CONTENTS

L ist of i LLustrations xiii

a cknowLedgments xix
i ntroduction xxi

1 The Origins and Development of Records and Information

Management 1
Introduction 1
Records and Recordkeeping in Society 1
Recordkeeping in the United States in the Twentieth Century 5
Information Technology, Records, and the Information Age 7
Web 2.0, Social Media, and Society 13
Summary 21
Perspective: Information Governance: We Are Finally Asking the Right Questions,
by Barclay T. Blair 22
Notes 27

2 Building an Information Governance Program on a

Solid RIM Foundation 31
Introduction 31
Information Governance 31
Records Management as a Professional Management Discipline 34
Records and Information Management Lifecycle 36
Records Management Program Elements, Functions, and Activities 41
Standards, Laws, Regulations, and the Legal Environment 42
Summary 52
Paradigm: The Information Governance Imperative in Healthcare,
by Robert Smallwood 53
Notes 56

/ vii /
viii / C ON T EN T S

3 Records and Information Creation and Capture, Classification,

and File Plan Development 59
Introduction 59
Records and Information Creation and Capture 60
Controlled Language and Records Classification 65
Business Classification Schemes 71
Indexing, Content Analysis, and File Plan Development 74
Records Management Metadata 77
Summary 81
Paradigm: University Records Management File Plans, by Peg Eusch 82
Notes 86

4 Records Retention Strategies: Inventory, Appraisal,

Retention, and Disposition 89
Introduction 89
Records Inventory 89
Records Appraisal 99
Web Records: Identifying, Capturing, and Scheduling 102
Legal and Regulatory Compliance 106
Developing a Records Retention and Disposition Schedule 107
Summary 112
Paradigm: Leveraging a New Retention Schedule to Launch an Information Governance
Program, by Susan Cisco 113
Notes 116

5 Records and Information Access, Storage, and Retrieval 119

Introduction 119
Business Process Mapping and Workflow Process 120
Access Controls 124
Active Storage Systems 127
Search and Retrieval Process 137
Metadata and Metadata Standards 143
Summary 148
Paradigm: Introduction of Continuous Improvement in Records Management Programs
and Processes Using Lean Practices, by Charlene Cunniffe 148
Notes 151

6 Electronic Records and Electronic Records Management Systems 155

Introduction 155
Electronic Records 155
Enterprise Information Systems (EIS) 156
 C O N TE N T S / ix

Content Management Systems 158

Enterprise Content Management Systems (ECMS) 159
Electronic Records Management 160
Electronic Records Management Systems (ERMS) 163
Electronic Records Management Systems Guidance 164
SharePoint and Records Management 172
Data and System Migration 175
Records Management in the Cloud 177
Planning and Managing an Electronic Records Management Program 178
Summary 178
Paradigm: The Art and Science of ERMS Deployment,
by Morgan King and Stephen Aaronson 179
Notes 182

7 Developing and Emerging Technologies and Records Management 187

Introduction 187
Developing Technologies: Social Media 187
Social Media and Records Management 188
Diffusion of Innovation and Trend Spotting 200
Emerging Technologies 204
Summary 209
Paradigm: Blockchain Technology and Recordkeeping, by Victoria L. Lemieux 210
Notes 214

8 Vital (Essential) Records, Disaster Preparedness and Recovery,

and Business Continuity 219
Introduction 219
Business Resumption Strategies 219
Vital Records Program 220
Disaster Preparedness and Recovery Planning 230
Business Continuity Planning 239
Summary 241
Paradigm: Wirral University Teaching Hospital NHS Foundation Trust Utility Disruption,
by Helen Nelson 243
Notes 244

9 Monitoring, Auditing, and Risk Management 247

Introduction 247
Monitoring the Management of Records 247
Auditing the Records Management Program 253
Risk Management 256
x / C ON T EN T S

Summary 265
Paradigm: Identifying, Assessing, and Controlling Records and Information Management
Risks: A Cross-Disciplinary Approach, by Lisa Daulby 266
Notes 269

10 Information Economics, Privacy, and Security 273

Introduction 273
Information Economics (Infonomics) 273
Information Asset Privacy and Security 282
Summary 296
Paradigm: Integrating Information Governance into the Privacy
and Security Landscape, by Ilona Koti 298
Notes 301

11 Inactive Records Management: Records Centers and Archives 305

Introduction 305
Inactive Records and Records Centers 305
Archives Management 318
Summary 327
Paradigm: Establishing the Jelly Belly Candy Company Archives: A Case Study of a
Family-Owned Candy Company’s History and Recordkeeping, by Lori Lindberg 327
Notes 330

12 Long-Term Digital Preservation and Trusted Digital Repositories 333

Introduction 333
Long-Term Digital Preservation 333
Digital Curation and Stewardship 340
Building a Trusted Digital Repository 342
Cloud Digital Preservation as a Service 347
Digital Preservation Research 348
Summary 349
Paradigm 1: Use Case—eArchive for Pharmaceutical Pre-Clinical Research Study
Information, by Patricia Morris and Lori Ashley 350
Paradigm 2: Archivematica to ArchivesDirect: A Practical Solution for Limited Staff
Resources, by Amber D’Ambrosio 353
Notes 356

13 Lifelong Learning: Education, Training, and Professional Development 359

Introduction 359
Preparation for Records Management Professionals 360
Records Management Training Programs 369
 C O N TE N T S / xi

Summary 374
Paradigm: Graduate Archival Education—The Master of Archival Studies at the University
of British Columbia, by Luciana Duranti 375
Notes 379

14 From Records Management to Information Governance: An Evolution 383

Introduction 383
Developing a Records Management Program 383
Implementing an Information Governance Strategy 394
Summary 404
Perspective: Perspectives on Information Governance and Managing Information Assets,
by Diane K. Carlisle 406
Notes 412

a ppendix A Sampling of Records Management Laws and Regulations

Outside of the United States 413

g Lossary 417
B iBLiography 441
a Bout the a uthor and c ontriButors 463
i ndex 469
 I L LU S T R AT I O N S

FIGURES

1.1 Engraved clay tokens, evolution to cuneiform writing, and English equivalent. 3

1.2 Known as the Rose Mary Stretch, President Richard Nixon’s secretary
demonstrated how she accidentally hit the pedal beneath her desk that activated
the machine that erased eighteen minutes of a taped conversation while talking
on the telephone. 7
1.3 The Remington Rand UNIVAC, 1951. Shown are the operator control board,
central processor, and magnetic tape drive units. 8
1.4 Removable type element on the Selectric typewriter allowed operators to select
among a number of different fonts. 10
1.5 Web 2.0 model illustrating levels of activities organized into four categories. 15

1.6 What fun—a comfy sofa on the sand—too bad it is just augmented reality! Learn
more about IKEA’s Augmented Reality app at www.ikea.com/us/en/about_ikea/
newsitem/091217_IKEA_Launches_IKEA_Place. 19
1.7 The Facets of IG. 24

2.1 Information governance framework. 33

2.2 Document-centric records and information lifecycle model. 36

2.3 Information lifecycle model. 37

2.4 Records continuum model. 39

3.1 A secretary takes dictation on a typewriter, 1954. 61

3.2 Semantic richness of controlled language facilitates search and retrieval. 66

3.3 Alphabetic filing guides reduce filing and location time by subdividing a
file drawer. 68
3.4 Major headings of functional classification scheme derived from records and
information functional groups. 72
3.5 Hierarchical representation of a file plan for a human resources function. 73

3.6 The Semantic Web. 76

/ x iii /
xiv / LIST OF I LLUSTR ATIONS

3.7 Metadata Model as described in ISO 23081-2:2009. 79

3.8 Records Management File Plan elements. 84

4.1 Retention requirements for one type of record (Certificates of Organization for
Limited Liability Companies) stored on paper and microfilm. 90
4.2 Records Series Inventory form. 92

4.3 Florida Attorney General data map example. 96

4.4 Electronic records inventory worksheet. 98

4.5 Anatomy of a records series. 102

4.6 Whitehouse.gov site in 1996 (Web 1.0). 105

4.7 Portion of the University of California records retention schedule. 109

4.8 Versatile enterprise records series dialog box. 110

4.9 Portion of General Records Schedule Crosswalk, The General Records Schedules,
Transmittal 27, NARA, January 2017. 111

5.1 Workflow for manual requisition and purchasing process. 121

5.2 Automated requisition/purchase order workflow. 122

5.3 Purchase-to-Pay Process offered by Basware. 123

5.4 Nutrition labels contain structured data. The Entity is “Nutrition Facts”
for this particular product. The Attributes are Calories, Total Fat, Cholesterol,
and so on. 129
5.5 Structured data can be replaced by the term database data, because
this describes the format and presentation requirements of this
information. 130
5.6 End-of-term letter-grade distribution for students in one class. 131

5.7 The Primary key (ID in bold) in each table relates to the same ID in
another table. 131
5.8 Unstructured data examples. 132

5.9 Comparison of HTML and XML markup. 133

5.10 Distribution chart illustrating Hispanic population by state adapted from

two data sources. 134
5.11 Data remains in lake in native form until processed. 136

5.12 The Library of Congress Online Catalog. 139

5.13 Semantic search explores relationships between an instance (purchase) and its
facets. 143
5.14 Metadata added to image file by camera. 145
 LIST O F I LLUSTR ATIO N S / xv

5.15 Example of Creative Commons Rights Expression Language used to embed license
information on a webpage. 147

6.1 Supply chain management improves operations with information flowing both
upstream to suppliers and downstream to customers. 157
6.2 Context for Electronic records management (ERM). 161

6.3 DoD 5015.02-STD compliance test results are shown on the RMA Project Register
webpage. 165
6.4 A MoReq2010-compliant records system as a group of interrelated services with a
service-based architecture. 166
6.5 Model 1—Integration of stand-alone EDMS with stand-alone ERMS. 168

6.6 Model 2—EDRMS (integrated EDMS with ERMS). 169

6.7 Model 3—Integration of ERMS into an EDM repository/server. 169

6.8 Model 4—Records are captured from a business system and moved into a records
repository for control by the records system. 170
6.9 Model 5—Records managed by a records management system regardless of their
location. 171
6.10 Model 6—Records management functionality built into a business system. 171

6.11 Records declaration feature from the SharePoint-Gimmal Matrix. 174

7.1 Social Media Landscape 2017. 188

7.2 Accessible archive on Twitter for President Barack Obama. 194

7.3 Social Media Archive captured and managed by ArchiveSocial. 195

7.4 ArchiveSocial interface showing Facebook page posts and underlying

metadata. 199
7.5 Diffusion of innovation based on categories of adopters. 200

7.6 Results of a Google Trends search on three topics: Cloud computing, social media,
and artificial intelligence. 203
7.7 Gartner’s Hype Cycle for Emerging Technologies 2017. 205

7.8 Exchanging and analyzing data through the Internet of Things. 207

7.9 Transaction processing using blockchain technology. 208

7.10 A Typology of Blockchain Recordkeeping Solutions. 211

8.1 More than five months post-Katrina, salvaged medical records remained
inaccessible at Hancock Medical Center, Bay St. Louis, Mississippi. 221
8.2 Records value scale with three classifications of vital (essential) records. 223
x vi / LIST OF I LLUSTR ATIONS

8.3 Section from the Minnesota Records Inventory Worksheet. 227

8.4 Vital (essential) records schedule form. 229

8.5 Natural hazards exposure map. 231

8.6 Natural hazard events result in more than $1 billion each in 2017. 233

8.7 Records damage assessment site survey form. 235

8.8 Almost no paper survived the 9/11 attacks on the World Trade Center. 236

8.9 The business continuity management lifecycle. 241

9.1 Steps in the performance monitoring process. 248

9.2 Risk assessment model. 257

9.3 Risk assessment matrix. 260

9.4 Department of Homeland Security, FOIA requests received, processed, and

pending, fiscal year 2016. 264
9.5 Intersection of risk management methodologies and the IG Maturity Model. 267

10.1 Balance sheet listing the total of current and fixed tangible assets on the left,
“balanced” by the total of liabilities and equity on the right. 275
10.2 Portion of the 2016–2017 Condensed Consolidated Balance Sheets including
goodwill and purchased intangible assets. 276
10.3 Government/military security classifications. 291

10.4 Example of a private sector classification system. 292

10.5 Example of a data breach response process launched in the event of a recognized
incident. 295

11.1 Document services supervisor Maggie Turner in the main records vault, City
Records Center, Milwaukee. The Records Center is soon to be combined with the
Office of Historic Preservation and the Legislative Reference Bureau to form the
City Research Center. 306
11.2 Formulas used to estimate volume, capacity, and floor area for space planning. 307

11.3 Custom-designed media vault. 317

11.4 President George Washington’s personal copy of the Acts of Congress, including the
US Constitution and a draft of the Bill of Rights with Washington’s own signature
and handwritten notations. 320
11.5 The Vault of the Secret Formula located in the World of Coca-Cola, Atlanta,
Georgia. 323
11.6 Flight attendants wearing retro uniforms of Delta and related airlines: Northeast,
Northwest, Western, and Pan Am. 324
 LIST O F I LLUSTR ATIO N S / x vii

12.1 Overview of National Archives of the United Kingdom’s digitization process. 335

12.2 The Declaration of Arbroath, 1320. Letter from the barons, freeholders, and the
whole community of the kingdom of Scotland to Pope John XXII. 340
12.3 Digital curation lifecycle. 341

12.4 OAIS functional entities. 343

12.5 Integrated vision for digital preservation in a business process. 345

12.6 The original digital POWRR grid. 348

13.1 Records and information management lifelong learning. 361

13.2 Job posting for records and information lifecycle manager. 362

13.3 Increasing levels of formal education can prepare a records professional for
increasing levels of responsibility and authority. 367

14.1 The Mnemonic “A TIP CARD” listing the Eight Principles. 384

14.2 Essential elements of a records management program. 385

14.3 Developing a strategic records management plan. 388

14.4 SWOT analysis tool based on research conducted at SRI International. 390

14.5 Information governance components based on the Information Governance

Maturity Model matrix by EMC2. 395
14.6 Information Governance Reference Model. 396

14.7 The evolution from records management to information governance. 405

14.8 Core Concepts of Information Governance. 408

14.9 Excerpt from Information Governance Maturity Model. 410

TABLES

3.1 Records can be captured either manually or automatically by the employee, the
organization, or a third party. 64
3.2 Examples of categories included in North Dakota Subject Classification System. 69

3.3 Example of indexing order within an alphabetic filing system. 75

5.1 University of Pennsylvania records retention schedule: Academic/student

records. 128
5.2 Data warehousing and data marts—two perspectives. 135
x vi i i / LIST OF I LLUSTR ATIONS

6.1 How will you partner? 181

6.2 Metrics and assigned responsibility. 182

8.1 Classification of records as vital, important, useful, or nonessential. 225

8.2 Essential Records categories and subcategories. 226

8.3 Storage media and length of record life. 228

9.1 Sampling of FRCP rules affecting discovery of electronically stored

information. 263

10.1 Advantages Uber has over traditional cab companies due to technology and ability
to employ knowledge from its information assets. 279
10.2 A sampling of US data protection laws. 286

10.3 Privacy laws by country outside of the United States. 288

11.1 Optimal temperature and humidity ranges for paper, film, and electronic
media. 310
11.2 Acceptable storage environments for records types based on risk tolerance. 311

11.3 Records center/records control, and records destruction/disposition forms. 315

11.4 Repository types. 322

13.1 Steps to design and develop a records management training program. 371

14.1 Example of outline for records management policy. 386

14.2 Factors that may be discovered as a result of a SWOT analysis. 391

14.3 Partial example of information governance committee membership. 399

14.4 Information governance strategy: One example. 400

14.5 Information governance strategic policy: One example. 401

14.6 Examples of questions from the Health Information and Quality Authority
Information Governance Self-Assessment Tool. 404
 ACKNOWLEDGMENTS

W riting the first edition of Records and Information Management was a joy and a chal-
lenge. Writing the second edition was as rewarding but even more challenging due to
the expanding information landscape, the advances in technology, and the growing expec-
tations that records and information professionals be both specialists in their fields and
generalists when it comes to related fields.
I am sincerely grateful for the number of individuals who responded to my request for
comments on the first edition and suggestions for the second. Although it was not possible
to include every topic suggested in this one work, those suggestions did result in the inclu-
sion of two additional chapters and numerous other changes.
Any errors in this book are mine alone, but any of the improvements you find useful are
the result of the many individuals who shared their time and expertise. These individuals
include but are not limited to:

• Mark Driskill, Freelance Writer/Researcher and MARA graduate. Mark

provided invaluable assistance by editing each of the chapters, formatting
the notes sections, and developing the bibliography and glossary of terms.
• Anna Maloney, a MARA graduate currently working in Records and
Information Management in the financial services industry. Anna took the
time to critique each chapter of the first edition and provide suggestions
from a student’s perspective.
• James Tammaro, Adjunct Professor, State University of New York at
Buffalo. Jim not only provided suggestions for improvement but also
expressed his desire for teaching materials. In response to his request,
PowerPoint slides are available for this edition.
• In addition, special thanks go to a number of faculty from various
universities who are familiar with the first edition and took the time to
respond to a questionnaire about the usefulness of the content, including:

° Alexis Antracoli, Drexel University

° Jason Kaltenbacher, San José State University
° Janice M. Krueger, Clarion University of Pennsylvania
° Eun Park, McGill University
° Catherine Stollar Peters, University at Albany,
State University of New York
° Christina Reedy, University of North Texas.

/ xix /
 INTRODUCTION

In introducing the first edition of Records and Information Management, I asked,

With all of the hype about social media, cloud computing, digital preservation, elec-
tronic records, big data, and the concept of information governance to tame the re-
sulting chaos, why would anyone publish another book with a title as unpretentious as
Records and Information Management?

Again, the answer is that the discipline of records management, which includes a responsi-
bility to manage all information, is fundamental to every information governance program.
Since the first edition was published in 2013, much has changed—but much remains
the same. Among the changes are the growth of the Internet of Things; the extreme volume
and variety of data produced at a velocity hereto unmatched; the increased necessity of em-
ploying technology to categorize, analyze, and make use of the data; the recognition of the
value of information assets; and the emergence of new business models that leverage the
power of algorithms to manipulate data.
What has not changed since prehistoric times is our desire and need to create, capture,
control, make use of, preserve—and at times destroy—records that document our personal
and work lives. Advances in technology to facilitate the creation and management of records
continue to introduce challenges that require technological solutions to resolve. Increasingly
those solutions are offered by third-party cloud providers. In addition to employing machine
learning and artificial intelligence to analyze data, vendors are offering blockchain technolo-
gy to generate proof that records are authentic, verifiable, and possess integrity.
The terms recordkeeper, records manager, records and information manager, and records
professional are used interchangeably in this edition to describe those who have recordkeep-
ing responsibilities, including archivists, records managers, and information managers, re-
gardless of their job title (e.g., digital archivist, knowledge management advisor, information
governance specialist).
The breadth of knowledge expected of the successful records professional continues
to expand. It now includes the need to better understand not only the business process but
also the goals of the organization from a business perspective. In addition to the domain of
records and information management, records professionals must master the fundamen-
tals from related fields, including compliance, data governance, risk management, change
management, and project management. This book, therefore, differs from traditional
records management works by placing equal emphasis on the business operations from
which records arise and the ways in which the records professional can contribute to the
core mission of the enterprise beyond the lifecycle management of records.

ABOUT THIS BOOK

Seventeen individuals contributed their expertise to the conversation in the form of either
perspectives (reflections) or paradigms (case studies) that are provided at the end of each

/ xxi /
xxii / I N T ROD UC TION

chapter. The guest authors include archivists, records managers, and information gover-
nance professionals from the United States, Canada, and the United Kingdom.
Chapter 1 provides the reader with a glimpse of the path recordkeeping and record-
keepers have taken from prehistoric times to the present. Barclay Blair, founder and exec-
utive director of the Information Governance Initiative, reflects on the evolution of records
and information management and its role in information governance. He emphasizes the
pressing need to manage information as you would manage a business.
Chapter 2 expands upon the topic of building an information governance framework
of policies, processes, and compliance upon strong records and information management
principles. This chapter introduces laws, regulations, and standards that impact records
and information management programs for both government and private organizations in
the United States and abroad. Robert Smallwood, Managing Director of the Institute for
Information Governance, discusses the consequences of carelessness with records and infor-
mation in the healthcare industry and the imperative for information governance initia-
tives to drastically reduce medical mistakes.
Chapter 3 introduces the reader to records creation, capture, classification, and file
plan development that result from business activities conducted using some of the many
systems, components, networks, and applications employed by users at home and at work.
Peg Eusch, University Records Officer for the University of Wisconsin–Madison, describes
how a presentation she attended on File Plan Development provided the impetus for re-
vamping the university’s records management training program around the integration of
records management file plan elements with the Generally Accepted Recordkeeping Prin-
ciples framework.
Chapter 4 presents records retention strategies useful to those organizations that stress
the role of retention and disposition in the overall information governance approach. In her
contribution to this chapter, Susan Cisco, information governance subject matter expert
and educator, describes how a new retention schedule was used to launch an information
governance program for a consolidated entity that emerged as the result of the merger of
two firms.
Chapter 5 describes ways in which records and information managers can contribute
their expertise during the active phase of the information lifecycle to decisions being made
about workflow processes, access controls, storage systems, metadata, and the search and
retrieval processes. In her contribution to chapter 5, Charlene Cunniffe, Associate Direc-
tor, Information and Records Management, uses a case study approach to illustrate the
application of Lean Continuous Improvement practices to a real-world situation: records
management programs and practices.
Chapter 6 describes systems of record and systems of engagement as well as the vi-
tal role records professionals play in identifying records in both types of systems and in
providing guidance to those responsible for capturing and managing them. Morgan King,
Director and Head of Records and Information Management, and Stephen Aaronson, Di-
rector and Head of IT Legal, explain how they work as a team to implement a full-service
ERMS (electric records management system) at a leading global biotechnology company.
Chapter 7 explores the ways in which records and information managers are managing
social media records, including those of the first social media president, Barack Obama. It
introduces emerging technologies such as autonomous vehicles, Internet of Things plat-
forms, and augmented reality and considers the impact they will have on recordkeeping in
the future. The chapter presents two methods that can be used to prepare for the inevitable
changes to take place: diffusion of innovation and trend spotting. In her paradigm, Vicki L.
 I N TR O D U C TI O N / x x iii

Lemieux, Associate Professor of Archival Science at the University of British Columbia, de-
scribes blockchain technology and the ways in which it is beginning to impact recordkeep-
ing. She presents a series of questions for consideration when determining if blockchain
technology is the right direction for the organization to take.
Chapter 8 covers business resumption, which depends upon vital (essential) records
protection, disaster preparedness and recovery programs, and business continuity plans.
It also introduces two cloud-based options to assist an organization’s recovery after a nat-
ural or man-made disaster—Backup as a Service (BaaS) and Disaster Recovery as a Service
(DRaaS). In her contribution to this chapter, Helen Nelson of the Wirral Teaching Hospital,
NHS Foundation Trust, reminds us that not all incidents are catastrophic or long-lived but
need to be managed regardless. Readers will be reminded that there are times when our
electronic devices fail and we must resort to paper-based solutions for at least some of our
work.
Chapter 9 presents several methods of monitoring and auditing records and informa-
tion management programs. Risk assessment—which includes risk identification, risk anal-
ysis, and risk evaluation—is explored. Lisa Daulby, Lecturer, School of Information at San
José University, describes a unique approach to identifying, assessing, and controlling rec-
ords and information management risks by combining risk management methodologies,
the Generally Accepted Recordkeeping Principles and the five levels of the Information
Governance Maturity Model.
Chapter 10, “Information Economics, Privacy and Security,” is introduced in this edi-
tion of Records and Information Management in response to the growing recognition that
information assets have economic significance. As with physical assets and other intangible
assets already recognized by the Generally Accepted Accounting Principles (e.g., patents
and goodwill), information assets should be appraised, protected, and utilized to assist the
organization to achieve its goals. Ilona Koti, ARMA International President 2017–2018, pro-
vides her views on the integration of information governance into the privacy and security
landscape.
Chapter 11 covers the topic of inactive records management within records centers and
archives, with a heavy emphasis on physical holdings. In her contribution to this chapter,
Lori Lindberg, Archivist and Consultant, provides an archivist’s view of the relationship be-
tween sound records management principles and practices and the archival work involved
to create a company archives for the Jelly Belly Candy Company.
Chapter 12, “Long-Term Digital Preservation and Trusted Digital Repositories,” is the
second new chapter in this work. It was created by combining information on long-term
digital preservation from the first edition’s chapter on inactive records management with
an overview of trusted digital repositories. Two case studies complete this chapter. The
first, by Lori Ashley, Principal, Tournesol Consulting, LLC, and Patricia Morris, President
and Chief Process Consultant, eArchive Science, LLC, introduces us to the approach taken
to use a popular commercial service to establish an eArchive for Pharmaceutical Pre-Clin-
ical Research Study Information. The second, by Amber D’Ambrosio, Processing Archivist
and Records Manager, Willamette University Archives and Special Collections, documents
a practical open-source solution for institutions with limited financial resources.
Chapter 13 presents the reader with a variety of options for records and information
management education and training, including degree programs, professional development
opportunities, and in-house training programs. In the United States, there is often a di-
vide between archives and records management both in the workplace and when it comes
to professional associations and certifications. In recognition of the value archival studies
xxiv / I N T ROD UC TION

programs offer the records and information management profession, the ARMA Interna-
tional Education Foundation (AIEF) presented its first Award for Excellence in Education
to the Master of Archival Studies (MAS) program at the University of British Columbia
(UBC), Canada. In her contribution to this chapter Luciana Duranti, Professor, School of
Library, Archival and Information Studies at UBC, describes the MAS curriculum.
Chapter 14 explains how the information shared in chapters 2 through 13 can be used
to develop a legally defensible records management program and an effective information
governance strategy. In her contribution to this chapter, Diane Carlisle, Director of Pro-
fessional Development for ARMA International, provides her perspective on information
governance and tools available to help the organization more effectively manage its infor-
mation assets.
This book is suitable for records professionals at any stage of their careers. Those wish-
ing to learn all they can about records and information management would profit from read-
ing all of the chapters. However, the book is also intended for experienced professionals
who would benefit from a reference book that brings together a variety of topics—including
archives, records and information management, information governance, information eco-
nomics, privacy and security, digital preservation, and more. When necessary, important
ideas or definitions are included in more than one chapter so that the chapters can be read
independently.
Increasingly, organizations are forming information governance committees comprised
of stakeholders from records management, information technology, legal, compliance, and
business units, among others. Their task is to develop strategic information governance
policies and programs. The glossary included at the end of this book will provide a basic vo-
cabulary that should prove useful to members of these new information governance teams.
 CHAPTER 1

The Origins and Development

of Records and Information
Management

INTRODUCTION

From the days of the early cave dwellers who painted symbols onto stone walls through
today when social media-savvy citizens post their own digital messages on Facebook time
lines, three factors remain constant: human beings are compelled to record their experi-
ences, using the tools and technologies available to them, with the intent to share that infor-
mation with others. Before we can develop a strategic approach to records and information
management for today and tomorrow, we should look to the past at the custom of record-
keeping and the conventions that developed around it. As Shakespeare wrote in The Tempest
and the US government has carved on the National Archives Building in Washington, DC,
“What’s past is prologue.”1

RECORDS AND RECORDKEEPING IN SOCIETY

Long before the invention of the alphabet and the written word, stories and sagas were
shared by those who mastered the skill of rote memorization. Memory aids were used, espe-
cially as evidence of an activity. A brief glimpse at recordkeeping practices from 15,000 BCE
to the present day demonstrates that no matter how much civilization develops, our desire
to remember and document remains the same.

Recordkeeping and Ancient Civilizations

Between 15,000 and 13,000 BCE, human beings documented the animals involved in their
hunt for food through mural paintings on the walls of caves found in the “sole region of
Paleolithic mural paintings” in Europe.2 Abbe Breuil, an explorer and scientist who studied
the paintings on the walls of the caverns of Lascaux, describes the caves not as dwellings for
humans but as “places [that] could have served only as specially chosen repositories for the
secrets of a civilization.”3
Tangible and portable memory aids were needed to document transactions. In Mesopo-
tamia as far back as 8000 BCE, plain clay tokens were utilized for recordkeeping, probably

/ 1 /
2 / CH AP T ER 1

to count agricultural items such as grain or cereal. By 4000 BCE, tokens decorated with
markings thought to record manufactured goods appeared in settlements in southern Mes-
opotamia. Similar tokens were used to record animals, with wedge-like shapes engraved
into the clay to represent quantity followed by a sign that indicated the type of animal.4
This method of recordkeeping is considered the precursor to the cuneiform writing system
created by the Sumerians. The evolution of recordkeeping from tokens to the written word
is illustrated in figure 1.1.
By 3200 BCE, hieroglyphics were developed in Egypt by a people who saw literacy as
the most valued skill. Recordkeeping was used for commercial and religious purposes. Rec-
ords of land holdings, crop yields, and taxes were made. Religious texts were written and
copied by scribes in temples and were inscribed on funerary equipment and papyrus.
As writing skills became more widespread, the volume of information to be organized
and stored grew. The archives of Ebla (modern Tell Mardikh, Syria) ultimately contained
an estimated 20,000 clay tablets written in Sumerian script that dated from approximately
2250 BCE.5 The archives are believed to have been a repository for records about economic
matters, such as accounts of the state revenues, but they also contained royal letters, law
cases, and diplomatic and trade contracts—all organized on shelves according to subject.
The information contained in these tablets provided a glimpse into the everyday lives of
the citizens of Ebla.
Papyrus scrolls were used as a recording medium throughout the known world until
circa 170 BCE when Egypt cut off its supply of papyrus to Pergamum, an ancient Greek
city located in Anatolia (now modern Turkish town of Bergama). In response, the people
of Pergamum produced parchment made out of a thin sheet of sheepskin or goatskin. This
innovative recording medium allowed for increased information to be recorded and its use
spread throughout Europe and Asia.6

Recordkeeping: First Millennium through the Early Twentieth Century

The second century CE brought with it the development of a papermaking process in China
by Ts’ai Lun, known to the Chinese as the patron saint of papermaking.7 The paper was
thin, strong, and flexible. In the third century, the secret art of papermaking made its way
to Vietnam and Tibet. Over the next several centuries, it spread to the rest of the civilized
world. By the ninth century, papyrus had been replaced by parchment in Europe. Paper was
not used as a practical medium in Europe until Johann Gutenberg perfected moveable type
and printed the Gutenberg Bible in 1456. This sparked a revolution in mass communication
and ushered in the age of modern paper and the printing industry.
Just as we’re experiencing today, past advancements in technologies and tools required
new, often bureaucratic, solutions to managing records, such as:

• The fourteenth century saw the first office of the clerk of the rolls, register,
and council, later known as the Lord Clerk Register, appear in Scotland.
This office assumed responsibility for keeping the national archives.8
• The town clerk of the city of London was made responsible for the
safekeeping of the city corporation’s records in 1462.9
• In 1540, the Emperor Charles V transferred his most important records
to a tower in the castle of Simancas in Spain, and Jacob von Rammingen,
considered the father of archival science, wrote the manuscript of the
 TH E OR IG I NS AN D DE V E LOPM E N T O F R E C OR DS AN D I N F O R MATIO N MAN AG E M E N T / 3

FIGURE 1.1 Engraved clay tokens, evolution to cuneiform writing,

and English equivalent.
SOURCE: Denise Schmandt-Besserat, “Reckoning Before Writing,” Escola Finalay, accessed September 27, 2017,
http://en.finaly.org/index.php/Reckoning_before_writing. ©Denise Schmandt-Besserat, licensed under the Creative Commons
Attribution-ShareAlike 3.0 Unported License.
4 / CH AP T ER 1

earliest known archival manual. Rammingen’s archival manual was printed

in Germany along with a more detailed book on the same subject in 1571.10
• In 1681, Jean Mabillon, a Benedictine monk, published De Re Diplomatica
(Study of Documents). This six-volume treatise produced the name of a
new science—diplomatics—that attempts to establish the provenance of
a written text through systematic analysis of the material on which the
text is written, the scripts and penmanship used to write the text, and the
language usage within the text.11
• On January 7, 1714, Queen Anne of England granted the first known patent
for a machine or method for the impressing or transcribing of letters “so
neat and exact as not to be distinguished from print.”12 The machine was
useful in settlements and public records because the impression would be
more lasting than writing and could not be erased or counterfeited without
discovery.
• In 1772, the General Register House in Edinburgh was designed by Robert
Adam to serve as a repository for the public records of Scotland.13

The nineteenth century saw the establishment of a number of national archives, including
those in the Netherlands, Portugal, Argentina, Italy, Spain, Canada, France, India, Ireland,
and the Philippines. In the United States, several archives and historical societies were
established, including those in New York, Rhode Island, Pennsylvania, Indiana, Maryland,
Iowa, Nebraska, and Colorado.
The nineteenth century also produced new technology that automated the task of writ-
ing and editing—the first modern manual typewriter, invented by Christopher Latham
Sholes and two colleagues in 1867. E. Remington and Sons marketed the typewriter com-
mercially in 1874. This technology allowed records and correspondence to be produced
more quickly and easily. Businesses purchased “type writing machines” and hired women
as “typewriters” at salaries higher than for schoolteachers or nurses.

Corporate Archives Adapt to Capture and Preserve

the History of the Organization

I n 1922, the former American Telephone and Telegraph Company established its Histor-
ical Collection in New York City. Renamed the AT&T Historical Library in 1933, and later
called the AT&T Corporate Archives in 1982, this collection was consolidated in 1987 with
the Bell System Museum and the archives of Bell Labs and Western Electric, in Warren,
New Jersey. Following the 2005 acquisition of AT&T Corporation by Texas-based SBC
Communications, the AT&T Archives merged operationally with the SBC Archives to form
the AT&T Archives and History Center with two locations: San Antonio, Texas, and Warren,
New Jersey. Total archival holdings of materials dating from 1869 through 2017 include
45,000 cubic feet of books, periodicals, photographs, moving images, sound recordings,
and microforms as well as 15,000 three-dimensional objects.
SOURCE: Courtesy of the AT&T Archives and History Center.
 TH E OR IG I NS AN D DE V E LOPM E N T O F R E C OR DS AN D I N F O R MATIO N MAN AG E M E N T / 5

The population grew so rapidly in the United States that the 1880 census took seven
and one-half years to complete. In a search for a method to streamline the process, the US
Census Bureau offered a prize for an inventor to help with the 1890 census. The winner,
Herman Hollerith, used Joseph Marie Jacquard’s punched cards for the computation. The
1890 census was completed in three years and saved the government five million dollars.
Hollerith built a company that would eventually become International Business Machines
(IBM).
In 1893, an invention to organize and store the increasing volume of paperwork was
unveiled at the Columbian Exposition in Chicago, Illinois—the filing cabinet. In 1897, the
Library of Congress established its Manuscript Division with a staff of four and a collection
of 25,000 items.
The first decades of the twentieth century ushered in additional state and national ar-
chives, along with the first of many laws and regulations designed to protect official records.
In 1903, the State Library of Western Australia was authorized to accept official records,
and the Archives of Ontario, Canada, was founded. On December 15, 1909, H.R. 15428 was
introduced to create a Commission on National Historic Publications in the United States.
In 1911, the British Royal Archives was established in Windsor Castle in England. In 1922,
Sir Hilary Jenkinson’s book, A Manual of Archive Administration, was published. Also in
1922, the former American Telephone and Telegraph Company established its Historical
Collection in New York City. In 1925, South Australia passed an act to regulate the disposal
of government records.

RECORDKEEPING IN THE UNITED STATES IN THE TWENTIETH CENTURY

The federal government was the primary driver for records management in the United
States. Major technological innovations and unforeseen challenges emerged to which gov-
ernment and industry were required to respond.
Ground was broken for the US National Archives building in 1931; its cornerstone was
laid in February 1933. In 1934, Congress established the National Archives to centralize
federal recordkeeping, President Franklin D. Roosevelt signed the legislation creating the
National Archives, and Robert D. W. Connor was appointed first Archivist of the United
States.
In 1935, Emmett Leahy joined the staff of the National Archives. His first assignment
was to form a committee of special examiners to analyze the records presented to the Archi-
vist that were without “permanent value or historical interest” and to decide whether the
records should be destroyed or otherwise disposed of.14
By 1937, as the initial survey of federal government records neared completion, the
committee realized the enormity of the records problem it was facing due to a lack of con-
formity in procedures, unprecedented growth in volume of documents requiring manage-
ment and storage, and the number of duplicate records retained across all agencies.
The National Archives initiated a records management program to segregate records of
temporary value from those that had archival value. A key component of the program was
the records lifecycle model developed by Leahy that controlled the creation, use, and dispo-
sition of records either by destruction or transfer to the National Archives.
The Society of American Archivists (SAA) was founded in 1936 with A. R. Newsome, a
North Carolina historian, as its first president. Theodore C. Pease was appointed the first
editor of the SAA journal, The American Archivist, in 1939.
6 / CH AP T ER 1

During the summer of 1940, tired of being misquoted, President Roosevelt had a re-
cording machine installed under the Oval Office, which he sometimes turned on before
press conferences and turned off after capturing conversations. The device was also con-
nected to his telephone. Digital copies of these original recordings reside alongside images,
movies, and other radio addresses in the FDR Presidential Library and Museum in Hyde
Park, New York.
New US agencies and departments were established during World War II, and, not sur-
prisingly, the volume of documents grew as well. The scheduling of records for disposi-
tion was given legal status by the Records Disposal Act of 1943, which defined records and
authorized the National Archives Council to develop procedures to dispose of records no
longer needed as well as to reproduce permanent records on microfilm so that the originals
could be disposed of. The Act was amended in 1945 to include the government-wide General
Schedule (GS), which authorized the systematic disposal of government records.
In 1950, the Federal Records Act codified a series of laws—including prior legislation
from the late 1930s and 1940s—in 44 United States Code (U.S.C.) sections 21, 23, 25, 27, 29,
31, and 33. The Federal Records Act set forth records management policies and practices of
agencies within the federal government and established the National Archives and Records
Administration (NARA) with the mandate and the responsibility to preserve records of per-
manent historical value to the United States.15 In 1955, the first Guide to Records Retention
Requirements was published.16
In addition to contributions to the National Archives, Emmett J. Leahy was central to
the emergence of the commercial records center (CRC) industry. In 1948, he became the
first executive director of the National Records Management Council and formed the Busi-
ness Archives Center, thought to be the first CRC in the United States. During the 1950s
and 1960s, CRCs continued to emerge in large metropolitan areas, including New York and
Philadelphia, primarily to store inactive records for large corporations and organizations.
By the 1960s, the original US National Archives building on Constitution Avenue in
Washington, DC, was out of room, forcing expansion to a new site. Most of the federal
documents are now housed in Archives II, a 2-million-cubic-foot building in College Park,
Maryland, dedicated in 1994 that can accommodate 400 researchers.
Like President Roosevelt, Presidents Harry S. Truman and Dwight D. Eisenhower re-
corded conversations, but President John F. Kennedy installed the White House’s first se-
cret recording network to protect himself against officials who told him one thing in private
and said something different in public. A pen and pencil set on his desk turned the network
of microphones on and off.
President Richard M. Nixon also employed a secret recording system that was discov-
ered in 1973 as a result of the Watergate scandal. During the 1972 presidential campaign,
five men connected to the Committee for the Re-Election of the President broke into the
Democratic National Committee headquarters at the Watergate complex in Washington,
DC. During the investigation, it was revealed that President Nixon had a tape-recording
system in his office that recorded conversations that implicated the president in a cover-up
of the break-in. The president’s secretary, Rose Mary Woods, tried to take the blame for an
eighteen-minute gap in the tapes that provided evidence that the president was involved in
the Watergate break-in (see figure 1.2). The Watergate break-in and subsequent attempts to
cover it up resulted in President Nixon’s resignation from office in 1974.17
After archivists at presidential libraries confirmed that other presidents had secret
tapes as well, the US Congress passed the Presidential Records Act in 1978, which estab-
lished public ownership of records generated by subsequent presidents and their staffs.
 TH E OR IG I NS AN D DE V E LOPM E N T O F R E C OR DS AN D I N F O R MATIO N MAN AG E M E N T / 7

FIGURE 1.2 Known as the Rose Mary Stretch, President Richard Nixon’s secretary
demonstrated how she accidentally hit the pedal beneath her desk that activated the
machine that erased eighteen minutes of a taped conversation while talking on the
telephone.
SOURCE: Wikipedia, accessed September 27, 2017, https://en.wikipedia.org/wiki/Rose_Mary_Woods.

INFORMATION TECHNOLOGY, RECORDS, AND THE INFORMATION AGE

In the United States, records management policies and procedures were implemented
and modified over time as a result of an increasing volume of information generated by a
growing population using emerging technology. This technology, which would eventually
converge, initially followed two discrete paths: (1) computers for data processing and (2)
electronic typewriters and word processing equipment for text processing.

Computers for Data Processing

Between 1943 and 1945, two University of Pennsylvania professors, John W. Mauchly and J.
Presper Eckert, received funding from the US Department of War to build the first all-elec-
tronic digital computer, ENIAC (Electronic Numerical Integrator and Computer). ENIAC
was expected to replace all the women who were employed calculating firing tables for the
army’s artillery guns. ENIAC filled a 20- by 40-foot room, weighed 30 tons, and used more
than 18,000 vacuum tubes, which generated so much heat that it had to be housed in a spe-
cially designed room with a heavy-duty air conditioning system. The first task assigned by
the war department was to determine the feasibility of building a hydrogen bomb.
Later, the US National Bureau of Standards won a contract to build the Universal Au-
tomatic Computer (UNIVAC) (see figure 1.3). One of the significant technical features of
8 / CH AP T ER 1

FIGURE 1.3 The Remington Rand UNIVAC, 1951. Shown are the operator control board,
central processor, and magnetic tape drive units.
SOURCE: Getty Images. Photo by Underwood Archives.

UNIVAC was the use of magnetic tape for mass storage. Due to the high cost, control re-
mained in the hands of the few employees within the agencies using the technology. Re-
ports were printed out to provide information and filed for the record.
Although the term digital was first used in 1938 to describe a computer that operates on
data in the form of digits, the federal government did not introduce legislation concerning
machine-readable materials until 1950 when the US Federal Records Act was expanded to
establish the framework for records management in federal agencies.
In 1956, IBM launched the RAMAC 305, the first computer with a hard disk drive
(HDD). It weighed over a ton but could store only about 4.4 MB (megabytes) of data. In 1962,
the IBM 1311, the first storage unit with removable disks in disk packs, was released. Users
could easily switch files for different applications.
In 1975, IBM announced the 5100 Portable Computer for the use of engineers, ana-
lysts, statisticians, and other problem solvers. It weighed 50 pounds, was available in twelve
models with between 16 K (kilobytes) and 64 K of main storage and offered magnetic tape
cartridges that provided more than one hundred routines applicable to math problems,
statistical techniques, and financial analyses. This model was withdrawn from the market
in March 1982 as more efficient models took its place.
The 5.25-inch floppy disk became the standard removable storage medium in 1978 and
remained in use until the early 1990s. Three different options were available that provided
from 160 KB to 1.2 MB of storage. In 1984, IBM again changed the way information was
 TH E OR IG I NS AN D DE V E LOPM E N T O F R E C OR DS AN D I N F O R MATIO N MAN AG E M E N T / 9

Bits, Bytes, and Other Units of Information

A bit is the smallest unit of information

stored on a computer in the form
of either a 1 or a 0 (meaning on or off).
UNIT
1 kilobyte
EQUIVALENT
1,024 bytes
A byte is made up of 8 bits and has the 1 megabyte 1,024 kilobytes
ability to represent 256 characters, either 1 gigabyte 1,024 megabytes
numbers or letters. 1 terabyte 1,024 gigabytes
Computers use binary math (base
1 petabyte 1,024 terabytes
2), but the common units used to
1 exabyte 1,024 petabytes
measure digital information are often
simplified by using a digital numbering 1 zettabyte 1,024 exabytes
system. For example, you may see this 1 yottabyte 1,024 zettabytes
representation: 1 KB (kilobyte) = 1,000 1 brontobyte 1,024 yottabytes
bytes. 1 geopbyte 1,024 brontobytes

stored by introducing 3.5-inch floppy disks that provided three options ranging from 720
KB to 2.88 MB of storage. The 3.5-inch disks were widely used in the 1990s but seldom used
by the year 2000.

Electronic Typewriters and Word Processors for Text Processing

The first model of the Electromatic typewriter was completed in March 1930, and a new
division of IBM, Electromatic Typewriters, was formed in 1933. This product greatly
increased typing speeds and the ease with which documents could be created, resulting in
the growth of paper records.
In 1961, IBM introduced the Selectric typewriter, which could print faster than pre-
vious typewriters because the moveable carriage had been replaced with a revolving type
element (ball). The removable element also allowed the operator to select among different
type fonts (see figure 1.4).
This was followed in 1964 by IBM’s MT/ST (Magnetic Tape/Selectric Typewriter),
which combined the features of the Selectric with a magnetic tape drive that could hold
one to two pages of text. The text on the magnetic tape could be corrected and reprinted
to produce as many copies as desired, and then the tape could be reused for other projects.
This was the beginning of word processing technology that eventually would offer addition-
al features at lower costs as more manufacturers entered the market.
IBM introduced the first 8-inch floppy disk in 1971 as an alternative to storage on a
hard drive or magnetic tape. The floppy was reusable, portable, and inexpensive, but each
disk could store only 80 KB of data initially. In 1973, Vydec was the first manufacturer to
produce a word processing system using floppy disks for storage that could hold eighty to
one hundred pages of text. These floppy disks were also used to store programs, separat-
ing programs from the equipment and encouraging the development of word processing
and other programs independent of the hardware. The separation of the program from the
10 / CH AP T ER 1

FIGURE 1.4 Removable type element on the Selectric typewriter allowed operators
to select among a number of different fonts.
SOURCE: Flickr, accessed September 27, 2017, https://www.flickr.com/photos/teezeh/6089374659/sizes/z/in/
photostream. Courtesy of Thomas Cloer.

hardware marked the beginning of the convergence of word and data processing functions
that could be performed by the increasingly popular personal computer introduced by IBM
in 1981.
Word processors served as stand-alone office machines through the 1970s and 1980s, in
most instances to replace the electric typewriter. As features including display screens and
the ability to print to a dot matrix printer were added to personal computers, most business
machine companies stopped manufacturing dedicated word processors.18
Some scholars assert that the information age, which arguably began with the advent of
personal computers in the late 1970s, brought about a transition from a paper-based records
environment to a hybrid environment that includes digital records. In spite of claims that
we would soon see the paperless office, the ease with which documents could be created,
edited, stored, retrieved, and printed resulted in a growth in the volume of paper records.

Electronic Records Bring Additional Challenges

In 1976, Ethernet (a computer network architecture) was developed to provide distributed

packet switching for local area networks (LANs). The LANs provided a means for organi-
zations to encourage employees to file documents, spreadsheets, and other work-related
files to their private folders or to department folders, where the records could be subject to
records management policies. During much of this time, though, printing copies of docu-
ments and storing them in file cabinets were standard practice.
As the volume of records grew throughout the 1980s, organizations searching for
more efficient means to store and manage information turned to electronic document
 TH E OR IG I NS AN D DE V E LOPM E N T O F R E C OR DS AN D I N F O R MATIO N MAN AG E M E N T / 11

management systems (EDMSs). In addition to increasing accountability for the organiza-

tion, EDMSs helped to enforce records management policies and procedures. A major prob-
lem with the use of EDMSs was the inability to access information when away from the
office, which was increasingly the circumstance encountered by a more mobile workforce.
Staff copied information to their laptops for use when out of the office and then uploaded
files to the EDMSs when they returned.
Larger organizations that saw a need for connectivity between LANs at different geo-
graphic locations developed wide area networks (WANs), often using leased lines, which
were quite expensive. By the early 1990s, the internet and the World Wide Web made con-
nectivity possible, and businesses began to expand their own networks using virtual con-
nections instead of leased lines. The demand for solutions to allow access from outside of
the organization walls also resulted in virtual private networks (VPNs) provided by Cisco,
Check Point, and Microsoft. In reality, VPNs were difficult to use with an EDMS and col-
laboration was challenging. Enterprising workers used email with file attachments to avoid
the use of VPNs when necessary.
In 1990, Tim Berners-Lee created the World Wide Web in order to facilitate sharing
and updating information among researchers.19 By 1994, Jeff Bezos wrote a business plan
for Amazon.com, and a new business model was born. Governments, businesses, and indi-
viduals came to realize the potential of the Web. Records were created through transactions
taking place on websites. Web technology was also used to create intranets to facilitate ac-
cess to information within the organization and extranets to allow business partners and
customers to access information from outside the organization.

Communication Technologies

To this point we’ve discussed technologies used to record events and transactions, either
for use in daily operations or to share information with future generations. However, in
1965 a method was developed for the primary purpose of facilitating communication among
colleagues. Communications technologies would eventually be used to produce records that
also had to be identified and managed.

Email
Email was introduced at the Massachusetts Institute of Technology (MIT) in 1965. The sys-
tem called MAILBOX began with the concept of leaving an electronic note in people’s direc-
tories so they could see it when they logged in.20 Soon after, Ray Tomlinson, an ARPANET
(Advanced Research Projects Agency Network) subcontractor to the US Department of
Defense, wrote a program to alert users that they had a message in their directory if they
were using dumb terminals to access the same mainframe computer.
When computers became networked, a better system was needed to exchange mes-
sages. Tomlinson is also credited with inventing internet-based email in 1971. His contri-
butions included a file transfer protocol to adapt the local SNDMSG mail program to send
electronic messages to any computer on the ARPANET network and the use of the @ sym-
bol to tell which user was at which computer.21 Those early addresses would be written as
sender-name@computer-name to recipient-name@computer-name. By 1974, there were hun-
dreds of military users of email; by the end of the 1970s, 75 percent of all ARPANET traffic
was email.22
12 / CH AP T ER 1

In all of 1978, 5,000 email messages were sent; by the end of 2021, the total number
of business and consumer emails sent and received each day is expected to reach 319.6 bil-
lion.23
Records and information managers understand that although storage may not be a
major factor due to declining costs, time wasted searching through and reading irrelevant
communications, or even more time-consuming, retrieving and redacting information to
present email for e-discovery, can be substantial. Today organizations have the option of
outsourcing their email systems to take advantage of potential benefits, including:

• Ease of management: IT staff are not required to manage on-premise email

systems, and hosted services can offer customer support 24 hours a day, 7
days a week.
• Cost-effectiveness: Email that lives in the cloud often costs less than in-
house, server-based email platforms.
• Productivity enhancement: Hosted communication solutions can offer
more functionality than email, for example, scheduling and information-
sharing tools.
• Flexibility: Employees can access outsourced email from any location using
a variety of devices, such as smartphones and tablets.
• Data protection: Outsourced email resides outside of the organization’s
data center and server, so email messages will not be destroyed by a natural
or man-made disaster that strikes the organization. Hosted services offer
their own data protection (e.g., daily backups) and security features (e.g.,
protection to reduce spam and detect intrusions).

Email systems are communication systems, not management systems. However, a number
of email management systems exist that provide records management and retention func-
tionality.

Instant Messaging (IM) and Online Chats

In the early 1990s, software was designed to set up chat rooms on web servers. People typed
in messages that could be seen by everyone in the room. Early chat rooms allowed the equiv-
alent of instant messages for everyone within the room. Early instant messaging became a
chat for two. Today, instant messaging (IM) provided by services such as Skype allow more
than one contact to be created, resulting in a group instant message.
In 1996, an Israeli company, Mirabilis, introduced a free IM utility called ICQ , a ho-
mophone for I seek you. It used a client residing on the user’s computer to communicate
with an ICQ server whenever the user was online and the client was running. AOL acquired
Mirabilis in 1998 and named the IM utility AIM (AOL Instant Messenger). When AOL sold
AIM in 2010 to Digital Sky Technologies, a Russian internet company later renamed Mail
.ru Group, it had over 100 million registered accounts and had been updated to allow for
integration with Facebook and other websites.24 Today ICQ versions include ICQ Online,
ICQ8 for Windows, and ICQ for Android, IOS, and Windows Phones.
Records and information managers may wonder about the implications of using this
service on multiple devices and how ownership by a foreign entity impacts their ability to
comply with their home countries’ laws and regulations.
 TH E OR IG I NS AN D DE V E LOPM E N T O F R E C OR DS AN D I N F O R MATIO N MAN AG E M E N T / 13

Today there are many instant messaging services available—WhatsApp, Facebook Mes-
senger, QQ Mobile, WeChat, Skype, Snapchat, Viber, and Line to name a few.25 To alleviate
the inconvenience of having to switch IM services when communicating with users of dif-
ferent applications, users can employ an aggregator such as All-in-One Messenger or Franz.
Despite the introduction and growth of social media, according to BI Intelligence, the
number of monthly active users for the top four messaging apps has surpassed the number
of active users for the top four social networks.26 Employees used to the convenience of
using IM in their daily lives will find a way to incorporate IM into their work lives. Orga-
nizations that understand the benefits and risks related to IM have an alternative to pro-
hibiting its use: they can offer an enterprise solution. For example, IBM employs and offers
Sametime to replace voicemail in order to see when contacts are online and communicate
with them effortlessly in real time. IBM Sametime provides instant messaging with online
presence indicators and community collaboration in the form of integration with voice and
video conversations, group chats, online meetings, and instant polls. Records managers will
appreciate the documentation of online messages using time and date stamps and a log of
sent files and links.27
Although not as popular as they once were, online chat rooms offered by platforms such
as Twitch, Migme, and Nimbuzz provide individuals the opportunity to chat with others
anonymously based on specific topics, such as Autism Spectrum Disorder.28 Businesses in-
creasingly offer chat services for customer support, such as LifeChat, that allow firms to
interact with customers surfing their websites and provide customer service 24/7 through
the use of a ticketing system.29
Although some of the previous events occurred after the year 2000, they seem conser-
vative in nature compared to the technologies to be described in the next section. This is
where the disruptive change brought about by new technology and evolving societal views
and expectations can be most strongly felt.

WEB 2.0, SOCIAL MEDIA, AND SOCIETY

Until the end of the twentieth century, electronic systems were used mainly to conduct and
record business transactions. But early in the twenty-first century, these systems of record
were augmented by systems of engagement. By 2004, Facebook was founded, followed by
YouTube one year later; it became easy to publish content on these websites. The authori-
tarian, closed, passive, static, one-way communications medium offered by early webmas-
ters became democratic, collaborative, active, dynamic, and interactive. The organization
no longer had complete control of the message or the record.
In the past, organizations introduced technology to employees in a top-down fashion,
but the introduction of social media into the workplace was often bottom-up. As a battle
between email and social networks for users’ time and attention gained momentum, con-
sumers increasingly turned to mobile devices for social activities. Employees, comfortable
using social media in their personal lives, found ways to introduce Web 2.0 tools into the
workplace, and the acronym BYOD (bring your own device) was coined to describe business
acceptance of the use of personal devices to conduct business.
Records managers must be familiar with Web 2.0 tools and technologies, be aware of
current implementation strategies within the organization, and be able to identify and
manage the records created as a result of such implementation.
14 / CH AP T ER 1

Web 2.0 Tools

Web 2.0 tools are used for communication, social networking, and web publishing, as well
as to provide and acquire web services (see figure 1.5). A Pew Research Fact Sheet revealed
that by the beginning of 2017, 69 percent of the US population used some type of social
media.30
Social media tools continue to evolve; the lines between blogs, microblogs, and social
networks have all but disappeared. The convergence of functions continues as successful
social media platforms add new features to attract additional subscribers. For our purposes,
though, we’ll review the tools and categories as they are represented in each of the four
spheres of activity of the Web 2.0 model.

Tools That Facilitate Communication

Communication tools have blurred the lines between journalist and reader, publisher and
user, and communicator and broadcaster. It’s simple and inexpensive to develop content
and share it with the world.

RSS (Really Simple Syndication)

RSS is a form of web coding for delivering regularly changing web content directly to the
subscriber.31 Many news-related sites, personal blogs, and other online publishers use RSS
feeds to syndicate their content, which can include text, music, and images. To enjoy the
content, you must subscribe to a feed using a program called an aggregator or feed reader.
Programs and add-ons can provide RSS functionality to email clients and browsers. Feedly
is a popular, easy to use web-based RSS reader. Apps for the iPhone, iPad, and Android
devices will synchronize read status with Feedly on multiple devices.

Text and Photo Messaging Tools

Most cell phones support Short Message Service (SMS), commonly known as text messaging.
SMS allows one device to send and receive short messages of up to 160 characters to another
device. Today, most cell phones also allow the transmission of pictures, video, or audio con-
tent to another device using Multimedia Messaging Service (MMS), an evolution of SMS.32
The ease with which smartphone users can take and share photos gave rise to the pop-
ularity of apps like Instagram and Snapchat. Those who did not want to keep a record of
the exchanges applauded the fact that the photos shared through Snapchat were ephemeral
(self-destructive after only a few seconds). There are ways to get around this, of course; for
example, screenshots can be taken of photos in Snapchat. Although Snapchat alerts the
sender when this occurs, it cannot delete the copy. Snapchat users can capture disappear-
ing photos or videos, add overlaid text and imagery, and send them privately to friends or
broadcast them as a Snapchat Story. Snapchat also provides a limited data storage service
called Memories that users can turn on or off. Instagram, a Facebook-owned app, launched
its own version of “stories” in 2016, resulting in a decrease of views of stories on Snapchat.33
Because marketing dollars follow views, marketing campaigns devoted more resources to
Instagram and fewer resources to Snapchat. Records managers should keep abreast of these
types of events that impact business decisions and result in changes in the social media
tools used.
 TH E OR IG I NS AN D DE V E LOPM E N T O F R E C OR DS AN D I N F O R MATIO N MAN AG E M E N T / 15

ented Reality
Content Creation/ Augm Interaction/
Self Publishing Collaboration
Networks
Social

nso
ati Microblogs
pl ic

Vid
ing
e Ap

Tag okmarking

eo C
Bo
urc
RSS

ging
Vir tual Offic

Crowdso

onferencing
Blogs

Wik

/Social
Text

is
Messaging

Audio/Video
Messaging

Mash u p s
Bu Mo

g
si n d

ti n
s

pu
es e

Web lin Pro Vir tual Worlds m

(Application) g ce d Co Communication
ss
Services C lo u
V i d e o H o s ti n g

FIGURE 1.5. Web 2.0 model illustrating levels of activities

organized into four categories.

Audio and Video Messaging Tools

Podcasting is a way to receive audio and video files over the internet on a mobile device
or desktop. Companies like eBay, GE, Netflix and State Farm employ podcast companies
to develop creative content for them, but tools are available to allow individuals to create
their own podcasts.34 eBay’s successful podcast series, Open for Business, explores key issues
businesses face, such as “Hiring, Firing and Scaling: Creating a Workplace Culture.”35
Video files (vodcasts) can be used to create a diary, journal, or blog. Twitch, a social
video platform and community for video gamers, recommends using vodcasts to entertain
followers while interacting using chat.36 Vodcasts can be created to share knowledge, docu-
ment meetings, and more.

Tools That Facilitate Content Creation and Self-Publishing

Blogs and microblogs can be used to establish communities of interest by promoting inter-
action between and among publishers and readers. Additional tools in this sphere are wikis
and mashups.
16 / CH AP T ER 1

Blogs

Blogs (web logs) began as a form of personal online journal intended for public consump-
tion. More than one person is often authorized to post on behalf of an organization. Posts
are added to a single webpage in reverse-chronological order and may allow reader com-
ments. Organizations can delete unacceptable comments. Such control, though, could dam-
age the trust established within the blog community unless rules describing unacceptable
comments are clearly explained on the blog.
Blogs are easy and inexpensive to create using a blogging platform such as WordPress.
Blog search engines (e.g., BlogSearchEngine.org) can help you find posts of interest. By far
the most visited site in 2017 based on the eBIZMBA Ranking was Huffington Post with
110,000,000 estimated unique monthly visitors.37

Microblogs

Microblogs allow individuals to communicate by exchanging short messages. Twitter, which

since 2017 allows 280-character messages (double the original 140 characters allowed) called
tweets, has played an important role in reporting natural disasters and political uprisings
around the globe. As of January 1, 2018, Twitter had 330 million active monthly users, 80
percent of them using mobile devices.38 The Twitter account with the most followers (more
than 100 million) mid-2018 belonged to singer Katy Perry (@katyperry).39
One of the first examples of return on investment from microblogging came from @
Dell Outlet. Dell made over $2 million in sales of its refurbished products and another $1
million in sales of new products purchased by those who moved from the outlet site to the
main site between 2007 and 2009.40 By the end of 2016, Dell had trained more than 16,000
employees in forty-six countries through Dell’s Social Media University to advocate on be-
half of the company. Dell’s employees “listen in” on 25,000 conversations in English every
day as part of their jobs.41
In January 2012, Tumblr surpassed WordPress.com in the number of blogs hosted.
Tumblr allows users to post short blogs in various formats—text, photos, links, music, and
video—from their phones or desktops using email or a browser. Users can reblog a Tumblr
post from another user’s Tumblelog. By early 2017, there were 357.7 million Tumblr blog
accounts compared to 75 million websites (27.5 percent of all websites globally) powered
by WordPress.42 A comparison of the features of both Tumblr and WordPress indicate that
Tumblr could be a good vehicle for driving traffic to the main WordPress site.

Wikis

A wiki is a combination website and text document that allows groups to work collabora-
tively using only a browser. The best-known wiki is Wikipedia, an encyclopedia written by
volunteers from around the world. It exhibits the qualities of “openness, sharing, and acting
globally” identified by Tapscott and Williams as the principles of wikinomics.43 Enterprise
wikis are available as hosted options or for use on enterprise servers and are employed for
everything from product development to knowledge management.
One of the earliest government wikis was Intellipedia, an online, collaborative system
established in late 2005 for information sharing within the US intelligence community.
Don Burke, Intellipedia doyen, and Sean P. Dennehy, Intellipedia and Enterprise 2.0 evange-
list, were awarded 2009 Homeland Security Medals for their contributions to the nation. In
 TH E OR IG I NS AN D DE V E LOPM E N T O F R E C OR DS AN D I N F O R MATIO N MAN AG E M E N T / 17

January 2011, Chris Rasmussen proposed to use the same wiki software to create The Living
Intelligence System. In practice, neither Intellipedia nor The Living Intelligence System earned
widespread acceptance.44 Not one to acknowledge defeat, in 2017 Rasmussen announced
Tearline, an app for senior US intelligence officers that is a wiki-style collaborative platform
for reading and writing unclassified intelligence reports complete with charts, comments,
and updates.45

Mashups

Mashups are webpages or applications that combine data from two or more online sources,
such as application programming interfaces (APIs), other web services, and data feeds (e.g.,
RSS). The results are different from the original intent when the raw data was produced.
Three distinct types of mashups are consumer mashups, business (enterprise) mashups,
and data mashups.
A consumer mashup combines different data types from multiple sources and organizes
the information through the browser interface. Craigslist provides an example of a con-
sumer mashup that combines rental listings from Craigslist with mapping data from Google
Maps’ API.
Business (or enterprise) mashups combine the organization’s own resources, applica-
tions, and data with other external web services and publish the results to enterprise por-
tals, application development tools, or in a service-oriented architecture. Business mashups
can help a company improve customer service. For example, a mashup of the organization’s
order management system with logistics information from UPS or FedEx will give call cen-
ter representatives immediate access to order status and package tracking in one view.
Data mashups combine similar types of media and information from disparate data
sources, or different tables within a single data source, into a single representation. For
example, Havaria Information Services’ Alert Map continuously combines data from over
200 sources related to severe weather conditions, biohazard threats, and seismic informa-
tion.46 Data sources can be combined to create reports or dashboards for business analysts
to examine. One example, InetSoft’s business intelligence (BI) platform, offers users the
option to create and define their own data mashups.47
For records managers, two questions arise: (1) have new records been created as a re-
sult? (2) if so, where are they stored and how are they managed?

Tools That Facilitate Interaction through Social Networking

Social Networks

Social networking sites allow users to share content, interact, and develop communities
of interest. Facebook’s features include instant messaging, groups, forums, email, games,
music, and videos. As of March 31, 2018, there were over 2.20 billion monthly active Face-
book users worldwide.48 LinkedIn is a professional networking site with 546 million users
in over 200 countries and territories as of March 24, 2018; acquired by Microsoft in 2016,
it is one of the two most popular social media platforms for CEOs (Twitter is the other).49
A different type of social networking site began in 2010 as a service for individual users
to send email with an image attached for “pinning” to an online board. As of January 2018,
Pinterest had 175 million monthly active users, 75 million of them from the United States;
18 / CH AP T ER 1

by the end of 2016, more than one million businesses used Pinterest to share content, en-
gage consumers, increase customer reach, and drive traffic to their websites and other social
networking sites.50 Examples include Lowes’ use of Pinterest to promote its style expertise
related to home improvements and Allrecipes’ efforts to establish a community of home
cooks that go to Allrecipes first when planning a meal.51

Virtual Worlds (Multiuser Virtual Environments)

Sometimes called virtual worlds, multiuser virtual environments share certain character-
istics: 3-D graphics, web-based access, simultaneous interaction among users, and repre-
sentation of a persistent virtual world. Users, called residents, interact with one another
through avatars. The most successful virtual world for adults is Second Life, with about
800,000 monthly users in 2017.52
Early evidence of cost-savings potential was provided by the IBM Academy of Tech-
nology in the fall of 2008 when the company hosted a Virtual World Conference for over
200 members, which resulted in a savings of $320,000 compared to the potential cost of
conducting the conference in the physical world.53 The initial hype about virtual worlds,
however, has not resulted in widespread adoption. By 2017, attention shifted to virtual re-
ality, augmented reality, and mixed reality experiences.

Tagging and Social Bookmarking

The explosion of information posted to the Web has prompted the creation of author-cre-
ated and user-created metadata used for social tagging, social bookmarking, tagging of pho-
tos, and tag clouds/word clouds.
Tagging, or folksonomy, a user-generated taxonomy, is substantially different from tra-
ditional taxonomies, which are classification systems arranged in a hierarchical structure. A
folksonomy is comprised of terms in a flat namespace (no hierarchy and no parent-child or
sibling relationships). Folksonomies are sets of terms used to tag content—not a predeter-
mined set of classification terms or labels.54
Flickr, the photosharing site, encourages users to tag their photos with freely chosen
index terms. These tags, however, may or may not make sense to others. Someone searching
a simple term such as apple may have the fruit in mind but find the image returned to him
is of the Apple Newton MessagePad or an apple cake. Geotagging is another form of social
tagging that adds a geographic location to images based on a Google map. Word clouds (also
known as tag clouds) are visual representations of terms found in text. A graphic of terms
is created with each term presented in a size relative to the number of times it appears in
selected text. Users of SurveyMonkey’s premium account can generate word clouds as a way
of visualizing responses to specific survey questions.

Crowdsourcing

Crowdsourcing involves using the general public to do paid or unpaid research or other
work.55 The Smithsonian Institution saves staff time by using the crowd to identify photo-
graphs placed on Flickr and provide additional descriptive information that is integrated
with the Smithsonian’s catalog entries. Crowdfunding is a variation that allows donors to
contribute to pleas for monetary assistance. Go-Fund-Me is an example of this use of the
technology.
 TH E OR IG I NS AN D DE V E LOPM E N T O F R E C OR DS AN D I N F O R MATIO N MAN AG E M E N T / 19

Tools That Facilitate Web Services (Applications)

Web services rely on the technical requirements needed to allow different software
applications to interoperate. In this category are augmented reality, videoconferencing,
virtual office applications, cloud com-
puting, video sharing, and business pro-
cess modeling.

Augmented Reality

Between the real world and the virtual

world lies augmented reality (AR), tech-
nology that blurs the lines by enhancing
what we see, hear, feel, and even smell.
Both video games and cell phones are
driving the development of augmented
reality, but commercial applications
exist. In September 2017, IKEA launched
IKEA Place, an augmented reality app
that allows customers with iOS 11 on
their smartphones to not only browse
through approximately 2,000 products
in the AR catalog but also see how they
would look in their own homes. All prod-
ucts are 3-D and true to scale, making it
easy to reposition and resize the images.
Because we were at the beach, I wanted
to see how a comfy sofa would look on the
sand (see figure 1.6). What you’re seeing
in the background is what I’m viewing FIGURE 1.6 What fun—a comfy sofa on the
through my iPhone. sand—too bad it is just augmented reality!
Learn more about IKEA’s Augmented Reality
Video Hosting app at www.ikea.com/us/en/about_ikea/
newsitem/091217_IKEA_Launches_IKEA_
YouTube, the largest video hosting ser- Place.
vice with over 1.8 billion logged-in users Photo courtesy of G. J. Franks.
visiting the site each month, has become
synonymous with video hosting.56 But
other options are available, including Vimeo (the second largest service), Google, Vidyard,
and Wistia.57 When selecting a hosting service as part of marketing and sales campaigns,
consideration should be given to one that not only reaches out to the target audience but
also provides deep analytics and integrates smoothly with marketing automation software.
Businesses seeking to control its content should consider options that prevent unautho-
rized downloads.

Videoconferencing Services

Videoconferencing brings people together from different geographic areas in real time for
online meetings, training sessions, and product demonstrations. GoToMeeting and WebEx
20 / CH AP T ER 1

are two popular web-conferencing platforms. Key features include the ability to share pre-
sentations and speak using a computer microphone or phone conferencing. Additional
features vary but can include the ability to conduct web tours, share the desktop among
multiple participants, use a chat feature, and record the session for later use—potentially
creating new records that must be managed. In 2016, Gartner added Zoom as a new leader
to its Magic Quadrant for web conferencing. Zoom can be deployed as SaaS (software as a
service), on premises or in the cloud (hybrid and dedicated).58

Virtual Office Applications

Virtual office applications allow employees to access information they need to conduct their
jobs from home or while traveling. Office applications are hosted on third-party servers to
create virtual office environments.
Google’s G Suite provides Gmail, Google Calendar, Google Docs, Google Drive, and
more to over a million businesses and government agencies. Companies are attracted by
offers of unlimited email storage for every employee and a guarantee to be available at least
99.9 percent of the time.

Cloud Computing

Cloud computing is a general term for delivering hosted services—for example, software,
storage, backup, web hosting, and spam and malware filters—over the internet. Cloud
computing services include social networking sites, photography websites, video sites,
and tax preparation sites. Tim O’Reilly, credited with coining the term Web 2.0, viewed
cloud computing as using the internet as a platform for all computing. The National
Institute for Standards and Technology (NIST) defines cloud computing as “a model for
enabling ubiquitous, convenient, on-demand network access to a shared pool of config-
urable computing resources (e.g., networks, servers, storage, applications, and services)
that can be rapidly provisioned and released with minimal management effort or service
provider interaction.”59
Records managers should be included in discussions about cloud computing to ensure
that records stored in the cloud receive the same level of protection as records stored on
premise.

Cloud Computing
PRIVATE: Services and infrastructure are maintained on a private network.

PUBLIC: Services and infrastructure are provided off-site over the internet.

HYBRID: Includes a variety of public and private options with multiple providers.

GOVERNMENT: Products and solutions developed specifically for government

organizations and institutions.
 TH E OR IG I NS AN D DE V E LOPM E N T O F R E C OR DS AN D I N F O R MATIO N MAN AG E M E N T / 21

Business Process Modeling

A business process is a collection of activities designed to produce a well-defined goal. Busi-

ness analysts and managers perform business process modeling (BPM) in order to improve
efficiency and quality. Classic tools include flowcharts, data flow diagrams, Gantt charts,
and program evaluation and review technique (PERT) diagrams. New tools are based upon
a widely used standard called business process modeling notation (BPMN). These tools can
be used to document, simulate, and improve business processes.
SmartDraw is business process management software that enables the creation of
flowcharts and other process diagrams. Templates are provided to add professional design
themes, and teams can collaborate on the same flowchart using SmartDraw Cloud or on
another file using a file sharing app like Dropbox or OneDrive.60

Web 3.0 and the Semantic Web

Web 2.0 factors in the human element. Although it enables authors and users to tag objects
in ways meaningful to them, many of the tools create their own silos of information. Web
3.0 places the focus on technology that will allow the user to search for information across
silos using a common language related to real-world objects. It emphasizes a dependence on
technology, not humans, to construct meaning and accomplish tasks. We’re already seeing
virtual assistants (like Alexa, Amazon’s virtual assistant) analyzing speech and perform-
ing tasks (e.g., gathering and presenting information, dialing a phone number, ordering
products, marking an appointment on a calendar). The successful completion of such tasks
depends upon the ability of the disparate technologies to share data.
The Semantic Web is a web of data that “provides a common framework that allows data
to be shared and reused across application, enterprise, and community boundaries.”61 It is
an extension of the World Wide Web, sometimes described as linked data.
In 2007, Nova Spivack described Web 3.0 as “a set of standards that turns the web
into one big database” (Metz).62 By 2030, according to Spivack, artificial analysts that com-
bine natural language understanding and conversation technology with advanced analytics
could advise decision-makers “with actionable insights from their data, using natural lan-
guage conversation, visualization, simulation, data storytelling, and eventually even mixed
reality interfaces that illustrate insights in a more immersive way.”63
Today, records managers are concerned with identifying and managing records created
by employees across the enterprise and in the cloud. However, they must also be prepared
to identify and manage records created by artificial agents regardless of where those records
reside.

SUMMARY

From prehistoric times to the present day, human beings have recorded their experi-
ences using tools and technologies to share that information with others. These records
have served two purposes: primary (administrative, legal, and regulatory) and secondary
(historic and research). The methods used to create and store the content of these records
have changed over time based on a number of factors, including tools available to record
the content and the medium on which the content could be recorded and stored. In the
22 / CH AP T ER 1

past, recording tools and storage media included clay coins, parchment, papyrus, and the
Gutenberg printing press. Today, they include handheld devices and social media. Respon-
sibility for records evolved from our early ancestors who memorized stories to pass along
or painted drawings inside caves to today’s information governance (IG) teams comprised
of representatives from records management, information technology, business units, the
legal department, human resources, and more.
During the late nineteenth and early part of the twentieth century, public and private
organizations took steps to formalize the management of records, mainly in paper form.
Toward the end of the twentieth century and the first decades of the twenty-first century,
born-digital records outpaced the growth of physical records and organizations began to
explore ways to manage records that were never meant to have a physical form, including
those created using social media and mobile devices.
Efficiency and ease of use have always been the goals of the introduction of new tech-
nology, in spite of unintended outcomes (e.g., the growth in the volume of paper and digital
files to be managed). Since the dawn of the twenty-first century, users have become more
vocal in making their wants and needs known. This has resulted in the development of tools
such as social networking sites and mobile devices that make it easier to create records but
more difficult to manage them.
For those using the new technologies to conduct business, records creation is secondary
and a result of their efforts to pursue their core mission. Records and information managers
who understand the way work is conducted in their organizations have a better chance of
identifying and providing intellectual and/or physical control over the information created.
In 2008, Steve Bailey tackled the topic of records management and Web 2.0 in his book
Managing the Crowd: Rethinking Records Management for the Web 2.0 World.64 He challenged
records and information managers to find time amid their daily operational pressures to
debate the larger issues presented by the new technological paradigm and the threat it poses
to established theory and practice. Today, records and information managers are embracing
this advice to think more broadly about the contributions they can make not only through
records management but also information governance. In his contribution to this chapter,
Barclay Blair, founder and executive director of the Information Governance Initiative,
provides his perspective on records management and the role it plays in information gov-
ernance.

