Records Management and the Law Course Content

Transcription

1 Records Management and the Law Course Content Audio The contents of each screen are presented in audio. If you d like to mute the audio, click the icon that is highlighted below. To hear the audio, simply click the same icon again. Links and Resources At times a word or phrase may appear in blue type. Click these items to download a document or to visit an external site in a new window. Additionally, roll your mouse over words that are in red type to receive more information. Legal Disclaimer This course is for general information and educational purposes only. It is not intended to serve as legal advice and the contents should not be relied upon in any specific factual situation. Downloadable Course Contents If you d like a copy of the course audio, click to download a PDF version of it. Course Outline Section 1: RIM Supports Organizational Compliance Section 2: Duties of Records Management Section 3: Laws, Regulations, and Agencies Section 4: Standards, Guidelines, and Best Practices Section 5: Litigation Process Defined Section 6: Litigation Begins Section 7: Litigation Hold Section 8: Discovery Section 9: Trial Course Learning Objectives Upon completing this course, you will be able to: 1. Define how records and information management (RIM) policy and procedures provide the foundation for solid business operations 2. Define how the records retention and disposition program supports the records management program 3. List the six duties associated with records management 4. Explain the core U.S. federal laws and regulations which govern most businesses 5. Explain the standards, guidelines, and best practices related to establishing records management programs 1

2 6. List the elements of a litigation readiness program 7. Identify the steps of a typical litigation with an emphasis on records management considerations and requirements 8. Summarize the best practices for the legal hold process Introduction All organizations small businesses, corporations, not-for-profit organizations, governments, and educational institutions must manage records. Records are created as a normal by-product of business transactions and decisions. Companies must make decisions about how long the records should be kept and how they should be arranged for easy use. Many times there are laws and regulations that specify recordkeeping requirements for businesses. And, finally, companies can be sued in the courts or investigated by government entities. A Company s Records The company s records become the lifeblood of efforts to demonstrate that the company has met its legal obligations. And records are almost always the tangible evidence the company produces to defend its actions and support its claims in a lawsuit. This is the relationship of records and the law. Scope In this course you will learn how a formal RIM program supports your organization s legal and compliance responsibilities. The course will also explain the steps of a typical litigation action and identify the impact litigation has on the operations of a RIM program. You will learn how to plan for potential litigation, and how to respond to litigation so that your company is in compliance with the law. 2

3 Section 1: RIM Supports Organizational Compliance Section 1 Learning Objectives Upon completing this section, you will be able to: 1. Define how RIM policy and procedures provide the foundation for solid business operations 2. Identify the necessary elements of a records management policy 3. Identify procedures that are necessary in order to implement the policy 4. Explain how the records retention and disposition program supports the records management program and what it should include 5. Describe how effective records management supports litigation Introduction Records are created as a normal by-product of business transactions and decisions. Companies have to make decisions about how the records will be arranged and stored, how long the records will be kept, and what steps must be followed in order to properly destroy records. Many times a company will leave these decisions in the hands of individual departments or employees, rather than establishing an enterprise-wide approach. Introduction However, a company is much better served if it is proactive in determining how it will meet its legal and regulatory obligations. An enterprise-wide approach results in more consistent policies and procedures. This consistency makes it easier for employees to comply with the policies. And that makes it easier for company officials to establish the credibility of their records and business transactions if they are questioned in a lawsuit or government investigation. Three Components of Compliance A formal RIM program supports your organization s legal and compliance responsibilities in three areas: policy and procedures, retention and disposition, and litigation support. Records Management Policy In the first area of organizational compliance, the records management policy sets the foundation for the company s decisions on how its records will be handled. It also outlines the employees' broad responsibilities related to the records. Though the exact content of records management policies may vary, the issues on the following pages are routinely addressed. 3

