www.rfgonline.com Wednesday, March 12, 2003

The Policy Side of Electronic Records Retention

RFG believes that IT executives face a number of challenges as they attempt to implement a comprehensive electronic records ("e-records") retention policy. Before the formation of a policy can take place there are several issues that IT executives have to address, such as enterprise liability and responsibilities as they pertain to outsourced agreements. In order to devise a strategically sound policy, IT executives will need to confer with executive management, legal counsel, and line of business (LOB) executives. IT executives should also consult any vendors to which they currently outsource to address all areas that will be affected in light of an e-records retention policy.


Business Imperatives:


Once IT executives have undertaken the responsibility to implement a formal electronic records (e-records) retention process, they must face the challenge of formulating a policy or policies that will protect the enterprise in times of litigation or investigation. (See the RFG Research Notes "The Importance of Electronic Records Retention," "Best Practices for Electronic Records Retention (Part One)," and "Best Practices for Electronic Records Retention (Part Two).") However, before policy formation there are factors that IT executives should examine.

In electronic records retention, process and process consistency are key. An enterprise cannot claim ignorance when faced with an investigation, as penalties will be levied against those enterprises in which a policy is found to be lacking. In addition, those enterprises that have formulated a policy but have neglected to implement or follow it consistently also expose themselves to litigation and monetary penalties. Therefore, it will be imperative for the enterprise to make official, and then follow, an electronic records retention policy.

Any policy established by the enterprise should be documented, and as such, this document will also be subject to the same retention guidelines as set forth in the policy itself. