements
• analyse and document the business processes
• assess and locate existing systems (IT audit)
• design the system - software, controls
• develop policies and procedures
• review and adjust
• vital records identified
• disaster recovery plan
• document controls for key items
• fraud controls - operational procedures are
• corporate standards
• system design to make compliance easy
• Strategic planning for records - objectives,
audience, performance measures, budget
• management support
• aim for systematic control over all records
in any format
• need for system procedures
• staff training
Help is available
• Government records agencies
• consultants - RMAA product register
• websites, listservs
• professional associations
• Standards provide best practice framework
• not mandatory
• implementation needs strong management
support, software and good design
• responsibilities must be allocated
• documented policies and procedures are
• conversion may be done gradually
Who we are: a newly merged company. BR and KG are directors; between us we have more than 20 years' experience. Services: strategic planning, records systems design and implementation, training, developing controls (eg thesaurus and disposal programs), training staff, developing policies and procedures, evaluating and advising on software to meet best practice standards (eg GSAS). Clients include: NSW govt agencies, local govt, Malaysian Govt, the Olympics organisations, Optus, international standards association, Hong Kong Dept of Immigration, NSW Bar association, unions and charities, Lendlease, banks, universities.
Loss of support staff. Often there is no induction, or any formal introduction for staff on operating procedures and what they are expected to do to maintain good records. There are fewer employees from the older, more disciplined environments where record systems were part of the job. Employees are more stretched, with more duties and less time for recordkeeping. There is a lingering perception that RK is not part of their job, and that everyone should have a PA to do records work for them. Information is fragmented: do you need to know how a record arrived in order to locate it? Everyone has their own set of email folders that only they can access; when they leave, these are often deleted. Shared folder structures are often ad hoc; they have grown up over time, perhaps with a couple of attempts to restructure, but restructuring is a time-consuming and difficult job. There are many instances where conversion stopped half way because the job was too big. There are no links between applications and business systems, eg an insurance claims database is separate from the records it generates. Our experience is that companies often do not understand the complexities of recordkeeping and expect support staff to be able to ‘fix the problem’.
Electronic filing:
• Share drives are structured by business units, which makes it difficult to share documents.
• Naming is idiosyncratic, so documents are hard to find. There is not enough space to really describe content, and no way to link it to the business activity, eg an insurance claim number.
• Folder structures are overcomplex, hard to navigate and not documented.
• Folder structures are not controlled: they are easily deleted or corrupted, and not trustworthy.
• Many different applications lead to fragmentation (email, records index, database applications, contact lists, intranets, web pages).
• Disposal is ad hoc: no one is sure whether there is another copy somewhere else, so disposal is done too soon, or not at all because the decision is too hard.
• Lack of security and rules for access. There is no way to manage read and read/write access on a case by case basis.
• Are there standard methods for version control? Are they always observed? Use of templates is often ad hoc, and maintaining a corporate look and feel is very difficult.
• High volumes of duplication: everyone keeps a copy.
• It is impossible to know whether hardcopies are routinely made; this is often ad hoc, with no clear guidelines about when it is appropriate to use hardcopy or soft copy, when a signature is absolutely required and how to save it.
• Poor information sharing, transfer of corporate knowledge and use of information as a resource.
Huge increases in volume: there is no paperless office; in fact more is printed to paper than ever before. There are difficulties working in an electronic environment without signatures; the authenticity of electronic records is still a largely unresolved problem. Security and access is not well understood or controlled: IT has responsibility and tends to manage it by business unit, but this is often inadequate. Examples of disasters resulting in losses: 11 Sept, where trading data was saved but information about employees was not available. Regulators - any examples?
Retrieval is difficult, especially over time. The results are additional costs and an inability to operate effectively.
Many of our clients come from highly regulated industries: finance, insurance, mining, engineering and construction, law and health. The link between recordkeeping and accountability is strong. There is normally a clear need for evidence of business: who made decisions, when and on what basis. Records play an important evidential role when things go wrong, so there is a strong emphasis on evidence in court, protection of company assets and minimising risks in litigation.
We observe companies providing very sophisticated software applications to the desktop, so staff can create documents and communicate quickly, but almost no rules or procedures on how electronic documents are to be stored, used and managed. Paper based systems fail to cope with the volume and are difficult to operate across a number of different sites. There is a lack of support staff to manage them. They are hard to track, and carrying out disposal and using office space effectively are time consuming. Decisions are made across companies and require more decentralised records systems to capture records.
Based on the recognition that if we wait, it is likely that there will be no records to become archives. Electronic records require good management now, while they are active, if they are to survive many changes in hardware and software. Compliance includes:
• documented procedures
• budgets
• software standards
• storage requirements
• naming and indexing
• disposal - routine, regular and authorised
In NSW the government auditor has conducted a number of audits to monitor whether the standards are complied with. Many govt agencies have not met the existing standards.
Interoperability standards - examples are shelving equipment and paper sizes (legal or A4 paper). Best practice standards provide a means for measurement, eg when a company is acquiring another entity; they reduce risks (eg liability and exposure to WC claims), and provide performance measurement across the company and a means of benchmarking across the industry, eg IPART’s review of local government services.
Key characteristics of records:
• evidence of business (personal or public)
• an important source of knowledge
• provide business continuity when staff leave
• are unique to your organisation
• are needed for defence and protection of assets in cases of claims, litigation, protection of intellectual property and privacy
• are relied on by regulatory authorities - eg failure to submit certain documents to Workcover could close down operations, and operational licenses may be withdrawn
• may exist in any form, eg maps, plans, drawings, photographs, emails, voice mail, even SMS
• are different from published information or the internet, because these are not unique and are easily replaceable
Everyone creates records, so everyone should manage their records. But this implies that there is a system and it is easy to follow, so we need ‘expert’ users: people who are trained to understand the rules and software and provide support to everyone. Managers should be responsible for ensuring everyone complies; it is not the responsibility of the PA to try to bring senior staff into line. Managers need policies and performance measurement: a way of clearly stating what is expected, and of monitoring it. RM - designers, gatekeepers: if you haven’t got one, think about buying in expertise on a part time or contracting basis. Senior managers, particularly company secretaries, need to provide resources for the design, review and implementation of sound systems. It is often thought of as an administrative overhead, so they try to spend the minimum, or are dazzled by IT and spend inappropriately without results. We need to inform and persuade senior management of the benefits. The organisation as a whole needs to be aware of its responsibilities and what records are required. Training is required at different levels to match the levels of responsibility.
Legislation, such as:
• tax
• industrial relations
• company reporting
• stockmarket rules
• occupational health and safety
• privacy
• industry ombudsman
Industry specific licenses, permits, practising certificates, technical and professional standards, eg in engineering the hazardous goods industry requires a continuous record of maintenance of plant. N.B. the AS states that a compliant organisation will have a training program to address the roles and responsibilities of personnel and will make them aware of the regulatory environment and their recordkeeping responsibilities.
• Compliant - records must satisfy the requirements of the regulatory environment. The company must be aware of its obligations and how it might be accountable, e.g. to the ATO and regulatory authorities such as the Australian Prudential Regulation Authority. Ignorance is not an excuse.
• Complete - electronic records must carry enough metadata to show both content and structure.
• Meaningful - linkages between records and the records management processes, to understand how records were created and used, eg the time and date of transactions, who authorised transactions.
• Comprehensive - must cover the full range of activities, all locations, all kinds of transactions.
• Accurate - employees should find it easy to create accurate records, eg how to manage versions of documents. The procedures and systems should be designed so it is easy to comply - use of templates, mandatory fields, forms etc.
• Authentic - in the hardcopy world we rely on the letterhead and signatures to show authenticity. This can be difficult to manage electronically - a signed document can be scanned, but this is inefficient. Logins and passwords are used in IT, but are not sufficient for courts - a proper RK regime, usually supported by EDMS software, is essential to show records are credible and authoritative.
• Inviolate - not deleted, altered or lost. Again this needs software support, with the use of audit trails to identify changes and deletions. Reliability of software over time - migration of key data.
• Registration is the process by which records are captured into the RK system: date, unique identifier.
• Classification is the process of linking records to business processes, eg finance - invoices and receipts, personnel records, development applications, construction projects.
• Indexing adds codes for retrieval, eg locations, names, claim numbers.
• Tracking covers the processes of knowing the physical location of the record and how it has been accessed or used.
• Appraisal is evaluation to determine how long to keep the records, and disposal is the action taken when the record is non-current, either to retain or destroy it.
These are records processes that were once done in a centralised registry; now records storage is decentralised and we impose intellectual rather than physical controls over records.
A little more detail on those key control tools. Key design elements are:
• Classification scheme - naming convention. A set of authorised terms to identify records and link them to the business processes that created them, eg personnel - leave, recruitment, superannuation, conditions of employment. May be simple, especially when there is a high volume of case related records (eg insurance), or extremely complex (investigation and litigation, companies with many functions). When done right, very powerful: can be used to manage security, disposal etc.
• Indexing tools - from Excel to sophisticated EDMS software. Need to automate many RK processes, with records to be accessed using different kinds of information, status, location. Ability to provide a single, shared point of access with security controls, eg the ability to interface with Word and ask for information about the record prior to saving it, automatically placing it in the correct folder and applying security and disposal.
• Disposal requires the development of standard guidelines that can be implemented systematically across the whole organisation. Difficult to develop; the alternatives are to retain everything (costly) or an ad hoc approach (risk losing important records).
• Access and security - is there a need for public access? Identify commercial in confidence, intellectual property, privacy, sensitive business transactions (strategies, business directions); records in the public domain could cause loss or embarrassment to others, affect the stock price, insider trading etc. Needs to be clear and simple. With electronic documents more sophistication is needed: read only, read/write, version controls, which version of software is needed to access?
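Putting the registration, classification, appraisal and disposal processes above together with the access and audit-trail controls, here is an added Python sketch (constructed for this page, not software from the presenter or any product): a tiny register that assigns unique identifiers at capture, accepts only authorised classification terms, separates read from read/write access, appraises records against a retention period per term, and keeps a hash-chained audit trail so that an altered or removed entry is detectable. The classification terms, retention years and user names are assumptions.

```python
import hashlib, json
from datetime import date

# Constructed classification scheme: authorised term -> retention in years (assumed values).
CLASSIFICATION = {"personnel/leave": 7, "finance/invoices": 7, "legal/litigation": 25}


class Register:  # unique ids, authorised terms, read/read-write access, hash-chained audit trail
    def __init__(self):
        self.records = {}  # record id -> metadata; the content itself would sit in storage
        self.audit = []    # every entry carries the hash of the one before it
        self._seq = 0

    def _log(self, **event):
        prev = self.audit[-1]["hash"] if self.audit else "0" * 64
        digest = hashlib.sha256((prev + json.dumps(event, sort_keys=True)).encode()).hexdigest()
        self.audit.append({**event, "prev": prev, "hash": digest})

    def register(self, title, term, owner, created, readers=()):
        if term not in CLASSIFICATION:  # only an authorised term links a record to its process
            raise ValueError(f"unauthorised classification term: {term}")
        self._seq += 1
        rid = f"R{self._seq:06d}"       # unique identifier assigned at capture
        self.records[rid] = {"title": title, "term": term, "created": created, "status": "current",
                             "version": 1, "readers": {owner, *readers}, "writers": {owner}}
        self._log(action="register", id=rid, by=owner)
        return rid

    def access(self, rid, user, new_title=None):  # read, or replace the title as a new version
        rec = self.records[rid]
        mode, action = ("writers", "update") if new_title is not None else ("readers", "read")
        if user not in rec[mode] or rec["status"] != "current":
            raise PermissionError(f"{user} may not {action} {rid}")
        if new_title is not None:
            rec["title"], rec["version"] = new_title, rec["version"] + 1
        self._log(action=action, id=rid, by=user, version=rec["version"])
        return rec["title"]

    def appraise(self, today=None):  # ids whose retention period has expired and are due for disposal
        today = today or date.today()
        return [rid for rid, rec in self.records.items() if rec["status"] == "current"
                and today.year > rec["created"].year + CLASSIFICATION[rec["term"]]]

    def dispose(self, rid, user):
        self.records[rid]["status"] = "destroyed"  # metadata is kept; content would be removed
        self._log(action="dispose", id=rid, by=user)

    def verify_audit(self):  # recompute the chain; an edited or removed entry breaks it
        prev = "0" * 64
        for entry in self.audit:
            event = {k: v for k, v in entry.items() if k not in ("prev", "hash")}
            digest = hashlib.sha256((prev + json.dumps(event, sort_keys=True)).encode()).hexdigest()
            if entry["prev"] != prev or entry["hash"] != digest:
                return False
            prev = digest
        return True
```

Disposal keeps the record's metadata and the audit entries, so the register can still show that a record existed and who authorised its destruction.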
Scenario: the CEO asks you to fix the electronic filing system. Where do you start? Start with a scoping study to answer these questions:
- the key issue is what software you propose to use
- is the system going to cover the entire enterprise, or only the executive and legal areas?
- what are the priorities - vital records, current records, customer records…
Requires change management, as it impacts most staff in an organisation. Needs user support, because users have options to subvert the system and go back to the old ways. Need to think beyond just the organisation: when doing a joint venture, how will records be captured, and who will own them? What to communicate to the Singapore office - do you all have the same policies and procedures?
What is needed is a risk based approach to recordkeeping, starting with identification of vital records (and disaster recovery planning). Develop and implement some controls over key electronic records. Make sure that operational procedures are in place to ensure records are protected from fraud. Have corporate standards: staff awareness of recordkeeping requirements - policies and procedures, code of conduct, privacy protection, performance measurement and employment contracts. Clear guidelines about when records should be created. Standards for storage, labelling, numbering, access, disclosure, transmission and disposal. How can you achieve high levels of compliance with corporate standards?
- senior management endorsement of policy and procedures
- regular monitoring
- make sure the ‘design’ has user acceptance and is easy to use
- regular maintenance and improvement
Develop a plan of action: identify key objectives, and identify who is responsible. Eg monitoring - who has authority? Does it need someone independent?