4 RIM Policy: Ownership of the Records Even though an individual employee created the record, it remains the property of the company. This means that employees are not permitted to take company records with them if they leave the organization. RIM Policy: Geographical Scope The company must decide if the policy applies equally to all its business units. It may choose to allow business units in other countries to establish a slightly different policy if circumstances dictate that. Record Formats The policy should state that it applies to records in all formats (electronic or digital, paper, microfilm, etc.). RIM Policy: Responsibilities The policy should state who is accountable for implementing the records management policy and for authorizing departmental compliance. RIM Policy: Retention vs. Backup The policy should state that backup copies may not be used for long-term retention requirements of electronic records. A backup copy has a different purpose from long-term retention. A backup is used to restore a system and data in case of inadvertent loss of the data. Long-term storage of electronic records is for the purpose of meeting retention requirements. RIM Policy: Duplicates The policy should include language that allows duplicate copies of a record to be destroyed as long as the official copy is retained for the official retention period. RIM Policy: Legal and Regulatory Requirements The policy should include language indicating that the Records Retention Schedule is the authority for designating how long records will be retained. The policy should indicate that the retention periods are based on legal and regulatory requirements, standards and best practices, and business operating needs. RIM Policy: Legal Hold The policy should dictate that the normal retention period will be suspended for records that are involved in litigation or government investigations. 4

5 RIM Policy: Executive Approval A records management policy must be approved at the highest level of the company to ensure employees recognize the authority of the records manager and the importance of complying with the program. RIM Procedures Once the company determines its records management policies, it needs to define procedures for implementing the policies. Procedures will describe the steps that must be followed to ensure the policy requirements are met. Procedures typically identify: What must be done Who is responsible for each step in the procedure What forms are to be used in the process Who can/must approve the final results of the procedure when approvals are required Though the exact content of the procedures will vary, some of the most common ones are discussed on the following pages. RIM Procedures: Official vs. Duplicate A procedure is needed for separating the record copies from the duplicate or working copy records. Its purpose is to reduce the volume of records that must be retained by allowing destruction of duplicate copies before the retention period expires. The division or work group that maintains the official copy is designated the office of record for retention purposes. Copies maintained by other program units are considered duplicate records. Storing Records Electronically Companies use a variety of technical solutions for creating and storing electronic records. They may use document management systems, archives, networked file shares, collaborative work software, etc. It is important to teach employees how these tools function so they make the right decisions in storing and managing the records. If the right decisions are not made, the company may not be able to use the records in legal proceedings. RIM Procedures: Protecting Records Procedures are necessary for deciding how to best protect records in their storage locations. The records manager must consider the physical and chemical properties of the records and how to protect them from loss, destruction, and theft. 5

6 RIM Procedures: Final Versions Procedures are needed to address where in the business process the documents are considered final and authoritative. At that point, these two actions must take place: The final, authoritative document is stored electronically and locked down so it cannot be altered. Draft versions are deleted unless the retention schedule directs otherwise. RIM Procedures: Records Specific guidance for managing records can be found in the ARMA International guideline titled Requirements for Managing Electronic Messages as Records. The records retention schedule is the same for records as it is for other types. RIM Procedures: Naming Conventions Procedures should dictate the consistent use of naming conventions for records. Consistency will make it easier to retrieve records quickly for business purposes or litigation. RIM Procedures: Metadata It's important to develop procedures for the use of metadata with your electronic records. Effectively using metadata helps you identify records and determine their retention periods. Additionally, metadata is integral to an organization's ability to use software tools to store, manage, and dispose of records according to established policies. RIM Procedures: Access Rules are necessary for who is permitted access to the records and under what circumstances. There may be specific legislation that restricts who should have access to records. Records that contain private or personal information will be restricted to certain individuals. Government entities have procedures that allow public access to government records through freedom of information requests and that provide open access to the public. Archives institutions have procedures for who can access records and whether they can be removed from the institution. Records may contain personal, commercial, or operationally sensitive information that must be protected from unauthorized access. ISO : 2001 stresses that restrictions should be imposed for a stated period, to ensure that the additional monitoring required for these records is not enforced for longer than required. RIM Procedures: Tracking ISO : 2001 emphasizes the importance of tracking the movement and use of records within a records system. Tracking has a number of uses, such as: identifying outstanding actions required; enabling retrieval of records; monitoring usage for systems maintenance and security; and maintaining an audit trail of records transactions. 6