PERSPECTIVE

Information Governance: We Are Finally Asking the Right Questions

Barclay T. Blair
Founder and Executive Director, Information Governance Initiative

W hy do we keep information? Why do we throw it away? How do we decide between

the two? Humans have presumably asked these questions since “information”
meant a stone tablet that some poor soul had to lug around the desert.
The answer was easy when we could feel the weight of information in our hands and
stub our toes on it when it piled up around us. We claim to be diligent, but the truth is that
 TH E OR IG I NS AN D DE V E LOPM E N T O F R E C OR DS AN D I N F O R MATIO N MAN AG E M E N T / 23

most of us still act as if we can still answer these questions this way: we keep it all until we
don’t have room to keep it any more.
However, this simple and imperfect human response is now as anachronistic as using
an abacus for quantum physics. But it’s not only outdated—it’s dangerous. Our inattention
to information is a creeping disaster in an age where we can no longer feel the weight of
information, but we completely rely on it for our success and even our survival. Silicon Val-
ley is an enabler, with business models that allow—and even depend upon—our atavistic
fear of throwing things away by making information storage (and its costs, both economic
and human) all but invisible.
The costs can be seen every day, all around us. Millions wasted on finding, reviewing,
and producing the haystack in litigation because they could not locate the needle. Entire
organizations brought to their knees because of their almost complete failure to under-
stand, manage, and protect their shareholders’ information assets, which criminals cer-
tainly understand how to value, even if CEOs and board somehow, incredibly, do not. Iden-
tities are stolen, lives damaged because managers can’t be bothered to put even the most
basic policies and technologies in place to manage, control, and protect that information.
The world is waking up to this fact. Questions now swirl on Wall Street and in financial
hubs around the world about how investors can protect their investments when the com-
panies they invest in treat information not as an asset that needs their attention, funding,
and governance, but as a technology problem that can be solved by writing more checks.
Citizens around the world are asking hard questions of their governments about how they
use their personal data and why. Governments are responding, grappling with a pleth-
ora of new laws that impose onerous regulations and contending with the complexity of
ever-changing technologies and societal expectations.
Another world is also coming into view—a world where a new wave of dedicated pro-
fessionals is doing brilliant, exciting work based on a deeper and more profound under-
standing of information, that is, that information is both good and bad. They understand
that some information is ore that we should spend tremendous amounts of time and
money refining and exploiting. They also understand that some information (some would
say most) is just an industrial by-product that we must remediate because it represents
potential cost, risk, and pain. Telling the difference between the two is complicated and
shifts based on context and time.
The research we conduct at the Information Governance Initiative each year shows
that information governance (IG)—the holistic, coordinated approach to information—is
shaping management practices across multiple sectors. In fact, the average large organi-
zation undertaking information governance has seven projects under way, each costing an
average of $750,000 USD. At the same time, organizations are experiencing an unprece-
dented disruption in enterprise IT, driven by the cloud, consumerization, mobile, Big Data,
and myriad other factors.
The science and discipline of records and information management (RIM) provides a
critical foundation for IG. In fact, year after year, when we survey our community of infor-
mation professionals about which disciplines they see as being part of (or coordinated by)
IG, RIM is always at the top of the list (see figure 1.7).
As part of this transition, we see more and more organizations chartering new IG
departments and giving them a mandate to steer and coordinate multiple activities from
information protection to data remediation to technology decommissioning. In many
cases, in addition to playing a coordinating role, these IG functions and their managers
have direct responsibility for and authority over these activities.
24 / CH AP T ER 1

We see plenty of evidence that we are on the threshold of rapid change around IG. We
see it in the stories that practitioners in our community tell us. We see it in research data
showing first movers and fast followers increasing investment in IG, deepening IG maturity,
and assigning senior managers to the IG portfolio.
RIM is a critical component of IG. RIM is not going anywhere. However, as Pat describes
in this book, it needs to evolve, and she has provided an excellent road map for that evo-
lution. The inherent wisdom and philosophies that have underpinned RIM for decades are
the same ones that underpin IG.

The Evolution of RIM and IG

Although there are many complex and fascinating evolutionary and revolutionary changes
happening in the worlds RIM and IG inhabit, the biggest and most important change is
quite simple.
Humans will not classify information.
This has always been true.
In a world of mail rooms, typing pools, interoffice mail, and records clerks, this didn’t
matter. Our ability to govern information did not depend upon every single employee act-
ing like a records clerk.
But it matters now more than ever.
RIM (and its practitioners, including me!) has suffered from a delusion, a delusion that
has affected every aspect of this discipline, from assumed best practices to the design of
technology and tool.

FIGURE 1.7 The Facets of IG.

SOURCE: Information Governance Initiative, https://iginitiative.com.
 TH E OR IG I NS AN D DE V E LOPM E N T O F R E C OR DS AN D I N F O R MATIO N MAN AG E M E N T / 25

The delusion was that humans will classify information. The delusion was that we can
create digital versions of those old office practices and file rooms, and voila, we are now
managing our electronic records.
It never worked, and it never will work.
So, what will?
The bad news is that there is no push-button solution. The good news is that there are
solutions, and we are now past the threshold where many of the same technologies that
got us into this mess in the first place will help get us out of it. Cars that drive themselves
are already on the road. Your phone can use your face as a key. Applying some of the same
machine learning and artificial intelligence to the identification, classification, and gover-
nance of information is already here, and you will be using it at your organization sooner
than you think.
But aside from the apparent magic of these algorithms and black boxes, the path for-
ward is much more pedestrian. It looks something like this:
Concept 1. A significant percentage of all of your unstructured information is
clearly the by-product of a structured business process. As such, the governance of
that information should be built into that business process in a “silent” way that requires
little human intervention beyond the initial design. The beauty of this approach is that it
does not require data “classification” (automated or not) in the traditional sense, because
the purpose, meaning, and nature of the information are deduced from the business pro-
cess that generates it.
Concept 2. A significant percentage of your unstructured information is not the
by-product of a structured business process and, thus, cannot be governed this way.
Our 25-year experiment to manage unstructured information using concepts that worked
well for paper (e.g., centralized capture and control, human records clerks for classification)
has failed. All unstructured information does not require the same level of governance. In
fact, a clear-eyed cost-benefit analysis at most organizations would reveal that the cost
of attempting to do so (and the loss of employee productivity, creativity, and collaboration
that usually follows) does not justify even the theoretical, much less actual, benefit.
Instead, we should:

1. Identify as many opportunities as possible to govern information as part of the

business process (as described in Concept 1, above).
2. Identify use cases where automated or machine-assisted human classification
makes sense as a tool for moving content into a managed state and maintaining it
there.
3. Identify information that requires a level of document-by-document, content-
based classification and governance that can only be practically accomplished by
humans and invest in the best processes for doing this.
4. Manage the rest using broad rules targeting systems, roles, business functions,
work groups, geographic areas, and other factors that reveal business function
and thus are instructive regarding the governance rules that must apply.

Focus on progress and pragmatism. Perfection is not the goal.

This approach enables us to take care of the big risks, deliver business value, and
move on from our fundamentally unworkable reliance upon human governance and clas-
sification for unstructured information.
26 / CH AP T ER 1

Quantification of IG: Managing Information Like a Business

Life, business, and government are increasingly quantified by data—data that is driving
critical decision-making. The demand for devices that track and analyze the data we gen-
erate just by living demonstrates the rise of the “quantified self.”65 Analysts predict that by
2020, the market for “fitness wearables” will grow to $10B USD (from $3.3B USD), with over
100 million people using the devices to enable data-driven decisions about health, sleep,
and exercise.66
The promise of data-driven decision-making is this: processing and analyzing data
at a scale far exceeding the capabilities of the human brain will transform our ability to
understand and predict reality. The Information Governance Initiative believes that ability
to govern information in a way that enables these deeper insights, unforeseen efficiencies,
and new business models is what will separate the winners from the losers in this new era.
But we still have a long way to go. Although we invest in technology that can beat a
human at Jeopardy in one part of our organization, we are stuck with the technology that
prints Trebek’s cue cards in another. For all the Big Data sexiness, “up to 80% of the total
development cost of an analytics project” is spent on “data discovery and wrangling . . . the
most tedious and time-consuming aspects of an analysis.”67
Why does it take so long? Because most organizations quite simply have very little
idea what data they have, where that data lives, what the data means, what rules must
attach to the data, and whether or not the data represents measurable value or risk. Conse-
quently, our data are messy, incomplete, difficult to find and access, duplicative, and miss-
ing context essential to enable its analysis and use. In short, it is the inevitable outcome of
a generation of attempting to force analog practices to work in a digital world. It has failed.
Most organizations continue to make management decisions about their information
based on tradition, superstition, and supposition instead of innovation, evidence, and analysis.
It’s time that our approach to governing our information caught up to the information
age. Quantified IG is the application of smart technology and evidence-based practices to
the governance of information. It ensures that we have essential facts about our informa-
tion and our operating environment so we can make evidence-based decisions.
The idea that we should make decisions based on facts or evidence of course derives
from the Enlightenment and the scientific method itself. But even in areas where you might
expect that this approach is already baked in, it is still challenging.
Why do we have 1,000 categories in our records retention schedule? Because that’s
the way the last guy did it. Or, because we inherited the schedule from a company we
acquired. Because Janice liked it that way. Because that’s what makes the most sense to
me. Because that’s what my old boss told us to do. Because that is what the consulting
company sold us.
But is it right? Is it true? Is it the best way? Are these justifications based on anything
more than tradition, superstition, or office politics?
Without quantification, it is impossible to know.
There is a generational movement to use quantification (evidence analyzed for insight)
to inform a growing spectrum of decisions in our world. At its heart, this movement contin-
ues the intellectual evolution that began in the Enlightenment. The promise is better deci-
sions: decisions based on better information and evidence; decisions that are more likely
to be correct; decisions that are more likely to result in the planned outcome.
However, most organizations are only beginning to adopt this approach for the gov-
ernance of their information. Many decisions in IG are made based on nothing more than
 TH E OR IG I NS AN D DE V E LOPM E N T O F R E C OR DS AN D I N F O R MATIO N MAN AG E M E N T / 27

a cognitively suspect human calculation of risk. Or, very commonly, decisions are effec-
tively not made, evidencing the bias towards inaction that plagues organizational decision-
making regarding information.
There is no excuse for this to continue. The techniques of data-driven decision-making
and quantification are well understood. We now have exciting new technologies that finally
empower us to collect facts, conduct deep analysis, and, at last, to take action on our data.
In a world where most organizations are experiencing exponential growth of data gener-
ally, and pools of dark and potentially dangerous data specifically, a commitment to action,
driven by powerful emerging IG best practices and technologies, is the only way forward.

NOTES
1. William Shakespeare, The Tempest, in The Complete Pelican Shakespeare, ed. Alfred Harbage
(New York: Penguin Group, 1969), 2.1.247. References are to act, scene, and line.
2. P. M. Grand, Prehistoric Art: Paleolithic Painting and Sculpture (Greenwich, CT: New York Graphic
Society, 1967), 34.
3. Ibid., 24.
4. AncientScripts.com, “Cuneiform,” accessed August 13, 2017, www.ancientscripts.com/
cuneiform.html.
5. C. H. Gordon, Forgotten Scripts: Their Ongoing Discovery and Decipherment
(New York: Basic Books, 1982), 155.
6. Encyclopaedia Britannica Online, s.v. “parchment,” accessed August 13, 2017,
www.britannica.com/EBchecked/topic/443382/parchment.
7. HQ PaperMaker, “All about Paper,” accessed August 13, 2017, www.hqpapermaker.com/
paper-history/.
8. Athol L. Murray, “The Lord Clerk Register,” The Scottish Historical Review, 53, no. 156, 124–56,
Edinburg, Scotland: Edinburgh University Press, October 1974, www.jstor.org/stable/25529087.
9. Reginald R. Sharpe, D.C.L., ed., Calendar of Letter Books Preserved among the Archives of the
Corporation of the City of London, Introduction (London, United Kingdom: John Edward Francis,
BreaiM’s Buildings, E.C., 1912), www.archive.org/details/cu31924103071134.
10. Ministry of Education, Culture, and Sport, “History of the General Archive of Simancas,” General
Archive of Simancas, accessed on August 13, 2017, www.mecd.gob.es/cultura-mecd/en/areas
-cultura/archivos/mc/archivos/ags/presentacion/historia.html; “The History of European
Archival Literature,” The American Archivist 2, no. 2, (April 1939): 269–70, accessed
http://americanarchivist.org/doi/pdf/10.17723/aarc.2.2.d7821153t468kr64?code=same-site.
11. Richard Pearce-Moses, s.v. “diplomatics,” Glossary of Archival and Records Terminology (GART),
Society of American Archivists, accessed August 13, 2017, www2.archivists.org/glossary/terms/d/
diplomatics.
12. Great Britain Patent Office, Patents for Inventions Abridgments of Specifications Relating to Printing,
Including Therein the Production of Copies on All Kinds of Materials
(London: George E. Eyre and William Spottiswoode, 1859), 84.
13. “The Register House: The Adams Building,” The Scottish Historical Review 53, no. 156 (October
1974): 117, Edinburgh, Scotland: Edinburgh University Press, www.jstor.org/stable/25529087.
14. Emmett Leahy Award, “Emmett J. Leahy (1910–1964),” accessed August 13, 2017,
https://www.emmettleahyaward.org/leahy-bio.html.
15. Pearce-Moses, s.v. “Federal Records Act,” www2.archivists.org/glossary/terms/f/federal-records-act.
16. Richard J. Cox, Closing an Era: Historical Perspectives on Modern Archives and Records Management
(Westport, CT: Greenwood Press), 3.
28 / CH AP T ER 1

17. Encyclopaedia Britannica Online, s.v. “Watergate scandal,” by Rick Perlstein, accessed August 13,
2017, https://www.britannica.com/event/Watergate-Scandal.
18. PC Encyclopedia, s.v. “word processing machine,” accessed August 13, 2017,
https://www.pcmag.com/encyclopedia/term/54834/word-processing-machine.
19. Cover pages, “W3C Director Tim Berners-Lee Awarded Millennium Technology Prize,”
accessed August 13, 2017, http://xml.coverpages.org/ni2004-04-23-b.html.
20. Ian Peter, “The History of Email,” Net History, accessed August 13, 2017, www.nethistory.info/
History%200f%20the%20Internet/email.html.
21. Mary Bellis, “History of Email & Ray Tomlinson,” About.com Guide, accessed August 13, 2017,
http://inventors.about.com/od/estartinventions/a/email.htm.
22. Peter, History of Email, p. 21.
23. The Radicati Group, Inc., “Email Statistics Report, 2017–2021” ( London, United Kingdom),
accessed August 13, 2017, www.radicati.com/wp/wp-content/uploads/2017/01/
Email-Statistics-Report-2017-2021-Executive-Summary.pdf.
24. “AOL to Sell ICQ Service to D.S.T. for $187.5 Million,” DealBook, The New York Times, accessed
August 13, 2017, https://dealbook.nytimes.com/2010/04/28/aol-to-sell-icq-service-to-d-s-t-for
-187-5-million/.
25. Statista, “Most Popular Mobile Messaging Apps Worldwide as of January 2017, Based on Number
of Monthly Active Users (In Millions),” accessed August 13, 2017, https://www.statista.com/
statistics/258749/most-popular-global-mobile-messenger-apps/.
26. “Messaging Apps Are Now Bigger than Social Networks,” Business Insider (September 20, 2016),
accessed August 13, 2017, www.businessinsider.com/the-messaging-app-report-2015-11.
27. IBM, “IBM Sametime,” accessed August 13, 2017, https://www-03.ibm.com/software/products/en/
ibmsame.
28. “What Happened to AIM Chat Rooms?” Lifewire, accessed August 13, 2017,
https://www.lifewire.com/what-happened-to-aim-chat-rooms-3969418.
29. Capterra, “Top Live Chat Software Products,” accessed August 13, 2017, www.capterra.com/
live-chat-software/.
30. Pew Research Center, “Social Media Fact Sheet,” January 12, 2017, www.pewinternet.org/
fact-sheet/social-media/.
31. BusinessDictionary, s.v. “Really Simple Syndication (RSS),” accessed July 23, 2017,
www.businessdictionary.com/definition/Really-Simple-Syndication-RSS.html.
32. “Everything You Need to Know about SMS & MMS,” Lifewire, accessed August 13, 2017,
https://www.lifewire.com/what-is-sms-mms-iphone-2000247.
33. “Instagram Stories Is Stealing Snapchat Users,” Tech Crunch, January 30, 2017,
https://techcrunch.com/2017/01/30/attack-of-the-clone/.
34. Laurie Johnson, “Major Brands Are Betting Big on Podcasts and It Seems To Be Paying Off,”
Adweek, August 28, 2016, www.adweek.com/digital/major-brands-are-betting-big-podcasts-and
-it-seems-be-paying-173035/.
35. eBay, “Open for Business,” accessed July 24, 2017, https://www.ebayinc.com/stories/podcast/.
36. Justin Oh, “Vodcast Brings the Twitch Community Experience to Uploads,” Twitch, May 31, 2017,
https://blog.twitch.tv/vodcast-brings-the-twitch-community-experience-to-uploads-54098498715.
37. “Top 15 Most Popular Blogs, July 2017,” eBizMBA Guide, accessed August 13, 2017,
www.ebizmba.com/articles/blogs.
38. Salam Aslam, “Twitter by the Numbers: Stats, Demographics and Fun Facts,” Omnicore,
January 1, 2018, https://www.omnicoreagency.com/twitter-statistics/.
39. Twitter Counter, “Twitter Top 100 Most Followers,” accessed August 13, 2017,
https://twittercounter.com/pages/100.
 TH E OR IG I NS AN D DE V E LOPM E N T O F R E C OR DS AN D I N F O R MATIO N MAN AG E M E N T / 29

40. DELL-Stephanie N. “@DellOutlet Surpasses $2 Million on Twitter,” Direct2Dell:

The Official Dell Corporate Blog, June 2009, accessed August 13, 2017,
http://en.community.dell.com/dell-blogs/direct2dell/b/direct2dell/archive/2009/06/11/
delloutlet-surpasses-2-million-on-twitter.aspx.
41. Russell Working, “6 Lessons from Dell’s ‘Social Media University’,” Ragan.com, December 2, 2016,
https://www.ragan.com/Main/Articles/6_lessons_from_Dells_Social_Media
_University_52028.aspx.
42. Statica, “Cumulative Total Number of Tumblr Blogs from May 2011 to July 2017,” accessed August
13, 2017, https://www.statista.com/statistics/256235/total-cumulative-number-of
-tumblr-blogs/; Craig Smith, “42 Amazing Wordpress Statistics and Facts (April 2017),” accessed
August 13, 2017, http://expandedramblings.com/index.php/wordpress-statistics/.
43. Don Tapscott, “Macrowikinomics: New Solutions for a Connected Planet,” accessed January 27,
2013, http://dontapscott.com/books/macrowikinomics/.
44. Emily Dreyfuss, “The Wikipedia for Spies—and Where It Goes from Here,” Wired, March 10, 2017,
https://www.wired.com/2017/03/intellipedia-wikipedia-spies-much/.
45. Emily Dreyfuss, “American Spies Now Have Their Very Own Smartphone App,” Wired, April 4,
2017, https://www.wired.com/2017/04/american-spies-now-smartphone-app/.
46. RSOE—Emergency and Disaster Information Service Alert Map, accessed August 13, 2017,
http://hisz.rsoe.hu/alertmap/index2.php.
47. InetSoft, “Enterprise Data Mashups,” accessed August 12, 2017, https://www.inetsoft.com/
solutions/enterprise_data_mashup/.
48. Facebook Newsroom, “Stats,” accessed May 11, 2018, https://newsroom.fb.com/company-info/.
49. LinkedIn, “The Top 100 CEOs on Social Media,” March 17, 2016, https://www.linkedin.com/pulse/
top-100-ceos-social-media-steve-tappin; Craig Smith, “220 Amazing LinkedIn Statistics and Facts
(March 2018), March 4, 2018, https://expandedramblings.com/index.php/
by-the-numbers-a-few-important-linkedin-stats/.
50. David Cohen, “New Look for Pinterest Business Profiles,” Adweek, November 30, 2016,
www.adweek.com/digital/pinterest-business-profiles-update/; Salam Aslam, “Pinterest by the
Numbers: Stats, Demographics & Fun Facts,” January 1, 2018, https://www.omnicoreagency.com/
pinterest-statistics/.
51. Pinterest, “Success Stories,” accessed August 13, 2017, https://business.pinterest.com/en/
success-stories.
52. Rachel Metz “Second Life is Back for a Third Life, This Time in Virtual Reality,” MIT Technology
Review, January 27, 2017, https://www.technologyreview.com/s/603422/second-life-is-back-for
-a-third-life-this-time-in-virtual-reality/.
53. Engage Digital (blog), “IBM saves $320,000 with Second Life,” accessed August 13, 2017,
www.engagedigital.com/blog/2009/02/27/ibm-saves-320000-with-second-life-meeting/.
54. Isabella Peters, Folksonomies: Indexing and Retrieval in Web 2.0 (Berlin: Walter de Gruyter GmbH,
2009), 223.
55. YourDictionary, s.v. “crowdsourcing,” accessed August 13, 2017, http://computer.yourdictionary
.com/crowdsourcing.
56. Adi Robertson, “YouTube Has 1.8 Billion Logged-In Viewers Each Month,” The Verge, May 3, 2018,
https://www.theverge.com/2018/5/3/17317274/youtube-1-8-billion-logged-in-monthly
-users-brandcast-2018.
57. G2 Crowd, “Best Video Hosting Software,” accessed August 14, 2017, https://www.g2crowd.com/
categories/video-hosting.
58. Gartner, “Magic Quadrant for Web Conferencing,” November 10, 2016,
https://www.gartner.com/doc/reprints?id=1-3LPJBEI&ct=161110&st=sb.
30 / CH AP T ER 1

59. Peter Mell and Timothy Grance, “The NIST Definition of Cloud Computing,” National Institute
of Science and Technology, September 2011, http://nvlpubs.nist.gov/nistpubs/Legacy/SP/
nistspecialpublication800-145.pdf.
60. SmartDraw, “Easy and Powerful Business Process Management Software,” accessed August 13,
2017, https://www.smartdraw.com/business-process-mapping/business-process-management
-software.htm?id=62200.
61. W3C, “W3C Semantic Web Frequently Asked Questions,” accessed August 13, 2017,
www.w3.0rg/RDF/FAQ.
62. Cade Metz, “Web 3.0,” PC Magazine, March 14, 2007, https://www.pcmag.com/
article2/0,2817,2102852,00.asp.
63. Nova Spivack, “AI, BI, and the Necessity of Automating the Analyst—It’s Time to Automate the
Analyst,” September 8, 2016, www.novaspivack.com/science/ai-bi-and-the-necessity-of
-automating-the-analyst.
64. Steve Bailey, Managing the Crowd: Rethinking Records Management for the Web 2.0 World (London,
United Kingdom: Facet Publishing, 2008), 31.
65. “Quantified Self (QS)” was developed into a “movement” largely by two editors from Wired
Magazine. See Deborah Lupton, “The Quantified Self Movement: Some Sociological Perspectives,”
This Sociological Life (blog), November 4, 2012, https://simplysociology.wordpress
.com/2012/11/04/the-quantitative-self-movement-some-sociological-perspectives/
66. James Moar, Wearables—The Heartbeat on Your Sleeve (Juniper Research, November 2015), 4; James
Moar, Fitness Wearables—Time to Step Up (Juniper Research, January 2016), 4.
67. Victoria Louise Lemieux, Brianna Gormly, and Lyse Rowledge, “Meeting Big Data Challenges with
Visual Analytics,” Records Management Journal, July 2014.
 CHAPTER 2

Building an Information
Governance Program on a
Solid RIM Foundation

INTRODUCTION

The unprecedented growth of digital information, the diversity of file formats, and the
accompanying challenges in determining what to trust, keep, secure, discard, and preserve
have resulted in a renewed interest in and appreciation for the value of records and infor-
mation management (RIM) to the organization.
During the first decade of the twenty-first century, organizations aspiring to manage
records and information assets across the enterprise embraced the concept of information
governance (IG). During the second decade of the twenty-first century, a focus on data gov-
ernance reemerged, as raw digital data are recognized as a strategic business asset that can
be analyzed (data analytics) to extract value in the form of patterns, predictions, and other
insights. In this chapter, you’ll be introduced to information governance and the role rec-
ords and information management plays within that structure. Data governance (DG) will
be addressed in chapter 10.
IG requires more than one point of view. Representatives from legal, human resources,
information technology, and business units must participate in developing the information
governance strategy. But because of their understanding of the flow of information across
the enterprise, records professionals are in a unique position to contribute their knowledge
and skills to this initiative.
The major element of IG is accountability—accountability with the laws, regulations,
and standards governing records and information. Therefore, in this chapter, you will also
be introduced to the major laws, regulations, and standards to which RIM programs (and
IG initiatives) must comply.

INFORMATION GOVERNANCE

A renewed interest in RIM has resulted in a call by many to use fundamental records man-
agement principles as the foundation for sound IG.
Information is a vital organizational asset, and information governance is an integrat-
ed, strategic approach to managing, processing, controlling, archiving, and retrieving infor-
mation as evidence of all transactions of the organization. Writing in the eDiscovery Journal

/ 31 /
32 / CH AP T ER 2

A ccording to Gartner, information governance is viewed as “the specification of

decision rights and an accountability framework to ensure appropriate behavior in
the evaluation, creation, storage, use, archiving and deletion of information. It includes the
processes, roles and policies, standards, and metrics that ensure the effective and efficient
use of information in enabling an organization to achieve its goals.”*
*“Gartner, s.v. “information governance,” IT Glossary, accessed August 20, 2017,
www.gartner.com/it-glossary/information-governance/.

blog, Barry Murphy explained that IG provides a framework for the “conservative side of
information management.”1
Every organization must consider its legal and regulatory environment along with its
tolerance for risk when designing its IG framework. Questions to be asked include:

• What records and information are needed to support business processes?

• What steps must be taken to be in compliance with governing laws and
regulations?
• What records and information could/should be destroyed, when, and how?

Although the Gartner definition of IG, which describes the need for an accountability
framework, is the most widely accepted, a recently released definition from the IG Initia-
tive reads: “Information Governance is the activities and technologies that organizations
employ to maximize the value of their information while minimizing associated risks and
costs.”2 Although technologies and activities are basic to IG, on a higher level there are three
core elements to an IG governance framework as shown in figure 2.1: policies, processes,
and compliance. Accountability measures in the form of audits and metrics must be used
to monitor the components of these elements. Records management must be integrated
throughout the process.
An information governance model can be used to provide context to discussions of the
integration of information management, risk management, and records management. This
framework should address all types of information, whether meeting the criteria estab-
lished for a record or not.

Records and Information Defined

Although an IG program manages both records and information, it is important to under-

stand the difference between the two for legal and compliance purposes. A record is “any
recorded information, regardless of medium or characteristics, made or received by an
organization in pursuance of legal obligations or in the transaction of business” according
to ARMA International.3 The definition of record provided by the International Standard
Organization (ISO) is slightly different: “information created, received, and maintained as
evidence and as an asset by an organization or person, in pursuance of legal obligations or
in the transaction of business.”4
Information is a “collection of data, ideas, thoughts, or memories.”5 Information is
also defined as “facts provided or learned about something or someone” and that which is
 BU I LDI NG AN I N F OR MATI O N G OV E R N AN C E PR OG R A M ON A S O LI D R I M F O U N DATI O N / 33

“conveyed or represented by a particular arrangement or sequence of things;” for example,

“data as processed, stored, or transmitted by a computer.”6
Because no two organizations are the same, each IG program and IG framework will
be unique. Ideally, the business will take a holistic approach as recommended by Robert
Smallwood, Managing Director at the Institute for Information Governance. According to
Smallwood:

Information Governance is used as a means of improving the quality and security of

information throughout its lifecycle. In essence, almost all of management must be in-
volved in supporting an Information Governance program, and the business is adjusted
as a whole . . . all departments must be involved in managing data to meet the regula-
tory, legal, and business demands of the modern business world, to maximize the data’s
value, while minimizing the risks and costs.7

Policies

An IG framework relies foremost upon a comprehensive RIM policy that draws on best
practices and can be adapted for almost any circumstance. It must address roles and respon-
sibilities, communications and training, and metrics and monitoring. The RIM policy must
refer to the requirements for managing records resulting from all business activities. And
the RIM policy must acknowledge additional considerations for managing records created
by or residing in social media and the cloud.
Policy teams must include representatives from the appropriate functional areas,
such as records management, information technology, business units, compliance, human

Information Governance Framework

Audits People
(Behaviors)
Processes Enterprise
Systems
Systems (Tools
Policies & Technology)
Third-party
(e.g., Records Systems
Management,
e-mail, Social Legislation
Media, Security,
Privacy, Other)
Laws

Regulations
Compliance

Standards

FIGURE 2.1 Information governance framework.

34 / CH AP T ER 2

resources, sales and marketing, and communications and public relations. The advent of
Web 2.0 and collaborative, web-based technologies has resulted in the formation of social
media teams in many organizations. Input from this team should be included as well. Most
organizations have a number of policies governing communications, security, privacy, com-
pliance, and social media that must be harmonized.

Compliance

Organizations must adhere to applicable laws, regulations, and standards. To be in compli-

ance, organizations understand that a records retention schedule should be media-neutral
and that retention requirements must be met. At the same time, all new initiatives, such as
wearable cameras for police officers, must be reviewed to determine if new records—and,
therefore, records series—will result. Automated processes should be utilized as much as
possible when capturing and managing information, including placing a hold on the dispo-
sition process when a legal action is pending. Guidance should be provided to all individuals
involved, including employees and consultants.

Processes

Processes are implemented to ensure compliance at an acceptable level of risk for the orga-
nization. Operational guidelines govern the selection of appropriate technology and ser-
vices to accomplish the core mission of the organization. Best practice should be established
for all parties involved with managing information. These include guidelines for the use of
personal and enterprise information technology, participation on social media sites, ethical
behavior, and security and privacy concerns.
Confusion over the role of records management within IG comes from a focus exclu-
sively on technology that can automate some records management functions, such as cat-
egorization, retention, and legal holds. There is much more to records management pro-
grams than automating technology to handle records management tasks.

RECORDS MANAGEMENT AS A PROFESSIONAL MANAGEMENT DISCIPLINE

The term records management describes a professional management discipline that origi-
nally managed physical documents (e.g., letters, contracts, minutes of meetings). This is in
contrast to the term information management, which came into use in the 1970s to describe
a computer environment in which structured information (data in columns and rows) was
stored electronically. Today’s holistic IG approach encompasses both—and records manage-
ment is an essential element.
To acknowledge the fact that records and information continue to exist in both elec-
tronic and physical form, the records management profession embraces the term records
and information management to describe the services it provides. Regardless of the form
of the record or information, the primary obligation remains the same—accountability.
Organizations expect their records and information management programs to enable the
management of information in a timely, accurate, complete, and cost-effective manner. The
information managed must be accessible and usable.
 BU I LDI NG AN I N F OR MATI O N G OV E R N AN C E PR OG R A M ON A S O LI D R I M F O U N DATI O N / 35

ISO 15489-1:2016 defines records management as the “field of management responsi-

ble for the efficient and systematic control of the creation, receipt, maintenance, use and
disposition of records, including processes for capturing and maintaining evidence of and
information about business activities and transactions in the form of records.”8

Record and Information Management Objectives

The activities of a records and information management program are undertaken with spe-
cific objectives in mind. They are to:

• develop and/or identify standards or procedures for the effective, efficient,

and secure management of records and information throughout the
organization;
• provide effective control, appropriate security, and management over
the creation, maintenance, use, and disposition of all records within the
organization;
• ensure that the records accurately reflect the business practices, policies,
and transactions of the organization;
• simplify the activities, systems, and processes of records creation,
maintenance, and use;
• preserve and dispose of records in accordance with business needs, statutes,
and regulations;
• protect vital records;
• provide business continuity in the event of a disaster;
• protect records of historical importance;
• provide evidence of business, personal, and cultural activity; and
• maintain corporate, personal, and collective memory.

Records and Information Management Risks

Organizations often look to RIM programs to mitigate risks. The risk management approach
looks at the other side of the coin to describe what will happen if the organization does not
have a comprehensive records management program in place. Major concerns are:

• damage to the organization’s reputation;

• high costs for information management and storage;
• lost files and risk of spoliation;
• legal discovery penalties or sanctions; and
• audit and compliance violations.

An effective RIM program comprised of records management policy and procedures,

well-trained personnel, and advanced information systems will reduce risks to the orga-
nization.
More recently, organizations have turned to its information assets (records included)
as a source of business intelligence (BI). This value must also be considered when develop-
ing the organization’s risk profile (risk will be discussed further in chapter 9).
36 / CH AP T ER 2

RECORDS AND INFORMATION MANAGEMENT LIFECYCLE

An essential characteristic of information is its value, which may decline as time passes and
eventually reaches zero. The value of information contained in records must be considered
at each stage of the RIM lifecycle. But models change over time, influenced by current prac-
tices and the technology available.

Document-Centric Records and Information Lifecycle

Throughout the twentieth century, records were controlled in the form of documents. Doc-
ument is defined as (1) any written or printed work (a writing); (2) information or data fixed
in some media; (3) information or data fixed in some media, but which is not part of a record
(a non-record); or (4) a written or printed work of a legal or official nature that may be used
as evidence or proof; (a record.)9
A document was traditionally considered to be text fixed on paper, but today drawings,
word processing files, web pages, and database reports are also considered documents. Like
records, they have content, context, and structure, but the nature of these attributes may
change in an electronic environment (e.g., a hypertext document on the web may be formed
by combining different sections housed on different servers in different countries through
the use of links).
The lifecycle model shown in figure 2.2 portrays a closed system that begins with the
birth of a document (capture/creation) and ends with its death (destruction) or movement
to an archive for permanent preservation. This model is useful when describing the man-
agement of paper-based records. In order to save storage space, retention schedules are
developed to document the meth-
od of disposition and to establish
destruction dates. Records that
are no longer in active use but that
have not yet met their retention Creation
requirements may be transferred
to a records center for storage and
Di & Use
n

eventual destruction. Records that

tio

str
Preser va al

have permanent value are most

Archiv

ibuti

often transferred to an archive for

preservation and use.
on

By 2011, the concept of doc-

ument-centric records and infor-
mation management lifecycle had
evolved to reflect the electronic
R e is

an &

en
ce

g
t

environment that allows for stor-

D

po tio ra n
age in a document library and to sit n & Sto te
ion in
emphasize the continuing value Ma
of the information contained—the
document management system.
New electronic documents enter
the system and those that no lon- FIGURE 2.2 Document-centric records and
ger have value to daily operations information lifecycle model.
 BU I LDI NG AN I N F OR MATI O N G OV E R N AN C E PR OG R A M ON A S O LI D R I M F O U N DATI O N / 37

exit the system. Records management functionality—such as retention, disposition, and

legal holds—is integrated into most document management systems.
Documents not born digital are also brought into document management systems
through digitization (scanning). The document management system automates storage and
retention through indexing, search, and disposal capabilities that allow users to store and
retrieve records within the electronic library. Document management systems are available
as self-hosted or cloud-based options. Today’s systems feature integrations for Microsoft
Office, Salesforce, DocuSign, QuickBooks, and other programs, and some offer an applica-
tion programming interface (API) for customized integrations.10

Information Lifecycle Management

Not all information is created equal. Some will be classified as records, but other useful
information may never be designated a formal record (e.g., work in progress). Therefore,
organizations are justifiably concerned about managing all information and not just official
records (those possessing legally recognized and enforceable qualities necessary to establish
a fact). Some of the information will be structured and other information unstructured.
Structured data is organized in a way that makes it identifiable. An Access or SQL database
is structured in columns and rows, which makes searching for the data type within the con-
tent possible. All other electronic information that has the potential to be records is stored
as unstructured data. Unstructured data is anything not in a database. Images, word docu-
ments, and even tweets are examples of unstructured data.11 Unstructured data are more
difficult to classify, maintain, archive, and dispose of than structured data.
Information, whether structured or unstructured, can be thought of as “the communi-
cation or reception of knowledge or intelligence” that must be managed.12 Information lifecy-
cle management (ILM) is a comprehensive approach to managing the flow of an information
system’s data and associated metadata from creation and initial storage to the time when it
becomes obsolete and is deleted.13
There are many variations on the ILM model, from simple to complex. Like the records
and information lifecycle model, it can take a cradle to grave perspective, as shown in figure
2.3.
This simplified diagram can be used to understand the controls that must be applied to
information during each stage of its lifecycle, regardless of the technology employed.

• Creation (including capture): Planning is an essential part of the creation

phase. Planning before creation can help ensure that the right information
is created and by the right people, that it is reliable and in the most

Creation Active Use Semi-Active Final

Use Outcome

FIGURE 2.3 Information lifecycle model.

38 / CH AP T ER 2

appropriate format, and that the necessary metadata are created and
captured.
• Active use: During this phase, information and records are in constant
or frequent use, primarily to conduct business. During this stage, the
purpose(s) for which the information can be used must be defined, the
information must be findable and accessible, the individuals who need
access must be granted such access, and the integrity of the information
must be secured.
• Semi-active use: These are the most vulnerable records and information
because they have declined in value and controls tend to be less
stringent. During this phase information may be held to satisfy retention
requirements, referred to on occasion for reference purposes, or retrieved
for evidential purposes.
• Final outcome: Information that is no longer useful to the organization and
that has met its retention requirements is destroyed. Information that has
enduring value for historic reference or research or that must be retained
due to regulatory obligations is preserved. Disposal of information that has
met its retention requirements and no longer has value must be controlled.
Even more challenging, preservation of and access to information of
enduring value must be ensured.

Records Continuum

Although most records and information managers in the United States embrace the records
and information lifecycle model, many experts outside of the United States advocate the
records continuum as an alternative. Australian archival theorist Frank Upward formulated
the records continuum concept based upon four principles:

1. A concept of record inclusive of records of continuing value (archives)

stresses their use for transactional, evidentiary, and memory purposes, and
unifies approaches to archives/recordkeeping, whether records are kept for
a split second or a millennium.
2. The focus on records as logical rather than physical entities, regardless of
whether they are in paper or electronic form.
3. Institutionalization of the recordkeeping profession’s role requires a
particular emphasis on the need to integrate recordkeeping into business
and societal processes and purposes.
4. Archival science is the foundation for organizing knowledge about
recordkeeping. Such knowledge is revisable but can be structured and
explored in terms of the operation of principles for action in the past, the
present, and the future.14

The records continuum model emphasizes the overlapping characteristics of recordkeep-

ing—evidence, transaction, and the identity of the creator. It deemphasizes the time-bound
stages of the lifecycle model and combines the recordkeeping and archiving processes into
integrated time-space dimensions as illustrated in figure 2.4.
In the United States, archives and records management are often viewed as two sep-
arate responsibilities managed by two different types of professionals, the archivist and
 BU I LDI NG AN I N F OR MATI O N G OV E R N AN C E PR OG R A M ON A S O LI D R I M F O U N DATI O N / 39

the records manager. The Australian model’s integrated approach, however, underscores
the importance of managing records and archives seamlessly to fulfill both managerial and
cultural responsibilities. Recordkeepers, whether they consider themselves archivists or
records managers, must understand the uses and values of records from creation through
long-term preservation.
The records continuum model illustrates a convergence of the functions of the archi-
vist with those of the records and information manager by placing equal emphasis on the
preservation of information to ensure societal memory.

Enterprise Content Management (ECM)

Enterprise content management (ECM) is an appropriate example of how quickly the tech-
nology landscape is changing. A search for document management systems in 2017 revealed
Gartner Inc.’s 2016 magic quadrant for enterprise content management systems instead,
underscoring the fact that, for many, document management has been subsumed into
enterprise content management. The four leaders for 2016 were IBM, Dell EMC, OpenText,
and Hyland. M-Files was considered the only visionary, and Oracle, Microsoft, Alfresco,
and Lexmark were considered challengers. The six niche players were Newgen Software,

FIGURE 2.4 Records continuum model.

SOURCE: Understanding Society through its Records, “Australian Contributions to Recordkeeping.” Courtesy of Frank Upward,
Monash University, Australia.
40 / CH AP T ER 2

Objective, Xerox, Laserfiche, SER Group, and Everteam.15 By 2017, the landscape changed
and a number of ECM companies had either split up or were acquired. Hyland (a leader in
this sphere), for example, acquired Lexmark (a challenger).16
So what is ECM? First defined by AIIM (Association for Information and Image Man-
agement) in 2000, the definition has been modified several times since then. In 2005, the
definition stressed the technologies used. By 2010, the definition was expanded to stress
the strategies, methods, and tools used. Today, AIIM includes the users and the use of the
content in this definition:

Enterprise Content Management is the systematic collection and organization of in-

formation that is to be used by a designated audience—business executives, custom-
ers, etc. Neither a single technology nor a methodology nor a process, it is a dynamic
combination of strategies, methods, and tools used to capture, manage, store, preserve,
and deliver information supporting key organizational processes through its entire life-
cycle.17

Gartner also revised its definition of ECM based on shifting business requirements and new
technologies. The most recent definition is:

ECM is a set of services and microservices, embodied either as an integrated product

suite or as separate applications that share common APIs and repositories, to exploit
diverse content types, and serve multiple constituencies and numerous use cases across
an organization.18

The eight essential functional components of ECM software evaluated for product inclu-
sion on 2016 Gartner’s Quadrant were: document management, records management,
image-processing applications, social content/collaboration, content workflow, packaged
apps and integration (new in 2016), analytics /BI (new in 2016), and extended components
such as digital asset management, web content management, enterprise search, and EFSS
(enterprise file sync and share).
In the first version of this book, the reader learned that ECM systems manage the
complete lifecycle of unstructured content in a variety of forms, including digitized docu-
ments, electronic forms, and unstructured data such as email, instant messages, text doc-
uments, social media content, and spreadsheets. By 2017, ECM systems “moved from a
command-and-control focus on managing unstructured content to a more integrated ap-
proach that prioritizes content usability, processing, and analysis.”19 The fact that document
management and records management are two of the eight components may be reassuring
to the records and information manager; however, the addition of new functionalities such
as Analytics/BI, packaged apps and integration, and extended components including en-
terprise search and EFSS mean RIM professionals must expand their horizons to better
understand how users work and what RIM can contribute.

The Next Wave: Moving from ECM to Intelligent Information Management

The title for this section was irresistible. John Mancini, Chief Evangelist, AIIM, used the
term intelligent information management to call attention to the changes occurring in the
enterprise content management environment in a report published jointly with OnBase by
 BU I LDI NG AN I N F OR MATI O N G OV E R N AN C E PR OG R A M ON A S O LI D R I M F O U N DATI O N / 41

Hyland.20 RIM professionals who now feel confident they understand ECM will need to be
prepared for the “next wave” since ECM is dead (or so reported Gartner analyst Michael
Woodbridge in a January 2017 blog post).21
I think most practitioners understood what those promoting ECM as a panacea knew
all along: A single enterprise content management system did not/could not really manage
all content within the Enterprise. What will be in place by the time this work is published
is anyone’s guess. Both Mancini (AIIM) and Woodbridge (Gartner) express slightly different
views—and employ different terminology.
According to Woodbridge, ECM systems are only successful at one of four main goals
associated with the utilization of content: regulatory compliance and risk management. One
of the three remaining goals, retention and dissemination of knowledge could only be accom-
plished by complex integration of the ECM with other systems. And the remaining two goals:
cost and process efficiencies and innovation and new ways of working were illusive.22
The solution proposed by Gartner is Content Services, which is comprised of Content
Services Applications, Platforms, and Components. This is a new way of thinking about
utilizing information regardless of where it resides. Using a Content Services approach,
content services will be “delivered quickly, cost effectively and to meet emerging business
innovations whilst maintaining the appropriate level of governance and compliance.”23
Mancini, on the other hand, suggests a move to intelligent information management. He
recognizes the reality that different species of technologies are currently employed, regard-
less of when they were introduced: Document management and workflow circa 1995, en-
terprise content management circa 2005, and mobile and cloud content management circa
2015. All provide different solutions to manage the interaction between people, processes,
and technology. That means the systems introduced earlier in this chapter are likely still
in use, sometimes all within the same enterprise. However, he also recognizes trends that
will “mold and shape” content management going forward, including the rise of data-cen-
tric technologies such as Hadoop, NoSQL, blockchain, the Internet of Things, and the shift
among solution providers to a cloud-first strategy.24
In Mancini’s vision of the future, both data and content must be managed. To help us
visualize this new world, we could use an Intelligent Information Management Roadmap
comprised of six components Create, Capture, Automate, Deliver, Secure, and Analyze.25

RECORDS MANAGEMENT PROGRAM ELEMENTS,

FUNCTIONS, AND ACTIVITIES

Although records management programs can and do vary depending on the size and culture
of organization, the industrial sector to which they belong, and the applicable laws and reg-
ulations, common functions must be performed.

Records Management Program Elements

The elements of a comprehensive records management program listed here will be add-
ressed further in future chapters:

• policy and procedure development

• records inventory, appraisal, retention, and disposition
42 / CH AP T ER 2

• active files management (paper and electronic)

• inactive files management and control (records center and digital archive)
• preservation and access (digital and physical)
• vital records protection, disaster recovery and business continuity planning
• training and outreach programs

Through all of the stages of the RIM lifecycle, security, privacy, and risk management must
be addressed.

Records Management Activities

In order to ensure that those functions listed previously are performed, the records and
information manager is responsible for specific activities. The National Archives and
Records Administration (NARA) defines the following typical records management (RM)
program activities that are also applicable to records managers in the private sector:

• Identifying records and records sources: This involves distinguishing

records from non-records for retention purposes; determining how, how
many (in terms of volume) and by whom the records are being created and
received; and identifying the relationship of the record to the agencies’/
organization’s business operations or functions.
• Developing a file plan: Specify how records will be organized by identifying
the classes of records (records series) the organization produces and
establishing how to associate records within a class to other records in the
same class.
• Developing records schedules: The schedules will document how long the
records must be retained and their final disposition (destruction or transfer
of legal and/or physical custody to an archives) based on time, event, or a
combination of the two.
• Providing records management guidance: This involves developing policies
and procedures for implementing records management activities, as well as
recordkeeping practices establishing the records that are created to conduct
agency/organization business and identifying parties within the agency/
organization with RM responsibilities, such as records officers of liaisons.26

When determining the specific activities mentioned here, such as developing a records
schedule, the records professional must refer to governing laws, regulations, and standards.
Prevailing trends in case law must also be monitored and taken into consideration when
evaluating risk. The next section of this chapter is developed to standards, laws, regulations,
and the legal environment.

STANDARDS, LAWS, REGULATIONS, AND THE LEGAL ENVIRONMENT

Regulatory compliance is required to safeguard physical and electronic records, shield the
organization from unnecessary risk, and help control costs. Standards, technical reports,
and guidelines create a professional environment of best-practice procedures that enable
 BU I LDI NG AN I N F OR MATI O N G OV E R N AN C E PR OG R A M ON A S O LI D R I M F O U N DATI O N / 43

organizations to develop compliant records/information systems, policies, and proce-

dures.

Standards

Standards provide us with codification of practice, explicit rules from implicit meth-
odologies, development of a body of common knowledge, consistency in practice and
quality, interoperability and interconnectivity, and efficiency. Many of the standards
overlap and one standard cannot be used for everything; instead, several standards may
work together to achieve standard practice.27

The appropriate mix of standards will be unique to each organization. Several of the stan-
dards often referred to by records/information managers are introduced in this chapter.28

De Facto Standards
Some programs and practices are used so often and widely that they are considered de facto
standards. One example is the US Department of Defense standard DoD 5015.2-STD Elec-
tronic Records Management Software Applications Design Criteria Standard. This standard
was originally developed to provide implementation and procedural guidance on the man-
agement of records in the US Department of Defense. The Joint Interoperability Test Com-
mand (JITC) tests the products and makes a product register available online to provide
information about certified records management application (RMA) products. Currently
all products listed on this project register are valid in perpetuity.29
NARA subsequently endorsed this standard for use by all government agencies. Even-
tually so many private firms turned to this standard when developing or evaluating enter-
prise records management system (ERMS) products that ARMA International published
a technical report, Using DoD 5015.02-STD outside the Federal Government Sector, to help
those outside of the federal government better understand how to apply the de facto stan-
dard for their own needs.
Outside of the United States, guidance is provided in the form of a similar de facto stan-
dard, Model Requirements for the Management of Electronic Records (MoReq). MoReq2010
is the latest specification published by the DLM Forum intended for use throughout the
European Union by public and private sector organizations. Like DoD 5015.02-STD, MoReq
outlines the essential elements a records system requires to ensure that records are proper-
ly managed, accessible, and available as long as they are needed and are properly disposed
of once the retention period has expired. MoReq test centers can test and certify software,
systems, and site installations against the specifications.30

De Jure Standards
De Jure Standards are those adopted by an official standards-setting body, such as the Inter-
national Organization for Standardization (ISO) and the American National Standards
Institute (ANSI). Standards development is a complex task. Some standards are accompa-
nied by a technical report to provide guidance for implementation.
ISO, the largest developer and publisher of international standards, is a network of
the national standards institutes of 160 countries. In the United States, ANSI is the official
44 / CH AP T ER 2

representative to ISO. ISO has adopted a number of records management standards that
belong on every manager’s resource list.
The standards important to records managers are not just those that are considered
records management standards. Records managers will identify other standards based on
the needs of the organization and the task at hand. For example, three additional ISO stan-
dards that may provide useful are ISO/TR 15801:2017 Document management—Electronical-
ly stored information—Recommendations for trustworthiness and reliability; ISO/IEC 27000
family of standards, Information security management systems; and ISO 31000:2009 Risk
Management—Principles and Guidelines.
Professional associations are active in developing standards, guidelines, best practices,
and technical reports to assist their members.31 These associations must work with a nation-
al standards development body if they wish to develop a standard.
AIIM, for example, was instrumental in moving the PDF file format forward from a
popular de facto standard to an ANSI- and then ISO-approved standard, ISO 32000-1. Based
upon the PDF 1.4 version of that standard, the first PDF/A standard for long-term preser-
vation was approved, ISO 19005-1:2005 Document Management—Electronic Document File
Formation for Long-Term Preservation—Part 1 Use of PDF 1.4 (PDF/A-1). Part 2 of ISO 19005
was approved as a final draft in 2011 based on version 1.7 of the PDF standard. Part 3, pub-
lished in 2012, specifies the use of PDF 1.7 for preserving the static visual representation of
page-based electronic documents over time, but it also allows any type of other content to
be included as an embedded file or attachment.
In 2017, PDF 2.0 was released. ISO 32000-02:2017 Document management—Portable
document format—Part 2: PDF 2.0 is primarily intended for developers of software that cre-
ates PDF files (PDF writers), software that reads existing PDF files and (usually) interprets
their contents for display (PDF readers), software that reads and displays PDF content and
interacts with the computer users to possibly modify and save the PDF file (interactive
PDF processors), and PDF products that read and/or write PDF files for a variety of other
purposes (PDF processors). The new format, PDF 2.0, has not yet resulted in changes to the
19005 standards for long-term preservation, but it is important to keep abreast of the latest
changes in the PDF/A format that might emerge.
In 2011, ANSI endorsed a standard developed by a consensus group formed by ARMA
International. The standard Implications of Web-Based, Collaborative Technologies in Records
Management (ANSI/ARMA 18-2011) provides requirements and best practice recommen-
dations related to policies, procedures, and processes for an organization’s use of internally
facing or externally directed (public or private) social media technologies such as wikis,
blogs, mashups, and classification (tagging) sites.

Laws and Regulations

How many articles have you read that included the phrase exponential growth of informa-
tion? I know I’ve used those words myself. But what does this mean? There is broad con-
sensus that the digital universe will double every two years (a fifty-fold increase between
2010 and 2020), with human- and machine-generated data growing ten times faster than
business data.32
It is difficult to imagine traditional records management approaches being applied
to all human- and machine-generated data. Records and information managers must be-
come part of the solution to these challenges. However, records retention and disposition
 BU I LDI NG AN I N F OR MATI O N G OV E R N AN C E PR OG R A M ON A S O LI D R I M F O U N DATI O N / 45

Sampling of ISO Records/Information Management

Standards and Technical Reports.
ISO 15489-1:2016 Information and documentation—Records management—
Part 1 Concepts and principles. ISO 15489-1:2016 is a replacement for ISO 15489-
1:2001. It establishes the core concepts and principles for the creation, capture, and
management of records. Although it is self-contained, this standard is central to a
number of ISO standards and technical reports that provide records management
guidance and instruction.
ISO/TR 18128:2014 Information and documentation—Risk assessment for
records processes and systems. This technical report provides assistance to
organizations in assessing risks to records processes and systems so they can ensure
records continue to meet identified business needs as long as required.
ISO 16175-1:2010—Information and documentation—Principles and functional
requirements for records in electronic office environments. This standard
establishes fundamental principles and functional requirements for software used
to create and manage digital records in office environments. This standard should
be used with ISO 16175-2 Guidelines and functional requirements for digital records
management systems and ISO 16175-3 Guidelines and functional requirements for
records in business systems.
ISO 23081-1:2017 Information and documentation—Records management
processes—Metadata for Records—Part 1: Principles. This part of ISO 23081
covers the principles that underpin and govern records management metadata. It is
applicable to records and their metadata, all processes that affect them, any system in
which they reside, and any organization that is responsible for their management. This
update to the 2006 version is supported by ISO 23018-2:2009—Part 2: Conceptual and
implementation issues and ISO 23018-3:2011—Part 3: Self-Assessment Method.

decisions will still be made with regard to many high-value business records due to four
different types of official actions: executive orders, legislation (statutes that become laws),
administrative actions (regulations), and judicial decisions (case law).

Executive Orders
Executive orders are issued by the incumbent president, who can revoke orders of pre-
vious presidents, changing the way in which presidential records are to be managed. The
Presidential Records Act (PRA) of 1979 changed the legal ownership of the official records
of the president from private to public and established a new statutory structure under
which presidents must manage their records. In January 1989, President Ronald Reagan
issued Executive Order 12677 to establish procedures for NARA and former and incumbent
presidents to implement the PRA. Shortly after the attacks of 9/11, President George W.
Bush issued Executive Order 13233 revoking President Reagan’s Executive Order 12677 and
restricting access to the records of former presidents. This new executive order applied to
the records of the Vice President as well. President Barack Obama’s first act as president
46 / CH AP T ER 2

in 2009 was Executive Order 13489 revoking President Bush’s Executive Order 13233 and
limiting the authority of the president and former presidents to block the release of presi-
dential records. Although President Donald J. Trump has not issued an executive order on
this issue at the time of this writing, there has been much speculation over the status of
his tweets on his private Twitter account, @realDonaldTrump, as presidential records and
whether removal of any of the tweets would violate the PRA.

Legislation and Regulations

Laws are created by statutes that originate from legislative bills. Laws can be enacted on the
federal, state, and local levels of government. On the federal level, the US Congress votes
to adopt legislation, the president signs the legislation making it a law, and various agencies
are charged with publishing regulations to provide guidance to implement the law. Regu-
lation is defined as “a rule or order issued by an executive authority or regulatory agency
of a government and having the force of law.”33 Regulations are applicable only within the
jurisdiction or purpose for which such regulations are made.
Noncompliance with laws or regulations can result in fines, sanctions, litigation, and
personal liability for corporate officers. Managing records in a prudent and defensible man-
ner is essential to minimizing risk and establishing proof of compliance. But the question
is, compliance with which laws and regulations? Responsibility for answering that question
varies across organizations. There is an increased appreciation for the role of records man-
agement in reducing risk exhibited by the fact that records management is typically housed
within governance and/or compliance areas.
The individual responsible for identifying applicable laws and regulations will need
to consider those laws and regulations specific to his or her organization’s situation. Reg-
ulations provide more detail than the laws from which they arise and will, in some cases,
specify the length of time certain records must be available for audit. This information is
essential to determining the retention period for records that result from a similar activity
or that document a specific type of transaction.
In the United States, the Office of the Federal Register provides access to the official
text of federal laws, presidential documents, administrative regulations and notices, and
descriptions of federal organizations, programs, and activities. Of particular significance
to records managers is the Code of Federal Regulations (CFR) that codifies the general and
permanent rules published in the Federal Register by the departments and agencies of the
federal government.
Records management issues are addressed in Title 44 of the United States Code (USC).
The basis of records management in the federal government is the Federal Records Act of
1950 (44 US § 2901) , which states: “The law establishes the basis for records management
programs in Federal Agencies.”34
NARA regulations can be found in Title 36 of the United States Code and in the Code of
Federal Regulations, 36 CFR 1220, subchapter B—Records Management. Subchapter B spec-
ifies policies for federal agencies’ records management programs relating to proper records
creation and maintenance, adequate documentation, and records disposition.
Congress can also regulate the actions of private firms. The Sarbanes-Oxley Act of 2002
(SOX) is legislation enacted by the US Congress and signed by President Bush in response
to the high profile Enron and WorldCom financial scandals. Administered by the Securities
and Exchange Commission (SEC), it is designed to protect shareholders and the general
public from accounting errors and fraudulent practices. It applies to all public companies
 BU I LDI NG AN I N F OR MATI O N G OV E R N AN C E PR OG R A M ON A S O LI D R I M F O U N DATI O N / 47

Key US Federal Statutes Related to Records

Management
National Archives Act of 1934. Signed by Franklin D. Roosevelt, this act
established the National Archives to centralize federal recordkeeping, with the
Archivist of the United States as its chief administrator.
Federal Records Act of 1950. This act, as amended, establishes the framework
for records management programs in federal agencies. As the primary agency
for records management oversight, the NARA is responsible for assisting federal
agencies in maintaining adequate and proper documentation of policies and
transactions of the federal government. This is done by appraising records, regulating
and approving the disposition of federal records, operating Federal Records Centers
and preserving permanent records. President Obama signed into law H.R. 1233,
the Presidential and Federal Records Act Amendments of 2014 that strengthened
the Federal Records Act by expanding the definition of federal records to clearly
include electronic records and granting to the Archivist of the United States final
determination as to what constitutes a federal record.
Freedom of Information Act (FOIA) of 1966. This act, as amended, ensures
public access to US government records. FOIA carries a presumption of disclosure.
The burden is on the government to demonstrate why information may not be
released. Upon written request, US government agencies are required to disclose
their records, unless they can be lawfully withheld from disclosure under one of nine
specific exemptions in the FOIA. This law was most recently amended by the FOIA
Improvement Act of 2016.
Privacy Act of 1974. This act establishes safeguards for the protection of records
that the federal government collects and maintains on US citizens and permanent
records. The act mandates that the government must disclose what information
is being collected and how it will be used. It also bars agencies from maintaining
information not directly related to their mission. This act allows individuals to
seek access to records retrieved by their name and personal identifier and to
seek amendment of any inaccurate information. The Privacy Act of 1974, 5 U.S.C.
§ 552a establishes a code of fair information practices that governs the collection,
maintenance, use, and dissemination of information maintained in the systems of
records by federal agencies.
Presidential Records Act (PRA) of 1978. This act governs the official records
of presidents and vice presidents created or received for all presidents who come
into office after January 20, 1981. This Act changed the legal ownership of the official
records of the president from private to public, and established a new statutory
structure under which presidents must manage the records while in office, and
the records automatically transfer into the legal custody of the National Archives
when the president leaves office. Responsibility for the control, preservation of, and
access to presidential records of past presidents lies with the archivist. H.R.1233, the
Presidential and Federal Records Act Amendments of 2014 modernized the PRA
of 1978. It codified procedures by which former and incumbent presidents review

[ CONTINUED ON FOLLOWING PAGE ]

48 / CH AP T ER 2

[ CONTINUED ]

presidential records for constitutional privileges. Formerly, this process was controlled
by an executive order subject to change by different administrations.
Paperwork Reduction Act of 1995. This act requires that agencies obtain the
approval of Office of Management and Budget (OMB) before requesting most types of
information from the public. It requires the head of each agency to designate a chief
information officer to carry out the responsibilities outlined.
E-Government Act of 2002. This act promotes the use of the internet and
electronic government services to make the federal government more transparent and
accountable. In addition, it provides enhanced access to government information and
services in a manner consistent with laws regarding protection of personal privacy,
national security, records retention, access for persons with disabilities, and other
relevant laws.
The US Government Publishing Office’s Federal Digital System provides access
to a dataset of publications, including acts signed by the President, at https://www
.gpo.gov/fdsys/search/home.action. FDS will be replaced by govinfo in December
2018 (https://www.govinfo.gov/).

in the United States, international companies that have registered equity or debt securities
with the SEC, and the accounting firms that provide auditing services to them. SOX con-
tains three rules that affect the management of business records. The first rule deals with
destruction, alteration, or falsification of records. The second defines the retention period
for records storage at not less than five years. The third refers to the types of business
records that need to be stored—all business records and communications, including elec-
tronic communications. Consequences for noncompliance include fines, imprisonment, or
both.35
The Financial Industry Regulatory Authority (FINRA) regulates the financial indus-
try and requires brokerage firms and their registered representatives to retain records of
all communications related to the broker-dealer’s business, including those that are made
through public blogs and social media sites such as Facebook, LinkedIn, and Twitter. Reg-
ulatory Notice 10-06 (2010) provided guidance regarding the issues that arise from such
use. Specifically, FINRA requires that any firm that “intends to communicate, or permit its
associated persons to communicate, through social media sites must first ensure that it can
retain and retrieve records of those communications as required by Rules 17a-3 and 17a-4
under the Securities Exchange Act of 1934 and NASD Rule 3110. In 2011, Regulatory Notice
11-39 was released to provide additional guidance. In 2013, Amendments to Rule 2210 cod-
ified the guidance provided in both Notices with respect to the supervision of interactive
social media posts by member firms. Regulatory Notice 17-18 (2017) specifies that records
of communications using text message applications (apps) and chats are also covered and
reiterates that for records retention purposes, it is the content of the communication that
determines what must be retained.36
Another heavily regulated industry is the healthcare industry. The Health Insurance
Portability and Accountability Act of 1996 (HIPAA) is a federal statute to help consumers
maintain their insurance coverage by standardizing the electronic exchange of informa-
tion (transactions) between trading partners.37 HIPAA regulations also established privacy
and security standards to protect individually identifiable health information. Records and
 BU I LDI NG AN I N F OR MATI O N G OV E R N AN C E PR OG R A M ON A S O LI D R I M F O U N DATI O N / 49

Key US Provisions Governing Records Management

by the Federal Government
The Code of Federal Regulations (CFR) is the codification of the general and
permanent rules published in the Federal Register by executive offices and agencies
of the federal government. The CFR is divided into fifty sections called “Titles.” Of
most interest to records and information managers is Title 36.
36 CFR 1220–1239: Parts 1220–1239 are specific to the National Archives and
Records Administration. Topics include Creation and Maintenance of Federal Records
(1222), Records Disposition Programs (1224), Transfer of Records to Records Storage
Facilities (1232), Electronic Records Management (1236), and Microforms Records
Management (1238). [1]
The United States Code (USC) is the consolidation and codification of the general
and permanent laws of the United States. The USC is comprised of fifty-three Titles.
Of most interest to records and information managers is Title 44, Public Printing and
Documents. [2]
44 USC Chapters 21, 22, 29, 31, and 33 are especially relevant to records
management on the federal level. Topics include: NARA (chapter 21), Presidential
Records (chapter 22), Records Management by the Archivist of the United States
and by the Administrator of General Services (chapter 29), Records Management by
Federal Agencies (chapter 31), and Disposal of Records, which includes a definition of
records (chapter 33).
SOURCE: https://bookstore.gpo.gov/catalog/code-federal-regulations-cfrs-print;
https://www.law.cornell.edu/uscode/text/44.

information management professionals in healthcare-related organizations must under-

stand and be prepared to comply with HIPAA rules and regulations. Employers outside of
the health sector who store records regarding employee health, such as employee absences,
must also understand and comply with HIPAA regulations.
A law that has far-reaching implications for organizations engaged in interstate and
foreign commerce is the Electronic Signatures in Global and National Commerce Act
(E-SIGN). E-SIGN was enacted by Congress and signed into law by President William J.
Clinton using his electronic ID on June 30, 2000. The purpose of this law was to facili-
tate the use of electronic records and signatures by ensuring the validity and legal effect of
contracts entered into electronically. Section 101 (1)(C)(ii) of the act requires businesses to
obtain the consumers’ electronic consent or confirmation to receive information electron-
ically that a law requires to be in writing.38 Almost two decades after this law was enacted,
professionals within a number of industries, including insurance, real estate, legal services,
and finance have adopted this technology to speed business transactions without increasing
risk. However, a record of the transaction in the form of an audit trail is recommended. For
example, “Insurance professionals are advised to use electronic signatures and electronic
records for ‘special consumer disclosures’ and to create an audit trail documenting the date
and time the document was sent, received and read, along with the recipient and sender IP
addresses and a digital image of the signed document.”39
50 / CH AP T ER 2

Caution is advised when identifying applicable laws and regulations. To be compliant

with these regulations, additional research is required. As illustrated by the number of ex-
ecutive orders repealing previous presidential executive orders, present, and future actions
can modify or negate previous decisions.

Rule 26 and Other Amendments of the Federal Rules of Civil Procedure

Organizations must not only be prepared to demonstrate compliance with laws and reg-
ulations, but they must also be prepared to defend themselves in court. The Federal Rules
of Civil Procedure (FRCP) govern the conduct of civil actions brought into federal district
courts.40 Many states have used the FRCP as a model for their own rules of civil procedure.
Rules 26 and 27 govern the production of evidence in most federal court cases and make
the efficient management of electronic records more important than ever. Implications for
records management programs cannot be ignored.
On December 1, 2015, amendments to the FRCP were released that mainly impact
e-discovery procedures. Rule 26(b)(1) introduces the concept of proportionality including
whether the burden or expense of the discovery outweighs its likely benefit. Rule 37(e )now
focuses on “failure to preserve Electronically Stored Information” as opposed to “failure
to provide Electronically Stored Information.” Consequences (e.g., dismissal of the action,
default judgment, instructions to the jury that it may or must presume the information was
unfavorable to the party) could result if reasonable steps (as per the reasonableness standard)
are not taken to preserve information in anticipation or conduct of litigation.41

The Legal Environment

Court rulings on cases similar to those in which an organization may find itself is part of the
risk assessment process used to determine which records and information demand addi-
tional protection.
One example that supports the concept of both proportionality and reasonableness is
Duffy v. Lawrence Memorial Hospital, No. 14-2256 (D. Kansas, Mar. 31, 2017).
A request to produce a random sampling of patient files was granted after the defen-
dant demonstrated that in order to comply with the original request, 15,574 unique patient
records would have to be located and gathered and that it would take thirty minutes to pro-
cess and review each record for a total cost of $196,933.23. In addition, redaction of patient
confidential information under the direction of one qualified attorney would cost another
$37,259.50. The total cost to produce would be over $230,000.
Kansas Magistrate Judge Teresa J. James granted the Motion to Modify Discovery Or-
der from the defendant (and counterclaimant), and directed the defendant to produce a
random sampling of 252 patient records, along with five spares, in order to respond to the
plaintiff/relator’s document requests. The defendant was further ordered to have the pa-
tient’s personal confidential information redacted.42
The Sedona Conference is a nonprofit research and educational institute dedicated
to the study of law and policy related to antitrust law, complex litigation, and intellectu-
al property rights. Among its research products are a number of articles on the topic of
eDiscovery, such as the “Commentary on Proportionality in Electronic Discovery 2017,”
published in volume 18 (2017) of the The Sedona Conference Journal, which can be download-
ed from The Sedona Conference website.43
 BU I LDI NG AN I N F OR MATI O N G OV E R N AN C E PR OG R A M ON A S O LI D R I M F O U N DATI O N / 51

Federal Rules of Civil Procedure (FRCP)

and Implications for Records Management

The Federal Rules of Civil Procedure govern civil proceedings in the United States
district courts. These rules impact records management programs: Rule 26(a), Rule
26(b)(1), Rule 26(b)(2), Rule 26(b)(5), Rule 34(b)(2), Rule 37(e), and Rule 37(f).

Rule 26(a): This rule defines electronically stored information as a specific

category to be disclosed. Businesses (whether plaintiff or defendant) have a
responsibility to produce e-records. The requesting party may ask that it be produced
in a specific format. If the parties do not agree, the court may specify the format.

Rule 26(b)(1): This rule changes the scope of discovery. Parties may obtain
evidence regarding any non-privileged matter that is relevant and proportional to the
needs of the case [italics are the author’s].

Rule 26(b)(2): This rule acknowledges that some electronically stored

information (ESI} may be unduly burdensome to produce due to issues such as
hardware or software obsolescence or damaged media. In such cases the party need
not produce e-records it regards as “not reasonably accessible because of the undue
burden of the cost.” The court can order production in spite of the assertion.

Rule 26(b)(5): This rule relates to claiming privilege or protecting trial-

preparation materials. It states that if information is produced in discovery that is
subject to a claim of privilege or of protection as trial-preparation material, the party
making the claim may notify any party that received the information of the claim
and the basis for it. The notified party must promptly return, sequester, or destroy
the specified information and any copies of it. The producing party, however, must
preserve the information until the claim is resolved.

Rule 34(b)(2): This rule specifies the need for greater specificity in objections to
requests for production. A “reasonable” time period applies to producing responsive
information, and responding parties must explicitly state in their production response
if documents are being withheld.

Rule 37(e): This rule authorizes courts to issue sanctions where four conditions
are met: (1) the ESI should have been preserved in anticipation or conduct of
litigation; (2) the ESI is lost; (3) the loss is due to a party’s failure to take reasonable
steps to preserve it; and (4) the ESI cannot be restored or replaced through additional
discovery.

Rule 37(f): This rule recognizes that companies cannot preserve all of the data
they produce. It states that “absent exceptional circumstances, a court may not
impose sanctions as the result of the routine, good-faith operation of an electronic
information system.”
NOTE: The Federal Rules of Civil Procedure as amended to December 1, 2016
can be viewed at https://www.law.cornell.edu/rules/frcp.
52 / CH AP T ER 2

If you are employed by an international firm, you must become familiar with legal
requirements and codes of practice in the countries in which business is conducted. This
can become complicated. For example, the Data Protection Act of 1998 (DPA 1998) is an
act of the Parliament of the United Kingdom (UK) defining the ways in which information
about living people may be legally used and handled.44 DPA 1998 was enacted to bring the
UK law up-to-date to reflect the European Parliament Directive 95/45/EC, which required
member states of the European Union (EU) to protect individuals’ fundamental rights and
freedoms, including the right to privacy with respect to the processing of personal data.45 In
2016, the EU Parliament approved a replacement for the DPA, the General Data Protection
Regulation (GDPR). The GDPR is a framework with greater scope and tougher punishments
for those who fail to comply with the new rules around the storage and handling of personal
data as of May 25, 2018.
The goal of the European Commission, the European Union’s governing body, is har-
monizing the laws of its member states to promote standardization and facilitate compli-
ance. However, not all countries belong to the European Union and not all that do are in
compliance with the directives of the European Commission. Although in 2016 the people
of the United Kingdom voted to withdraw from the EU, the GDPR is likely to become Brit-
ish law. A sampling of laws and regulations outside of the United States is included in the
appendix.
Unlike the EU countries and a number of others, the United States does not have a
blanket federal level privacy act or law in place to cover all privacy issues. The right to pri-
vacy is considered protected by the fourth amendment of the US Constitution (although
the Supreme Court has determined that freedom from unreasonable search and seizure is
different from other privacy rights). Several states have privacy protection explicitly writ-
ten into their constitutions. Individual laws, such as HIPAA for healthcare, address privacy
related to records of specific industries.
It is easy to see how complex this is becoming, which explains why large organizations
employ chief compliance officers (CCOs) to ensure that their organizations are comply-
ing with regulatory requirements and that the company and its employees are complying
with internal policies and procedures. Records and information managers must be aware
of these complex issues in order to develop compliant retention and disposition policies on
their own or in collaboration with the corporate compliance officer.

SUMMARY

The volume, velocity, and variety of data created today present enormous challenges to
the organization. Constantly evolving laws, regulations, and case law, along with the fact
that much of the data are being created outside of the organization’s firewalls, add to the
complexity of the situation. An accountability framework that includes policies, processes,
roles, standards, and metrics is necessary for the organization to effectively govern its
records and information.
An information governance program built upon a solid records and information man-
agement foundation can produce benefits and mitigate risks to the organization. Benefits
include the protection of essential records and those of historical importance; the preser-
vation of corporate, personal, and collective memory; and effective control, appropriate se-
curity and management over the creation, maintenance, use, and disposition of all records
within the organization. Risks that can be minimized include those that arise from lost files
 BU I LDI NG AN I N F OR MATI O N G OV E R N AN C E PR OG R A M ON A S O LI D R I M F O U N DATI O N / 53

and potential charges of spoliation; high costs for information management and storage;
and audits and compliance violations.
A number of models have been developed to describe the various stages in the life of
records and information, including the document management lifecycle model, the infor-
mation lifecycle model, the records management lifecycle model, and the records continu-
um. The goal of each of these is to ensure that the right information is available to the right
person at the right time in compliance with all governing laws and regulations.
Records management programs vary across organizations and industries, but they all
possess certain core elements (e.g., retention, disposition, preservation) and activities (e.g.,
records identification, disaster preparedness, and business continuity planning).
Laws, regulations, and standards impact records and information management pro-
grams for both government and private organizations. Industry-specific laws and regula-
tions must be taken into account. Organizations involved in international business must
understand the laws and regulations of the countries in which they operate.
In the United States, we see a system struggling to provide adequate healthcare to its most
important stakeholders, its patients. Robert Smallwood—an industry-leading author, key-
note speaker, consultant, and educator on Information Governance and Electronic Records—
provides an analysis of the problem and possible solutions. This paradigm is unique in that
it is placed not in the context of one specific organization but of an entire industry—the
healthcare industry.

PA R A D I G M

The Information Governance Imperative in Healthcare

Robert Smallwood
Managing Director, Institute for Information Governance

Introduction
Information governance (IG) is about minimizing information risks and costs while maxi-
mizing its value. More specifically, the American Health Information Management Associ-
ation (AHIMA) defines IG as “an organization-wide framework for managing information
throughout its lifecycle and supporting the organization’s strategy, operations, regulatory,
legal, risk, and environmental requirements.”46
Healthcare has major IG issues and it is imperative to address them.
The healthcare industry is uniquely challenged in that information accuracy, security,
and privacy are absolutely paramount. Failing to safeguard sensitive patient information,
especially protected health information (PHI), can have catastrophic consequences. Bad
actors can steal a person’s healthcare insurance credentials and identity and then undergo
expensive medical procedures, leaving the victim with an inaccurate health history to
untangle and perhaps major financial liabilities.
Moreover, when caregivers are provided inaccurate or out-of-date information, peo-
ple can die. And bad information is killing Americans at record rates: medical mistakes
kill over 250,000 people each year in the United States and are the third leading cause of
54 / CH AP T ER 2

death overall, behind heart disease and cancer, according to a study by doctors at Johns
Hopkins. (These numbers are certainly low, because they do not include deaths at nursing
homes and in-home care settings).47

Problem Statement
The United States has the most expensive healthcare in the world, the most advanced
equipment, the most advanced medicines, the best-trained doctors—yet in a recent study
of healthcare quality the United States came in dead last out of eleven civilized nations.48
The United Kingdom, Switzerland, and Sweden topped the list.
The United States’ problem is not medical training, advanced equipment, medicines,
or financial resources, the problem is mostly a failure to get the right information to the
right people at the right time; that is, caregivers must have accurate, current clinical infor-
mation to do their jobs properly.
The consequences of this carelessness with information are colossal IG failures that
almost daily expose major corporations to reputational and financial risk; for instance, the
Premera BlueCross, Excellus BlueCross BlueShield and Anthem Health breaches in 2015,
and the 21st Century Oncology breach in 2016 that exposed 2,213,597 patients’ records.49
These organizations obviously did not know where all their PHI, personally identifiable
information (PII), and confidential electronic documents were located and took inadequate
measures to secure that valuable information.
They—and most healthcare organizations—are not managing information as an asset
and do not have a current accounting of their information assets, particularly sensitive or
confidential ones. That is, there is no information inventory or “data map” showing where
different types of information are stored, and they would have difficulty finding all inci-
dences of it so that it may be secured.
Most organizations are not paying attention: they leave sensitive information out there
floating around on their servers unsecured, unencrypted. When it comes time to attend to
the problem, most often they “kick the can down the road” and do nothing.
The impact only becomes clear after a major event like a data breach, which can
severely damage an organization’s reputation—especially healthcare institutions where
people’s health and lives are at stake—and can result in thousands of patients and or cus-
tomers being dragged into a “lifelong battle” to control their personal information.
Sometimes, the realization may come when a major lawsuit causes runaway legal
costs or a significant fine or sanction is levied.

