Information Governance ITS 833 Dr. Ronald Menold ronald.menold@ucumberlands.edu Chapter 9 Information Governance and Records and Information Management Functions ITS 833 Objectives Alphabet Soup ▪ IG – Information Governance ▪ IT – Information Technology ▪ BYOD – Bring Your Own Device ▪ ISO – International Standards Organization ▪ HIPAA – Health Insurance Portability and Accountability Act ▪ SRO – Senior Records Official ▪ CIO – Chief Information Officer ▪ CCO – Chief Compliance Officer ▪ GARP – Generally Accepted Recordkeeping Principles® ▪ ARMA – Association of Records Managers and Administrators ▪ CEO – Chief Executive Officer ▪ CGOC – Compliance, Governance, and Oversight Council ▪ BOD – Board of Directors ▪ PII – Personally Identifiable Information ▪ EDRM - Electronic Discovery Reference Model Alphabet Soup ▪ IGRM - Information Governance Reference Model ▪ NARA – National Archives and Records Administration ▪ RIM – Records and Information Management ▪ DoD – Department of Defense ▪ ANSI – American National Standards Institute ▪ NIST – National Institute of Science and Technology ▪ ISO – International Standards Organization ▪ BSI – British Standards Institution ▪ ISMS – Information Security Management System ▪ IEC – International Electrotechnical Commission ▪ LHN – Legal Hold Notification ▪ FRCP – Federal Rules of Civil Procedure Alphabet Soup ▪ ESI – Electronically Stored Information ▪ RM – Records Management ▪ ERM – Electronic Records Management Records Management (RM) ▪ A key part of Information Governance ▪ However, IG is more than just RM ▪ ISO definition of records – “Information created, received, and maintained as evidence and information by an organization or person, in pursuance of legal obligations or in the transaction of business.” ▪ ISO definition of RM – “field of management responsible for the efficient and systematic control of the creation , receipt, maintenance, use, and disposition of records, including the processes for capturing and maintaining evidence of and information about business activities and transactions in the form of records.” Records and Information Management (RIM) ▪ Encompasses records management and adds all information – – – – – – Email Social media Mobile data Documents Cloud storage Enterprise data Electronic Records Management ▪ Same concept as records management (RM) but in an electronic form ▪ Electronic records need – – – – Classification Taxonomy Retention schedules Disposition schedules ▪ Metadata about electronic records make them different than paper records – During e-discovery, metadata (e.g. creation date and author) about a document may be even more important than the document itself. Changes in Information Technology ▪ As technology advances, media upon which data is stored can become obsolete. – Floppy disk – ZIP drives – JAZ drives ▪ Advances in Long Term Digital Preservation (lTDP) Tape Archive Formats Over the Years ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ 1951 - UNISERVO 1952 - IBM 7 track 1958 - TX-2 Tape System 1961 - IBM 7340 Hypertape 1962 - LINCtape 1963 - DECtape 1964 - 9 Track 1964 - Magnetic tape selectric typewriter 1966 - 8-track tape[26] 1972 - Quarter-inch cartridge (QIC) 1975 - KC standard, Compact Cassette 1976 - DC100 1977 - Tarbell Cassette Interface 1977 - Commodore Datasette 1979 - DECtape II cartridge 1979 - Exatron Stringy Floppy 1981 - IBM PC Cassette Interface ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ 1983 - Sinclair ZX Microdrive 1984 - Sinclair QL Microdrive 1984 - Rotronics Wafadrive 1984 - IBM 3480 cartridge 1984 - Digital Linear Tape (DLT) 1986 - SLR 1987 - Data8 1989 - Digital Data Storage (DDS) on Digital Audio Tape (DAT) 1992 - Ampex DST 1994 - Mammoth 1995 - IBM 3590 1995 - StorageTek Redwood SD-3 1995 - Travan 1996 - AIT 1997 - IBM 3570 MP 1998 - StorageTek T9840 1999 - VXA 2000 - StorageTek T9940 ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ 2000 - LTO-1 2003 - SAIT 2003 - LTO-2 2003 - 3592 2005 - LTO-3 2005 - TS1120 2006 - T10000 2007 - LTO-4 2008 - TS1130 2008 - T10000B 2010 - LTO-5 2011 - TS1140 2011 - T10000C 2012 - LTO-6 2013 - T10000D 2014 - TS1150 2015 - LTO-7 2017 - TS1155 2017 - LTO-8 2018 - TS1160 Electronic Records Management (ERM) ▪ Management of electronic records ▪ Electronic management of non-electronic recods – – – – – Paper