7 RIM Procedures: Disposition Records disposition must be done on a systematic and routine basis, and in the course of normal business activity. Procedures will define the destruction approval process to ensure that they are not affected by litigation or investigation. If records are involved in litigation or investigation they cannot be destroyed until the matter is resolved. Disposition procedures must also ensure that all copies of the records authorized for destruction (e.g., security copies, preservation copies, duplicate copies) are destroyed at the same time. RIM Procedures: Documenting Documenting your records actions makes it possible for the company to show that its RIM program is part of its routine business operations and that records-handling decisions are controlled and consistent : 2001 states that records systems should contain complete and accurate representations of all transactions that occur in relation to a particular record. Electronic systems will track who accessed the records and when. They will track whether any alterations were made to the records. Results of Policies and Procedures The records management policy and the supporting procedures work together to establish the company s foundation for records management. When the procedures are consistently followed and records management decisions are documented, the company can be said to have a legally defensible records management program. This is a strong advantage for any company facing legal action since it is more difficult for opposing lawyers to question the actions that were taken. If a company has the documentation to prove that records were destroyed in accordance with an established and approved procedure, it is difficult for others to persuade the court that records were destroyed because they contained harmful information. Retention and Disposition A key way that records management supports the company s compliance with laws and regulations is in the creation and implementation of a records retention and disposition policy and procedure. The Principles Managing records effectively is a key part of a company's information governance structure. ARMA International has developed a framework for structuring records management programs, based on eight clearly defined principles. The Generally Accepted Recordkeeping Principles most closely related to records management and the law are discussed later in this course. 7

8 Principle of Retention The Principle of Retention states: An organization shall maintain its records and information for an appropriate time, taking into account legal, regulatory, fiscal, operational, and historical requirements. In practical terms, this means the records manager must understand a great deal about the company in order to establish an effective records retention schedule. In the next several slides we discuss these requirements. Legal and Regulatory Requirements The records manager must understand the legal and regulatory requirements for the company. Such requirements are found by conducting research into federal, state, and local statutes and regulations. In some industries, there are licensing boards or professional associations that establish requirements for some records. Fiscal Requirements The records manager must take fiscal requirements into account in determining retention periods. Some records are needed to support the company s statements of its financial position and to support the tax filings it makes to the taxing authorities. Operational Requirements The records manager must understand how the records are used in the business and how long the records are relevant to daily business transactions. These are the operational requirements. In most cases, operational requirements will be shorter than legal or regulatory requirements. Historical Value Some companies have special programs established to retain records that have historical value. These records might need to be retained permanently, in spite of other legal and regulatory requirements. Only a small percentage of records generally qualify as historical. Principle of Disposition An effective RIM program gives specific directions to ensure that records are disposed of when the established retention period has expired. The Principle of Disposition states: An organization shall provide secure and appropriate disposition for records and information that are no longer required to be maintained by applicable laws and the organization s policies. A records retention and disposition schedule defines how long records must be kept and serves as the starting point for determining if and when they can be destroyed. For a more detailed explanation, see the ARMA International s Essentials of RIM course titled Records Retention and Disposition. 8

9 Best Defense Sound policies and procedures are the best defense against litigation because they protect the organization s records and they mitigate risk. However, companies must go further by ensuring the policies and procedures have been documented, implemented, communicated, updated, and followed on a regular and consistent basis. Credibility When a company wants to reinforce the credibility of the records retention and disposition practices, the following actions are as important as having the policy in the first place. Policies must be approved and actively supported by the company s legal department and top management. Employees must have easy access to the policies and procedures and must be trained. They must fully understand the process and what is required of them individually. There should be a consistent process in place to make needed adjustments to the policy and procedures as technology changes and business conditions evolve. The company must document records destruction actions in order to show that it follows the schedule on a routine basis. This allows the company to show the court that records destruction was done in a proper manner and not in an effort to hide pertinent facts. Litigation Support Litigation has become an everyday event for today s businesses. And every litigation relies to at least some extent on the records and information that document business actions, decisions, and transactions. It is the company s records that are produced as evidence to support its claims and/or legal defense in these actions. Similarly, the company s records are a chief focus of government investigations into wrong-doing. Additional Factors In addition to increased litigation, companies have become very dependent on technology to store and manage information. The scope of business transactions has become global. All of these factors increase the quantity of records that must be managed and the importance of robust records management practices to ensure records are appropriately handled. How it Begins At the simplest level, litigation arises when two or more individuals or organizations have a disagreement that they cannot resolve by themselves. All the parties to the litigation start looking for the records that they believe will prove their case. In recent years, the records manager has become a more valuable partner for the legal staff, preparing the legal strategy for the cases involving the company. At the heart of their responsibility is identifying 9

