Records Managers—Become the Easy, Adjustable, Reliable Tool of the Organization

Records managers, compliance, finance, information technology, legal, and privacy departments are all concerned with the proper management of information. For records managers, though, their primary focus is the proper management of information. For other functions, proper management of information is a tool used in achieving their objectives, but not necessarily their primary focus.

For records managers to work well with compliance, finance, information technology, legal, and privacy departments, the records management department must become an essential tool for those departments. For tools to work properly, they must be

  • Easy to use,
  • Adjustable, and
  • Reliable over time

This article provides records managers with the means to become valuable resources within their organization by providing the language needed to explain how they can help other teams achieve their goals.

How Records Managers Provide Easy-to-Use Tools

The records retention schedule and supporting policies are the primary tools of the records manager.  The following qualities will promote a records retention schedule that is an effective tool for the compliance, finance, information technology, legal, and privacy departments:

Compliance: The records retention schedule ought to identify records subject to regulatory requirements and demonstrate the retention periods comply with those regulatory requirements. This would include identifying the laws and regulations that impact record retention and disposition requirements, along with the jurisdictions and agencies that have oversight over the organization. The best records retention schedules are put into action and regularly audited jointly by compliance and records managers.

Finance: Finance is concerned with having information available for documents used to protect investors (actual or potential) and prepare and support tax returns. Some records are required, and some information is helpful. The records retention schedule must reflect those needs with supporting policies that ensure that information is not only retained but also accessible when needed.

Information Technology: For IT systems to work effectively with electronic records, they need rules. The easier the rules are to understand, and the fewer rules there are to apply, the more effectively IT can apply them. A records retention schedule that uses objective, instead of subjective, retention times will make it easier for IT to implement the rules. For example, if the time for a record starts when a record is created, received, or when an easy-to-define event occurs, then IT can automatically start a clock for electronic record disposition. If the retention period for a record starts when a person is required to give an opinion, then the process cannot be automated, and IT cannot establish an automatic disposition period. Examples of such opinion-based triggers include “final disposition,” “resolution,” or “obsolete” event codes.

Legal: When a legal action is initiated, or it appears reasonable that an action is about to start, legal benefits from being able to use the records retention schedule to identify (1) what records the organization retains and (2) how far back the organization retains those records. An effective policy will define the disposition process so legal can feel assured it is preserving and turning over all relevant documents associated with an actual or reasonably anticipated legal action. The fewer exceptions records management allows to the schedule and policies, the easier it becomes for legal to use the records retention schedule and supporting policies to identify relevant records related to litigation.

Privacy: Personal information should be limited in its collection and retention. The privacy group has an obligation to limit the collection of personal information to what is necessary, use it for its intended and/or consented purpose, and only retain it for as long as it is necessary for its intended or consented purpose. An effective records retention schedule will identify which records categories retain personal information and limit the retention period of that information to its legitimate legal or consented purpose.

How Records Managers Provide Adjustable Tools

Compliance: For organizations, compliance rules change through changes in laws or regulations, new jurisdictions, or changes in organizational operations. Records managers should periodically check to verify if the laws or regulations applied to the records retention schedule and supporting policies are still accurate, if the organization is now operating or subject to rules in new jurisdictions, or if the organization has purchased or added operations that are subject to additional requirements.

Finance: The purpose of most finance groups is to seek ways to increase revenue coming into the organization while limiting expenses. Retaining records at off-site storage sites, paying to migrate information to new software products, and expenses associated with discovery create financial burdens for many organizations. Records managers can use their policies to limit those expenses by only retaining information of value to the organization and disposing of information that has little value and creates financial burdens for the organization.

Information Technology: It is not uncommon for organizations to retain records and information for seven, ten, thirty years, and possibly for the life of the organization. Software and IT products, however, often change on a much more frequent basis. This means that every time your organization changes software that retains information, the organization must migrate that information to a new system. Records managers have a crucial role in identifying what information must be migrated and retained when these tools change, and what information can be disposed of, making the transition to new internal products easier.

Legal: In law school, lawyers are trained to focus on issues, not process. As a result, many lawyers are less process-oriented and more focused on issues directly related to a specific legal situation. The adjustable tool records managers have to address these specific needs is the legal hold. The legal hold allows the organization to suspend retention and disposition rules to address a specific legal situation. This tool gives the records manager the ability to adjust to the lawyers’ specific needs for ad hoc situations without jeopardizing the defensibility and integrity of the entire records retention schedule and supporting policies.