CD/DVD/Blu-rays (in audio and video format) Magnetic tapes Audio-visual (film/cassette tapes) Other physical records Review of Information Governance ▪ From Smallwood (2014) – IG is the polices, processes, and technologies used to manage and control information throughout the enterprise to meet internal business requirements and external legal and compliance demands ▪ Overarching program over all data and knowledge in an organization Enterprise Content Management (ECM) ▪ ERM is included in ECM ▪ ECM generally includes all unstructured data in the organization including web pages and social media posts ▪ Databases/structured date is usually excluded in ECM Records Management Business Rationale ▪ Notable industry drivers for RM – Increased government oversight and industry regulation ▪ Sarbanes-Oxley (SOX) imposes fines and prison sentences – Changes in legal procedures and requirements during civil litigation ▪ Federal rules of civil procedure (FRCP) updated in 2006 for e-discovery – IG awareness ▪ Since SOX in 2002 and FRCP in 2006, IG is getting more recognition – Business continuity concerns ▪ Real disasters happen – 9/11 terror attacks – Hurricane Katrina – Superstorm Sandy ▪ Need for disaster recovery to include vital records are critical Why is Records Management Challenging ▪ Changing and increasing regulations ▪ Maturing IG requirements within the organization ▪ Managing multiple retention and disposition schedules ▪ Compliance costs and requirements with limited staff ▪ Changing information delivery platforms ▪ Security concerns ▪ Dependence on the IT department or provider ▪ User assistance and compliance Benefits of Electronic Records Management ▪ Improved capabilities for enforcing IG over business documents and records ▪ Improved, more complete, and more accurate searches ▪ Improved knowledge worker productivity ▪ Reduced risk of compliance actions or legal consequences ▪ Improved records security ▪ Improved ability to demonstrate legally defensible RM practices ▪ Increased working confidence in making searches, which should improve decision making Additional Intangible Benefits ▪ To control the creation and growth of records ▪ To assimilate new records management technologies ▪ To safeguard vital information ▪ To preserve the corporate memory ▪ To foster professionalism in running the business Inventorying E-Records ▪ The United States National Archives and Records Administration (NARA) defines a records-management inventory as – “A descriptive listing of each record series or system, together with an indication of location or other pertinent data. It is not a list of each document or each folder but rather of each series or system.” – The idea is knowing what you have and knowing where to find it. – An inventory item can be ▪ John Smith’s email archive for 2018, LTO5 archive tape, Kansas City, Kansas, Archive – It is not a list of every email in John Smith’s email archive. ▪ If I want to find an email from John Smith’s 2018 email archive, I now know where to look. E-Records Inventory Challenges ▪ You cannot see or tough them without searching online ▪ They are not in a central file room ▪ They have metadata which may distinguish between similar archives ▪ Multiple copies may exist and may be hard to determine “original” Records Inventory Purposes ▪ Identifies records ownership ▪ Determines which records are physical, electronic, or both ▪ Provides for the basis of retention or disposition schedule ▪ Improves compliance ▪ Supports training objectives for those handling records ▪ Identifies vital and sensitive records ▪ Assesses the state of records storage ▪ Supports Freedom of Information Act (FOIA) for government agencies Records Inventorying Steps ▪ Define the inventory’s goals ▪ Define the scope of the inventory ▪ Obtain top management’s support ▪ Decide who will conduct the inventory ▪ Learn where the agency’s files are located ▪ Conduct the inventory ▪ Verify and analyze the results Inventory Collection Elements ▪ What kind of record is it ▪ What department owns it ▪ What department access it ▪ What application created the record ▪ Where is it stored ▪ Date created ▪ Date last modified ▪ Is it a vital record (mission critical record) ▪ Are there other forms of the record (paper, .DOCX, .PDF, etc.) IT Network Diagram ▪ Creating network diagram with flow