10 and preventing the disposition of records that are needed for the litigation. Responsibilities Include This responsibility can take a variety of forms, depending on the scope of the records management program, the legal strategy and the records needed for the litigation, and the other individuals involved in planning the legal strategy. However, it is common for the records manager s responsibilities to include: Identifying and locating the records that the attorneys need Notifying employees and/or off-site records storage facilities of the need to prevent the destruction of the relevant records Helping distribute legal hold notices to key individuals Training employees on their obligations to protect records when involved in litigation 10

11 Section 2: Duties of Records Management Section 2 Learning Objectives Upon completing this section, you will be able to: List the six duties associated with records management Explain the importance of each duty Describe why each duty affects the outcome of the records retention schedule Introduction Records management requirements in the law are many and varied, but they all rest on the duty to perform the following six tasks: Define what materials are official records of the organization. Create, preserve, and disclose records during the discovery process in all litigation matters or during government investigation. Retain all records, including those having the same or substantially similar retention periods, based on legal requirements and legitimate business needs. Retain records until the destruction date authorized by the records retention schedule. Prevent destruction of records before that date. Change the retention schedule when legitimate business or legal considerations justify shortening or lengthening the records retention period. Maintain documentation of the records retention program, including records retention schedules, procedures, audits, approvals, program development, and proof of destruction. Records of Activities Records are the lifeblood of an organization because they contain information on its mission, operations, and activities. Examples of activities that should be recorded include: Transactions such as an order, a payment, or client intake Decisions that could result in policies or procedures Research either scientific or business Documentation required by regulation or law The history of the business or organization For the sake of accuracy, the information should be recorded as close to the time of the action, decision, or discovery as possible. Define Official Records Define your records by distinguishing official copies from draft copies and duplicates. The official records must be kept for the retention period. Draft copies are those that have yet to be completed or finalized. Duplicates are additional copies that departments may use for reference if they 11

12 are not responsible for the official copy. For example, HR would keep the official copy of an employee's performance appraisal, but a supervisor typically keeps a copy as well--a duplicate or draft that can be destroyed when the business purpose is complete. Once these distinctions have been made, the retention accountabilities can be assigned to the necessary business units. Create, Preserve, and Disclose The organization has the duty of creating records that accurately represent its business decisions. It must retain the records for normal retention and preserve them in case legal issues require their use. Finally, the organization must disclose these records when ordered by a court. Follow the Retention Schedule Records managers also have the duty of retaining their records. Records are important in documenting and recalling major developments in human affairs and organizational history. The records retention schedule ensures that the records created today will be available in the future. Click to open a sample retention schedule. The Legal Hold Process The legal hold process often called the litigation hold process requires the combined coordination of the organization s legal staff or outside counsel and the opponents in the legal proceedings. It is imperative that knowledge of the case is communicated to anyone who may hold relevant records, and that these individuals find and preserve those records. Relatively Short Retention Periods Keep your retention periods relatively short. To do so, you must have some understanding of the legal requirements that affect your records so you can safely pare down the retention periods, as noted by John Montana in How to Develop a Retention Schedule (2010). The schedule has one single purpose: to list what records are in the organization and how long the organization intends to keep the records, while addressing issues of privacy, access, and use. Retain Records Until Destruction Date Destruction of records should occur as a routine and regular business process in accordance with the records retention schedule. This type of process ensures that an organization is following a cyclical process. A Routine Process By making destruction a routine process, you are proving the organization was not destroying records haphazardly. Do not destroy records before their designated date of destruction for any reason. In How to Develop a Retention Schedule, Montaña touches on this important topic: 12

13 The pattern to be avoided is one that has gotten more than one litigant into trouble: a one-time records destruction event that occurs in suspiciously close proximity to some lawsuit or other legal problem involving the records, giving rise to the implication that destruction of evidence was occurring. Routine, scheduled destruction of records helps prevent this problem. By making the destruction process a routine process, it will prove the organization was not destroying records haphazardly. Do not destroy records before their designated date of destruction for any reason. Change the Retention Schedule When Justified Assess your records retention schedule often, especially when legitimate business or legal considerations justify any modifications to it. Consider not only your current needs but future trends as well. Continual Improvement All records programs can be improved and, if funds permit, expanded. Major new projects or significant technology changes may signal an opportune time to reassess your program and consider changes in direction or priorities. Records programs must be agile enough to change as needed. Positive change can take your program to a new level and help create an organization that is much stronger. Systematic States of Change A quality program is built through systematic stages of change, according to Leading and Managing Archives and Records Programs (2008): Demonstrate the need and urgency for the change Build teams to support and guide the change Lead a process to develop the vision for the change Communicate often to secure buy-in on the changes Enable and encourage action by change-inclined employees Create short-term wins that show the benefits of the new direction and will encourage on-going change Make changes stick by embedding the new ways in the organizational structure and culture Maintain Documentation In the final duty on our list, records managers are required to keep certain documentation, including: Records retention schedules Procedures and changes in procedures Audits 13

