This article is from the August 2003 issue of Update.
In the public sector the Freedom of Information Act 2000 (FOIA) has focused attention, often for the first time, on the way organisations manage their records.
FOIA gives a general right of access to all types of ‘recorded’ information held by ‘public authorities’ (which range from central government departments to schools, colleges and universities), sets out exemptions from that right, and places a number of obligations on such authorities.
The Act will be implemented in full by January 2005 by which time all public authorities must be able to answer individual enquiries on information held by the authority. Once a request has been received, the individual has the right to be told whether the information exists and to receive it however they choose. In general the authority will have 20 days in which to reply. Exemptions to disclosure do exist, some automatically (such as if disclosure would compromise a data subject’s rights under the Data Protection Act), some requiring a case-by-case decision as to whether the risks posed by disclosure outweigh the ‘public interest’ in accessing the information.
The Lord Chancellor’s Code of Practice issued under Section 46 of the Act clearly identifies records management (RM) as a prerequisite for compliance with the Act. Indeed, the fact that, of only two codes of practice issued as part of this Act, one should be entirely devoted to RM underlines the importance placed upon it. The code indicates the need for an over-arching RM policy and for all corporate records to be included within a record-keeping system which controls their creation, storage and use. Specific mention is made of the importance of ensuring that the disposal of records is undertaken in accordance with clearly established policies. The destruction of information has acquired a new significance under the Act and it is essential that institutions can prove that all activities in this area are subject to agreed and defined processes.
At this point a reminder about what is meant by RM and where it fits into the wider information management landscape may be worthwhile. There is a difference between information and records. A record can be described as ‘evidence of a business transaction’. It is the proof that something has occurred, either within that organisation or between it and another. This evidential quality is important and lies at the heart of RM theory. In order to fulfil this evidential role, it is vital that a record captures all the information needed for the future understanding and interpretation of that transaction, including when it was undertaken, who was involved, what its purpose was and what its outcomes were. The difference between information and records can be summarised by the statement that, while all records are information, not all information is a record.
Records lifecycle
Management of records is primarily based on the concept of the records lifecycle, covering all identifiable phases from creation through current and semi-current use to final disposition, whether that involves destruction or permanent retention and re-use as archival records. RM seeks to ensure that all records are managed consistently and appropriately at every stage, so that their usability, integrity and security are maintained.
The Data Protection Act of 1998 broadened the scope of the original 1984 Act by including physical as well as electronic records. Three of the Act’s eight main principles go hand in hand with established RM theory. For example, adherence to Principle 5 of the Act (‘Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes’) can only be ensured through the implementation of a record retention programme which identifies exactly how long records must be kept, legitimises their retention and helps ensure their timely and controlled destruction or deletion according to a defined business process.
According to Principle 6, an individual has the right to be informed whether an institution is processing personal data about them. Clearly, unless records are structured and managed in an appropriate manner it will not be clear what information is held. This can lead to a waste of time and effort in replying to requests, and the risk that the full and accurate response required will not be provided. Finally, Principle 7 requires that ‘appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data’ — again something that an effective and well-established RM programme will help ensure.
Modern HEIs are large and complex organisations which undertake a multiplicity of functions. They generate and hold large volumes of personal data on their staff, students and alumni. Often this information will be held in multiple locations including not only ‘official’ storage areas such as the Personnel Department or Registry but also unofficial areas such as individual staff filing cabinets. The proliferation of personal data such as student references and the notes used to compile them carries the risk that serious breaches of the Data Protection Act will occur if the material is not known about by the institution and disclosed to the data subject on receipt of a ‘subject access request’.
The FOIA has increased this danger substantially by dramatically broadening the scope of information that an institution may be legally required to make available within a defined time period. An examination of the alumni function within HEIs, for example, shows that this one relatively small area of activity is likely to create 23 different types (‘series’) of records. These range from those containing personal data which should only be retained for as long as they are required for the purpose for which they were obtained (under data protection legislation) to the institution’s alumni relations strategy and records documenting the organisation and administration of institutional events for alumni. All these will need to be retained for differing amounts of time and all may have to be disclosed on request from January 2005 under the FOIA.
Jisc’s pioneering study
It is partially in response to this that Jisc has relaunched its pioneering Study of the Records Life Cycle for HEIs. The study consists of two main parts, a Business Function and Activity Model and a Records Retention Schedule. The Function and Activity Model provides HEIs with a generic tool for analysing the functions and activities carried out during the course of their business. The companion section of the study, the HEI Records Retention Schedule, then defines the types of records these actions produce and sets out the periods for which they should be retained to meet operational needs and comply with legal and other requirements.