Recommended Solutions
IG challenges in healthcare have life-or-death consequences. However, with focused anal-
ysis, planning, and dedicated effort, they can be fixed. But to do so healthcare profession-
als must gain the necessary education and tools, collaborate with IG experts and each
other, and gain executive management support for IG initiatives.
Although still in the early stages of adoption, healthcare organizations are beginning
to understand that IG is an important strategic tool for addressing compliance and legal
demand, as well as capitalizing on major trends like the onslaught of Big Data and the
emerging Internet of Things (IoT). IG also addresses related issues such as data qual-
ity and integrity, information lifecycle management (ILM), patient privacy, and regulatory
compliance.
 BU I LDI NG AN I N F OR MATI O N G OV E R N AN C E PR OG R A M ON A S O LI D R I M F O U N DATI O N / 55

Legal, regulatory, and information security demands are often key drivers for estab-
lishing IG programs in all industries, but in healthcare, information quality and control
demands are more extreme and consequential.
The US government mandate requiring all public and private healthcare providers and
other eligible professionals to automate medical records by January 1, 2014, and the ensu-
ing mad rush to install electronic health record (EHR) systems and to prove “meaningful
use” of these systems has had consequences. It has resulted in a number of sloppy, hap-
hazard implementations that are generating inaccurate information. What has been mostly
missing in these slapdash implementations are redesigned business processes with a
built-in focus on not only information privacy and security but also on data governance
and quality. When approached in this way, resultant reports and analyses are more accu-
rate and trustworthy.

Anticipated Results
With accurate and trusted information, healthcare professionals can do the job they were
trained to do, and drastically reduce medical mistakes. This is an IG effort with the highest
purpose: to save lives.
On top of this noble pursuit to save lives by improving information and its delivery
are the layers upon layers of regulatory compliance requirements and increased litigation
demands, all of which add cost to healthcare operations. These forces are adding increased
cost pressures to healthcare organizations, especially in the United States, where they are
already under pressure to cut costs and increase their financial performance. IG programs
can reduce the ongoing costs of compliance and litigation by streamlining and standard-
izing business processes that manage and control information and building in information
security and privacy requirements that can be accommodated routinely.
IG is not all about risk and cost reduction. IG programs also can improve patient care
and outcomes. IG efforts in healthcare have the opportunity to greatly improve clinical
insights by leveraging data science and analytics, which has the potential to improve heal-
ing, recovery rates, and patient satisfaction. Further, financial and service innovations can
arise from new insights gained by leveraging business analytics and other tools.
Healthcare, particularly in the United States, is at a crisis point, because the industry
has invested so much in automation, training, and advanced equipment and medicines—
but are still yielding troubling results in healthcare quality and outcomes.
Strong, ongoing IG programs in healthcare organizations can help harness the power
of all the investments that have been made in technology and business process redesign,
and improve results for patients and other healthcare stakeholders. However, most health-
care organizations have scarce resources to execute their business strategies, and IG pro-
gram efforts must compete with other priorities. The business case must be made that
once embedded, a robust IG program can yield significant benefits in improving patient
care and outcomes, protecting privacy, assuring compliance, and preparing for and exe-
cuting litigation requests, while reducing the costs of these key business activities.

Conclusion
Where should healthcare organizations start? How do they embark on an IG program?
First, an assessment of the current state of the organization’s information handling pro-
cesses should be conducted, including an information inventory of all information assets
56 / CH AP T ER 2

and the creation of a data map. A data map shows where information is stored, and may
include diagrams of information inflows and outflows. It is particularly helpful in identifying
where sensitive data resides, including PHI, PII, and credit card information (PCI). Once
identified and located, measures such as applying encryption can be implemented to bet-
ter secure and control information.
When making the case for launching an IG program, practitioners must highlight the
positive and demonstrate that improved patient outcomes, reduced legal risk, and lower
cost structures are possible. They must also emphasize the business risks of indecision
by showing the impact of data breaches and information loss which occur almost daily. A
survey of 5,000 US consumers by security firm Carbon Black showed that over two-thirds
of those surveyed would consider leaving their healthcare provider if it were the target
of a ransomware attack.50 So there can be real financial consequences if management in
healthcare organizations does not take proactive steps to implement IG programs.
Healthcare organizations cannot afford to wait any longer; continued procrastination
will only compound the problem and expose the organization to undue business and legal
risk. And it is management that will ultimately be held accountable.

NOTES
1. “What is Information Governance?” Information Architecture Inc. (blog), accessed August 29, 2017,
www.informationarchitected.com/blog/what-is-information-governance/.
2. Iron Mountain, “The IG Initiative Definition of Information Governance,” accessed August 28,
2017, www.ironmountain.com/Knowledge-Center/Reference-Library/View-by-Document-Type/
General-Articles/T/The-IG-Initiative-Definition-of-Information-Governance.aspx.
3. ARMA International, Glossary of Records Management and Information Governance Terms, 5th
ed. (ARMA TR 22-2016) (Overland Park, KS: ARMA International, 2016), 43.
4. International Organization for Standardization (ISO), ISO 15489-1, 2nd edition 4-15-2016
Information and documentation—Records management—Part 1: Concepts and Principles
(Geneva: ISO, 2016), 2.
5. Richard Pearce-Moses, s.v. “information,” Glossary of Archival and Records Terminology,
American Society of Archivists, accessed August 29, 2017, www2.archivists.org/glossary/terms/i/
information.
6. Oxford Dictionaries Online, s.v. “information,” accessed August 29, 2017,
https://en.oxforddictionaries.com/definition/information.
7. Keith D. Foote, “Data Governance and Information Governance: Contemporary Solutions,
“DATAVERSITY, September 13, 2016, www.dataversity.net/data-governance-information
-governance-contemporary-solutions/.
8. ISO 15489-1, 2nd edition, 3.
9. Glossary of Archival and Records Terminology, s.v. “document,” accessed August 29, 2017,
www2.archivists.org/glossary/terms/d/document.
10. Chad Brooks, “Document Management Systems: A Buyers Guide,” Business News Daily, January 19,
2017, www.businessnewsdaily.com/8026-choosing-a-document-management-system.html.
11. Christine Taylor, “Structured vs. Unstructured Data,” Datamation, August 3, 2017,
www.datamation.com/big-data/structured-vs-unstructured-data.html.
12. Merriam-Webster Online, s.v. “information,” accessed August 29, 2017,
http://unabridged.merriam-webster.com/unabridged/information.
13. SearchStorage, s.v. “information life cycle management,” last modified September 2005,
http://search storage.techtarget.com/definition/information-life-cycle-management.
 BU I LDI NG AN I N F OR MATI O N G OV E R N AN C E PR OG R A M ON A S O LI D R I M F O U N DATI O N / 57

14. Modeling Cross-Domain Task Force, “Appendix 16: Overview of the Records Continuum Concept,”
in International Research on Permanent Authentic Records in Electronic Systems (InterPARES) 2:
Experiential, Interactive and Dynamic Records, Luciana Duranti and Randy Preston, eds. (Padova,
Italy: Associazione Nazionale Archivistica Italiana, 2008),
www.interpares.org/display_file.cfm?doc=ip2_book_appendix_16.pdf.
15. Karen A. Hobert, Gavin Tay, and Joe Mariano, “Magic Quadrant for Enterprise Content
Management,” October 26, 2016, Gartner, https://www.gartner.com/doc/reprints?id=1
–3KZPGDB&ct=161031&st=sb.
16. Venus Tamturk, “Hyland Completes Acquisition of Lexmark’s Perceptive Business,”
CMS Connected, July 12, 2017, www.cms-connected.com/news-Archive/July-2017/Hyland
-Completes-Acquisition-of-Lexmark-s-Enterprise-Content-Management-Unit-Perceptive.
17. Glossary, s.v. “What is Enterprise Content Management (ECM)?” Association for Information and
Image Management (AIIM), accessed September 1, 2017, www.aiim.org/What-is-ECM
-Enterprise-Content-Management#.
18. “What is Enterprise Content Management (ECM) Software?” Gartner Peer Insights,
accessed September 1, 2017, https://www.gartner.com/reviews/market/enterprise-content
-management.
19. Hobert, Tay, and Mariano, “Magic Quadrant for Enterprise Content Management.”
20. John Mancini, The Next Wave: Moving from ECM to Intelligent Information Management
Association for Information and Image Management (AIIM), 2017, accessed August 27, 2017,
www.aiim.org.
21. Michael Woodbridge, “The Death of ECM and Birth of Content Services,” Gartner Blog Network
January 5, 2017, http://blogs.gartner.com/michael-woodbridge/the-death-of-ecm-and-birth-of
-content-services/.
22. Ibid.
23. Ibid.
24. Mancini, “The Next Wave.”
25. Ibid.
26. National Archives and Records Administration (NARA), “Fast Track Products,”
accessed September 1, 2017, www.archives.gov/records-mgmt/policy/prod6a.html.
27. Patricia Manning, “Competency Statement E (e-Portfolio Prepared in Partial Fulfillment
of MARA Degree),” unpublished essay, 2011.
28. For additional information, consult the updated Guide to Commonly Used National and
International Records Management Standards and Best Practices (2017) developed by Virginia
A. Jones, CRM, FAI. The guide is available at no cost from the ARMA International Education
Foundation website at http://armaedfoundation.org/research-reports/.
29. Joint Interoperability Test Command (JITC), “RMA Product Register,” accessed September 1, 2017,
http://jitc.fhu.disa.mil/projects/rma/reg.aspx.
30. “Model Requirements for the Management of Electronic Records,” (MoReq), “MoReq2010,” accessed
September 1, 2017, www.MoReq.info/. This site provides documents for download as well as
information on becoming a MoReq educator, translator, or test center.
31. If you are a member of a professional association and feel you can contribute to the development
of a standard, technical report, or guideline, consider becoming involved with your professional
organization’s standards development initiatives.
32. InsideBigData, “The Exponential Growth of Big Data,” February 16, 2017,
https://insidebigdata.com/2017/02/16/the-exponential-growth-of-data/.
33. Merriam-Webster Online, s.v. “regulation,” accessed September 1, 2017,
http://unabridged.merriam-webster.com/unabridged/regulation.
58 / CH AP T ER 2

34. Cornell University Law School, Federal Records Act of 1950, 44 USC § 2901 et seq.,
Legal Information Institute, accessed September 1, 2017, www.law.cornell.edu/uscode/html/
uscode44/usc_sup_01_44_10_29.html.
35. SearchCIO, Sarbanes-Oxley Act (SOX), accessed September 1, 2017, http://searchcio.tech target
.com/definition/Sarbanes-Oxley-Act.
36. Financial Industry Regulatory Authority (FINRA), “Regulatory Notice 17-18—Social Media
and Digital Communications: Guidance on Social Networking Websites and Business
Communications,” April 2017, https://www.finra.org/sites/default/files/notice_doc_file_ref/
Regulatory-Notice-17–18.pdf.
37. US Government Printing Office, Health Insurance Portability and Accountability Act of 1996, H.R.
104–191, 104th Cong. (1996), accessed September 1, 2017, www.gpo.gov/fdsys/pkg/PLAW
-104pub1191/content-detail.html.
38. Cornell University Law School, “Electronic Signatures in Global and National Commerce,” 15 USC
§ 96, Legal Information Institute, accessed September 1, 2017, www.law.cornell.edu/uscode/15/
usc_sup_01_15_10_96.html.
39. Arielle Castro, “E-Signature Market Update: What to Expect in 2017,” RPost (blog),
December 19, 2016, www.rpost.com/blog/e-signature-market-update-expect-2017/.
40. The Federal Rules of Civil Procedure can be viewed at www.law.cornell.edu/rules/frcp.
41. Olivia Gerroll, “Rule 1, 16, 26, 34, 37: FRCP Amendments Pertaining to eDiscovery,” D4, March 9,
2016, http://d4discovery.com/discover-more/2016/3/the-2015-amendments-to-the-frcp-that
-pertain-to-ediscovery#sthash.ppDeMjR1.dpbs.
42. JDSUPRA, “Court Approves Defendant’s Proposed Sampling Production Plan: eDiscovery Case
Law, May 5, 2017, www.jdsupra.com/legalNews/court-approves-defendant-s-proposed-42450/.
43. Sedona Conference, “The Sedona Conference Commentary on Proportionality in Electronic
Discovery,” The Sedona Conference Journal 18 (May 2017), 141–76.
44. SearchStorage.co.UK, U.K. Data Protection Act 1998 (DPA 1998), last modified January 2008,
http://searchstorage.techtarget.co.uk/definition/Data-Protection-Act-1998.
45. European Union, Directive 95/46/EC of the European Parliament and of the Council on the
Protection of Individuals with Regard to the Processing of Personal Data and on the Free
Movement of Such Data, October 24, 1995.
46. AHIMA. “Information Governance Glossary.” accessed April 26, 2018, www.ahima.org/topics/
infogovernance/ig-glossary.
47. Dan Munro, “U.S. Healthcare Ranked Dead Last Compared to 10 Other Countries,” Forbes/Pharma
& Healthcare, June 16, 2014, https://www.forbes.com/sites/danmunro/2014/06/16/
u-s-healthcare-ranked-dead-last-compared-to-10-other-countries/#89ab65a576fd.
48. Jen Christensen and Elizabeth Cohen, “Medical Errors May Be Third Leading Cause of Death
in the U.S,” CNN, May 4, 2016.
49. Jessica Davis, “7 Largest Data Breaches of 2015,” Healthcare IT News, December 11, 2017;
Cameron F. Kerry, “Lessons from the New Threat Environment from SONY, Anthem and ISIS,”
Brookings, March 26, 2015, https://www.brookings.edu/blog/techtank/2015/03/26/lessons
-from-the-new-threat-environment-from-sony-anthem-and-isis; “Major 2016 Healthcare Data
Breaches: Mid-Year Summary,” HIPPA Journal, July 11, 2016, https://www.hipaajournal.com/
major-2016-healthcare-data-breaches-mid-year-summary-3499.
50. Viscuso, Michael, “Ransom-Aware: Carbon Black Survey Finds 7 of 10 Consumers Would Consider
Leaving a Business Hit by Ransomware,” Carbon Black, May 25, 2017, https://www.carbonblack
.com/2017/05/25/ransom-aware-survey-finds-7-of-10-consumers-would-consider-leaving-a
-business-hit-by-ransomware/.
 CHAPTER 3

Records and Information Creation

and Capture, Classification, and
File Plan Development

INTRODUCTION

In 2025, the world will create and replicate 163 zettabytes (ZB) of data, a tenfold increase
over 2016. IDC (International Data Corporation) categorizes this data into four types:

• Entertainment: Image and video content created or consumed for

entertainment purposes.
• Non-entertainment image/video: Image and video content for non-
entertainment purposes, such as video surveillance footage or advertising.
• Productivity data: Traditional productivity-driven data such as files on PCs
and servers, log files, and metadata.
• Embedded: Data created by embedded devices, machine-to-machine, and
IoT.1

Much of digital data (embedded data) is created automatically and is ephemeral (transitory)
in nature. In the world of information management, transient data are created within an
application session. It passes quickly into and out of existence producing results beyond
itself. At the end of the session, it is discarded or reset back to its default and not stored in
a database.2 Transitory digital data should not be confused with transitory records. Transi-
tory records are those only needed for a short time. They can be used or acted upon and then
destroyed. They do not contain information that will be needed in the future. In this chap-
ter, we’ll deal specifically with records and information that result from business activities
(productivity data) conducted using some of the many systems, components, networks,
applications, and services employed by users at home and at work.
When discussing records and information creation and capture, it is necessary to
consider storage issues, which influence our attitude toward creation. The use of public,
private, and hybrid cloud storage environments continues to grow. Organizations that
have invested heavily in their own data centers will continue to support them for some
time, especially for storage of sensitive data, while making a gradual move to the cloud.
Hard disk drives, NAND flash storage (as well as emerging storage technologies similar
to flash) are used in data centers, as are tape and optical storage for data less frequently
accessed.

/ 59 /
60 / CH AP T ER 3

The core technology for data storage, especially magnetic disks, has progressed rapidly.
According to IBM scientists, who in 2017 set a new world record in tape storage, “tape stor-
age is still considered the most secure, energy efficient and cost-effective solution for stor-
ing enormous amounts of back-up and archival data, as well as for new applications such
as Big Data and cloud computing.” The new product has a potential to record 330 terabytes
(TB) of uncompressed data (the equivalent of 330 million books) on a single tape cartridge
that fits in the palm of your hand.3
Although great strides have been made in the area of data storage technology, additional
research and development are needed to address, among other issues, the lack of standards
for software (e.g., proprietary word processing formats); systems requirements needed to
support data privacy, access limitations, and retention requirements; and the development
of sustainable economic models to support data access and preservation over the long term.

RECORDS AND INFORMATION CREATION AND CAPTURE

Records are a subset of information created and captured as evidence of business decisions,
actions, or transactions. All records, including business email and other electronic records,
created or received, should be managed. Regardless of the methods used to create and cap-
ture records (manual or automated process), users sometimes have difficulty identifying a
record. The fact that there is no universal definition of a record contributes to the confu-
sion. Many believe it is time to move beyond the need to define a record and manage all
information based on its value to the organization.

Creating Records

Information is a valuable business asset that can help an organization achieve its goals by
supporting business activity; examples include data sets and technical manuals. Informa-
tion, though, is not evidence of an activity and is not a record unless it possesses these
additional characteristics:

• Authenticity: An authentic record can be proven to be what it purports to

be, created or sent by the person purported to have created or sent it, and
created or sent at the time purported.
• Reliability: A reliable record can be trusted as a full and accurate
representation of the transactions, activities, or facts to which it attests.
• Integrity: A complete and unaltered record is said to possess integrity.
• Usability: A usable record can be located, retrieved, presented, and
interpreted.

Records provide evidence of work activity and help the organization conduct its business in
an efficient and accountable manner.
At one time, organizations had limited tools with which to create records, and only a
few people within the organization had the authority to create records. In the mid-1950s,
for example, an executive would dictate a letter to a private secretary who would type infor-
mation onto paper for his signature as shown in figure 3.1.
Once signed, the original correspondence would be mailed to the intended recipient
and a copy would be filed in a file drawer. Office copiers were not necessary because the
 R E C OR DS AN D I N F OR MATION C R E ATION AN D CAP T U R E , C L A S SI FICATIO N , AN D FI LE PL AN DE V E LO PM E N T / 61

FIGURE 3.1 A secretary takes dictation on a typewriter, 1954.

SOURCE: Art Resource, NY. Photo: bpk, Bildagentur

secretary used carbon paper to make one or more duplicates on a thin, lightweight, strong
paper called onionskin at the same time that the original was typed. Access to the organiza-
tion’s official copy was limited. Therefore, privacy and security measures were less compli-
cated than they are today.
Advances in information technology changed the methods used to create and capture
records by making the job of the secretary easier through the introduction of electronic
typewriters and word processers and, eventually, by virtually eliminating the position of
secretary in most organizations.
Today, thanks to the introduction of computer and communications technology, net-
working, the World Wide Web, social media, cloud computing, the Internet of Things, and
more, records creation and capture are the work of all staff—or of no staff at all (e.g., sensors
and blockchain technologies). Therefore, recordkeeping must be considered integral to the
activities that promote the core mission of the business unit or organization and not as an
add-on. The extent of the tasks that must be performed by staff is, of course, impacted by
the degree of automation that can be applied.
62 / CH AP T ER 3

Recognizing the value in information that does not fit the definition of a record, the
National Archives of Australia explains that good information and records management
allow employees, contractors, and consultants to properly manage both information and
records to:

• find documents or information when needed,

• reuse work that the individual or someone else has done in the past,
• find the most recent version of a document,
• show evidence of why a particular decision was made and by whom, and
• protect themselves, their clients, the public and the Australian
Government.4

Knowing what records to create involves:

• using work process analysis to identify the records needed to document

business or work processes;
• understanding the legal and regulatory requirements that impact the
organization, including internal policies, procedures, and directives; and
• assessing the risks of failing to create records.

Records creation and capture can be integrated into business rules for workflow and trans-
action systems. Records can also be created as a deliberate action after the event, such as
documenting the minutes of a meeting from recordings made during the meeting.

Capturing Records

In records management terms, capturing a record means ensuring that the record—for
example, a receipt, contract, or directive—becomes fixed so that it cannot be altered or
deleted. This is different from the use of the term capture to denote the process of collecting
information and delivering it into business applications and databases for further action.
Dynamic records—such as those created as the result of a comment on a blog, a post to
a social networking site, or an entry on a wiki site—pose unique challenges because the
information may be both captured for further action and deemed a record that must be
preserved in an unalterable state.
Records are captured by a records system if they meet certain business, legal, or other
requirements identified through appraisal. Capture involves the:

• assignment of a unique identifier (either machine-generated and readable,

or human readable);
• capture or generation of metadata about the record at the point of capture; and
• creation of relationships between the record and other records, agents, or
business.5

These goals can be accomplished through the use of explicit metadata persistently linked
with the record (i.e., embedded in, attached to, or associated with the specific record).
Have you thought about the correlation between the legalization of marijuana and the
growth in volume of physical records? If you worked in the County of Denver, this would
 R E C OR DS AN D I N F OR MATION C R E ATION AN D CAP T U R E , C L A S SI FICATIO N , AN D FI LE PL AN DE V E LO PM E N T / 63

have been on your mind even before the sale of marijuana was approved. The County faced
the challenge of capturing and managing a backlog of paper documents and developing a
process to implement scanning into a document management system going forward. The
process used to manage the deluge is described in the TAB Success Story.

TAB Success Story: How the City and County

of Denver handled an unprecedented surge in retail
marijuana license applications.

I n October 2013, the City and County of Denver’s Department of Excise and Licenses
began accepting licenses for retail marijuana sales. Applications grew to ten times the
normal volume in just a few months. Turnaround time and, therefore, customer service
suffered. Two problems needed to be resolved: (1) how to handle the backlog and (2)
redesign of the business process to accommodate the “new normal.” The process involved
seventeen different documents for each application, including insurance and background
checks. The backlog alone consisted of over 2,000,000 documents—all paper. Tab’s
FutureRMS app (see tab.com) was employed to provide the expertise needed to manage
the situation. Records management best practices for physical collections were imple-
mented to handle the backlog, resulting in placing documents in proper file folders or
pocket folders in their correct locations on shelves and creating an inventory listing of
all folders and pockets. The process going forward involves scanning physical records,
mapping workflows in a document management system, and implementing a day-forward
scanning process.
SOURCE: www.tab.com/resources/case-studies/project-spotlight-retail-marijuana-licensing-city-county-denver/
Copyright © 2018, TAB

Records Capture Methods

Records capture can occur manually after creation if using a paper-based filing system (e.g.,
by printing and filing an email message). Records can be captured automatically at the time
of creation, if an electronic system is used. For example, records can be captured upon
receipt of physical documents (as in the case of marijuana license applications) by scanning
into an electronic system. Capture can be accomplished by automatic transfer of email to an
archive server (repository) based on keywords or metadata such as sender, recipient, date,
and terms found in the subject line or text of the message. Records on third-party systems
used for outreach, such as blogs, may be captured upon creation if the content is static in
nature or after creation if the content is dynamic. Table 3.1 lists some of the ways that an
organization can capture content.
Social media tools present unique challenges to the organization. Pressured by consum-
ers and enterprises alike, sites such as Facebook provide tools to allow the user to down-
load information. Competition also spurs social networking providers to innovate. In an
attempt to distinguish itself from other social networking sites, Google+ offers a number of
64 / CH AP T ER 3

TABLE 3.1 Records can be captured either manually or automatically

by the employee, the organization, or a third-party.

PAPER-BASED FILING ELECTRONIC THIRD-PARTY

SYSTEM SYSTEM SYSTEM
Printing an electronic Registering an electronic Contracting with a cloud-
document (e.g., an email) to document in an electronic based service provider
place in a file folder housed in records management system (e.g., Smarsh) to harvest (or
a file cabinet (manual) accept transfer of) and store
electronic content for the
organization

Making a photocopy of an Entering data into an Using a web crawler (e.g.,

original document sent by electronic system, which then Internet Archives’ Heritrix) to
your organization and placing saves the data automatically collect digital objects over the
it in a file folder Internet

Receiving a physical copy of a Scanning and digitizing an old Use tools provided by third-
signed contract and placing it photo to store in an electronic party sites to download your
in a fireproof vault records management system data (e.g., download all data
stored within Google products
with the use of Google
Takeout)

ways to export data, including a feature called Google Takeout. Google Takeout, also avail-
able as a stand-alone service, allows users to export contacts, photos, profiles, and streams
of posts with a single click. In addition, data can be downloaded from a number of other
Google products, including Blogger, Calendar, Google Drive, Gmail, and YouTube.6 Exam-
ples of methods currently employed to capture and manage social media records will be
presented in chapter 7.
One estimate claims that 77 percent of the American population owns a smartphone
and more than 85 percent of physicians and practices use mobile devices daily. The use of
these devices and medical software applications is known as mHealth, or mobile health-
care.7 Software applications for mobile devices are available, and data created by physicians,
healthcare professionals, and patients using those devices must be captured as well.
By the time you read this text, the technology landscape will have changed. Scan the
horizon not only for new technologies but also for vendors who provide software solutions
that make it easier to capture records created through those technologies.
Because information creation and capture is the work of all staff to some extent, the
organization must provide its employees with these tools:

• policies, procedures, and guidelines

• effective information technology systems
• records management compliance program
• staff training
 R E C OR DS AN D I N F OR MATION C R E ATION AN D CAP T U R E , C L A S SI FICATIO N , AN D FI LE PL AN DE V E LO PM E N T / 65

Mobile Records Management

N ot only are mobile devices used to create records—they can also be used to track,
organize, and manage information. Some of the ways in which Tab’s Fusion RMS
mobile app is used for records management are:

• accessing documents using a meta-tag search feature

• documenting file transfers to update the chain-of-custody of physical files
• reading barcodes using the built-in camera on the smartphone or tablet
(see http://fusionrms.tab.com/what-is-mobile-records-management/).

CONTROLLED LANGUAGE AND RECORDS CLASSIFICATION

Once records are created and captured, they must be managed in a way that allows the
right record to be located at the right time and in a usable form. Non-records can also have
evidentiary or informational value for the organization, so decisions must be made that
relate to the management of all information of value. Traditionally, controlled language was
developed to identify terms used for titling or indexing records. Those terms were incor-
porated into a thesaurus used to classify records (grouped together under a specific label)
or to select indexing terms for the record. These terms were used for broad subject areas
and were not closely related to business functions. More recently, classification has gone
beyond developing an alphabetical listing of terms for indexing and grouping to developing
a functional classification scheme based on an organization’s business functions, activities,
and transactions.

Controlled Language

Controlled language, also called controlled vocabulary, is a way to organize information in “an
agreed-upon use of language in a predetermined or predictable way for description of orga-
nizational information resources, regardless of the format of the resource (media neutral).”8
Several controlled language (vocabulary) tools are available, including an index, a glos-
sary, a folksonomy, a taxonomy, a thesaurus, and an ontology. When placed on a semantic
richness continuum, they appear as shown in figure 3.2.

• An index is an ordered list of controlled language terms that points to the

location of information related to each term.9
• A glossary, also known as a vocabulary, is an alphabetical list of terms in a
domain of knowledge with the definitions for those terms.10
• A folksonomy, a contraction of the words folk (person) and taxonomy, is an
[unstructured] system of classification that makes use of terms that occur
naturally in the language of users of the system.11
• A taxonomy is a subject-based classification scheme used to arrange terms
in a controlled vocabulary into a hierarchical structure that shows parent-
66 / CH AP T ER 3

FIGURE 3.2 Semantic richness of controlled language facilitates search and retrieval.

child relationships. In a simple taxonomy, each item being classified fits

into just one place in the taxonomy, with a single parent and any number of
children.12
• A thesaurus is a controlled vocabulary of terms arranged in a structured
order and with relationships between terms indicated with standardized
designations that are used to aid document indexing and searching.13 The
following are examples of properties describing subjects:

° BT (broader term) refers to a term above a given term in a hierarchy that

is wider in scope or less specific in meaning (e.g., BT = reading materials).
° NT (narrower term) refers to a term below a given term in a hierarchy
that is narrower in scope or more specific in meaning (e.g., NT = volume).
° USE (preferred term) refers to another, synonymous term that should be
used instead of the given term (e.g., USE = book).
° RT (related term) refers to a term related to the given term that is neither
a synonym nor a broader term (e.g., RT = leisure reading).
• An ontology is a working model of entities and interactions in some domain
of knowledge or practice, such as transportation.

In 1993, Stanford University artificial intelligence specialist Tom Gruber described ontol-
ogy as “the specification of conceptualizations used to help programs and humans share
 R E C OR DS AN D I N F OR MATION C R E ATION AN D CAP T U R E , C L A S SI FICATIO N , AN D FI LE PL AN DE V E LO PM E N T / 67

knowledge.”14 This is accomplished using a set of concepts—classes (or sets), attributes (or
properties), and relationships (or relations among class members)—that are specified in
some way to create an agreed-upon vocabulary for exchanging information.
Two terms in figure 3.2 represent related but dissimilar concepts:

• Metadata is information about an asset beyond the file name. It is an

attribute or element that helps define an “object” (e.g., document, database,
image, or presentation). It can be used as a finding aid, but it is not a system
of classification. Tools like thesauri provide statements about “subjects”
used in classification. Subject-based classification uses subjects in metadata.
• Topic maps combine classification and metadata. They are organized
around topics (subjects). But, because a subject can be anything, we can
use objects described by metadata as a special kind of subject. This allows
us to create a subject for those objects, such as document. We can express
the metadata describing the new subject (document-object) using names
(e.g., authors), occurrences (e.g., events/activities), and associations (e.g.,
employee).

Let us now turn our attention now to the ways in which classification systems are used in
the business environment.

Classification and Filing Systems

Classification is defined as the organization of materials into categories according to a

scheme that identifies, distinguishes, and relates the categories.15 Classification systems can
be used to impose some kind of order on the chaos that results from the growth of informa-
tion by grouping like objects together. Remember the clay tokens used in Mesopotamia in
4000 BCE that were discussed in chapter 1? Some of the engraved symbols represented not
only the quantity, but also the type, of animal. The symbols representing different types of
animals comprised a form of classification scheme.
There are many different classification schemes, but we’ll cover just a few in this chap-
ter. In the first half of the twentieth century, manual filing systems tamed the chaos that
arose from the growth of records attributed to the typewriter. Paper files were most often
organized according to one of these filing methods: alphabetic, numeric, geographic, sub-
ject, and chronological. Many organizations must still deal with their legacy paper docu-
ments. Although that is changing, change takes time. For example, in 2012, the Executive
Office of the President released the Managing Government Records Directive, which required
federal agencies to manage both permanent and temporary email records in an accessible
electronic format by 2016 and to manage all permanent electronic records in an electronic
format by 2019.16 By 2017, progress toward these goals had been made, but there was still a
need for improvement according to the Federal Agency Records Management Annual Report
for 2016.17
In the 1960s, the emergence of mainframe computers brought about the desire to com-
puterize filing systems. At the same time, text indexing systems and sophisticated search al-
gorithms came into use to classify and locate data. Don’t allow the focus on digital informa-
tion to lead you to dismiss simple classification schemes completely. The alphabetic scheme
used to organize and classify paper records can be used to control digital records as well.
68 / CH AP T ER 3

Alphabetic, Subject, and Numeric Filing

Although digital records may be created by employees using devices such as computers,
smartphones, and iPads, at least some of those businesses have paper files. A visit to the
dentist’s office underscored this fact for me. A patient scheduling system allowed for com-
puterized scheduling of appointments, but copies of dental charts, insurance forms, and
even X-rays were placed into paper file folders on open shelving.

Alphabetic Filing System

A system in which files and documents are arranged in alphabetic order from A to Z is
known as an alphabetic filing system.18 It’s an easy and effective organizational system that
has one primary goal—fast retrieval of important documents. Records stored as hard copies
are often filed alphabetically (see figure 3.3). Computer files can also be organized alphabet-
ically into folders labeled with the letters of the alphabet.
Setting up an alphabetic filing system using system folders is one option for organizing
client files. We often see this system in small law offices, where a simple folder structure
based on client names stored alphabetically is created on a shared drive. The client folders
may be subdivided into folders based on the subject of the contents, such as correspon-
dence, deposition, and evidence. Access to the shared folders is provided on an as-needed
basis for attorneys, paralegals, and other support staff. Without the benefit of document
management, enterprise content management, and/or records management software, this
may be the best option.

Subject Filing System

A subject filing system is one in which each document relates to a specific subject matter
and is arranged in alphabetical order by subject.19 In a document-based system, subject
filing requires someone to analyze each
document to determine the subject.
Cross-referencing is required if more
than one subject is contained within the
same document.
Many small, local governments use a
subject filing system that is arranged al-
phabetically. The categories are arranged
according to the types of activities taking
place, and each category usually con-
tains several subcategories. The state of
North Dakota’s Information Technology
Department (IDT) provides guidance on
the effective management of electronic
records. This guidance includes the rec-
FIGURE 3.3 Alphabetic filing guides ommendation that each state agency de-
reduce filing and location time by velop a standard naming convention for
subdividing a file drawer. electronic documents based on its pro-
Courtesy of the Smead Manufacturing Company,
gram needs, but that they should consid-
www.smead.com/. er using the State’s Subject Classification
 R E C OR DS AN D I N F OR MATION C R E ATION AN D CAP T U R E , C L A S SI FICATIO N , AN D FI LE PL AN DE V E LO PM E N T / 69

TABLE 3.2 Examples of categories included in North Dakota

Subject Classification System.

# CODE SUBJECT DEFINITION

01 (ACT) ACCOUNTING All functions involved in a financial transaction.

Information concerning organizations outside

14 (AOC) ASSOCIATIONS of the department (corporate data, membership
rosters, institutes, trade groups).

CONTRACTS/ LEASES/ Information or documents regarding office

30 (C/L/A)
AGREEMENTS agreements, leases, and contracts.

Any information relating to personnel of the

60 (PER) PERSONNEL
agency.

Records relating to operating safety

requirements, precautions, protection from
75 (SA) SAFETY/SECURITY
damages, risk, injury, and reports pertaining to
safety.

SOURCE: North Dakota State Government, ITD, “Electronic Records Management Guidelines,” revised July 10, 2017,
https://www.nd.gov/itd/standards/electronic-records-management-guidelines.

System when creating directories and subdirectories. Five of the thirty-one subjects are
shown in table 3.2.

Numeric Filing System

A numeric filing system is any classification system designed to arrange records based on
numbers that are assigned or taken directly from a record (e.g., a purchase order). Decimal
numeric filing arrangements are the most commonly used numeric filing method, and the
best-known system of this type is the Dewey Decimal Classification System (DDC) devel-
oped for libraries in the late 1800s; the current version, DDC 23, was released in 2011. DDC
specifies ten main classes divided into ten subclasses, which are further divided into ten sub-
divisions. A code known as a numeric call number is assigned to each book or other resource
based on where the content falls within the taxonomy. WebDewey, an online version of DDC,
provides access to the DDC 23 database including automatic updates to the system.

Other Options for Libraries

At the turn of the twentieth century, the Library of Congress developed its own classifica-
tion system to categorize books and other items. It has twenty-one subject categories.
In keeping with the move away from print materials, the LC no longer provides print
publications. However, a web-based subscription service, Classification Web, features the
entire Library of Congress Classification System and complete Library of Congress Subject
Headings (LCSH) and Name Headings for a fee. The Classification Web is updated daily,
and a free trial is available through the LC website.20
70 / CH AP T ER 3

Example of a Numeric Filing System

The Dewey Decimal System has ten main classes:

000 Computer Science, information and general works

100 Philosophies and psychology
200 Religion
300 Social sciences
400 Language
500 Science
600 Technology
700 Arts and recreation
800 Literature
900 History and geography
SOURCE: OCLC, “Dewey Decimal Classification Summaries,” accessed May 12, 2018,
https://www.oclc.org/en/dewey/features/summaries.html#hi.

Determining what classification system is best for users is not an easy task. The Ran-
dolph C. Watson Library at Kilgore College provides a table to help those familiar with the
DDC understand where to find the material they are seeking under the LCSH; for example,
Dewey Subject Area 160 Logic translates to BC Logic for the LC Subject area. However, 070
Journalism, Publishing, News media translates to AN Newspapers in LC Subject area.21
Some librarians unhappy with the weaknesses of both the Dewey Decimal System and
the Library of Congress Classification System began as early as 2007 to use a simplified
subject-based taxonomy similar to the classification system found in bookstores.22 Works
classified according to the BISAC (Book Industry Standards and Communications) Subject
Heading list enhance the browsing experience of patrons unfamiliar with both the Dewey
Decimal System and the Library of Congress Classification System.23 An example of a BI-
SAC subject heading with additional subheadings (more specific headings) is:24
LC0002000 LITERARY COLLECTIONS / American / General.

Dewey Services, provided through OCLC, discontinued mapping between DDC and LCSH
in 2006 in order to divert resources to a project to add DDC numbers to the authority
records for BISAC subject headings.

Chronological and Geographic Filing Systems

A chronological filing system is arranged by date and can be used to organize business records
such as invoices, purchase orders, and bills of lading. If using a file folder, the newest records
go in the front. If using a computer, a field to hold the date of the transaction is included in
order to allow the software to find the date in question and retrieve the appropriate docu-
ment. If more than one document has the same date, a search is conducted on a secondary
field as well. This system is most useful for small files and records with a short life span so
that older files can be purged to make room for more recent records.
 R E C OR DS AN D I N F OR MATION C R E ATION AN D CAP T U R E , C L A S SI FICATIO N , AN D FI LE PL AN DE V E LO PM E N T / 71

Library of Congress Classification Outline

The Library of Congress Classification Scheme includes twenty-one categories:

A General Works
B Philosophy, Psychology, Religion
C Auxiliary Sciences of History
D World History and History of Europe, Asia, Africa, Australia, New Zealand, etc.
E History of the Americas
F History of the Americas
G Geography, Anthropology, Recreation
H Social Sciences
J Political Science
K Law
L Education
M Music and Books on Music
N Fine Arts
P Language and Literature
Q Science
R Medicine
S Agriculture
T Technology
U Military Science
V Naval Science
Z Bibliography, Library Science, Information Resources (General)
SOURCE: Library of Congress, “Library of Congress Classification Outline,”
accessed May 12, 2018, www.loc.gov/catdir/cpso/lcco/.

A geographic filing system classifies records according to geographic location. The Stan-
dard Geographical Classification (SGC) is Statistics Canada’s official classification system
for geographic areas in Canada. SGC 2016 provides standard names and codes for the geo-
graphical regions of Canada (Level 1), followed by provinces and territories (Level 2), census
divisions (Level 3), and census subdivisions (Level 4).25

BUSINESS CLASSIFICATION SCHEMES

ISO 15489-1:2016 defines classification as the “systematic identification and/or arrange-

ment of business activities and/or records into categories according to logically structured
conventions, methods, and procedural rules.”26 Business classification is the process that
helps an organization describe, organize, and control information. Business classification
systems are built upon an analysis of the organization’s business activities. The business
72 / CH AP T ER 3

classification scheme is used to link records to their business context and is necessary to
capture full and accurate records.

Functional Classification Scheme

Since the release of ISO 15489 in 2001, classification based on organizational functions and
activities has been the preferred method to control information and records. Classification
by function is based on the context of a record’s creation and use rather than content alone.
Classification by function means classification according to why the record exists and not
what it is about (subject). Functions consist of activities, which consist of transactions.
The main functional high-level categories used in the example in figure 3.4 along with
the unique three-letter identifier for each are:

• Firm Administration (FRM) • Reference (REF)

• Sales and Marketing (MKT) • Human Resources (HUM)
• Finance Department (FIN) • Legal (LEG)
• Information Management (INF) • Operations (OPS)

FIGURE 3.4 Major headings of functional classification scheme derived

from records and information functional groups.
SOURCE: Unpublished report. Courtesy of MARA graduate C. J. Rodriguez.
 R E C OR DS AN D I N F OR MATION C R E ATION AN D CAP T U R E , C L A S SI FICATIO N , AN D FI LE PL AN DE V E LO PM E N T / 73

A functions-based classification system offers several benefits because it:

• provides an understanding of the relationship between the business and its

records;
• identifies records that should be created for their evidential value;
• identifies high-priority records that should be captured because of their
business value;
• facilitates retention decisions; and
• allows retention requirements to be determined at the point of creation.27

Records Classification Schemes

Records classification is the process followed to categorize or group records into retrieval
units. A records classification scheme is also referred to as a file plan. The records classifica-
tion scheme is a tool used to classify records
and other business information based on
the business activities that generate records.
It is derived directly from the organization’s
business classification scheme.
The records classification scheme is
often represented as a directory or folder
structure, especially in electronic records
management systems (as shown in figure 3.5)
and it can provide two, three, or sometimes
four levels. The hierarchical structure orders
or ranks function > activity > topic > subtopic.
When implemented within a business infor-
mation system, it controls the vocabulary
used, ensures consistency of information de-
scription, and facilitates the capture, titling,
retrieval, maintenance, and disposal of re-
cords and other information.
As with any hierarchical scheme, navi-
gational paths (such as links) exist between
related terms, but those paths are limited to
the relationships within the structure and
the terms used for classification. A second
classification tool, the functional thesaurus,
can be built from the same business classifi-
cation scheme, but the terms would be list-
ed in alphabetical order. FIGURE 3.5 Hierarchical representation
of a file plan for a human resources
function.
Auto-Classification
SOURCE: Don Lueders, “Introducing the SharePoint 2010

Auto-classification (automatic classification) Records Center,” SharePointRecordsManagement.com

(blog), May 2, 2010, http://sharepoint.recordsmanagement
is the “process of using electronic systems .com/2010/05/02/introducing-the-sharepoint-2010-records
to encode rules and apply them to records -cdener/. Courtesy of SharePointRecordsManagement.com.
74 / CH AP T ER 3

in order to categorize and sort them.28 Auto-classification software mines the content of
structured and unstructured data files, analyzes the content based on defined rules and
workflows, and categorizes the files based on metadata, words, or phrases. The categories
can be associated with retention schedules and security classifications. Documents can be
archived, disposed of, and even placed on legal hold based on the organization’s records
management policy. Auto-classification is becoming an important part of an organization’s
information governance strategy resulting in improvements in user productivity and sat-
isfaction. Grouping files based on categories or characteristic can aid in compliance and
reduce litigation risks. Employing auto-classification tools to search for the presence of PII
or other sensitive content can help protect the organization against data breaches and lower
eDiscovery costs.

INDEXING, CONTENT ANALYSIS, AND FILE PLAN DEVELOPMENT

The primary method used to create an index for records and information management has
evolved from humans analyzing and then indexing individual documents to computers that
scan large volumes of documents against controlled terms and indexing them automati-
cally. An analysis of the content of records can provide the controlled terms used in index-
ing. Simply put, content analysis is a term that can be applied to all examinations of message
content. The primary focus of content analysis, however, has expanded from conceptual
analysis of the content of a record to an analysis of the relationships between concepts. File
plan development also relies on content analysis to describe and categorize the content in
the enterprise that is or may become a record.

Indexing

Classification systems work because they follow predefined rules to ensure consistency.
ARMA International’s alphabetic filing rules establish an index order of units for personal
names that are indexed by surname and then first name followed by initial or middle name
as shown in table 3.3.
Numeric filing uses numbers directly from a record such as a purchase order number
or relies on the use of assigned numbers. In a straight-numeric filing system, purchase order
numbers would be the primary unit of indexing, and the purchase orders would be arranged
consecutively in ascending order.
In the functional classification system illustrated in figure 3.4, the sales and marketing
function is represented by the letters MKT and the legal function as LEG. The organiza-
tion could as easily have determined that each function should be represented numerically
instead, for example, Sales and Marketing as 10 and Legal as 20. If so, the numbers 10 and
20 would be the primary numbers; subdivisions would then be identified by appending a
second number, and so on. This is known as a duplex-numeric system because two or more
sets of codes are used.
The chronological filing system is a type of numeric arrangement, but dates are used
as indexing units. The most common order is year, month, day as in 2020-05-03 to denote
May 3, 2020, as specified in ISO 8601—Data elements and interchange formats—Information
interchange—Representation of dates and times. Under this system, the document with the
most current date is placed at the front of a physical file folder.29
 R E C OR DS AN D I N F OR MATION C R E ATION AN D CAP T U R E , C L A S SI FICATIO N , AN D FI LE PL AN DE V E LO PM E N T / 75

TABLE 3.3 Example of indexing order within an alphabetic filing system.

PERSONAL (FILE) NAME FIRST UNIT SECOND UNIT THIRD UNIT

Jane A. Doe Doe Jane A.

Jane Alexandra Doe Doe Jane Alexandra

An Introduction to Content Analysis

Content analysis (also called content analytics) is defined as a research tool used to deter-
mine the presence of certain words or concepts within texts and sets of texts.30 It is also
defined as a research technique for making replicable and valid inferences from texts (or
other meaningful matter) to the contexts of their use.31
Recently Big Data technologies have been recognized as tools that can add insight into
records and information an organization possesses. One example is IBM’s Watson Content
Analytics, which can collect and analyze both structured and unstructured content found
in databases, email, documents, websites, and more. The text analytics result in a search-
able index that can be queried to find and retrieve relevant documents from a ranked list
of results.32
As early as the 1930s, content analysis was used in military intelligence to analyze com-
munist propaganda and military speeches for themes by searching for the number of oc-
currences of particular words and phrases.33 Today content analysis is used in several fields,
including marketing and media studies, sociology and political science, and literature and
rhetoric. It can include visual documents as well as text, and the focus is on phrases and cat-
egories rather than simple words. Two categories of content analysis are conceptual analysis
and relational analysis.
The examination of text for the existence of certain words is an example of concep-
tual analysis. Text content analysis tools, for example, can provide statistics about the text
(written content)—such as word count, number of sentences, and reading ease—to help you
improve your writing. This type of tool is built into most word processing programs but also
exists as stand-alone software or services.
Some content analysis tools not only report the existence of certain words and phrases
but also perform tasks such as extracting metadata and hyperlinks, classifying documents,
and detecting language and encoding. This type of tool is particularly suited to information
retrieval and extraction projects and is an important part of text-mining tools.
Relational content analysis has been termed semantic analysis.34 It goes beyond determin-
ing the presence of concepts by looking for meaningful (semantic) relationships between
those concepts. In chapter 1, you were introduced to the Semantic Web that facilitates data
sharing and reuse across application, enterprise, and community boundaries. The Semantic
Web employs semantic ontologies (controlled vocabularies) to accomplish this task.
When we enter data into a database, the application controls the data. In order to re-
trieve the data, we look for the file in question and then open it in the appropriate appli-
cation. By contrast, the Semantic Web allows a person—or a machine—to start out in one
database and then move through other databases about the same topic seamlessly and ef-
fortlessly (see figure 3.6).
76 / CH AP T ER 3

FIGURE 3.6 The Semantic Web.

SOURCE: Eric Miller, “Weaving Meaning: An Overview of the Semantic Web.” World Wide Web Consortium,
November 20, 2004, https://www.w3.0rg/2004/Talks/1120-semweb-em/slide17–0.html.
Copyright © 2004 World Wide Web Consortium (Massachusetts Institute of Technology,
European Research Consortium for Informatics and Mathematics, Keio University).
All Rights Reserved. www.w3.0rg/Consortium/Legal/2002/copyright-documents-20021231.

Paypal’s Praveen Alavilli described the semantic world on the web as “one giant labeled,
directed multigraph of people, things, and relationships.”35 The term labeled refers to the use
of vocabularies and data formats that enable semantics on the web.
The terms Semantic Web and linked data have received much less attention in the last
few years due to the lack of easy-to-use tools to deal with large volumes of diverse data
and the quality and quantity of mappings between related data. This doesn’t mean that
the Semantic Web is no longer important—just not as an end in itself. Indications are the
Semantic Web and semantic technologies and techniques are being absorbed into the larger
artificial intelligence field.36

Content Analysis and File Plan Development

The terms content analysis and file plan are most often used to refer to elements of an elec-
tronic content or records management system. The file plan lists the records in the orga-
nization and describes how they are organized and maintained. There is more to file plan
development than one might think when looking at an image that represents a records clas-
sification hierarchy (file plan) as shown previously in figure 3.5. The file plan also describes,
for each type of record in the enterprise, where the records should be retained, the policies
that apply to them, how they need to be retained, how they should be disposed of, and who
is responsible for managing them. Procedures for amendments and additions must be doc-
umented, and responsibility for the control of the file plan (e.g., evaluating and updating)
must be assigned. It is wise to identify all regulatory, operational, and societal recordkeep-
ing requirements before completing the records classification scheme.
 R E C OR DS AN D I N F OR MATION C R E ATION AN D CAP T U R E , C L A S SI FICATIO N , AN D FI LE PL AN DE V E LO PM E N T / 77

RECORDS MANAGEMENT METADATA

Metadata for records, as described in the updated basic records management standard ISO
15489-1:2016, is “structured or semi-structured information, which enables the creation,
management, and use of records through time and within and across domains.”37 Records
management has always managed metadata. When dealing with paper records, metadata
such as author, subject, and title of records were implicit in the record and were used to
index records for filing. In the digital world, metadata needs to be explicitly documented
in order to describe the content, business context, structure (e.g., form and format), rela-
tionships with other records and other metadata; identifiers and other information needed
to retrieve and present the record; and the business actions and events that involved the
record throughout its existence.
Metadata are used to define a record at the point of capture so that it is fixed into the
business context and management control is established over it. It will continue to be ap-
plied throughout the record’s lifecycle, essentially documenting the record’s provenance
(i.e., origins, custody, and ownership). It ensures the authenticity, reliability, usability, and
integrity of the record and can be used as evidence of transactions and activities (see side-
bar, Production of ESI and Metadata for e-Discovery).
The metadata itself is considered a record and must be managed as such. It must be pro-
tected from loss, unauthorized deletion, and unauthorized access, and it must be retained
or destroyed according to the requirements identified during appraisal.38 Court opinions
continue to evolve regarding the evidential value of metadata and should be monitored.
The attention paid to this topic indicates that the organization will be at risk if it does not
capture and manage metadata along with the record.

Records Management Metadata Standards

The importance of creating, capturing, and managing metadata at every stage of a record’s
lifecycle is evident. But, which metadata? Records management standards and technical
reports were introduced in a sidebar in chapter 2. Let’s see how RIM standards apply to
managing metadata for records.
There are three specific international standards related to managing metadata for rec-
ords within the framework of ISO 15489:

• ISO 23081—Part 1: Principles

• ISO 23081—Part 2: Conceptual and Implementation Issues
• ISO 23081—Part 3: Self-Assessment Method

ISO 23081:1-2017—Part 1: Principles

First released in 2006, this international standard was updated in 2017. It sets the frame-
work for creating, managing, and using records management metadata and explains the
principles that govern them. It addresses the relevance of records management metadata in
business processes and the different roles and types of metadata that support business and
records management processes. As is the nature of standards, this document tells the reader
what to do but not how to do it. This standard makes clear that different perspectives on
records management metadata are possible and may coexist. They include:
78 / CH AP T ER 3

Production of Electrically Stored Information and

Metadata for e-Discovery

T he best answer to the question of whether a plaintiff can be compelled to produce

metadata is “that depends.” However, the following court cases indicate that it is best
to be prepared. Some courts are taking a favorable view on requests for electronically
stored information (ESI) with accompanying metadata.
In Morgan Hill Concerned Parents Association v. California Department of
Education, Magistrate Judge Allison Claire of the US District Court Eastern District
of California signed an order on February 1, 2017, ordering that the “Plaintiffs’ motion
to compel is GRANTED, as follows: Within thirty days, CDE shall produce all ESI in
native format with all metadata attached. Any ESI that has already been produced in
another format shall be reproduced in native format with all metadata attached .”*
“In Singh et al. v. Hancock Natural Resources Group, Inc. et. al., No. 15-1435 (E.D.
Cal., Dec. 29, 2016), California Magistrate Judge Jennifer L. Thurston granted the
defendants’ motion to compel (in part), ordering the plaintiffs to ‘produce all emails
and other documents sought by the defendants in the format demanded with the
accompanying metadata from the native computer.Ӡ
The Magistrate Judge in the US District Court, District of Connecticut, in Prezio
Health Inc. v. Schenk et. al., granted “in part the Plaintiff’s Motion to Compel to the
extent that an in camera review is ordered, which depending on the content of the
documents, may be followed by production of the metadata.” Defendants were
required to submit the requested documents to this Magistrate Judge’s Chambers on
or before September 4, 2015.‡
In 7-Eleven, Inc. v. Sodhi, Magistrate Judge Joel Schneider ordered that by March
1, 2015, “7-Eleven shall produce the requested metadata for the documents identified in
Plaintiff’s moving papers.” He also “ordered that the Order is entered without prejudice
to Plaintiff’s right to request additional metadata.”**
* Justia Dockets & Filings, “Morgan Hill Concerned Parents Association v. California Department of Education,
February 1, 2017, https://docs.justia.com/cases/federal/district-courts/california/caedce/2:2011cv03471/233488/287.
† Doug Austin, “Court Orders Plaintiff to Produce Emails with Original Metadata: eDiscovery Case Law,”
February 3, 2017, https://www.ediscovery.co/ediscoverydaily/electronic-discovery/court-orders-plaintiff-produce-
emails-original-metadata-ediscovery-case-law/.
‡ Justia Dockets & Filings, “Prezio Health Inc. v. Schenk et al.,” August 25, 2015, https://docs.justia.com/cases/
federal/district-courts/connecticut/ctdce/3:2013cv01463/102297/77.
** Justia Dockets & Filings, “7-ELEVEN, INC. v. SODHI, No. 3:2013cv03715 - Document 291 (D.N.J. 2015),”
modified March 18, 2015, https://law.justia.com/cases/federal/district-courts/new-jersey/njdce/3:2013cv03715/
290844/291.

• metadata that document the business perspective, where records

management supports business processes;
• metadata that document the records management perspective, where
metadata capture the characteristics of records and their context, and
support management over time; and
• metadata that document the use perspective within or outside the
records creating business context, where metadata enable the retrieval,
understandability, and interpretation of records.39
 R E C OR DS AN D I N F OR MATION C R E ATION AN D CAP T U R E , C L A S SI FICATIO N , AN D FI LE PL AN DE V E LO PM E N T / 79

ISO 23081-2:2009—Part 2 Conceptual and Implementation Issues

This technical specification supports Part 1 of the standard. It does not prescribe a specific
set of metadata elements, but it does identify generic types of metadata that fulfill the
requirements for managing records. No metadata schema is presented; organizations are
expected to select specific metadata to meet their own business requirements.
The phrase metadata for managing records as “structured or semi-structured informa-
tion that enables the creation, registration, classification, access, preservation and disposi-
tion of records through time and within and across domains” is defined in this document.40
Metadata for managing records describes the attributes of records to enable their manage-
ment and use or reuse. But the metadata also document the relationships between records
and the agents that make and use them and the events or circumstances in which the rec-
ords are made and used (relationships such as those illustrated in figure 3.7).
A metadata model for managing records groups metadata elements into six categories,
as shown in figure 3.7. Metadata elements are recommended for each of these six categories.
For example, the following elements are recommended description metadata:

• Title • Place
• Classification • Jurisdiction
• Abstract • External Identifiers

FIGURE 3.7 Metadata Model as described in ISO 23081-2:2009.

SOURCE: © ISO. This figure is adapted from ISO 23081-:2009 with permission of the American National Standards Institute
(ANSI) on behalf of the International Organization for Standardization (ISO). Copies of this standard may be purchased from
ANSI at http://webstore.ansi.org.
80 / CH AP T ER 3

A logical plan showing the relationships between all metadata elements identified,
called a metadata schema, must be created. The metadata schema incorporates a set of rules
to enable the management of metadata; for example, rules related to semantics (e.g., agree-
ment about the meaning of elements, such as author or title) and syntax (rules to convey
semantics and structure of the expression of the values).

ISO 23081-3:2011—Part 3: Self-Assessment Method

Part 3 provides guidance on conducting a self-assessment on records metadata created in
relation to the creation, capture, and control of records. It was designed to identify an orga-
nization’s current state of records metadata readiness and the risks associated with the cur-
rent state and to give direction on how to improve the organization’s readiness. The self-as-
sessment method considers two levels: the metadata framework level and the systems level.
The set of metadata framework criteria rates how well an organization has established
a framework to meet key recordkeeping metadata criteria. It addresses nine main criteria
independent of specific systems, such as metadata strategy, policies and rules, and metadata
structures, including schemas and encoding schemes. The set of twenty criteria for systems
and system-related projects includes criteria such as the implementation of metadata ele-
ments into systems and the management of the metadata process.

Developing a Records Management Metadata Schema

Developing a metadata schema for records management can be time-consuming. Although

organizations are expected to define their own metadata elements and schema, a good place
to start is by reviewing existing records management metadata standards and guidance. The
Government of Canada Records Management Metadata Standard (GC RMMS)41 defines
a records management metadata element set that outlines the metadata that should be
captured in records management systems used by federal government institutions. The
document declares and defines the semantics of a core set of metadata elements necessary
to ensure the authenticity, reliability, integrity, and usability of records as set forth in ISO
15489:2001 and ISO 23081. A companion document, the Government of Canada Records
Management Application Profile (GC RMAP), provides business rules for the use of each
element and the relationships among elements.42
Employees are the intended audience for the documents, in particular, information
management professionals (especially records managers), knowledge management profes-
sionals, metadata specialists who work in the records management domain, electronic doc-
ument and records management system (EDRMS) designers and developers, and informa-
tion technology staff responsible for supporting EDRMS.
The characteristics of the GC RMMS can be used as a guide for your own work:

• Metadata model: Determine the names of all of the elements to be used to

manage records and list them alphabetically. The GC RMMS has identified
fifty elements, such as title, creator, and description.
• Adopt existing metadata elements when possible. The GC RMMS has
adopted seven Dublin Core descriptive metadata elements: creator,
description, identifier, language, subject, title, and type.
• Determine the convention to be used to format the names of the declared
elements. The GC RMMS uses the following convention: lowerCamelCase.
 R E C OR DS AN D I N F OR MATION C R E ATION AN D CAP T U R E , C L A S SI FICATIO N , AN D FI LE PL AN DE V E LO PM E N T / 81

The character strings’ remaining element names must remain unchanged;

this is essential when translating a human readable GC RMMS
document into a machine-readable format (e.g., XML) and for ensuring
interoperability.
• Describe the attributes of each metadata element. For the seven Dublin
Core descriptive metadata elements, the attributes are name, URI, and
definition. For example, the metadata element Subject would be described
in this way:

ATTRIBUTE VALUE
Name Subject

URI http://purl.org/dc/elements/1.1/subject

Definition The topic of the content of the resource

• Describe the attributes of each metadata element created for the

organization. For example, the metadata element Disposition Action would
be described in this way:

ATTRIBUTE VALUE
Name dispositionAction

Definition The action that will be taken on the records or

file on expiry of its retention period

Value Domain Enumerated strings of text representing

disposition actions

Datatype Name String

Metadata are essential to ensuring that records and information will survive and con-
tinue to be accessible into the future. Records professionals should be prepared to work
with information managers and vendors to define metadata requirements, develop meta-
data policies and strategies, and monitor metadata creation.

SUMMARY

This chapter began with the statement, “In 2025, the world will create and replicate 163
ZB of data, a tenfold increase over 2016.” Estimates such as this are becoming meaningless
to most of us. But what we do understand is that the volume, velocity, and variety of data,
information, and records will continue to grow, and we must take a proactive approach to
govern it. This digital data can be divided into three categories:

• Transient data created within an application session and discarded or reset

to its default by the end of the session.
82 / CH AP T ER 3

• Transitory records needed for a short time that are used or acted upon and
then destroyed.
• Records that result from business activities that must be retained as
essential records to ensure business continuity or for administrative,
regulatory, fiscal, and historical purposes.

Records creation can occur in numerous ways using a variety of devices, including laptops,
iPads, smartphones, and smart appliances (e.g., refrigerators and automobiles).
Records capture ensures that the record is fixed (unalterable) as evidence of an activity
or event. Metadata are captured with the record and continue to accrue throughout its life-
cycle. The method of capture depends on the method of creation (e.g., email received, posts
on social networks, or data entered into database as the result of a business transaction) and
initial location of the information (e.g., enterprise system or third party).
Once records are identified and captured, they must be managed. Controlled language
and classification systems are used to impose order. Classification schemes range from
simple alphabetic and subject filing systems to business classification schemes and records
classification schemes (file plans). Before completing the records classification scheme, all
recordkeeping requirements, such as applicable regulations, must be identified. Auto-clas-
sification tools are becoming more prevalent and powerful.
Beyond content analysis, file plan development includes records description, policies,
retention and disposition requirements, and responsibility for controlling the file plan.
The key to managing electronic records is the use of metadata. Records management
has always managed metadata. When dealing with paper records, metadata were implicit
in the record, but in the digital world, metadata must be explicitly documented in order to
describe the content, context, and structure of records and their management through time
and within and across domains.
Before moving on to chapter 4, read the paradigm contributed by Peg Eusch, CRM. Peg
retired from her position as University Records Officer, University of Wisconsin—Madi-
son, on June 8, 2017. Within the University’s decentralized records management structure,
she served as the university-wide consultant providing advice and education. She reminds
us there is more than one way to view the concept of a file plan. As one of her last pro-
fessional activities, Peg agreed to share her unique approach to using the elements of file
plan development to train employees within the University’s decentralized records man-
agement structure.

PA R A D I G M

University Records Management File Plans

Peg Eusch, CRM
University Records Officer, University of Wisconsin–Madison

Introduction
The University of Wisconsin–Madison was founded in 1848. It comprises thirteen schools
and colleges, 21,796 faculty and staff, and 43,338 students. The UW–Madison Archives was
 R E C OR DS AN D I N F OR MATION C R E ATION AN D CAP T U R E , C L A S SI FICATIO N , AN D FI LE PL AN DE V E LO PM E N T / 83

founded in 1951. As a result of the changing needs and management of campus records,
the Records Management Program was founded in 1985. The Records Management Pro-
gram is housed in the University Archives and reports through the General Library System.
The UW-Madison University Records Management program is managed in accordance
with the UW Board of Regents Records Management Policy 3-2 and the Wisconsin Pub-
lic Records Board requirements for records management programs. The program follows
ISO 15489 for Records Management and ARMA International’s eight Generally Accepted
Recordkeeping Principles aka “The Principles” of Transparency, Availability, Compliance,
Accountability, Protection, Integrity, Retention and Disposition. The University Records
Management Advisory Group (URMAG) endorsed these principles in 2010.
Currently the Records Management Program is staffed by one full-time employee, the
University Records Officer. There were two Records Management Student Assistants for
2016–2017.
Records management is an essential part of all university employees’ daily activities.
University employees, at all levels, use, distribute, and retain university records from record
creation through disposition. University records are important assets in the operation of the
University and should be organized, accessed, and managed in accordance with records
management best practices, such as the Generally Accepted Recordkeeping Principles, in
all formats and media. An organized workplace is more conducive to creating new ideas
and improved efficiencies.
The University Records Manager/Officer plans, organizes, and directs activities of the
university’s Record Management Program by communicating record policies and industry
best practices for university records. There are many facets to the Records Management
Program that bring information value and reduce risk to the UW–Madison campus. The
University Records Officer serves on a variety of university committees across campus
that are concerned with records and information management issues and relies on the
University Records Management Advisory Group (URMAG) to support and give direction
to Records Management initiatives.

Problem Statement
Communication and training are an ongoing challenge in this decentralized environment
on campus for the University Records Officer. Consultation is a large part of the University
Records Officer responsibilities. During these visits, the Records Officer learned that when
an employee departs, the next employee coming into the position is unaware of what the
records management processes were and what types of records are created. This incon-
sistent management of records has the potential to lead to increased records control risks
and legal risks in the management of university records. The Records Officer has recom-
mended to the campus that there should be some kind of documentation to demonstrate
what the department or unit is doing with regard to the information it captures and main-
tains through the records lifecycle. One way to do this is through the use of a Records
Management File Plan for transparency in the records processes.

Approach Taken
A change in thought and approach came about because of a presentation on file plans
given in the fall of 2015 by one of our ARMA Milwaukee Chapter members, Herb Foster,
CRM. His presentation provided the basis and ideas for reevaluation and revamping the
84 / CH AP T ER 3

information being conveyed in presentations from the traditional “What Is Records Man-
agement?” to those on how employees could put records management into practice to
better manage the information that they create and store. Covering records management
through the elements in the file plan touches all areas and questions employees have and
underscores that records management is more than just retention. Some examples are:
what is a public record and non-record, records and email, records and digital imaging,
and retention and disposition. The file plan is used in a slightly different capacity than the
traditional concept of a file plan in a spreadsheet. The idea is to provide an outline and
understanding of records management concepts and also provide a way to apply these
concepts to practice on the university campus. The file plan also complies and integrates
with ARMA International’s Generally Accepted Recordkeeping Principles.

The University Records Management File Plan

The Records Management File Plan creates the road map for the management of records.
It is the Who, What, When, Where, Why, and How of managing records within the depart-
ment or unit. The university department or unit creates its own Records Management File
Plan to demonstrate how information is created and managed, where it is stored, and what
processes it is using. There are ten elements covered in the Record Management File Plan,
as shown in figure 3.8.

1. Document: What type of information does the department or unit create?

2. Record Organization: What filing structure and naming conventions are used to
manage the information?

FIGURE 3.8 Records Management File Plan elements.

Courtesy of Paradigm author, Peg Eusch, CRM.
 R E C OR DS AN D I N F OR MATION C R E ATION AN D CAP T U R E , C L A S SI FICATIO N , AN D FI LE PL AN DE V E LO PM E N T / 85

3. Compliance Requirements: Are there any legal or regulatory requirements that

need to be identified in complying with retention and the management of records?
4. Record Custodian: Is there a role that has been designated as responsible for the
department or units records?
5. Security Classification: Has there been appropriate security applied to the
information managed based on the categories Restricted, Sensitive, Internal or
Published/Public?
6. Access Permissions: Have the appropriate access permissions been evaluated
and been given?
7. Record Storage: Where are all the repositories where records are being used and
stored—in both electronic and paper formats?
8. Records Management Process: Is there transparent documentation of the records
processes and creation of the File Plan for each department or unit?
9. Records Retention: Is knowledge of where to find the university retention
schedules and department unique schedules and how long to maintain records
being shared?
10. Records Disposition: Does the department understand what events trigger the
retention schedule and the appropriate disposition?

This is covered through University training, which consists of the presentation given to
department and units as well as the job aid and file plan template for departments or units
to use to guide them through all ten elements.
The file plan is used for:

• training new employees in how records are managed within the

department/unit
• identifying records consistently
• retrieving records in a timely fashion
• disposing of records no longer needed
• meeting legal and organizational requirements
• providing transparency in how records are managed

Information on the Records Management File Plan can be found on the UW–Madison
Records Management website. (https://www.library.wisc.edu/archives/records-manage
ment/training/organizing-university-records-for-departments-and-units/.)

Conclusion
Incorporating records management into the File Plan presentation and guidance was
important to show how records management is used and to make the concepts easier for
employees to understand. The information has been well received and provides options
for improved recordkeeping and for opening the discussion of records management chal-
lenges.

Next Steps
The UW–Madison Records Management Program will continue to educate employees
regarding their responsibility for management of records and best practices. The Records
86 / CH AP T ER 3

File Plan is just one of many record concepts and issues that are being addressed with
university employees. More information can be found on the UW-Madison Records Man-
agement website. https://www.library.wisc.edu/archives/records-management/.

NOTES
1. David Reinsel, John Gantz, and John Rydning, “Data Age 2025: The Evolution of Data to Life-
Critical,” IDC White Paper, April 2017, p. 12, https://www.seagate.com/files/www-content/
our-story/trends/files/Seagate-WP-DataAge2025-March-2017.pdf.
2. PC Magazine Encyclopedia, s.v. “transient data,” PCMag.com Encyclopedia, accessed September 2,
2017, www.pcmag.com/encyclopedia_term/0,2542,t=transient+data&i=53093,00.asp.
3. IBM,“IBM Sets New Record for Magnetic Tape Storage; Makes Tape Competitive for Cloud
Storage,” August 2, 2017, www-03.ibm.com/press/us/en/pressrelease/52904.wss.
4. “Everyone Working for Government,” National Archives of Australia, accessed September 2, 2017,
www.naa.gov.au/information-management/getting-started/for-everyone-who-works-for-govern
ment/index.aspx.
5. International Organization for Standardization (ISO), ISO 15489-1 2016. Information and
documentation—Records management—Part 1: Concepts and principles, 16.
6. Google Takeout, accessed September 2, 2017, https://takeout.google.com/settings/takeout.
7. Sarah Krizanic, “Mobile Devices and Applications are Transforming Clinical Practice,” California
Healthcare News, August 7, 2017, www.cahcNews.com/articles/08–2017/ca-skrizanic-0817.php.
8. ARMA International, Controlled Language in Records and Information Management (Lenexa, KS:
ARMA International, 2008), 5.
9. Ibid., 7.
10. Wikipedia, s.v. “glossary,” last modified September 7, 2017, http://en.wikipedia.org/wiki/Glossary.
11. Dictionary.com, s.v. “folksonomy,” accessed September 7, 2017, http://dictionary.reference.com/
browse/folksonomy.
12. Merriam-Webster Online, s.v. “taxonomy,” accessed September 7, 2017,
https://www.merriam-webster.com/dictionary/taxonomy.
13. ARMA International, ARMA TR 22:2016, Glossary of Records Management and Information
Governance Terms (Overland Park, KS: ARMA International, 2016), 52.
14. Thomas R. Gruber, “Toward Principles for the Design of Ontologies Used for Knowledge Sharing”
(Technical Report KSL 93-04, Knowledge Systems Laboratory, Stanford University), paper
presented at the International Workshop on Formal Oncology, Padova, Italy, March 1993,
www-ksl.stanford.edu/KSL_Abstracts/KSL-93–04.html. Gruber has since updated this definition:
“In the context of computer and information sciences, an ontology defines a set of representational
primitives with which to model a domain of knowledge or discourse. The representational
primitives are typically classes (or sets), attributes (or properties), and relationships (or relations
among class members)” (http://tomgruber.org/writing/ontology-definition-2007.htm). However,
the original definition is better suited for our purposes.
15. Richard Pearce-Moses, s.v. “classification,” Glossary of Archival and Records Terminology, American
Society of Archivists, accessed September 7, 2017, https://www2.archivists.org/glossary/terms/c/
classification.
16. Executive Office of the President, Memorandum for the Heads of Executive Departments and Agencies
and Independent Agencies, August 24, 2012, https://www.archives.gov/files/records-mgmt/m-12-18.pdf.
17. Laurence Brewer, Memorandum to Federal Senior Agency Officials for Records Management and
Agency Records Officers: Federal Agency Records Management Report, September 28 2017,
https://www.archives.gov/records-mgmt/memos/ac39–2017.
R E C OR DS AN D I N F OR MATION C R E ATION AN D CAP T U R E , C L A S SI FICATIO N , AN D FI LE PL AN DE V E LO PM E N T / 87

18. ARMA TR 22:2016, Glossary of Records Management and Information, 2.

19. Ibid., 51.
20. Library of Congress, Classification Web, accessed September 8, 2017, www.loc.gov/cds/classweb/.
21. “Library of Congress vs. Dewey Decimal,” Randolph C. Watson Library, Kilgore College,
accessed September 8, 2017, http://library.kilgore.edu/library/lc_dewey.htm.
22. Barbara Fister, “The Dewey Dilemma,” Library Journal, May 20, 2010,
http://lj.libraryjournal.com/2010/05/public-services/the-dewey-dilemma/.
23. Book Industry Study Group (BISG), Complete Subject Headings List, 2016 Edition,
accessed September 8, 2017, http://bisg.org/page/BISACEdition.
24. BISG, Complete Subject Headings List, s.v. “literary collections,” http://bisg.org/page/
LiteraryCollections.
25. Statistics Canada, “Geographic Classifications (SGC) 2016—Volume I, The Classification,”
last modified May 16, 2016, www.statcan.gc.ca/eng/subjects/standard/sgc/2016/index.
26. ISO 15489-1:2016, 2.
27. Jay Kennedy and Cherryl Schauder, Records Management: A Guide to Corporate Recordkeeping,
2nd ed. (Melbourne: Longmans, 1998), 115.
28. ARMA International, ARMA TR 22:2016, Glossary of Records Management and Information
Governance Terms s.v. “automatic classification.” (Overland Park, KS: ARMA International, 2016), 5.
29. Additional examples of indexing methods can be found in ARMA International, Establishing
Alphabetic, Numeric, and Subject Filing Systems (Lenexa, KS: ARMA International, 2005). Users
referring to this guide are presented with specific rules that must be followed to ensure that
records can be retrieved quickly and easily when necessary.
30. The term texts is used broadly to include books, essays, interviews, discussions, newspaper articles,
speeches, conversations, advertising, theater, informal conversations, or any occurrence of
communicative language.
31. See Google Books for excerpts from books discussing content analysis: http://books.google.com/
ooks?hl=en&lr=&id=q65703M3C8cC&oi=fnd&pg=PA3&dq=%22content+analysis%22
+%2B+records&ots=bK8kBYGdwW&sig=WttW3p0Gquh1APRUXRdQa50FJfQ#v=onepage&q
=%22 content%20analysis%22%20%2B%20records&f=false.
32. IBM, IBM Watson Content Analytics 3.5.0: Product Overview, accessed September 8, 2017,
https://www.ibm.com/support/knowledgecenter/en/SS5RWK_3.5.0/com.ibm.discovery.es.nav
.doc/iiypofnv_prodover_cont.htm.
33. C. W. Roberts, “Content Analysis,” in International Encyclopedia of the Social and Behavioral
Sciences, accessed September 8, 2017, http://dx.doi.org/10.1016/B0-08-043076-7/00707-5.
34. Michael E. Palmquist, Kathleen M. Carley, and Thomas A. Dale, “Applications of Computer-Aided
Text Analysis: Analyzing Literary and Nonliterary Texts,” in Text Analysis for the Social Sciences:
Methods for Drawing Statistical Inferences from Texts and Transcripts, ed. Carl W. Roberts (Mahwah,
NJ: Lawrence Erlbaum Associates, 1997).
35. Sean Golliher, “SemTech 2011 Coverage: PayPal Discusses Social Commerce and the Semantic Web,
DATAVERSITY,” June 13, 2011, www.dataversity.net/semtech-2011-coverage-paypal-discusses
-social-commerce-and-the-semantic-web/.
36. Jennifer Zaino, “2017 Trends for Semantic Web and Semantic Technologies,” DATAVERSITY,
November 29, 2016, www.dataversity.net/2017-predictions-semantic-web-semantic-technologies/.
37. ISO 15489-1:2016, 2.
38. Ibid., 6.
39. International Organization for Standardization (ISO) ISO 23081–1:2017 Information and
Documentation—Records management processes—Metadata for records—Part 1: Principles (Geneva:
ISO, 2017), 4.
88 / CH AP T ER 3

40. International Organization for Standardization (ISO), ISO 23081–2:2009 Information and
Documentation—Managing Metadata for Records—Part 2: Conceptual and Implementation Issues
(Geneva: ISO, 2009), 2.
41. Library and Archives Canada. (2006, February 7). Government of Canada Records Management
Standard, February 7, 2007.
42. Ibid.
 CHAPTER 4

Records Retention Strategies

Inventory, Appraisal, Retention, and Disposition

INTRODUCTION

The debate over keeping information forever versus following a records retention and dis-
position policy is ongoing. Some experts believe that all information has potential value and
should (and could) be preserved permanently. They point to the decreasing cost of storage
and the increasing capacity of storage media, especially the advantages presented by cloud
storage. Other experts adhere to the lifecycle model of records management and advocate
for destruction of records that no longer have value. They point to the cost of locating and
redacting information requested in the course of litiga-
tion (even when using auto identification and redaction
tools) and the danger of exposing personally identifiable Even if you can keep
information if proper controls are not in place. Robert information forever,
J. Johnson, author of Information Disposition: A Practical should you?
Guide to the Secure, Compliant Disposal of Records, Media
and IT Assets, makes what is to my mind a profound state-
ment when he says, “All information and all media will eventually be discarded.”1 Disposi-
tion of information no longer of use to the organization is one way to “protect” that infor-
mation from improper disclosure at this vulnerable point in its life cycle.
Organizations are faced with compelling reasons to retain records for use in conducting
business and to comply with existing laws and regulations. They must conduct a cost-and-
risk assessment to decide if they will retain all information permanently or dispose of it.
The purpose of this chapter is not to resolve the debate over the keep everything forever stor-
age retention strategy versus the traditional records retention and disposition strategy. Instead
this chapter will provide records retention strategies useful to those organizations that in-
clude disposition as part of their overall information governance approach.