14 Approvals Legal research Program development Proof of destruction Retention Documentation Documentation related to the records retention program is necessary to prove the existence of a systematic operation of the records program. The records which document the development of the program, original signed retention schedules, and listings of records destroyed, are critically important as evidence to indicate that the records in question were destroyed in the ordinary course of business. Click to open a sample Certificate of Destruction document. Documentation of an Audit or Review Other records to be retained include certain documents that contain conclusions, opinions, analyses, or financial data related to an organization s audit or review. Documentation should include actions that will be taken to improve any operations not in compliance, as well as the dates when such actions are completed. 14

15 Section 3: Laws, Regulations, and Agencies Section 3 Learning Objectives Upon completing this section, you will be able to: 1. Explain the core U.S. federal laws and regulations which govern most businesses 2. Describe the importance of industry-specific laws and regulations and how they affect a records retention schedule 3. Give examples of state and local laws and regulations that affect businesses 4. Discuss the importance of addressing international laws Introduction RIM has changed exponentially in recent years. Major events within the U.S., the legal systems, and the government have had a profound impact on how companies manage and protect their records. As one of its key responsibilities, a systematic records management program must identify legal and regulatory requirements that bear upon the creation, storage, retrieval, and retention of records and implement policies and procedures to ensure compliance with them. Regulations May Specify Laws and regulations may specify storage conditions, acceptable media formats, retrieval requirements, and restrictions on disclosure for records associated with activities as well as commonly encountered business operations, such as hiring employees and paying taxes. Identify the Regulatory Environment All organizations need to identify the regulatory environment that affects their activities and the requirements to document their activities. Your policies and procedures must reflect the application of the regulatory environment to your business processes, according to the standard developed by the International Organization for Standardization (ISO), ISO :2001(E): Information and Documentation Records Management Part 1: General. The Regulatory Environment According to ISO :2001(E), the regulatory environment consists of: Statute and case laws, and regulations governing the sector-specific and general business environment, including laws and regulations relating specifically to records, archives, access, privacy, evidence, electronic commerce, data protection, and information Mandatory standards of practice Voluntary codes of best practice Voluntary codes of conduct and ethics 15

16 Identifiable expectations of the community about what is acceptable behavior for the specific sector or organization Organization and Sector Organizations are subject to different regulations, depending on their industry, their size, and their business jurisdictions. These agencies impact most organizations. Roll your mouse over each item for a description. Equal Employment Opportunity Commission Occupational Safety and Health Administration Uniform Photographic Copies of Business and Public Records as Evidence Uniform Electronic Transactions Act Uniform Rules of Evidence: Uniform Rules of Evidence specifies criteria for determining if a process or technology system results in accurate, trustworthy records. Rollover content: Equal Employment Opportunity Commission: The EEOC creates regulations related to hiring, promotion, and other working conditions. Occupational Safety and Health Administration: OSHA specifies regulations regarding workplace safety, including the need for companies to document their safety procedures, incidents of injury, and employee training. Uniform Photographic Copies of Business and Public Records as Evidence: UPA allows organizations to produce duplicate copies of a record into evidence, if copies can be certified as true copies of the original (e.g., microfilm copies of records). Uniform Electronic Transactions Act: This Act applies to parties who have agreed to conduct business electronically and ensures the electronic records are viewed with the same authority as their physical counterparts. Uniform Rules of Evidence: Uniform Rules of Evidence specifies criteria for determining if a process or technology system results in accurate, trustworthy records. Federal Agencies Certain federal agencies also mandate specific recordkeeping responsibilities beyond those required by statute. In developing a retention schedule, it is important to work with legal counsel to ensure comprehensive identification of the laws and regulations for your particular organization. Federal Laws Affecting Most Businesses Recordkeeping laws and regulations apply to all private and public organizations that operate within a specific jurisdiction. U.S. corporations, for example, are subject to recordkeeping requirements contained in federal laws. RIM programs are based on regulations; therefore, the regulations need to be addressed in order to determine the records retention requirements. The following pages will detail some of the regulations impacting the RIM industry today. 16

