Alaska Chapter of ARMA International Presented by: Dawn Kewan, ARMA Board Member & Treasurer February 6, 2014 Based on Generally Accepted Recordkeeping Principles © disposition Range of processes associated with implementing records retention, destruction or transfer decisions which are documented in disposition authorities or other instruments. ISO 15489 3 2 destruction Process of eliminating or deleting records, beyond any possible reconstruction. transfer Change of custody, ownership and/or responsibility for records. Moving records from one location to another. ISO 15489 3 3 Involves the following steps: Identify record that captures the transaction or business activity Classify the records appropriately Determine relevant retention period Identify anticipated date for disposition Document the retention period and anticipated disposition in the records system Determine what metadata to retain with record ISO 15489 4.3.6 4 Applied systematically Performed routinely Conducted as normal course of business Irreversible Secure Documented ISO 15489 9.9 5 Not without assurance that records are: No longer required to be retained No work is outstanding No litigation or audit holds (current or pending) ISO 15489 9.9 6 Physical destruction Extending retention Transfer to storage (organization or vendor) Transfer to another organization or agency Transfer management responsibility to authorized party Transfer to organizational archives Transfer to external archives ISO 15489 9.9 7 The Principles identify the critical hallmarks of information governance, which Gartner describes as an accountability framework that “includes the processes, roles, standards, and metrics that ensure the effective and efficient use of information in enabling an organization to achieve its goals.” http://www.arma.org/r2/generally-accepted-br-recordkeeping-principles/metrics 8 Accountability Compliance Transparency Availability Integrity Retention Protection Disposition 9 An organization shall provide secure and appropriate disposition for records that are no longer required to be maintained by applicable laws and the organization’s policies. 10 Provides a picture of what effective IG looks like Based on the eight Principles Defines characteristics of various levels of recordkeeping programs Associates various characteristics that are typical for each of the five levels http://www.arma.org/r2/generally-accepted-br-recordkeeping-principles/metrics 11 Transformational (Level 5) Proactive (Level 4) Essential (Level 3) In Development (Level 2) Sub-Standard (Level 1) • Recordkeeping concerns are either not addressed at all. • Developing recognition that recordkeeping has an impact on the organization • Has minimum requirements that must be addressed in order to meet the legal and regulatory requirements. • Initiating information governance program improvements throughout its business operations. • Integrated information governance into its overall corporate infrastructure and business processes. 12 Sub-Standard (Level 1) No documentation of the processes to guide transfer or disposition No process or inconsistent for suspending disposition in the event of litigation or audit (Records Hold) 13 In Development (Level 2) Preliminary guidelines for transfer or disposition Recognize importance of Records Hold process consistently Lack of enforcement and auditing or disposition 14 Essential (Level 3) Developed official procedures for records disposition and transfer Developed official policy and procedures for Records Hold Policies and procedures exist, but not standardized across the organization Inconsistent procedures amongst individual departments Defined specific goals related to disposition 15 Proactive (Level 4) Disposition procedures are understood and consistently applied Process for suspending disposition defined, understood, and used consistently Electronic information is expunged in accordance with retention policies 16 Transformational (Level 5) Disposition process covers all records and information in all media Disposition is integrated into all applications, data warehouses, and repositories Disposition processes are consistently applied Processes for disposition are regularly evaluated and improved Organization's stated goals related to disposition have been met 17 It saves time and storage costs; It enables organization to focus on higher priority records; and It prevents unauthorized access and use of company records 18 Burning – in an enclosed incinerator or secure facility Pulping – reduces paper to pulp and often used in recycling Pulverizing – crush or grind to a powder or dust Shredding – reducing paper to fine ribbons 19 Hard-drive shredding or cutting Disk encryption – encoding messages Image overwrite On demand – executed prior to removal or as needed to remove all image data from disk Immediately – automatically executed immediately after jobs are completed to remove image data from disk Scheduled – automatic, daily overwrite of all image data from disk Magnetic degaussing – erasing data on magnetic media by passing a powerful magnet over the media. 