helps understand where the records might be ▪ High-level is all that is needed, not every computer ▪ Should show cloud applications and cloud storage ▪ Sharepoint servers should be identified Who Should Conduct the Inventory ▪ RM project team is lead ▪ People who may assist – – – – IT Staff Legal Staff Business Analysts Outside Consultants Conducting the Inventory ▪ Three methods – Distributing and collecting surveys ▪ Traditional approach – Conducting in-person interviews ▪ Often used after initial survey – Direct observation ▪ Begin at the central server level and work out from there Records Survey Form Records Inventory Electronic Records Inventory ▪ Department Information ▪ Identifying Information ▪ Record Requirements ▪ System Inputs/Outputs ▪ Technology and Tools ▪ Record Requirements ▪ Disposition ▪ Disposition ▪ Records Holds ▪ Record Holds Records Inventory Survey Form Who to Interview ▪ Managers ▪ Supervisors ▪ Professional/technical staff ▪ Clerical/support staff ▪ Choose wisely, interviews take a lot of time. – Choose a cross-section of all categories above. Not just all managers. Interview Questionnaire ▪ Sample interview questions ▪ Smallwood, 2014, p. 167 Value of Records ▪ Records appraisal – Analysis of all records to determine ▪ ▪ ▪ ▪ ▪ ▪ Administrative value Fiscal value Historical value Legal value Regulatory and statutory value Other archival value Ensuring Adoption of RM Policy ▪ RM is everyone’s duty ▪ Don’t micro-classify ▪ Ensure executive support ▪ Train and educate staff about RM ▪ Conduct compliance audits General Principles of a Retention Schedule ▪ Must include all records ▪ All legal requirements must be recorded ▪ Proactive process. Schedules are created in advance ▪ Retention period must meet needs of user (e.g. don’t purge email at end of each day) ▪ Records should be kept minimum amount of time necessary ▪ Periodic review is necessary ▪ Records must be in repository where it can be protected ▪ Continuous updating and amending ▪ Senior management must sign off on retention schedule ▪ Classification and records scheduling are intertwined ▪ Similar records should have similar retention ▪ Historic records must be preserved ▪ Senior management must review audit findings ▪ Scheduling process must be documented and updates/changes tracked Why Retention Schedules are Needed ▪ Allows for the uniformity in the retention and disposition process ▪ This can happen regardless of media or location of the record ▪ Tracks, enforces, and audits the retention disposition of records ▪ Keeps records to the minimum needed for legal/regulatory compliance Information Included on Retention Schedules ▪ Title of series ▪ Description of series ▪ Office responsible for retention ▪ Disposal decision – e.g. destroy, archive, or postpone (rare) ▪ Timing of disposal ▪ Events that trigger disposal ▪ Dates which schedule goes into effect ▪ Legal citations Key Steps in Developing Records Schedule ▪ Review recordkeeping requirements of business unit ▪ Inventory the records ▪ Determine periods of time records are needed – Business needs – Legal requirements ▪ Draft disposition instructions – What to specifically do with the records at end of retention period Before You Create a Records Schedule ▪ Prerequisites for creating a records schedule – Inventory ▪ You have to know what types of records you have – Classification ▪ You have to the type of record ▪ Create an information map – Where information is created – Where information resides – What path information takes Informal Information Map ▪ List of different types of records in each business area – – – – – Who created them What they are used for Who uses them What is their purpose What is their content ▪ If an inventory has not been done, you need to do one – This is mandatory Classification of Records ▪ Business functions and activities – Tasks performed to accomplish business function ▪ Records series – Group or unit of identical or related records that are filed as a unit ▪ Document types – Grouping of related records ▪ On-boarding documents on employee’s first day – Category of records ▪ Meeting minutes ▪ Presentation ▪ Category is not a retention factor, business purpose is Record Groupings ▪ Grouping by similar theme for completeness ▪ Increasing searching speed ▪ Increases organizational knowledge by providing