RECORDS INVENTORY

New businesses are often so consumed with their core mission that records management is
an afterthought. By the time those in charge finally understand the necessity of developing
a strategic approach to records and information management, records exist in a variety of
formats stored in a multitude of equipment types and locations, often putting the organi-
zation at risk. That makes the task of ensuring that records and information are managed

/ 89 /
90 / CH AP T ER 4

FIGURE 4.1 Retention requirements for one type of record (Certificates of Organization
for Limited Liability Companies) stored on paper and microfilm.
SOURCE: “Massachusetts Statewide Records Retention Schedule, Quick Guide,” Schedule Number: 01–17, 282.
www.sec.state.ma.us/arc/arcpdf/MA_Statewide_Records_Schedule.pdf.

properly much more difficult. A records inventory is the first logical step in establishing a
records retention and disposition program where none exists.
Businesses with established records and information management programs must con-
tinue to audit compliance and make adjustments to their policies and practices based on inter-
nal factors (e.g., reorganization, acquisitions, and mergers) and external events (e.g., changes
in laws and regulations). A periodic records inventory is necessary to ensure that the organi-
zation understands what types of records exist, in what format, and where they are stored.
ARMA International defines records inventory as “a detailed listing that includes the
types, locations, dates, volumes, equipment, classification systems, and usage data of an or-
ganization’s records.”2 This definition can be applied to both physical and electronic records
inventories.
Although we are swiftly and surely moving toward a digital world, a records and infor-
mation management professional must acknowledge and be equipped to manage paper rec-
ords until they are either digitized and the paper version can be disposed of, or until their
retention requirements have been met.
Even in offices where paper records need not be retained if the records are available in
alternate formats (e.g., microfilm), many offices will maintain a hybrid system for years, as
shown in figure 4.1.
Some inactive records have long-term retention requirements and back-scanning can
be cost prohibitive. In addition, if paper records of historical value exist, they must be iden-
tified and managed in a way that ensures their physical survival.

Inventory of Physical Records

Records can be stored on different types of physical media, such as paper, CDs, videocas-
settes, microfilm, magnetic tape, and xray film. Architectural models made out of balsa
wood may even be considered records that must be managed. The records inventory can be
 R EC OR DS R E TEN TION STR ATEG I E S: I N V E N TOR Y, APPR AI S AL , R E TE N TIO N , AN D DI SP OSI TIO N / 91

Physical Record Example

A commission resurveying the North

Carolina–South Carolina boundary in
1928 found a longleaf pine that had been
blazed to mark the boundary in 1735. They
felled the tree, replaced it with a stone
marker, and gave one-half of the blazed
section of the tree to each state. The
South Carolina State Archives holds many
maps and plats serving as legal records
of boundaries of various kinds, but this
tree section is unique and one of the most
unusual records in the holdings of the State Archive.
SOURCE: Image courtesy of the South Carolina Department of Archives and History.

used to develop a retention schedule, provide input to the vital records protection program,
and identify potential improvements to the records and information management program
for both active and inactive records.
A necessary component of any successful project is support from top management—
preferably in the form of a directive from the organization’s president or chief operating
officer to all employees who will be involved in the records inventory project. Additional
champions within the organization should be identified, including managers from finance,
legal, information management, and human resources. The project can be accomplished
by internal records and information management staff, departmental staff, or an outside
consulting firm. Each approach has advantages and disadvantages. The budget allocated for
the project and the time frame within which it must be accomplished will be determining
factors.
The internal records and information management staff will have a good understand-
ing of the records held by the organization and the individuals they need to work with
to conduct the inventory. But they may not have the time needed to conduct a physical
inventory. The work-unit staff would know what records are created and where they are
located, but they may be reluctant to point out any weaknesses in their system. An outside
consultant would be objective and have the experience necessary to conduct the records
inventory, but there may be internal resistance and the cost for an outside consultant would
be higher than if internal staff were used.

Pre-inventory Steps
Once support from top management has been obtained, champions have been identified, and
the project manager has been appointed, the following pre-inventory steps should be taken:

• Clarify the records inventory objectives and strategies.

• Design the inventory form and accompanying directions. Blank forms
are available from ARMA International, and many examples, such as the
92 / CH AP T ER 4

Main State Archives Records Series Inventory illustrated in figure 4.2, are
available online.
• Staff and train the project team. Provide them with an organizational
chart describing the main functions of each office along with the necessary
supplies to inventory physical holdings, including blank inventory forms;

FIGURE 4.2 Records Series Inventory form.

SOURCE: Maine State Archives, MSA/Records Management, 5/29/2015,
www.maine.gov/sos/arc/records/state/inventoryinfo.pdf.
 R EC OR DS R E TEN TION STR ATEG I E S: I N V E N TOR Y, APPR AI S AL , R E TE N TIO N , AN D DI SP OSI TIO N / 93

adhesive labels to identify records and containers and to show they have
been inventoried; and equipment including flashlight, gloves, and dust
masks for use in storage areas.
• Communicate to staff and management about the project. Allay the fears of
those representing each work unit to be inventoried and explain that this is
an inventory and not an audit.
• Conduct a preliminary survey to identify the location of records, estimate
their total volume, flag hazards, and note any problems with space and storage.
• Establish a work schedule that includes dates, locations, and contacts
for each unit to be inventoried that provides flexibility. Other activities
(e.g., budget deadlines) may take priority within units and need to be
accommodated.

Conducting the Inventory Steps

The following are the recommended steps to take when conducting a physical inventory:3

• Draw a map of the physical layout of each area, numbering each piece of
storage equipment and noting the location of each records series. Record all
records such as correspondence, photographs, reports, and maps that are
evidence of the organization’s activities. Disregard all non-records such as
magazines, catalogues, blank forms, books, and pamphlets.
• Inventory the records as a series, that is, a group of identical or related
records that can be evaluated as a unit because they are normally filed,
used, and disposed of as a unit. Record the information on an inventory
form. Complete a separate form for each location where records in the
same series are filed or stored. The information from all forms related to
one series will be consolidated onto a master inventory and used to develop
a records retention and disposition schedule.
• Store the inventory data in a database developed in-house (e.g., using
Microsoft Access), in records management software purchased specifically
for the task, or in a content management system with records management
functionality. A system to manage physical assets as well as electronic
records provides additional advantages. For example, one solution allows
users to manage both the physical document and an electronic copy if both
must be retained. A double-click on the electronic copy will bring up the
location of the physical record. Once the retention requirements have been
met, the system alerts the appropriate party to destroy both copies.

Completing the Records Inventory Form

An inventory form similar to the one illustrated in figure 4.2 must be completed for each
records series. The method described here takes an archival approach by starting at the end
of the workflow, and accepting the fact that existing records must be managed. Complete
the inventory form by performing the following steps:

• Visit or contact all functional areas within the organization.

• Locate, identify, and inventory their records.
94 / CH AP T ER 4

• Complete one form for each records series title. All records in a series must
have the same retention period. If a record exists that does not fit within
established series, create a new record series. Note whether the records are
original or a duplicate as well as the medium on which they are stored.
• If the information is not available from the representative of the functional
area, check the applicable data privacy classification laws and business
practices for data in the record series.
• The retention requirements are based on legal, fiscal, and administrative
requirements. If the retention periods are not known, or need to be
verified, identify state and federal laws that prescribe a retention period
for the records and check the state and federal audit requirements as well.
Note that for this particular form, retention requirements will be stated in
terms of length of time the records have been in the office, storage area, and
records center. The retention period can be expressed in terms of time, for
example, retain three years, or in terms of an event or action, for example,
retain six months after audit.

Inventory of Electronic Records and Electronic Systems

Records and information managers must know the electronic records created and the sys-
tems involved in order to develop a plan to manage those e-records.

Location of Electronic Records

An electronic records inventory will form the basis for management decisions and assist
organizations in fulfilling their current and future obligations when faced with e-discovery
and/or Freedom of Information (FOI) requests. The electronic records inventory is more
challenging than a physical records inventory and requires assistance from information
technology (IT) as well as input from users of the information and communication sys-
tems. The information gathered will feed into the development of the file plan discussed in
chapter 3 and will be a key element when developing requirements for the organization’s
electronic records management system discussed in chapter 6.
The electronic records inventory will include both structured records (e.g., data-
base-driven such as payroll records) and unstructured records (e.g., photos, email, and
presentations). In addition to electronic records housed within an electronic records man-
agement system, active records are maintained in the organization’s business systems and
stored in third-party systems and on mobile devices. The result is that organizations are
faced with electronic records in a variety of formats stored in multiple locations that can be
categorized as follows:

• Centralized information systems: Centralized information communications

technology systems are installed and operated by the information
technology department; they include email servers, content/document/
records repositories, enterprise-wide application servers (e.g., enterprise-
wide geospatial information systems), and legacy systems (obsolete
information technology). Organizations operating from multiple physical
sites benefit from centralized systems that provide instant access to
updated, consistent information.
 R EC OR DS R E TEN TION STR ATEG I E S: I N V E N TOR Y, APPR AI S AL , R E TE N TIO N , AN D DI SP OSI TIO N / 95

• Decentralized information systems: Decentralized computing occurs

when work units have a high degree of local autonomy in developing their
information technology resources and specific needs not relevant to other
work units in the organization (e.g., a 911 computer dispatch system used by
the local fire department).
• Personal work stations and storage devices: Decentralized computer
systems pose fewer problems than other decentralized locations within
which records may reside, such as PC hard drives, laptops, digital cameras,
smartphones, and tablets.
• Third-party systems: The internet, Web 2.0, social media, cloud computing,
and the Internet of Things have changed the way organizations conduct
business. Organizations interact with their current and potential customers
on social networking sites hosted by third-party providers, often creating
records that must be managed. They take advantage of the benefits offered
by cloud service providers, which can result in records that are stored on
computers located outside of the country in which the organization does
business. And increasingly they gather data from sensors embedded in high-
tech devices employed in “smart cities,” “smart homes,” “smart warehouses”
and “smart offices.”

The electronic records inventory should concentrate on logical collections of records

grouped by business function or subject rather than by physical location. Many of the steps
involved in preparing for and conducting an electronic records inventory mirror those
involved in a physical records inventory. However, rather than a map of the physical layout
of an office area or records storage center, a data map can be used as a diagram of agen-
cy-owned information and communication tools and technologies.
IT should maintain a data map for centralized systems and decentralized systems for
which they have responsibility. The data map should also include information hosted at
social media sites and by third-party providers. Individuals familiar with information and
communication technology within each work unit will need to be interviewed to identify
any information systems or storage locations not already included on the data map.

Electronically Stored Information Data Mapping

Data mapping is not a new concept, but it is used in two different ways. In the first instance,
data mapping specifies how one information set relates, or maps, to another. The relation-
ships between the data are key for migration and integration projects. However, data map-
ping in the second instance is a comprehensive inventory of a corporation’s IT systems
that store information. This “defensible inventory” is important for litigation and other
proceedings.
The data map shown in figure 4.3 identifies the locations of electronically stored in-
formation (ESI) for which the Florida Attorney General’s Office is responsible: individual
agency workstations, shared drives, database repositories, servers, archives, home comput-
ers, telephones and pagers, storage media, and cloud storage.
Inventorying provides intellectual control over electronic systems (network appli-
cations, backups, and legacy media). This inventory often contains information as to the
number and size of files residing in email accounts or shared folders, but it rarely explains
the types of information produced by the systems. Electronically stored information data
96 / CH AP T ER 4

FIGURE 4.3 Florida Attorney General data map example.

SOURCE: Florida State College of Law Research Center, http://guides.law.fsu.edu/ediscovery/datamaps
License: CC BY-ND 4.0.

maps must be accompanied by additional information that can be used to develop effective
records management, records retention, and litigation hold policies and procedures.
ESI data maps show the logical relationship between the systems and repositories and
backup systems. They allow the organization to better understand the current state of stor-
age, identify sensitive data in unknown areas of the network and remediate, and gain visi-
bility into risky data usage patterns in order to secure data and prevent loss.
The process of creating the data map involves compiling a complete list of all systems
used, including communication and collaboration tools. A list of business processes should
also be compiled and then compared with the system list to ensure that all electronically
stored information is accounted for. A list of roles, groups, and users involved in the busi-
ness processes should also be developed. Off-site or third-party storage systems used for
communications, cost-efficiency, or disaster recovery should be identified.4 Mobile devices
used when working remotely and equipment used in home offices may also contain busi-
ness records and should be included.
Social media enterprise solutions may be implemented internally and belong on the
data map. If the organization uses social media tools provided by commercial entities or
takes advantage of cloud services, the data map must be modified to specify the information
hosted by these third-party providers as well. The data map(s) supplemented by charts, lists,
and tables, with supplementary illustrations and analyses that describe the information
and the infrastructure and systems that host the information, provides a “total information
systems overview” one can equate to a data atlas.5
 R EC OR DS R E TEN TION STR ATEG I E S: I N V E N TOR Y, APPR AI S AL , R E TE N TIO N , AN D DI SP OSI TIO N / 97

Completing the Electronic Records Inventory

The scope of the electronic records inventory project must be considered during the
planning phase. Enterprise-wide inventories may be accomplished as part of one project
in small- or medium-sized organizations, but limiting the scope of the project is a better
way to approach an electronic inventory project in a large organization. Project managers
understand the wisdom of tackling the low-hanging fruit (projects and people most likely to
ensure success), so that success can be demonstrated and built upon.
Although the data map is invaluable, users of the information systems must also be
surveyed. The electronic records inventory can be approached in one of three ways:

1. Require that representatives of each work unit complete an electronic

records inventory for their area. The questionnaire should be submitted
to the project manager, who would contact the persons completing the
inventory form if there were questions.
2. Assign the task of completing the records inventory form to the records
manager or other member of the records inventory team. The form should
be completed during interviews with work unit liaisons and those using the
information systems within each area.
3. Implement a hybrid approach. Ask the work unit representatives to
complete and submit the form. Use the form as a basis for the interviews to
follow. Additions and corrections should be made based on the information
gathered during the interview.

Examples of electronic records inventory forms, similar to the physical records inventory
forms, can be found online. If used, liaisons are advised to use the form to add, change, or
delete a records series on the related records retention schedule.
Two most important questions that need to be answered are: (1) what systems are in
use? and (2) what records series are in each system? However, some organizations may
seek more detailed information. The Electronic Records Inventory Worksheet employed
by the Indian Health Service, the federal health program for American Indians and Alaska
Natives, is shown in figure 4.4.
This form requires additional information, such as system owner, information owner,
data backup/frequency, backup location, retention of records, and authority for retention.
This information can be used to create or update a records retention schedule and can be
factored into migration and preservation decisions for records with long-term retention
requirements.
Once the electronic records inventory project has been completed, the records manag-
er or other person conducting the electronic records inventory must ensure the informa-
tion provided is interpreted accurately. If a questionnaire was completed and submitted by
a work unit, the responses should be reviewed with the unit records liaison or other person
who completed the form. If the survey/interview method was used, the person conducting
the interview should prepare a summary of the results of the inventory and submit it to the
interviewee for editing, if necessary, and approval.
An analysis of the results of physical and/or electronic inventories can be used to
identify:
• obsolete and/or duplicate records and documents that can be consolidated
or disposed of
98 / CH AP T ER 4

• location of information to respond more quickly to discovery requests

• records most critical to business continuity in the event of a disaster
• current and future storage needs

When describing the process of completing an inventory, interviews with records creators
were included. Those interviews could be used not only to ask about the current records
but also about the business process. However, an analysis of the business process can be
conducted independently of the records inventory.
Manual Exhibit 5-15-B
Page 1 of 2

IHS-971 (02/2016)
ELECTRONIC RECORDS INVENTORY WORKSHEET

General Information
Agency: Indian Health Service Date:
1. Location 3. Building/Room
2. Office/Division/Section:
Name: Number:

4. Name of Person 6. Contact E-mail

5. Phone Number:
Taking Inventory: address:

Electronic Records Information

7. Name of Electronic System:
8. Application Name:
9. Information Owner:
10. System Owner:
11. System is: Commercial off the shelf Custom, In-house
12. Electronic Records Description:

13. Inputs/Source Documents: (hard copy forms and hard copy documents that are scanned (e.g.
correspondence, reports, still pictures, maps, etc.))

14. Outputs: (what types of reports are generated from application)

15. Is there a register, index, etc. to the records? Yes No

16. Are data files backed-up? Yes No Frequency:
17. Where are the data backups stored?
18. How long are records kept? Years(s) Month(s)
19. Retention is based on: Statute or Law Regulation Industry Standard
20. If question #18 is not applicable, then recommend a retention period:

TN 2016-01
FIGURE 4.4 Electronic records inventory worksheet. (01/15/2016)
SOURCE: Indian Health Service, https://www.ihs.gov/ihm/includes/themes/responsive2017/display_objects/documents/pc/
dsp_ihm_pc_p5c15_ap_b.pdf.
 R EC OR DS R E TEN TION STR ATEG I E S: I N V E N TOR Y, APPR AI S AL , R E TE N TIO N , AN D DI SP OSI TIO N / 99

RECORDS APPRAISAL

The 2016 update of the ISO 15489 records management standard introduces the concept
of records appraisal as: “the process of evaluating business activities to determine which
records need to be created and captured and how long the records need to be kept.”6 The dif-
ference between the results of the inventory and the appraisal is that one determines what is
being/has been retained while the other determines what should be captured and retained.
In order to determine what evidence of business should be retained, the person per-
forming the appraisal must understand: (1) the nature of the business in the context of its
legal, resourcing, and technological environment, and (2) the risks to which it is exposed
and how those risks can be managed through the creation, capture, and management of
records (ISO 15489:2016).7

Business Records Requirements

ISO 15489-1:2016 further states that records requirements are derived from business needs,
legal and regulatory requirements, and community or societal expectations. Obviously,
identifying the business records requirements necessitates working with all stakeholders,
including representatives from business units, legal, information technology, and risk man-
agement.

Business Needs
Asking representatives from business units to describe their process will reveal points at
which documentation (a record) is created to serve a business need. For example, the pur-
chasing process involves the creation of both a purchase requisition form (seeking approval
to order) and a purchase order (placing the order with the vendor). Both must be created
and provide evidence of a business activity, but as you might already suspect, one retains
its value longer than the other. In this case, the retention periods are different: commonly
three years for the requisition form and seven years for the purchase order. In electronic
systems, metadata and linkages between these two and other records must be maintained.

Legal and Regulatory Requirements

The legal and regulatory environment is becoming more complex due to an increasing num-
ber of laws and regulations and new business models that facilitate commerce across juris-
dictional boundaries. For example, the European Union’s GDPR (General Data Protection
Regulation) that became effective May 25, 2018, impacts businesses outside of the Euro-
pean Union, because the legislation applies to anyone with an establishment or equipment
inside the EU; anyone who offers goods and services (even if they are free) to EU residents;
and anyone who monitors the behavior of EU residents.8

Risk Management
Risk management involves identifying, assessing, and controlling threats to an organiza-
tion. Today, many risks arise from the improper handling of an organization’s records and
information. Some also arise from the response taken immediately after an incident. For
10 0 / CH AP T ER 4

example, in 2017, Equifax (a company that keeps financial details about all Americans to
gauge how much of a risk they are when applying to borrow money) disclosed that vital data
about 143 million Americans was exposed. Immediately after the announcement, which
took place one month after the actual incident, the company compounded the negative
publicity by offering affected customers free credit-file monitoring and identity-theft pro-
tection but included fine print stating that acceptance of the offer would require customers
to use a private third-party arbitration service to resolve any disputes (i.e., they could not
file a lawsuit). Reaction to the event and the organization’s response resulted in calls for
formal investigations, damage to the firm’s reputation, and a drop of 25 percent in the value
of its stock.9

Primary and Secondary Value of Records

Records are created and maintained to provide evidence of and value to the organization
(primary value) but that value may extend beyond the purpose for which they were created
(secondary value). Records can meet one or more of the following four requirements:

• administrative (operational)
• fiscal
• legal (and regulatory)
• historical (research/archival)

When possible, archival records should be identified during the appraisal process to ensure
proper maintenance until such time as the record is transferred to an archive.

Administrative (Operational)
Records that meet administrative needs aid in the conduct of day-to-day business, define
policy and procedures, or ensure administrative consistency and continuity. Administra-
tive (operational) records include directives/policies/procedures; organizational charts;
general correspondence; minutes of official meetings; and personnel records.

Fiscal
Records that satisfy fiscal requirements may be necessary to conduct current or future busi-
ness or provide evidence of financial transactions and the movement and expenditure of
funds. These records include financial audit reports, accounting journals and ledgers, tax
receipts; annual budget documents, and payroll records.

Legal (and Regulatory)

Records that satisfy legal requirements are those that document and protect the rights and
interests of an individual or organization, provide for prosecution or defense of litigation,
demonstrate compliance with laws and regulations, and/or meet other legal needs. These
records include contracts, titles, claims, deeds, and birth certificates.
 R EC OR DS R E TEN TION STR ATEG I E S: I N V E N TOR Y, APPR AI S AL , R E TE N TIO N , AN D DI SP OSI TIO N / 10 1

Historical (Documentation or Research/Archival)

Records that satisfy historical requirements are useful or significant for documenting and
understanding the past. These records may have had primary value for the organization
at one time but are no longer needed for administrative, legal, or fiscal purposes. They do,
however, contain authentic evidence of an organization’s policies, decisions, operations, or
other activities that should be retained. They often document the development of a govern-
ment and its policies, provide evidence of the lives and activities of people, describe social
and economic conditions, and record the development of community and business. Records
of historical interest may include correspondence (authored by or received by a significant
person, such as the founder of the organization or the president of the country); US military
records; birth, marriage, and death records; meteorological (weather and climate) data; and
legal opinions.

Primary and Secondary Value of Records

The primary value of records—those that satisfy administrative (operational), fiscal, and
legal requirements—is derived from the original use for which they were created. Tradition-
ally administrative and fiscal records are considered transient by archivists, and records
must possess other values to be considered archival.
Records have secondary value when they are useful or significant for purposes other
than that for which they were originally created. Secondary value includes records that
satisfy information or evidential needs as well as research interests. US Census records, for
example, provide evidence of the size and composition of the US population only until the
next census is published. But the content of census records provides information of value
to researchers long after its evidential value has expired.
Records that meet legal requirements can have primary or secondary value, depending
upon the purpose and function of a record. A contract, for example, is a legally enforceable
agreement between two or more persons that documents specific actions on the part of
each party (primary purpose). However, the contract may continue to meet legal require-
ments after final settlement if the contract period is less than the relevant statute of limita-
tions (secondary legal value).
Essential (vital) records may be identified as part of a paper or electronic records inven-
tory or may be the subject of a separate essential (vital) records inventory. Essential records
and their relationship to disaster preparedness and recovery and to business continuity are
covered in chapter 8.

Records Series

The common unit for organizing and controlling files in the United States is a records series.
Records are grouped together, either through physical or intellectual control, because they
relate to a particular subject or function, result from the same activity, document a specific
type of transaction; take a particular physical form; or have some other relationship arising
out of their creation, receipt, maintenance, or use.10
Consider the different types of documents you used to prepare last year’s federal tax
return. Whether you mailed your hard-copy return or filed electronically, the supporting
documentation must be retained to provide evidence for the figures you used on your tax
10 2 / CH AP T ER 4

return in case of an audit. If you file electronically, you are urged to print (either as hard
copy or to a PDF file) your tax return and keep a copy for your records along with the sup-
porting documentation.
A copy of the forms you submitted and the supporting documentation comprise a rec-
ords series that could be named ”2020 Tax Returns.” You might decide to separate the var-
ious documents used to prepare your tax returns into two folders, one for “State Tax Ret-
urns” and another for “Federal Tax Returns.” The resulting hierarchy is shown in figure 4.5.
Once you determine how to organize these records, the next question is “how long
should you keep them?” If you file a claim for a refund, for example, the Internal Revenue
Service (IRS) has three years from April 15 of the year due, or from the date you actually
filed if later, to audit your tax returns. Unless you believe the IRS will initiate proceedings
against you for tax fraud, you can probably dispose of your records after the three-year
period expires.
Notice the conditional term probably. Retention periods can be affected by other fac-
tors, such as claiming loss for worthless securities or failing to report all of your income.
The tax code and retention requirements are even more complex for businesses, including
self-employed individuals and small businesses, partnerships, and international corpora-
tions. A records manager must follow a similar but more complex thought process to deter-
mine what constitutes a records series. Each record series must be controlled by a records
schedule that provides mandatory instructions for the retention and disposal of records.
In order to determine the retention period for each records series, research needs to be
conducted into prevailing legal and regulatory requirements. This process can be used to
determine the retention requirement for all types of records, including those that present
the public face of the organization online, website records.

WEB RECORDS:
IDENTIFYING, CAPTURING, AND SCHEDULING

Of course, there is no records series named “Web Records.” The term is used to help us focus
on the considerations that must be made when planning to manage web-based records—a
concern for almost every public and private organization.

FIGURE 4.5 Anatomy of a records series.

 R EC OR DS R E TEN TION STR ATEG I E S: I N V E N TOR Y, APPR AI S AL , R E TE N TIO N , AN D DI SP OSI TIO N / 10 3

Recordkeeping Roles and Responsibilities

Individuals with responsibilities related to website records management may include con-
tent providers, website managers, records professionals, archivists and/or librarians, legal
services, and end users. Their duties must be clarified.

Recordkeeping Requirements for Web-Based Records

Web-based records are subject to the same requirements as paper-based or other electronic
records. They must be retained and disposed of in accordance with retention and disposal
schedules based on their administrative (operational), legislative, financial, and historical
value. In some cases, content displayed on a website is information held elsewhere in hard
copy or electronic format. The online digital representation disseminates information to a
broader audience. The original records may already be managed by a recordkeeping system.
However, if records contained on a website are not being kept in another form, it is essential
to ensure that they are managed by the organization’s recordkeeping system. Approaches to
managing web-based records will differ based on the type of content contained: static or
dynamic.

Static Web Content

A static webpage displays the content to each viewer in the same way. Static content can
be developed quickly through the use of website development tools that publish HTML
files for upload to the web or using a website content management system. Pages that rep-
resent static content considered records can be captured by a records management system
before posting. A set of recordkeeping rules to provide guidance for custodians of the content
(whether content contributors, website managers, or others) might include:

Addition of content:
• No action is required when the content published on the website
already exists in a record controlled by the organization’s recordkeeping
system.
• If new versions of documents are added to websites or changes are made to
existing content (excluding minor changes such as the correction of spelling
errors), a copy of the updated document should be retained.
• Content must be published with metadata to provide context (e.g., date of
approval, authorization, disclaimer, copyright notice).

Removal of content:
• If a complete and current copy of a file published via the Web is managed by
a recordkeeping system or is held by the initiating party, it may be deleted
from the website at any time.
• If a copy of the web-based record is not managed by the recordkeeping
system or elsewhere, it may be deleted from the website only when all
records retention requirements have been met.
10 4 / CH AP T ER 4

• If the records are required for audit or legal purposes, or relevant to an

e-discovery or Freedom of Information (FOI) request, they must not be
modified or destroyed even if their retention requirement has been met.
A legal hold must be put into effect following procedures in place for all
records (e.g., the legal department notifies the records manager, who then
advises the IT security manager).

Preservation for archival purposes:

• If most of the content is held in a content management system or

controlled by a recordkeeping system, periodic snapshots may be
appropriate to create an accurate archive of a significant portion of the
website at a particular point in time. A risk assessment should be conducted
to determine which portions of the website(s) should be included and the
frequency of the snapshots (e.g., annually or when major changes have been
made to the design and/or content).
• Records created by capturing snapshots must be managed according to
accepted recordkeeping principles (e.g., not overwritten until retention
periods have been met and migrated through upgrades of hardware and
software to ensure their continuing usability and authenticity).
• Snapshots are not recommended for websites that incorporate highly
dynamic functionality, including databases and e-commerce transactions.

In general, snapshots are suitable for the static websites but not appropriate for dynamic
websites.

Dynamic Web Content

To help us understand the differences between early static websites and today’s interactive
sites, we can use the Internet Archives’ Wayback Machine to locate an image of an earlier
site (see figure 4.6). The 1996 WhiteHouse.gov site contains only text and links to other
textual documents and does not allow for public comments. You can imagine the ease with
which records could be managed, because content could reside in the same location as other
electronic documents not posted to the Web. For historical purposes, a periodic screenshot
is sufficient, because the page would be changed very little over time.
A dynamic webpage is one that delivers custom content and is generated in response
to a user request, drawing content from a database and displaying the content in a prede-
termined format.11 Dynamic sites often contain links to other sites, including social media
sites that should be captured and preserved if a complete picture of the ways in which the
organization communicates is desired. The current White House website contains dynamic
elements and encourages interactivity with the public. Users can register to receive updates,
view featured videos, and tune in to live events as they occur. The site encourages the public
to become involved in government by creating and signing petitions. Links to the following
social media tools are located at the bottom of the home page: Facebook, Twitter, and Insta-
gram. In addition, web pages for the president, first lady, vice president, and second lady can
be reached through links on the main site—each with a link to their Twitter account. The
Twitter accounts are also covered by the Presidential Records Act and must be preserved.
 R EC OR DS R E TEN TION STR ATEG I E S: I N V E N TOR Y, APPR AI S AL , R E TE N TIO N , AN D DI SP OSI TIO N / 10 5

FIGURE 4.6 Whitehouse.gov site in 1996 (Web 1.0).

SOURCE: Internet Archive Wayback Machine, accessed October 19, 2017, https://web.archive.org/web/19961227062541/
http://whitehouse.gov/.

Although the files that made up presidential administration websites are preserved
in the Executive Office of the President Electronic Records Archive, their interfaces are not.
Therefore, NARA provides links to the WhiteHouse.gov websites for President William Jef-
ferson Clinton (1993–2001), President George W. Bush (as archived 2009), and President
Barack Obama (2009–2017) as part of the Presidential Libraries sub-site.12
Data retention decisions must be made about the content contributed by the public so
that information that could constitute an invasion of privacy is not released. However, ac-
cess to this information may be the subject of a Freedom of Information request five years
after the end of the current administration. NARA or the White House may dispose of in-
formation lacking historical value. Currently, the White House has the following retention
requirements:

• Server log entries are retained for one year.

• Cookie data linked to individual users are retained for thirteen months.
• Other cookie data and automatically generated email data may be retained
by the White house until the end of the current administration.13

Web Archiving

As mentioned earlier, creating snapshots of websites may be acceptable for historical pur-
poses when preserving static websites, but that method is not suitable for dynamic websites.
In addition to hosting the Wayback Machine, a public archive containing over 306 bil-
lion webpages from 1996 through October 20, 2017, the Internet Archive provides a web
archiving subscription service, Archive-It, which allows institutions to build and preserve
collections of born-digital content.14 Archive-It partners can harvest, catalog, manage, and
browse the archived collections. The collections are hosted at the Internet Archive data
center and are accessible to the public via full-text search. Another tool developed by the
Internet Archive is Heritrix.15 This is an open-source, scalable Web crawler capable of
10 6 / CH AP T ER 4

fetching, archiving, and analyzing internet-accessible content. Heritrix is free software that
can be downloaded by technical staff to crawl the internet. Users of this tool include the
Austrian National Library, the US Library of Congress, and the British Library. Archive-It
and Heritrix are used to capture websites and, in some cases, social media sites to which
they are linked, primarily for preservation.

Compliance Issues

Web-archiving practices can protect the organization from risks, including penalties for
regulatory noncompliance, litigation challenges, and e-discovery costs. For example, Point
West Credit Union, a federally insured organization regulated by the National Credit
Union Administration (NCUA) and the Federal Financial Institutions Examination Coun-
cil (FFIEC), must be prepared to reproduce any given page from its corporate website on
any given day over a three-year period. They transitioned from keeping track of changes on
their website in a spreadsheet to using Smarsh’s Web Archiving Tool to capture and manage
all content.16 In addition to web content, this solution can be used to archive email, instant
messages, text messages, and social media as well. Tools are provided to allow customers to
export all content without data-related fees; however, assistance (and storage media) can be
provided for nominal hourly fees.

LEGAL AND REGULATORY COMPLIANCE

As illustrated by the Point West Credit Union example, organizations must comply with
the recordkeeping requirements established by the entities that exercise control over them.

Federal and State Laws

In the United States, some regulations apply to organizations in general, such as accounting
and tax laws; others apply to organizations within specific industries, such as healthcare.
Some are imposed by the federal government, whereas others are imposed by the state
or local governments. Retention requirements often vary across jurisdictions. Florida, for
example, requires public hospitals, healthcare facilities, and medical providers to maintain
master patient indexes (including patient name, number, birth date, date of admission, and
date of discharge where applicable) for ten years.17 Texas requires master patient indexes to
be retained permanently.18

Statutes of Limitations

Statutes of limitations are federal or state laws that restrict the time in which legal proceed-
ings can be brought against a defendant in either a civil or criminal matter. In Alabama, a
product liability action must be brought “within two years from the time when the injury is
or should have been discovered.”19 In Louisiana, action must be taken “within one year from
the time when the injury occurred.”20 In Massachusetts, however, action must be brought
“within three years of the date on which the injury occurred.”21
 R EC OR DS R E TEN TION STR ATEG I E S: I N V E N TOR Y, APPR AI S AL , R E TE N TIO N , AN D DI SP OSI TIO N / 10 7

Audit Period

There are different types of audits. “Generally, the IRS can include returns filed within the
last three years in an audit. Additional years can be added if a substantial error is identified.
Generally, if a substantial error is identified, the IRS will not go back more than the last six
years.”22 The Securities and Exchange Commission requires accounting firms to retain cer-
tain records relevant to their audits and reviews of issuers’ financial statements for seven
years.23 Records to be retained include the accounting firm’s work papers and certain other
documents that contain conclusions, opinions, analyses, or financial data related to the
audit or review.24 According to the Massachusetts Society of Certified Public Accountants,
a corporation’s internal audit records should be retained six years, but a public audit report
must be retained permanently.25

Administrative Needs

The retention requirements for records with administrative or operational value would not
be discovered during legal research but would be revealed based on input from records cre-
ators and users. The information gathered through records appraisal and legal research is
used to develop the records retention and disposition schedule. Contrary to advice to con-
sider the risks associated with the retention and disposition of records in ISO 15489-1:2016,
I would not factor risk in just yet. It is important first to identify how long the records
should be retained based on legal and regulatory requirements. Adjustments, if desired, can
be made later.

DEVELOPING A RECORDS RETENTION

AND DISPOSITION SCHEDULE

The primary purpose of a records retention and disposition schedule is to ensure that
records are retained only as long as necessary and then disposed of when they no longer
have value.
The benefits of developing a records retention and disposition schedule to facilitate
disposal of physical records are well-documented. They include a reduction in time to locate
and retrieve desired information as well as a reduction in costs associated with the equip-
ment, space, staff, and/or services needed to manage those records.
When the discussion turns to electronic records, however, the benefits are less clear.
First, electronic records are not as visible as physical records. They take up less space on
storage devices that are constantly increasing in capacity and decreasing in price. However,
the cost of identifying and disposing of electronic records residing both under the direct
control of the enterprise and under the control of third-party providers can exceed storage
costs.
There are advantages to disposing of electronic records, which include mitigating the
risk of retaining records that could be used against the organization (the proverbial smoking
gun); reducing the cost of locating the requested records in response to e-discovery and/
or Freedom of Information requests; and reducing the cost of inspecting records to redact
PII, such as social security numbers, credit card numbers, address information, and driver’s
license numbers.
10 8 / CH AP T ER 4

Retention Schedule Considerations

The following list of questions should be answered before the actual work begins on the
development of the records retention and disposition schedule:

• Is there an existing records retention and destruction schedule or are you

creating it from scratch?
• What is the scope of the retention schedule—enterprise-wide or focused on
one function or work group?
• Will you use a functional retention schedule or one related to the
organization’s structure?
• Were a records inventory and business process analysis completed
recently? If so, you may have already gathered much of the information you
need. If not, both should be completed before proceeding further.
• Will a general records schedule be prepared for records that exist in
departments, agencies, and work groups across the enterprise?
• Have legal/regulatory considerations been researched? If so, you can use
that information for the schedule. If not, determine who will conduct the
research and monitor any changes in legislation. This research feeds into
the records schedule and must be completed first.
• Will electronic records be included in this retention/disposition schedule
or will separate records retention and disposition schedules be prepared for
physical and electronic records?
• What resources are available to develop and maintain the retention
schedule(s), such as records retention scheduling software and a records
legal research database?

Records Retention and Disposition Schedule

The records retention and disposition schedule is created after the records inventory, busi-
ness process analysis, and legal/regulatory research have been completed. The format used
to record information will differ, but common elements will be included in every schedule.
This information may be gathered manually, but it should be managed through the use of a
database or records retention software program.
The most common elements include the records series, record title and description,
records office, retention requirement (often specifying location for active and inactive
files), and disposition method. If a functional classification is used, the function (e.g., fiscal),
and the record category (e.g., fiscal: budget and budget control) will be included. Additional
information may include storage medium, volume of records, effective date, and revision
number and date.
The University of California allows the public to search its web-based Records Dispo-
sition Schedules Manual. Figure 4.7 is the result of a general search on the entire retention
schedule.26
Notice the distinction between administrative records in the second and third rows—
one class requires permanent retention although the other can be deleted or destroyed five
years after the end of the physical year in which they were created.
Software and services can be acquired from vendors such as RecordLion27 that auto-
mates tasks based on rules-based recordkeeping. For example, records are categorized and
 R EC OR DS R E TEN TION STR ATEG I E S: I N V E N TOR Y, APPR AI S AL , R E TE N TIO N , AN D DI SP OSI TIO N / 10 9

automatically declared based on classification rules; retention periods are based on triggers
(e.g., calendar events, business system events, or rules based on any combination of avail-
able metadata); and disposition is automated, including approvals, review periods, destruc-
tion certificates, and an audit trail.
Zasio’s Versatile Enterprise software manages the complete lifecycle of physical (e.g.,
documents and boxes) and electronic records (e.g., word processing and email). Figure 4.8
displays a user-friendly records series dialog box for Accounts Payable records, with reten-
tion requirements based on the date of creation.
Even for an electronic system, a retention schedule takes a great deal of time to create
and maintain because it is based on classification rules someone must create. That’s one of
the reasons some records managers prefer the concept of big buckets.

Big Buckets and Records Retention Schedules

Big buckets is a method used to simplify records retention schedules by consolidating record
types related to the same business function or process with similar retention requirements
into bigger retention buckets (records series). The fewer buckets, the fewer retention choices,
and the greater likelihood of compliance with the organization’s retention schedule.
There are also challenges to the big buckets approach. One is the need to manage ex-
ceptions, such as event-driven retention requirements. For example, two records titles may
have a retention requirement of ten to twenty-five years, but the triggers can be different.
The trigger for one can be the phrase after the last update, although the trigger for the other
can be after the last date of activity. If the last update does not take place on the last date of
activity, these are two different triggers.

FIGURE 4.7 Portion of the University of California records retention schedule.

SOURCE: http://recordsretention.ucop.edu/index.php/du/retentionSchedules/recordCategory.
110 / CH AP T ER 4

FIGURE 4.8 Versatile enterprise records series dialog box.

Courtesy of Zasio Enterprises, Inc.

Developing a big bucket retention schedule requires the same initial steps we’ve al-
ready discussed, including organizing the information by business function and records
series, performing a business process analysis, conducting legal research, and identifying
the retention periods for all records—those that are governed by legal and regulatory re-
quirements and those that are not.
Once those tasks are accomplished, attention can be turned to creating the big buckets.
In her 2008 article, “How to Win the Compliance Battle Using Big Buckets,” Dr. Susan Cis-
co makes recommendations for developing new retention schedules and updating existing
schedules, including:28

• Map the records to the correct legal groups. These will form the first round
of buckets (records series).
• Consolidate those buckets into fewer buckets by assigning the longest
retention period in a group of consolidated buckets to form new bigger
buckets.
• Develop crosswalks to legacy content classified by a traditional records
schedule and update retention requirements for physical and electronic
records to reflect the new, bigger retention buckets.
• Conduct a pilot implementation, analyze feedback, and make modifications
before introducing the big bucket retention and disposition schedule
enterprise-wide.
 R EC OR DS R E TEN TION STR ATEG I E S: I N V E N TOR Y, APPR AI S AL , R E TE N TIO N , AN D DI SP OSI TIO N / 111

NARA provided guidance for federal agencies wanting to create a flexible Big Bucket or
large aggregation schedule for their records in “NARA Bulletin 2010-03, Subject: Flexible
Scheduling.”29 Supporting materials include an example of the type of crosswalk Cisco rec-
ommended in her article.
Several requests for records disposition authorities to move to a Big Bucket approach
have been approved for US federal agencies since then. One was a request by the Centers for
Medicare and Medicaid Services, to use nine buckets for all of its records. The Request for
Records Disposition Authority for Bucket 3—Financial Records (programmatic) was first
certified in 2015 and revised and approved by the Archivist of the United States in 2017. The
crosswalk submitted reveals Big Bucket 3 replaces twenty-six previous items.
NARA committed to a five-year (2013–2017) project to update and revise its General
Records Schedules, resulting in fewer buckets and either an increase or decrease in the
retention period for records. Figure 4.9 shows one section of a crosswalk between the new
records series and the old records for General Records Schedule 4.2: Information Access
and Protection Records.
Aggregating records series into big buckets involves making risk-management decisions
related to keeping records too long or not long enough. Notice in figure 4.8 that the original
retention period for item 020 ranged from two years to six years. However, under the big
bucket schedule, the retention period for each of these records series is six years. Larger
buckets will make it easier for auto-categorization tools to make more accurate and consis-
tent classification decisions.
Once the records retention and disposition schedule has been completed, operating
procedures must be updated to reflect changes to existing operations. The operating proce-
dures and records schedules should be included in a repository to be shared with all stake-
holders (e.g., legal counsel, chief operating officer, chief financial officer, etc.) for their com-
ments, approval, and signature. Once modifications are made, the parties satisfied, and the

FIGURE 4.9 Portion of General Records Schedule Crosswalk,

The General Records Schedules, Transmittal 27, NARA, January 2017.
SOURCE: NARA, https://www.archives.gov/files/records-mgmt/grs/grs-trs27.pdf.
11 2 / CH AP T ER 4

procedures and schedules approved, the information can be published and training can be
provided.
The records manager’s job doesn’t end with implementation and training. A program
compliance review must be designed to audit the destruction or transfer of records sched-
uled for disposition. Notices of noncompliance must be sent when necessary. The records
manager should also scan the internal environment for changes that may require an ad-
justment to the records retention and disposition schedule and monitor the external envi-
ronment to see how legal and regulatory changes might impact the records retention and
disposition schedule.

SUMMARY

The primary purpose of a records retention and disposition schedule is to ensure that
records are retained only as long as necessary and then disposed of when they no longer
have value. The information gathered through the records inventory, records appraisal pro-
cess, and legal research is used to complete the records retention and disposition schedule.
The records inventory provides a detailed listing of all records held by the organization,
both physical and electronic. Tools such as floor plans of records storage areas and data
maps of computer systems are helpful in conducting the records inventory.
To determine records retention requirements, records are appraised based on their
current operational, regulatory, legal, fiscal, and historical value, and legal research is con-
ducted to identify governing laws and regulations.
Related records are grouped into records series and evaluated as a unit for retention
purposes. Retention requirements are assigned. This information is recorded on the records
retention and disposition schedule, along with additional information such as the office of
record, location of record, and method of disposition.
Attention must be paid to all records, including those residing on corporate websites. The
content on static web pages may be copies of content held elsewhere; however, content on
dynamic sites may be considered records that must also be governed by a records schedule.
Aggregating records series into big buckets is an alternative approach to the tradition-
al records series that makes it easier for employees and auto-categorization tools to make
more accurate and consistent classification decisions.
The records retention and disposition schedule, along with accompanying operational
procedures, must be made available to all employees who are assigned records manage-
ment responsibilities. This information can be disseminated through the publication of rec-
ords retention and disposition guidelines and through employee training programs. Tools
needed to support retention and disposition should be integrated into communication and
information systems during the planning phase to remove the burden for retention and
disposition decisions from the user when possible. The destruction or transfer of records
that have met their retention requirements should be audited to ensure that the organiza-
tion is in compliance. Both the internal and external environment should be monitored for
changes that might impact the records retention and disposition schedule.
This chapter culminated with a discussion of big buckets proposed by Susan Cisco in
2008. Much has changed in the intervening years, but much remains the same. Organiza-
tions continue to face issues related to retention and disposition of information assets. In
her contribution to this chapter, Susan Cisco takes advantage of the need to revise a reten-
tion schedule to launch an information governance program.
 R EC OR DS R E TEN TION STR ATEG I E S: I N V E N TOR Y, APPR AI S AL , R E TE N TIO N , AN D DI SP OSI TIO N / 113

PA R A D I G M

Leveraging a New Retention Schedule to Launch

an Information Governance Program
Susan Cisco, PhD, CRM, FAI
Information Governance Subject Matter Expert and Educator

Introduction to Project
Two financial firms merged to form one consolidated operation. Each had its own records
and information management systems, processes, and retention schedule. As the new firm
(the “Firm”) consolidated systems and processes, no systematic deletion or destruction of
information took place because there was no master retention schedule to ensure consis-
tent and defensible disposition.
In the highly regulated broker-dealer industry, clients and regulators expect that firms
retain and dispose of information appropriately and compliantly. Information governance
mistakes can be costly for broker-dealers so the stakes are high. In 2016, the Financial Indus-
try Regulatory Authority (FINRA) handed down $14.4 million in fines to a dozen firms for
breaches related to improper retention of electronic records and potential harm to investors.
Because the Firm aspires to be the best, information governance is a high priority.

Problem Statement
The Firm is transparent about the critical, ongoing need for a comprehensive oversight and
governance process to protect its proprietary information and clients’ PII. This and several
other factors contributed to its decision to launch an IG Program. They included:

• Enhanced Defensible Information Disposition Process. The Firm wanted

to update its master retention schedule to enhance the process for the
consistent, systematic, and defensible disposition of redundant and
obsolete information. Some information was being retained indefinitely and
often in duplicate.
• Risk from Over Preservation of Information. Retaining redundant and
obsolete information introduced risk to the Firm and its clients, including
exposure to security breaches of private information and industry
sweeps of firms by regulatory agencies. The SEC, for example, can and
does conduct risk-based examinations of broker-dealers to assess their
compliance with SEC Rule 15c3-3.
• Real Estate Consolidation. The Firm had to consolidate operations. With
an updated retention schedule, they anticipated the disposition of mostly
physical eligible and redundant information prior to the move, saving them
time and money.
• Biggest Pain Point of Employees Is Finding Information. The Firm used an
online polling system and learned that finding information is a significant
problem for many employees. If they cannot locate and access needed
11 4 / CH AP T ER 4

information in a timely fashion, clients may lose confidence and trust in the
Firm, and regulatory agencies may monitor them more frequently—risks
the Firm wanted to mitigate.

Approach Taken
In the first year after the merger, the Firm launched its IG Program by establishing a frame-
work of roles, policies, standards, and metrics to ensure the effective and efficient use of
information:

• The Information Governance Security Committee—Established the

Information Governance Security Committee to oversee information
security, privacy, and governance in a proactive manner; ensure the
establishment of strategies, controls, methodologies, and frameworks to
protect information resources/assets; and ensure the Firm is abiding by
the IG policies and retention schedule. The committee meets monthly.
• IG Policies—Updated the Records Management Policy, Data Classification
Policy, and Data Backup/Recovery Policy.
• Up-to-Date and Approved Retention Schedule—Consolidated three existing
retention schedules into a single “master” retention schedule containing
119 record series or buckets in a twelve-week project that included:
• Development of a new retention schedule classification scheme and
mapped information from the three existing retention schedules to the
new scheme.
• A third-party legal services provider identified the legal and regulatory
requirements for retention, privacy, and storage format for US federal as
well as for the 21 states in which the Firm operates. The requirements
were then mapped to the associated record series in the retention
schedule classification scheme—producing the first draft of the Firm’s
new, consolidated retention schedule.
• Gathering feedback and validation on the draft retention schedule
during which the Firm met with Subject Matter Experts (SME) at
all levels across the Firm. Fifty SMEs met in groups of two to six
participants in two separate review sessions. They were asked to:
• Identify any gaps in coverage of business functions and
processes.
• Review legal retention recommendations for reasonableness.
• If the retention requirement of the business is longer than the
legal retention requirement, provide justification for extending the
retention period.
• For records series without legal retention requirements, provide
the business requirement for retention (38 percent of the record
series had no federal or state requirements for retention, and
SMEs made retention recommendations).
• A presentation of the final draft retention schedule to the Information
Governance Security Committee and General Counsel, which included
 R EC OR DS R E TEN TION STR ATEG I E S: I N V E N TOR Y, APPR AI S AL , R E TE N TIO N , AN D DI SP OSI TIO N / 115

three requests to extend retention periods. The retention schedule and

requests to extend retention were approved.
• Presentation to the Firm’s Board of Directors for final approval.
• Employee Training and Awareness Program—Committed to establishing a
network of IG Coordinators across the Firm, training all employees on IG
policies and procedures, and monitoring for compliance with IG policies
and the retention schedule.

Results
Once the IG policies and retention schedule were approved, the Firm targeted quick wins
while at the same time planning for the rollout of the IG Program across the Firm.

Quick Wins
• Identified approximately 25,000–35,000 backup tapes that had satisfied
their retention requirement and could be destroyed. The Firm paid for the
one-time secure destruction by a third party and estimated off-site storage
cost savings of $4,000 per month going forward. In addition, the defensible
disposition of the obsolete data immediately reduced unnecessary liability
to the Firm during litigation or regulatory inquiry.
• Sought out caches of paper originals maintained after scanning because
the Firm considered scanned images to be the “official” record. On a trip
to a branch office, the Firm’s General Counsel identified a large volume
of paper files eligible for destruction pursuant to the Retention Schedule,
which were scheduled for immediate secure destruction.
• In the consolidation of operations, the Firm securely disposed of fifteen
filing cabinets of duplicates and obsolete information and reclaimed
more than 100 square feet of expensive office real estate. More cleanup is
expected before the consolidation is complete.

Rollout of the IG Program across the Firm

• Used Firm’s in-house media (newsletters, blogs, etc.) to make employees
aware of the IG Program and its activities.
• Initiated plans to:
• Communicate directly with managers and supervisors on details of the
IG Program rollout.
• Identify IG Coordinators, at least one per department plus one backup.
• Implement the annual information survey required in the Firm’s policy.
• Provide an IG portal for IG Coordinators and casual users to access
details on the firm’s IG Program including how long to retain a specific
record and where to get help with retention and disposition.
• Require annual certification of employees for compliance with the IG
Program.
• Require web-based training for all employees.
• Include the IG Program overview in new employee orientation.
11 6 / CH AP T ER 4

Lessons Learned
• Resistance. When resistance is met, dig into the problem to understand
all points of view and collaborate to identify a solution. Sometimes it
may be necessary to engage senior leaders or third parties to adjudicate
decisions such as requests to extend retention periods beyond the legal
requirement. Of course, when litigation or investigations are anticipated
or under way, destruction of information responsive to a matter is
suspended until the matter is settled.
• All Information Needs a Retention Period. Determine retention
requirements for information that is not covered by the retention
schedule such as drafts, duplicates, and convenience copies. For this
Firm, the policy states that information having short-term or transitory
value is to be retained only as long as needed for short-term operational
purposes and then disposed of.

Conclusion
As the custodian of clients’ personal and private information and due to the strict guide-
lines imposed by regulators, the Firm acknowledges the critical, ongoing need to provide
a comprehensive oversight and governance process to protect its information assets. In
the first year of its IG Program, the Firm sought to take small, prioritized steps in building
the program rather than “boiling the ocean” in an attempt to address all of the Firm’s IG
issues at one time. The Firm thinks training and awareness are paramount in the transition
to more IG controls and will require annual training for all employees. The Firm knows
there are technical solutions available to support the Firm’s IG program; however, a better
understanding of what employees and clients need is the first priority. Finally, the Firm is
committed to collecting metrics and monitoring for compliance with IG policies and the
retention schedule.

NOTES
1. Robert J. Johnson, Information Disposition: A Practical Guide to the Secure, Compliant Disposal of
Records, Media and IT Assets (Phoenix, AZ: NAID, 2017).
2. ARMA International, ARMA TR 22:2016, Glossary of Records Management and Information
Governance Terms (Overland Park, KS: ARMA International, 2016), 2.
3. Suzanne Etherington and Ann Marie Przybyla, Inventory and Planning: The First Steps in Records
Management (Archives Technical Information Series #76), New York State Archives, 2003, accessed
September 13, 2017. www.archives.nysed.gov/common/archives/files/mr_pub76.pdf.
4. Ganesh Vednere, “The Quest for eDiscovery: Creating a Data Map,” Infonomics 23, no. 6, 28–33.
5. Wayne Wong, “Managing Your Way to Data Compliance with a Data Atlas,” Information
Management (January/February 2012), 21–25.
6. International Organization for Standardization (ISO), ISO 15489-1:2016 Information and
documentation—Records management—Part 1: Concepts and principles, 10.
7. Ibid.
8. Mike Carthy, “10 Things You Need to Know about the GDPR,” Information and Records
Management Bulletin (March 2017), 196.
9. Ken Sweet, “Getting Up to Speed on the Equifax Data Breach Scandal,” ABC News, September 11,
2017, http://abcNews.go.com/Technology/wireStory/speed-equifax-data-breach-scandal-49771561.
 R EC OR DS R E TEN TION STR ATEG I E S: I N V E N TOR Y, APPR AI S AL , R E TE N TIO N , AN D DI SP OSI TIO N / 11 7

10. US Department of the Interior, “What is a Records Series.” Records Management Questions,
accessed September 14, 2017, https://www.doi.gov/ocio/policy-mgmt-support/information-and
-records-management/records-management-questions.
11. ARMA International, Website Records Management (Overland Park, KS: ARMA International,
2009).
12. Presidential Libraries, “Archived Presidential White House Websites,” last reviewed January 18,
2017, https://www.archives.gov/presidential-libraries/archived-websites.
13. White House.gov, “Privacy Policy,” accessed October 20, 2017, https://www.whitehouse.gov/
privacy#section-340861.
14. Internet Archive Wayback Machine, accessed October 20, 2017, https://archive.org/web/.
15. Heritrix, accessed October 20, 2017, https://webarchive.jira.com/wiki/spaces/Heritrix/overview.
16. Smarsh, “Point West Credit Union Uses Smarsh Web Archiving for Compliance Peace of Mind,”
accessed October 20, 2017, www.smarsh.com/case-studies/point-west-credit-union.
17. Florida Department of State, “General Records Schedule GS4 for Pubic Hospitals, Health Care
Facilities, and Medical Providers,” State Library and Archives of Florida, December 1997 (technical
updates May 2007), 6, https://www.unf.edu/uploadedFiles/anf/controllers/records_management/
GS04_Retention_Schedule_for_Health_Care_Facilities.pdf.
18. Texas Department of State Health Services, “State of Texas Records Retention Schedule,”
May 1, 2016, p. 3, www.dshs.state.tx.us/Records/MentalHealthHospitals.pdf.
19. FindLaw, “Time Limits for Filing Product Liability Cases: State-by-State,” accessed September 14,
2017, http://injury.findlaw.com/defective-dangerous-products/defective-dangerous-products-law/
state-time-limits-for-filing-product-liability-cases.html.
20. Ibid.
21. Ibid.
22. Internal Revenue Service (IRS), “How Far Back Can the IRS Go to Audit My Return?” IRS Audit
FAQs, last modified September 11, 2017, https://www.irs.gov/businesses/small-businesses-self
-employed/irs-audits#far-backs.
23. Securities and Exchange Commission, “SEC Adopts Rules on Retention of Records Relevant
to Audits And Reviews” (2013), accessed September 14, 2017, https://www.sec.gov/news/
press/2003-11.htm.
24. Ibid.
25. Massachusetts Society of Certified Public Accountants, Inc., The Record Retention Guide, 2004, 3,
www.cpa.net/resources/retengde.pdf.
26. University of California, “Records Disposition Schedules Manual,” accessed September 14, 2017,
www.ucop.edu/recordsretention/.
27. RecordLion. “Records Management Software,” accessed September 14, 2017, www.recordlion.com/
solutions/objective/records-management/.
28. Susan Cisco, “How to Win the Compliance Battle Using ‘Big Buckets,’” Information Management
(July–August 2008), http://content.arma.org/IMM/JulyAug2008/How_to_win_the_compliance
_battle.aspx.
29. National Archives and Records Administration (NARA), “NARA Bulletin 2010–03: Flexible
Scheduling,” Records Managers, May 3, 2010, https://www.archives.gov/records-mgmt/
bulletins/2010/2010–03.html.
 CHAPTER 5

Records and Information Access,

Storage, and Retrieval

INTRODUCTION

The active phase of the records lifecycle is one in which records managers traditionally had
little involvement. Paper records were stored in offices close to those who had reason to
refer to them during the conduct of business. Office workers were responsible for designing
and implementing filing systems, and records managers received custody of the records
when they became inactive.
The introduction of digital information and electronic information systems took some
of the responsibility out of the hands of office workers but placed it into the hands of the
information technology department. Records managers still had little involvement with the
active use of the information in the systems and devoted time to such activities as writing
policies and procedures, developing retention and disposition schedules, caring for inactive
records, and overseeing the disposition of records either through destruction or transfer to
an archives.
Recently, however, the explosion of digital information and the proliferation of elec-
tronic information and communication systems have transformed the way records manage-
ment is perceived and practiced. Records have value both for their content and as evidence
of communications, decisions, and actions. Records and information professionals are ex-
pected to understand the business processes, identify records-related risks, and partner with
other stakeholders to ensure that the implementation and use of new systems and emerging
technologies will comply with governing laws and regulations. The Australian government
terms this new era of records management digital records and information management.1
Today almost all records are created digitally, but some paper-based practices still ex-
ist. The records manager can help the organization make a transition from the practice of
retaining paper records to a digital records and information program by identifying existing
work processes and determining where paper-based practices can be replaced by digital
practices. This requires an understanding of information systems used to conduct daily
operations.
In the previous chapter, you were introduced to an archival approach to identifying
records by starting at the end of the workflow, identifying records in existence, and ensur-
ing they are managed according to a records retention and disposition schedule. But there
is a second approach, known as the systems analysis approach. This approach requires the
records manager to start at the point of creation (or planning, when possible), following
each step of the workflow to identify the type of records created and indicating the records
series to which the resulting records belong. Because records and information managers

/ 119 /
12 0 / CH AP T ER 5

are increasingly part of an information governance team, an understanding of the business

process is essential not only to identify and manage records but also to improve the process.
During this active phase of the information lifecycle, records and information managers
can contribute their expertise to decisions being made about workflow processes, access
controls, storage systems, metadata, and the search and retrieval processes.
Operational efficiency can be enhanced when automated processes are introduced or
improved. In most cases, business practices will be changed to fit the new and improved
process. The activity of reviewing existing business practices in order to make these changes
is called business process analysis. Two approaches that can be used to better understand
current business practices are business process mapping and the development of workflow
diagrams.

BUSINESS PROCESS MAPPING AND WORKFLOW PROCESS

Business process mapping and workflow diagrams can help an organization identify records,
streamline its operations, reduce redundant work tasks—and therefore duplicate records—
and improve efficiency.

Business Process Mapping

A business process identifies how work is done within an organization, not what is done.
“Business process mapping is a way to visualize what a business does by considering roles,
responsibilities and standards.”2
Organizations create value for their stakeholders by developing more efficient and ef-
fective operations; this is called business process improvement. The process can be illustrated
as a series of activities that contribute to a specific output. Those same activities contribute
to the creation of records that must be captured and managed. Purchasing, for example, is
a straightforward function found within any organization. However, the missions of pur-
chasing departments may vary. The purchasing department of the University of Alabama
has developed the following mission and vision statements to guide its practices:

The Purchasing Department’s mission is to continually identify and incorporate inno-

vative purchasing practices that will support the teaching, research, and service efforts
of The University of Alabama.
Our vision is to create customer satisfaction by providing value and efficiency to
each purchase request while adhering to University policy, state law, and sound busi-
ness practices.3

Before the purchasing department can take control of the purchasing process, a requisition
must be submitted by the requesting department and approved by those with authority to
do so. Although a number of individuals may be involved in the requisition and purchase
process, the primary user is concerned with one thing—ordering and receiving the necessary
goods and services.
Once the goods or services have been received, two different documents may also be
received: the bill of lading and a vendor invoice. The bill of lading is the official document
prepared by the carrier duly accepting goods for shipment containing information, which
 R E C O R DS AN D I N F O R MATIO N AC C E S S, STO R AG E , AN D R E TR I E VAL / 121

includes the item, quantity, value, date, and more.4 This bill of lading is a contract to carry
goods to the intended destination. It is the basis by which the seller can claim consideration
(bill for the products) and the buyer can take delivery of the goods. The vendor invoice is a
bill generated by the vendor and submitted to the purchaser once delivery is made.

Workflow Diagrams for a Paper-Based Business Process

Workflow is a term used to describe the tasks, procedural steps, organizations, or people
involved, required input and output information, and tools needed for each step in a busi-
ness process.5 A workflow diagram is used to visually represent the components of the busi-
ness process. The workflow will vary from one organization to another depending upon the
size of the organization and the organizational structure. An example of a manual requi-
sition/purchase ordering process for an organization that has a purchasing department is
shown in figure 5.1.
In this manual system, we follow the process from the creation of a purchase requisition
through the approval process and receipt of a purchase order by the vendor.
Although not illustrated in figure 5.1, the bill of lading is returned to the purchasing
department to provide evidence of delivery. A vendor invoice may accompany the delivery
or be sent to the purchasing department separately. If it accompanies the bill of lading, it
is also sent to purchasing marked with the corresponding purchase order number for veri-
fication purposes. Upon verification, the purchasing department sends the vendor invoice
to the accounts payable department for payment (if it has not been prepaid). The origi-
nal paper invoice is retained by accounts payable, often for the remainder of the current

FIGURE 5.1 Workflow for manual requisition and purchasing process.

12 2 / CH AP T ER 5

fiscal year plus six years. A copy of the purchase order is filed and retained by the initiating
department and the purchasing department according to the records retention schedule,
commonly three years within the purchasing department but only one year within the de-
partment that requested the order. The retention periods and departments involved may
differ from one firm to another.
Within this manual process, the same data may be entered more than once and dupli-
cate copies of documents are likely to exist within and across departments. An analysis of
the workflow can result in savings of time and space if the manual process is modified—but
the ideal solution is to automate this process.

Workflow Diagrams for a Digital Process

Today, most records—including purchase orders—are born digital. They are created using a
variety of software and technologies, many with a web-based interface. And because of the
ease of access to digital records, use takes on a whole new meaning. Let’s return to the pur-
chase order as an example of an automated requisition and purchasing system, the records
created, and the operational and informational value that can be derived.
The requisition creation and approval process can be made more effective through the
use of an automated requisition system that focuses on efficient workflow. User security
measures ensure that the end user preparing the purchase requisition can access only her
or his own accounts. The end user may be required to enter quotes for the requested items.
Those quotes may be electronically attached or scanned into the requisition maintenance
screen for future reference.
The workflow process informs those with the authority to approve purchase requisi-
tions that there are requisitions awaiting approval. In some organizations, there may be
more than one level of approval. The purchase requisition may be rejected at any level of
the approval process for various reasons, for example, if the amount requested is higher
than the approved spending limit. The outcome of the purchase requisition process is the
purchase order as shown in figure 5.2.
The features of an automated requisition/purchasing process are many and can extend
beyond the act of submitting a purchase order. The basics of the automated requisition
process can include adding and maintaining suppliers, adding new requisitions, requisi-
tion approval workflow, requisition revisions and cancellations, converting requisitions to

PURCHASE PURCHASE
ORDER ORDER

e
Online 1st Level 2nd Level Purchase PO Received/fulfilled
Requisition Approval Approval Order Transmitted by Supplier

FIGURE 5.2 Automated requisition/purchase order workflow.

 R E C O R DS AN D I N F O R MATIO N AC C E S S, STO R AG E , AN D R E TR I E VAL / 12 3

purchase orders, receiving processes, invoice matching, and closing purchase orders and
requisitions.
In spite of the benefit of automating the requisition and purchase process, users ac-
customed to shopping online understand there is a better way to gather information and
complete requisition requests—such as access to online catalogs and a shopping cart. And
accounts payable personnel recognize the value of integrating the purchasing process with
accounts payable systems. Vendors taking advantage of these new opportunities to satisfy
the needs of the customers offer e-procurement (procure-to-pay) options.

e-Procurement and Procure-to-Pay Suites

“e-Procurement (electronic procurement) is the business-to-business (B2B) requisitioning,

ordering, and purchasing of goods and services over the internet.”6 From the employee’s
perspective, this is an attractive option that allows him or her to select the needed items
(i.e., those that match the procurement office’s requirements for cost, quality, and supplier)
from online catalogs; complete a requisition for the items; and track delivery status.
Figure 5.3 illustrates the Purchase-to-Pay process (also known as Procure-to-Pay and
P2P) offered by Basware (one of only three leaders in Gartner’s 2016 Magic Quadrant for
P2P Suites). As seen in figure 5.3, creation involves visiting the marketplace and placing
needed items in a shopping cart. In addition, the process involves reconciling invoices with
purchase orders as well as payment plans and taking advantage of discounts when war-
ranted. When the invoices are reconciled, an “ok-to-pay” trigger is sent to the accounting

FIGURE 5.3 Purchase-to-Pay Process offered by Basware.

SOURCE: www.basware.com5.
124 / CH AP T ER 5

system. A dashboard allows the organization to analyze transactions and generate reports
that can be used to consolidate suppliers, negotiate better pricing, improve time between
delivery and payment for invoices to take advantage of discounts, and more.
Among the benefits of moving to a P2P process are:

• reduction in operational expenses

• increased user adoption on the requisition end
• supplier consolidation based on analysis of reports
• on-time payments through automatic reconciliation of invoices and
receipts
• reduction of spending on Accounts Payable (AP) through automation
• improved discount capture ratio through AP automation solution

In 2017, Basware released a whitepaper citing three disruptive trends that will shape the
finance and procurement process going forward: 1) artificial intelligence (AI) and robotic
process automation (RPA), 2) predictive analytics, and 3) Blockchain technology. The best
advice they give is to hire people that have the breadth of skills to work alongside technology
and provide on-going training to current staff to prepare them for these new possibilities.7
Regardless of the system, one thing is certain: controls are necessary to ensure that
only authorized individuals have access to the system. That access will be conditional based
upon roles and responsibilities.

ACCESS CONTROLS

Access control is the process by which users are identified and granted certain privileges to
information, systems, or resources. Access controls can allow or deny access to a physical
environment or an electronic environment. There are three types of access control meth-
ods: logical, physical, and administrative.8

Physical Access Controls

Attempt to board an airplane and you will understand physical access controls. You cannot
check your luggage unless it is screened. In addition to scanning, human screeners often
open and inspect the luggage. You cannot get into the boarding area unless you and your
carry-on baggage are screened, most often automatically but at times by human screeners
conducting what, in some cases, amounts to a “pat down.” And, you can’t board the airplane
unless you prove you have purchased a ticket, been provided a seat, and are who you say you
are. Authentication is established by providing a government-issued picture ID such as a
valid driver’s license or a current passport.
If you work in any large public or private organization, you understand that physical
controls are used there as well. You may be issued a badge with your employee ID, name,
and picture. The badge likely will serve as a smart card that can be read electronically. Once
you are in the building, keypads may serve as another layer of security to control access
to restricted rooms. Access to physical assets can be further controlled through the use of
containers such as file cabinets, safes, or vaults that are protected and require codes, keys,
or combinations to open.
 R E C O R DS AN D I N F O R MATIO N AC C E S S, STO R AG E , AN D R E TR I E VAL / 125

I n 2017, the Apple iPhone X was announced. Its most exciting feature was Face ID—fa-
cial recognition used to unlock the screen. The intended benefits are increased user
convenience and security. Apple claims Face ID is more reliable than Touch ID (fingerprint
recognition). The chance of someone else unlocking your phone with Touch ID is one in
50,000, but with Face ID it is one in a million.
Face ID is accomplished by the use of a camera and 3-D scanner to both record
an image and measure the contours of facial features using 30,000 invisible points to
create a 3-D map that can be read by an infrared camera. An infrared light is beamed
at the user’s face to help recognize it even in the dark, and the camera can adapt to
the user’s physical changes.
Concerns over successful attempts to beat facial recognition in the past using
pictures and models of the subject’s face were dismissed because of the unique 3-D
process Face ID employs. Concerns linger, however, because if someone does find
a way to fool the system, they can do so forever. Passwords can be changed easily;
the contours of your face cannot. In addition, it is easier to coerce you to unlock your
phone by positioning the camera in front of your face than forcing you to reveal a
password.
SOURCE: Bloomberg Business Week, “Why iPhone X Face Recognition is Cool and Creepy,”
accessed September 23, 2017, https://www.bloomberg.com/news/articles/2017-09-15/
why-iphone-x-face-recognition-is-cool-and-creepy-quicktake-q-a

Some corporate biometric access control systems based on a card, pin number, or fin-
gerprint can handle thousands of users and be configured via a secure connection from any
standard web browser. Access policies, user management, and reporting can be controlled
from an administrator’s desk. Of all the biometric devices and scanners available today, iris
cameras are considered the most accurate. They perform recognition detection based on an
analysis of patterns visible within the iris of an eye.
Physical access controls can be breached, some more easily than others. IDs can be
forged and buildings can be entered by waiting for someone else to open the door and walk-
ing in behind them as if you belong. Security requires layering the access controls in the
hopes that a breach at one layer (e.g., workplace perimeter) will be discovered when the
person moves on to the next layer (e.g., building), and the next (e.g., secure room).

Logical/Technical Access Controls

Protecting electronic information involves both physical and logical access controls. Log-
ical access controls often entail the use of multiple security controls and authentication
techniques. Logical access controls are found in databases, applications, servers, and even
in transit. Access to critical data should be determined by a person’s role, and the need for
access should be reviewed regularly.
The information technology (IT) manager must work with the business unit managers
(data owners) to determine what access an employee should have to business information
systems; for example, who needs access to the requisition and purchase order process in
our previous example. Access could be extended to stakeholders outside of the organization,
including vendors and clients. The records manager could work with IT to determine where
12 6 / CH AP T ER 5

records are created, how they are captured, and who needs access.
When used by a firm that allows access from outside the country, IT access policies
should be set by geographic region and then by user roles and responsibilities. This ap-
proach will help the firm comply with differing international standards for privacy. Just
as with ID badges for physical control, identification credentials (e.g., a digital signature)
must be issued to authenticate the user. Three factors can be required for authentication:

• something you know (e.g., a password)

• something you have (e.g., a certificate with associated private key or smart
card)
• something you are (e.g., a biometric such as fingerprint, iris, or facial
recognition)9

Authentication assurance increases with the addition of a second and third authentication
technique. In addition to establishing proof of identity, authorization to access the asset
must be confirmed.
Today’s technology allows employees to engage in telework (also called remote or virtu-
al work), and organizations in the public and private sectors are taking advantage of its
benefits. This means, however, a growing number of individuals need access to sensitive
information from outside the corporate firewall. Access can be provided through a virtual
private network (VPN), which requires encryption and authentication of the remote client
prior to access.
Access controls must also take into account mobile users of the system. In addition
to the physical and logical access controls already discussed, networks can be made more
secure to prevent unapproved access that could result in loss for the organization. These
access controls would be applied by those responsible for information security. Two exam-
ples are:

• a remote access server (RAS) or network access server (NAS) that functions
as the access control point to allow or deny access to the local network; and
• firewalls that control traffic flow between a trusted network and an
untrusted network.

Access Controls and Cloud Computing

Access control is a key concern when a firm moves critical applications and sensitive infor-
mation to public and shared cloud environments. Cloud providers—such as Amazon, IBM,
Google, Salesforce.com, and Microsoft—must provide access controls at least as robust as
those employed by the client firm. Humans are still a factor, and employees of the firm pro-
viding cloud services must be screened and trained to the same standards as the client firm’s
own employees. Physical location of the cloud provider’s data center must be evaluated for
its physical security features, including authorized access and network requirements.
A service level agreement (SLA)—also known as a terms of service (TOS) agreement—is
your contract with the cloud provider. Read it carefully, understand the contents, and ne-
gotiate the terms where possible to reduce risks to your organization.
When evaluating the feasibility of contracting with a cloud service provider, keep
in mind that access is dependent upon the internet. How will the organization operate if
 R E C O R DS AN D I N F O R MATIO N AC C E S S, STO R AG E , AN D R E TR I E VAL / 12 7

Factors to Consider When Selecting a Cloud Vendor

• certifications and standards
• technologies and service road map
• data security, data governance, and business policies
• service dependencies and partnerships
• contracts, commercials and SLAs
• reliability and performance
• migration support, vendor lock, and exit planning
• business health and company profile
Cloud Industry Forum, “8 criteria to ensure you select the right cloud service provider,” accessed January 28, 2018,
https://www.cloudindustryforum.org/content/8-criteria-ensure-you-select-right-cloud-service-provider

internet access is interrupted at either the vendor’s or the organization’s location? This is
an issue that must be addressed in relation to the organization’s disaster preparedness and
business continuity plan for major interruptions. But minor interruptions due to network
saturation, bandwidth capacities, and incompatibility with the organization’s architec-
ture will also adversely impact business operations.

Administrative Access Controls and Social Media

A third method to control access results from administrative action that includes develop-
ing policies and procedures, providing education and training, and monitoring and evalu-
ating use. These controls must remain current to reflect the use of emerging technologies
and evolving laws and regulations. In order to protect the organization from risk related to
social media use, access control processes should complement the social media and records
management policies. Social media used to reach out to the public involves technologies
controlled by third-party providers; content may be stored in multiple locations; content
may be created by multiple collaborators; and interactive content management may be a
requirement. Many of the factors to be considered when selecting a cloud provider apply
when evaluating the use of social media.
Although most employees will engage in social media activities in their private lives,
social media activities on behalf of the firm can be limited to authorized employees. Those
employees should understand their roles and responsibilities. They should be provided user
IDs and passwords to access the account(s) and to speak on behalf of the organization. The
best protection for both the individual engaging in social media interactions and the orga-
nization requires the development of clear but comprehensive social media and records
management policies followed by employee education and training.