20 Physical Destruction Destruction should always be authorized Records on hold should not be destroyed Preserve confidential information Include all types of copies: Security Preservation Backup Vital Records ISO 15489 9.9 21 Records Systems Removed in accordance to retention and disposition guidelines Or with conversion and migration strategies Must be documented! Conversion plans Data mapping ISO 15489 8.3.7 22 Website Records Destruction Ensure record is destroyed completely Document what was destroyed and when Include in master RIM policy Transfer Ensure entire record (including metadata) is appropriately transferred Educate receiver its RIM responsibilities Permanent Preservation Ensure record content (including metadata) are properly stored Provide periodic backups Transfer data periodically Ensure accessibility is guaranteed ARMA Website Records Management 23 Mobile Communications Disposition applied to all records on device owned by organization Subject to Records Holds and e-Discovery ARMA Mobile Communications and Records and Information Management 24 Mobile Communications Must have a method to capture content E-mail Text messages Video Still images Downloaded content Recommended to be able to collect and lock down device or create a forensic copy or image of the content ARMA Mobile Communications and Records and Information Management 25 Social Media Content created, captured, accessed, transmitted, and/or stored can be a record Applies to Retention Schedule Must have ability to suspend destruction based on legal holds ARMA Using Social Media in Organizations 26 Don’t forget about … Copy/Scan Machine Fax Machine 27 Outsourced Electronic Records Storage - Ask What is their records destruction process? What about destroying eligible records stored in… backup systems? disaster recovery systems? Other media? Will they produce destruction certificates? Related metadata and indexing related data also destroyed? ARMA Guideline for Outsourcing Electronic Records Storage and Disposition 28 Records holds due to potential or current litigation or audit Changes to the retention schedule that is pending approval 29 Records holds due to potential or current litigation or audit Communicate to all appropriate staff about the hold Don’t forget to place records back into disposition process once hold has been released 30 Document reason for extending the retention period Identify who is requesting the extension Research the request Make a recommendation Re-submit for approval 31 Document chain of custody or transfer records transfer log to track records moving from one location to another. Describe the record that captures the transaction or business activity Classify the records appropriately Determine relevant retention period Identify anticipated date for disposition 32 Document chain of custody or transfer records transfer log Records appraised by qualified professional Appraisal based upon historical value of records Transfer vs. Accession transfer – moving records into physical custody of a NARA Records Center, sender retains legal custody until final disposition. accession – when permanent records are sent, NARA takes legal custody. Guidance and Policy for Accessioning Records to the National Archives http://www.archives.gov/records-mgmt/accessioning/ 33 Document! Document! Document! Retention periods apply to all records within the organization Never destroy records until retention requirements have ceased Require authorization for destruction Ensure security and confidentiality of all records within custody Define process and appropriate method and verify Develop a process to suspend destruction when required 35 Authorization for Destruction/Transfer Form Date of destruction Method of destruction Description of the disposed records Inclusive dates A statement that the records were destroyed in the normal course of business The signatures of the individuals approving, supervising and witnessing the destruction or transfer 36 Certification of Destruction/Transfer Provides evidence that the records in question have in fact been destroyed or transferred Destruction Method Date of Destruction Materials Destroyed 37 Don’t forget to …. Monitor Audit Train & Educate 38 Are all records, in all media, eligible for disposition according to retention included? Is your retention schedule up-to-date with the applicable laws? Authorities for disposition appropriately assigned and up-to-date? Did you confirm that records related to a pending or ongoing litigation or audit are suspended from disposition? Has the destruction process been documented? Are the records required for any further legal, administrative or business use? Were the records approved for destruction by an authorized member of the organization? Was the method of destruction appropriate for the type of media and the sensitivity of the record? 39 Destruction Records are transported securely and destroyed completely (irreversibly) Transfer Document chain of custody or transfer records transfer log Records appraised by qualified professional Appraisal based upon historical value of records 40 Principles are interdependent. Real value comes from implementing them as a whole framework. Together they support an organization’s overall records and information management program. Provides tool to benchmark and continuously make improvements to your program. 41 CohassetAssociates 2011/2012 ARMA International Survey Results Records Management & Governance of Electronically Stored Information (ESI) 42 March 6 – Principle of Retention April 10 – Principle of Transparency May 16 – Annual Spring Conference 43