Records and Information Creation and Use
Part 2 pertains to the creation, production, distribution and use of records and information on paper, electronic and all other media. It covers the documentation of business transactions and activities, as well as the development of a framework to properly identify and classify records at the point of creation. This section also addresses the importance of applying information security, privacy rules, and regulatory requirements to records and information, regardless of how it’s created and used.
- INFORMATION FRAMEWORK
- Taxonomy and Classification Strategy – Records creation, when administered effectively, enhances the usability and value of records by ensuring records are created in the right context, have the appropriate metadata, and structured in a manner that enhances transparency. RIM managers should understand the business rules around developing taxonomies and using auto classification in the records declaration process. Know how records are classified and how taxonomies work to ensure records are retrievable during their entire life cycle.
- Records Definitions and Declaration - Be able to define record, non-record, information and understand data, structured and unstructured, web content and all other related terms. The RIM manager should be able to distinguish between the requirements to manage structured and unstructured data. Characteristics such as authenticity, reliability, integrity and usability should all be considered as part of the creation and use phases of a record’s life cycle.
- Records Capture Strategies - The RIM manager should understand the value of recordkeeping systems, both paper and electronic, and ensure that they adequately document the activities and transactions of an organization and serve as evidence of business activities. In addition, record content and associated metadata should remain intact in a format that can be migrated and exported as required to support business, legal and regulatory requirements. In order to control documents throughout their life cycle, the RIM manager should understand version control and tracking. Analyzing the workflow of business processes allows the RIM manager to identify the records related to them. Know and understand the various manual and systematic approaches to mapping work processes, tracking documents and applying version control.
- Media Considerations - The RIM manager should be able to assess the various types of media and their advantages and disadvantages for their entire life cycle. Information is stored on many types of media (paper, microforms, magnetic, electronic and optical). The RIM manager should be knowledgeable about problems of migration and conversion associated with each media.
- Data Maps – Understanding how records are created, where they are stored, and where duplicates reside is critical to improving the availability of information. RIM managers should understand how data maps are created and how they can be used in developing an information framework, supporting legal research, ensuring records policies are applied to applications, and reducing the unnecessary creation of information.
- RISK ASSESSMENTS AND AUDITS
- Definitions and Objectives - There are many types of risks such as business, legal and accountability that are associated with the creation and use of information. The RIM manager should understand and be able to explain these.
- Risk Assessments and Mitigation - The RIM manager should understand and know how to assess the RIM risks in an organization, provide adequate security and other controls in the creation and use of records and track chain of custody to mitigate risk. Understand how to develop risk profiles, such as magnitude vs. likelihood, and how records play a role in a company’s risk profile.
- Records Audit Framework – Records programs are routinely audited to ensure records are created and captured in the appropriate recordkeeping systems. Records audits can include assessments of records risk, external/regulatory compliance, and adherence to internal records policy. Understand the RIM manager’s role in performing and participating in audits related to records.
- Regulatory and Legislative - Various legislative and regulatory rules and judicial decisions impact the creation and use of information within an organization. The RIM manager should know how to create a program that will comply with these requirements. Include compliance with internal policy/directives
- Acceptable Use Policies - Electronic communications, including, but not limited to email, have unique requirements guiding their use. The RIM manager should understand these and be aware of their role in promoting and monitoring their use. Understand what components go into policies, etiquette and guidelines to promote the responsible use of electronic communications.
- Litigation Support - In today’s litigious business environment, it’s critical that RIM manager understand the role they have in supporting litigation. Collaboration with legal is essential. Directives and tasks may include issuing hold notices, applying and removing the preservation notices to physical and electronic content and assisting others in compliance with such hold notices.
- INFORMATION SECURITY AND PRIVACY
- Definitions and Objectives - The RIM manager should understand the need to define information security and protect information and resources so that a business or organization can continue doing business. By applying the appropriate security measures, the RIM manager can assist in protecting privacy and guarding against identity theft, loss, or other risks. While the RIM manager should be familiar with how the technology of encryption and authentication works, it is even more critical that they know when and how the technology should be applied. The RIM manager should be able to clearly communicate how information is organized and classified both with regard to its record requirements and its security requirements.
- Personally Identifiable Information - Personally Identifiable Information (PII) refers to the unique information that can be used either alone or with other sources to identify, contact, or locate an individual. For legal purposes, the RIM manager should be familiar with varying definitions depending on jurisdiction and the purposes for which the term is being used. PII requires that the RIM manager actively monitor the attributes of records and information that would qualify as meeting the definition and also be able to securely manage it as such.
- Intellectual Property - Understand the laws concerning intangible property. Be able to define and characterize intellectual property laws such as patents, trademarks, trade names and trade secrets. Know and understand the RIM manager’s responsibility with respect to intellectual property.
- Security Classifications. There are many security classifications that can be applied to records and information. Understand when a record is public, proprietary, confidential or secret. Electronic communications expose organizations to threats to their information, either by having it stolen (hackers), hijacked, having unwanted programs (worms, viruses, etc.) imported into the organization’s computers, or other unauthorized access. The RIM manager should understand the security measures and controls necessary to protect the organization’s information.
- Access Control. The RIM manager needs to understand the purpose of an organization’s records and the business that the records support in order to adequately govern access to specific information. Access to records can be governed through information security policies and are applied through physical limitations and electronic restrictions. Know the advantages and disadvantages of the multiple ways to physically and electronically secure records.
- INFORMATION CREATION
- Physical Records – Physical records continue to be created. RIM managers should be familiar with methods to capture, identify, and manage physical records, including identifying convenience copies, controlling versions, and determining the record copy.
- Metadata - The RIM manager should understand the difference between recordkeeping, descriptive, structural, and administrative metadata; how and why metadata is used; and the value it provides. RIM managers should know what metadata is required to define, classify and manage information as a record, as well as how and when to develop metadata standards and guidelines within an organization.
- Social Media – Much of an organization’s activity may take place via its website. This creates records that the RIM manager should manage, store and be able to retrieve when needed. The RIM manager should know how to deal with the variety of materials created by intranets and internets, social media sites, and blogs, including identifying record material, methods of capture, storage options, security and version controls.
- Electronic Communications - The RIM manager should understand the use of a variety of electronic communication tools, including email, instant messaging, voicemail, and audio and video devices. These all potentially create records that may need to be captured and managed. RIM managers should understand how to address the challenges instant messaging, e-mail and other forms of electronic communication pose for the capture and management of information.
- Electronic Data Interchange - As the e-commerce continues to grow, RIM managers are faced with managing records created through electronic data interchange (EDI). The RIM manager should understand how records created through EDI are captured and stored. The RIM manager should also understand how records are created using automated data capture technologies such as barcode readers, optical character recognition, radio frequency identification (RFID), and speech recognition.
- Collaboration Tools - Collaboration tools, also referred to as collaboration software, are often used to for a team of people to work on a project collectively through the use of software such as instant messaging, conference calls or video conferencing. Know the RIM requirements for using a collaborative tool and how to apply them.