context of creation ▪ Clearly identifies creator ▪ Grouping by disposition allows for ease of archive/destruction Record Series ▪ Case records – – – – – – Follow a timeline Personnel records/files Mortgage files Insurance claims Have a beginning and an end Are added to over time ▪ Subject Records – Topic of function records – Related to a business function – Example ▪ Legal compliance series ▪ Standard operating procedures ▪ Education and training Retention of E-Mail Records ▪ Determination needs to be made if the emails are records or not – Some are and some are not – Substantive emails can be records ▪ ▪ ▪ ▪ Documents business transaction or progress toward a transaction Documents business-related event Documents internal governance/policies Documents business activity which may be disputed or litigated in the future – Email about going to lunch are not records How Long to Keep E-Mails ▪ Determination is made by content of the email, not that fact that it is an email ▪ Destructive Retention of E-Mail – Unregulated industry ▪ One-quarter delete email after 90 days unless it has been identified as a record – Regulated industry (energy, technology, communication, etc.) ▪ Most delete email after 1 year ▪ E-Mails marked as records have to be retained per records retention schedule. – If emails are deleted after 90-days, record emails have to be move to storage before that 90 days expires Long-Term Archiving of Records ▪ Records having historical value must be archived long-term ▪ Records essential for maintaining corporate memory must be archived long-term ▪ When in doubt, go to corporate archivist ▪ Statute of limitations can define how long a record must be maintained – If you can no longer be sued for something you did 5 years ago, records about that action which are 5 years old can be destroyed if they do not meet another category (e.g. historical) for records retention Legal Requirements/Compliance ▪ A legal hold on a document supersedes all other categories of retention – If an email would normally be purged after 90-days, a legal hold would prevent it from being purged ▪ Legal retention periods such as statute of limitations can vary between jurisdictions (local, state, federal, international) – Record must be retained for the longest limitation period – Only legal counsel (lawyers) can make determinations ▪ A non-lawyer reading the same law may misinterpret the requirements Event-Based Retention Scheduling ▪ An event starts the clock on the retention period – Employee records are kept while the person is employed – On the day the employee is fired the clock starts on the statute of limitations for them suing you. – So the retention period is Firing date + statute of limitations (e.g. termination date + 5 years) – When no legal hold/historical value exists, disposition may be ▪ Destroy when no longer needed for current operations Prerequisites for Event-Based Disposition ▪ Clarify trigger events – they are not always easy to define – End of contract can be ▪ Day vendor finishes work ▪ Day invoice is received ▪ Day invoice is paid ▪ ERM system can be triggered automatically, this trigger event must be well-defined ▪ ERM system must have archive and disposition capabilities – ERM system must be able to delete records at specified date with no ability to recover record (complete wipe of record) Final Disposition and Closure Criteria ▪ Retention Periods – Online ▪ Active ▪ inactive – Offline ▪ Onsite ▪ Offsite ▪ Closure Date – End of fiscal year/school year – Event date ▪ Termination Date Transitory Records ▪ Documents not rising to the level of being a record – Temporary – Short term ▪ ▪ ▪ ▪ ▪ Email advertising Draft documents Works in progress Duplicates Temporary notices – Must be considered in master retention schedule Implementation of Retention Schedule and Disposal of Records ▪ Automated systems are best at ensuring records are disposed of properly ▪ Formal signoff on retention schedule – – – – – CEO Legal Counsel Board of Directors Auditors Information Governance Program ▪ Verify true and complete destruction ▪ Records destruction needs to be certified ▪ Ongoing maintenance of records schedule ▪ Audit of IG policies is necessary task Chapter 9 Information Governance and Records and Information Management Functions ITS 833 
Purchase answer to see full attachment