17 FISMA Enacted in 2002, the Federal Information Security Management Act defines a comprehensive framework to protect government information, operations, and assets against natural or manmade threats. FOIA Enacted in 1966, the Freedom of Information Act allows for the full or partial disclosure of previously unreleased information and documents controlled by the U.S. government. It defines agency records subject to disclosure and outlines mandatory disclosure procedures. It was amended in 1996 to allow for greater access to electronic information. Gramm-Leach-Bliley Enacted in 1999, GLBA repealed part of the Glass-Steagall Act of 1933, opening up the market among banking companies, securities companies, and insurance companies. GLBA allows commercial banks, investment banks, securities firms, and insurance companies to consolidate services that previous regulation had prohibited. The act includes provisions to protect consumers' personal financial information. Examples include: privacy notices explaining how the institution uses personal information; allowing consumers to "opt-out" of the institution sharing their information with unaffiliated parties; and a requirement to develop a written information-security plan. Each of these provisions results in recordkeeping requirements for the organization. HIPAA Enacted in 1996, Title I of the Health Insurance Portability and Accountability Act protects health insurance coverage for workers and their families when they change or lose their jobs. Title II of HIPAA requires the establishment of national standards for electronic health care transactions and national identifiers for providers, health insurance plans, and employers. Title II also addresses the security and privacy of health data. It is meant to encourage the widespread use of electronic data interchange in the U.S. health care system. Sarbanes-Oxley Enacted in 2002, this act, also known as SOX, specifies corporate accountability and financial controls for publically held organizations. Some private organizations have adopted provisions of the act so they can be seen as trustworthy to do business with. Children s Online Privacy Protection Act Enacted in 1998, this act applies to the online collection of personal information by persons or entities under U.S. jurisdiction from children under 13 years of age. It details what a website operator must include in a privacy policy, when and how to seek verifiable 17

18 consent from a parent or guardian, and what responsibilities an operator has to protect children's privacy and safety online, including restrictions on the marketing to children under age 13. Fair and Accurate Credit Transactions Act Enacted in 2003, this act allows consumers to request and obtain a free credit report once every 12 months from each of the three nationwide consumer credit reporting companies. The act also contains provisions to help reduce identity theft--for example, individuals can place alerts on their credit histories if they suspect identity theft or if they're deploying overseas in the military, thereby making fraudulent applications for credit more difficult. Further, it requires secure disposal of consumer information. Industry-Specific Laws and Regulations Additional laws and regulations only apply to specific industries or business activities, such as financial services or pharmaceuticals, which are regulated by one or more government agencies. Such laws may dictate specific records that must be kept, as well as retention time periods. Roll your mouse over each example for more information. Rollover content: The Food and Drug Administration regulates everything from food safety to prescription medications to medical devices to vaccines. The Securities and Exchange Commission governs securities transactions for all public companies. The Department of Transportation governs commercial truck driver and railroad crew qualifications, including drug and alcohol testing. The Fair Credit Reporting Act regulates how consumer reporting agencies use an individual s information. Among other things, it restricts who has access to sensitive credit information and how that information can be used. The Fair Labor Standards Act established a national minimum wage, guaranteed time-and-a-half for overtime in certain jobs, and prohibited most employment of minors in oppressive child labor, a term defined in the statute. Family Educational Rights and Privacy Act The Family Educational Rights and Privacy Act is a federal law that protects the privacy of student education records. The law applies to all schools that receive funds under an applicable program of the U.S. Department of Education. The act gives parents certain rights with respect to their children s education records. These rights transfer to the students when they reach age 18 or attend a school beyond the high school level. State and Local Laws and Regulations State and local laws and regulations have a major bearing on retention requirements and in some cases may be even more stringent than federal laws. 18