ACTIVE STORAGE SYSTEMS

Records in the active phase of the records lifecycle are stored in a way that allows daily
access and use. Physical records can remain in file cabinets in the office environment, close
12 8 / CH AP T ER 5

to those who refer to them in the course of business. In education, for example, student
folders with documentation of courses required for programs, courses already taken, and
courses planned might be located in the advisor’s office, easily accessible for use during
meetings with students. When use drops off, such as when a student graduates or transfers
to another school, permanent records are often microfilmed and stored in physical control
containers, such as vaults.
In an electronic environment, information used in the course of business is also stored
in a manner that allows immediate access. For example, student information today most
likely resides in a student information system (SIS), also known as a student records system
(SRS). The SIS is a software application used to organize student information and conduct
operations. The systems vary in size, scope, and capability, and the functions of the system
can support admitting, advising, and registering students; recording grades; and storing stu-
dent records. In addition to allowing the advisor access to information about a student, the
same information can be made available to multiple users—including the student—simul-
taneously. Access rules can be set up to allow access only to the information users need to
perform their work.
Retention requirements must be considered when deciding upon the storage medium
used. For example, the University of Pennsylvania’s current Records Retention Schedule
that sets the requirements for student records is shown in table 5.1.10
The schedule shown in table 5.1 mandates that transcript requests should be disposed
of after one year. They can be digitized and stored electronically or stored as paper in a file
folder in a cabinet in the office until the end of that year. Grades should be retained per-
manently. If they are retained electronically, they could remain in the SIS for fast retrieval,
but their use would diminish over time. Transfer to a more permanent medium such as

TABLE 5.1 University of Pennsylvania records retention

schedule: Academic/student records.

RECORD TYPE RETENTION PERIOD

Admission records 10 years

Grade records Permanent

Other academic records 5 years

Career planning and placement 4 years

Class schedules Transfer to UARC after 2 years; permanent

College Catalog Transfer to UARC after 2 years; permanent

Degree audit records 5 years after date of last attendance

Disciplinary action records 5 years after graduation or date of last incidence

Student academic files (departmental) 5 years

Transcript requests 1 year

SOURCE: University of Pennsylvania, University Archives and Records Center, “University of Pennsylvania Records Retention
Schedule: Academic/Student Records,” University Records Center. Last modified June 17, 2011, www.archives.upenn.edu/urc/
recrdret/studtacad.html.
 R E C O R DS AN D I N F O R MATIO N AC C E S S, STO R AG E , AN D R E TR I E VAL / 12 9

microfilm for long-term storage may be a more viable option than managing the informa-
tion in a database permanently.
According to the university guidelines, the office of origin has the option of maintain-
ing most records in their office or of transferring them to the university records center. In
some cases, however, permanent records, including class schedules and the college catalog,
must be transferred to the university archives and records center. Inactive records manage-
ment and long-term preservation will be discussed further in chapters 11 and 12.
Student information systems can be integrated with other tools, such as learning man-
agement systems (LMS) used for online instruction. If so, grades computed in an LMS could
be transferred electronically into the SIS at the end of the term. Grades stored in a grade
book database in the LMS and transferred to the SIS utilize structured data, that is, in col-
umns and rows of data.
In addition to the information stored in databases, other systems—both paper and
electronic—hold different types of data. Student requests for transcripts, for example, may
arrive in the mail in the form of a letter. Regardless of whether the letter is filed in a physical
file or scanned into a content management system, the data contained is unstructured and
difficult to search. Schools also provide information for prospective and current students
on their website in addition to or in place of the traditional print catalog. Data contained
in webpages may be stored in a web content management system with associated metada-
ta to enable search and retrieval based on content. That data is considered semi-structured.

Structured, Unstructured, and Semi-Structured Data

The terms structured data, unstructured data, and semi-structured data have long been used
by professionals in the information technology sector. Because a team approach is needed
to manage information and records today, records and information managers should under-
stand the vocabulary that may be used by other
members of the information governance team.
More important, though, is understanding the
systems that manage these types of data. Sim-
ply put, structured data is synonymous with
database data managed by database manage-
ment systems and unstructured data with elec-
tronic objects managed by electronic document,
electronic content, and electronic records man-
agement systems.

Structured Data
Most of us consult structured data every time we
visit the grocery store. The data listed on prod-
uct labels as “Nutrition Facts” is structured data
(see figure 5.4). FIGURE 5.4 Nutrition labels contain
However, the term structured data refers structured data. The Entity is “Nutrition
more commonly to a database where specific Facts” for this particular product.
information is stored based on a methodology of The Attributes are Calories, Total Fat,
columns and rows. Databases can be classified Cholesterol, and so on.
13 0 / CH AP T ER 5

based on the content type, for exam-

ple, bibliographic, document-text,
statistical, or multimedia objects.
They can also be classified according
to their application, such as account-
ing, movies, manufacturing, or insur-
ance. Metadata associated with each
of the records within the electronic
file are used to display those records
within columns and rows as shown in
figure 5.5. Structured data are easily
searched, mined, and manipulated.

Data Presentation
FIGURE 5.5 Structured data can be replaced by Reports, tables, and charts provide
the term database data, because this describes snapshots of data in the database at
the format and presentation requirements of this specific points in time. These for-
information. mats make it easier for the busy indi-
vidual to derive meaning from the
data stored in a database. For example, the fact that a grade of B was earned by 40 percent
of the students although a grade of C was earned by only 10 percent is easily and quickly
understood by those viewing figure 5.6.
Reports, tables, and charts produced from data in the database can be managed with soft-
ware intended to manage unstructured objects, for example, electronic document manage-
ment, electronic content management, and electronic records management system software.

Relational Database Management Systems (RDBMS)

The student grades example in figure 5.5 displayed information from one database table
that contained the student ID, student name, and student grade. But, popular database
management systems are relational systems (RDBMS) that store data in collections of
tables (also called entities). Each table consists of columns (properties of the table referred
to as fields, such as student name and grade) and rows (also called records, such as an indi-
vidual student’s record) as shown in figure 5.7.11 Relations are defined between tables for
cross-referencing using a primary key, for example, the ID assigned to each student. Data
can be pulled from more than one table in a relational database to create a record (student
scores on assignments and tests, for example).
Information technology personnel are usually responsible for managing the relation-
al database, but they may not understand the records retention implications of creating
records using data from tables in a relational database. Because the official record is com-
prised of the tables’ fields, rows, and elements, plus the relationships between the tables,
the record will be incomplete if one table containing information used to build the record is
missing. RIM professionals must ensure that the records retention schedule is modified so
that when it is applied to structured content, none of the tables are removed prematurely.
This involves working with IT, and under certain circumstances the vendor, to explain what
the different records series mean and how to apply the records retention schedule so that
data are not disposed of without consideration of the relationships between that data and
other data in the database.
 R E C O R DS AN D I N F O R MATIO N AC C E S S, STO R AG E , AN D R E TR I E VAL / 131

Unstructured Data
C
IDG estimates unstructured data is
10% A
growing at the rate of 62 percent per 30%
year, and that by 2022, 93 percent of
all data in the digital universe will B
40% A-
be unstructured, primarily from the
B+ 10%
emergence of social media networks; 10%
customer information from telcos
and utilities such as call history, mes-
saging logs, and usage trends; and
information services such as traffic
data, weather information, and stock
indices.12 FIGURE 5.6 End-of-term letter-grade
Unstructured data has no well- distribution for students in one class.
defined model or schema for accessing
information and typically includes digital images and objects, text, and other data types not
part of a database (see figure 5.8). Email messages, instant messages, Word documents, images,
PowerPoint presentations, blogs, Twitter posts, and MP3 files are all examples of unstruc-
tured data.
An easy way to determine if an item is unstructured is by asking if it is easily searchable
(i.e., without adding metadata or using a crawler like an index server). If the answer is no, it
is unstructured data. One of the biggest challenges facing organizations today is discovering
a way to extract value from the vast amount of unstructured data produced. Organizations
can capitalize on this vast amount of data by applying business intelligence applications and
technologies for gathering, storing, analyzing, and providing access to unstructured data in
order to help the enterprise make better business decisions.13
Wall Street traders, for example, found they can use computer programs to monitor
and decode words, opinions, and even keyboard-generated smiley faces posted on Twitter.
Johan Bollen, a professor at Indiana University and coauthor of the study linking Twitter

FIGURE 5.7 The Primary key (ID in bold) in each table relates to the same ID
in another table.
13 2 / CH AP T ER 5

FIGURE 5.8 Unstructured data examples.

mood measurement to stock market performance, claims an 87 percent accuracy rate in us-
ing Twitter mood measurements to predict Dow stock prices three to four days later.14 The
“Bollen Study” remains the most cited paper investigating the link between sentiment data
and predictive models for trading.
This type of knowledge about human emotions can be used as a basis for placing trades
that profit from the information. Organizations can use sentiment analysis to gauge the
reception a newly announced (but not yet available) product is receiving. As mentioned
earlier, the Apple X iPhone introduced FaceID, enhanced facial recognition for unlocking
the phone. An analysis of 150,000 Twitter comments immediately after the announcement
revealed slightly more negative than positive comments. A study of the negative comments
may lead to product improvement or at least a change in messaging. One of the messages
asked, “Can the police compel a suspect to look into their iPhone X to unlock it?” One of the
negative comments had to do with product design, “The iPhone X’s screen is all glass front
and back. So if it cracks I can be disappointed from both sides.”15
Structured data has been an IT-led activity, but unstructured data are best understood
by the business units working with the data. Records managers play a role in identifying the
multiple ways in which unstructured data are generated and can assist the organization in
developing a strategy to capture, manage, and derive value from it.

Semi-Structured Data
Once unstructured data has been organized and/or has metadata attached that describes
content, it is considered semi-structured. SharePoint lists, document libraries, and project
and team sites are examples of semi-structured data. Although the web may appear to be a
vast database, most of the information on the web consists of unstructured data. Hypertext
 R E C O R DS AN D I N F O R MATIO N AC C E S S, STO R AG E , AN D R E TR I E VAL / 13 3

FIGURE 5.9 Comparison of HTML and XML markup.

Markup Language (HTML) is the publishing language of the Web, and it is used to provide
structure that tells the web browser how to present the page. But webpages marked up with
HTML tags cannot be queried based on those tags. When the Extensible Markup Language
(XML) is used to describe the content of the HTML document, those documents can be
queried based on that content. XML is not a replacement for HTML; it doesn’t do anything
except wrap information in tags that can be used by software to send, receive, or display it.
In figure 5.9, the HTML tags <h1> </h1> surrounding the word bibliography tell the web
browser that the word should be displayed as a header (large, bold). The <p> </p> tags tell
the browser the content between the opening and closing tags should be treated as a para-
graph, which means adding a blank line before and after. The <cite> </cite> tags instruct
the browser to tag the words between the opening and closing tag as a title of a work and to
display the title in italics. The <br> creates a line break on the webpage. These tags provide
display instructions to the browser, but they don’t facilitate search and retrieval of a work
based on the title, any of the authors, the publisher, or the date of publication.
XML is a markup language for documents that contain structured information. How-
ever, because XML files don’t conform to the formal structure of tables and data models
associated with databases, information contained within an XML document is considered
semi-structured. In addition to web documents, semi-structured data can be found in
e-commerce transactions, mathematical equations, vector graphics, object metadata, and
server application programming interfaces (APIs).

Big Data

Now let us turn our attention to the pie chart in figure 5.10 illustrating distribution of the 58
million strong Hispanic population in the United States at the start of 2016 based on data
13 4 / CH AP T ER 5

FIGURE 5.10 Distribution chart illustrating Hispanic population by state

adapted from two data sources.
SOURCE: Pew Research Center and “How the U.S. Hispanic Population is Changing.” www.pewresearch.org/fact-
tank/2017/09/18/how-the-u-s-hispanic-population-is-changing/.

from 2015 American Community Surveys. This type of data is considered Big Data, which is
difficult to work with using traditional data management options.
Big Data can be defined as “data so large that it is difficult to process with traditional
database and software techniques.”16 The term can be used to describe both structured and
unstructured data “consisting of billions to trillions of records of millions of people—all
from different sources (e.g., web, sales, customer contact center, social media, mobile data,
and so on).”17 Big Data could be used to describe the tools and techniques used to manage
Big Data sets. Challenges and opportunities are presented by three properties of Big Data:
volume, variety, and velocity.
Organizations can incorporate Big Data techniques into their existing architecture.
For example, radio frequency identification (RFID) tags can be used to track every product
manufactured by an organization and stocked in product warehouses and consumer stores
around the globe, providing updates that can be used to understand what is being purchased
and where. Market intelligence can be mined from billions of tweets that are posted to
Twitter each month. Complex machinery producing terabytes of data per hour can be mon-
itored and examined by engineers in near real time or can be mined later for engineering
improvements.
Cloud technologies are increasingly used to store and process large amounts of data.
Enterprise Integration Platform as a Service (iPaaS), first used for “cloud service integra-
tion (CSI) and application to application (A2A) integration is increasingly used for business
to business (B2B) integration, mobile application integration (MAI), API (application pro-
gramming interface) publishing, and Internet of Things (IoT) integration.”18
 R E C O R DS AN D I N F O R MATIO N AC C E S S, STO R AG E , AN D R E TR I E VAL / 13 5

Data Mart, Data Warehouse, and Data Lake Systems

One way to gain valuable insights from the huge amounts of fast-flowing data facing large
enterprises today is to transfer a copy into a data warehouse where it can be queried and
analyzed without negatively impacting the transaction system. In a 2016 report issued by
Amazon Web Services, a data warehouse is described as “a central repository of information
coming from one or more data sources. Data typically flow into a data warehouse from
transactional systems and other relational databases, and typically includes structured,
semi-structured, and unstructured data.”19
As defined by Bill Inmon, the “father of data warehousing,” a data warehouse is a “sub-
ject-oriented, integrated, time-variant and non-volatile collection of data in support of man-
agement’s decision-making process.” Ralph Kimball, the “father of business intelligence,”
preferred a more simple definition with the focus on function: “A copy of transaction data
specifically structured for query and analysis.”20 Both Inmon and Kimball recognized the
need to bring copies of valuable data together so that it can be queried and analyzed to sup-
port strategic decision-making. The difference in their philosophy rests mainly on which
comes first, the data warehouse or subsets called data marts.
A data mart is a specific, subject-oriented repository of data gathered from operational
data and other sources and designed to serve the needs of a particular community (e.g., a
specific department or team) of knowledge workers. The key objective is to provide the

TABLE 5.2 Data warehousing and data marts—two perspectives.

BILL INMON RALPH KIMBALL

Father of . . . Data warehousing Business intelligence

Credited with coining the term “data Credited with defining the concepts
warehouse” behind “data marts”

Definition A subject-oriented, integrated, time- A copy of transaction data specifically

of data variant, and nonvolatile collection structured for query and analysis.
warehouse of data in support of management’s
decision-making process.

Focus Design Functionality

Paradigm An enterprise has one data Data warehouse is the conglomerate

warehouse, and data marts source of all data marts within the enterprise.
their information from the data Information is always stored in the
warehouse. dimensional model.

View of data Data warehouses can become Start with building several data marts
marts enormous, with hundreds of gigabytes that serve the analytical needs of
of transactions. As a result, subsets, departments, followed by “virtually”
known as “data marts,” are often integrating these data marts for
created for just one department or consistency through an information
product line. bus.

NOTE: Data warehouses in most enterprises resemble Kimball’s idea because they start out as a departmental effort,
originating as a data mart. Once additional data marts are added, a data warehouse is created.
13 6 / CH AP T ER 5

business user with the most relevant data as quickly as possible. The data warehouse is a
central aggregation of data (which can be distributed physically) that starts from an analysis
of what data already exists and how it can be collected and later used.21 A comparison of the
two perspectives is provided in table 5.2.
Both the data warehouse and data mart organize data to fit the context of the database
scheme into which it is transferred. Another option is to retain the data in its structured,
semi-structured, unstructured raw format in a data lake. Data lakes add structure to the
data only once it has been transferred back out to the application layer, as illustrated in
figure 5.11.
Integration Platform as a Service (iPaaS) solutions typically include capabilities such
as data mapping and transformation as well as integration flow development and life cycle
management tools. One provider considered “the” leader in the 2018 Garner Magic Quad-
rant is Informatica. This firm provides various options of cloud integration capabilities that
include data lake management.22

FIGURE 5.11 Data remains in lake in native form until processed.

SOURCE: Dunn Solutions Group, www.dunnsolutions.com.—a digital transformation consultancy
focusing on analytics and e-commerce automation
 R E C O R DS AN D I N F O R MATIO N AC C E S S, STO R AG E , AN D R E TR I E VAL / 13 7

Records managers immediately recognize that the contents of data warehouses, data
marts, and data lakes are duplicates of data already in existence. The question is, “Are the
data stored in data warehouse records?” Some believe “they are and the records manager
should have overall responsibility for the data.”23

SEARCH AND RETRIEVAL PROCESS

The search and retrieval process is dependent upon the storage system(s) in use. Storing
data is one side of the coin; the other side is being able to retrieve it. Let us look at each data
type—structured, unstructured, semi-structured—and some associated search and retrieval
methods.

Structured Data: Search and Retrieval Methods

From a user standpoint, it is not necessary to understand how to program a database, but it
is important to understand how to use a database management system and its search and
retrieval mechanisms to obtain the desired information.
Structured data are stored in a database that can be presented in tables comprised
of columns and rows. Programming languages have been developed to manage structured
data. Structured Query Language (SQL), which is an American National Standards Institute
(ANSI) and International Organization for Standardization (ISO) standard, is the original
data definition and query language for updating, deleting, and requesting information from
databases. The program runs on a server interpreting actions taken by users who manipu-
late the data using tables, columns, rows, and fields. The client programs send SQL state-
ments to the server for processing. The replies are returned to the client program.
A database management system is necessary to access and process data contained in
the SQL database. MySQL is a popular open-source database management system used in
web applications. SQL is also used in commercial applications.

Structured Search and Retrieval Example: Lexis/Nexis

LexisNexis is a subsidiary of the RELX Group (formerly Reed Elsevier). The group started
in 1970 as a database named LEXIS that was a continuation of the Ohio State Bar’s efforts
to offer full-text searching of all Ohio court cases. By the time it went public in 1973, it had
added New York cases to the database. In 1980, the database contained all of the US federal
and state cases, and the NEXIS service was added to give journalists a searchable database
of news articles.
If you visit LexisNexis Support, you will encounter an abundance of resources available
to help the researcher.24 Basic search tips make recommendations on the use of capital let-
ters, connectors, noise words (stop words such as a and the that are disregarded in a search),
developing a search request, and an introduction to traditional Boolean searching. To find
documents concerning employee drug tests, for example, you might use this search request:
Drug w/5 test or screen! w/10 employ! This search request is not natural language. The user
must learn how to search on this system in order to locate the desired information. And this
is only one type of system. Search tips for other databases reveal different strategies that
must be employed by the user.
13 8 / CH AP T ER 5

Basic Search Terms

keyword search: A type of search that looks for matching documents that contain
one or more words specified by the user. This is a good option to find a document
when you do not know the authorized subject heading or the complete name of
the author of the document.

Boolean search: A type of search allowing users to combine keywords with operators
such as AND, NOT, and OR to make keyword-based text searches more precise.
Boolean operators can be used with most databases and web-search engines.

faceted search: Also called guided navigation, faceted search is a type of navigation
model that leverages metadata fields and values to provide users with visible
options for clarifying and refining queries. Faceted searches allow the users
to filter data through multiple paths and different ordering. Database-driven
e-commerce catalogs include the facets price range, color, brands, and more.

field search: A search for a term or a number within a data field of a document or
database. An online telephone directory allows users to search within fields.

full-text search: A search that compares every word in a document, as opposed to

searching an abstract or a set of keywords associated with the document. Most
web search engines perform this type of search.

inverted index search: A search using an index of unique words appearing in any
document, and for each word a list of documents in which the words appear.*

structured search: A search method that uses the structure of data that has an
inherent structure—such as dates, times, and numbers, even text such as names
of colors.† The three types of structured searches are: Boolean (Structured Query
Language, or SQL) search, keyword (vector) search, and reverse indexes.

vector search model: The vector model considers a search query as a vector in
keyword space and then scores the items located based on the distance from
the query calculated by counting the number of times keywords appeared in
each document, the size of the document, and the density of the keywords in the
document.

* Inverted Index, Elastic, accessed November 18, 2017, https://www.elastic.co/guide/en/elasticsearch/guide/

current/inverted-index.html.
† Structured Search, Elastic, accessed November 18, 2017, https://www.elastic.co/guide/en/elasticsearch/guide/
current/structured-search.html.

Search and Retrieval Options: Library of Congress

Note the search options available for the Library of Congress (LC) Online Catalog shown
in figure 5.12. One search method allows the user to insert a subject keyword. This allows a
search for any word or phrase found in one of the subject heading controlled vocabularies
used at the LC. If the user doesn’t know what words are in the controlled vocabulary, he or
 R E C O R DS AN D I N F O R MATIO N AC C E S S, STO R AG E , AN D R E TR I E VAL / 13 9

FIGURE 5.12 The Library of Congress Online Catalog.

SOURCE: Library of Congress, https://catalog.loc.gov/.

she can view the latest edition of the Library of Congress Subject Headings (LCSH), which is
now part of the Library of Congress Classification Web subscription service.25
Structured data can present the desired results if the user knows how to conduct a
search. Business units should provide training to employees who are the end users of the
systems. Records managers should understand the types of records generated by these sys-
tems, where they reside, and how they can be managed. The IT department in most cases
will own the systems and have ultimate responsibility for the information managed, but
effective information governance requires that all stakeholders are involved. If the systems
are used to share information with the public, instructions to facilitate search and retrieval
must be provided.

Unstructured Data: Search and Retrieval Methods

Data volume is set to grow 800 percent over the next five years, and 80 percent of it will be
unstructured data.26 This fact raises the question of how can we determine its value and put
it to use. Enterprise search solutions, now dubbed “Insight Engines” by Gartner, can help
the organization do just that. 27
140 / CH AP T ER 5

Enterprise Search and Insight Engines

Enterprise search is the organized retrieval of stored business data within an organization
so that users can securely enter and find data across enterprise databases.28 The software
searches data across multiple repositories without the necessity of tagging and filing. It can
be integrated with data analytics, business intelligence, and data management solutions.
Workers accustomed to performing Google searches in their private lives may wonder
why a simple Google-like search couldn’t be used to locate and retrieve information in the
workplace. Actually, Google had such a product, the Google Search Appliance, from 2012 to
2016, but discontinued the appliance in favor of a cloud-based solution. Because custom-
ers of the previous offering were able to receive support through 2017, Google Enterprise
Search has yet to prove itself.
Insight engines, by contrast, are described as “enterprise search that [provides]
“more-natural access to information for knowledge workers and other constituents in ways
that enterprise search cannot.29 Imagine giving oral commands to your search engine to
locate that needed email message or document, just as you use Siri, Apple’s intelligent assis-
tant, to locate the closest gas station or best seafood restaurant in the area. Insight engines
have the capability to provide natural language interfaces to handle questions specific to
your workplace. Three vendors occupied the “Leader” category on Gartner’s 2017 Magic
Quadrant for Insight Engines: Coveo (a Canadian firm), Sinequa (a French firm), and Mic-
rosoft (a US firm). Unlike the first two vendors, Microsoft’s inclusion is based on enterprise
search applications that are available only as part of its Office Suite.

Open-Source Solution: Apache Solr

Open-source products, like Apache Solr, remain popular options. Major features of Solr
include full-text search, hit highlighting, faceted search, database integration, rich docu-
ment (e.g., Word, PDF) handling, and geospatial search.30 Products like Lucidworks’ Fusion
3 integrate with Solr to allow users to set up capabilities using both an “Index Workbench”
and a “Query Workbench.”31 Solutions such as Apache Solr require more IT expertise than an
out-of-the box or cloud-based solution. However, in the long run, an open-source solution
may be less expensive. These are factors that must be considered when determining the
best search and retrieval solution for the enterprise. The role of the records manager is to
keep abreast of search and retrieval options and to provide input from a records manage-
ment and user perspective.

Semi-Structured Data: Search and Retrieval Methods

Semi-structured data are often grouped with unstructured data when discussing search
and retrieval methods. Two examples of search and retrieval methods are especially useful
when working with semi-structured data.

Extensible Markup Language (XML)

As stated previously, Extensible Markup Language (XML) is a markup language developed
to describe the content of web documents. It uses standard descriptions for labeling digi-
tal information and automates the identification of material and exchange of data between
 R E C O R DS AN D I N F O R MATIO N AC C E S S, STO R AG E , AN D R E TR I E VAL / 1 41

computers. Data are stored within XML tag sets so that it can be searched, transmitted, or
updated by any application that recognizes XML tags. XML can be used to label the informa-
tion content of diverse data sources, including structured and semi-structured documents,
relational databases, and object repositories.
An advantage of a search for XML documents is increased precision in search results.
Consider a search for a document written by an author named Black using a full-text search.
The query might return documents with black as a color or black as a mood. Even the ad-
dition of the word author to create a Boolean search term of Black AND author may not
reveal the required results if the word author is not included in the document and instead
the contribution by the author is written as contributed by. However, if the author’s name
were marked up using XML as <author>Black</author>, the search would be more precise.
XML tags provide structure, but the tags themselves are not standardized. Unlike
HTML’s predefined tags, any individual, organization, or industry can define their own
XML tags. This is an advantage in that the organization or industry can use XML tags rele-
vant to its situation. But the disadvantage is the resulting inconsistency across organizations
and industries. This can be illustrated by the <author> </author> tag set used previously.
What if the document was marked up using the tags <contributor> </contributor> instead of
author? A search for author would not produce the desired results.
Two methods can be employed to express the XML system used:

• Document type definition (DTD) lists what tags can be used with the XML
document along with their content and relationships to one another.
• XML schema—the newer, more powerful approach—provides the rules an
XML document has to follow.

XML schemas (documents defining the legal building blocks of an XML document) do much
more than describe the elements that can appear in a document, such as author or con-
tributor. They also define, among other things, attributes that can appear in a document
and the default and fixed values for elements and attributes. Schemas set expectations. For
example, the format of a date can be confusing. In some countries 6-11-2021 is interpreted
as June 11, 2021, but in others as November 6, 2021. The schema can ensure mutual under-
standing of the date by setting the date element with a data type like this:

<date type=“date”>2021–06–11</date>

The XML data type date requires the format of YYYY-MM-DD and ensures an understand-
ing of the content because the XML date is always formatted as YYYY-MM-DD.
Vendors contribute to the problem when they use nonstandard XML tags in their prod-
ucts. But they can also be part of the solution. OASIS (Organization for the Advancement
of Structured Information Standards) is a not-for-profit consortium that drives the devel-
opment, convergence, and adoption of open standards. A technical committee of OASIS
comprised of several large technology vendors—including Microsoft, IBM, RedHat, and
SAP—developed the Open Data Protocol (OData) specification to simplify data sharing
across disparate applications in the enterprise, Cloud, and mobile devices. The specification
defines an XML representation of the entity data model exposed by an OData service. Their
work resulted in the development of two ISO standards: ISO/IEC 20802-1:2016 Information
technology—Open data protocol (OData) v4.0—Part 1: Core and ISO/IEC 20802-2:2016 Infor-
mation technology—Open data protocol (OData) v4.0—Part 2: OData JSON Format.
142 / CH AP T ER 5

This brief discussion is not meant to tell you all you need to know about XML or the
open-standards initiative. Rather, it is included to provide a glimpse into the technology in
use or in development that will impact information systems that create, store, and manage
information assets.

Semantic Search
Semantics refers to the meaning of words. A semantic search, therefore, will search and dis-
cover the meaning of words and not just their occurrence. The concept of a semantic network
model was coined in the early 1960s, but it was not until the advent of the World Wide Web
that the concept of the Semantic Web (Web 3.0) was introduced as an extension to enable
people to share content beyond the boundaries of applications and websites. Unlike the
relationships built using hyperlinks within webpages, on the Semantic Web the relation-
ships are named and understood; for example, a relationship binding a person and his or
her email address.
Semantic search engines return results based on their ability to understand the defi-
nition of the word or term being searched for and to understand the context in which the
words are used. According to the World Wide Web Consortium (W3C), the vision for the
Semantic Web is to extend the principles of the Web from documents to data.32 The inabil-
ity to easily share information residing in disparate repositories (silos) is a major deterrent
to the efficient use of an organization’s information assets. The integration of independent
silos of data is one application that would benefit from semantic search.
Figure 5.13 illustrates the two-way relationship that exists between a purchase made
and various facets of that purchase. This relationship can provide the basis for a semantic
faceted search in which users explore a collection of items (purchases) by browsing their
conceptual dimensions (facets) and their values (facet values).33
Note the relationships expressed in figure 5.13. They can be expressed as the purchase
of a “good book” was made for $30 by Scott from books.com as a birthday present. The name of
the recipient could be another facet providing additional information. A search on almost
any one of these facets can provide valuable business intelligence. For example, who made
this purchase? Scott. What do we know about Scott and how do we act on that knowledge?
Two facts are apparent:

• He liked that good book. Maybe he will like similar books? Who else bought
the good book? What other books did they purchase recently? Maybe Scott
should be informed in case he’d like to buy those, too.
• He bought it as a birthday present for Zoe Franks. Perhaps he’d like to
register the recipient of the gift in a birthday registry. Reminders of Zoe’s
birthday may result in repeat sales.

You were introduced to ontologies in chapter 3. The data in parentheses in the chart, for
example, (allValuesFrom), are properties in the Web Ontology Language (OWL) vocabulary.
OWL is a semantic markup language for publishing and sharing ontologies on the World
Wide Web.34 OWL was developed as a vocabulary extension of the Resource Description
Framework (RDF). RDF is the standard model for data interchange on the web that allows
structured and semi-structured data to be mixed, exposed, and shared across different
applications.
 R E C O R DS AN D I N F O R MATIO N AC C E S S, STO R AG E , AN D R E TR I E VAL / 143

METADATA AND METADATA STANDARDS

Archivists and records managers have long used metadata to create finding aids, file lists,
inventories, and file plans. Records managers also capture metadata to manage records in
records management systems. You became familiar with records management metadata in
chapter 3. This chapter will introduce you to metadata used for different types of digital
objects, including images, publications, and rights management.
Metadata is structured information that describes, explains, locates, or otherwise
makes it easier to retrieve, use, or manage an information resource.35 A metadata framework
involves five components:

• Schema: a systematic, orderly combination of elements and terms

• Vocabulary: the value that would be entered into the schema
• Conceptual model: a model describing how all the information and
concepts in a resource relate to one another
• Content standard: a standard that describes how vocabularies should be
entered within the metadata schema categories
• Encoding: a method used to present the metadata (e.g., XML)

In 1995, work began on a set of metadata elements that would provide a basic group of
text elements to describe and catalog digital resources. At the time, fifteen text fields were

FIGURE 5.13 Semantic search explores relationships between an instance

(purchase) and its facets.
144 / CH AP T ER 5

developed and called the Dublin Core after Dublin, Ohio, where the work originated. The
Dublin Core metadata element set is now an international standard, ISO 15836:2009 Infor-
mation and Documentation—The Dublin Core Metadata Element Set.36 A Dublin Core meta-
data record can describe physical resources, digital materials, or composite media, such as
webpages. The original fifteen elements are shown here:

• Title • Contributor • Source

• Creator • Date • Language
• Subject • Type • Relation
• Description • Format • Coverage
• Publisher • Identifier • Rights

The Dublin Core allows for extensibility; the elements can be added to and built upon
to meet the needs of the organization. Metadata can be stored with the digital object or
separately in a database. When metadata are associated with a digital object, the elements
are encased in a tag and the source is identified by a dc for Dublin Core as in this example:

<dc:creator>Samantha Franks</dc:creator>

In this example, Samantha Franks is added as descriptive metadata to credit her as creator
of the work. In addition to descriptive metadata, structural and administrative data can be
applied to a digital object.

Descriptive Metadata

Descriptive metadata are information describing the intellectual content of the object.
XML is an encoding language used to describe content. But the metadata encoded will vary
depending on the object and the metadata schema used. It will even vary by equipment used
to create it and software used to manipulate it.
When a digital image is viewed in a popular graphic imaging program, for example, a
form is available for the user to enter descriptive metadata in the following fields: docu-
ment title, author, author title, description, description writer, keywords, copyright status,
copyright notice, copyright info, and URL. However, descriptive metadata automatically
added by the camera is also available (see figure 5.14).
Metadata standards exist to facilitate interoperability. Although an organization might
develop its own metadata schema for in-house use, problems occur when the collection is
shared with outside institutions. Metadata standards have been developed for digital still
images such as the one in figure 5.14, but unfortunately, there is no definitive metadata
standard that can be used without modification. Standards for digital still images include
“Categories for the Description of Works of Art” (CDWA) and “MIX: NISO Metadata for
Images in XML Schema” (MIX).37

Structural Metadata

Structural metadata describes the physical and/or logical structure of complex digital
objects, for example, how scanned pages should be assembled into a book. It can be used to
 R E C O R DS AN D I N F O R MATIO N AC C E S S, STO R AG E , AN D R E TR I E VAL / 145

describe the relationships between an object’s component parts and is often used to facil-
itate navigation and presentation of complex items. The content organized by a structural
metadata map may be a mix of digital content files, including structured or unstructured
text, images, audio, video, and/or applications (e.g., PDF).

Scanned Books and Publications

When considering a structural metadata scheme, it is necessary to consider the type of dig-
ital items being modeled and how they will be used. Scanned pages of a book would best be
marked up in the Metadata Encoding and Transmission Standard (METS). One benefit of
using METS for digital libraries is the number of page-turning applications that understand
METS.
METS is a standard for encoding descriptive, administrative, and structural schema
for digital objects. It was developed in 2001 for the Digital Library Federation (DLF), was
approved as a NISO standard in 2004, and is maintained by the Library of Congress.38
The METS XML document format consists of seven major sections: header, descrip-
tive metadata, administrative metadata, file section, structural map, structural links, and
behavior.39 However, the heart of the document format is the overall structure contained in
a structure map between the following tags:

<mets:structMap TYPE=“physical”> </mets:structMap>

Those responsible for libraries and archives in the public and private sectors should become
familiar with METS XML to understand the type of metadata available for digital library
objects they access or acquire and in order to make informed decisions on methods that can
be used to scan and make available complex digital objects.

Electronic Books (e-Books)

What about e-books? Publishers suffering from a downward spiral in sales of print materi-
als now embrace the electronic publishing environment. In October 2011, the International

FIGURE 5.14 Metadata added to image file by camera.

146 / CH AP T ER 5

Digital Publishing Forum (IDPF), the trade and standards association for the digital pub-
lishing industry, approved the EPUB 3 specification as a distribution and interchange for-
mat standard for digital publications and documents including textbooks; digital maga-
zines; and educational, professional, and scientific publications. The most recent version,
EPUB 3.1, is a family of specifications that define a means of representing, packaging, and
encoding structured and semantically enhanced web content for distribution in a single
file container.40
The file extension, .epub (EPUB), is an XML format for reflowable digital books and
publications. It is composed of three open standards: the Open Publication Structure (OPS),
Open Packaging Format (OPF), and Open Container Format (OCF). EPUB allows publishers
to produce and distribute a single digital publication file and provides consumers with
interoperability between software/hardware for unencrypted reflowable digital books and
publications.
The Open Publishing Structure (OPS) combines subsets and applications of other spec-
ifications to facilitate the construction, organization, presentation, and interchange of elec-
tronic documents. Among the other specifications are XML, Digital Talking Book (DTB),
Scalable Vector Graphics (SVG), and Cascading Style Sheets (CSS).
Not many records and information managers will find themselves responsible for creat-
ing EPUBs, but if necessary, enterprise content publishing solutions are emerging to allow
technical communication authors and software development teams to convert and publish
high volumes of content from Microsoft Word and Adobe InDesign CS to common formats
including PDF and e-books. In addition, records and information managers may need to
provide input into editing the metadata that accompanies e-books they acquire, especially
if working in a corporate archives or library.
EPUB metadata editors are appearing on the scene, and certain batch operations are
allowed. The following metadata fields are available:

• Title • Publisher • Source

• Creator • Date (original publication) • Language
• Series • Type
• Series Index • Format Identifier

The Title, Creator, Description, Publisher, and Date fields are prepopulated.
EPUB files can be opened in most e-book readers, including the Barnes and Noble Nook
and the Kobo eReader. Amazon’s Kindle uses a proprietary format, AZW, but files can be
converted to a similar format, MOBI, for reading on the Kindle. EPUB files can also be
opened on a computer with various free programs, including Calibre, Adobe Digital Edi-
tions, Mobipocket Reader Desktop, and Apple Pages for the Mac.

Administrative Metadata

Administrative metadata states when and how information resources were created, file type
and other technical information, and access rights. Two types of administrative data that
are sometimes listed as separate metadata types are rights management metadata and pres-
ervation data.
 R E C O R DS AN D I N F O R MATIO N AC C E S S, STO R AG E , AN D R E TR I E VAL / 147

Rights Management
Increasingly those publishing on the Web are turning to Creative Commons, a nonprofit
organization that allows anyone who publishes on the Web to license their work using a
three-layer design: legal code, human readable language, and machine readable version
using CC Rights Expression Language (CC Rel). This language uses a combination of HTML
and RDFa to embed license information into a webpage as shown in figure 5.15.
Archivists and records and information managers should understand Creative Com-
mons licensing (see http://creativecommons.org/).

Preservation: METS and PREMIS

Earlier you were introduced to METS and learned that it is a standard for encoding descrip-
tive, administrative, and structural schema for digital objects—types of metadata relevant
to preservation. Although the schema was developed originally for digital libraries, its use
has been extended to digital repositories and preservation. Archival objects must retain
the characteristics of fixity, viability, renderability, understandability, and/or authenticity.
The Preservation Metadata: Implementation Strategies (PREMIS) working group released
version 3 of the PREMIS Data Dictionary for Preservation Metadata in June 2015 to address
these challenges.41 A data model was developed to organize the semantic units in the dic-
tionary into four activities important to digital preservation: Rights, Events, Agents, and
Objects.
“PREMIS Preservation Metadata XML Schema version 3.0” was released January 18,
2016. Both METS and PREMIS are XML schema. PREMIS can reside within a METS doc-
ument. METS can provide the structure and transferability, and PREMIS can provide the
information about a digital object necessary for digital preservation actions. The Library of
Congress has prepared guidance on how the PREMIS and METS tags should be integrated.42

HTML Code using the RFDa property attribute

All content on this site is licensed under a

Human <a property=”http://creativecommons.org/ns#license” Machine
Readable Readable
href=”http://creativecommons.org/licenses/by/3.0”>
Creative Commons License.</a> ©2019 Pat Franks

Appears on web page as

All content on this site is licensed under a Creative Commons License. ©2018 Pat Franks

Link to Creative Commons License web page

FIGURE 5.15 Example of Creative Commons Rights Expression Language

used to embed license information on a webpage.
148 / CH AP T ER 5

SUMMARY

The growth of digital information has transformed the way records management is perceived
and practiced. Today’s records and information professionals, who once primarily managed
inactive records and made arrangements for destruction or transfer to an archives, now use
their expertise to improve active records and information management.
Today’s records and information management professional must master more than one
knowledge domain. He or she must understand the mission and goals of the organization
and the work of business units. At the same time, he or she must understand information
technology well enough to provide value to discussions related to information systems and
must understand archives well enough to ensure that records are captured, managed, and
preserved as long as they have value.
This expanding role requires that the new records professionals understand business
and information systems and be able to evaluate their effectiveness through the use of
business process mapping and workflow diagrams. They must also understand structured,
unstructured, and semi-structured data and be able to develop or recommend search and
retrieval tools and strategies appropriate for each type of data.
Metadata plays an important part in information search and retrieval. The new records
and information professional must understand metadata and become familiar with metadata
schema and standards of use in her or his industry.
Records and information professionals can also participate in the development of
physical, logical, and administrative access controls. They can address the importance of
adhering to established procedures and play a prominent role in negotiating service lev-
el agreements with third-party providers, including social networks and vendors of cloud
computing services.
Becoming involved in business process improvement is one way to add value to the or-
ganization; a similar approach can be applied to the process used to manage records and in-
formation. In her contribution to chapter 5, Charlene Cunniffe, Associate Director of HRM,
explains how a Continuous Improvement process using Lean practices can be implemented
to improve Records and Information Management programs.

PA R A D I G M

Introduction of Continuous Improvement in Records

Management Programs and Processes Using Lean Practices
Charlene Cunniffe
Associate Director, Information and Records Management

Introduction

Lean thinking begins with an understanding of two critical concepts: value and waste.
Most of the tools and techniques used in Lean Continuous Improvement exercises focus
on (a) identifying value creation for the customer, the value-added steps a customer is
 R E C O R DS AN D I N F O R MATIO N AC C E S S, STO R AG E , AN D R E TR I E VAL / 149

willing to pay for, or (b) reducing waste, generally by reducing the number of steps in a
process or the time it takes to complete an end-to-end process. Lean continuous improve-
ment also identifies and eliminates any rework and defects. Removing non-value-added
activities (what the customer does not care about or is unwilling to pay for) is part of Lean
analysis. A case study approach is used to illustrate the application of Lean practices to a
real-world situation.

Problem Statement
One of the constant challenges for large multinational organizations is the continual merger,
acquisition, and divestiture activity experienced as the organization assesses its product
portfolio and market position, and refocuses its efforts to maximize shareholder value.
In the records management world of this type of organization, there are many chal-
lenges arising from the constant churn and restructuring. Records managers may partic-
ipate in the closure of sites no longer needed due to low product sales or the decision to
no longer produce a product. There may be efforts made to squeeze more people in a new
working space in high price-per-square-foot locations. This might mean that the records
management staff concentrates on reducing paper in those locations. Another possibility
may be that the company merges with a similarly sized company, which could result in
the need to make a decision about which processes are adopted—those of Company A or
Company B? Which company’s retention schedule will be used?

Approach Taken
Each organizational change scenario results in the need to streamline processes and har-
monize the way that employees approach information management. At one large pharma-
ceutical company, several mergers, acquisitions, and continual growth resulted in disparate
systems and processes throughout the shared services organizations including those in
IT, Records Management, Finance, Procurement, Human Resources, and more. A decision
was made to adopt a Lean approach to analyzing and dealing with the systemic issues in
order to identify the best system or process for the company as it currently existed. Efforts
were made transversally across all the shared services organizations to work on improving
cross-functional solutions, and to take a new look at what end-to-end processes could be
developed to respond quickly to evolving organizational needs.
To improve processes in the Information and Records Management department, sev-
eral kaizens (multiday continuous improvement workshops) were held on several RM-re-
lated subjects, focusing team efforts on an analysis of current state and a determination of
how the group could move forward to improve processes that impacted not only RM but
related groups—IT, legal, and compliance, for example.
To introduce the concepts and tools of Continuous Improvement and Lean to the
records management team, one specific issue was addressed. An ongoing challenge for
the US Information and Records Management (IRM) of the organization was to harmonize
the approach to off-site storage and to reduce the complexity of the process for com-
pany end users. At some locations, the end users were encouraged to independently index
and pack records for off-site storage, complete data entry into the vendor system, and
take responsibility for quality checking the box content and indexes. No entry was made
into the central non-vendor management system. At the company headquarters, all boxes
going off-site were directly collected and managed by RM staff, who verified the contents
15 0 / CH AP T ER 5

of the box against the index and entered the data into a records management system main-
tained by the company itself, not the off-site storage vendor.
The IRM team consisted of five professionals in two major hubs, located in Massachu-
setts and New Jersey. IRM had hired several contractors to work at each site on off-site box
storage as demand increased and the team started to have some concerns about quality
in the decentralized process location. As valued partners, the on-site supervisor from each
contractor group was invited to participate in analyzing the existing process and helping
to determine the future state of the off-site storage process. It was important to the team to
improve and maintain a quality records lifecycle process for physical records.
The IRM team was guided by two trained Lean leaders who were not members of the
IRM organization, who had not had any real interaction with the group, and who did not
have much knowledge of the work that IRM did. They followed the company-established
protocol for conducting a kaizen. There were two phone meetings before the actual event
with a subset of the team to discuss the kaizen—what the purpose was, who might be the
right participants, and what Lean tools would be employed to deliver the right results for
this project, which was very different from a more traditional kaizen that might focus on
logistics or manufacturing steps.
The initial kaizen was held with five team members. The Senior Director of IRM was
the project sponsor, and his manager was the Executive Sponsor of the effort, ensuring
executive support and necessary resources such as budget for travel. The team met for
four days. One of the intangible benefits to this meeting was introducing members of the
team to each other in person, which led to smoother team interactions and better commu-
nication between sites for future efforts.
The team was led through exercises including the establishment of a kaizen charter—
including a problem statement, a list of participants and their roles, goals, metrics of suc-
cess, and scope. For this introductory kaizen, the following were developed for use of the
Continuous Improvement (CI) team:

Identifying an Opportunity
The average turnaround time needed to complete an IRM service request from start to
finish is approximately five business days. The current process for requesting services
includes three separate points of request vehicles (in-person, electronic, phone). There
are also four different spreadsheets used to track requests resulting in duplicative efforts,
confusion, and addition of non-value added time.

Goal Statement
• develop a harmonized process to create, track, and report on IRM
service requests
• reduce the number of failed delivery attempts for box retrievals by
35 percent
• reduce the average turnaround time for search requests by 20 percent
• as one IRM, continue to meet or exceed the 95 percent KPI level

The team also created mechanisms for more fluid box request processing through a
central mailbox shared by members of all sites. Steps were reduced in the process, time
to results was reduced, and metrics reporting was set up.
 R E C O R DS AN D I N F O R MATIO N AC C E S S, STO R AG E , AN D R E TR I E VAL / 151

Results
Members of IRM felt that their efforts had many measurable results in the ninety days allot-
ted to improve the process, and which continue today. Longer-term projects and issues
were identified as a side effort of the kaizen, leading to future kaizens and CI efforts for the
team. Other IRM team members participated in many more kaizens to improve not only
IRM processes but also work between IRM and other organizations, including IT, Legal,
Procurement, Facilities Planning, and Human Resources.
Two years after the initial kaizen, the same team met again, this time under the direc-
tion of one of its own members who had become a Lean leader, to revisit their harmonized
process after changes in the organization and the team. The former “future state” had
become the “current state,” but times had changed and there was a need to adjust several
parts of the process to accommodate a new acquisition that brought additional sites and
personnel to fit into the process.
Training in and practice of Continuous Improvement efforts using Lean methodology
has made the IRM team more efficient and effective. The team is quick to point out areas
that could benefit from immediate “quick wins” and are also regularly eager to put their
heads together for informal or formal CI efforts focusing on other processes on which the
group relies.

Conclusion
The application of Lean practices in a real-world records management environment cre-
ated great opportunities for team building and continuous process improvement in several
processes of the operational records program. Using such Lean tools as a kaizen Charter,
Voice of the Customer exercises, a Value Stream Map, an implementation plan, and defined
metrics of success, the records management team created the universe of shared expec-
tations, roles, responsibilities, and quick-win goals. A kaizen readout to all the team and
its sponsors demonstrates the Lean methods used and defines the expected successes. A
benefit effort matrix helps define the expected quick wins to be accomplished in thirty to
ninety days as well as identifying what the team could work on for future kaizens or long-
term projects.

NOTES
1. National Archives of Australia, “Digital Records,” accessed September 27, 2017, www.naa.gov.au/
information-management/digital-transition-and-digital-continuity/digital-transition-policy/
digital-transition/index.aspx.
2. SmartDraw, “Business Process Mapping,” accessed September 27, 2017,
https://www.smartdraw.com/business-process-mapping/.
3. The University of Alabama, “Mission/Vision Statement,” Procurement Services, accessed
September 23, 2017, www.missiontexas.us/city-departments/purchasing-department.
4. Legal-Explanations.com, s.v. “bill of lading,” accessed September 27, 2017,
www.legal-explanations.com/definitions/bill-of-lading.htm.
5. Faufu Oluwatoyin Raheem, “Human Workflow Task for ONE-Admin of Mediator for the
Interaction of Internet Protocol Network and Transport Network Management System,”
The IUP Journal of Knowledge Management, 14, no. 3, 23–43.
6. TechTarget, “e-Procurement (Supplier Exchange),” accessed September 27, 2017,
http://searchcio.techtarget.com/definition/e-procurement.
1 52 / CH AP T ER 5

7. Basware, “3 Disruptive Trends Shaping the Future of Finance and Procurement,”

accessed May 13, 2018, https://www.basware.com.
8. Matthew Greenwell, Defense-in-Policy Begets Defense-in-Depth, SANS Institute, March 26, 2015,
https://www.sans.org/reading-room/whitepapers/leadership/defense-in-policy-begets-defense-in
-depth-35882.
9. Kyle O. Bailey, James S. Okolica, and Gilbert L. Peterson, “User Identification and Authentication
Using Multi-Modal Behavioral Biometrics,” Computers and Security 43 (2014), 77–89.
10. University of Pennsylvania, University Archives and Records Center, “University of Pennsylvania
Records Retention Schedule: Academic/Student Records,” University Records Center, last
modified June 17, 2011, www.archives.upenn.edu/urc/recrdret/studtacad.html.
11. The term record when referring to rows in a database is different from the term record defined in
ISO 15489-1:2016.
12. Headwaters Group, “Your Unstructured Data is Sex—You just Don’t Know It,” May 23, 2017,
http://content.theheadwatersgroup.com/blog/your-unstructured-data-is-sexy-see-how; Eileen Yu,
“Oracle Looks to Clear Air on Big Data,” ZDNet, October 4, 2012, www.zdnet .com/oracle-looks-to
-clear-air-on-big-data-7000005211.
13. SearchDataManagement, s.v. “business intelligence (BI),” accessed September 27, 2017,
http://searchdatamanagement.techtarget.com/definition/business-intelligence.
14. Adam Shell, “Wall Street Traders Mine Tweets to Gain a Trading Edge,” USA Today, May 4, 2011,
www.usatoday.com/money/perfi/stocks/2011-05-03-wall-street-traders-mine-tweets_n.htm.
15. Patrick Whatman, “Apple Event: What We Learned from 500,000+ Social Mentions,” September
13, 2017, www.business2community.com/mobile-apps/apple-event-learned-500000-social
-mentions-01917637#0iBSSd885887Wih0.97.
16. Webopedia, s.v. “big data,” accessed September 27, 2017, www.webopedia.com/TERM/B/
big_data.html.
17. Ibid.
18. Gartner. “Magic Quadrant for Enterprise Integration Platform as a Service,” March 2017,
https://www.gartner.com/doc/reprints?id=1-3X0Y452&ct=170403&st=sb.
19. AWS, “What is a Data Warehouse?” accessed September 27, 2017, https://aws.amazon.com/
data-warehouse/.
20. Bill Inmon, “A Tale of Two Architectures,” Scribd, accessed April 30, 2018, https://www.scribd.com/
document/52332955/A-TALE-OF-TWO-ARCHITECTURES.
21. Ibid.
22. Informatica, 2018, https://www.informatica.com.
23. Edward Atkinson, “Data Warehousing—A Boat Records Managers Should Not Miss,” Records
Management Journal 11, no. 1, 35–43.
24. LexisNexis, “Search Basics,” Lexis Advance Support and Training, accessed May 13, 2018,
https://www.lexisnexis.com/en-us/support/lexis-advance/search-basics.page.
25. Library of Congress Classification Web, accessed September 24, 2017, www.loc.gov/cds/classweb/.
26. Headwaters Group, “Your Unstructured Data is Sexy.
27. Gartner, (2017, March 30), “Magic Quadrant for Insight Engines,” accessed September 24, 2017,
https://www.gartner.com/doc/reprints?id=1-3WQ4EMP&ct=170330&st=sb.
28. G2 Crowd, “Best Enterprise Search Software, accessed September 24, 2017,
https://www.g2crowd.com/categories/enterprise-search.
29. Kamran Khan, “Here’s Why Insight Engines Are the Next Big Thing,” CMSWire, August 8, 2017,
www.cmswire.com/digital-workplace/heres-why-insight-engines-are-the-next-big-thing/.
30. Apache Solr, Apache Software Foundation, accessed September 24, 2017, http://lucene.apache.org/
solr/.
 R E C O R DS AN D I N F O R MATIO N AC C E S S, STO R AG E , AN D R E TR I E VAL / 15 3

31. Enterprise Search, “Lucidworks 3 Released!” January 25, 2017 www.enterprisesearchblog.com/

open-source/.
32. World Wide Web Consortium (W3C), “Semantic Web,” accessed September 24, 2017,
https://www.w3.0rg/standards/semanticweb/.
33. Weize Kong, “Extending Faceted Search to Open-Domain Web,” ACM SIGIR Forum 60, no. 1
(June 2016), 90–91.
34. World Wide Web Consortium (W3C), “Web Ontology Language (OWL),” W3C Semantic Web,
September 24, 2017, https://www.w3.org/2001/sw/wiki/OWL.
35. National Information Standards Organization (NISO), Understanding Metadata (Baltimore, MD:
NISO, 2017), 1, www.niso.org/apps/group_public/download.php/17446/Understanding%20
Metadata.pdf.
36. International Organization for Standardization (ISO), ISO 15836:2009 Information and
Documentation—The Dublin Core Metadata Element Set (Geneva: ISO, 2009).
37. The Getty Research Institute, “Categories for the Description of Works of Art,” J. Paul Getty Trust,
last modified October 6, 2015, www.getty.edu/research/publications/electronic_publications/
cdwa/index.html; Library of Congress, “MIX: NISO Metadata for Images in XML Schema,” last
modified November 23, 2015, www.loc.gov/standards/mix.
38. Library of Congress, “Metadata Encoding and Transmission Standard (METS),” last modified
August 18, 2017, www.loc.gov/standards/mets/.
39. Library of Congress, “METS: An Overview and Tutorial,” last modified March 30, 2017,
https://www.loc.gov/standards/mets/METSOverview.v2.html.
40. Idpf. (2017, January 5). EPUB 3.1, latest version January 5, 2017, accessed September 24, 2017,
www.idpf.org/epub/31/spec/epub-spec.html#sec-epub-specs.
41. PREMIS Editorial Committee, PREMIS Data Dictionary for Preservation Metadata, Version 3,
Library of Congress, June 18, 2016, www.loc.gov/standards/premis/index.html.
42. Ibid.
 CHAPTER 6

Electronic Records and Electronic

Records Management Systems

INTRODUCTION

In the previous chapter, we explored the active phase of the records and information lifecy-
cle, focusing on systems and methods used to access, store, and retrieve data for operational
needs and to be used in decision-making. You learned that records managers, although iden-
tifying records created by or residing in information systems, can contribute to the organi-
zation by analyzing workflows and streamlining business processes. You were introduced
to search and retrieval methods for structured, unstructured, and semi-structured data, as
well as metadata standards that facilitate search and retrieval.
You also learned that information has value, whether considered a record or not. But
not all information should be retained indefinitely for various reasons, including the cost of
responding (locating, retrieving, reviewing, redacting, presenting) to e-discovery and Free-
dom of Information requests in today’s litigious and open society. In this chapter, we’ll
turn our attention to the subset of information termed electronic records and the use of
technology to manage them.

ELECTRONIC RECORDS

Information stored on paper or microfilm can be read by the human eye. An electronic
record is invisible and indiscernible to a user until the system produces an image or sound.1
US National Archives and Records Administration (NARA) regulations (36 CFR 1234.2)
defines an electronic record as “any information that is recorded in a form that only a com-
puter can process and that satisfies the definition of a record.”2 ISO 16175-1:2010 defines
an electronic record as a “record on electronic storage media, produced, communicated,
maintained and/or accessed by means of electronic equipment.”3 Examples of electronic
records include email messages, word processing documents, electronic spreadsheets, dig-
ital images, databases, video and audio files, voicemail, webpages, text messages and data
stored in geographic information systems (GIS).
Electronic records reside in a variety of devices and locations depending on how they
are created and by whom, as well as where they are within the records management lifecycle.
For example, employees can create records away from the office and store them on USB
flash drives, tablets, and smartphones. Employees working within the enterprise may store
records on personal computer (PC) hard drives, network drives, and compact discs (CDs).

/ 15 5 /
15 6 / CH AP T ER 6

Information technology (IT) departments can move records to magnetic tapes for storage.
Electronic records may reside in third-party systems controlled by vendors, for example,
blog posts, tweets, and profiles posted to social networking sites or customer data stored in
applications hosted by a software-as-a-service (SaaS) vendor providing file sharing/collabo-
ration tools such as Box, Dropbox, or iCloud.
One example of the increasingly widespread acceptance of a digital record is the stock
certificate, which once was one of the most important pieces of paper in the life of an in-
vestor. Today, the paper stock certificate is becoming a historic relic. Most Wall Street firms
will produce paper stock certificates upon request, but they may charge a fee to handle the
transaction. The Walt Disney Company, for example, will send a nonnegotiable “Disney
Collectible Shareholder Certificate” adorned with Disney characters to investors for $50
plus tax upon receipt of a Registered Shareholder Verification Form. These are often pur-
chased as gifts to commemorate the purchase of the actual gift—Disney shares. The certifi-
cate has no value because stock ownership is tracked electronically in order to eliminate the
loss of certificates and simplify the transfer or sale of shares.4
In the past, records managers were responsible for retention and disposition of records
that were no longer actively used by employees of the organization. But one major differ-
ence between then and now is the focus on the user, who may derive value from access to
records that in the past were inaccessible (e.g., information in paper documents or on mag-
netic tapes stored in a records center). Another major difference is the diversity of systems
employed today that create digital records. In some cases, it makes sense to control the
records in the system of origin rather than move them to a records repository.
Electronic records must be identified regardless of their origin and location so that they
can be controlled by the organization’s records retention program. The timely disposition
of records will reduce storage costs and mitigate risk related to legal and regulatory record-
keeping requirements that otherwise would be incurred by retaining records that no longer
have value.

ENTERPRISE INFORMATION SYSTEMS (EIS)

Electronic records can be produced by systems that serve the specific needs of one depart-
ment or function (e.g., customer relationship management). However, in 2005, the term
enterprise information system came into use to represent the integration of information sys-
tems that include web-enabled features. Key business processes integrated into a single soft-
ware system enable information to flow seamlessly throughout the organization. Supply
chain management is an area that benefited greatly from the integration of multiple sys-
tems into one in which every business unit along the supply chain has access to the same
information (see figure 6.1).
Wal-Mart’s supply chain management practices present a classic example of how an
investment in information technologies to facilitate information sharing can result in in-
creased efficiency in operations and better customer service. In large part due to infor-
mation technologies, Wal-Mart was the first nonindustrial service business in the United
States to rise to the top of the corporate rankings.5
Logistics, as described by David Andries, Vice President of UPS Customer Solutions,
is about “implementing efficiencies across a business’s entire supply chain that help them
achieve their strategic goals”6 United Parcel Service (UPS) attributes its success to its logis-
tics activities—which include air and ground delivery, as well as warehousing and supply
 ELEC TRON IC R E C OR DS AN D E LE C TR O N IC R E C O R DS MAN AG E M E N T SYSTE MS / 15 7

chain management—and its superior customer service, which allows customers to track
their shipments online.
Although its ability to present customers with options based on advanced analytics is
legend, Amazon.com is another company that excels when it comes to supply chain man-
agement; for example:

• In 2013, Amazon announced Prime Air, a delivery service that would use
drones to deliver packages. At the time, the United States considered drones
that fly outside a human’s line of sight illegal, but the British government
began testing of drones for delivery.
• In 2015, Amazon received a license from both the United States and China
to act as a freight forwarder for ocean container shipping, essentially
allowing it to buy space on container ships at wholesale rates and sell at
retail.
• In 2015, Amazon filed a patent to build beehive-like towers in urban areas
to serve as multilevel fulfillment centers for delivery drones to take off and
land. These “beehives” would support truck deliveries and include self-
service areas for customers to pick up items.
• In 2016, Amazon introduced its Air Cargo service based on a deal to lease
Boeing 767 aircraft to shuttle merchandise around the United States. The
intent is not to compete with other carriers but to increase capacity that
will allow customers to purchase later in the day and still receive next-day
and two-day deliveries.7

FIGURE 6.1 Supply chain management improves operations with information

flowing both upstream to suppliers and downstream to customers.
15 8 / CH AP T ER 6

• In 2016, Amazon was awarded a patent for blimps stocked with drones to
serve as airborne warehouses circling over cities at 45,000 feet to launch
drones to fulfill orders.8
• In 2017, Amazon made its application for the “beehive” patent public.9

These steps by Amazon are expected to reduce shipping expenses and reliance on third-
party logistic providers like UPS.
Of interest to note is that in 2017, the Trump administration began instituting a pro-
gram to expand drone testing in the United States that would allow beyond-visual-line-of-
sight flights, nighttime operations, and flights over people. The same year, the Federal Avi-
ation Administration (FAA) granted CNN the first waiver to fly drones in crowded areas.10
This initiative will pave the way for Amazon’s use of drones in populated areas.
The examples are provided to underscore the primary reason for electronic informa-
tion systems. They are not implemented to create records. They are implemented to help the
business improve operations, with an eye to increasing customer satisfaction. Records are
created, though, and the organization has an obligation to manage them. Stop to consider
the Amazon example and all the ways in which records are created, starting with the idea
protected by a patent and ending with delivery of the desired item by drone. Obviously tra-
ditional methods of managing records and information are incapable of meeting the chal-
lenge.
One school of thought is that if records are stored in an enterprise-wide information
system, they will be easier to manage because the records will be controlled by one system.
The introduction of enterprise-wide information systems has simplified the task of locating
and capturing records. EIS, though, are not the solution to records management challenges
unless electronic records management functions are employed to control the records cre-
ated by those systems. You were introduced to content management systems in chapter 2.
Their use is so pervasive within organizations today—often integrated with records man-
agement systems and collaboration systems—that they deserve additional attention.

CONTENT MANAGEMENT SYSTEMS

Content is described as the electronic information in an organization, including electronic

records, email, and even the organization’s website. The term content management system can
be used to describe specific types of systems in use for different purposes or within differ-
ent industries, for example:

• Web content management systems (WCMS) allow users “to create, edit,
and publish digital content such as text, embedded audio and video files,
and interactive graphics for websites.”11 Most WCMS use a database to store
and control a dynamic collection of web material (e.g., text, photos, sound,
video, metadata, and other information assets) needed by the system.
Among other features, a WCMS typically includes automated templates,
access control, easily editable content, workflow management, content
syndication (such as content distribution by RSS feeds to other systems),
and versioning (which allows roll-back to a previous copy).
• Industry-specific web content management systems are available,
such as the one provided by Influence Health. Its Content Management
 ELEC TRON IC R E C OR DS AN D E LE C TR O N IC R E C O R DS MAN AG E M E N T SYSTE MS / 159

System (CMS) allows for the creation of hospital websites, landing pages,
micro sites, and mobile sites through an authoring and editing platform
that requires no coding. Images, videos, and other digital assets can be
uploaded. Content can be delivered not only through the website but
also to smartphones tablets, and more. The system can be integrated
with customer relationship management (CRM), marketing automation,
enterprise, and analytics platforms through the use of pre-built
connectors.12
• Social content management systems can combine social networking
applications (e.g., blogs, wikis, image sharing) into one suite to make it easy
to manage and share social content without building silos of information.
Enterprise social content management systems can authenticate users with
a single sign-on, approve content with integrated workflow, and meet key
compliance requirements. They allow the organization to capture, manage,
and leverage social content generated from a wide variety of locations
and devices. In some cases, social media can also be integrated with an
organization’s existing enterprise content management system to enable
the enterprise to store and manage its unstructured social content in the
same repository.
• Mobile content management (MCM) systems can be employed when
employees use their own devices for both personal and work-related
activities. According to The Sedona Conference Commentary on BYOD
(2018), employee-owned devices that contain unique, relevant ESI should
be considered sources for discovery.13 One of the challenges of the bring
your own device (BYOD) movement is the fact that it is difficult to
separate work-related and personal communications. Software is available
to provide separate containers for data on the same device—one for
personal applications controlled by the user and the other for corporate
applications controlled by a corporate administrator. The corporate
administrator can, for example, allow or prohibit saving data on the
device, encrypt stored data, configure application start authentication,
and control internet access, SMS and calls. One benefit for departing
employees is that containerized data can be wiped from the device
without impacting personal data.14

The web content management market is expected to grow by 2.5 times by 2022 because of
B2B companies adopting CMS for mobile and social content management as well as artifi-
cial intelligence capabilities and natural language processing.15

ENTERPRISE CONTENT MANAGEMENT SYSTEMS (ECMS)

Enterprise content management systems (ECMS) are used to control unstructured content
so that the information can be used in daily operations. But they are also designed to pro-
tect digital documents (primarily text and graphics) that serve as accurate and complete
evidence of transactions. Those records are regulated and contained, easy to search, and
include core elements such as facts, dates, and commitments.
According to AIIM, ECMS can perform five major functions:
16 0 / CH AP T ER 6

• Capture: Create, obtain, and, organize information.

• Manage: Process, modify, and employ information.
• Store: Temporarily back up frequently changing information
in the short term.
• Preserve: Back up infrequently changing information in the medium
and long term.
• Deliver: Provide clients and end users with requested information.16

An organization may employ one or more ECMS to control the flow of information and
manage its records. Electronic records management functionality may be integrated into a
new ECMS or built upon the ECMS already in place. ECMS were initially used to manage
records that provide evidence of business transactions. Today’s ECMS must also be able
to manage information resulting from social media and collaborative technologies. ECMS
can be integrated with business processes, business rules technologies, and analytics to offer
more than just the information stored. Content analytics, for example, can glean business
intelligence out of unstructured content to discover patterns that provide additional insight
into the business, such as patterns that reveal the factors that lead to customer churn (lost
customers).
Some enterprise content management systems, such as M-Files, include artificial in-
telligence (AI)-based capabilities. M-Files acquired Apprento, a Canadian developer of AI
and natural language technology, to enhance its content management offerings. M-Files
uses the Apprento Business Context Engine to automate metadata management. Natural
language processing is employed to understand semantics and concepts in content. For ex-
ample, M-Files is able to identify the “customer” in a “contract.” This ability to understand
the content in business documents automates workflow and document filing.17

ELECTRONIC RECORDS MANAGEMENT

The term electronic records management (ERM) as defined by ARMA International presents
two different scenarios—one in which an electronic system manages all records (including
paper and microfilm) and another in which an electronic system applies records manage-
ment principles to electronic records.18 In 2000, NARA provided clarification by stating
that the word electronic in ERM refers to automation, not to the nature of the record (see
figure 6.2).19
On November 28, 2011, President Barack Obama took steps to improve records man-
agement within the US federal government by signing the Presidential Memorandum—
Managing Government Records.20 As a result, on August 24, 2012, federal agencies were
directed by the Office of Management and Budget (OMB) and National Archives and Rec-
ords Administration (NARA) through M-12-18: Managing Government Records to pursue the
following goals:

1. By 2016, manage both permanent and temporary email records in an

accessible electronic format.
2. By 2019, manage all permanent electronic records in electronic format. Of
note is the strong recommendation that agencies consider the benefits of
digitizing permanent records created in hard-copy format or other analog
formats (e.g., microfiche, microfilm, analog video, analog audio).21
 ELEC TRON IC R E C OR DS AN D E LE C TR O N IC R E C O R DS MAN AG E M E N T SYSTE MS / 1 61

A preliminary analysis of the reports submitted from Executive Branch departments and
agencies by the March 17, 2017, deadline indicated most federal agencies were managing
their email electronically and have met the target set for them. However, this data also
shows that improvements are still needed to meet the success criteria set out by David S.
Ferriero, the Archivist of the United States, in April 2016, which are categorized into four
groups: policies, systems, access, and disposition.22 In addition, it was noted that some agen-
cies may have specific email management requirements related to issues such as the US
Freedom of Information Act and Privacy Act; classified information; and cyber security.
Because our chapter is about Systems, let’s review NARA’s expectations and success criteria
for government electronic systems.
The basic expectation is:

Agencies must have systems in place that can produce, manage, and preserve email
records in an acceptable electronic format until disposition can be executed. Addition-
ally, systems must support the implementation of agency policies and provide access to
email records throughout their lifecycle.23

Success for such systems would look like:

Your agency’s systems and business processes support the management of email records
in accordance with all applicable requirements including the manual or automatic

FIGURE 6.2 Context for Electronic records management (ERM).

SOURCE: Adapted from Information at National Archives and Records Administration (NARA). “Context for Electronic Records
Management (ERM),” Records Managers, last updated March 27, 2000, https://www.archives.gov/records-mgmt/initiatives/
context-for-erm.html.
162 / CH AP T ER 6

Capstone-based Approach to Email Management

T his approach simplifies the records schedule for email and reduces the records man-
agement burden on users by:

1. Basing email records retention on the mailbox owner’s role in agency rath-
er than on the content of each email record, and
2. Automating email capture and management according to the simplified,
role-based Capstone retention periods.

NARA’s General Records Schedule (GRS) for email managed under the Capstone
approach specifies three retention periods: permanent for Capstone officials (e.g.,
heads of agencies, assistants to heads of agencies, directors of significant program
offices and principle management positions such as Chief Operating Officer or Chief
Knowledge Officer); Temporary. Delete when 7 years old unless required for business
use for email of non-Capstone officials, their staff and contractors; and Temporary.
Delete when 3-years-old unless required for business use. This applies to non-
supervisory positions carrying out routine and/or administrative duties.
The permanent requirement applies to all existing accounts of the Capstone
official including legacy email accounts and accounts managed by staff, regardless
of the address names on the accounts (e.g., nicknames, office, title, names). It
also applies to personal email accounts used for agency business. When personal
accounts are used, “a complete copy of these records must be forwarded to an official
electronic messaging account of the officer or employee not later than 20 days after
the original creation or transmission of the record.”
SOURCE: General Records Schedule 6.1, accessed October 19, 2017,
https://www.archives.gov/files/records-mgmt/grs/grs06.1.pdf

execution of their disposition whether using a Capstone-based or content-based record

schedule.24

The Internal Revenue Service (IRS) is one agency that failed to meet the deadline. The
IRS plans to implement the Capstone approach recommended by NARA to manage the
content within 190,000 mailboxes for three groups of users: forty senior agency officials
with permanent retention, two hundred senior managers with temporary retention of fif-
teen years, and the remaining end users with temporary retention of seven years. A report
created by the Treasury Inspector General for Tax Administration in August 2017 indicated
the IRS met nineteen of thirty-two criteria (59 percent) and specified that additional efforts
were needed to ensure an email records management solution meets all requirements by
the end of 2017 (more than a year after the target date).25 Failure to meet the criteria on
time resulted in the inability to reap the expected benefits of minimizing cost, increasing
efficiency, improving documentation of agency actions and decisions, and transferring his-
torical records with permanent retention to the NARA.26
All criteria for the Disposition category were reported as having been met. And only two
of the criteria for the Policies section were not met: periodic compliance audits and training.
Neither could be approached until the system was in place. A sample of the requirements
 ELEC TRON IC R E C OR DS AN D E LE C TR O N IC R E C O R DS MAN AG E M E N T SYSTE MS / 16 3

still under development for both systems and access indicate functional requirements that
must be addressed:

• Systems: Maintain the content, context, and structure of the records;

associate email records with the creator, their role, and their agency;
migrate email from one system to another, or to an email archiving
application to ensure consistent access; and retain the components of email
messages including labels that identify each part of the header, the message
content, and any attachments.
• Access: Use, retrieve, and interpret email records throughout the entire
NARA-approved retention period; access email from current and departed
employees; perform a federated search across multiple email accounts or
multiple systems to find the email necessary for agency business; and use
digital signatures or encrypted technology for email where email can be
used and retrieved across the record lifecycle.

These goals can be accomplished only by implementing the right type of electronic system:
one that supports records management and litigation requirements, including the capability
to identify, retrieve, and retain the records for use if needed.

ELECTRONIC RECORDS MANAGEMENT SYSTEMS (ERMS)

ERMS consists of “software, hardware, policies, and processes to automate the prepara-
tion, organization, tracking, distribution, and disposition of records regardless of media.”27
The system must include retention scheduling and disposition.28
An ERMS is sometimes referred to as a records management application (RMA). The
ERMS/RMA selected to manage records will depend upon organizational needs and the
functionality provided by various products. The primary management functions of an
ERMS/RMA are categorizing and locating records and identifying records due for disposi-
tion. EMRS/RMA software also stores, retrieves, and disposes of the electronic records in
its repository.
Functional requirements must be identified before deciding to acquire an electronic
records management solution. Typical functions of an ERMS/RMA include:

• Marking an electronic document as a read-only electronic record.

• Protecting the record against modification or tampering.
• Filing a record against an organizational file plan or taxonomy for
categorization.
• Marking records as essential (vital) records.
• Assigning disposal (archival or destruction rules) to records.
• Freezing and unfreezing disposal rules.
• Applying access and security controls (security rules may differ from the
source electronic document in an EDMS or ECMS).
• Executing disposal processing (usually an administrative function).
• Maintaining organizational/historical metadata that preserves the business
context of the record in the case of organizational change.
• Providing a history/audit trail.
16 4 / CH AP T ER 6

ELECTRONIC RECORDS MANAGEMENT SYSTEMS GUIDANCE

Guidance is available for both the vendors who develop records management applications
and the users of such systems. Two publications many records managers are familiar with are:

• The US Department of Defense’s DoD 5015.02-STD: Electronic Records

Management Software Applications Design Criteria Standard.29
• The European Commision’s Modular Requirements for Records Systems
(MoReq2010 )30

Neither DoD 5015.02 nor MoReq2010 has been endorsed by a standards development body
to become a de jure standard, but both documents may be considered de facto standards
due to their universal appeal, availability, and adoption.