Privacy: Privacy by Design or Default is a concept within the privacy community that states the privacy group must be consulted and included in any organizational change, policy decision, or system integration where the handling of personal information could be impacted. For organizations subject to the rules of the General Data Protection Regulation (GDPR), this is a requirement. This would include data. Therefore, whenever there are adjustments that impact records, especially records containing personal information, the records manager must include the privacy group and incorporate a privacy impact assessment before any final decisions are made.

How Records Managers Provide Tools Reliable Over Time

Compliance: Records managers and compliance share a unique interest in enterprise-wide operations. While most functions are limited in their scope, typically both records management and compliance work across functions. Compliance comes to rely on records management to support audits, and sometimes assist in conducting audits. Over time, compliance and records management become a team, becoming each other’s champions and working towards enterprise objectives.

Finance: Records managers must be able to show a return on investment (ROI). This means establishing metrics and benchmarking standards that show the cost of hard copy and electronic records management at your organization in relation to comparable organizations. An effective records management program will save organizations money, but it is the responsibility of the records management team to show finance, and the organization, where those savings are achieved. If this is done properly, finance will become the records manager’s strongest advocate.

Information Technology: Reliability for records managers is tied to integrity. Integrity for records managers means the content of the record is unchanged throughout the lifecycle of the record. As a result, records managers need to work with IT to ensure that even if the data that created the record changes, the records themselves never change. When this is addressed and understood, the organization can verify that the record retained is the same now as it was when the record originated.

Legal: Lawyers deal with issues, situations, and crises. Typically, by the time something gets to the legal department, something has gone wrong. Records management cannot stop bad events from happening, but records management can help the legal team make their case or mitigate the damages. Records management works to assure the organization has records with value and disposes of the records that have no value. If done properly, this allows the legal team to find the important information they need to properly address the issue, situation, or crisis. No lawyer wants to have less information than their opposing counsel, but they also do not want a data dump of garbage records and data of their own creation. They rely on records and information management to prepare for this before the issue, situation, or crisis occurs to make their job easier. When this is done properly, legal becomes a great backer for the records program.

Privacy: For many years, records management was focused on minimum retention standards. Issues such as eDiscovery and the cost of off-site storage provided some incentive to dispose of records and information of little value, but they did not drive substantial changes. The emergence of data protection laws, and their subsequent enforcement, has changed records management from an industry focused on records retention to one of records retention, disposition, and protection. Over the long term, records managers can play an important role in advocating, with the privacy group, for sound records management policies that promote reasonable retention times, limit the collection of unnecessary personal information, and restrict the secondary use of personal information without the consent of the data subject. This can be done by doing a records inventory, identifying records with personal information, mapping to the systems that hold that information, and defining the purpose for which the records and information are held and can be used within the organization. If the records manager does this, the privacy group will become a promoter of the records and information program.

Conclusion

There are times when the objectives of compliance, finance, information technology, legal, and privacy departments can be at odds. Compliance wants to retain information for excessive periods of time, and privacy wants to dispose of everything quickly. Legal wants to spend money on discovery to defend its position, while finance determines the costs of litigation outweigh the benefits of deciding the case on its merits. All groups want well-defined record categories, while information technology wants to put all record retention periods into a few big bucket categories.

Records managers are the team that brings all these concerns together and finds a solution that recognizes and balances all these needs and objectives. To do this, records managers must demonstrate to these functions that they understand their objectives, and that the records retention schedule and supporting policies provide the easy, adjustable, and reliable tools needed to address these objectives. When this is done, records managers become the easy, adjustable, and reliable tool for the entire organization.

Author

  • Tom Corey

    Tom Corey is a Director with HBR Consulting’s Information Governance Team. Much of Tom’s work involves assisting organizations in developing information governance policies and records retention schedules that are compliant with domestic and international laws, regulations, and data privacy requirements. Tom is an attorney, licensed in North Carolina, and a Certified Records Manager (CRM) and Certified Information Privacy Professional (CIPP / US). In 2021, Tom received the Britt Literary Award for an article published in IM Magazine. Tom has served as an ARMA Chapter President for the Charlotte – Piedmont Group and is a frequent speaker at international and local ARMA events.