19 An organization must comply with the laws in all states in which it operates. An organization should consult with general counsel who is authorized to practice law in the states for which the organization is seeking legal advice. State-Specific Laws and Regulations Each state has its own public access laws that should be consulted for access to state and local records. Such laws are referred to as Freedom of Information Acts (FOIA) or open records laws. In addition, the Open Government Guide is a complete collection of information on every state s open records and open meetings laws. Each state s section is arranged according to a standard outline that can easily be compared state by state. The guide is available online and is published by The Reporters Committee for Freedom of the Press. Laws Outside the United States Laws related to personal privacy are a key difference between the U.S. and other legal jurisdictions. Many countries, particularly in Europe, have more stringent requirements than the U.S. for protecting personal privacy. By contrast, some countries have lax laws, or do not have data protection and privacy laws at all. Records managers should be aware of such differences in the event that information management functions are being outsourced to another country. The organization should understand the intellectual property laws and customs of that country so that appropriate adjustments can be made to the contracts or procedures that are implemented. In addition, multinational organizations must conform to requirements in all countries where they maintain business operations. Foreign Jurisdictions and Litigation U.S. courts expect that records stored in foreign jurisdictions will be produced in discovery, just as records that are stored in the U.S. Failure to produce such records may result in sanctions. However, this issue may be complicated in those instances where a foreign law forbids disclosure of certain information or its removal from the country. 19

20 Section 4: Standards, Guidelines, and Best Practices Section 4 Learning Objectives Upon completing this section, you will be able to: 1. Describe standards and best practices and how they are developed 2. Summarize the importance of guidelines 3. Define the Generally Accepted Recordkeeping Principles 4. Outline the importance of ethics in records management Introduction Standards, guidelines, and best practices are critical in helping others understand what RIM professionals do. It has not always been easy to describe what "good recordkeeping" looks like. Standards provide a benchmark of expectations and outcomes that can create consistency out of varying RIM practices. ARMA International recognized this need and developed a clear statement of "Generally Accepted Recordkeeping Principles. Standards Overview Standards and best practices are developed through a formal standards body, such as the American National Standards Institute (ANSI), ISO, or a member of these standards bodies, such as ARMA International or AIIM. Records managers use standards to enhance and improve the contribution their records retention program makes to an organization s ability to function more effectively and efficiently. Leading and Managing Archives and Records Programs: Strategies for Success (2008) says relying on standards gives professionals additional credibility in what they are proposing, and gives the organization greater defensibility if its records management activities are being questioned. Importance of Standards According to Leading and Managing Archives and Records Programs: Strategies for Success, standards are important because they: Provide a benchmark of expectations and outcomes that can be used to forge consistency out of varying practices. Help to identify mandatory elements of a records management program or software application that all sectors of the organization must complete. Provide objectivity, which arises from the controlled development process that engages a variety of individuals and organizations. Are viewed as authoritative. The authority comes from the fact they are developed by experts in the field. 20

21 Additional Benefits Leading and Managing Archives and Records Programs: Strategies for Success cites additional reasons to implement standards: They are readily available to the public. The records manager does not have to rely on judgment to decide what is more important. They provide an authoritative foundation for new program development. They provide for consistency in practice across business units. They can provide a basis for the continuous improvement of an existing program. They are helpful in the development of policies and procedures. ISO :2001(E) ISO :2001(E) is seen as a highly significant accomplishment in international records management because it has the effect of establishing records management as a global management discipline. It is of special interest to multi-national organizations as it sets a common foundation for records management principles and outcomes, regardless of the geographic location of the company s business units. Organizations can use this standard as a basis for determining more specific requirements for recordkeeping systems. The standard places heavy emphasis on policies, procedures, and practices that are designed to ensure that adequate records are created, captured, and managed properly. Guidelines ANSI, ISO, and other formal standards bodies distinguish standards from other types of documents that provide guidance or suggestions for the best methods to accomplish certain ends. Terms such as technical reports, technical specifications, recommended practices, or guidelines generally indicate that, for a variety of reasons, the organization was unable to develop a formal standard. Value of Guidelines In a rapidly changing field like records management, formal standards bodies may choose to issue a guideline in order to respond more quickly to changes in the industry. The committee drafting the document may also believe that the nature of the material does not meet the mandatory nature of a standard, but feels the content merits distribution. These guidelines can be valuable to a records manager and should not be dismissed. Understanding how they have been developed, who sponsored their development, and how the balloting requirements for these documents differ from those for a standard are important steps for a records manager to address. Understanding the process can help records managers determine how fit that guideline is to their organization and environment. The Principles Records and recordkeeping are inextricably linked with any organized activity. It is only through the information an organization records in the normal course of business that it can know what it has done 21