DoD 5015.02-STD: Electronic Records Management

Software Applications Design Criteria Standard

DoD 5015.02-STD, published by the US Department of Defense (DoD), provides guidance for
electronic records management information systems development. This standard presents
mandatory baseline functional requirements—as well as requirements for classified marking,
access control, and other processes—and identifies non-mandatory but desirable features.
Version 3 of the standard, issued in 2007, incorporates baseline requirements for RMA-to-
RMA interoperability and archival transfer to the NARA.31
As technology changes, so must guidance. In August 2017, Department of Defense In-
struction Number 5015.02 updated a previous Department of Defense Directive—both of
which are related to the Department of Defense Records Management Program.32 Several
changes were made, including the use of the term essential records in place of vital records
and the addition of the term IT services to EIS systems. Several major changes reflect the
goals of M-12–18: Managing Government Records Directive and the numerous instances of
the misuse of email by officials, employees, and subcontractors at all levels of government.
As you read the following additions to the instructions, think about actual events that may
have precipitated their inclusion:

• Applicability: This instruction applies to information created, received,

collected, processed, maintained, disseminated, disclosed, or disposed of by
or for the DoD, in any medium or form, including information managed by
DoD or a third party on behalf of DoD.
• Policy: It is DoD policy that
° Records created, sent, or received using electronic messaging accounts
must be managed electronically, including the capability to identify,
retrieve, and retain records for as long as they are needed.
° Records and non-record materials are government-owned and cannot
be copied or removed from government custody or destroyed, except as
authorized.
° Nonofficial electronic messaging accounts, with very few exceptions,
must not be used to conduct official DoD communications. If a DoD
 ELEC TRON IC R E C OR DS AN D E LE C TR O N IC R E C O R DS MAN AG E M E N T SYSTE MS / 16 5

employee uses a nonofficial electronic messaging account, the employee

must copy the message to his or her official electronic messaging account
when the record is first transmitted, or must forward a complete copy of
the record to their official electronic messaging account within 20 days
of the record’s original creation or transmission.33
RMA products are tested for compliance with DoD 5015.02-STD, and certification by the
Defense Information Systems Agency’s (DISA) Joint Interoperability Text Command (JITC)
indicates the product has met the baseline requirements for electronic recordkeeping for
Department of Defense organizations. The JITC RMA Product Register publishes the test
results online (as shown in figure 6.3).
Note the plus signs in the Vendor column in figure 6.3. Select one to learn more about
that product. For example, a detailed report for the third listing, IBM Enterprise Records
v5.1.x, indicates the following among the other useful features demonstrated: document im-
aging capability, bar-coding capability, workflow and document management features, print
file label capability, and web capability.
Note also in figure 6.3 the column labeled “FOIA & PA.” Products certified compliant
with both the Freedom of Information Act (FOIA) and the Privacy Act (PA) will have a
checkmark in that column.
Using DoD 5015.02-STD Outside the Federal Government Sector, the ARMA technical re-
port introduced in chapter 2, identifies gaps in the standard’s requirements where records
management functions—such as bar coding, folder and box labels, physical records track-
ing systems, integration with offsite storage facilities, and development of (mandatory) de-
struction certificates—are not addressed.34

Modular Requirements for Records Systems (MoReq2010)

The MoReq2010 specification was designed for users of electronic records, experts in records
management, and suppliers of ERMS software outside of the United States. Launched in

FIGURE 6.3 DoD 5015.02-STD compliance test results are shown

on the RMA Project Register webpage.
SOURCE: Joint Interoperability Test Command (JITC). “RMA Product Register,” Records Management Application (RMA),
accessed October 7, 2017, http://jitc.fhu.disa.mil/projects/rma/reg.aspx.
16 6 / CH AP T ER 6

May 2011, this version contains functional and nonfunctional requirements for records
systems as defined by ISO 15489-1:2001 (MoReq2010 has not yet been updated to reflect ISO
15489-1:2016). MoReq2010 does not specify any records system, but it outlines the essen-
tial elements a records system should possess.35 It defines the core functionality required
of records systems for public and private sectors. Because it is a modular specification, it
can be extended to allow for specialized application in different jurisdictions, markets, and
industry sectors, including healthcare, finance, defense, and legal.
In previous specifications of MoReq, an ERM system was visualized as a stand-alone
content repository situated alongside other content repositories. MoReq2010 however,
views ERM as a capability that could be integrated within each separate application used
or could sit behind those applications and manage records within them. For organizations
that have invested heavily in different types of electronic systems, the view of one user
interface and one repository/server is unrealistic. The introduction and rapid adoption of
products such as SharePoint for collaboration have introduced the potential for collabora-
tive silos and further complicates the issue.
MoReq2010 is described as the first of a new generation of systems and processes that
will enable a single view of records and archives. Interoperability is achieved by abstracting
metadata from the underlying document repository, database, middleware, and operating
system. This specification provides a layer of RM-inspired middleware between the under-
lying infrastructure and every application and service, which should provide a RM policy
from cradle to grave.
MoReq2010 “enables commercial and government organizations to secure and develop
critical information independent of email, document and content management, cloud and
mobile systems, so that when systems are changed, updated, migrated or integrated, the
security, value and probity of the records is maintained.”36 Figure 6.4 illustrates the compo-
nents of a MoReq-compliant records system.
The MoReq2010 accreditation, certification, and testing program was announced in De-
cember 2011, and the first accredited test center, Strategy Partners, was named. The DLM

Plug and Play Components of a MoReq2010®

Compliant Records System

Core Services Model Services

• Records Service • Model Role Service
• Classification Service • Model Metadata Service
• Disposal and Scheduling Service
• Disposal Holding Service
• Search and Reporting Service Features that support plug-in modules
• Export Service • Component Storage
• User and Group Services • Interfaces

FIGURE 6.4 A MoReq2010-compliant records system as a group of interrelated

services with a service-based architecture.
 ELEC TRON IC R E C OR DS AN D E LE C TR O N IC R E C O R DS MAN AG E M E N T SYSTE MS / 167

Forum serves as the certifying body.37 Whereas earlier versions of MoReq were very popu-
lar, as of this writing, MoReq2010 has not garnered wide support and the project appears
to have stalled. This could reflect the trend toward integration of systems by vendors of
products and services that do so without referencing MoReq or seeking certification.

Electronic Records Management System Functionality

The scope of the electronic records management system will be determined by other sys-
tems already in place, the functional requirements identified by the organization, and the
resources available. Organizations have several options and can install:

• separate systems for electronic and paper records;

• a single system for all records, both physical and electronic;
• separate systems for some records types, such as email and IM; and
• a separate system (or systems) for functional areas or subgroups.

The most pressing challenge is to acquire a records management system that works with
existing and planned business systems. This section provides examples of several differ-
ent frameworks for integration to help you visualize where records under the control of a
records management system might reside and how those systems could interact with one
another.

Integration of EDM and ERM Systems

The technical report ANSI/AIIM/ARMA TR48-2006 Revised Framework for Integration of
Electronic Document Management Systems and Electronic Records Management Systems pro-
posed three approaches to implementing an integration of an electronic document manage-
ment system (EDMS) with an electronic records management system (ERMS).38
The first model illustrated the integration of a stand-alone EDMS with a stand-alone
ERMS. This situation exists, for example, when an EDMS is in place and the organization
decides to implement a separate ERMS system (see figure 6.5). The existing EDMS interface
and repository/server are used to manage documents produced in other systems. Docu-
ments considered records but residing in the EDMS could be classified as records by linking
them to an ERMS folder. Both physical and electronic documents created in other sys-
tems (for example, email messages) could be declared and classified directly into the ERMS.
An email attachment could be classified into the ERMS if considered a record or into the
EDMS if considered a work in progress.
The second and third models show how one user interface could manage documents
and records in either a single repository/server (Model 2) or in separate repositories/servers
for the EDMS and the ERMS (Model 3). From these early attempts to integrate the function-
ality of EDM and ERM systems came the term electronic document and records management
system (EDRMS).
A full-featured EDMS with built-in ERMS is portrayed in Model 2. This product is the
result of acquisitions of ERMS by vendors of EDMS to add records management functional-
ity to their products. Management is simplified by providing the user with a single interface
and single repository/server (see figure 6.6). Documents stored directly within the EDRMS
along with their associated metadata utilize a consistent metadata schema. However, some
16 8 / CH AP T ER 6

FIGURE 6.5 Model 1—Integration of stand-alone EDMS with stand-alone ERMS.

electronic information, such as email, will have to be imported from other systems, and
their associated metadata will differ. Documents produced by other systems are saved to
the EDRMS first and then declared, classified, and managed as records. An EDRMS can also
identify and track physical documents such as incoming mail and patient records using bar
code labels or RFID (radio frequency identification) smart labels.
The third approach integrates electronic records management functionality into the
EDMS repository (see figure 6.7). The user interface interacts with the EDMS repository/
server, which then interacts with the ERMS. The records remain in one location, and the
metadata residing within the ERMS is used to point to and manage them. The ERMS man-
ages the enterprise file plan, retention schedule, and disposition processing.

Enterprise Content Management Systems

and Records Management Functions

The previous models were designed at the same time the concept of enterprise content
management systems was gaining momentum. Although one might say ECM goes back
almost thirty years to the introduction of computer networks and document scanners, it
wasn’t until the early 2000s that managing web content and websites as corporate assets
came under the control of ECM. In 2004, Gartner introduced the Magic Quadrant for ECM,
which it described as “the convergence of document management, Web content manage-
ment, and other content technologies into a comprehensive suite.”39 At the time, six com-
ponents were reviewed, and one of them was “records management for legal or regulatory
purposes, long-term archiving, and automation of retention and compliance policies.”40
In November 2016, Gartner released a critical capability report for ECM products41
and scored fifteen ECM products on five factors: personal and team productivity; records
management and compliance; process applications; content ecosystem; and digital Trans-
formation/modernization. The fifteen vendor products listed in rank order from highest
to lowest were OpenText, IBM, Dell ECM, Hyland, Laserfiche, Oracle, Lexmark, M-Files,
Alfresco, Objective, Newgen Software, SER Group, Xerox, Microsoft, and Everstream.
In 2017, Gartner declared ECM dead for one specific reason—it was not meeting expec-
tations. ECM promised to deliver the following benefits:
 ELEC TRON IC R E C OR DS AN D E LE C TR O N IC R E C O R DS MAN AG E M E N T SYSTE MS / 169

• regulatory compliance and risk

management
• retention and dissemination of
business knowledge
• cost and process efficiencies
• innovation and ways of working.

The ECM platform appeared to success-

fully enable only one of the four benefits:
regulatory compliance. In reality, most
organizations have more than one reposi-
tory, and the integration required to share
business knowledge is challenging.42
The cloud, social networks, and mo-
bile and analytics technologies require a FIGURE 6.6 Model 2—EDRMS
different approach. Therefore, Gartner (integrated EDMS with ERMS).
proposed the concept of the Content Ser-
vices Platform (CSP) as the next stage of
ECM. The core of CSP is an integrated set of content-related services and microservices,
repositories, and tools that can be extended and adapted. The first Gartner Magic Quad-
rant for Content Service Platforms (2017) included some familiar vendor products, such
as OpenText, Microsoft, IBM, Alfresco, and Laserfiche. But it also included vendors that
would not have been considered in the ECM market, such as those that serve a single ver-
tical market or those that offer strictly platforms and not package solutions, including Box,
iManage, Comarch, Micro Focus (HPE Software), and Nuxeo.43
MoReq2010 moved beyond the concept of integrating either an EDMS or an ECMS
with an ERMS to the integration of records management functions within all business sys-
tems.

FIGURE 6.7 Model 3—Integration of ERMS into an EDM repository/server.

170 / CH AP T ER 6

MoReq2010 Architecture

MoReq2010 was originally based on one centralized repository model where an organiza-
tion’s stand-alone records systems would capture records into its own repository from a
variety of external sources, including users and other business systems (see figure 6.8). Fig-
ure 6.9 shows records managed in place by a records management system. This integration
of a records management system with any type of business system rather than an EDMS
or ECMS accommodates current and future types of business systems that create records.
Another alternative is the adoption of records controls by the business system. This busi-
ness/records system would manage only a specific set of records captured or generated by
that business system as shown in figure 6.10.
Interoperability enables different systems with different features from different sup-
pliers to exchange records and other information. This is accomplished using standard-
ized metadata, in this case the MoReq2010 XML schema. For testing and certification,
MoReq2010 requires that records systems be measured against the MoReq2010 model
metadata service in one of two ways:

• The records system implements the MoReq2010 model metadata service in

full.
• The records system implements its own native metadata model and
(1) demonstrates that its native metadata model is equivalent to the
MoReq2010 model metadata service, and (2) that it can convert its native
metadata into the same XML format used by the MoReq2010 model
metadata service.

The examples presented in figures 6.8, 6.9, and 6.10 represent three records control options,
any combination of which may be employed within an organization to manage electronic
records:

FIGURE 6.8 Model 4—Records are captured from a business system and moved into a
records repository for control by the records system.
 ELEC TRON IC R E C OR DS AN D E LE C TR O N IC R E C O R DS MAN AG E M E N T SYSTE MS / 171

• intellectual and physical control of records within a records repository,

• intellectual control of records housed in a document management system
or enterprise content management system, or
• intellectual control of the records housed within business systems (e.g., an
email system, an accounting system, or a GIS).

In some cases, the electronic records systems will also exert intellectual control over phys-
ical records housed on- or off-site.

FIGUE 6.9 Model 5—Records managed by a records management system

regardless of their location.

FIGURE 6.10 Model 6—Records management functionality built into a business system.
172 / CH AP T ER 6

Records management functionality has been considered an essential component of

document management, electronic content management, and now content service plat-
forms. The ideal situation is to have records management capabilities integrated into the
solution; however, even when that is the case, it may not be enough to meet the needs of the
organization. To see how complicated this issue has become, we’ll use SharePoint On-Prem-
ise and Office 365/SharePoint Online as an illustration.

SHAREPOINT AND RECORDS MANAGEMENT

SharePoint is known as a collaboration tool, a document management tool, or an enterprise

content management product. It comes in two versions—an on-premise version (Share-
Point Server 2016 at the time of this writing) and an online version (part of the Office 365
suite, called SharePoint Online).
An organization must decide if one or a combination of both is suitable based on mul-
tiple factors. SharePoint on-premise requires an IT team to maintain the server and apply
updates and patches. Office 365/SharePoint online is a software-as-a-service (SaaS) offer-
ing. With a cloud offering there is no hardware to buy and software updates occur automat-
ically. Of course, there are other considerations—cost for one and compliance requirements
for another. With the on-premise option, an investment must be made in hardware, which
will be depreciated over time. The cloud option, on the other hand, is an operating expense,
that is billed monthly per user. When it comes to records management, both the on-premise
and the cloud version have functionality built in.

On-Premise Version and Records Management Features

The on-premise version allows the management of unstructured content through a hierar-
chy of site collections: sites/sub-sites, document libraries, (folders/document sets), and doc-
uments. Document libraries can be used to store and manage records—essentially becoming
logical containers or aggregations of records like files in a traditional EDRM system.

Online Version and Records Management Features

Like SharePoint Server 2016 for on-premise, SharePoint Online offers several features
important for managing records, including:44

• metadata options that allow multiple metadata-based rules to be set

• unique, persistent document ids
• folders and document sets
• versioning
• detailed audit trails
• access/permission controls
• legal compliance/retention and disposal
• search capabilities

However, the cloud option, part of the Office 365 suite,45 provides users with added features
that facilitate communication and collaboration while complicating records management,
including but not limited to:
 ELEC TRON IC R E C OR DS AN D E LE C TR O N IC R E C O R DS MAN AG E M E N T SYSTE MS / 173

• Office 365 Groups, each with its own SharePoint site

• Teams, a chat-based workspace
• OneDrive for Business, a personal version of SharePoint
• Yammer, a microblogging and collaboration tool (asynchronous
communication)
• Skype for Business
• Outlook for email
• Delve, a data visualization and discovery tool
• Planner, a planning application to organize teamwork
• Sway, an app to create and share interactive reports, presentations, and
personal stories

Consider the ramifications—SharePoint is only one part of Office 365 and users can elect to
work with any of the options enabled. They can store files in OneDrive, communicate with
those outside the organization through Yammer, upload files to a document library in a
team site, and more. Some of these settings can be disabled for added control. Even so, users
who are more creative and productive working in a lightly controlled environment would
object. To further complicate matters, a hybrid approach—using both SharePoint on-prem-
ise and online—is possible. Planning before implementation and rollout is essential. This is
where records management expertise is invaluable!

Implementing Records Managers in both SharePoint

On-Premise and SharePoint Online

There are three approaches:

1. Within SharePoint, you can create a Records Center to serve as a repository

for copies of documents when they become records.
2. You can manage records in place without copying or moving documents to
a special repository by declaring the document a record and then applying
security, retention, and disposition properties to it.
3. You can use a hybrid approach by managing active documents in place for
a set period and then moving them to a records center when no longer
actively in use.

Records retention policies are set in the Security and Compliance Center. Two retention
policy subsections (options) are (1) retention-based policies meant to be used for global poli-
cies, such as retention of email not governed by other retention policies, and (2) label-based
policies mapped to individual classes in a retention schedule or disposition authority (as is
done in the Australian recordkeeping context).

Enhancing SharePoint Records Management Functionality

Remember the RMA Product Register in figure 6.3? As strong as its records management
features appear, Microsoft SharePoint is not on the list.
A report produced by a committee of the InterPARES Trust research project found,
“Office365/SharePoint online has limited retention and disposition features that may be
1 74 / CH AP T ER 6

sufficient for smaller organizations or for initial installations to better understand its ca-
pabilities. However, those who demand more robust records management functionality
would be wise to look at the integration of third-party solutions.”46
One such product, the Gimmal Compliance Suite, which is on the RMA Product regis-
ter, can use SharePoint architecture and taxonomies to extend the following record man-
agement functions for both SharePoint on premise and SharePoint online:

• File plan and retention schedule • Disposition

management • Auditing
• Classification and identification • Email
• Record declaration • Physical records
• Retention • Legal holds

A comparison of features included in Office 365 out of the box with those when Gimmal’s
software is added is shown in figure 6.11. Although these features may change by the time
you read this, it gives you an idea of how gaps between what you need to manage your
records and what is provided in the solution you choose can be filled in by a second product.

FEATURES Office 365 Office 365 + Gimmal

Automatic declaration of records at creation. ✓ ✓

Manual record declaration in addition to

automated processes.
✓ ✓

Create rules to declare records based on

conditions of an item (e.g., metadata).
x ✓

Lifecycle-based control throughout the life of

the record.
x ✓

Support Records Centers—but declaration of

records can occur in any suitable location.
x ✓

Declare records in OneDrive for Business,

Office 365, or legacy My Sites from one Limited ✓
solution.

Declare and manage physical and digital

records regardless of location.
x ✓

Manage essential records in SP while ensuring

security at all times.
x ✓

FIGURE 6.11 Records declaration feature from the SharePoint-Gimmal Matrix.

SOURCE: Created by author based on information provided on Gimmal’s website, https://www.gimmal.com/.
 ELEC TRON IC R E C OR DS AN D E LE C TR O N IC R E C O R DS MAN AG E M E N T SYSTE MS / 175

This type of extender is now also available from Gimmal for other electronic systems—
legacy ECM solutions, file shares, OneDrive for Business, and Box—due to Gimmal’s acqui-
sition in early 2017 of RecordLion, an information governance and records management
software company. And there is competition in this marketplace as well from vendors such
as Collabware and Colligo. Another option, Records 365, was built especially for Office 365.
Responding to client needs, in September 2017 Microsoft announced new data gov-
ernance features would be added in Office 365. Among them are three powerful tools to
govern data, information, and records:

• Records management dashboard: The dashboard will provide an overview

of all disposition activity.
• Access governance dashboard: This dashboard, which supports data
leakage controls, will show any items that (a) appear to contain sensitive
content and (b) can be accessed by “too many” people.
• Autosuggested records retention policies: The system can identify groups
of records that do not seem to be subject to a suitable retention policy and
make a recommendation to create one.47

DATA AND SYSTEM MIGRATION

Storing digital objects in a repository, identifying records, and managing them using an
electronic records management system are important, but that is not the end of the records
management process. The records must be managed “over time” as dictated by records
retention requirements. Because some records have retention requirements that extend
beyond the expected life of the systems in which they reside, the records manager must also
understand the issues involved in migrating content from one system to another.

Data Migration Issues

Data migration issues must be addressed before moving on to system migration issues.
Among the data migration considerations are:
• Data identification: Identify all source data that must be migrated to
the target system and where it is located. Identify gaps between the data
required in the target system and the data existing in the source system.
Consolidate data from more than one source system if necessary to fill in
the gaps.
• Unique identifiers: When records from two or more databases are
consolidated into one database during migration, there is a possibility that
the same identifier is used more than once. For example, one database may
use the prefix “P” for the planning whereas a second database uses the
prefix “P” for purchasing. If conflicts are identified, a business rule can be
written to change one of the identifiers (e.g., PR for purchasing or PL for
planning) to avoid duplication and facilitate search and retrieval.
• Data quality assessment: Examine the value of the data. Remove duplicate
data and identify data that no longer has value before implementing a
system migration.
176 / CH AP T ER 6

• Metadata identification: Decide which metadata should be migrated and

which metadata are no longer relevant. Document the rationale behind
these decisions.
• Explicit metadata fields: Search and retrieval depends upon the existence
of explicit metadata. If the current system does not store all necessary
metadata as required (e.g., separate fields for first name and last name),
establish those new fields. If the current system applies metadata through
inheritance from a parent record (e.g., disposal after audit), enter the
metadata as an explicit value or preserve the functionality that will allow
the value to be inherited from a parent record.

System Migration Issues

Systems may be upgraded or replaced to accomplish business goals, including enhanced

security, increased productivity, and decreased costs. In addition, mergers and acquisitions
can force an organization to transfer its data to a system used by a company with which it
has merged. Among the issues to be considered when migrating content to new systems are:

• Metadata mapping: Content migration is challenging due to the potential

loss of quality of existing metadata. It is important to map metadata
between the existing business system and the new one. The metadata that
must be mapped is metadata about the types of objects the application can
hold (entities); a description of the document/object; the actions that users
can perform on the entities (functions); and the roles users can be assigned
(collections of functions users can perform such as access, view, download
content).
• Records management metadata: Records management metadata—
including records management controls (disposal authorities, security
classifications, and record classification tools); metadata to automate
activities; and metadata used to aggregate related documents into files,
volumes, or series—must also be migrated.
• Consider the alternative: Migration can be time-consuming and costly.
An alternative to migration is to use the new system going forward and
maintain the legacy system to manage existing content. Disadvantages to
this approach include the cost of maintaining both systems (e.g., licensing
fees and technical support); loss of productivity because users will be
required to use both systems to access information; and eventual loss of
employees who know how to use the older system.
• Keep abreast of new systems and standards: With the increased
popularity of cloud solutions, organizations should be aware of the issues
and strategies related to data migration to the cloud. Those wishing to
take advantage of cloud migration without jeopardizing mission-critical
information should consider a private cloud or a hybrid approach to
maintain some data behind the organization’s firewall. A review of the
current information governance strategy is also necessary to address
security and control issues introduced by moving to the cloud.
 ELEC TRON IC R E C OR DS AN D E LE C TR O N IC R E C O R DS MAN AG E M E N T SYSTE MS / 177

System Migration Process

Records managers who understand integration challenges are prepared to work with infor-
mation technology personnel to plan and manage system migration. They can, for example,
assist during the pre-migration and post-migration testing phases to ensure the output is
accurate and complete, monitor data quality in the new system, and help prepare for the
next migration.
Additional guidance on managing the migration of digital records is available from sev-
eral sources, including the State Records Authority of New South Wales. Guideline 22, Sec-
tion 4 of the Government Recordkeeping Manual, “Effectively Manage the Migration of Your
Digital Records,” which provides a wealth of information to help manage the migration of
digital records.48 The topics covered include key record requirements critical to maintaining
record authenticity, integrity, reliability, and usability during migrations; data and system
issues to consider when developing a migration plan; the use of contractors to perform
migrations; pre- and post–migration testing; and creating records of the migration.

RECORDS MANAGEMENT IN THE CLOUD

What should be done about records residing on third-party servers? One option is to cap-
ture those records (e.g., tweets and posts) and bring them into an in-house system. Another
option is to manage those records in the cloud. To decide which option is most appropriate
for any organization, it is important to understand cloud computing.
Cloud computing involves web-based hosted services divided into the following three
basic categories:

• Software as a service (SaaS): Software as a service means delivering

software over the internet, eliminating the need to install the software on
the organization’s own computers. Examples include Office 365 and Google
Apps.
• Platform as a service (PaaS): The best-known example comes from
Salesforce.com, which has been providing customer relationship
management (CRM) applications since 1999. Salesforce.com offers a set of
tools and application services called Force.com that internet service vendors
and corporate IT departments can use to build new and better applications
for tasks such as human resource management (HRM), supply chain
management (SCM), and enterprise resource planning (ERP).
• Infrastructure as a service (IaaS): Infrastructure as a service is the delivery
of computer infrastructure—generally virtualized platform environments—
as a service. This service typically is considered a utility, like electricity and
water, which is billed based on the amount of resources consumed. Amazon
.com Web Services and Rackspace Openstack Cloud are two examples of
this type of cloud service.

Cloud computing offers the following benefits:

• highly efficient storage of records that are rarely accessed but must be
maintained, such as old email messages and documents.
178 / CH AP T ER 6

• economies of scale, giving the organization access to records platforms,

functionality, and preconfigured compliance-driven solutions that were
previously unaffordable.

Some cloud providers will likely fail or be forced to change their business models, resulting
in a reduction of the functionality delivered for a specific price. In addition, as the sector
matures, mergers and acquisitions will reduce the number of products we’re familiar with
while introducing new options.
Due diligence is advised, but it is not always easy to predict future events. In the case of
cloud computing, it is essential to understand customer rights to terminate the agreement,
migrate to another service, or fall back to a pre-cloud contract if one existed.

PLANNING AND MANAGING AN ELECTRONIC

RECORDS MANAGEMENT PROGRAM

The information in this chapter is provided to help you better understand electronic
records and the systems that create and manage them. Selecting and implementing the
ERM system is one phase in planning and managing an electronic records management
program outlined as follows:

1. Conduct an electronic records survey.

2. Plan the electronic records management project.
3. Select and implement the ERM system.
4. Advocate effective electronic records management.
5. Manage organizational change.

The ERM program is one aspect of the organization’s overall records management program.

SUMMARY

Electronic information systems are employed to improve the efficiency and effectiveness
of an organization, not to create records. However, information is created by these systems,
and a portion of that information is comprised of records that must be managed to meet
compliance requirements and to provide evidence of business transactions.
Web and social media technologies have changed the way we communicate, collab-
orate, and interact with others within and outside of the enterprise. They also generate
information, some of which are records. Records and information managers play a vital
role in identifying records and providing guidance to those responsible for capturing and
managing them.
Various content management systems can be used to control unstructured content, in-
cluding web content management systems, enterprise content management systems, and
social content management systems. Electronic records management systems can be in-
tegrated with other business systems to manage the records residing in the systems of ori-
gin. Typical electronic records management system functions include protecting the record
against modification or tampering, marking records as essential, and freezing and unfreez-
ing disposal rules.
 ELEC TRON IC R E C OR DS AN D E LE C TR O N IC R E C O R DS MAN AG E M E N T SYSTE MS / 179

Two de facto standards that provide guidance to vendors creating records management
applications are the US Department of Defense’s DoD 5015.02-STD: Electronic Records Man-
agement Software Applications Design Criteria Standard and the European MoReq2010: Mod-
ular Requirements for Records Systems.
Organizations have several options for implementing records management systems,
including installing separate systems for electronic and paper records or installing a single
system for both electronic and physical records. Several approaches to integrating electronic
records management systems with other electronic systems exist. And connectors and ex-
tenders can be installed to enhance records management features built into business sys-
tems.
The useful life of records and information often extends beyond the lives of the sys-
tems in which they are created and stored. Migration is an activity that transfers records
and information from one system to another so they can be read and used as long as nec-
essary. Records managers can contribute to data and system migration operations in vari-
ous ways, including identifying records and the metadata required to describe and manage
those records.
The growing trend to take advantage of cloud computing services presents additional
records management opportunities and challenges.
In the next chapter, we’ll explore emerging technologies and their impact on records
management. But before we do that, Morgan King, Director and Head of Records and In-
formation Management, and Stephen Aaronson, Director and Head of IT Legal, explain
how they teamed up to implement a full-service ERMS at a leading global biotechnology
company in their paradigm.

PA R A D I G M

The Art and Science of ERMS Deployment

Morgan King Stephen Aaronson
Director and Head of Records and Information Director and Head of IT Legal,
Management, Shire Pharmaceuticals Shire Pharmaceuticals

T he days of manual and paper-based processes are gone. Technology is the core infra-
structure that runs all businesses. Because employees can instantaneously duplicate
data for their convenience, Electronically Stored Information (ESI) is growing at an unprec-
edented rate. Enterprises are employing a myriad of vehicles for storing and providing
access to information. These include traditional client servers, cloud-based solutions,
mobile devices, and other computing systems. Demand and pressures for state of the art
information technology-based solutions and delivery vehicles are increasing exponentially.
Although these solutions are generally regarded as readily available commodities and ven-
dors are marketing them to leaders of core business functions as “must haves” to remain
innovative, companies are challenged to keep their IT costs relatively flat.49 Technology is
not free.
This creates a fiscal paradox for companies: it is necessary to keep investments in
information technology solutions flat while growing the technology footprint. With these
18 0 / CH AP T ER 6

conflicting pressures in play, organizations are challenged to prioritize investments in infor-

mation technology. They must balance running the business (or keeping it afloat) and opti-
mizing the business through investments in technology and process innovation. At the
center of this paradox is information.
Further compounding this central tension between cost reduction and growth is
the fundamental pressure on many organizations to mitigate risks and satisfy regulators.
Depending on the industry, there are different rules and regulations for storing and retain-
ing information that is considered a company record. Failure to protect this information
can lead to damages associated with liabilities, license to operate, loss of intellectual
properties, sanctions, or damage to corporate image. Many companies that are faced with
the demand to manage regulatory and legally complex risks first begin by establishing a
records and information management (RIM) presence in the organization. This may be one
individual for smaller companies or an entire team of personnel in larger organizations. In
an exclusively paper world, the mere presence of a RIM expert, the institution of policies,
and the education of staff on principles and best practices would entail risk. However, we
do not live in such a world.
Companies must now address dynamic ecosystems of information in a variety of for-
mats and silos. Records and information management must be partnered with other func-
tions concerned with information, most pointedly, the information technology function. See
table 6.1 for details.
Beyond partnership, technology and automated process are required to achieve the
level of systematic control that legal and regulatory authorities now expect organizations
to meet.
Electronic records management systems (ERMS) assist with applying systematic pro-
cesses and controls to mitigate the risks that could lead to damages. An ERMS requires
significant investment that must be justified, vetted, and prioritized against the other
demands for investments in information technology.
In the past, justification for an ERMS focused mainly on intangible needs—to have
good practices, the ability to locate information, or the damages that may result if there
was failure to comply with regulations. This was an extension of the risk mitigation ratio-
nale that led companies to institute a records and information management program in the
first place. However, as companies face the “pull” of the information paradox—the demand
to reduce cost—the high price tag and resource requirements attached to robust ERMS
implementations become a major deterrent. When faced with these figures and options,
companies may be more willing to accept risk and hope that policies and training are
enough.
The damages that RIM professionals may often dangle in front of management to try
to make the case for investments in technology are “what if” scenarios that are difficult to
quantify. They can be viewed as scare tactics or fear-mongering. Companies may be will-
ing to accept the risk of not having an ERMS. Their rationale may be that these damages
will never occur and that their investment in RIM personnel and organizational education is
appropriate. In our experience as leaders in IT and RIM, rather than focusing on the intan-
gibles, successful business cases shift the focus towards the tangibles and how an ERMS
can be viewed as the “push” of the information paradox—paving the way for innovation and
growth.
The tangible benefits of a full service ERMS are associated with reducing storage
costs by eliminating ROT (redundant outdated and trivial content) and records and infor-
mation that do not need to be retained, freeing up operating and infrastructure expenses
 ELEC TRON IC R E C OR DS AN D E LE C TR O N IC R E C O R DS MAN AG E M E N T SYSTE MS / 181

TABLE 6.1 How will you partner?

Who? Description Responsibilities with respect to ERMS

Records and The individual or • Set the business policies for operating the ERMS.
Information team accountable for • Responsible and accountable for training. the
Management implementing records organization to ensure appropriate use.
and information • Socialize tool and promote user adoption.
management policies, • Gather metrics to assess and manage ERMS
standards, procedures, performance.
and guidelines and • Identify new business use cases/ opportunities to
training the organization enhance tool performance over time.
on good records • Defend tool in audits and investigations.
management practices

RIM IT The individual or • Envision (in partnership with RIM) the technology
Business team responsible for required to support records and information
Partner partnering with RIM management requirements.
to support technology • Architect solutions.
solutions for records • Procure the ERMS.
and information • Deploy the ERMS—includes validation and
management documentation to support the system in a highly
regulated environment such as healthcare.
• Run the ERMS—ensure the system does what it
is supposed to do, respond to user experience
feedback, and make incremental process
improvements over time.
• Enable system upgrades, migrations, and
enhancements as appropriate.

RIM Liaisons Records and information • May serve as testers/or pilot participants as an
management subject ERMS is rolled out.
matter experts within • Serve as “change champions” as the tool is
business functions. socialized to the organization.
• Utilize the ERMS to appraise and archive content.
• Provide feedback to RIM and IT to ensure tool
meets their needs.

Information The owners or • Utilize the ERMS to appraise and archive content.
Owners or custodians of records • Provide feedback to RIM and IT to ensure tool
Custodians and information meets their needs.

Senior Senior leaders in the • Serve as executive sponsors for business cases.
Management organization—often • Provide buy-in and funding for ERMS projects.
have a direct leadership • Monitor progress as tools are deployed by
line to RIM and RIM IT receiving sponsor updates from RIM and IT.
(in our case these are
leaders in Legal and IT).
18 2 / CH AP T ER 6

TABLE 6.2 Metrics and assigned responsibility.

What? Who Captures?

License/Maintenance cost IT system owner of tool or infrastructure

Storage cost IT system owner of tool or infrastructure

GB of data ingested RIM team/RIM IT business partner

Data disposed per policy RIM team/RIM IT business partner

Systems archived/decommissioned RIM team/RIM IT business partner

by eliminating legacy or redundant systems, enabling human resource productivity gains

to focus on other business critical activities through efficient information searches and
retrieval, and accelerating associated tasks. These gains are realized while remaining com-
pliant with legal and regulatory requirements. How a team arrives at the tangible benefits
is both an art and a science; a framework for value capture must be artfully designed by
individuals who also understand all the variables in the landscape that can be applied
mathematically to demonstrate the profitability of the initiative. Table 6.2 provides details.
As for the framework, those endeavoring to build an ERMS must understand the land-
scape in which it will operate. This includes an understanding of where records are located,
record types, information custodians and owners, time spent managing the records, the
space they consume, application and infrastructure licensing, and infrastructure run rates.
This foundational information must be gathered in tandem by RIM and IT professionals to
engineer a comprehensive suite of tools to address business needs and drive growth.
As for the mathematical algorithms, productivity calculations can be done with the
help of an organization’s HR department. If you think of an ERMS as stock, it can yield high
dividends that can be immediately reinvested in running the business or cashed in. The
license, maintenance, and storage costs of retiring systems and reducing the organiza-
tion’s storage footprint are straightforward once the mechanism for capturing the metrics
is established and consistently deployed. Once the metrics are captured, they can be used
by your team to demonstrate the value of your investments. In many industries, the ability
to do so is a required competency in order to continue to operate and further develop the
program.
In our experience, taking the time to develop a robust strategy for your ERMS prior
to deployment is critical to success. Building a meaningful file plan, investing in the right
technology, and deploying it in such a way that it becomes an accelerator rather than a
hindrance to the business will inevitably lead to meaningful savings. It will also lead to an
appreciative organization that is no longer held captive by the costs and operational bur-
dens of historical data.

NOTES
1. Glossary of Archival Language for Archives in Tennessee, s.v. “electronic record,” accessed October 7,
2017, www.expertglossary.com/definition/electronic-record.
2. National Archives and Records Administration (NARA), s.v. “electronic record,” “Context for
Electronic Records Management [ERM], accessed October 7, 2017, https://www.archives.gov/
records-mgmt/initiatives/context-for-erm.html.
 ELEC TRON IC R E C OR DS AN D E LE C TR O N IC R E C O R DS MAN AG E M E N T SYSTE MS / 18 3

3. International Organization for Standardization (ISO), ISO 16175-1:2010—Information

and Documentation—Principles and Functional Requirements for Records in Electronic Office
Environments—Part 1: Overview and Statement of Principles (Geneva: ISO, 2010).
4. Broadridge Financial Solutions, “Welcome Disney Shareholders,” accessed October 7, 2017,
http://shareholder.broadridge.com/disneyinvestor/#navTabs4.
5. Laurent Belsie, “Wal-Mart: World’s Largest Company,” The Christian Science Monitor,
February 19, 2002, www.csmonitor.com/2002/0219/p01s04-usec.html.
6. UPS, “Defining Logistics, How it Relates to Your Supply Chain—And Why It’s Crucial for Your
Company,” accessed October 7, 2017, https://www.ups.com/us/en/services/resource-center/
Logistics-Definition.page.
7. Michael Bentley, “Fighting Amazon’s Supply Chain Takeover,” Logistics Management,
January 3, 2017, www.logisticsmgmt.com/article/fighting_amazons_supply_chain
_takeover.
8. Arjun Kharpal, “Amazon Wins Patent for a Flying Warehouse That Will Deploy Drones to Deliver
Parcels in Minutes,” CNBC, December 30, 2016, https://www.cnbc.com/2016/12/29/
amazon-flying-warehouse-deploy-delivery-drones-patent.html.
9. Kayla Yurieff, “Amazon Patent Reveals Drone Delivery ‘Behives,’” Money, June 23, 2017,
http://money.cnn.com/2017/06/23/technology/amazon-drone-beehives/index.html.
10. Marco Margaritoff, “Trump Administration Expands Drone Use to Beyond Visual Line of Sight,”
The Drive, October 25, 2017, www.thedrive.com/aerial/15458/trump-administration-expands
-drone-use-to-beyond-visual-line-of-sight; Margaritoff, “FAA Grants Waiver Allowing CNN to Fly
Drones Over Crowds,” The Drive, October 18, 2017.
11. G2 Crowd, “Best Web Content Management Systems,” accessed October 7, 2017,
https://www.g2crowd.com/categories/web-content-management.
12. Influence Health, “Content Management System (CMS) by Influence Health,”
accessed October 7, 2017, https://www.influencehealth.com/consumer-experience-platform/
content-management-system.
13. Kaspersky Lab, “Multilayered Security, Management and Control for All Mobile Endpoints,”
accessed April 28, 2018, https://media.kaspersky.com/en/business-security/
kaspersky-mobile-security-datasheet.pdf.
14. The Sedona Conference, “Commentary on BYOD: Principles and Guidance for Developing
Policies and Meeting Discovery Obligations,” 2018, https://thesedonaconference.org/publication/
Commentary%20on%20BYOD.
15. Sudipto Ghosh, “Content Management Systems with Web Analytics & Social Media Integrations
Key to Industry,” Market Technology Insights, March 31, 2017, http://martechseries.com/
content-marketing/content-management/content-management-systems-with-web-analytics
-social-media-integrations-key-to-industry/.
16. AIIM, “What Is Enterprise Content Management (ECM)?” accessed October 7, 2017,
www.aiim.org/What-is-ECM-Enterprise-Content-Management.
17. Rick Whiting, “M-Files Adding AI Capabilities to Its Content Management System with
Acquisition,” CRN, August 29, 2017, www.crn.com/news/applications-os/300091296/
m-files-adding-ai-capabilities-to-its-content-management-system-with-acquisition.htm.
18. ARMA International, s.v. “electronic records management (ERM),” Glossary of Records and
Information Management and Information Governance Terms, 5th ed., p. 18, ARMA International
TR 22-2016. (Overland Park, KS: ARMA International, 2016).
19. National Archives and Records Administration (NARA), “Context for Electronic Records
Management (ERM),” Records Managers, last reviewed May 10, 2017, www.archives.gov/
records-mgmt/initiatives/context-for-erm.html.
18 4 / CH AP T ER 6

20. Barack Obama, “Presidential Memorandum—Managing Government Records,”

WhiteHouse.gov, November 28, 2011, www.whitehouse.gov/the-press-office/2011/11/28/
presidential -memorandum-managing-government-records.
21. Executive Office of the President, “M-12-18: Memorandum for the Heads of Executive
Departments and Agencies and Independent Agencies,” August 24, 2012,
https://www.archives.gov/files/records-mgmt/m-12-18.pdf.
22. David S. Ferriero, “Criteria for Managing Email Records in Compliance with the Managing
Government Records Directive (M-12-18),” April 6, 2016, p. 2, https://www.archives.gov/files/
records-mgmt/email-management/2016-email-mgmt-success-criteria.pdf.
23. Ibid., p. 3.
24. Ibid.
25. Treasury Inspector General for Tax Administration, “Additional Efforts Are Needed to
Ensure the Enterprise E-Mail Records Management Solution Meets All Requirements
Before Deployment, Ref. No. 2017-20-039,” August 7, 2017, https://www.treasury.gov/tigta/
auditreports/2017reports/201720039fr.pdf.
26. Ibid., p. 10.
27. ARMA International, s.v. “electronic records management system (ERMS),”
Glossary of Records and Information Management and Information Governance Terms,18.
28. Ibid.
29. Department of Defense, DoD 5015.02-STD: Electronic Records Management Software Applications
Design Criteria Standard (Washington, DC: United States Department of Defense, April 25, 2007),
www.dtic.mil/whs/directives/corres/pdf/501502std.pdf.
30. DLM Forum Foundation, MoReq2010: Modular Requirements for Records Systems,
accessed October 7, 2017, http://MoReq.info/.
31. DoD 5015.02-STD: Electronic Records Management Software Applications Design Criteria Standard.
32. Department of Defense Instruction, Number 5015.02, Incorporating Change 1, (August 17, 2017),
www.esd.whs.mil/Portals/54/Documents/DD/issuances/dodi/501502p.pdf?ver=2017-08-17
-142503-963.
33. Ibid.
34. ARMA International, Using DoD 5015.02-STD outside the Federal Government Sector,
ARMA TR 04–2009 (Lenexa, KS: ARMA International, 2009).
35. DLM, “About MoReq2010.”
36. Gareth Morgan, “Leading Vendors Collaborate for Records Management Scheme,” Computing.co.uk,
July 14, 2011, www.computing.co.uk/ctg/news/2094155/leading-vendors-collaborate -records
-management-scheme.
37. DLM is an acronym for Document Lifecycle Management. The DLM Forum is a European community
of parties interested in archive, records, document, and information lifecycle management.
38. AIIM International, ANSI/AIIM/ARMA TR48-2006 Revised Framework for Integration of Electronic
Document Management Systems and Electronic Records Management Systems (Silver Spring, MD:
AIIM International, 2006).
39. James Lundy, Kenneth Chin, and Karen M. Shegda, “Start Planning for Enterprise Content
Management,” Gartner, November 16, 2004, https://www.gartner.com/doc/461344/start-planning
-enterprise-content-management.
40. Brice Dunwoodie. “Vignette a Leader in ECM Magic Quadrant,” CMSWire, October 25, 2004,
www.cmswire.com/cms/enterprise-cms/vignette-a-leader-in-ecm-magic-quadrant-000459.php.
41. Karen M. Shegda and Gavin Tay, “Critical Capabilities for Enterprise Content Management,”
Gartner Report, November 29, 2016, www.project-consult.de/files/Gartner_ECM_Critical
_Capabilities_2017_Jan2017.pdf.
 ELEC TRON IC R E C OR DS AN D E LE C TR O N IC R E C O R DS MAN AG E M E N T SYSTE MS / 185

42. Michael Woodbridge, “The Death of ECM and Birth of Content Services,” Gartner, January 5, 2017,
http://blogs.gartner.com/michael-woodbridge/the-death-of-ecm-and-birth-of-content-services/.
43. Karen A. Hobert, Michael Woodbridge, and Joe Mariano, Gavin Tay, “Magic Quadrant for Content
Services Platforms,” Gartner, October 5, 2017, https://www.m-files.com/en/Gartner-Magic
-Quadrant-CSP-2017.
44. Andrew Warland, “How Office 365 Challenges Traditional Records Management Practices,”
blog post, September 27, 2016, https://andrewwarland.wordpress.com/2016/09/27/how-office
-365-challenges-traditional-records-management-practices/.
45. Microsoft Office, Get the Most from Microsoft Office, accessed October 12, 2017,
https://products.office.com/en-us/business/get-office-365-for-your-business-with-latest-2016
-apps?&WT.srch=1&wt.mc_id=AID623587_SEM_udcTpKDH.
46. Patricia Franks, et al., “Retention and Disposition in a Cloud Environment, Final Report,”
May 17, 2016, InterPARES Trust, 15. https://interparestrust.org/assets/public/dissemination/
NA06_20160902_RetentionDispositionInCloud_FinalReport_Final.pdf.
47. Andrew Warland, “Office 365—New Data Governance and Records Retention Management
Features,” blog post, October 7, 2017, https://andrewwarland.wordpress.com/2017/10/07/
office-365-new-data-governance-and-records-retention-management-features/.
48. State Records Authority of New South Wales, “Effectively Manage the Migration of Your Digital
Records (Guideline 22),” revised February 2015, https://www.records.nsw.gov.au/recordkeeping/
advice/effectively-manage-digital-records-migration.
49. Charles McLellan, ““IT Budgets 2016: Surveys, Software and Services, ZDNet,” October 1, 2015,
www.zdnet.com/article/it-budgets-2016-surveys-software-and-services/.
 CHAPTER 7

Developing and Emerging

Technologies and Records
Management

INTRODUCTION

Each year, analysts, futurists, and others attempt to identify the technologies most likely
to alter industries, fields of research, and even the way we live. Many of those emerging
technologies will impact the way records and information are created, stored, used, disposed
of, and preserved. Some of the predictions made, if they materialize, will change the way we
answer such questions as:

• What is a record?
• How can we capture it?
• How can we preserve it?

Recordkeepers must consult a variety of sources to stay abreast of emerging technologies and
trends. Emerging technologies are “new technologies that are currently developing or will
be developed over the next five to ten years, and which will substantially alter the business
and social environment. These include information technology, wireless data communica-
tion, man-machine communication, on-demand printing, biotechnologies, and advanced
robotics.”1 It is important to keep in mind that emerging technologies are not only technol-
ogies that have not yet been introduced to the consumer market but also those that have
been introduced and are in the process of refinement while in use—those are referred to as
developing technologies in this work.

DEVELOPING TECHNOLOGIES:
SOCIAL MEDIA

In the first edition of this book, social media was considered an emerging technology. Today,
most of us can identify at least one tool we use in our everyday lives from those included in
figure 7.1. Because of the speed at which social media is evolving, social media is considered
a developing technology still worthy of consideration in this chapter.

/ 187 /
18 8 / CH AP T ER 7

FIGURE 7.1 Social Media Landscape 2017.

SOURCE: FredCavazza.net, CC 4.0, https://creativecommons.org/licenses/by/4.0/.

SOCIAL MEDIA AND RECORDS MANAGEMENT

The term social media record is being used in this instance to represent all records posted
to, created through, or residing in social media technologies. Many of these records could
potentially be classified under existing series titles, such as electronic communications or
press releases. If the content represents a new record series, the records retention schedule
must be updated.
Social media records can reside in social media technology hosted by third-party pro-
viders or hosted by the organization itself. Social media technology hosted by the organi-
zation provides a greater degree of control over the content and is ideal for projects that
don’t require participation by the general public or that require high levels of security. When
the intent of the social media initiative is outreach to the public, the use of popular social
networks hosted by third parties is the best approach.
In the early days of social media use, those responsible for records management often
learned about social media initiatives after they had been implemented. This was the case
within the executive branch of the US federal government in January 2009 when President
Obama directed all federal agencies to create an environment of openness and transparen-
cy. Soon after, social media teams were formed and social media outreach initiatives were
launched. These employees were the innovators and early adopters who paved the way for
the rest of the government agencies.
In October 2010, the US National Archives and Records Administration (NARA) pub-
lished “NARA Bulletin 2011-02: Guidance on Managing Records in Web 2.0/Social Media
 DE V ELOPI NG AN D E M E R G I N G TE C H N O LOG I E S AN D R E C O R DS MAN AG E M E N T / 18 9

Platforms.”2 That same month a study was released by the IBM Center for the Business of
Government titled “How Federal Agencies Can Effectively Manage Records Created Us-
ing New Social Media Tools.”3 In March 2011, the American Council for Technology and
Industry Advisory Council, a nonprofit public-private partnership dedicated to improving
government through the application of information technology, identified the following
challenges presented by emerging technologies:

• identification of a record
• capture of the record
• retention of the record
• scheduling/distribution/disposition of the record
• staffing and education (for employees, including executives)4

These challenges are like the challenges recordkeepers faced before social media, and the
recommended actions remain the same:

• updating RIM policy “before” using social networks

• updating the RIM training course
• defining and applying strict access controls
• defining a record and determining its status
• developing and applying a comprehensive records retention schedule

Although the responsibilities remain the same, the policies and practices must be adjusted.
The 2016 Records Management Self-Assessment Report completed by 257 federal agen-
cies revealed that after email management, information generated through electronic com-
munication was their biggest challenge. Only 56 percent (143 of 256) of agencies reported
having documented and approved policies and procedures in place to manage electronic
messages (including text, chat/instant, and voice), as well as messages created in social me-
dia tools or applications, and only 30 percent of agencies had approved records schedules to
cover the same types of electronic messages.5

Identifying Social Media Records

According to Arian Ravanbakhsh, Supervisory Records Management Policy Analyst in the

Office of the Chief Records Officer at NARA, “Social media content and electronic messages
related to the conduct of agency business are presumed to be Federal Records.”6 “NARA
Bulletin 2011-02” contains a non-exhaustive list of questions that employees can use to help
determine record status.7 The list provided here uses the term organization for the term
agency in the original list.

• Is the information unique and not available anywhere else?

• Does it contain evidence of the organization’s policies,
business mission, etc.?
• Is this tool being used in relation to the organization’s work?
• Is the use of the tool authorized by the organization?
• Is there a business need for the information?
19 0 / CH AP T ER 7

Additional guidance is provided in the following documents:

• NARA Bulletin 2014-02: Guidance on Managing Social Media Records

• NARA Bulletin 2015-02: Guidance on Managing Electronic Messages

NARA Bulletin 2014-02 reminds agencies that content created on social media platforms,
including Twitter, is likely to be a federal record. Content posted to third-party sites must
be captured and managed according to the agency’s policy. Some may be temporary records
that have transitory, short-term, or long-term retention requirements, but others may be
permanent records requiring eventual transfer to NARA for preservation.8
NARA Bulletin 2015-02 applies to text messaging, chat/instant messaging, direct mes-
saging functionality in social media tools or applications, voice messaging, and similar
forms of electronic messaging systems. These messages must also be scheduled for disposi-
tion based on the author and content. As with email, electronic records created or received
in a personal account but which meet the definition of a federal record must be forwarded
to an official messaging account within twenty days.9
Even when social media content does not rise to the level of a record according to the
definition in use, the organization may still be responsible for managing the non-record
content. For example, an organization may consider a social networking profile a record
but consider comments non-records. That decision will have an impact on what must be
retained according to the records retention schedule. It does not, however, absolve the orga-
nization from monitoring and evaluating the comments. Security and privacy risks emerge,
for example, through posts that reveal trade secrets or those that violate company policy.

Understanding the Origin of Social Media Records

The New York State Archives offers three models for managing the development of content
for social media sites based on an organization’s desire for control and appetite for risk: (1)
the Centralized Approach with strict controls and low risk, (2) the Decentralized Approach
with control distributed to units of the organization and moderate risk, and (3) the Lais-
sez-Faire Approach with no internal controls resulting in high risk.10 The last approach is
the most troublesome for the organization and should be remedied as quickly as possible.
Although a centralized approach is the least risky (other than not engaging in social media
at all, which is not an option), in larger organizations, the decentralized approach may make
the most sense. For example, more than 200 employees of NARA contributed to 130 social
media accounts on 14 different platforms, generating over 250 million views in 2015.11
In a recent study of the use of social media by twenty local governments—ten in the
United States and ten in Canada—the communications or public relations department
most often managed social media. As one public relations manager explained, “social media
has the same value implication as a press release, and we need to select the staff as we would
any other media spokesperson so that they are approved and then equipped for success.”12
Although it is possible to submit content to social media sites manually, there are tools
that can automate the process regardless of the number of accounts managed. HootSuite
provides a dashboard that allows the user to add accounts, schedule posts across major plat-
forms, and add account managers.13 HootSuite’s real-time analytics makes it easy to spot
trends and drill down for insights into how the social content is performing.
 DE V ELOPI NG AN D E M E R G I N G TE C H N O LOG I E S AN D R E C O R DS MAN AG E M E N T / 191

Capturing Social Media Records

The methods used for the development of content for social media sites have a direct bear-
ing on the methods that could be used to capture social media records. Capture meth-
ods also depend on the social media technology and the tools available to the organization.
NARA Bulletin 2014-02 suggests the following options—some also suitable for capturing
website records:

• using web crawling or other software to create local versions of sites;

• using web capture tools to capture social media;
• using platform specific application programming interfaces (APIs) to pull
content;
• using RSS Feeds, aggregators, or manual methods to capture content; and
• using tools built into some social media platforms to export content.14

To this list we should add using social media archiving and compliance services.
We will now analyze the content contained within three popular social media tech-
nologies—blogs, microblogs, and social networking sites—to consider alternate methods to
capture content from two different perspectives, the federal government and the finance
industry.
The methods used to determine how best to manage content today can also be applied
to technologies, tools, and services not yet in existence.

Blogs, Microblogs, and Social Networking Sites

Blogs

Blogs contain only four significant sections: the header, the content area, the footer, and the
sidebar. Organizations that allow comments can delete those that are deemed unacceptable
(backed by a policy explaining what is unacceptable). An archive may be maintained for
public access. Blog content is fairly simple to capture, because content is created and then
uploaded and comments are not necessarily considered records. Here are several options:

• If the blog does not contain comments, the blog posts can be captured and
saved to a content management system before they are uploaded to the site.
• If the blog contains comments, an RSS feed can be used to capture
comments and forward them to the organization. Some organizations use
a sampling technique to capture some but not all the comments made by
visitors to the blog.
• If the entire blog, not individual posts, rises to the level of a record, the
entire blog site can be captured in the same way a website is captured.
For example, content can be harvested using Archive-It and hosted at the
Internet Archive data center for public access.
• If the blog is to be retained by the organization—as is the case with the
National Library of France—robots, or bots, can be used to carry out bulk
harvesting to capture a blog at specific points in time.
192 / CH AP T ER 7

Today blogs are often used as websites, with 91 percent of all blogs and 62 percent of the
blogs of the top fastest growing companies running on WordPress.15 WordPress allows
administrators to export the content of their blogs to an XML file or export directly to a
new WordPress site. Options are available to export All, Posts, Pages, or Feedback. For those
who want to transfer to another blog site but don’t want to transfer themselves, a Guided
Transfer Option is available for a fee.

Microblogs

Twitter has become synonymous with the term microblog. Tweets can be posted in a num-
ber of ways, including by email, text messaging, instant messaging, through the Twitter
website, or by using a social media management tool with a dashboard. One of the easiest
ways for an individual to archive tweets is by grabbing the RSS feed for the tweet stream of
choice and then adding it to a preferred RSS reader, such as Feedly or NewsBlur. Instagram
and Tumblr are also considered microblogs.
Enterprise microblogs are business tools that enable users to communicate, collabo-
rate, and share files with those who are provided access to the network. Two prominent
enterprise social networking tools that began as microblogs are Salesforce Chatter and Mi-
crosoft’s Yammer. These enterprise social networks can be used as desktop or mobile appli-
cations or through integration with business applications.
Salesforce Chatter is marketed as the #1 Enterprise social network. It can be extend-
ed to allow customer social networks. Users can follow people or records (accounts, cases,
opportunities, etc.). Application data (e.g., Microsoft Office documents, PDFs, and image
files) can be previewed in the user’s Chatter feed. Chatter posts, including those posted
from Chatter Mobile, are stored forever unless deleted by an administrator or user. Apps
are available to extend the functionality. One app, Chatter Compliance, allows system ad-
ministrators to archive and search Chatter posts, comments, and private messages. Anoth-
er app, Archiver For Chatter, accomplishes compliance with FINRA, SEC, and HIPAA by
sending a copy of the post and related content to the journaling mailbox specified for long-
term retention.
Chatter can be integrated with other applications. For example, customers who use
Salesforce Customer Relationship Management can integrate an app called Shipmate for
UPS by Zenkraft to prepare shipments and print labels using data in Salesforce CRM. Ship-
mate is “made social” by integrating with Chatter to track shipments to customers without
having the tracking number or logging into a separate system.
Yammer Basic is available for free if you register with a valid company email account.
One fee-based version allows access to both the enterprise social network and SharePoint
Online. The enterprise version provides administrative features that include customization
of the network, user management, security tools, and keyword monitoring. Administra-
tors can export data for legal and regulatory compliance and lock down content as final to
prevent editing and new versions. Files and notes can be marked as official and read-only.
Those files and notes most actively shared, commented on, viewed, or marked as official
appear higher in search results and content directories.

Social Networking Sites

You were introduced to Facebook and LinkedIn earlier. Facebook provides the option to
Download a copy of your Facebook data at the bottom of General Account Settings. The user can
 DE V ELOPI NG AN D E M E R G I N G TE C H N O LOG I E S AN D R E C O R DS MAN AG E M E N T / 19 3

instruct Facebook to create an archive of photos, posts, messages, and other information.16
An expanded archive can also be downloaded that includes historic information such as the
mobile phone numbers added to the account, a list of log-ins stored for the account (which
is not complete), and the IP addresses from which the user logged out. It even includes facial
recognition data—a unique number based on a comparison of the photos in which you’re
tagged. Facebook uses this data to help others tag you in photos.
The process of downloading data from Facebook is time-consuming. Persons must use
their ID and password to log in and request the download. When the data are archived, an
email is sent to the address on the account for confirmation. This process only provides data
up to a specific time, so if this method is used, a regular schedule should be developed and
adhered to.
LinkedIn’s user agreement contains the following statements: “Both you and LinkedIn
may terminate the Agreement and your account for any reason or no reason at any time,
with or without notice.”17 LinkedIn allows users to download an archive of their data in two
stages. Within minutes of making a request, an email is sent with a link to a page where mes-
sages, connections, and contacts can be downloaded. Within twenty-four hours, a second
email is sent containing a link to a page from which the full archive, including activity and
account history, can be downloaded.
As illustrated by these two examples, if an organization chose to download its own data
from Facebook and LinkedIn, a great deal of time would be required.
Two approaches to manage social media records are discussed next, one practiced by the
Executive Office of the President of the United States and another recommended for mem-
bers of the finance industry. They illustrate approaches that are dependent upon a number
of factors, including governing regulations.

Executive Office of the President

President Barack Obama was known as the “first social media president.” Between 2009
and 2017, the Office of the President rolled out a revamped WhiteHouse.gov site featuring a
blog, RSS, and an email list. From 2009, the Office of the President communicated with the
public through social media accounts including Facebook, Flickr, Vimeo, iTunes, MySpace,
Instagram, Snapchat, and Twitter.18 As with other presidential records, the content of these
sites belong to the public. The digital transformation process upon the end of the Obama
presidency and the start of the Trump presidency had to address three issues: transfer of
the accounts to the incoming president, transfer of social media content to NARA, and
making the content accessible to the public. Before President Donald J. Trump took office,
the following are just some of the actions taken:

• @POTUS, with its 11 million followers but no tweets on the time line, was
made available for use by President Trump on January 20, 2017.
• @POTUS44 was created to retain the tweets on Twitter as an accessible
archive of President Obama’s use of Twitter (see figure 7.2).
• President Obama’s tweets were also transferred to NARA to be preserved
and made accessible alongside other presidential records.
• An Obama White House Instagram account was created as an accessible
archive at https://www.instagram.com/ObamaWhiteHouse/.
• An accessible archive of the Obama White House Facebook page was
created at https://www.facebook.com/ObamaWhiteHouse.
19 4 / CH AP T ER 7

• The Facebook and Instagram accounts were renamed to “44” user names
and preserved by NARA.

A similar process was planned for other social media accounts including YouTube and
Tumblr.19
ArchiveSocial developed The Obama White House Social Media Archive, shown in figure
7.3, to allow the pubic to query the content of all White House social media platforms at once.
Visit the fully searchable Social Media Archive to examine 250,000 social media records
from more than 100 official White House social media profiles. Among them are the White
House Facebook page, the First Lady’s Instagram feed, and the @POTUS Twitter time line.

The Finance Industry

The finance industry utilizes blogs, microblogs, and social networking sites to reach out to
current and prospective clients. Here, too, we can look to laws and regulations to provide
guidance.
The Finance Industry Regulatory Authority (FINRA) was established to protect Amer-
ican investors by making sure the securities industry operates fairly and honestly. FINRA
oversees nearly 3,800 broker dealer firms with approximately 634,000 brokers. FINRA has
been providing guidance to its members about social media communications since it issued
Regulatory Notice 10-06 in 2010 followed by Regulatory Notice 11-39 in 2011. Both notices
made it clear that “every firm that intends to communicate, or permit its associated persons
to communicate, through social media sites must first ensure that it can retain records of
those communications as required by Rules 17a-3 and 17a-4 under the Securities and Ex-
change Act of 1934 and NASD Rule 3110.”20 Firms were instructed to retain all social media
activities for not less than three years, the first two in an easily accessible place.21

FIGURE 7.2 Accessible archive on Twitter for President Barack Obama.

SOURCE: https://twitter.com/potus44?lang=en.
 DE V ELOPI NG AN D E M E R G I N G TE C H N O LOG I E S AN D R E C O R DS MAN AG E M E N T / 195

The treatment of blogs and social networking sites such as Facebook, Twitter, and
LinkedIn under FINRA Rule 2210 depends on whether the content is static or dynamic.22
Static blog posts, for example, constitute advertisements and require approval prior to post-
ing. If the blog allowed users to engage in real-time interactive communications, the blog is
considered an interactive electronic forum, and the contents do not need preapproval. Stat-
ic content on social networking sites needed preapproval, but dynamic content on those
same sites does not. According to FINRA, third-party posts are not records unless endorsed
by a representative of the firm. Actions have consequences. Do not favorite or like third-par-
ty posts and be careful of retweets.
FINRA Regulatory Notice 12-29,23 with an effective date of February 4, 2013, reduced
the number of communication categories from six to three: institutional communication
(distributed only to institutional investors), retail communication (distributed or made avail-
able to more than twenty-five retail investors within any thirty calendar-day period), and
correspondence (distributed or made available to twenty-five or fewer retail investors with-
in any thirty-day calendar period). Social media communications fall under the retail com-
munication category and they:

• are exempt from pre-use approval requirements (no approval needed before
posting);
• must be managed “after” posting;
• must comply with NASD Rule 2210(b)(4)(A) concerning recordkeeping
requirements; and
• must be retained for a period of three years (two years on the premises).

In 2014, FINRA conducted a review of its communication rules. Several issues were raised
by survey participants including the need for additional guidance on how to distinguish

FIGURE 7.3 Social Media Archive captured and managed by ArchiveSocial.

SOURCE: https://archivesocial.com/whitehouse/.
19 6 / CH AP T ER 7

between static and interactive content and clarification of rules applied to web, social
media, and mobile content.24 As a result of the review, Regulatory Notice 17-18, “Social
Media and Digital Communications,” was released in April 2017. Illustrating the evolving
nature of communication technology, the following guidance was provided related to text
messaging:

Every firm that intends to communicate, or permit its associated persons to communi-
cate, with regard to its business through a text messaging app or chat service must first
ensure that it can retain records of those communications as required by SEC Rules
17a-3 and 17a-4 and FINRA Rule 4511. SEC and FINRA rules require that, for record
retention purposes, the content of the communication determines what must be re-
tained.25

When it comes to FINRA rules and guidance, there is no fresh start—each builds upon or
modifies previous instructions. Keeping up with the changes to ensure the firm under-
stands what it must do to be in compliance is a time-consuming task. Ensuring com-
pliance is an added challenge. You’ve already been introduced to several services that
provide archiving solutions for financial advisors—including Smarsh and ArchiveSocial.
Another, GlobalRelay, was designed specifically to meet the recordkeeping and compli-
ance requirements of the financial industry put in place by the Security and Exchange
Commission (SEC), the Financial Industry Regulatory Authority (FINRA), and the Fed-
eral Rules of Civil Procedure (FRCP). It captures and archives an authentic and complete
record of more than forty-five data types including social media, instant messages, and
mobile messages.26

Records Scheduling Challenges and Solutions

Some social media records can be considered duplicate records. This can easily be under-
stood in the case of a video created in-house and uploaded to YouTube. The original is often
stored within the enterprise in its native format and the version posted to the social media
site is considered a copy. In a traditional paper-based world, a copy is assigned a shorter
retention period than the original. The copy is destroyed based upon the retention sched-
ule. In reality, once a digital object is shared through the use of a social media, it is unreal-
istic to believe that all copies can be disposed of according to a retention schedule. Although
an enterprise may have a terms of service agreement that allows it to close an account and
remove the content, due to the viral nature of social networking, it is extremely likely that
copies will exist that cannot be located and destroyed.
Once records are captured into an enterprise content management, records manage-
ment system, or other digital repository, records retention requirements can be applied.
The granular nature of retention schedules designed for paper-based records poses a prob-
lem to those attempting to manage records created by social media technologies and pro-
vides additional support for the big buckets approach to records retention introduced in
chapter 4.
Automated solutions are the best option to records identification, capture, and sched-
uling for organizations large and small, public and private. Unfortunately, some organiza-
tions continue to place the ultimate responsibility for records management decisions on
the creators of the records, and mistakes are made. To protect the organization and its em-
ployees, social media policies are needed.
 DE V ELOPI NG AN D E M E R G I N G TE C H N O LOG I E S AN D R E C O R DS MAN AG E M E N T / 197

Social Media Policy Development

Policies are high-level plans that embrace the general goals and acceptable procedures of an
organization. They are established to document a definite course or method of action. Most
firms have more than one policy—such as those for records management and electronic
communication.
The social media policy may start out simple if the organization is in the early stages
of embracing social media technology. It will grow as the company becomes more deeply or
broadly engaged. The policies will contain general guidelines governing employee behavior
as well as more specific information related to social media technologies used by the or-
ganization. All stakeholders, including information technology, business units, human re-
sources, records management, marketing, and compliance, must be involved in developing
the policy. Some organizations have social media teams. Members of this team can form
the core of the social media policy development committee. A number of organizations
have posted their social media policies online. For example, IBM published the “IBM Social
Computing Guidelines” for blogs, wikis, social networks, virtual worlds, and social media
online on its website.27 The Social Media Governance website hosts a database with links
to almost 200 social media policies.28 Review some of these before beginning to write your
own social media policy.

General Social Media Policy Contents

The social media policy should address security, privacy, and communications issues, as
well as records management. At a minimum, include the following general information:

• Specify who is authorized to represent the organization in social media (e.g.,

representatives from marketing or communications).
• Encourage employees to include a standard disclaimer when publishing
content that makes clear that the views shared are representative of the
employee and not necessarily of the organization.
• Specify who is authorized to create social media accounts for your
organization and/or provide an online form to allow an employee to apply
for one or more social media accounts.
• Clarify the content of messages to be shared through social media on
behalf of the organization; for example, sharing of personal messages on
organization social media sites may be prohibited.
• Specify the criteria to be followed before implementing a new social media
initiative to obtain approval that will guarantee the resources needed to
ensure success.
• Include a reference to your organization’s records management policy
within the social media policy.

Social Media Strategy

The use of social media and other electronic communication tools is now an integral part
of every organization’s daily operations. To take advantage of the benefits and minimize
the risks, a strategy should be developed, implemented, reviewed, and revised. Employees
at NARA were pioneers in adopting the use of social media for themselves and provided
19 8 / CH AP T ER 7

guidance to other federal agencies. NARA’s Social Media Strategy for Fiscal Years 2017–
2020 identifies four main goals: Tell Great Stories; Deepen Engagement; Grow Our Audi-
ence; and Cultivate a Community of Practice.29 All strategies and actions are designed to
help NARA reach those goals. Equally important is the inclusion of metrics in the form of
“data in action” to help the agency provide content of value and interest to the public. It is
important to collect not only statistics that reveal how many people were reached and who
they are, but also what actions they took as a result of visiting the site, such as commenting,
sharing, liking, replying. Beyond the number of comments, the NARA metrics look at the
kinds of comments—what is the sentiment of the reaction exhibited by visitors to the site?

Integration with the Electronic Content/Records Management System

Leaders of large companies acknowledge the fact that there will never be one repository for all
content. That means, for content to be managed by a records management system, a connection
must be made from different source systems. Let’s look at one example.

Enterprise Social Media and Electronic Records Management

We’ll use Salesforce Chatter, discussed previously, to demonstrate one potential solution to
apply records management control to data created in the clouds.
Salesforce is the leader in CRM cloud services. Chatter is built on the Force.com plat-
form that also enables the CRM software. Chatter feeds are stored permanently unless de-
leted by an administrator or user. The Salesforce customer who has records from both busi-
ness transactions and social interactions that must be managed can store those records in
an electronic content management system like Open Text’s Extended ECM for Salesforce,
which possesses the following capabilities: Document Management, Records Management,
Capture, Archiving, Workflow, and Collaboration.30
This example specifies specific products, but the process used to determine the solution
is the important lesson. As a records manager, you will need to understand transaction and
social systems and then conduct some research in order to determine the best content/
records management solution.

Public Social Media and Electronic Records Management

The best approach to capturing content is to employ an automatic archiving solution.
Recently, a number of social media archiving solutions for business compliance and records
management have come on the market. Two examples already mentioned are ArchiveSocial
and Smarsh.
The ArchiveSocial system is entirely web-based and archives data from social network-
ing platforms including Facebook, LinkedIn, Twitter, Instagram, YouTube, Vimeo, Flickr,
Pinterest, and Google+. ArchiveSocial features a sophisticated search interface for filtering
social media content and generating PDF exports of the entire social media conversation
surrounding the key words searched (see figure 7.4). Records can be viewed in their original
context with the Social Media Replay feature, and changes over time (e.g., edits, deletions,
hidden content) can be viewed using Version History. ArchiveSocial maintains the native
format of each record with metadata. A time-stamped digital signature applied to each indi-
vidual record establishes proof of authenticity when providing electronic records as evidence
 DE V ELOPI NG AN D E M E R G I N G TE C H N O LOG I E S AN D R E C O R DS MAN AG E M E N T / 199

in response to an e-discovery request. Government agencies, faced with a growing number

of Freedom of Information requests, can simplify search and retrieval of requested public
records using this solution.
Smarsh is an SaaS firm that provides hosted archiving and compliance solutions for
archiving electronic communications, including email, instant messaging, and social me-
dia platforms (e.g., Facebook, LinkedIn, and Twitter). Captured content is preserved in re-
dundant, geographically dispersed data centers and burned to WORM optical storage. The
content is accessible via a web-based management console, and it is possible to track the
entire thread of social media posts from multiple individuals, providing context to the con-
versation. Records are retained according to the organization’s retention policies, including
legal holds. Administrators can retrieve as many messages as necessary in original form
on demand. They can download content to a PC or portable media device, or export it for
e-discovery in the electronic discovery reference model (EDRM) XML interchange format
schema and transfer it to document review and processing systems. Part of this service is
delivery of monthly copies of data on encrypted DVDs. Integration with enterprise social
collaboration tools is possible.
These examples are provided to help you understand the logic behind developing rec-
ords management solutions for records created through the use of social media. By the time

FIGURE 7.4 ArchiveSocial interface showing Facebook page posts

and underlying metadata.
SOURCE: Courtesy of ArchiveSocial, http://archivesocial.com/.
200 / CH AP T ER 7

you read this, the landscape will have changed dramatically. But what will still be important
is that you are prepared to investigate and understand solutions that will help you manage
your organization’s records and information. A similar thought process can be applied to
new emerging technologies demanding attention from records and information managers.
How do we know what they are? The next section provides some suggestions.

DIFFUSION OF INNOVATION AND TREND SPOTTING

As we experienced with the evolution of social media, emerging technology will always
require updates and adjustments to records management practices. Records and informa-
tion managers must not only deal with what is but must also be prepared for what will be.
This is not an easy task but one that can be accomplished by identifying emerging tech-
nologies, monitoring their adoption rate, and evaluating their potential impact on the RIM
program.

Diffusion of Innovation

Individuals, and even entire organizations, can be categorized according to their willing-
ness to adopt emerging technologies. The diffusion of innovation model shown in figure 7.5
plots the spread of a new idea or technology over time among members of a social system.
Records and information managers must learn how to work with members of each category.
The characteristics of members of each category and ways in which records managers
might interact with them follow:

• Innovators: The adoption process begins with a small number of visionary,

imaginative, well-informed risk-takers who are willing to try an unproven
product. Innovators represent the first 2.5 percent to adopt the product.
Records managers should become their first followers. Keep an eye on their
ideas and projects.

FIGURE 7.5 Diffusion of innovation based on categories of adopters.

SOURCE: Wikipedia, s.v. “Innovation Adoption Lifecycle,” by Everett Rogers, last modified December 30, 2011,
https://upload.wikimedia.org/wikipedia/en/archive/4/45/20110714211709%21DiffusionOfInnovation.png.
 DE V ELOPI NG AN D E M E R G I N G TE C H N O LOG I E S AN D R E C O R DS MAN AG E M E N T / 201

• Early adopters: Once benefits begin to become apparent based on the

positive response of innovators, early adopters begin to purchase the
product or subscribe to the service. Early adopters tend to be educated
opinion leaders and represent about 13.5 percent of consumers. Records
managers should foster relationships with this group and offer to assist
them to identify and resolve records management challenges. They enjoy
talking about their initiatives and welcome the opportunity to be part of a
pilot records management project.
• Early majority: Members of this group are careful and tend to avoid risk.
The early majority adopts the product once it has been proven by the early
adopters. They rely on recommendations from others who have experience
with the product or initiative. They look for simple, proven, better ways
of doing what they already do. The early majority represents 34 percent
of consumers. Records managers should be prepared to provide rationale
and guidance to this group in managing records created using emerging
technologies.
• Late majority: Members of this group are conservative pragmatists who
avoid risk. They are somewhat skeptical and will acquire a product or
subscribe to a service only after it has become commonplace. The late
majority represents about 34 percent of consumers. In the product world,
their only fear is of not fitting in; this carries over to the workplace.
Records managers should be prepared to provide concrete examples of
how the members of the previously described categories address records
management considerations surrounding emerging technology and the
benefits they derive from doing so.
• Laggards: Laggards hold on to the status quo as long as possible. They
avoid change and may not adopt a new product or service until traditional
alternatives no longer are available. Laggards represent about 16 percent of
consumers. Records managers should be prepared to address their criticisms
and provide as much information as possible about the new products or
procedures. Like the late majority, they should see examples of how others
have successfully adopted the innovation. They may need to be granted a
great deal of control over when, where, how, and whether they will modify
their behavior to manage records resulting from new technology.

Trend Spotting

Those responsible for records management within an organization should scan the environ-
ment to spot emerging technologies and trends that may impact RIM in the future.

Learn to Trend-Spot
Trend spotters identify changes taking place in both the short term and long term and
share stories about the value of the change in order to influence others to adopt that change.
Trend spotting is an industry, and expert trend spotters (e.g., forecasters and futurists) can be
employed to help an organization understand both tangible (e.g., smartphones) and intan-
gible (e.g., expectations) trends.
202 / CH AP T ER 7

You can spot trends yourself by using these approaches:

• Listen to others around you. Identify the innovators and early adopters in
your organization. Get involved in innovative projects to experience change
yourself.
• Listen and learn from those outside of your organization. Attend
conferences and trade shows, speak to colleagues, and understand what is
important to them before you see it in print.
• Watch/read/browse journals, newspapers, and the internet. Learn what is
happening with emerging technologies, in records management and related
fields, and in the industry in which your organization operates.
• Look more broadly at other industries that may impact your own.
• Use software and/or services for spotting trends. Search the internet for
trend-spotting software and services.

Trend-Spotting Service: Google Trends

Google Trends is a free online service that allows a search of one or multiple terms to deter-
mine the world’s interest in topics of your choice (www.google.com/trends/). You can search
in real time (a feature added in 2016) to get the results of a random sample of searchers over
the last seven days or in non-real time. The non-real time search provides another random
sample of the full Google dataset that can go back anywhere from 2004 to approximately
thirty-six hours ago.
You can compare results for five different topics at one time. The results are plotted
on a line graph showing interest over time and they are plotted on a map chart to indicate
interest by region. Queries related to the search terms are also presented.
A search on three key terms—social media, cloud computing, and artificial intelli-
gence—between 2004 and 2017 clearly shows an increasing interest in social media; howev-
er, interest in cloud computing peaked in 2011 and has trended downward since then (see
figure 7.6). The data on cloud computing reinforces a 2011 prediction by International Data
Corporation (IDC), that cloud computing as a buzzword will decrease as the use of cloud ser-
vices becomes part of the mainstream.31 What some may find surprising is that the current
increased interest in artificial intelligence has not yet brought that search term in line with
the interest expressed in January of 2004.