To help institutions convert the generic content of the study into a tailored toolkit relevant to their institution, Jisc is also funding 12 projects as part of the 09/02 Supporting Institutional Records Management programme, aimed at exploring the issues surrounding the practical application of the study within an institutional context. The results of these projects will be published in December.1
Though the public sector has largely escaped the fall-out from high-profile corporate scandals like that of Enron, such cases have turned the spotlight on the need to prove high standards of corporate governance, and increased accountability.
In addition, the workplace has undergone dramatic change over the last couple of decades. The IT revolution has increased the need for good RM, while offering the stiffest challenges to the application of its principles that RM has ever faced. These are issues that affect all records managers, in public and private sectors.
Little more than a decade ago virtually every transaction that an organisation was involved with would have resulted in the creation of an obvious physical record: a memo, an order form, a client file. Grouped at this ‘series’ level such records were easy to identify and manage. But much business today is conducted solely via email. Crucial decisions are made on a daily basis. The only evidence may be an informal exchange of messages in your ‘inbox’ alongside hundreds of other much more trivial messages. Finding the means to separate the valuable business record from the daily ephemera, and ensuring that it is managed accordingly, is vital for modern RM in organisations awash with information.
Nowadays, no organisation is complete without its website and intranet. An ever increasing amount of content exists only in digital format. The beauty of the web is the speed with which content can be updated. What is often overlooked, however, is that decisions are made in court against the content of such sources as they stood at the time the decision was made. Could you roll back the content of your site to prove what it said at any given time? With static HTML sites it was at least possible (though not necessarily desirable) to take snap-shots at regular intervals. Now, with the content of many sites being generated dynamically in response to user-selected criteria, even this route may be unavailable, leaving little or no audit trail. Once again these are issues that Jisc is investigating as part of its Supporting Institutional Records Management programme. Current projects are exploring exactly how RM principles can be extended to embrace the management of electronic research data, emails and websites.2
The ability to create, store and manipulate data stored in electronic format has provided us with almost unfettered potential to exploit it for novel purposes that benefit our organisations and society at large. However, such potential comes at a cost. The preservation of digital materials is an expensive but necessary element of any modern RM programme. While the costs of digital storage media are relatively low, this is not enough to ensure the preservation of digital material over extended periods of time. Regular ‘refreshing’ of storage media to prevent hardware errors and the periodic migration of data to new software formats to avoid software obsolescence are all labour-intensive and expensive but necessary operations. Without such measures valuable data will be lost or rendered obsolete in just a few short years.
No breathing space
Such issues have pushed RM into new areas. There is no longer the breathing space that existed in the past. When dealing with paper records you could return to a file 25 years after it was created to decide whether it was still worth keeping. Such decisions must now be taken up front. If a record requires long-term preservation there may be format and storage media issues to consider, while sufficient metadata must be captured to allow for its future interpretation and re-use. The records manager must therefore become involved in the process at a far earlier stage, even before the record has been created. If databases and content management systems are to be able to capture the information the records manager requires and provide the functionality to manage the records, the system must be designed appropriately from the outset.
Collaborative effort
A good RM programme must therefore be a collaborative effort, not only between records manager and IT staff, but also between records manager and every employee who creates or uses records. This too is a new challenge for the modern records manager. In a workplace which has encouraged the complete decentralisation of records creation through the proliferation of office applications, virtually every employee has the capability to create a hundred new records every day, to amend existing ones or delete old ones. In this environment it is critical that the influence of the records manager extends beyond the creation of policies and the design of systems to reach the daily actions of individual members of staff.
Training and the provision of advice and guidance will go a long way to achieving this. But, in addition, staff need to buy into the concept of RM and understand the importance of their actions for the organisation as a whole. Often this can be done by demonstrating the advantages good RM can bring to their own working day — from the effective management of their email, to a reorganisation of their filing cabinet or network account. Individually each ‘convert’ may seem to contribute little to the overall standard of RM and legal compliance within an organisation, but collectively it is on these small victories that a successful RM programme is built.
Records management is at a fascinating point in its development and is more relevant to organisations than ever before. Yet at the same time, records managers are discovering that many of the assumptions on which RM theory was founded more than half a century ago have been replaced by a completely new set of technology-driven circumstances. Perhaps the most important task of the records manager remains ensuring that RM practice continues to be modernised and meet the ever-changing needs of the workplace, while not losing sight of the original aims and objectives on which it was founded.
References
1 In the meantime an online version of the study and further details about these projects can be found at www.jisc.ac.uk/recman
2 Further details of these projects can be found at www.jisc.ac.uk/index.cfm?name=programme_supporting_irm
Steve Bailey is Electronic Records Manager for the Joint Information Systems Committee. He is also Programme Manager for Jisc’s Supporting Institutional Records Management programme (s.bailey@jisc.ac.uk).