22 and effectively plan what it will do in the future. A Key Resource As a key resource in the operation of any organization, records must be created, organized, secured, maintained, and used in a way that effectively supports the activity of that organization, including: Facilitating and sustaining day-to-day operations Supporting predictive activities such as budgeting and planning Assisting in answering questions about past decisions and activities Demonstrating and documenting compliance with applicable laws, regulations, and standards Defining Good Recordkeeping It has not always been easy to describe what good recordkeeping looks like to those who do not do the work. Yet, this question gains in importance as regulators, shareholders, and customers are increasingly concerned about the business practices of organizations. ARMA International has filled this gap by creating a structure of Generally Accepted Recordkeeping Principles. The Principles are used to guide: CEOs in determining how to protect their organizations in the use of information assets Legislators in crafting legislation meant to hold organizations accountable Records management professionals in designing comprehensive and effective records management programs Critical Hallmarks of Information Governance The Principles identify the critical hallmarks of information governance and apply to all sizes of organizations, in all types of industries, and in both the private and public sectors. Multi-national organizations can also use The Principles to establish consistent practices across a variety of business units. There are eight principles. We look at each of them on the following pages. Principle of Accountability ARMA International s executive summary of accountability is as follows: A senior executive (or a person of comparable authority) shall oversee the information governance program and delegate responsibility for records and information management to appropriate individuals. The organization adopts policies and procedures to guide personnel and ensure that the program can be audited. 22

23 Principle of Integrity ARMA s executive summary of integrity is as follows: An information governance program shall be constructed so the information generated by or managed for the organization has a reasonable and suitable guarantee of authenticity and reliability. Principle of Protection ARMA s executive summary of protection is as follows: An information governance program shall be constructed to ensure a reasonable level of protection for records and information that are private, confidential, privileged, secret, classified, or essential to business continuity or that otherwise require protection. Principle of Compliance ARMA International s executive summary of compliance is as follows: An information governance program shall be constructed to comply with applicable laws and other binding authorities, as well as with the organization s policies. Principle of Availability ARMA International s executive summary of availability is as follows: An organization shall maintain records and information in a manner that ensures timely, efficient, and accurate retrieval of needed information. Principle of Retention ARMA International s executive summary of retention is as follows: An organization shall maintain its records and information for an appropriate time, taking into account its legal, regulatory, fiscal, operational, and historical requirements. Principle of Disposition ARMA International s executive summary of disposition is as follows: An organization shall provide secure and appropriate disposition for records and information that are no longer required to be maintained by applicable laws and the organization s policies. Principle of Transparency ARMA International s executive summary of transparency is as follows: An organization s business processes and activities, including its information governance program, shall 23

24 be documented in an open and verifiable manner, and that documentation shall be available to all personnel and appropriate interested parties. Records Managers and Ethics The ethical and moral aspects of leadership are increasingly important to records managers and program executives. The ethical considerations of records management activities should not be discounted. Legislatures and courts view failure to keep required records as a strict liability offense that includes: Intent not to keep records Knowledge that records are inadequate Mere negligence to do what is required Good Faith in Compliance In Legal Ethics and Records Management (ARMA Records Management Quarterly, October 1997), John Montaña states that there may in some cases be an explicit requirement that the records be "accurate" or "true and accurate" records. However, even when not stated, such a requirement is undoubtedly implied. Inaccuracies resulting from bad faith are sanctionable in court and can be damaging to a company s reputation. Lawsuits, Discovery, and Ethics Litigation, or anticipation of litigation, is an area where an organization's records management ethics are frequently tested. Sooner or later, states Montaña, most medium to large commercial organizations are faced with lawsuits and discovery. When this happens, the organization is faced with the reality that it must produce evidence for the other side. That evidence typically consists of records it has produced, which may prove detrimental to its legal cause. Each Party s Duty Nevertheless, each party's duty in this situation, explicitly legal and implicitly ethical, is clear, according to Montaña: Each party should produce anything it has which is of relevance, so that the legal system may resolve the dispute on its merits, rather than on the results of a game of cat-and-mouse played by the parties. Standard of Behavior Records retention practices are coming under increasingly greater scrutiny as time goes on. In determining what standard of behavior to employ, states Montaña, every organization and its employees must remember that there are objective standards, over and above the immediate, shortterm benefit of the organization, by which its actions will be judged. 24