Journals and Research Firms

A number of analysts and research firms provide information on technologies and trends
that you will find useful. A description of three of those resources—MIT Technology Review,
International IDC, and Gartner—as well as examples of recent predictions, follow. Note the
references to different groups along the diffusion of innovation curve shown in figure 7.1 in
their predictions.
The MIT Technology Review, published by the Massachusetts Institute of Technology
(MIT), identifies emerging technologies and analyzes their impact for technology lead-
ers, business leaders, and researchers who create and fund the innovations that drive the
global economy. MIT Technology Review is “a global community of business and thought
leaders, innovators and early adopters, entrepreneurs and investors, as well as all of MIT’s
alumni.”32
 DE V ELOPI NG AN D E M E R G I N G TE C H N O LOG I E S AN D R E C O R DS MAN AG E M E N T / 203

Don’t limit yourself to monitoring trends within your own industry. Advances in an-
other industry may have a significant impact on your work in the future.
On the May 2017 list of ten breakthrough technologies are those that can help fight can-
cer, reverse paralysis, and create cheap and continuous power. One device that appeals to
individuals wishing to capture a 360-degree record of their experiences is the “360-degree
selfie.” Although it has been possible to record 360-degree photos and videos for some time,
the process was time-consuming and expensive. Today, several cameras, such as the ALLie
Camera that retails for less than $500, support fast stitching (to produce the 360 degree ef-
fect) and live-streaming to share what is recorded. Journalists from various news outlets use
similar cameras (e.g., the Samsung Gear 360) to produce spherical photos and videos that
document events such as hurricanes and visits to refugee camps.33
Let’s consider this particular innovation—360-degree selfie cameras—in terms of rela-
tionship to law enforcement and RIM. In the United States, police officers are required to
file reports of incidents, crimes, arrests, and accidents investigated. The reports describe
what was done, what was not done, and why. They may include a description of sounds,
bloodstains, statements, demeanor of witnesses, and more. The majority of these are con-
sidered public records, which can be read by insurance companies, attorneys, journalists,
and other interested parties. In many cases, dash cams on police vehicles provide an unbi-
ased view of the event that occurs in front of the dash cam. A growing number of localities
across the nation are beginning to allocate funding for body cams that, again, allow us to
view what is directly in front of the officer. But that is not the complete picture. Often,
what is occurring directly around the immediate environment is also important and should

FIGURE 7.6 Results of a Google Trends search on three topics:

Cloud computing, social media, and artificial intelligence.
204 / CH AP T ER 7

be part of the record; 360-degree recordings would expand the picture to provide this ad-
ditional information. What may be surprising to some is that police officers often write
up their reports without being able to view the video first. That, too, is slowly changing. In
March 2017, a House committee voted 17–0 to allow police officers in Tallahassee, Florida,
to view the footage from their body cameras before submitting reports or responding to
complaints.34
IDC is a provider of market intelligence, advisory services, and events for the infor-
mation technology and telecommunications markets. More than a decade ago, IDC began
documenting the emergence and evolution of the third platform, which is built on cloud,
mobile, Big Data/analytics, and social technologies. Adoption of these technologies has
prompted a digital transformation that, according to Frank Gens, Senior Vice President and
Chief Analyst at IDC, has resulted in a shift in digital transformation efforts from “project”
or “initiative” status to strategic business imperative.35
Emerging technologies may be considered disruptive technologies, a term coined by
Clayton M. Christensen in 1995 to describe a new, emerging technology that replaces an
established one. By 2003, Christensen had replaced the term disruptive technology with the
term disruptive innovation to broaden the concept to include the strategy or business mod-
el that the technology enables that creates the disruptive impact.36 Traditional examples of
disruptive innovations (also termed disruptive technologies by some) are the automobile
and the computer. More recent examples are the Internet of Things and blockchain tech-
nology. Innovative accelerators are used to advance (kick start) disruptive innovation initia-
tives. According to IDC, nearly 75 percent of IT spending by 2019 will be for third platform
core technologies and services, as well as innovation accelerators such as cognitive/artificial
intelligence (AI) systems, augmented reality/virtual reality (AR/VR), and next-generation
security.37
Gartner, an information technology research and advisory company, published the
Gartner Hype Cycle for Emerging Technologies 2017 (figure 7.7). Not all innovation will be
adopted quickly—note the more than ten-year time frame for smart dust (extremely small
computing particles, sensors, robots, RFID chips, or other very small technologies that can
be sprayed on, ingested, or injected), 4-D printing (of objects that can change shape or trans-
form over time), and autonomous vehicles.
Whenever you come across something new, even if it is in an unrelated field, ask your-
self these types of questions: Could this technology be applied within my place of employ-
ment? If so, are records being created? Where do they reside? How can/will they be used?
How long must they be retained?

EMERGING TECHNOLOGIES

According to Gartner, Artificial General Intelligence is going to become pervasive during

the next decade, becoming the foundation of AI as a Service (AIaaS). Other emerging tech-
nologies to monitor include: 4D Printing, Autonomous Vehicles, Brain-Computer Inter-
faces, Human Augmentation, Quantum Computing, Smart Dust, and Volumetric Displays.38
Throughout this book, you’ll come across references to some of these technologies includ-
ing machine learning, augmented reality, and virtual reality. For now, let us look at three
types of emerging technologies—autonomous vehicles, the Internet of Things platform, and
blockchain technology —to see if and how they might impact records and information man-
agement.
 DE V ELOPI NG AN D E M E R G I N G TE C H N O LOG I E S AN D R E C O R DS MAN AG E M E N T / 205

Autonomous Vehicles

Billionaire tech investor Jim Breyer predicts artificial intelligence (AI) will be five to ten
times bigger than the social media market, especially when AI’s self-learning capabilities are
applied to the healthcare and finance fields.39 However, one exciting application of AI that
might be relevant to the majority of us is autonomous vehicles (i.e., smart cars).
Smart cars learn to drive as humans do—by looking at the road ahead and making deci-
sions. Also like humans, they learn from their mistakes. Google is developing an algorithm
to allow cars to learn to drive—expect that release in 2020. Tesla’s smart cars have been on
the road for a few years now, but the autopilot system is not yet fully functional.
What does this have to do with records management or information governance? Quite
a bit! Because intelligent systems in smart cars can respond to voice comments, it is con-
ceivable for them to record all conversations taking place in the vehicle. In the case of an
accident between two vehicles, both vehicles could immediately send accident information
to law enforcement and emergency responders. Included among the data gathered may be
facial images of those inside or outside of the vehicle; facial recognition can be employed to
identify those involved.

FIGURE 7.7 Gartner’s Hype Cycle for Emerging Technologies 2017.

SOURCE: Gartner (August 2017).
206 / CH AP T ER 7

Beside information about the accident itself, other data will be gathered, such as the
identity of the driver and all passengers, start and end points, travel route, time and date
of trip, speed (continuously monitored), and payment (a growing trend for rental automo-
biles). The data will most likely be stored in the cloud, and the data controllers will most
likely be automakers and rental car companies who may find it lucrative to sell this infor-
mation to others, including government, insurance companies, and other businesses. For
example, city transportation departments would benefit from understanding when most
accidents occur to prioritize road safety projects. And insurance companies may interpret
the data sent by smart cars and determine you are a poor driver of your regular car, which
could result in an immediate increase of your premium.

Internet of Things Platform

The Internet of Things (IoT), born sometime between 2008 and 2009, is basically a network
connecting any device with an on/off switch to the internet and to one another. The IoT
can include devices as near to you as your home washer and dryer or devices as remote as
the drill on an oil rig or the jet engine of an airplane. These devices can collect and exchange
data using embedded sensors. Business Insider Intelligence estimates there will be more
than twenty-four billion IoT devices on earth by 2020 (four devices for every human being
on the planet).40
Industries that will take advantage of IoT include manufacturing, transportation, de-
fense, logistics, healthcare, and smart buildings (see figure 7.8 for examples of emerging
opportunities).
Among the hundreds of companies already linked to the IoT are Amazon, Apple, Fitbit,
Garmin, GE, IBM, Microsoft, and Zebra Technologies.41
IoT systems are comprised of four components: sensors/devices, connectivity (to the
cloud), data processing (software), and User Interface (so the human can interact with the
rest of the system). IoT Platforms provide the support software to connect anything to the
IoT system. It facilitates communication, data flow, device management, and the function-
ality of applications.
An Internet of Things platform is the support software that connects and facilitates ev-
erything in the IoT system. There are three different types of network architectures: Point
to Point (e.g., between your Fitbit and your smartphone), Hub and Spoke (a star-shaped
network), and Mesh Networks (automatically reconfigure in case of device failure). The last
is the best option for mission critical applications (e.g., the oil and gas industry, healthcare).
Leading IoT platforms at this time include Microsoft Azure IoT Suite, Oracle IoT, Thing-
Worx, IBM Watson, Amazon Web Services (AWS), and Kaa IoT (an open-source platform).
You may again wonder what this had to do with records management or information gov-
ernance. First, the IoT provides new data streams that are not possible without the connec-
tivity between devices. Those data streams may be relevant for business decisions, regulatory
matters or lawsuits. That means the organization must understand what is being collected
and where it is stored. That also means the Internet of Things must be reflected in policies
and procedures that address privacy, security, records management, and litigation readiness.

Blockchain Technology

Blockchain is a digitized, decentralized, immutable ledger for recording the history of cryp-
tocurrency transactions. It was developed as the accounting method for the virtual currency
 DE V ELOPI NG AN D E M E R G I N G TE C H N O LOG I E S AN D R E C O R DS MAN AG E M E N T / 207

Wearable Devices
Smartphones
[ Co
nsu
Emerging Opportunities:
Internet of Things
l
[ Inventory Control
Focused Marketing
me tai
Home Appliances
r Re Product Tracking

Smart Meters
Climate Control
[
Industrial
Network
Connectivity
Powered by
Military
[ Biometric Sensors
Resource Allocation
Heavy Machinery Software Threat Analysis

Activity Trackers
Ingestible Sensors
[ M
e di
ca
l
Go
ve
rn
me
nt [ Disaster Response
Fleet Telematics
Implanted Devices Smart Cities

FIGURE 7.8 Exchanging and analyzing data through the Internet of Things.

Bitcoin. Bitcoin (Bitcoin.org) uses peer-to-peer technology, eliminating the need for a cen-
tral authority or bank; all transactions are carried out by the network. Notice that in figure
7.7, Blockchain technology is moving down from the peak of inflated expectations toward
the trough of disillusionment. That is likely to be a temporary readjustment of expectations
as we are now beginning to see other vendors provide business applications of blockchain
technology without the need for cryptocurrency exchange. Leaders in the Blockchain as a
Service (BaaS) field are Microsoft, IBM, and Deloitte. (See figure 7.9.)
Another firm, Factom, provides technology that can be adapted to almost any orga-
nization. Although it does issue its own cryptocurrency, called Factoids, it separates the
blockchain from the currency,
enabling use for events outside of
monetary transfers. Factom has The blockchain is an incorruptible digital
been working with the US De- ledger of economic transactions that can
partment of Defense and the Bill be programmed to record not just financial
and Melinda Gates Foundation transactions but virtually everything of value.
to develop new ways to secure
—Don and Alex Tapscott, authors, Blockchain Revolution
records. Their goal is to use their
(2016), https://www.linkedin.com/pulse/whats-next
blockchain-based software sys- -generation-internet-surprise-its-all-don-tapscott/
tem to record, manage, and share
records while ensuring sensitive
information is appropriately shared and privacy is respected.
You may remember the banking crisis of 2007 that resulted in millions of mortgage
foreclosures over the next few years. Since then over 6.2 million families have lost their
homes.42 The first decision in the “produce-the-note” defense occurred in 2007 when
a federal judge in Cleveland threw out fourteen foreclosures by Deutsche Bank National
Trust Co. Although at least one of the families eventually lost their home, the decision was
FIGURE 7.9 Transaction processing using blockchain technology.
SOURCE: BlockGeeks, https://blockgeeks.com/guides/what-is-blockchain-technology/
 DE V ELOPI NG AN D E M E R G I N G TE C H N O LOG I E S AN D R E C O R DS MAN AG E M E N T / 209

considered a success in keeping the families in their homes a while longer, and it alerted
the mortgage industry to the consequences of poor recordkeeping.43 However, as recently as
2016, staffing firms were recruiting default breach specialists to locate missing documents
needed to complete the chain of title prior to foreclosure referral. How much easier and less
expensive it would be to do it right the first time!
Released in 2016, Factom Harmony is a blockchain solution for the mortgage industry.
The average mortgage loan produced 500 documents in 2014. The industry itself produces
five trillion pages of new documents each year, with a need to keep forty trillion pages of
mortgage history. As illustrated by the “produce the note” defense to prevent or delay fore-
closure, the biggest challenge occurs when the mortgage company is asked to re-create a
decision (not a document) years later. Using blockchain technology, this required data can
be provided.

SUMMARY

Social media is included in this chapter not because it is a new, emerging technology, but
because it is a developing technology that continues to challenge records and information
managers. The good news is that solutions to capture and manage social media content,
including enlisting the services of a social media archiving provider, are also evolving.
Although records and information managers deal with day-to-day responsibilities, they
must also scan the horizon for emerging technologies that may impact their RIM programs
in the future. One way to keep abreast of emerging technologies is to identify trends. This
can be accomplished by listening to others within and outside your organization; watching,
reading, and browsing journals, newspapers, and the internet; looking more broadly outside
of your own industry; and using software and/or services to spot trends.
The diffusion of innovation model introduced in this chapter plots the adoption of new
technology over time. In addition to understanding how society at large adopts new tech-
nology, it is necessary to understand how members of the organization attempt to imple-
ment it in the workplace. The Gartner Hype Cycle model provides an overview of emerging
technology through its various stages from innovation through productivity. Three of those
innovations, autonomous vehicles, the Internet of Things platform, and blockchain tech-
nology were examined to better understand how they might impact records and informa-
tion management and information governance. You can use a similar approach to explore
the potential impact of other emerging technologies.
One of the emerging technologies introduced in this chapter is blockchain technology.
On the Gartner Hype Cycle (figure 7.3) it is represented as moving down the Peak of In-
flated Expectations into the Trough of Disillusionment. However, by mid-2017 it became
a hot topic in various industries including healthcare, banking, and the travel industry. All
indications are that blockchain technology may move into the Slope of Enlightenment more
quickly than many other emerging technologies.
Dr. Victoria Lemieux, an associate professor at the University of British Columbia
(UBC), leads the University’s research effort Blockchain@UBC. In her contribution to this
chapter, Dr. Lemieux provides an introduction to this emerging technology as applied to
recordkeeping and presents questions that should be asked and answered before an organi-
zation can determine if blockchain technology is appropriate for them.
2 10 / CH AP T ER 7

PA R A D I G M

Blockchain Technology and Recordkeeping

Victoria L. Lemieux
Associate Professor, Archival Science
The University of British Columbia, Vancouver, Canada ([email protected])

B lockchain is a novel technology that is often described as a distributed ledger. In block-

chain systems, transaction records are grouped into blocks that are cryptographi-
cally secured in an append-only, time-ordered chain to provide, at least in theory,44 an
immutable ledger. In addition, the ledger is copied to distributed computer nodes commu-
nicating with one another via a peer-to-peer, mesh network.45 The unique combination of
cryptographically chaining transactions together and distributing copies of the ledger to
many nodes permits detection of any alteration of the transaction records, allows parties to
transact business without necessarily trusting one another, and creates a transparent and
immutable46 record. Increasingly, the business rules that determine when and how a trans-
action will take place are encoded into computer code in “smart contracts” and executed
automatically on the blockchain. This allows different types of transactions to take place
autonomously on a blockchain, without any human intervention.47
Just like other technologies before it, blockchain technology is beginning to transform
the way that organizations communicate and keep records. All around the world govern-
ments and businesses are piloting the use of blockchain technology in a wide variety of
sectors, including in the medical, real estate, financial, and education domains. An ongoing
study of different types of blockchain projects for recordkeeping suggests that there are
currently three basic types of blockchain solutions in operation today (see figure 7.10).48 In
the “mirror” type, the blockchain serves as a repository of “digital fingerprints,” or hashes,
of the records in an originating system. In the “digital record” type, records are no longer
just mirrored or fingerprinted on chain but are actively created on chain in, for example, the
form of smart contracts. Finally, in the “tokenized” type, not only are records captured on
chain, but assets, such as land, agricultural products, and creative works, are represented
and captured on chain by linking them to an underlying cryptocurrency or digital token.
Given the way in which blockchain technology is beginning to transform organiza-
tional communication and recordkeeping, information governance professionals may be
called upon to help their organizations decide whether they need a blockchain solution
and, if so, how to go about implementing one.
In thinking about the application of blockchain technology, the first decision an orga-
nization must make is whether a blockchain solution is necessary. Many organizations
are simply jumping on the blockchain bandwagon, possibly for fear of being left behind.49
Before considering whether to launch a blockchain project, however, organizations should
consider whether blockchain technology is the right direction to take. Typical questions for
consideration include:50
1. Is your organization happy with its current recordkeeping system (e.g., a relational
database)? All organizations keep records of transactions in some kind of system,
but often that system of recordkeeping may not work well for the organization.
If not, there may be an opening to improve an organization’s recordkeeping
 DE V ELOPI NG AN D E M E R G I N G TE C H N O LOG I E S AN D R E C O R DS MAN AG E M E N T / 2 11

FIGURE 7.10 A Typology of Blockchain Recordkeeping Solutions.

SOURCE: Victoria L. Lemieux , “A Typology of Blockchain Recordkeeping Solutions and Some Reflections on Their Archival
Implications,” 2nd IEEE Big Data Workshop on Computational Archival Science. Figure is Victoria L. Lemieux’s own rendering.

by applying blockchain technology. In some cases, an organization may be

reasonably happy with its current technology but still motivated to explore
the application of blockchain technology to avoid being “disrupted” or to take
advantage of a strategic business opportunity offered by blockchain that is not
available with its current technology solution.
2. Do you need to ensure that multiple parties, who do not inherently trust one
another, can each see and attest to a synchronized authoritative source of the
“truth”? If the application area for blockchain technology that your organization
is considering does not involve multiple parties to a business transaction who
need to update a shared recordkeeping system (e.g., database) to which they
must refer back for trustworthy evidence of completed business transactions,
then blockchain technology may not be needed. Some also argue that blockchain
systems are most applicable to situations in which the transacting parties do not
necessarily need to identify themselves or trust one another.51
3. Do you need a guarantee that any party creating transactions between untrusted
organizations or multiple jurisdictional boundaries is following the same known
set of rules? When multiple stakeholders interact with one another in a business
transaction according to a shared and known set of business rules there may be
an advantage to using blockchain technology, especially when those stakeholders
do not necessarily trust each other and also collectively need to add records to
a recordkeeping system in the process of completing a transaction. An example
would be an online marketplace where the buyer and seller do not necessarily
know or trust one another and want to exchange goods for currency.
4. Do you have reasons why you would want to eliminate or reduce the role of an
intermediary, such as high transaction costs (e.g., a clearing house or a bank
with high fees)? Middlemen, who act as disinterested intermediaries to facilitate
business transactions among stakeholders, typically add expense and complexity
2 12 / CH AP T ER 7

to the execution of organizational transactions. Think about the fees that banks
charge to transfer funds from one person to another, for example. Additionally, in
some contexts, the trusted intermediaries prove to be not so trustworthy after all
(e.g., officials who accept bribes to make fraudulent accounting entries). In such
cases, the potential to eliminate intermediaries through applying blockchain’s
peer-to-peer transaction capabilities can be an attractive way to cut costs and
reduce the risk of fraud or tampering. If your organization is the middleman, you
may want to begin experimenting with blockchain technology to avoid being
suddenly disrupted by it.
5. Do you care about highly secured methods of transacting? Blockchain’s use
of cryptographic techniques and distribution of copies of the ledger make it a
relatively secure form of transacting business. This is not to say that it is without
security or other information risks, however.52 In addition, blockchain solutions
come in many varieties and use different consensus mechanisms (or means of
chaining together blocks of business transactions),53 each of which may trade off
security to maximize other capabilities, such as speed and transaction throughput.
In recommending the application of blockchain technology, information
governance professionals need to understand the implications of these design
trade-offs for the application of blockchain technology within their organizations.
6. Do you need stakeholders to have the ability to access shared evidence of business
transactions? Blockchain technology creates a transparent record of transactions
in the form of a hash indicating those transactions that have been securely
added to the chain. Each node in the blockchain’s distributed network keeps a
full or partial copy of the ledger so that it is always possible to check whether a
transaction is legitimate or not. Through the use of blockchain search interfaces,
such as the Block Explorer for the Bitcoin blockchain, it is possible to search for
and confirm the existence and legitimacy of transactions.54
7. Do you need something that helps ensure that assets are not used or “spent” twice?
Blockchain technology solves what is called the “double spending” problem. For
example, if you have a house that you are selling to a buyer, that buyer wants
assurance that you cannot turn around and sell the same house to someone else
before they have a chance to occupy it. Blockchain’s unique design makes sure
that you can only use or spend an asset once, not twice.
8. Do you need a guarantee that transactions have not been tampered with or
altered? In the digital era, when records are often subject to intentional or
accidental alteration, it is important to be able to detect if the integrity of records
has been affected. Through the use of digital signatures, which produce a unique
hash fingerprint of records, it is relatively easy to detect if records entered into
a blockchain have been altered by comparing the hash of those records in the
blockchain with a subsequent hash of the same records. If the two hashes do not
match, the integrity of the records may be in question.
9. Do you need to maintain data synchronization, consistency, and integrity across
multiple data stores that may transcend untrusted organizations or other such
jurisdictional boundaries? Because blockchain technology operates as a
distributed system in which there are multiple copies of the ledger kept by the
 DE V ELOPI NG AN D E M E R G I N G TE C H N O LOG I E S AN D R E C O R DS MAN AG E M E N T / 2 13

nodes, or participants, in the network, records of transactions are synchronized

and consistent across the network, and their integrity can always be checked. If a
copy of the ledger held by one node does not match copies held by other nodes,
then it may be untrustworthy and need to be eliminated from the distributed
ledger.
10. Does your organization operate in a fluid regulatory environment rather than
an established, tightly regulated space? The more highly regulated and tightly
controlled the institutional context in which a potential blockchain solution may
be implemented, the more difficult it may be to make the transition to a blockchain
solution. Generally speaking, early adopters of blockchain solutions are emerging
where regulation and institutions are weak, which presents an opportunity for
blockchains to be applied to solve a problem as opposed to disrupting an existing
stable environment.

If the answer to all or most of these questions is “yes,” then blockchain technology is the
way to go. If not, then more traditional technologies may be best.55 For most organizations,
the answers to these questions will not be a binary yes or no, but a matter of degree. Orga-
nizations operating in areas with weak state institutions (e.g., lesser-resourced nations)
or that must interact with costly intermediaries (e.g., finance), and that have a high risks
and costs associated with establishing the provenance of commodities such as diamonds
and food, may be experiencing enough “pain points” to take on the risk of being early
blockchain system adopters. For other organizations, it may make more sense to wait until
blockchain technology becomes cheaper, more developed and more accessible.
Having determined that, in theory, blockchain technology is suited to your organiza-
tion’s use case, the path to practically validating its suitability and the process of digital
transformation can be a long and complex one. For one thing, blockchain technology is
still evolving and changes to its design and configuration are occurring at a fast pace. This
makes any long-term decisions about deploying a blockchain solution challenging. Some
organizations are using design challenges and hackathons as a means of further validating
the suitability of blockchain technology and generating ideas about how to apply it within
their organizations. The British Columbia Land Titles and Survey Authority, in collaboration
with the Digital Identity and Authentication Council of Canada and Identity North, has
used a design challenge to deepen its understanding of blockchain technology and gener-
ate ideas about how to apply the technology to solve a particular use case (i.e., how digital
identity can improve and simplify the process of accessing and distributing electronically
delivered state of title certificates [eSTCs]).56
Blockchains also work best when multiple stakeholders transact business together.
To realize the added value of blockchains, your organization may need to negotiate with
multiple business partners (e.g., participants in a supply chain) to encourage them to join
a blockchain-based business network if such a network does not already exist. For this
reason, many organizations are starting their blockchain transformations with smaller, low-
risk pilots that do not radically alter existing business practices or require the involvement
of multiple stakeholders right away. The Brazilian land registry office for the Municipality
of Pelotas, for example, is experimenting with blockchain technology by creating a mirror
of its existing land registry using a blockchain solution.57 Its approach avoids disrupting
existing procedures and technology solutions, while still allowing for experimentation with
a new blockchain-based land transaction solution. Some organizations are further along
214 / CH AP T ER 7

in the process of mainstreaming blockchain technology into their operations. The Swedish
land registration authority is now into the third stage of a pilot of blockchain-based land
transfer recording using smart contracts across a multi-stakeholder network that includes
a digital identity provider, real estate buyers and sellers, banks, and the land title registra-
tion authority, and has begun tackling the review and updating of laws, regulations, and
procedures needed to support transformation to this new form of recordkeeping.58
As organizations seek to determine whether the introduction of blockchain technol-
ogy is the right move for them, they may discover that there are other, less expensive
and complex, means to solve their recordkeeping and business challenges. Observation
of current practices reveals that, even if there appears to be a strong business case for the
adoption of blockchain technology, organizations still are undertaking a careful review of
blockchain’s capabilities, applications, shortcomings, and the need for interoperability and
integration with existing information systems, infrastructure and operations before moving
ahead.59 At that point, organizations appear to be opting for low-risk pilot studies that, for
the most part, do not disrupt existing business operations or technology solutions. Public
agencies starting down the path of digital transformation with blockchain technology must
remain sensitive to the need to safeguard public trust. Most organizations are far from
ready to jump headlong into the use of blockchain technology, but it is clear that adoption
of this novel form of recordkeeping is gathering momentum and information governance
professionals should be prepared.

NOTES
1. BusinessDictionary.com, s.v. “emerging technologies,” accessed October 19, 2017,
www.businessdictionary.com/definition/emerging-technologies.html.
2. National Archives and Records Administration (NARA), “NARA Bulletin 2011-02: Guidance on
Managing Records in Web 2.0/Social Media Platforms,” Record Managers, October 20, 2010,
www.archives.gov/records-mgmt/bulletins/2011/2011–02.html.
3. Patricia C. Franks, How Federal Agencies Can Effectively Manage Records Created Using New Social
Media Tool, (Washington, DC: IBM Center for the Business of Government, 2010).
4. American Council for Technology (ACT) and Industry Advisory Council (IAC), Best Practices Study
of Social Media Records Policies: ACT-IAC Collaboration and Transformation (C&T) Shared Interest
Group (SIG), March 2011, 11, https://www.actiac.org/system/files/Best%20Practices%200f
%20Social%20Media%20Records%20Policies%20-%20CT%20SIG%20-%2003–31–11%20
%283%29.pdf.
5. National Archives and Records Administration (NARA), “Federal Agency Records Management
2016 Report,” revised October 2, 2017, https://www.archives.gov/files/records-mgmt/
resources/2016-federal-agency-records-management-annual-report.pdf.
6. Arian Ravanbakhsh, “Records Management of Social Media and Electronic Records,” The National
Archives Records Express, blog post, January 27, 2017, https://records-express.blogs.archives.gov/
2017/01/27/records-management-of-social-media-and-electronic-records/.
7. National Archives and Records Administration (NARA), “NARA Bulletin 2011-02.”
8. National Archives and Records Administration (NARA), “NARA Bulletin 2014-02.”
9. National Archives and Records Administration (NARA), “NARA Bulletin 2015-02.”
10. New York State Archives, “Records Advisory: Preliminary Guidance on Social Media,” Managing
Records, last modified May 24, 2010, www.archives.nysed.gov/records/mr_social_media.shtml.
11. US National Archives. “Social Media Strategy,” page last reviewed December 21, 2016,
https://www.archives.gov/social-media/strategies.
 DE V ELOPI NG AN D E M E R G I N G TE C H N O LOG I E S AN D R E C O R DS MAN AG E M E N T / 215

12. Lois Evans, Patricia C. Franks, and Hsuanwei Michelle Chen, “Voices in the Cloud: Social Media
and Trust in Canadian and U.S. Local Governments.” Records Management Journal 28 (1).
13. HootSuite, accessed October 21, 2017, https://hootsuite.com/#.
14. “NARA Bulletin 2014-02.”
15. Meridith Fiedler Dennes, “How to Start a Blog in 2017 (Step by Step Guide with Images),”
July 25, 2017, https://www.linkedin.com/pulse/how-start-blog-2017-step-by-step-guide-images
-meridith-fiedler-dennes/.
16. Facebook, “Accessing Your Facebook Data,” https://www.facebook.com/
help/405183566203254?helpref=faq_content.
17. LinkedIn, “User Agreement,” effective June 7, 2017, https://www.linkedin.com/legal/
user-agreement.
18. Kori Schulman, “The Digital Transition: How the Presidential Transition Works in the Social
Media Age,” The White House Blog, October 31, 2016. https://obamawhitehouse.archives.gov/
blog/2016/10/31/digital-transition-how-presidential-transition-works-social-media-age.
19. Ibid.
20. FINRA, “Social Media Web Sites: Guidance on Blogs and Social Networking Web Sites,” Regulatory
Notice 10–06, January 2010, www.finra.org/web/groups/industry/@ip/@reg/@notice/documents/
notices/p120779.pdf.
21. SEC Rule 17a-4(f ) permits broker-dealers to maintain and preserve these records on “micrographic
media” or by means of “electronic storage media,” as defined in the rule and subject to a number of
conditions.
22. FINRA, “2210. Communications with the Public,” FINRA Manual, accessed October 22, 2017,
http://finra.complinet.com/en/display/display_main.html?rbid=2403&element_id=10648.
23. FINRA, “Communications with the Public,” Regulatory Notice 12–29, June 2012, www.finra.org/
sites/default/files/NoticeDocument/p127014.pdf.
24. FINRA, “Communications with the Public: Respective Rule Review Report,” December 2014,
www.finra.org/sites/default/files/p602011.pdf.
25. FINRA, “Social Media and Digital Communications,” Regulatory Notice 17–18, April 2017,
www.finra.org/sites/default/files/notice_doc_file_ref/Regulatory-Notice-17–18.pdf.
26. GlobalRelay, accessed October 21, 2017, https://www.globalrelay.com/.
27. IBM, “IBM Social Computing Guidelines,” accessed October 22, 2017, www.ibm.com/blogs/zz/en/
guidelines.html.
28. Chris Boudreaux, “Social Media Policy Database,” Social Media Governance.com,
accessed October 22, 2017, http://socialmediagovernance.com/policies/.
29. National Archives, Social Media Strategy 2017–2020, accessed October 22, 2017,
http://usnationalarchives.github.io/social-media-strategy/.
30. OpenText Extended ECM for Salesforce, accessed October 22, 2017, https://www.opentext.com/
what-we-do/products/opentext-suite-for-salesforce/opentext-extended-ecm-for-salesforce.
31. CBS News, “3 Emerging Technologies to Go Mainstream in 2011,” January 10, 2011, CBS Money
Watch, video, www.cbsNews.com/video/watch/?id=10495949n?tag=bnetdomain.
32. “About Us,” MIT Technology Review, Massachusetts Institute of Technology,
accessed October 19, 2017, https://www.technologyreview.com/about/.
33. Ibid.
34. Michael Vasilinda, Capital News Service, March 16, 2017, https://policerecordsmanagement.com/
2017/03/tallahassee-fl-wctv-house-committee-voted-17–0-allow-police-officers-view-footage-body
-cameras-submitting-reports-responding-complaints/.
35. IDC, “IDC Sees the Dawn of the DX Economy and the Rise of the Digital-Native Enterprise,”
November 1, 2016, https://www.idc.com/getdoc.jsp?containerId=prUS41888916.
2 16 / CH AP T ER 7

36. Clayton Christensen, “Disruptive Innovation,” accessed October 19, 2017,

www.claytonchristensen.com/key-concepts/.
37. IDC. “IDC Sees the Dawn of the DX Economy and the Rise of the Digital-Native Enterprise,”
November 1, 2016, https://www.idc.com/getdoc.jsp?containerId=prUS41888916.
38. Louis Columbus, “Gartner’s Hype Cycle for Emerging Technologies, 2017 Adds 5G and
Deep Learning for First Time,” Forbes, August 15, 2017, https://www.forbes.com/sites/
louiscolumbus/2017/08/15/gartners-hype-cycle-for-emerging-technologies-2017-adds-5g-and
-deep-learning-for-first-time/#420ad65b5043.
39. Catherine Clifford, “Billionaire Tech Investor: There Will Be a Mark Zuckerberg and Bill Gates of
AI,” Forbes, September 25, 2017, https://www.forbes.com/sites/benkerschberg/2017/09/26/
5-best-artificial-intelligence-articles-you-should-read-today-916/#24ac9bcc6d19.
40. Andrew Meola, “What Is the Internet of Things (IoT)? Business Insider, December 19, 2016,
www.businessinsider.com/what-is-the-internet-of-things-definition-2016-8.
41. Ibid.
42. David Dayen, “Mortgage Companies Seek Time Travelers to Find Missing Documents,”
The Intercept, June 17, 2016, https://theintercept.com/2016/06/17/mortgage-companies
-seek-time-travelers-to-find-missing-documents/.
43. Associated Press, “New Foreclosure Defense: Prove I Owe You,” NBCNews.com, . February 17,
2009, www.nbcnews.com/id/29242063/ns/business-real_estate/t/new-foreclosure-defense
-prove-i-owe-you/#.WgngTIZrxG8.
44. Gideon Greenspan, “The Blockchain Immutability Myth,” 2017, https://www.multichain.com/
blog/2017/05/blockchain-immutability-myth/.
45. Victoria L. Lemieux, “Blockchain Recordkeeping: A SWOT Analysis,” 2017, www.bluetoad.com/
publication/?i=454085&ver=htm15&p=22#{“page”:22,”issue_id”:454085}.
46. Ibid.
47. Nick Szabo, “The Idea of Smart Contracts,” 1997, www.fon.hum.uva.nl/rob/Courses/
InformationInSpeech/CDROM/Literature/LOTwintersch0012006/szabo.best.vwh.net/
idea.html.
48. Victoria L. Lemieux, “A Typology of Blockchain Recordkeeping Solutions and Some Reflections on
Their Archival Implications,” 2nd IEEE Big Data Workshop on Computational Archival Science, 2017.
49. Gideon Greenspan, “Avoiding the Pointless Blockchain Project: How to Determine If You’ve Found
a Real Blockchain Use Case,” 2015, https://www.multichain.com/blog/2015/11/avoiding-pointless
-blockchain-project/.
50. These questions have been adapted from Greenspan (2015) and the work of colleagues in the W3C’s
Blockchain Community Group, especially Colleen Kirtland, on identifying the blockchain business
case, which the author would like to acknowledge.
51. Scott Nelson, “Looking for a Nail to Hit with My Blockchain Hammer: A Q&A with Adventium
Blockchain Expert T.D. Smith,” CIO, 2017, https://www.cio.com/article/3236559/data-protection/
looking-for-nails-to-hit-with-my-blockchain-hammer.html.
52. See, for example, Victoria L. Lemieux, “Trusting Records: Is Blockchain Technology the Answer?”
Records Management Journal 26, no. 2 (2016): 110–139.
53. Hitoshi Okada, Yamasaki Shigeichiro, and Vanessa Bracamonte, “Proposed Classification
of Blockchains Based on Authority and Incentive Dimensions,”IEEE 19th International
Conference on Advanced Communication Technology (ICACT). IEEE; Christian Cachin and Marko
Vukolic, “Blockchain Consensus Protocols in the Wild,” Arxiv, July 17, 2017, https://arxiv.org/
pdf/1707.01873.pdf.
54. See Bitcoin Block Explorer, https://blockexplorer.com.
55. Greenspan, 2015, en. 7.
 DE V ELOPI NG AN D E M E R G I N G TE C H N O LOG I E S AN D R E C O R DS MAN AG E M E N T / 21 7

56. See Digital Identity and Authentication Council of Canada, “Design Solutions: Using Blockchain
for Real Estate Transactions,” 2017, https://diacc.ca/design-solutions-using-blockchain-for-real
-estate-transactions/.
57. Lemieux, 2017, fn. 5, and Luke Parker, “Brazil Pilots Bitcoin Solution for Real Estate Registration,”
Brave Newcoin, April 9, 2017, https://bravenewcoin.com/news/brazil-pilots-bitcoin-solution-for
-real-estate-registration/.
58. Lemieux, 2017, fn. 5, and Lantmäteriet, “Annual Report 2016,” www.lantmateriet.se/
contentassets/3d550bd6c8104483bac8d1fca69f4a4e/webb_lm.verksamhetsberattelse.eng.2016
_170323.pdf.
59. Deloitte, “Six Control Principles for Financial Services Blockchain,” 2017,
https://www2.deloitte.com/content/dam/Deloitte/ie/Documents/Technology/
IE_C_BLOCKCHAINPRINCIPLES.pdf.
 CHAPTER 8

Vital (Essential) Records, Disaster

Preparedness and Recovery,
and Business Continuity

INTRODUCTION

What is a records disaster? Simply stated, it is a sudden and unexpected event that results
in the loss of records and information essential to an organization’s continued operation.
Natural or man-made disasters—the terrorist attack that shocked New York City on 9/11,
Hurricane Harvey that slammed Texas on August 25, 2017, and the 7.1 magnitude earth-
quake that shook Mexico City on September 19, 2017—leave devastation in their wake. The
loss of life is tragic, and the damage to the local infrastructure can be significant. Long-term
recovery efforts are hampered by the interruption of normal economic activity. Even those
businesses and public institutions that have disaster preparedness/recovery and business
continuity plans in place could find that the effects of these disasters exceed the scope of
those plans. Not all records are essential to ongoing operations after a disaster, but those
that are must be identified as part of the overall business continuity effort.

BUSINESS RESUMPTION STRATEGIES

By definition, a business continuity plan is a “documented plan that defines the resources,
actions, tasks, and data required to manage the disaster prevention, emergency prepared-
ness, disaster response and recovery, and business resumption process in the event of a
business interruption.”1 Some sources use the terms business continuity plan and disaster
recovery plan interchangeably. Others see the business continuity plan as an umbrella plan
that consists of several component plans, among them the disaster preparedness and recov-
ery plan.
ARMA International defines a disaster recovery plan as “a written and approved course
of action to take after a disaster strikes that details how an organization will restore critical
business functions and reclaim damaged or threatened records.”2 A disaster preparedness
and recovery plan includes not only steps necessary to recover from loss but also steps to
take before a disaster or emergency occurs to either avoid or mitigate loss.
The term vital records can be used to describe two different types of records:

• Those that record/register life events under a government authority, such

as birth and death certificates, marriage licenses, divorce decrees, and
adoption.

/ 219 /
220 / CH AP T ER 8

• Those that are essential for the continuation of an organization during

and after an emergency as well as well as those that protect the legal and
financial rights of the organization and individuals affected by its activities.

Because of confusion over the two definitions, the term essential records is being used more
frequently to describe the second category—those necessary to protect the rights and inter-
ests of the organization and individuals as well as those necessary for emergency operations.
Unfortunately, the term essential has not yet been universally adopted, as evidenced by
a 2017 article in Information Management, “How to Develop a Vital Records Program Proj-
ect Plan.”3 In this book, the two terms are used interchangeably, with vital most often used
when discussing a program or plan and essential when discussing the records themselves.
A vital (essential) records program is one that consists of the policies, plans, and procedures
developed and implemented and the resources needed to identify, use, and protect those
records necessary to meet operational responsibilities under emergency or disaster condi-
tions or to protect the rights of the organization or those of its stakeholders. This may be a
program element within an emergency management plan.4
A vital records manual is a communications tool used to document the vital records
program. It could be published as a separate document or as part of the overall records man-
agement manual, and it would most likely be made available to employees electronically. It
is comprised of three elements:

• procedures and objectives

• explanation of the essential records schedule (master list)
• instructions for reconstructing the essential records, including the
necessary equipment

Identifying the records essential to the organization’s continued operations is the first step
toward developing both a disaster recovery plan and a business continuity plan.

VITAL RECORDS PROGRAM

Every organization, large or small, needs a plan to protect essential information from
destruction due to earthquakes, floods, terrorism, and other disasters. Large organizations
may survive such disasters because they have duplicate records at other sites. Small compa-
nies without a vital records program may never be able to reopen due to lost records.
Some companies feel a false sense of security because they have implemented a disaster
recovery program. To most companies, this means protecting files on a computer system
so that they can get it up and running again. Older records not stored on computer-read-
able media are not protected under these disaster recovery programs. Nearly three out of
four companies responding to a 2014 survey failed from a disaster recovery preparedness
standpoint in one or more of the following ways:

• lost one or more of their mission critical software applications

• lost one or more of their virtual machines
• lost critical files
• experienced days of datacenter downtime5
 V I TAL ( E S SEN TIAL ) R EC OR DS, DIS A STER PR E PAR E DN E S S AN D R E C OV E R Y, AN D BUSI N E S S C ON TI N U I T Y / 2 21

Unlike digital records, paper records are rarely backed up off-site. Without medical records,
doctors are unable to treat people who need medical attention but whose conditions and
medications are unknown. When Hurricane Katrina devastated New Orleans in 2005,
only about 25 percent of doctors in the United States reportedly kept electronic medical
records.6 Boxes of paper records were destroyed, and those that were salvaged remained
inaccessible, as shown in figure 8.1.
After the disaster, the federal government began a pilot test of KatrinaHealth.org, an
electronic health record (EHR) online system, sharing prescription drug information for
most of the hurricane evacuees with health care professionals.7 By the time Hurricane Har-
vey devastated Texas and roared into Louisiana in 2017, approximately 75 percent of health
care providers kept records electronically.8 That’s the good news. The bad news is that pa-
tients, first responders, and new healthcare providers had trouble accessing those records
when they needed them most: during a disaster. One of the reasons is that medical records
remain behind firewalls and in silos—if
you have more than one doctor, each
will have records they can share with
each other only with your permission
and usually by fax.
Recognizing this as less than desir-
able, health officials have been looking
for a system that could be used in the
event of a national emergency. One pi-
lot project that ran from July 2015 to
July 2017 is the Patient Unified Lookup
System for Emergencies (PULSE), which
would allow disaster healthcare vol-
unteers registered and authenticated
through California’s Emergency Sys-
tem for Advance Registration of Volun-
teer Health Professionals (ESAR-VHP) FIGURE 8.1 More than five months post-
to retrieve health information for Katrina, salvaged medical records remained
victims and evacuees from Health In- inaccessible at Hancock Medical Center,
formation Exchanges (HIEs), hospital Bay St. Louis, Mississippi.
systems, and other sources statewide SOURCE: Electronic Health Association, “HIMSS Katrina Battles
Ongoing Hurricane Effects with Health IT Donations,” Press
using national standards.9 Releases, February 13, 2006. Reprinted with permission from
Although a natural disaster cannot HIMSS. Photo by David Collins for HIMSS.
be prevented, the impact of the disaster
could be mitigated by the development of both a comprehensive disaster preparedness and
recovery plan and a business continuity plan. These plans are often designed simultaneously.

Planning a Vital Records Program

A vital records program is necessary to identify and protect those records that specify how
an organization will operate during an emergency or disaster, those records necessary to
the continued operations of the organization, and those records needed to protect the legal
and financial rights of all stakeholders.10 According to the ANSI/ARMA 2017 technical
report, Vital Records, a vital records program must be developed in conjunction with those
222 / CH AP T ER 8

stakeholders responsible for the organization’s business continuity, disaster recovery, and/
or emergency management programs. It recommends the following steps:

• identifying vital (essential) records

• classifying records (as vital, important, and useful)
• compiling a vital records schedule
• pretesting the program (e.g., procedures to restore backup files)11

The Vital Records technical report stresses the importance of reviewing the impact of the
loss of essential records on the business itself. The risk management process suggested has
two main components: business impact analysis (BIA) and essential records impact analy-
sis. The BIA looks at the loss of essential records through the perspective of the business,
including understanding the critical functions of the business in order to prioritize their
resumption, identifying potential losses due to disruption, and estimating the time and
resources necessary to resume or continue operations. The essential record impact analysis
requires understanding the essential records and then linking that back to the business;
for example, identify potential disaster-related threats to essential records and determine
the cost of protecting them from those threats. This is followed by the development of a
vital records loss prevention plan (e.g., reduce, remove, or mitigate risks) and a vital records
protection plan (e.g., dispersal and protective storage). Of course, training of staff is neces-
sary—including introduction of the vital records manual.12
The Washington State Archives provides advice and resources on Disaster Prepared-
ness, Response and Recovery on their website.13 Among the resources is a link to the State
of Washington’s Essential Records and Disaster Preparedness Manual (available in both PDF
and Microsoft Word formats), which was published to help local agencies within the state
protect their essential records from damage, loss, or theft. The manual begins by suggesting
the following first steps: defining essential records and protecting them; conducting a risk
analysis; reducing the likelihood of damage, loss, or theft; and producing a records disaster
recovery plan. It then provides practical advice to follow when a disaster occurs.14
When developing the vital records program, the first questions to answer are:

• Who is responsible for a vital records program?

• What is an essential record?
• How do you identify an essential record?

Who Is Responsible for a Vital Records Program?

Clear authority for a vital records program must be established through policies and proce-
dures. A vital records manager must be designated. Often, the organization’s records man-
ager fills this role. This person must work with other stakeholders throughout the organiza-
tion to identify, inventory, protect, store, make accessible, and update as needed the copies
of essential records required in an emergency, including records that document legal and
financial rights.
The following people should be involved in preparing the vital records inventory:

• Vital records manager: to manage the program

• Records manager (if different from vital records manager): to work with
the vital records manager
 V I TAL ( E S SEN TIAL ) R EC OR DS, DIS A STER PR E PAR E DN E S S AN D R E C OV E R Y, AN D BUSI N E S S C ON TI N U I T Y / 223

• Department, bureau, and division records liaison officers: to serve as

vital records coordinators and implement the vital records program for
their areas, including preparing the inventory and ensuring protection for
records within their area
• Management: to demonstrate support for the vital records program by
making it a priority
• Information technology (IT) staff: to ensure electronic systems in their
control are regularly backed up and accessible in an emergency
• All other employees: to cooperate and assist where and when needed

Under some circumstances, the organization may hire a consultant to speed up the process.
This may also help to ensure quality; however, this option will also increase costs.
What is an essential record? Although the type of essential record that needs protection
may differ slightly between public and private institutions, its value is the same: to re-cre-
ate the organization’s or agency’s legal and financial status and to preserve the rights and
obligations of stakeholders, including employees, customers, investors, and citizens. The
information may be recorded in any format (e.g., paper, digital, electronic, film, or tape).
Percentages for categories of records vary depending on source with some estimating as low
as 1 percent, but as a rule, not more than 7 percent of an organization’s records are consid-
ered essential, and it is more likely that the figure would be between 3 percent and 5 percent
(see figure 8.2).
To continue or resume operations and to meet customer needs, the organization should
protect records that identify fixed assets, identify and fulfill existing commitments to cus-
tomers, rebuild facilities, develop new business, identify the nature and value of invento-
ry, and resume computer system operations and telecommunications. To ensure the rights
of employees, the organization should protect records that list salaries and benefits due
employees and former employees and document any other corporate commitments to

Vital A―Essential in event of disaster

3–7% Vital B―Essential for resumption & continuity

Vital Vital C―Essential for legal or audit purposes

Important 15–25%

Useful 50–75%

Nonessential 20–30%

FIGURE 8.2 Records value scale with three classifications of vital (essential) records.
2 24 / CH AP T ER 8

employees, such as union contracts. To safeguard legal, financial, and shareholder interests,
the organization should protect records that document receivables, determine liabilities,
identify the locations and amounts of cash and securities owned by the company, establish
and defend the organization’s tax position, identify shareholders and their holdings, meet
all legal requirements for establishing the corporate status, and protect intangible assets
such as patents and trademarks. Emergency operations records, such as staff contact and
assignment information, and the business continuity plan itself, are examples of essential
records needed during an emergency.
In many instances, the loss of recorded information can have more devastating conse-
quences for continuation of an organization’s operations than the loss of physical space or
equipment, which is often replaceable and insured.15
The loss of essential records can result in:

• disruption of essential customer services,

• exposure to unplanned expenses of financial settlements or loss of revenue,
• increased vulnerability to litigation, and
• loss of productivity due to gaps in information.

Essential records should not be confused with permanent records. Records retain their
essential status only if they are necessary to the continued existence of the organization.

How Do You Identify an Essential Record?

Identify the records required to continue functioning during the disaster or to reestablish
operations immediately after the event. Too often vital information is interpreted as archi-
val or historical information preserved for the benefit of researchers and posterity. This is
another good reason why the term essential makes sense.
Each unit within the organization must analyze its own operations to determine what
information is necessary to its continued existence and the attainment of its critical missions.
This will feed into the overall vital records inventory for the organization. On the unit level,
a committee of senior staff should be convened to undertake this task. It is recommended
that the committee meet on a regular basis (e.g., every two weeks) until the records have been
identified and a vital records program is in place. The individuals on the committee should
be very familiar with their areas and the records in those areas and be willing and able to
devote time to the program until it is operational. One person from this committee should
assume the role of records liaison to communicate with the vital records program manager.
There are several ways to classify records. Some classification systems do not take into
account nonessential records. However, including such a classification makes it easier for
employees to understand which records they can immediately disregard when compiling
their inventory. The Delaware State Archives classifies records as vital, important, useful, or
nonessential and provides the descriptions of each category (see table 8.1).
The University of Washington also takes into account nonessential records but reduces
the categories to three: essential, useful, and nonessential.16 Regardless of the classification
scheme, the committee should begin with the comprehensive records retention schedule.
First, eliminate all nonessential records. Then eliminate those records that contain impor-
tant information but that can be easily reproduced. Identify all situations where informa-
tion is or can be protected through computer system backups. Finally, reevaluate the re-
maining records to see if they are essential. To do this, ask two questions:
 V I TAL ( E S SEN TIAL ) R EC OR DS, DIS A STER PR E PAR E DN E S S AN D R E C OV E R Y, AN D BUSI N E S S C ON TI N U I T Y / 2 25

TABLE 8.1 Classification of records as vital, important, useful, or nonessential.

VITAL RECORDS These records are essential to the continuity of services during
a calamity or the restoration of daily business if it has been
interrupted. These records are irreplaceable, and copies do not
have the same value as originals.

IMPORTANT RECORDS This category of records is replaceable only at considerable

expense of funds, time, and labor.

USEFUL RECORDS These records, if lost, might cause some inconvenience but could
easily be replaced. Loss of these records does not present any
real obstacle to restoring daily business.

NONESSENTIAL Loss of these records presents no obstacle whatsoever to

RECORDS restoring daily business.

SOURCE: Adapted from information at State of Delaware, “The Process of Vital Records Management: Records Classification,”
Vital Records Management, accessed December 3, 2017, http://archives.delaware.gov/govsvcs/records_policies/vital%20
records%20management.shtml.

• What would we be unable to do if this record were destroyed?

• How critical is our inability to do this or what is the impact on our
organization?

Increasingly, publications cite the 5 percent of records “you can’t live without” but ignore
the other 95 percent when providing advice on disaster preparedness/recovery and busi-
ness continuity.17 This does not imply that other important records should be ignored. How-
ever, it may be easier to set aside a discussion of the other categories to focus on the essen-
tial records during the disaster preparedness/recovery planning process.

Vital Records Inventory

The goal of a comprehensive records inventory is to identify records categories, not every
record that exists. A physical inventory conducted by properly trained personnel should
be conducted. Be sure to inventory not only paper but also computer printouts, microfilm,
magnetic media, photographs, slides, engineering drawings, and any other recorded infor-
mation. Don’t forget the digital files stored in enterprise content management systems and
with third-party vendors in the cloud.
When a retention schedule is developed, the operational, legal, administrative, and/
or historical value of the record is considered. Essential records are appraised in a similar
manner with one major difference: the value of the record during and immediately after
an emergency is what makes it essential. Essential records are either rights and interests
records or emergency operations records. Rights and interests records can be subcategorized
as operational, legal, and fiscal (see table 8.2).
The complete records inventory—which identifies all records, their locations, and the
format in which they are maintained—is the basis from which the records retention schedule
is created. An essential records inventory can be carried out independently of or at the same
time as the comprehensive records inventory introduced in chapter 4. As new records are
226 / CH AP T ER 8

TABLE 8.2 Essential Records categories and subcategories.

CATEGORY/SUBCATEGORY DESCRIPTION
Rights and Interests

Operational Any functions necessary to the operation or

continuation of your unit or the organization as a whole.

Legal Any functions that provide proof of the organization’s

legal status.

Fiscal Any functions which prove the unit’s or the

organization’s financial status.

Emergency Operations

Emergency Operations Any functions needed during an emergency.

created, they should be analyzed to determine their status. A records inventory form should
be completed for each records series and include information such as the title of the record,
a description, the location, and its format. You’ve already been introduced to inventory forms
for physical and electronic records. Figure 8.3 shows a portion of the Minnesota Historical
Society’s Records Inventory form, which I find especially useful because it not only asks if
the records are vital (essential) but expects the person completing the form to explain why.

Vital Records Analysis

Once the records inventory forms have been completed or gathered, they can be used as
the basis for interviews with the organization’s management staff. The task is to determine
their perception of the value of the records under their jurisdiction and the consequences
that would be incurred if those records were lost.
Questions to be asked during the interview could include:

• Who are the stakeholders of the unit or organization?

• What records are produced because of each function (operational, legal,
fiscal, emergency management)?
• What is the impact of not providing the records necessary to support each
function (i.e., can the work be carried on if the record is gone)?
• How long can you carry out those key functions without the records?
• Which of the records are essential (unique and required in their original
form to meet evidential requirements, not easily reproduced, or only
reproduced or replaced at a disproportionately high cost)?
• Can these records be replaced from another source?
• Are these records on computer, microfilm, backed up to the cloud, other?
• Are these records duplicated in a different format?
• Is the format easily accessible during or after an emergency?

The records manager should analyze the information gathered from these interviews to
determine the protection status of the vital records.
 V I TAL ( E S SEN TIAL ) R EC OR DS, DIS A STER PR E PAR E DN E S S AN D R E C OV E R Y, AN D BUSI N E S S C ON TI N U I T Y / 227

FIGURE 8.3 Section from the Minnesota Records Inventory Worksheet.

SOURCE: www.mnhs.org/preserve/records/docs_pdfs/recordservices/inventory.pdf.

Vital Records Protection

The goal is to use the simplest, most economical method that fits the circumstances. The two
methods of protection, which apply to both physical and electronic records, are duplication
and dispersal and protective storage.

Duplication and Dispersal

Records can be protected by making copies and storing them in one or more locations apart
from the original records. Methods of dispersal include:

• Routine dispersal: This low-cost method is the result of keeping a copy

of the record at more than one location as a normal part of business
operations. If this method is used, procedures must be put in place so that
records can be retrieved easily when necessary.
• Planned (designed) dispersal: This method entails duplicating the record
for protection purposes rather than as a normal part of the business
operation. This involves storing the duplicate off-site with a few exceptions,
such as microfilming the records and storing in a vault on-site or creating
an extra copy of essential data residing on a computer and transferring that
copy to a secure, remote location.
• Derivative dispersal: Although this is not a method of dispersal any
organization should rely on, it deserves mention when considering the
actual life of information. This is a term used to represent information and
records intentionally (with or without malice) spread through the use of the
Internet, social media, and smart devices. It is a direct by-product of the
information age. Information that may or may not be considered records
of the organization can be shared virally once made public and have a life
of their own beyond that of the useful life determined by the organization.
Examples include the documents released through the nonprofit
organization WikiLeaks and the tweets now preserved in perpetuity by the
Library of Congress.
228 / CH AP T ER 8

Protective Storage
Dispersal does not ensure the protection of either the original or the copies. Steps must be
taken to provide storage to protect vital assets, for example:

• On-site storage: Some organizations, including many local governments,

maintain essential records in a vault, fireproof cabinet, or fireproof
container on their premises. If this option is elected, the storage equipment
must conform to the rating requirements of the National Fire Protection
Association (NFPA) standards, which currently require essential records
be stored in a vault, or for small volumes, in two-hour records protection
equipment in a fire-resistive building.18
• Off-site facility: A large company may invest in its own off-site storage
facility for essential records on a variety of media, including paper,
microfilm, tapes, and discs. Others use commercial off-site storage. The
facility should be accessible twenty-four hours a day by appropriate
officials, have twenty-four-hour climate control with a temperature of
approximately 20°C or 68°F and a relative humidity of 30–40 percent, and
be located far enough away from the site that the same disaster will not
affect records stored at both.
• Electronically stored information (ESI): Identify “hot,” “warm,” and “cold”
sites to accommodate electronic records. Consider cloud-based solutions. Be
sure systems, applications, and system documentation are stored along with
the records. We will address these options in more detail later in this chapter.

Storage Media
When possible, store essential records on a medium that will last as long as the record is
needed. Because an essential record may not have permanent retention status, a life span of
500 years for a storage medium is not necessarily required. Compare the expected retention
period of the records with the length of life of different media when determining how to
store records (see table 8.3).
The actual length of time that storage media remain viable will depend on many fac-
tors, including:

• the quality with which the media were manufactured,

• the care with which the media were handled,
• the number of times the media were accessed,

TABLE 8.3 Storage media and length of record life.

MICROFILM 500 years

ACID-FREE PAPER 300 years

REGULAR OFFICE PAPER 20–30 years

ELECTRONIC STORAGE Availability of equipment & software to assess

MEDIA information (review every 3 years)
 V I TAL ( E S SEN TIAL ) R EC OR DS, DIS A STER PR E PAR E DN E S S AN D R E C OV E R Y, AN D BUSI N E S S C ON TI N U I T Y / 229

• the quality of the device used to write to or read from the media, and
• the cleanliness, temperature, and humidity maintained within the storage
environment.

In addition to the danger of loss due to longevity of storage media selected, some media will
fail. Therefore, essential records must be stored redundantly (backed up on more than one
type of media). The media must be tested periodically to ensure that the data are readable
and have not been altered.

The Vital Records Schedule

The vital records schedule is a listing of an organization’s essential records along with an
explanation of how each is to be protected from destruction in the event of a disaster. This
information is gathered from the records inventory. The easiest way to create this schedule
is to create a database. Fields to include in the database will vary; examples include record
title, descriptions of records, records media, method of protection, storage location, cycling
schedule of records, and critical functions supported by records (see figure 8.4).
Records management software and services can be used to manage both paper and
electronic vital records. Applications that comply with DoD 5015.2-STD: Electronic Records
Management Software Applications Design Criteria Standard will allow for periodic review
and cycling of essential records to ensure they are accurate and up-to-date.19 This involves
designating a category or folder as containing essential records and assigning an essential
records review period (time between reviews) and an essential records reviewer (a user or a
group of users) to receive email notifications when a review is due. Obsolete copies of es-
sential records would be replaced with copies of current essential records. Once the review
is complete, a new last review date would be appended. This procedure should be requested
for essential records protection even when using software applications that are not DoD
5015.2 certified.

Testing and Updating the Program

Test your disaster recovery and vital records programs by picking a team of employees who
would have to reconstruct operations in the event of a disaster. Provide the employees

FIGURE 8.4 Vital (essential) records schedule form.

230 / CH AP T ER 8

with the list of information needs the organization would have after a disaster. Have them
reconstruct the data and provide the information needed using only the protected records.
Test the program and revise it annually.

What to Do If a Disaster Does Occur

The need for emergency operations plans is immediate. A copy of the vital records/disaster
recovery plan should be stored at or close to the facility and available on a twenty-four-hour
basis. In case the immediate area is inaccessible, key employees should also have access to
the essential records/disaster recovery program from home either as a print or electronic
copy or available online.
In the event of a cataclysmic disaster, communications breakdowns will occur. For ex-
ample, in 2017, Hurricane Maria decimated the communication, transportation, and util-
ity infrastructure of the island of Puerto Rico. Private residences and businesses were left
without power, cable, or landline service, and mobile reception was spotty or nonexistent—
not to mention that even if there were cell service, phones would not operate without elec-
tricity to recharge them. In a situation like this, the local print copies, if any survive, may
be all that are accessible.

DISASTER PREPAREDNESS AND RECOVERY PLANNING

The disaster recovery plan is an emergency plan that outlines the steps your organization will
take to protect itself from loss due to a disaster and the steps the organization will take if actu-
ally impacted by a disaster. The plan coordinates the efforts, staff, and other resources needed
to protect the business’s information and equipment, as well as its employees and customers.
The disaster preparedness and recovery plan should identify procedures to be imple-
mented to prevent disasters from occurring in the first place and steps that can be taken
to mitigate the effect of those disasters that cannot be prevented. Hazards to be evalu-
ated include natural hazards (geological, meteorological, and biological), human-caused
events (accidental and intentional), and technologically caused events (accidental and
intentional). Any information that may prove useful in preventing disasters, or in being
prepared for disasters, should be included in the vital records disaster preparedness and
recovery plan.

Pre-disaster Preparedness

Pre-disaster preparedness involves identifying the types of risks most likely to impact your
organization, including natural hazards, human-caused events, and technologically caused
events.

Natural Hazards
Every business faces some sort of risk from natural hazards, regardless of its geographic
location. Some parts of the globe are more likely to be affected by certain types of disasters
than others. You should determine the risks presented to the organization based on its geo-
graphic location. Figure 8.5 is a map prepared by the Insurance Institute for Business and
 V I TAL ( E S SEN TIAL ) R EC OR DS, DIS A STER PR E PAR E DN E S S AN D R E C OV E R Y, AN D BUSI N E S S C ON TI N U I T Y / 2 31

Home Safety, a nonprofit initiative of the insurance industry, to help the public identify the
natural hazards to which they may be exposed. Through its website, the Institute provides
many disaster preparedness/recovery and business continuity resources, including a tool
based on this map that allows you to enter your zip code to discover the risks you face in
your section of the country.20
This type of map is useful when assessing the risks due to natural disasters that may
occur within your region in order to best protect your physical and digital assets. It will
also come in handy when determining the location for a disaster recovery site. When finding
the right spot for a disaster recovery site, you need to select an area that is not likely to be
affected by the same type of disaster your primary site faces.

Human-Caused Events
In spite of the attention devoted to loss of information due to major disasters, records dam-
age most often comes from preventable conditions such as equipment failure, arson, ter-
rorism, vandalism, and carelessness. Due to the frequency and sophistication of attacks on
data, this topic is addressed in chapter 10.
Damage can also occur due to leaking roofs, burst pipes, and damp conditions in base-
ment storage areas. Although most damage is localized and affects only a small percentage
of an organization’s vital records, valuable information may still be lost if the recording
media is damaged by water, fire, smoke, mold, or chemicals. Salvage and restoration efforts
can be expensive if even possible.

FIGURE 8.5 Natural hazards exposure map.

SOURCE: Insurance Institute for Business and Home Safety, “What Is at Risk?” in Open for Business: A Disaster Protection and
Recovery Planning Toolkit for the Small to Mid-Sized Business, 2007, 4—now only available as an interactive map at
https://disastersafety.org/.
2 32 / CH AP T ER 8

Pre-disaster preparedness efforts require team members to determine if potentially

hazardous substances have been used in constructing or equipping offices. If those sub-
stances are present in the workplace, essential records should be stored off-site and copies
used on a daily basis.

Technologically Caused Events

Events that affect central computers, mainframes, software, or internal and external appli-
cations are included in this category. Also included are events that disrupt ancillary support
equipment, telecommunications, and sources of energy, power, or utilities, as was experi-
enced on the island of Puerto Rico in 2017.
Increasingly, organizations are entering into agreements to store electronic records
in the cloud. The same procedures used to protect records controlled by the organization
must be used to protect records stored by service providers. Proof that the service provider
has an adequate backup and recovery plan in place is necessary. This information should
be included in a terms-of-service agreement (or service contract) negotiated between the
organization and the service provider. Periodic tests should be conducted to ensure that
the backup recovery systems and processes work as agreed upon. Just as with organiza-
tion-owned sites, both the service provider’s primary site and its own backup site must be
geographically located to avoid risk from the same natural disaster.

Disaster Recovery

By October 6, 2017, fifteen weather and climate disaster events in the United States resulted
in the deaths of 282 people and caused losses exceeding $1 billion each. They included one
drought, two floods, one freezing, seven severe storms, three tropical cyclones, and one
wildfire, as shown on the map in figure 8.6.
Developing a disaster recovery plan takes a great deal of time and effort—just how
much depends on the size of the organization and the risks identified. It is important to
remember that human safety is the first priority. Recovery of information and records
comes only after all employees and visitors are safe. Experts disagree on the format of a
disaster recovery plan, but when comparisons are made, common elements emerge, such
as:

• Communications strategy: Determine how you will reach all employees

during a disaster.
• Roles and responsibilities: Assign responsibilities for everyone involved,
and designate backup in case the primary team member is not available.
Provide training for all primary and backup team members.
• Access to systems: Be sure the primary and backup individuals are
assigned role-based access where necessary to perform a recovery.
• Remote access: Be sure recovery can be initiated remotely.
• Document the process: The disaster recovery procedures should include
clear step-by-step instructions for members of the team.
• Test the plan: Practice makes perfect. After initial training, at minimum,
provide, an annual test of your disaster recovery plan.
• Evaluate and update your plan.
 V I TAL ( E S SEN TIAL ) R EC OR DS, DIS A STER PR E PAR E DN E S S AN D R E C OV E R Y, AN D BUSI N E S S C ON TI N U I T Y / 233

A cursory review of disaster recovery plans available on the internet reveals that most tend
to emphasize either physical records or digital records. The steps outlined to recover from a
disaster may be specific to the medium used to store a majority of the records, but essential
records must be protected regardless of the medium.

Recovering Physical Records

Essential records will be listed on your vital records schedule. Depending on the type of
organization, those records could include:

• contracts, leases, and license and franchise agreements;

• laboratory notebooks and other research data;
• engineering drawings and blueprints;
• product formulas and production specifications;
• insurance policies;
• articles of incorporation, bylaws, and board minutes;
• patents, trademarks, copyrights; and
• deeds and title to property.

As soon as possible, a records damage assessment site survey should be conducted to deter-
mine the type of damage that has occurred. Records should be treated based on priorities
set previously and the severity of the damage. The site survey would include:

• the name of the surveyor and the date and time of the survey;
• the location (floor, room);

FIGURE 8.6 Natural hazard events result in more than $1 billion each in 2017.
SOURCE: NOAA National Centers for Environmental Information (NCEI) US Billion-Dollar Weather and Climate Disasters
(2017). https://www.ncdc.noaa.gov/billions/.
234 / CH AP T ER 8

• the type of damage (mold/mildew, mud, water, smoke, fire, sewage, insects,
rodents, other);
• the type of media (paper, books, photographs, slides, tapes, microfilm,
maps, hard drives, CD-ROMs/DVDs, other); and
• additional information based on type of record.

For essential records, the following information would be recorded: types of records/record
series, volume in feet, and dates of records. Figure 8.7 can be used as the basis for your own
records damage assessment site survey.
In the event of a disaster affecting your essential records stored on-site in physical for-
mats, you would follow the steps outlined in your own vital records disaster recovery plan.
The following steps are provided as one example:

• Stabilize the site and gain access as soon as the building is safe for reentry
armed with the vital records schedule and a list of all safe and vault
combinations, location of keys to all file cabinets, vaults, or containers that
house vital records.
• Restore environmental controls and allow the heating or air-conditioning
systems to run 24/7 with the goal of maintaining a temperature below 70°F
and a relative humidity below 50 percent.
• Document the damage. The coordinator of the vital records disaster
management team is responsible for documenting the damage by taking
photographs and videos and/or completing a records damage assessment
site survey.
• Toss duplicate records and replaceable or disposable materials to remove
a source of humidity and reduce the volume of materials the team must
inspect.
• Keep an inventory of material disposed of for insurance, replacement, and
tracking.
• Assess the damage. This can be accomplished by analyzing the records
damage assessment site survey to determine the extent of the damage
and the approximate volume of records affected. Prioritize treatment
by handling essential records first. Determine which records are official
records on vulnerable media that have not been backed up.
• Stabilize the records. Salvage wet records within forty-eight hours to avoid
costly restoration efforts. Photographs, magnetic media, and coated-stock
paper should be given highest salvage priority, because they deteriorate
more quickly. It may be necessary to move these records off-site if
stabilization is not possible in the original environment.
• If necessary, move records off-site following previously agreed-to
procedures that include identification of a suitable vendor for handling
and restoration, tracking method, relocation destination, transportation,
necessary clearances, and personnel assigned to accompany the records.

Recovering Electronic Records

The terrorist attacks of September 11, 2001, sent shock waves around the world. That day
Americans realized that natural disasters were no longer the greatest threat to our lives
 V I TAL ( E S SEN TIAL ) R EC OR DS, DIS A STER PR E PAR E DN E S S AN D R E C OV E R Y, AN D BUSI N E S S C ON TI N U I T Y / 235

and our economy. Several top financial services firms had offices in the World Trade Cen-
ter, including Morgan Stanley Dean Witter, Credit Suisse, Commerzbank, and Deutsche
Bank. The attacks exposed one area of vulnerability to business continuity: almost no paper
records survived the attacks on the World Trade Center (see figure 8.8).
Those businesses with offices in and near the World Trade Center site that had disas-
ter recovery plans in place for electronic data moved to off-site locations and took steps to
resume business operations. As a direct result of 9/11, all businesses began to question their
own ability to recover from such an event. Whether you develop your own data recovery
center or contract with a service provider, keep in mind the following lessons learned:

FIGURE 8.7 Records damage assessment site survey form.

236 / CH AP T ER 8

• Don’t place backup facilities near each other. One business located in the
World Trade Center had a backup facility several blocks away and data was
lost at both sites.
• Do regular backups of data residing on desktops and laptops. Synchronize
data with the server daily. One data recovery service provider was able to
recover 100 percent of the data for their clients—except for data that had
not been backed up. Critical works in progress are often neglected when it
comes to backing up.
• Don’t just back up your data. To restore the data, copies of data catalogs
and directories are needed to organize the data and obtain the appropriate
permissions to access the data.
• Do avoid incompatibility issues when recovering data by running backup
and storage environments like those in daily use.
• Do make sure that backup facilities have the hardware, software, network
connectivity, and services needed to run your entire operation.
• Do be prepared to reestablish systems management capabilities quickly,
including monitoring, job execution, and security features.
• Do prepare by training internal disaster response teams and identifying the
applications and business operations that should be recovered first.21

Taking a lesson learned from 9/11, disaster recovery sites should be not only off-site but
also in a geographic location that would not be exposed to the same risks from disasters as
the original site. The choice must be made between establishing and managing a compa-
ny-owned site or contracting with a disaster recovery service provider, but a decision on

FIGURE 8.8 Almost no paper survived the 9/11 attacks on the World Trade Center.
SOURCE: Doug Kanter/AFP/Getty Images.
 V I TAL ( E S SEN TIAL ) R EC OR DS, DIS A STER PR E PAR E DN E S S AN D R E C OV E R Y, AN D BUSI N E S S C ON TI N U I T Y / 237

the most appropriate type of site for the organization must be made. Traditional options
include:

• Disaster recovery cold sites: A cold site is available space without the
equipment and data needed to continue business operations. This type of
site is attractive for businesses that want to save money and have eighteen
or more hours to get up and running. The disadvantage of a cold site is the
need to set up your own equipment, load software and data, and make all
internet and phone connections.
• Disaster recovery warm sites: Warm sites provide not only space but also
the equipment you need to continue operations. However, you would need
to load or restore your data to the system. This type of site relies on backups
for recovery. In the past, the use of tape-based backups meant it might take
days to recover from a disaster. When tape-based backup is replaced by
electronic vaulting—the transfer of data by electronic means to a backup
site—recovery times are near those for hot sites but at a fraction of the cost.
• Disaster recovery hot sites: It is essential that financial institutions retain
the trust of the public in times of crisis by minimizing disruption to services.
Therefore, they use hot sites as the basis for their disaster recovery system.
A hot site is a duplicate of the original site, with full computer systems and
near-complete backups of user data. This is the most expensive option.

Backup as a Service (BaaS) and Disaster Recovery as a Service (DRaaS)

Cloud-based backup and disaster recovery services are increasingly popular options to meet
the need for data protection in a way that reduces the cost of infrastructure, business pro-
cesses, and other applications.
Backup as a service (BaaS) is “an approach to backing up data that involves purchasing
backup and recovery services from an online data backup provider.”22 Disaster recovery as
a service (DRaaS) is “the replication and hosting of physical or virtual servers by a third
party to provide failover in the event of a man-made or natural catastrophe”23 The two
terms are not synonymous. Backup is a copy of your data replicated to another device or
location—e.g., a tape drive also on premise or a server at another location. You may have
your data, which could be restored if you had your entire system in place. But in the event
of a disaster, you’d still have to replace your server, re-install your software and data, and
reconfigure the system with your settings and preferences. This could take hours or days.
Cloud-based disaster recovery services began to appear in 2009, and by 2017 DRaaS
was a mainstream offering. In 2017, Gartner recognized twenty-four providers that meet
the criteria set for DRaaS. Among the leaders were IBM, Sungard Availability Services, In-
frascale, Iland, and Recovery Point.24 Among the critical capabilities evaluated were the
provider’s industry-related credentials and security features.
As with any third-party service providers, you should select a DRaaS vendor that pro-
vides service level agreements that meet your needs at an acceptable risk level. Questions
to ask include:

• Will the organization’s data be held within the organization’s desired

geographic boundary?
2 38 / CH AP T ER 8

• Is the data being backed up by the cloud provider to another system for
redundancy?
• Is the physical location of the alternate system acceptable?
• Can the data be restored within an acceptable time frame?
• Does the provider meet the organization’s security standards and allow for
periodic facility audits by the customer?
• Does the service provider’s network meet the organization’s network
requirements related to issues such as compatibility of architecture and
bandwidth capabilities?
• Can the service provider offer uninterrupted access to the organization’s
data?
• How easily and at what cost can you move your data to another cloud
provider if you are dissatisfied with its services or a change in its policies?

Although businesses look to cloud-based disaster recovery services to reduce costs that
would be incurred with other options, it is essential to understand how the organization
will be billed for storage and disaster recovery services. Consideration must be given to the
ways in which vital records are handled, for example, stored in a separate location from
the organization’s other records and the records of other organizations. If the multi-tenant
nature of the public cloud poses an unacceptable risk, the organization may want to con-
sider the use of a private cloud.

Integrating Mobile Devices into the Disaster Recovery Plan

Business-critical information may exist on mobile devices. The following steps will help the
organization incorporate mobile devices into the disaster recovery plan:

• Inventory the mobile devices. (Where are they? To whom are they
assigned? Do employees use personal mobile devices to conduct business?)
• Determine the importance of the mobile device data and applications. (Do
they contain business-critical data?)
• Determine how quickly you can recover from a disaster. (What steps can be
taken before and after an event to prevent data loss?)

Records managers are responsible for including records that may be stored on mobile
devices in their records management programs. IT is responsible for information protec-
tion and data recovery. Although most devices will be used to run applications that collect
data to be transmitted back to a central server, it is important to plan for cases in which
sensitive data does exist on a lost or stolen mobile device.
Several tools are available to protect sensitive data on mobile devices by providing a
device lock, enhanced passwords, and a device wipe that can be used by the organization
to remotely delete all data on the device and removable storage cards. Recovery will take
less time if the organization standardizes mobile devices and has a replacement plan in the
event of a wide-scale hardware failure. Upper management will need to be aware of the
necessity of standards and support the replacement plan.
 V I TAL ( E S SEN TIAL ) R EC OR DS, DIS A STER PR E PAR E DN E S S AN D R E C OV E R Y, AN D BUSI N E S S C ON TI N U I T Y / 239

Disaster Recovery Policies and Plans

Organizations, both public and private, have a responsibility to employees, partners, cus-
tomers, and other stakeholders to improve their disaster recovery capabilities. The tactical
decisions addressed previously must be performed within an overall disaster recovery pol-
icy framework. The governing policy statement should include, at a minimum, the follow-
ing instructions:

• The organization should have a comprehensive disaster recovery plan.

• A formal risk assessment should be undertaken to determine requirements
for the disaster recovery plan.
• The disaster recovery plan should be tested in a simulated environment to
ensure it can be implemented in an emergency. Two full tests per year along
with several component tests throughout the year are recommended for
electronic systems.
• The disaster recovery plan should cover all mission-critical and business-
critical activities.
• The disaster plan should be updated as necessary as part of configuration
management and change management.
• All staff must be made aware of the disaster recovery plan and their roles in
it.

