Understanding regulatory compliance in records management
Understanding your responsibilities when it comes to records and information management has never been more critical, given the risk of heavy fines, prosecution, and civil actions that organisations leave themselves exposed to if their information management house is not in order.
Just as information comes in many formats, the same applies to the legislative requirements around information – there is not a one-size-fits all approach, as different types of information have different sets of regulations when it comes to the legal requirements around retention and disposal.
The rules vary dramatically from one industry to another, so it is paramount that you avail yourself of the correct information pertaining to the specific documents at your disposal. For instance, contracts and agreements relating to the management of your IT infrastructure should be retained for at least 7 years, whereas contracts and agreements in the real estate industry should be retained for a minimum of 15 years.
Furthermore, there are other types of documents that need to be retained for far longer periods, such as copyright information, which should be kept for at least 70 years, or documents relating to insurance, policies or claims, which should be retained indefinitely.
Typically, documents are usually required to be retained somewhere between 5 and 7 years, though as evidenced with some of the examples above, it is necessary to be aware of the rules that apply to your particular industry sector.
Why you need to understand ISO 15489
In the context of the evidentiary value of your organisation’s information, the AS ISO 15489 standard is the primary guidance standard when it comes to the maintenance of your information management system.
The key elements of the standard that every records manager needs to know are:
- Information systems and retention processes should be designed to protect information against unauthorised access, loss or destruction
- Organisations should have a policy and guidelines in place governing the conversion or migration of information from one archiving system to another
- Systems for the retention of information electronically should be designed in such a way as to ensure the information remains accessible, auditable, authentic, reliable and usable during the retention period, regardless of any system changes.
In general, an organisation needs to be able to prove that the content of a particular electronic record or data file has not been altered since its creation at the date of storage.
The risks in managing your information lie in 3 areas:
- Unauthorised access – either accidental, or deliberate: Unauthorised access can result in theft or leakage of intellectual property, violation of the privacy principles, or alteration or destruction of information you are required, or intend keeping.
- Inability to locate information: If your information is not stored in a structured manner, this will lead to expensive search / discovery costs, inefficiency in your knowledge workers, and escalating storage costs.
- Inappropriate protection of information: this results in loss or damage to information – either from degradation due to the storage environment (paper mould / mildew, atrophy of magnetic media), or damage due to external events such as fire or flood.
The legal considerations of information management
There are a number of legal issues pertaining to information management that you must consider when it comes to the development and ongoing management of your organisation’s information.
Chief amongst them are:
- The legal requirement that certain contracts must be in writing.
- Whether legal obligations exist in your specific industry sector to retain certain types of information stored in hard copy paper format.
- The legal requirements in respect of the conversion of written information stored into an electronic format.
Additionally, as mentioned previously, the minimum and maximum retention periods should always be known and adhered to, and the evidentiary value of information stored electronically should be understood, as should the legislation around the retention and accessibility of information stored electronically.
Daniel Warren-Smith heads up Iron Mountain’s Imaging and BPO business in Australia.