What are records and why are they important?
Records are a valuable business asset. One of the key ways organisations are held accountable for their actions is through evidence of business transactions in the form of records. Records are ‘information created, received, and maintained as evidence and information, by an organisation or person, in pursuance of legal obligations or in the transaction of business’. They must be retained for a period of time that is in line with an authorised retention schedule or disposition authority, sometimes referred to as a ‘disposition’.
A record is not just a collection of data, but is the consequence or product of an event and therefore linked to business activities. A distinguishing feature of records is that their content must exist in a fixed form, that is, be a fixed representation of the business transaction. Managing records in business systems, which contain data that is frequently updated and dynamic, is particularly challenging and may provide a rationale for implementing a separate electronic records management system. Records comprise not only content but also information about the context and structure of the record.
Records management metadata ‘identifies, authenticates and contextualises records and the people, processes and systems that create, manage, maintain and use them and the policies that govern them.’ It allows records to be located, rendered and understood in a meaningful way. ISO/TS 23081-2 provides a generic statement of records management metadata elements.
Organisations may also have jurisdiction-specific element sets to which they must adhere.
An appropriately managed record will provide a basis for:
- transparent, informed and quality decision-making and planning;
- an information resource that can be used to demonstrate and account for organisational activities; and
- consistency, continuity and efficiency in administration and management.
The International Standard on Records Management, ISO 15489, provides best-practice guidance on how records should be managed to ensure they are authentic, reliable, complete, unaltered and usable. Organisations that do not employ an electronic records management system may risk loss of key evidence of their business activities, thereby resulting in a lack of corporate memory, inefficiency and an inability to meet accountability and legislative requirements. The risks of not implementing an electronic records management system are:
- failure to meet legislative and regulatory requirements;
- embarrassment to your chief executive, the government and/or private individuals, especially if inability to manage information competently is highlighted in the media;
- poor strategic planning and poor decisions based on inaccurate information;
- business critical information not accessible for the conduct of business, dispute resolution, legal challenge or evidential purposes;
- loss of credibility, lowered public confidence, or financial or legislative penalties through inability to produce records or provide evidence of business activity when required in a timely manner;
- inability to provide evidence of the organisation’s activities or undertakings with external agencies, clients or contractors;
- inconsistent and inefficient conduct of business;
- inability to exploit organisational information and knowledge to full potential;
- unlawful disposal of records and inability to fully exploit corporate knowledge and data;
- duplication of effort, and poor resource and asset management;
- reduced capability of demonstrating good performance and any increased efficiencies or improved service delivery; and
- organisational embarrassment and damage to reputation.
The benefits of good recordkeeping include:
- protection and support in litigation, including the management of risks associated with the existence or lack of evidence of organisational activity;
- protection of the interests of the organisation and the rights of employees, clients, and present and future stakeholders;
- improved security of business records and robust management of commercial-in-confidence, personally sensitive or confidential information;
- the ability to deliver services in an efficient and consistent manner;
- ability to support current and future research and development activities;
- improved comprehensiveness and reliability of corporate memory;
- availability of relevant business activity records when required to support well-informed decision-making and policy development;
- reduced risk of data loss or accidental destruction of records;
- reliable performance measurement of business outputs;
- increased public and/or client confidence in the integrity of an organisation’s activities; and
- identification of vital records for disaster planning, so that organisations can continue to function in the event of severe disruption.
Authoritative and credible recordkeeping is an essential component of good governance and underpins reliable and consistent business practice and service delivery.
Characteristics of electronic records and electronic records management systems
Once records have been created, they must be managed and maintained for as long as required to ensure they have the following characteristics:
- Authenticity – the record can be proven to be what it purports to be, to have been created or sent by the person that created or sent it, and to have been created or sent at the time it is purported to have occurred.
- Reliability – the record can be trusted as a full and accurate representation of the transaction(s) to which it attests, and can be depended on in the course of subsequent transactions.
- Integrity – the record is complete and unaltered, and protected against unauthorised alteration. This characteristic is also referred to as ‘inviolability’.
- Usability – the record can be located, retrieved, preserved and interpreted.
Typically, electronic records management systems have the following attributes that seek to ensure these characteristics are maintained:
Creating records in context – electronic records management systems enable organisations to capture evidence of their business activity. This involves identifying a set of electronic information to serve as the evidential record comprising both content and context. So, in order for information to have the capability of functioning as a record, it is necessary to augment that content information with additional data (that is, metadata) that places it in the context of the business operations and computing environment in which it was created.
Managing and maintaining records – electronic records have to be actively managed as evidence of business activity, and to maintain their authenticity, reliability, integrity and usability. Maintenance of this evidence, as records, is necessary for operational viability and accountability of the organisation.
Maintaining records for as long as they are required – records must be retained for a period of time that is in accordance with authorised legislative and jurisdictional requirements. Decisions about how long records must be retained are defined in disposition/disposal policies and rules. There will be some records that must be retained permanently while others will be required to be retained for varying periods or have a maximum retention period (for example, for privacy or data-protection legislative purposes).
Records have to be able to be disposed of in a managed, systematic and auditable way. A hallmark of appropriate records management is the retention and appropriate disposition of records according to specified rules as stated in Section 27 of National Archives Act 2003.
Systems need to be able to delete records in a systematic, auditable and accountable way in line with operational and juridical requirements. Organisations will need to meet the policies and procedures of their local jurisdictional authority for identifying, retaining and disposing of records.
Records management metadata can be configured – to be meaningful as evidence of a business process, records must be linked to the context of their creation and use. To do this, the record must be associated with metadata about the business context in a classification structure. In addition to this ‘classification’ metadata, other metadata that should be captured at the point of creation includes:
- record identifier (as specified in the e-file plan);
- date of creation;
- creator/author/person responsible; and
- the business being conducted
- etc.
Much of this information can be automatically generated. In this Specification, integration of metadata for managing records is addressed at a relatively high level. Rather than specifically detailing every metadata element required, the functional requirements set instead provides broad references to the need to have functionality that is capable of creating, capturing and maintaining adequate metadata elements. It is expected that each organisation will capture records management metadata in line with an identified records management metadata standard, in accordance with organisational and/or jurisdictional requirements, and/or be consistent with ISO 23081-1:2006, Information and Documentation – Records Management Processes – Metadata for Records, Part 1 – Principles; and ISO/TS 23081-2:2007, Information and Documentation – Records Management Processes – Metadata for Records, Part 2 – Conceptual and Implementation Issues.
Records can be reassigned or reclassified, closed and if required, duplicated and extracted – the identification of needs for records should establish at what point in the process a record should be created. Any further processes that happen to the record after this point must result in the creation of a new record or the recorded augmentation/versioning of the existing record, rather than alteration to it. This means that content and metadata that need to be kept to record previous decisions or processes cannot be overwritten, but that new content or metadata can be added.
It is important to ensure that the system is not ‘locked down’ to such an extent that simple mistakes (such as mistyping a name) cannot be corrected – although permission for changes may be restricted to a system administrator or prevented by the system in exceptional circumstances, such as pending legal action.
Reports can be undertaken – on records and the management thereof.
Security processes can be put in place – normal systems controls over access and security support the maintenance of authenticity, reliability, integrity and usability, and therefore should be appropriately documented.
A risk assessment can inform business decisions as to how rigorous the controls need to be. For example, in a high-risk environment, it may be necessary to prove exactly what happened, when and by whom.
This links to systems permissions and audit logging, to prove that approved actions are undertaken by authorised users. User requirements should be assigned at appropriate levels of access by an administrator.
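The versioning and audit-logging requirements above, sketched as an added example that is not part of the original specification: a correction is stored as a new version rather than an overwrite, and every action is logged with who, what and when. The hash chaining, the RecordStore class, and all field names and sample values are assumptions made for illustration.

```python
import hashlib, json
from datetime import datetime, timezone

def _sha(text):
    return hashlib.sha256(text.encode()).hexdigest()

class RecordStore:
    """Illustrative store: append-only versions plus a hash-chained audit log."""
    def __init__(self):
        self.versions = {}  # record identifier -> list of versions, oldest first
        self.audit = []     # who/what/when entries, each linked to the previous one

    def capture(self, user, record_id, content, metadata):
        """Create a record or add a version; earlier versions are never overwritten."""
        history = self.versions.setdefault(record_id, [])
        history.append({"content": content, "metadata": dict(metadata)})
        entry = {"when": datetime.now(timezone.utc).isoformat(), "who": user,
                 "action": "create" if len(history) == 1 else "version",
                 "record": record_id, "version": len(history),
                 "content_sha256": _sha(content),
                 "prev": self.audit[-1]["hash"] if self.audit else "0" * 64}
        entry["hash"] = _sha(json.dumps(entry, sort_keys=True))
        self.audit.append(entry)
        return len(history)

    def verify(self):
        """True only if the audit chain is unbroken and matches the stored content."""
        prev = "0" * 64
        for e in self.audit:
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev"] != prev or _sha(json.dumps(body, sort_keys=True)) != e["hash"]:
                return False  # audit entry altered or chain broken
            history = self.versions.get(e["record"], [])
            if e["version"] > len(history):
                return False  # a logged version is missing from the store
            if _sha(history[e["version"] - 1]["content"]) != e["content_sha256"]:
                return False  # stored content changed after capture
            prev = e["hash"]
        return True

def demo():
    """Constructed sample: a record, a correction as version 2, then an overwrite."""
    store = RecordStore()
    meta = {"creator": "a.clerk", "classification": "constructed/sample"}
    store.capture("a.clerk", "REC-0001", "Contract with Jonh Smith", meta)
    store.capture("records.admin", "REC-0001", "Contract with John Smith", meta)
    kept, intact = len(store.versions["REC-0001"]), store.verify()
    store.versions["REC-0001"][0]["content"] = "Contract with Jane Doe"  # overwrite
    return kept, intact, store.verify()
```

Anyone able to rewrite the whole log could recompute the chain, so a real system would also keep the latest hash somewhere outside the records system.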
1 International Standard on Records Management, ISO 15489
2 International Standard on Information and Documentation – Records Management Processes – Metadata for Records, ISO 23081.
3 These are taken from ISO 15489.1 Records Management, Section 7.2 Characteristics of records.