The transition from paper to electronic records means that time can be saved restoring
important and useful records. Tape is still considered the dominant backup technology.
If stored off-site, information is backed up locally and transported to an off-site facility.
However, replication is becoming more popular to protect both mission-critical and busi-
ness-critical records. After tape backup, synchronous and asynchronous replication meth-
ods are favored for critical applications, whereas periodic point-in-time copies and remote
backup over a wide area network are used most often for noncritical applications and data.
Disaster recovery is often seen as the organization’s ability to recover its IT resources,
including infrastructure, databases, and applications. Disaster recovery is just one part of
the organization’s business continuity strategy.

BUSINESS CONTINUITY PLANNING

The disaster recovery plan, however well designed, does not exist in isolation. It is part
of a larger business continuity management (BCM) program that is most effective when
grounded in generally accepted standards and built to meet the business’s objectives. Busi-
ness continuity (BC) is the strategic and tactical capability of the organization to plan for
and respond to incidents and business disruptions to continue business operations at an
acceptable predefined level.25 The Business Continuity Institute provides a broad defini-
tion of vital records as any information, documents, or data deemed essential for recovery
from a disaster or major incident. The protection and recovery of essential records is a
required component of a business continuity plan. The vital records schedule is an impor-
tant resource for those preparing this plan.
Various standards and legislation relate to business continuity management. The Brit-
ish Standards Institution (BSI) produced a two-part standard, BS 25999-1:2006 Business
24 0 / CH AP T ER 8

Continuity Management: Code of Practice and BS 25999-2:2007: Business Continuity Man-

agement: Specification.26 In 2010, the American National Standards Institute (ANSI) ap-
proved the ASIS/BSI BCM.01-2010: Business Continuity Management Systems: Requirements
with Guidance for Use standard, a standard that shares the core of BS 25999 while reflecting
the differences between the infrastructures, systems, and terminology of the United King-
dom and the United States.27 In June 2012, ISO 22313:2012, Societal security—Business conti-
nuity management systems—Requirements, was released. This standard provides a framework
for planning, establishing, implementing, operating, monitoring, reviewing, maintaining,
and continually improving a business continuity management system (BCMS).28

Business Continuity Management Lifecycle

The business continuity management lifecycle depicted in figure 8.9 is comprised of four
phases: analysis, solution design, development and implementation, and exercise, mainte-
nance, and review. The cycle should be repeated at predetermined intervals to ensure that
it remains current.

Phase 1: Analysis
The analysis phase of the business continuity management lifecycle represents a business
impact analysis (BIA) designed to prioritize business functions by assessing the potential
impacts that might result if an organization were to experience a business interruption. A
risk analysis is an essential element of this phase.

Phase 2: Solution Design

The business continuity plan is developed during the solution design phase. Alternative busi-
ness recovery operating strategies for continuation of business within recovery time and/
or according to recovery objectives while maintaining the organization’s critical functions
are determined. Plans and procedures to communicate with internal stakeholders during
incidents are formulated and provision is made for post-incident support and guidance for
employees and their families.

Phase 3: Development and Implementation

The development and implementation phase includes developing and implementing emergency
response procedures in order to stabilize the situation following an incident. Designing,
developing, and implementing business continuity and incident management plans that
provide continuity within recovery time and/or recovery objectives takes place during this
phase.

Phase 4: Exercise, Maintenance, and Review

The exercise, maintenance, and review phase includes:

• pre-planning and coordinating the plan through walk-throughs and

exercises;
 V I TAL ( E S SEN TIAL ) R EC OR DS, DIS A STER PR E PAR E DN E S S AN D R E C OV E R Y, AN D BUSI N E S S C ON TI N U I T Y / 241

FIGURE 8.9 The business continuity management lifecycle.

• evaluating, updating, improving, and documenting the results of the exercises;

• developing processes to maintain the currency of continuity capabilities,
business continuity plans, and incident management plans in accordance
with the organization’s strategic direction;
• establishing policies and procedures for coordinating incidents, continuity,
and restoration activities with external agencies while ensuring compliance
with applicable statutes and/or regulations; and
• practical experience in dealing with external agencies.
Many resources exist to help you with your disaster recovery and business continuity
plans, including standards documents such as NFPA 1600: Standard on Disaster/Emergency
Management and Business Continuity Programs, 2016 edition.29 This standard establishes a
common set of criteria for disaster/emergency management and business continuity pro-
grams. The 2016 edition was expanded to emphasize the importance of leadership and com-
mitment and includes new requirements for records management. The standard calls for
the development of a records management program, as well as policies created, approved,
and enforced to address records classification, confidentiality, integrity, retention, storage,
archiving, destruction, access control, and document control.

SUMMARY

Vital (essential) records protection, disaster planning, and business continuity management
are essential to the survival of an organization impacted by a major disaster. Records and
information managers have a key role to play in each of these initiatives.
242 / CH AP T ER 8

Essential records contain information required by the organization to re-create its legal
and financial status and to preserve the rights and obligations of stakeholders, including
employees, customers, investors, and citizens. These critical business records are in most
instances irreplaceable, and the organization cannot exist without them. Records managers
already responsible for inventorying and appraising records for retention purposes may
also be tasked with developing and managing a vital records program.
Disaster planning should be conducted by a committee that includes representatives
from all functional areas of the organization, with upper-management support. Because of
the volume of digital information produced, IT departments play a major role in developing
the disaster plan. A well-devised plan cannot, of course, prevent disaster, but it can serve to
mitigate loss through both protection and recovery efforts. Records managers possess the
skills and knowledge necessary to assist the organization in developing the sections of the
plan related to protection of records in both paper and digital formats and in developing the
procedures necessary to recover records affected by a disaster.
Business continuity stresses the importance of continuing business activities in spite of in-
terruptions. Some think of business continuity as synonymous with disaster recovery. But
although the two may overlap, there are key differences. A disaster plan focuses on prevent-
ing or mitigating loss due to a disaster and recovering the essential records and information
needed to continue operations after a disaster. Business continuity planning involves de-
veloping a process to ensure that critical business processes can continue in spite of any
type of interruption, including power failure, vandalism, employee theft, human error, and
work stoppages. Records managers can contribute to business continuity planning because
of their familiarity not only with essential records but also with essential business opera-
tions that require records that must be available during a critical event.
Taking steps to protect essential records and to resume operations after a major disas-
ter is required for an organization’s survival. Organizations today recognize the value of
data as a business asset that must be protected. One option is to utilize Backup as a Service
(BaaS) to store a copy of the organization’s data so that it can be restored if necessary. Disas-
ter Recovery as a Service (DRaaS) goes beyond backup by providing an alternative environ-
ment to sustain continuing operations.
Business continuity management is necessary to ensure continued operations to meet
legal, regulatory, and contractual obligations in the face of any disruption to business, large
or small. Records managers have unique knowledge, skills, and perspectives on the business
activities of the organization that should be tapped by the organization when developing
plans to protect essential records, recover from a disaster, and continue business opera-
tions.
Catastrophic disasters do occur that result in changes to daily operations of those or-
ganizations that are fortunate enough to resume business. But more often incidents occur
that are more local in nature that also require us to respond according to a preapproved
plan. Responding to these incidents requires a three-step approach: Activation (of the right
plan), Assessment (of the scope of the incident), and Recovery (from the incident).
In her contribution to this chapter, Helen Nelson, Head of Emergency Preparedness
for Britain’s Wirral University Teaching Hospital National Health Service (NHS) Founda-
tion Trust, shares a case study based on her report of an incident in which electricity was
disrupted for the better part of one day and required implementation of their emergency
response. Two primary goals were apparent: caring for patients and resuming normal busi-
ness operations. Note the need for paper-based procedures and future data-entry tasks as a
result of IT downtime.
 V I TAL ( E S SEN TIAL ) R EC OR DS, DIS A STER PR E PAR E DN E S S AN D R E C OV E R Y, AN D BUSI N E S S C ON TI N U I T Y / 24 3

PA R A D I G M

Wirral University Teaching Hospital

NHS Foundation Trust Utility Disruption

Helen Nelson
Head of Emergency Preparedness
Wirral University Teaching Hospital, National Health Service Foundation Trust

What Happened?
On a Thursday morning the hospital suffered a power main failure in its internal electrical
supply. Emergency power, supplied by generators, remained, but the hospital was unable
to accept elective or emergency patients. Engineers were called to the site and the supply
was restored. The power was stabilized in early evening the same day.

Action Taken
The on-call structure was alerted. Command and control was put in place and an initial
meeting held. The battle rhythm for the briefing meetings was set for hourly.
The High Voltage (HV) engineers (contractors) had been called to assist the internal
HV Authorized Engineers and it was anticipated that a four-hour downtime was required
to locate the fault.
All outpatient appointments were cancelled for the day. Patients scheduled for surgery
were cancelled. Two patients who had been anaesthetized in operating rooms awoke with-
out having had their procedures. Theatre and endoscopy procedures that were in progress
were to be completed, but no new cases were begun. No harm came to any of the patients.
A full ambulance diversion was put in place with patients being diverted to the other
local hospitals. The Emergency Department (ED) was also closed to walk-ins. All relevant
partners were contacted and informed.

Lessons Identified
A number of lessons were identified:
1. All staff need to be aware which equipment and areas are connected to
emergency power supplies. There should be a process for confirming that
equipment is appropriately connected and which equipment is connected to the
nonessential electrical supply.
2. All staff need an awareness of IT downtime processes and paper-based
procedures to be implemented should a power outage occur. Ownership and
maintenance of paper-based downtime packs need to be clear.
3. Regular communication with staff (including contractors) is very important and
should be maintained as part of the communications strategy, even without
electricity. This should include when the end to the incident is declared and
business as usual is resumed.
24 4 / CH AP T ER 8

4. Entering data back onto an IT system following downtime must be included in the
downtime plan.
5. Communication with external partners is important so that they understand the
implications of the incident on the organization’s ability to deliver services.
6. Emergency kits that include items such as torches and batteries are useful on
wards, but ownership and maintenance need to be clear.
7. A review of what is plugged in and working when only emergency power is
available can help to free up plug sockets if some equipment is not needed at any
particular point in time.
8. Support from the ambulance service provider is important to manage flow into
and from the hospital.
9. Doors, which are usually locked, fail-safe (i.e., remain open) without electricity.
Some of these are required to have manned checkpoints established.
10. Those managing the incident need to be relieved of other duties so they can focus
on the task in hand. They also need to be appropriately supported in the Incident
Control Center (ICC).

Note: Further case studies can be found online (https://www.england.nhs.uk/). All organi-
zations within the National Health Service (NHS) are encouraged to share what they have
learned from incidents in order to reduce their impact elsewhere in the NHS and improve
service resilience.

NOTES
1. ARMA International, s.v. “business continuity plan,” Glossary of Records and Information
Governance Terms, 5th ed. (Overland, KS: ARMA International, 2016), 7.
2. ARMA International, s.v. “disaster recovery plan,” Glossary, 16.
3. Amy Van Artsdalen, “How to Develop a Vital Records Program Project Plan,” Information
Management 51, no. 6 (November/December 2017): 33–37.
4. Justia.com, “Management of Vital Records,” US Law, 36 CFR § 1236.20 (1995),
http://law.justia .com/cfr/title36/36–3.0.10.2.17.html.
5. Willie Mata, “Data Loss Statistics That Will Make You Think Twice About Business Continuity,”
Center Technologies, May 18, 2015, https://centretechnologies.com/data-loss-statistics-that-will
-make-you-think-twice-about-business-continuity/.
6. Megan Molteni, “Harvey Evacuees Leave Their Belongings—and Health Records—Behind,” Wired,
September 1, 2017, https://www.wired.com/story/harvey-evacuees-leave-their-belongings-and
-health-records-behind/.
7. Gina Marie Stevens, Hurricane Katrina: HIPAA Privacy and Electronic Health Records
of Evacuees, Congressional Research Service (CRS) Report for Congress, RS22310,
updated January 23, 2007, 1, http://library.ahima.org/xpedio/groups/public/documents/
government/bok1_034961.pdf.
8. Stevens, Hurricane Katrina; Molteni, “Harvey Evacuees.”
9. HealthIT.gov., “Patient Unified Lookup System for Emergencies (PULSE),”
accessed December 2, 2017, https://www.healthit.gov/techlab/ipg/node/4/submission/1801.
10. Justia.com, “Management of Vital Records.”
11. ARMA International, Vital Records, ANSI/ARMA, TR29–2017 (Overland Park, KS:
ARMA International, 2017).
12. Ibid.
 V I TAL ( E S SEN TIAL ) R EC OR DS, DIS A STER PR E PAR E DN E S S AN D R E C OV E R Y, AN D BUSI N E S S C ON TI N U I T Y / 24 5

13. “Disaster Preparedness, Response and Recovery—Advice and Resources,” Washington State
Archives, accessed December 3, 2017, https://www.sos.wa.gov/archives/RecordsManagement/
DisasterPreparednessandRecovery.aspx.
14. Ibid.
15. William Saffady, Records and Information Management: Fundamentals of Professional Practice, 3rd
ed. (Overland Park, KS: ARMA International, 2016), 172.
16. “Vital Records,” Records Management Services, University of Washington, accessed December 3,
2017, https://finance.uw.edu/recmgt/vitalrecords.
17. Iron Mountain, “Important Versus Vital Records: The Magic 5% You Can’t Live Without,”
Executive Summary, accessed April 17, 2018, www.ironmountain.com/resources/whitepapers/i/
important-versus-vital-records-the-magic-5-you-cant-live-without.
18. National Fire Protection Association (NFPA), NFPA 232: Standard for the Protection of Records,
2017 ed. (Quincy, MA: NFPA, 2017). www.nfpa.org/codes-and-standards/all-codes-and-standards/
list-of-codes-and-standards/detail?code=232.
19. Electronic Records Management Software Applications Design Criteria Standard, April 25, 2007,
http://jitc.fhu.disa.mil/projects/rma/downloads/p50152stdapr07.pdf.
20. OFB-EZ—Business Continuity Planning, Insurance Institute for Business and Home Safety,
accessed December 3, 2017, http://disastersafety.org/ibhs-business-protection/
ofb-ez-business-continuity/.
21. Jan Stafford, “Lessons Learned from 9-11: Disaster Recovery Dos and Don’ts,” TechTarget,
December 5, 2001, http://searchwindowsserver.techtarget.com/news/784938/Lessons-learned
-from-9-11-Disaster-recovery-dos-and-donts.
22. TechTarget, s.v. “backup as a service (BaaS),” accessed December 15, 2017,
http://searchdatabackup.techtarget.com/definition/backup-as-a-service-BaaS.
23. TechTarget, s.v. “disaster recovery as a service (DRaaS),” accessed December 3, 2017,
http://searchdisasterrecovery.techtarget.com/definition/disaster-recovery-as-a-service-DRaaS.
24. Ron Blair and Mark Thomas Jaggers, “Magic Quadrant for Disaster Recovery as a Service,” Gartner,
June 19, 2017, www.gartner.com/doc/3746618/magic-quadrant-disaster-recovery-service.
25. Business Continuity Institute, s.v. “business continuity,” Glossary of Business Continuity Terms,
updated April 13, 2017,. https://www.drj.com/downloads/drj_glossary.pdf.
26. British Standards Institution (BSI), BS 25999–1:2006 Business Continuity Management:
Code of Practice (London: British Standards Institution, 2006).
27. American National Standards Institute (ANSI), ASIS/BSI BCM.01–2010: Business Continuity
Management Systems: Requirements with Guidance for Use (New York: ANSI, 2010).
28. International Organization for Standardization (ISO), ISO 22313:2012 Societal Security—
Business continuity management systems—Guidance (Geneva, Switzerland: ISO, 2012).
29. National Fire Protection Association (NFPA), NFPA 1600: Standard on Disaster/Emergency
Management and Business Continuity/Continuity of Operations Programs (Quincy, MA: NFPA,
2016).
 CHAPTER 9

Monitoring, Auditing,
and Risk Management

INTRODUCTION

Today’s records and information management professionals must know how to monitor
the performance of employees as well as the performance of the records management pro-
gram. They must understand the auditing process and be able to assist with internal and
external audits. And they must be in a position to identify and analyze records and informa-
tion risks—including those posed by new technology, cloud computing, contracts with third
parties, e-discovery requests, and Freedom of Information requests—and make recommen-
dations to manage them.

MONITORING THE MANAGEMENT OF RECORDS

In chapter 2, you learned that records management programs are undertaken with spe-
cific objectives in mind, including providing effective control, appropriate security, and
management of the creation, maintenance, use, and disposition of all records within the
organization. Monitoring is a process conducted by departmental staff and may involve the
internal audit or compliance department to uncover fraud and abuse, measure progress
toward goals, and identify the need for an audit. Monitoring includes conducting analyses
and making adjustments accordingly. Organizations generally conduct two types of mon-
itoring activities to understand how well the program is performing and to identify areas
that need attention: performance monitoring and compliance monitoring.

Performance Monitoring

Performance monitoring is conducted to measure performance and provide ongoing feed-

back to employees and workgroups on their progress toward reaching their goals. It is a
continuous process that involves developing criteria, conducting interviews, and examin-
ing documentation to determine whether a process is efficient and effective. In addition to
monitoring the performance of individuals, performance monitoring can include monitoring
overall performance of the records management program, effectiveness of the records man-
agement process, efficiency of records management systems, and strength of the organiza-
tion’s capacity to support records management. The development of a performance mon-
itoring program involves identifying actions to be taken during each stage of the process
shown in figure 9.1.

/ 247 /
24 8 / CH AP T ER 9

FIGURE 9.1 Steps in the performance monitoring process.

SOURCE: Adapted from Stage Records Authority of New South Wales, “Monitoring Recordkeeping Performance,” accessed
December 19, 2017, https://www.records.nsw.gov.au/recordkeeping/advice/monitoring/recordkeeping-performance..

Performance measurements are based on predetermined internal or external criteria.

Industry benchmarks are often used to compare an organization’s performance to that of
industry leaders. Individual employees can also be rated based on their performance over
time or among other employees. Employee performance plans with accompanying rating
systems are used as a basis for pay increases and retrenchment decisions.
Some organizations provide incentives to motivate employees and teams to excel. An
employee pay raise is an example of an individual reward. Other rewards can be in the form
of an informal or formal thank-you—a pizza party, a bonus, or time off.
Recognizing excellence is an effective way to honor those who have contributed to a
superior records management program. In 2016, the Utah State Division of Archives and
Records Service presented the Excellence in Information Governance Award to Colleen
Mulvey, the city’s recorder, for her leadership in developing the city’s records management
program. Specifically, Mulvey was recognized for:

• implementing a variety of methods to ensure accurate, manageable, and

innovative preservation of the city’s records
• establishing agency-wide training to educate staff on the importance of
proper records management
• actively engaging in professional development and sharing experiences with
colleagues1

Monitoring is an essential component in measuring employee and organization progress

toward goals so that appropriate feedback can be given, corrective action can be taken, and
 MON I TO R I N G , AU DI TI N G , AN D R ISK MAN AG E M E N T / 24 9

informal and formal rewards can be granted for meeting standards of excellence. Monitoring
can also be used to gauge the organization’s ability to comply with internal policies and
standards as well as external standards, laws, and regulations.

Compliance Monitoring Using Self-Assessments

Compliance monitoring can include targeted assessments of recordkeeping based on the

identification of a business issue or problem. One way to measure progress is by conducting
an initial evaluation and then using that as a baseline for future studies. In large public and
private organizations, self-evaluations may be the most efficient way to gather data. In 2009,
the US National Archives and Records Administration (NARA) implemented a mandatory
self-assessment process for all federal agencies that required the agencies to complete and
return a survey form. The main focus of the 2009 records management self-assessment
(RMSA) was email because of the widespread public interest in this topic.2 Four additional
topics were evaluated: program management, records disposition, vital records, and elec-
tronic records. Over 90 percent of the federal agencies responded to the self-assessment, and
the responses indicated that 79 percent of those agencies were at high to moderate risk of
compromising the integrity, authenticity, and reliability of their records.
In 2010, NARA conducted a second RMSA.3 The report released in May 2011 revealed
that 95 percent of the 251 respondents were at high to moderate risk of comprising the
integrity, authenticity, and reliability of their records. In 2010, there were fewer agencies
considered low risk with regard to their compliance with federal records management
regulations and policies than in 2009, possibly because the survey instrument was re-
vised by increasing the nature and number of questions. Therefore, NARA determined
the responses to the 2010 survey would be used as the new baseline for future annual
self-assessments.
The special topic area in the 2010 survey was training, where the findings indicated:

• a widespread dearth of formal training for staff (and contractors) at all

levels;
• training that slights or neglects important records management topics,
including vital records; and
• a lack of effective and long-term evaluation mechanisms.

The RMSA was issued separately through 2016. As of 2017, the RMSA report was consol-
idated with the Senior Agency Officials for Records Management Report and the Federal
Email Management Report and published as the “Federal Agency Records Management
2016 Annual Report.” The results of the 2016 RMSAs revealed the good news that 45 per-
cent of agencies scored in the low risk category, compared to 5 percent in 2010. The report
also revealed that printing and filing email declined from 75 percent in 2013 to 46 percent
in 2016.4
As with private organizations, it helps when high-level government officials provide
support for records management improvements. On November 28, 2011, President Barack
Obama took steps to improve the management of federal records by issuing a presidential
memorandum directing agencies to move into a digital-based recordkeeping system. Con-
tinuing the transformation from physical to digital recordkeeping, the 2018–2022 NARA
Strategic Plan includes several relevant objectives, such as:
25 0 / CH AP T ER 9

1. By FY 2024, NARA will digitize 500 million pages of records and make them
available online through the National Archives Catalog.
2. By FY 2020, NARA will have policies and processes in place to support
Federal agencies’ transition to fully electronic recordkeeping.
3. By December 31, 2022, NARA will, to the fullest extent possible, no longer
accept transfers of permanent or temporary records in analog formats
and will accept records only in electronic format and with appropriate
metadata.
4. By FY 2020, NARA will have a career development program in place to
support NARA’s transition to electronic records.5

The federal government is not the only sector facing compliance challenges. Let’s turn our
attention to issues confronting two other industries.

Compliance Monitoring and Laws and Regulations

Compliance officers are often employed by organizations to ensure that programs are in
line with federal and state regulations, as well as industry-specific regulations, such as the
Health Insurance Portability and Accountability Act, the Health Information Technology
for Economic and Clinical Health Act, the Financial Regulatory Authority, and the Sar-
banes-Oxley Act. Organizations may rely on records management personnel to conduct
internal reviews, which can help prepare the organization for formal external audits.

Health Insurance Portability and Accountability Act (HIPAA)

One goal of the Health Insurance Portability and Accountability Act (HIPAA) is to protect
patients’ privacy. The privacy rule of HIPAA protects personally identifiable information
(PII) as it moves through the healthcare system. Healthcare organizations, including pro-
viders, payers, and clearinghouses, must comply with the privacy rule. HIPAA security
standards were developed to help organizations protect PII. The implementation of admin-
istrative, physical, and technical safeguards—such as access controls, auditing controls, and
workstation security—are necessary to protect PII.
A classic example of the violation of an individual’s HIPAA-protected medical informa-
tion involves a well-known actor, George Clooney. In 2007, he and his girlfriend were riding
their motorcycle when a car hit them. They were hospitalized briefly at Palisades Medical
Center in North Bergen, New Jersey. According to the Associated Press, as many as twen-
ty-seven hospital employees were not only tempted to look at the actor’s medical informa-
tion but some even tried to sell the records to the tabloids. How do we know? A routine
internal records management audit for HIPAA compliance conducted by the hospital’s rec-
ords management personnel uncovered the violation.6 Those actions resulted in the sus-
pension without pay of dozens of medical personnel. Records managers uncovered lapses
in records management practices that resulted in changes to prevent future federal statute
violations, and they emerged from this situation as the heroes rather than the scapegoats.

Health Information Technology for Economic and Clinical Health Act (HITECH)

In 2009, the Health Information Technology for Economic and Clinical Health Act
(HITECH) provisions of the Economic Stimulus Act expanded HIPAA regulations to include
 MON I TO R I N G , AU DI TI N G , AN D R ISK MAN AG E M E N T / 251

mandatory breach notifications, heightened enforcement, expanded patients’ rights, and

increased penalties of up to $50,000 for each violation and up to $1.5 million per calendar
year.
In January 2017, the Children’s Medical Center of Dallas (Children’s) was penalized
$3.217 million by the US Department of Health and Human Services for its impermissi-
ble disclosure of unsecured electronic protected health information (ePHI) and non-com-
pliance with multiple standards of the HIPAA Security Rule. The penalty was based on a
2009 loss of an unencrypted, non-password protected BlackBerry device at the Dallas/Fort
Worth International Airport containing data on 3,800 individuals and a loss of a second un-
encrypted laptop from Children’s premises in April 2013 containing data on 2,462 individ-
uals. The issue was the failure of Children’s to deploy encryption or an equivalent measure
on all company laptops, workstations, mobile devices, and removable storage media.7
Today, encryption issues involve not only data stored within the enterprise but also
data stored in the cloud and while in transit between the two. An analysis of encryption
controls offered by over 12,000 cloud providers revealed that while 81.8 percent of cloud
service providers encrypt data in transit from the user to the cloud, only 9.4 percent en-
crypt data at rest in the cloud. File sharing services account for 39 percent of all company
data uploaded to the cloud, and 34 percent of those have uploaded sensitive information
including personal health information (PHI).8 Third-party technologies that encrypt cloud
data both at rest and in transit should be employed to enhance security and privacy.

Managing the Compliance Process

The best approach to managing compliance is to establish an intelligent information gover-
nance process—one supported by enabling technology. A number of vendors offer software
and services to assist organizations with the compliance process.
Some solutions providers take a holistic approach by offering integrated governance,
risk, and compliance (GRC) technology. Allgress (https://allgress.com/) is one provider that
offers a multimodular, integrated solution for enterprises of all sizes. Allgress’ Insight Risk
Management platform provides risk oversights in real time and continuous monitoring
with actionable insights. The company also offers ComplianceVision, an automated compli-
ance solution within the AWS Cloud.
Some companies offer limited, specific compliance solutions as part of their products
and services. For example, Google Vault is a web-based archiving and records management
solution that can be purchased on its own for a fee but is included with the GSuite Enter-
prise or Business or Education edition. Google Vault allows organizations to retain, archive,
search, and export email, Hangout chat messages, Google Groups, and Files in Google Drive
and Team Drives in response to e-discovery and compliance requests. Retention rules can
be used to specify how long data are retained before being deleted from user accounts and
Google Systems.9
Technology to accomplish your goals will continue to evolve and new solutions will be
available to you. In order to select the right product or service, keep in mind the following
six critical compliance needs:

• centrally controlled document access management

• document classification policy management
• retention policy management
• destruction and disposition policy management
252 / CH AP T ER 9

Risk Culture
Risk culture is a term describing the values, beliefs, knowledge, attitudes, and
understanding about risk shared by a group of people with a common purpose. This
applies to all organizations—including private companies, public bodies, governments,
and not-for-profits.
SOURCE: Institute of Risk Management, accessed December 21, 2017,
https://www.theirm.org/knowledge-and-resources/thought-leadership/risk-culture.aspx.

• legal hold management

• metadata generation and management

If you are responsible for records management programs at your organization, you should
be familiar with available products and services so you can discuss these options with oth-
ers involved with compliance issues, such as the information technology (IT) and legal
departments. The cost of such products or services can be minor compared to potential
losses incurred due to fines, penalties, and loss of reputation related to poor recordkeeping
practices.
Thomson Reuters is a firm that offers Compliance Management products and services
for firms worldwide. Its Regulatory Intelligence solution covers 750 regulatory bodies across
the globe and more than 2,500 collections of regulatory and legislative materials. Regulatory
Intelligence Feeds automate the flow of information extracted from the regulatory database
to the organization for immediate review and implementation when changes occur. Tech-
nology is essential, but one of the topics we must not ignore when discussing regulatory
compliance is the impact of culture (including ethics and integrity) on conduct risk. The

Conduct Risk
A standard definition has yet to be agreed upon, but the following two examples share
a common theme—fair treatment to others:

• Conduct Risk is the “intentional or negligent actions of employees or

agents that may lead to negative outcomes for customers, clients and
markets.”*
• “Conduct Risk is the risk that arises as a result of how businesses and
employees conduct themselves, particularly in relation to their clients and
competitors.Ӡ

* Citi, “Conduct, Culture, and Governance,” accessed December 21, 2017, www.citigroup.com/citi/about/
citizenship/download/2015/global/2015-citi-global-citizenship-factsheet-conduct-culture-governance-en.pdf.
† Risk.net, “Top 10 Operational Risks for 2016,” accessed December 21, 2017, https://www.risk.net/
risk-management/2441306/top-10-operational-risks-2016.
 MON I TO R I N G , AU DI TI N G , AN D R ISK MAN AG E M E N T / 25 3

results of a study conducted by Thompson Reuters revealed that 68 percent of the par-
ticipating firms had a working definition for “conduct risk,” but 87 percent believed that
regulatory focus on culture and/or conduct risk would increase personal liability of senior
managers.10

AUDITING THE RECORDS MANAGEMENT PROGRAM

Auditing is a formal review governed by professional standards that includes:

• completion by professionals independent of the operation under review;

• a structured approach that includes planning, sampling, testing, and
validating; and
• formal communication with recommendations, followed by corrective
actions and documented follow-up of those corrective actions.

Over time, organizations will be subject to different types of audits, including compliance
audits and operational (program) audits.

Records Management Program Audits

Program audits are systematic studies conducted to assess how well a program or operation
is working. Similar to performance monitoring but more formal, program audits are used to
assess either achievement or progress toward a goal. The audits can be used to monitor an
entire program or one portion of it, for example, electronic records management. The audit
can evaluate not only practices but also systems, technologies, and facilities.
An audit could be conducted by an internal official of the organization, such as the
director of internal audits or chief compliance officer. It could also be conducted by an
outside auditor. In either case, the audit results would be formally communicated to the
appropriate high-level executive or board of directors. The data gathered must be evaluated
in order to identify if and where problems exist. The results should indicate if the records
are complete and if security breaches were identified. Policies and procedures should be
modified as necessary based upon the findings.

Auditing Procedures

To prepare for an upcoming audit, it is necessary to understand the audit process. Three
phases of the audit are planning, conducting, and reporting the findings:

• Planning the audit: The audit plan is a description of the expected scope
and conduct of the audit with sufficient detail to guide the development of
the audit program. Auditors meet with management to discuss plans for the
audit process and to discover specific risks to the organization to be given
special attention by the auditors. To prepare for the meeting, management
should uncover areas of concern, such as issues related to email or social
media use.
25 4 / CH AP T ER 9

• Conducting the audit: Auditors will conduct fieldwork by meeting with

employees (including management) responsible for handling sensitive
records to ensure they are following standard operating procedures. In order
to assure maximum coordination of staff time and availability of records,
audit visits should be prepared for as soon as notification is received.
• Reporting the findings of the audit: An audit report is completed after
the fieldwork has been conducted and the auditors have identified areas
of weakness related to government regulations and/or standard operating
procedures. The auditors then meet with management to discuss the results
and may recommend scheduling a remedial audit in the future to see if the
weaknesses have been remedied.

Auditing against a Standard, ISO 15489-1: 2016

An audit must be conducted against some type of measure, and an assessment tool must
be acquired or developed. For example, an external audit could be conducted to determine
compliance with the ISO 15489-1:2016.11
In addition to a section on principles for managing records, ISO 15489-1:2016 contains five
major areas in which an organization could be evaluated:

• records and records systems

• policies and responsibilities
• appraisal
• records controls
• processes for creating, capturing, and managing records

The relevant requirements of ISO 15489-1:2016 could be turned into a series of questions
used as a checklist or audit assessment tool. Unlike ISO 15498-1:2001, which had a section
on Regulatory Environment, the 2016 version subsumes regulations under the section on
Appraisal and disperses references to the regulatory environment throughout the standard.

Auditing the Regulatory Environment

To begin our analysis of ISO 15489-1:2016 as related to regulations and the regulatory envi-
ronment, we find that the fourth of five principles for managing records (Section 4.d.) reads:

. . . decisions regarding the creation, capture and management of records are based on
the analysis and risk assessment of business activities, in their business, legal, regula-
tory and societal contexts.

That quote indicates that whenever records are created, captured, or managed, the reg-
ulatory environment must be considered. Section 4.d. also refers the reader to Clause 7,
Appraisal.
Section 5.3.2.3 on compliance for records systems specifies that records systems should
be managed in compliance with requirements—including those from the regulatory envi-
ronment. In addition, compliance with the requirements should be regularly assessed and
records of those assessments retained. From Sections 4 and 5 alone, four questions that
could be used as a basis for an audit arise:
 MON I TO R I N G , AU DI TI N G , AN D R ISK MAN AG E M E N T / 25 5

1. Are regulations considered when making decisions about records creation,

capture, and management?
2. Are records managed in compliance with regulatory requirements?
3. Is compliance with the regulatory environment regularly assessed?
4. Are records of such assessments retained?

In addition, Section 6.2 states that policies should define where mandates (including regu-
lations) and best practices affect the creation, capture, or management of records, so a fifth
question could be:

5. Does the organization’s records management policy include reference to

regulations that affect the creation and capture or management of records?

The regulatory environment is not restricted to federal, state, or local regulations. As

explained in the first edition of ISO 15489-1, the regulatory environment consists of:

• statute and case laws, and regulations governing the sector-specific and
general business environment, including laws and regulations relating
specifically to records, archives, access, privacy, evidence, electronic
commerce, data protection, and information;
• mandatory standards of practice;
• voluntary codes of best practice;
• voluntary codes of conduct and ethics; and
• identifiable expectations of the community about what is acceptable
behavior for the specific sector or organization.12

To prepare for an audit on compliance with the regulatory environment, the organization
should determine if they are meeting the obligations outlined in the standard. In addi-
tion, the audit assessment tool might ask questions about systems, security, metadata, and
more.
An auditor would expect to see not only positive responses to the questions but also
evidence to support those positive responses. ISO 15489-1 is a general records management
standard with requirements that apply across industries. But, as with compliance monitor-
ing, organizations facing compliance audits must understand their industry-specific regu-
latory obligations.

Industry-Specific Audits: Higher Education

The higher education sector is responsible for complying with a complex legal and regula-
tory environment relating to privacy and security. Just as in the healthcare industry, higher
education institutions must address compliance activities around the HIPAA, including
developing policies and procedures and training for handling information about patients
and research subjects.
In addition, higher education institutions must address the Family Educational Rights
and Privacy Act of 1974 (FERPA).13 Postsecondary officials must notify students of their
FERPA rights, provide tools for students to consent to online and offline sharing of records
and to opt out of sharing directory information, and provide training to faculty and staff on
the appropriate uses of student records.14
25 6 / CH AP T ER 9

A 2017 study revealed that the average cost of each record compromised in US educa-
tion organizations is $245—$25 higher than the average cost per record for all US organiza-
tions. It was found that one of the contributors to the higher cost is that mobile platforms
are used more extensively in education. This increases the cost of each comprised record by
an average of $6.50.15 It is important to remember that compliance does not equal security.
Even fully compliant institutions run the risk of potential data breaches, which can be
quite costly.

Industry-Specific Audits: Transportation

SoundTransit plans, builds, and operates express bus, light rail, and commuter train ser-
vices in the state of Washington. It is one of the most scrutinized public agencies in the
state. It is accountable to a fifteen-member volunteer Citizen Oversight Panel, an indepen-
dent fifteen-member Diversity Oversight Committee, and the US Department of Transpor-
tation. SoundTransit defines public records as any information created or received to sup-
port its decisions, actions, operations, or business transactions. The 2016 “Internal Audit
Report, Records Management Program,” conducted by the Washington State Internal Audit
Division, revealed the following goals for the records management program: (1) compliance
with the Revised Code of Washington (RCW) and (2) management of an ever-increasing
amount of digital and physical records and responsiveness to an increasing number of pub-
lic information requests.16
The audit also had two objectives: (1) to determine if departments and divisions had
effective document controls to create, use, and store records during the active phase of
the records lifecycle and (2) to determine if the Records Management Division had effec-
tive controls for retaining and disposing inactive records during the archival phase. This
performance audit was conducted in accordance with the Generally Accepted Government
Auditing Standards and the International Standards for the Professional Practice of Inter-
nal Auditing. The audit process involved data analysis, documentation reviews, site visits,
and personnel interviews. Risks identified by the process included inadequate metadata
and classification scheme and lack of a records evaluation process. Recommendations were
offered to mitigate risks resulting from those deficiencies.
ARMA TR 25-2014, Auditing for Records and Information Management Program Com-
pliance, aims to encourage innovation, spur improvement, strengthen information gover-
nance efforts, and bolster compliance for all organizations. It provides advice for the im-
plementation of audits that will be useful for assessing an organization’s risk exposure and
providing opportunities for quality and performance improvement. Now, we’ll turn our
attention to the topic of risk management.

RISK MANAGEMENT

Organizations face internal and external factors and influences that make it uncertain
whether and when they will achieve their objectives. The effect this uncertainty has on an
organization’s objectives is risk. The level of risk is determined by multiplying the probability
of the event occurring (likelihood) times the level of impact (consequences) the event would have
on the organization if it did occur.
 MON I TO R I N G , AU DI TI N G , AN D R ISK MAN AG E M E N T / 25 7

Risk Management Process

ISO 31000:2009 Risk Management—Principles and Guidelines can be used to assess risk for
a wide range of activities, including processes, operations, and functions. According to ISO
31000, the risk management process includes:

• communication and consultation with internal and external stakeholders

throughout the process;
• establishing the context, including objectives, scope, and risk criteria;
• conducting the risk assessment;
• selecting and implementing the risk treatment to modify risks; and
• monitoring and reviewing the risk management process.17

Risk assessment includes risk identification, risk analysis, and risk evaluation as shown in
figure 9.2.
ISO 31000 is a general risk management standard. Additional guidance can be obtained
from publications developed specifically to evaluate and mitigate risks related to records
and information management.18
ARMA International’s publication Evaluating and Mitigating Records and Information
Risks categorizes risks into four quadrants: administrative, records control, legal/regulato-
ry, and technology.19

FIGURE 9.2 Risk assessment model.

25 8 / CH AP T ER 9

Risk Identification
The four categories into which ARMA International divides risks can be explained as fol-
lows:20

• Administrative risks are related to the management of the records and

information management program, including information governance,
change management, and emergency management. As an example,
employees may consider records they have been working on their records
rather than the organization’s. Others actually plan to steal confidential
data when leaving their jobs, with intellectual property and customer
records topping the list. The lack of a policy to secure and/or recover the
records of employees in transition—due to dismissal, retirement, transfer,
or completion of time-bound projects for the firm—could result in the loss
of valuable information. According to a 2015 survey, 87 percent of departing
employees take records with them; however, only 28 percent admitted to
taking data they had not created. The most common methods were saving
to a flash or external drive (84 percent), printing hard copies (37 percent),
loading to a shared drive (21 percent), or saving to a file synchronizing/
sharing service like Dropbox (11 percent).21
• Records control risks relate to records classification, records retention
and disposition, and records storage. As an example, in 2016, nine
Canada Revenue Agency (CRA) staff members accessed tax files without
authorization in spite of the fact that CRA spent $10.3 million on
technology to impose access control. Eight of the nine were fired. The
federal privacy commissioner’s office issued ten tips to improve situations
like this. One of them is to “proactively monitor and/or audit access logs
and other oversight tools.”22
• Legal and regulatory risks include risks arising from the failure to
institute appropriate controls over mobile devices. These risks can
arise from unauthorized physical access, malicious code, device attacks,
communication interception, and insider threats. As an example, between

I BM announced a ban on employee use of removable storage devices in all facilities

worldwide in May 2018. The reason for the ban, according to Shamla Naidoo, Chief
Information Security Officer, was the “possible financial and reputational damage from
misplaced, lost or misused removable portable storage devices.”
The ban will be disruptive for some employees; however, the firm believes the
measures are warranted to prevent massive file leaks like the one in 2013 where
hundreds of pages regarding IBM’s cloud computing technology were leaked by a
former employee. IBM is currently heavily invested in research in the areas of artificial
intelligence, quantum computing, and more and this globally enforced policy should
help protect its trade secrets.
SOURCE: Parrish, Kevin. “IBM clamps down on leaks, bans works from using external storage,”
Digital Trends, May 10, 2018.
 MON I TO R I N G , AU DI TI N G , AN D R ISK MAN AG E M E N T / 259

2013 and 2014, 22,000 smartphones and other electronic devices were left
in New York City taxicabs.23
• Technology risks are associated with information security, electronic
communications, and software applications. Records storage in the clouds
may be a panacea to some organizations striving to reduce their capital
investment in digital infrastructure and software while leveraging the
ability the cloud offers to scale up or down depending on the needs of the
enterprise. But use of the cloud can magnify the negative impact of a data
breach. For example, on April 14, 2016, a US citizen discovered that voter
registration records of 93.4 million Mexican citizens—including names,
birth dates, home addresses, ID numbers, and more—were visible on the
internet. The database was moved out of Mexico and into the United
States, contrary to Mexico’s data governance laws. The database was made
available to the public through Amazon Web Services. Both Mexican and US
authorities were notified but it took eight days to remove the database from
the public domain. In the words of Lorenzo Cordova Vianello, president of
the Mexican National Electoral Institute, “it is not just a criminal offense,
it is a national offense.”24

Risk Assessment Matrix

Once risk has been identified, it must be analyzed and evaluated. Some organizations are in
industries that are more heavily regulated than others, and they may have a lower tolerance
for certain types of risks. Risk tolerance reflects the organization’s attitude toward risk—how
much risk an organization wants or is willing to assume. The amount of risk the organization
wants to assume may or may not align with its risk capacity—what it needs to assume in
order to reach its goals. Risk capacity also reflects the amount of loss the organization can
incur and still reach its goals.
The organization can develop its own risk assessment matrix to determine the level of
risk presented by various events (see figure 9.3). The events that pose risk are slotted into
the appropriate categories depending on how likely they are to occur and the severity of
the consequences of their occurrence. Action is taken to mitigate risk based on the levels of
risk and the organization’s tolerance and capacity for risk. For example, events that result
in extreme levels of risk require immediate action, whereas those that result in low levels
of risk might be ignored. Resources are assigned to mitigate risks that negatively impact the
organization and from which it would be difficult to recover.

Risk Mitigation: Cloud Computing, Electronic Discovery,

and the Freedom of Information Act (FOIA)

Risk mitigation (i.e., risk reduction) is the systematic reduction in the extent of exposure to
a risk and/or the likelihood of its occurrence.25 A benefit of using the risk assessment matrix
is the fact that risks are categorized according to both probability and severity, and those
risks can be prioritized for the risk mitigation plan. Once administrative, records control,
legal/regulatory, and technology risks are identified and prioritized, mitigation strategies
can be identified for each risk that has a high level of adverse impact on the organization in
260 / CH AP T ER 9

FIGURE 9.3 Risk assessment matrix.

the event it occurs. The risk mitigation strategies can be incorporated into the risk manage-
ment plan as procedural guidelines or a code of practice.
Emerging technologies and new or revised laws and regulations will continue to present
challenges to the organization. The external environment must be monitored to identify
new risks that should be considered when developing the organization’s risk management
plan. The issues presented next are examples of risks introduced by today’s new technologies
and the current legal environment.

Risk Mitigation and Cloud Computing

Cloud computing presents both benefits and risks. Fortunately, guidance is available from
a number of sources. The National Archives of Australia provides guidance for government
agencies about cloud computing and information management that can be useful for public
and private organizations as well. When planning to engage a cloud service provider, agen-
cies are expected to consider a number of issues, including:

• Compliance: Does the cloud service provider comply with all applicable
laws, regulations, standards, and policies governing the government’s
records?
• Preservation: Does the cloud service provider have the ability to preserve
the business information stored and managed as long as required?
• Retention and disposal: Will the cloud service provider dispose of
information, including copies, following instructions from the agency?26

In 2016, the Checklist for Cloud Service Contracts was released by a committee of the Inter-
PARES Trust, a multinational, interdisciplinary research project, that explores issues
 MON I TO R I N G , AU DI TI N G , AN D R ISK MAN AG E M E N T / 2 61

concerning trust in digital records and data in the online environment.27 The checklist is
available for use under a Creative Commons Attribution. The eight categories are listed
below, followed by an example of a relevant question:

• Agreement: Is there an explanation of circumstances in which the services

could be suspended?
• Data ownership and use: Do you retain ownership of the data that you
store, transmit, and/or create with the cloud service?
• Availability, retrieval, and use: Are the procedures, time, and cost for
restoring your data following a service outage clearly stated?
• Data storage and preservation: Are there procedures to ensure file
integrity during transfer of your data into and out of the system
(e.g., checksums)?
• Data retention and disposition: Will your data (and all copies, including
backups) be destroyed in compliance with your data retention and
disposition schedules?
• Security, confidentiality, and privacy: Will you be notified in the case of a
security breach or system malfunction?
• Data location and cross-border data flows: Do you know where metadata
are stored and whether they are stored in the same location as your data?
• End of service—contract termination: If the contract is terminated, will
your data be transferred to you or to another provider of your choice in a
usable and interoperable format?28

The risks identified could be analyzed, prioritized, and potentially used as questions for a
self-study or audit.

Who Audits Third-Party Providers?

If you use public social media or cloud computing services, your organization is work-
ing with third-party providers. The provider must also be audited. In the United States,
when the social media provider is as large as Facebook or Google, the government takes
the responsibility for ensuring that independent audits are conducted not just to protect
information from unauthorized access (as with a security audit) but to protect information
from both authorized and unauthorized access (privacy audit).
In 2011, the Federal Trade Commission (FTC) settled with Google and Facebook after
receiving complaints of unfair and deceptive practices in the way they handled their us-
ers’ personal information. The result? Twenty years of independent audits going forward
to be paid for by Google and Facebook. Problems that are uncovered by future audits
could result in fines of $16,000 per violation per day if the FTC decides to pursue the
issues in court.29
There are times when it makes sense to conduct a self-audit and/or contract with an
independent firm to conduct an audit for you. In 2017, in response to concerns from adver-
tisers skeptical of the social network’s metrics, Facebook Inc. agreed to submit to audits by
the Media Rating Council. In this case, Facebook’s internal audits revealed some mistakes
in reporting to partners and advertisers—which could result in a loss of trust and ad reve-
nue. Audits by an independent organization will go a long way to reestablishing trust among
Facebook’s corporate customers.30
2 62 / CH AP T ER 9

Risk Management and e-Discovery and FOIA Requests

What’s the worst that can happen if you can’t respond to an e-discovery or Freedom of
Information Act (FOIA) request in a timely fashion? Formulating the response to that ques-
tion is part of the risk management process.

E-discovery and Legal Preparedness

In large firms, corporate counsel or the legal department may manage the discovery process,
but the records management team will be involved when requests are made for records
and information. Discovery is part of the pretrial litigation process during which each party
requests relevant information and documents from the other side in an attempt to dis-
cover pertinent facts. According to the Federal Rules of Civil Procedure (FRCP), electronically
stored information (ESI) is discoverable. ESI is described as “writings, drawings, graphs,
charts, photographs, sound recordings, images, and other data or data compilations—stored
in any medium from which information can be obtained either directly or, if necessary,
after translation by the responding party into a reasonably usable form.”31
E-discovery, or electronic discovery, refers to the process of locating, securing, and search-
ing ESI with the intent of using it as evidence in a civil or criminal legal case. The pertinent
rules in the revised FRCP are 16, 26, 33, 34, 35, 37, and 45.32 You were introduced to Rules
26 and 37 in chapter 2. The intent of these and additional applicable FRCP rules are shown
in table 9.1.
Complying with an e-discovery request can be time-consuming and expensive. In 2007,
for example, Microsoft reported spending an average of $20 million for e-discovery per lit-
igation. Microsoft’s records management analysis manager described e-discovery and rec-
ords management as two sides of the same coin, adding that the success of a company’s
e-discovery strategy relies on the strength of its records management function.33 At the
end of 2016, Microsoft’s legal department attributed savings of $4.5 million annually to its
use of Microsoft Office 365’s eDiscovery in the cloud features (including search tools and
advanced analytics).34
The 2015 amendments to the FRCP modified several FRCP rules, including Rule 26.
Rule 26(b)(1) increased the weight given to the scope of discovery and the concept of pro-
portionality in order to rein in the perceived excesses of the discovery process. Rule 37(e)
concerning preservation of ESI was also addressed. This issue continues to be fine-tuned be-
cause “proper preservation” often depends upon case-specific facts. Courts offer guidance
but not prescriptive solutions.35
E-discovery software and services are available from a number of vendors. Lawyers
working on behalf of the organization must understand how e-discovery software works. In
one recent case in Illinois, in a lawsuit subpoena request, a lawyer representing Wells Fargo
inadvertently turned over confidential information about thousands of bank clients. In an
affidavit, the attorney said she used an e-discovery vendor’s software to review what she
believed to be a complete set of results and marked some documents as privileged and con-
fidential. She did not realize she was using a view that showed a limited set of documents.
Therefore, she turned over documents she had not reviewed for confidentiality and priv-
ilege. In addition, she reported having flagging documents for redaction before they were
produced, but the documents were not redacted. She explained she misunderstood the role
of the vendor and may have miscoded some documents during her review.36
 MON I TO R I N G , AU DI TI N G , AN D R ISK MAN AG E M E N T / 26 3

TABLE 9.1 Sampling of FRCP rules affecting discovery

of electronically stored information.

FRCP RULE INTENT

16(b) Allows the court to establish rules around disclosure, privilege, methods and
work product prior to electronic discovery commencing.

26(a) Adds “electronically stored information” (ESI) as a separate category.

26(b) 5 Clarifies procedures when privileged ESI is inadvertently sent over to the
requesting party (retrieval of that information).

26(f) Requires all parties to sit down together before discovery begins to agree on
some form of protocol.

33 Includes ESI as part of the business records related to interrogatories.

34(b) Establishes protocols for how documents are produced to requesting parties.

35 Standardizes discovery agreements (results in an automatic reminder to

include ESI).

37(e) Provides “safe harbor” from sanctions when electronic evidence is lost and
unrecoverable as a matter of regular business processes.

37(f) Allows for sanctions against parties unwilling to participate in the 26(f)
discovery conference planning process.

45 45(c) provides protection to a person subject to a subpoena. 45(c)(2)(B)

allows such persons who are asked to produce documents, including ESI, to
file an objection to production.

During an e-discovery process, the requesting party may wish to see all documents
about a specific project or created by a specific individual. He or she will not be concerned
with the organization’s decision to declare some information a record and other information
a non-record. Therefore, the organization’s retention policy should include all information.
Adding at least one transitory record series to the schedule and applying a brief retention
period to the category provides a defensible retention category for this information. NARA’s
“General Records Schedule 5.2: Transitory and Intermediary Records” states that transito-
ry records (those of short-term value—usually less than 180 days) must be destroyed when
no longer needed for business use, or according to the agency’s predetermined time peri-
od or business rule. Intermediary records (those involved in creating a subsequent record)
must be destroyed upon verification of successful creation of the final document or file, or
when no longer needed for business use, whichever is later.37
Although an organization may not be able to control the increasing number of law-
suits, audits, and investigations it faces, it can establish guidelines and policies, employ
e-discovery software and services, address e-discovery issues when contracting with third
parties, and provide training for employees to mitigate risk to the organization and to the
individual.
264 / CH AP T ER 9

The Freedom of Information Act

The records of the government belong to the people, and the US Freedom of Information
Act (FOIA) ensures public access to US government records. Upon written request, US
agencies are required to disclose records requested unless the records can lawfully be with-
held under nine specific exemptions in the FOIA.38 In January 2009, one of the first mem-
oranda President Obama signed was on the subject of FOIA. The fundamental message
was that FOIA should be administered with a clear presumption that “in the face of doubt,
openness prevails.”39
The US Department of Justice hosts the FOIA.gov website which provides FOIA data,
including requests received, disposition of requests, and backlog. The largest number of re-
quests is for information from the Department of Homeland Security, followed by requests
to the Departments of Justice and Defense. The total requests received in 2016 by the De-
partment of Homeland Security alone were 325,780, and a backlog of 64,374 remained by
the end of the year (see figure 9.4).
The twenty-day time frame for a response is a challenge for agencies that need to lo-
cate and retrieve the documents and then review and redact sensitive information before
releasing them. This short time frame, even with one allowed extension under FOIA, makes
it difficult for some agencies to meet their obligations. States also have public records laws
that provide for a response within a set number of calendar days. Fees for copies of request-
ed documents may be charged.
There are two sides of the public records issue. Access to public information is a right,
and the government is obligated to be open and transparent, but the agency responsible to
comply with FOIA requests faces challenges, including:

• searching for, retrieving, and duplicating requested information takes time

away from activities that relate to the core mission of the agency;

FIGURE 9.4 Department of Homeland Security, FOIA requests received,

processed, and pending, fiscal year 2016.
 MON I TO R I N G , AU DI TI N G , AN D R ISK MAN AG E M E N T / 26 5

• the current staff may not be sufficient to handle the number of public
records requests, so extra staff may be required, resulting in higher payroll
costs;
• the charges allowed to be passed along to the requester may not be
sufficient to cover the expenses incurred in complying with requests;
• staff training may be needed to ensure that employees gather requested
information correctly and redact sensitive information before releasing
records to the public; and
• FOIA requests generate new records for agencies that must be managed,
including FOIA request logs, copies of forms indicating response (approval/
denial), and copies of forms indicating time and cost of information
provided.

Most countries have some version of a public records act. For example, Sweden recognized
access to information as a constitutional right in 1766, Armenia adopted its Law on Free-
dom of Information in 2003, Liberia adopted its Freedom of Information Act in 2010, and
Yemen’s parliament approved its Right to Information Bill in 2012.40
What are the consequences for the agency that does not comply with public records re-
quests in a timely manner or at all? Obviously, ill will on the part of the public is one. Orga-
nizations such as the Electronic Frontier Foundation (https://www.eff.org/) in the United
States exist to champion the public interest and provide the means for citizens to advocate
for openness and transparency. This organization often submits its own FOIA requests,
including appeals when necessary.
In the United States, if a federal agency denies a request for public information, the
requester has the right to appeal the decision to the agency. A nonresponse is treated the
same as a denial. If the appeal is not responded to within twenty working days, the requester
has the right to file a lawsuit to compel disclosure. This will result in additional work for
the agency. If a court finds in favor of the requester, it might allow the requester to recover
attorney fees and other reasonable costs incurred in filing the litigation.

SUMMARY

How do you know that you have an effective, efficient, and compliant records management
program? One way is to set objectives for your program and then monitor progress toward
those objectives. Monitoring can reveal fraud and abuse, provide spot checks on perfor-
mance, and identify the need for an audit. Performance monitoring is used to monitor the
performance of individuals as well as the overall performance of the records management
program. Compliance monitoring can determine an organization’s adherence to governing
regulations, including industry-specific laws and regulations.
Internal compliance officers or records management personnel can conduct internal
audits to gather data and to help prepare the organization for formal external audits. A
formal audit is a review conducted by professionals independent of the program being au-
dited, using a structured approach and resulting in a formal report with recommendations
for improvement.
Auditing is conducted against some type of measure, such as the records management
standard ISO 15489-1:2016, to determine compliance with the regulatory environment,
including statute and case laws and regulations governing the sector-specific and general
266 / CH AP T ER 9

business environment. Industry-specific audits reveal the extent to which the organization
complies with laws and regulations affecting that particular industry; for example, higher
education institutions must comply with the Family Educational Rights and Privacy Act
(FERPA) and SoundTransit of the State of Washington must comply with the state’s Revised
Code of Washington (RCW).
Organizations must identify sources of risk, analyze risks, and develop action plans to
mitigate those risks. A risk assessment matrix can be used to determine the level of risk and
provide data that can be used to prioritize risks. New technologies present additional risks
that must be considered, as do risks resulting from agreements with third-party providers.
E-discovery and FOIA requests also present challenges to the organization. The cost of
complying with e-discovery requests can be high, with fines and other penalties imposed
for failure to produce records requested. The inability of government to produce records
requested by the public in a timely fashion can result in ill will on the part of citizens. The
success of the organization’s ability to respond to either e-discovery or public records re-
quests relies on the strength of its records management program.
Risk management involves understanding, analyzing, and addressing risk to make sure
organizations achieve their objectives. Risk can arise from an organization’s inability to
manage its records and information in a legally defensible manner. In her contribution to
this chapter, Dr. Lisa Daulby suggests that organizations can combine risk management
methodologies with information governance industry principles and maturity models to
identify, assess, control, and report on RIM risks.

PA R A D I G M

Identifying, Assessing, and Controlling Records and Information

Management Risks—A Cross-Disciplinary Approach
Lisa Daulby, PhD, CRM, IGP
Faculty, Master of Archives and Records Administration Program
School of Information, San José State University

Introduction to Project
Records and information management (RIM) program decisions must be based on an under-
standing of risk. Risk management methodologies protect organizations from unaccept-
able business or reputational events arising from operational, compliance, regulatory, legal,
administrative, technological, financial, and other risks while supporting and enabling the
organization’s overall business strategy. A risk management program identifies, assesses,
measures, controls, monitors, and reports on significant risks that face organizations. There
are a number of risks associated with the mismanagement of information, including the
unauthorized creation, collection, use, over-retention, or disclosure of information. Organi-
zations can accurately and effectively identify, assess, control, and report on RIM risks in
a cross disciplinary approach by combining risk management methodologies with estab-
lished information governance (IG) industry principles and maturity models.
 MON I TO R I N G , AU DI TI N G , AN D R ISK MAN AG E M E N T / 267

Problem Statement
ARMA International’s Information Governance Maturity Model (IG Maturity Model) defines
the characteristics of an Information Governance (IG) program for the eight Generally
Accepted Recordkeeping Principles (The Principles). The maturity levels are based on the
completeness and effectiveness of records/information management competencies and
range from Level 1 (Sub-Standard) to Level 5 (Transformational). For those organizations
that have an existing, or are establishing, a RIM program within an IG framework, the IG
Maturity Model can be employed to advance and grow the program irrespective of the
defined level on the maturity spectrum. Although the IG Maturity Model is an excellent
instrument for determining RIM program maturity, the measured outcomes can be chal-
lenging to communicate internally to senior management, decision-makers, and other
stakeholders not familiar with the model. One effective approach in recommending pro-
gram support is through an integrated risk profile that accurately reflects the potential
impact associated with various RIM risks and related vulnerabilities. By combining risk
management methodologies with the IG Maturity Model, organizations can accurately
identify, assess, control, and report on RIM risks to support enhanced RIM program deci-
sion-making and governance (see figure 9.5).
The risk management process is an iterative mechanism that enables stakeholders
to collaboratively identify and manage RIM risks. The components of the risk manage-
ment process include risk identification, risk rating and assessment, risk control, and risk

FIGURE 9.5 Intersection of risk management methodologies and the

IG Maturity Model.
Courtesy of Lisa Daulby.
268 / CH AP T ER 9

monitoring. Risk identification describes the process of recognizing risks, whereas risk
assessment evaluates risks with the goal of providing a foundation on which to construct
a response. Risk controls are processes or activities designed to offset or mitigate risks,
and risk monitoring provides insight into the various ways risks are tracked and reported.
The risk management process, when framed with the IG Maturity Model, defines a shared
discourse that subsequently enriches the value and significance of a RIM program.

Recommended Approach
To begin, an organization must define its RIM risk appetite. Risk appetite is the amount and
type of risk that an organization is able and willing to accept in the pursuit of its business
objectives. The approach to outlining the RIM risk appetite will vary depending on several
factors including IG Maturity Model target levels and the number of principles defined
in scope. Organizations may choose to target all eight principles or a defined subset in
addition to also selecting the suitable level on the IG Maturity Model scale they wish to
attain for each principle. These decisions must be based on an understanding of informed
risks. In completing the risk management process, it is important that all stakeholders are
engaged to ensure that the risks are appropriately analyzed and ranked so that the results
of the assessment are accurate and supported.
Key RIM risks must be identified, validated, and scoped. The IG Maturity Model can
be most effectively used during the risk identification phase of the risk management pro-
cess. The aim of this step is to generate a comprehensive list of all RIM inherent risks and
explain them in business terms. The IG Maturity Model can be used as a guide to assist
organizations to reliably self-identify RIM risks. For example, by means of the IG Maturity
Model, an organization may discover that although it has a retention schedule and policy
available, these do not encompass all records and information and the policy is not well-
known throughout the organization. This attribute reflects a Level 2 (in development) on
the IG Maturity Model scale for the principle of retention. Although this rating may reflect a
less-than-ideal situation for most organizations, how can this rating be measured in terms
that an organization will understand? From a risk perspective, what does a ranking on the
IG Maturity Model mean for organizations?
Organizations understand risk, and the most effective method of communicating IG
Maturity Model ratings is through categorizing and rating each level attribute as a quan-
tified risk. The IG Maturity Model encompasses a series of scenarios that can each be
rendered or explained as organizational risks. For example, the identified and documented
retention principle Level 2 rating could next be assigned a risk category and inherent RIM
risk rating. This risk analysis involves consideration of the RIM risk, as well as the impact
and likelihood of it adversely affecting one or more of an organization’s principle risk cat-
egories including operational, compliance, reputational, regulatory, legal, administrative,
technological, and financial.
Overall, assessing inherent risk requires using professional judgment supported by
a logical, defensible rationale. For example, consider the previously identified RIM risk
whereby the retention policies do not encompass all records and information and are not
well known around the organization. Furthermore, an additional risk exists if a decision has
been made to not purge one or more applications or systems in accordance with criteria
established in the retention schedule. This RIM risk results in an exposure to a combina-
tion of the organization’s principal risks categories including legal, regulatory, reputational,
and compliance. If realized, the magnitude of this unmitigated identified risk, when plotted
 MON I TO R I N G , AU DI TI N G , AN D R ISK MAN AG E M E N T / 269

onto a standard risk assessment matrix (see figure 9.3), yields a high risk rating due to the
potential risk of privacy or security breaches and service disruptions. This could result in
client dissatisfaction, loss of business, regulatory fines, and damaged reputation/brand.

Results
When the outcome of the RIM risks have been measured, an organization must respond
to the risks by taking action and implementing controls. Controls can include: (1) putting
a process in place to eliminate or minimize the risk, (2) acceptance, whereby no action is
taken, (3) sharing or transfer that shifts the risk from one organization to another party, or
(4) avoidance by discontinuing the activities or conditions that give rise to risk. This phase
of the risk process requires determining whether each risk identified exceeds the organi-
zation’s risk appetite.
Organizations have several options to deal with risk. Selecting the most appropriate
risk control option involves balancing the costs and efforts of implementation against the
benefits derived with regard to legal, regulatory, and other requirements. For instance, in
response to the second identified failure to purge records that have met their retention
requirement, the organization could mitigate the risks by implementing a remediation proj-
ect to create purge jobs for all noncompliant systems and applications. These actions will
reduce the frequency and/or impact of a risk and decrease exposures and adverse effects.

Conclusion
With competing organizational resources and priorities, raising the visibility of and commu-
nicating RIM program development with senior management, decision-makers, and other
stakeholders can be challenging. Risk management process components are designed to
proactively uncover RIM risks dimensions and promote a risk-aware culture. Organizations
can make and defend RIM program decisions and judgments based on internal evidence
and external risk management criteria. The risk management process, when framed with
the IG Maturity Model, accurately reflects the potential impact associated with current and
emerging RIM risks. This cross-disciplinary approach enriches stakeholder awareness of
identified RIM issues in a way that narrates in defined risk methods. Elevating and embed-
ding RIM program risks into the culture and operations of an organization empowers and
clarifies accountability.

NOTES
1. Cedar Hills, Utah, “City Recorder Receives Excellence in Information Governance Award,”
accessed January 2, 2018, www.cedarhills.org/node/4772.
2. National Archives and Records Administration (NARA), Records Management Self-Assessment
Report 2009, accessed December 19, 2017, www.archives.gov/records-mgmt/resources/
self-assessment.html.
3. National Archives and Records Administration (NARA), Records Management Self-Assessment
Report 2010, accessed December 19, 2017, www.archives.gov/records-mgmt/resources/
self-assessment.html.
4. National Archives and Records Administration (NARA), Federal Agency Records Management 2016
Annual Report, October 2, 2017, https://www.archives.gov/files/records-mgmt/resources/
2016-federal-agency-records-management-annual-report.pdf.
270 / CH AP T ER 9

5. National Archives and Records Administration (NARA), Draft National Archives

Strategic Plan, 2017, https://www.archives.gov/about/plans-reports/strategic-plan/
draft-strategic-plan.
6. Associated Press, “Hospital Workers Suspended for Allegedly Peeking at Clooney Medical Info,”
FoxNews.com, October 10, 2007, www.foxnews.com/story/0,2933,300648,00.html.
7. “Lack of Timely Action Risks Security and Costs Money,” February 1, 2017, HHS.gov., February
1, 2017, https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/
childrens.
8. Cameron Coles, “Only 9.4% of Cloud Providers Are Encrypting Data at Rest,” 2017,
https://www.skyhighnetworks.com/cloud-security-blog/only-9–4-of-cloud-providers-are
-encrypting-data-at-rest/.
9. “What is Google Vault?” accessed December 21, 2017, https://support.google.com/vault/
answer/2462365?hl=en.
10. Stacey English, Susannah Hammond, and Ashley Kovas, “Culture and Conduct Risk 2017,”
Thomson-Reuters, accessed December 21, 2017, https://risk.thomsonreuters.com/content/
dam/openweb/documents/pdf/risk/report/culture-and-conduct-risk-report-2017.pdf.
11. International Organization for Standardization (ISO), ISO 15489–1:2016 Information and
documentation—Records management—Part 1: Concepts and Principles (Geneva: ISO, 2016).
12. International Organization for Standardization (ISO), ISO 15489–1:2001: Information and
Documentation—Records Management—Part 1: General (Geneva: ISO, 2001), 4.
13. US Department of Education, Family Educational Rights and Privacy Act (FERPA), accessed
December 21, 2017, www2.ed.gov/policy/gen/guid/fpco/ferpa/index.html.
14. US Department of Education, “Protecting Student Privacy by Audience: Postsecondary School
Officials, accessed December 21, 2017, https://studentprivacy.ed.gov/audience/
school-officials-post-secondary.
15. EAB, “Cost of Data Breaches in Education Hits All-Time High: $245 per Record,” July 27, 2017,
https://www.eab.com/daily-briefing/2017/07/27/cost-of-data-breaches-in-education-hits-all-time
-high-$245-per-record.
16. SoundTransit, “Internal Audit Report: Records Management Program,” Report Number 2016-
5, December 1, 2017, https://www.soundtransit.org/sites/default/files/Internal%20Audit%20
Update-2016%20Records%20Management%20Program.pdf.
17. International Organization for Standardization (ISO), ISO 31000:2009 Risk Management—
Principles and Guidelines (Geneva: ISO, 2009).
18. Ibid.
19. ARMA International, Evaluating and Mitigating Records and Information Risks (Overland Park, KS:
ARMA International, 2009).
20. Ibid.
21. Sarah Peters, “Survey: When Leaving Company, Most Insiders Take Data They Created,”
Information Week, December 23, 2015, https://www.darkreading.com/vulnerabilities—-threats/
survey-when-leaving-company-most-insiders-take-data-they-created/d/d-id/1323677.
22. Howard Solomon, “Eight Canada Revenue Staffers Fired This Year for Snooping through Records:
CBC,” IT World Canada, December 21, 2016, https://www.itworldcanada.com/article/eight-canada
-revenue-staffers-fired-this-year-for-snooping-through-records-cbc/389441.
23. “Mobile Device Security in the Workplace: 6 Key Risks and Challenges,” accessed December 21,
2017, https://www.slideshare.net/Forsythe_Technology/mobile-devices-in-the-workplace-5-key
-security-risks-11988063/17.
24. Lulu Chang, “The Latest Data Breach Involves the Voting Records of 93.4 Million Mexican
Citizens,” April 13, 2016, https://www.digitaltrends.com/computing/mexico-voting-breach/.
 MON I TO R I N G , AU DI TI N G , AN D R ISK MAN AG E M E N T / 271

25. BusinessDictionary.com, s.v. “risk mitigation,” accessed December 21, 2017,

www.business dictionary.com/definition/risk-mitigation.html.
26. National Archives of Australia, “Cloud Computing and Information Management,” accessed
December 23, 2017, www.naa.gov.au/information-management/managing-information
-and-records/storing/cloud/index.aspx.
27. InterPARES Trust, “Checklist for Cloud Service Contracts: Final Version,” last reviewed February
26, 2016, https://interparestrust.org/assets/public/dissemination/NA14_20160226
_CloudServiceProviderContracts_Checklist_Final.pdf.
28. Ibid.
29. Kashmir Hill, “So, What Are These Privacy Audits That Google and Facebook Have to Do for the
Next 20 Years?” Forbes, November 30, 2011, www.forbes.com/sites/kashmirhill/2011 /11/30/
so-what-are-these-privacy-audits-that-google-and-facebook-have-to-do-for-the-next-20 -years/.
30. Jing Cao, “Facebook Commits to Audit of Its Ad Metrics by Media Watchdog,” Bloomberg
Technology, 2017, February 10, 2017, https://www.bloomberg.com/news/articles/2017–02–10/
facebook-commits-to-audit-of-ad-metrics-by-media-watchdog.
31. The Federal Rules of Civil Procedure are accessible at Cornell University School of Law,
Legal Information Institute at https://www.law.cornell.edu/rules/frcp.
32. Ibid.
33. Angela Natividad, “Microsoft Calls E-Discovery, Records Management Inseparable Halves,”
CMS Wire, April 30, 2007, https://www.cmswire.com/cms/records-management/microsoft-calls
-ediscovery-records-management-inseparable-halves-001238.php.
34. Microsoft, “Office 365 Meets Evolving eDiscovery Challenges in a Cloud-First World,”
accessed December 24, 2017, https://www.microsoft.com/itshowcase/Article/Content/843/Office
-365-meets-evolving-eDiscovery-challenges-in-a-cloudfirst-world.
35. Rhys Dipshan, “FRCP Amendments Dominate 2016 Federal E-Discovery Cases, Report Finds,”
Corporate Counsel, December 14, 2016, https://www.law.com/insidecounsel/2016/12/14/
frcp-amendments-dominate-2016-federal-e-discovery/.
36. Debra Cassens Weiss, “Lawyer’s e-Discovery Error Led to Release of Confidential Info on
Thousands of Wells Fargo Clients,” ABA Journal, July 27, 2017, www.abajournal.com/news/article/
lawyers_e_discovery_error_led_to_release_of_confidential_wells_fargo_client.
37. National Archives and Records Administration (NARA), “General Records Schedule 5.2,” July 2017,
https://www.archives.gov/files/records-mgmt/grs/grs05–2.pdf.
38. US National Archives, The Freedom of Information Act (FOIA) (5 USC § 552), last reviewed
February 10, 2017, www.archives.gov/about/laws/foia.html.
39. Barack Obama, “Freedom of Information Act,” Memorandum for the Heads of Executive
Departments and Agencies, WhiteHouse.gov, accessed December 23, 2017,
https://www.sec.gov/foia/president-memo-foia-nov2009.pdf.
40. “List of Countries with Access to Information,” accessed December 21, 2017,
http://home.broadpark.no/~wkeim/foi-list.htm.
 CHAPTER 10

Information Economics,
Privacy, and Security

INTRODUCTION

ISO 15489-1:2016, “the” RIM standard, describes records as “assets” without a clear expla-
nation of their value, which leaves the following questions unanswered:
• Do records have economic value?
• If so, how do we determine that value?
• Is the value based, as the value of physical assets can be, upon an appraisal
process?
ISO 15489-1:2016 introduces the concept of “appraisal,” but it is in terms of an “analysis of
business context, business activities and risk to enable decision-making on what records to
create and capture, and how to ensure the appropriate management of records over time.”1
The operational words in this statement are: records and creation, capture, and management
in relation to risk. Missing is the word use.
Of course, risk mitigation is extremely important. It is an indirect method of deriving
economic benefits from information. We’ve addressed risk in the previous chapter and will
deal with the topic again in the second half of this chapter in relation to privacy and secu-
rity. For the first half of this chapter, however, we will step through the looking glass into
a world where taking care of records and information is NOT the primary goal—accom-
plishing the core mission of the organization (i.e., making a profit or serving the public) IS.
It takes this type of business perspective to understand the direct method of deriving eco-
nomic benefit from information: the monetization of (earning revenue from) information.

INFORMATION ECONOMICS (INFONOMICS)

In his 2018 work Infonomics, Douglas B. Laney of Gartner, Inc. challenges us to consider the
economic significance of information. What is its true worth? How do we monetize, man-
age, and measure it as an actual asset and not merely as a representation of business activ-
ities?2 Laney defines Infonomics as “the theory, study, and discipline of asserting economic
significance to information.”3
In a 2012 Forbes article, Laney referred to infonomics as “the practice of information
economics.”4 Probably the best advice he gave to those of us who profess to hold information
as a valuable asset is to go beyond thinking and talking about it and actually value it and
treat it as one.5

/ 273 /
2 74 / CH AP T ER 10

I nfonomics is the “emerging discipline of managing and accounting for information

with the same or similar rigor and formality as other traditional assets (e.g., financial,
physical, intangible, human capital). Infonomics posits that information itself meets all the
criteria of formal company assets, and, although not yet recognized by generally accepted
accounting practices, increasingly it is incumbent on organizations to behave as if it were
to optimize information’s ability to generate business value.”
SOURCE: Gartner. Infonomics. IT Glossary, accessed January 6, 2018,
https://www.gartner.com/it-glossary/infonomics.

What Are Business Assets?

Valuing assets is the domain of the finance and accounting profession. If you’ve taken an
introductory accounting course, you know that assets can be tangible (a storefront or a cash
register) or intangible (a patent or goodwill). Tangible assets are easily included on a balance
sheet, which is a financial statement illustrating a business’s net worth by listing assets
(what is owned), liabilities (what is owed), and owner’s or stockholders’ equity (what is left).
Figure 10.1 is an example of a simple balance sheet prepared at the end of the fiscal year for
a company owned by stockholders. If there were no stockholders, “Owners’ Equity” would
replace “Stockholders’ Equity” to represent the difference between assets and liabilities.
The balance sheet in figure 10.1 includes only tangible assets—current assets such as
cash and inventory and fixed assets such as building and equipment.

Intangible Assets
The balance sheet in figure 10.1 does not account for intangible assets (those not physical
in nature) such as patents, copyrights, franchises, customer lists, trademarks, trade names,
and goodwill (the value of customer relationships). But intangible assets do appear on some
balance sheets, as shown in figure 10.2.

Goodwill
Goodwill can be viewed as the amount paid for a company above its book value (i.e., tangible
assets minus intangible assets and liabilities). Goodwill is reported on the balance sheet
along with long-term assets such as land, buildings, and equipment. It is the most com-
mon form of intangible asset included on a balance sheet. Goodwill is determined when a
company is acquired. In an effort to balance the balance sheet, the difference between the
purchase price and the book value of the company is recorded as positive or negative good-
will. Negative goodwill is possible when a company is acquired for less than its book value.

Purchased Intangible Assets

The term purchased intangible assets in figure 10.2 covers all other assets not accounted
for under tangible assets or goodwill that can be valued. These nonphysical assets have a
life greater than one year and are typically recognized, similar to goodwill, when acquired.
Intangible assets can also be generated internally.
 I N F O R MATIO N E C ON O M I C S, PR IVAC Y, AN D SE C U R I T Y / 275

Examples of intangible assets that may be included on balance sheets include customer
lists, patented technology, and computer software. Additional examples include internet
domain names, pictures, use rights (drilling for water or oil), and trade secrets (secret for-
mulas and recipes).
Let’s look at two examples of intangible assets:
• Internet domain name: The most expensive domain name ever sold
was Cars.com. It was valued at a staggering $872 million in 2014 by the
purchaser Gannett Co., Inc. Don’t you wish you had thought of purchasing
that domain name years ago? In a filing with the Securities and Exchange
Commission, Gannett Co., Inc. explained the valuation of this acquisition in
this way: “After the impairment testing date, we completed our acquisition

FIGURE 10.1 Balance sheet listing the total of current and fixed tangible assets on the
left, “balanced” by the total of liabilities and equity on the right.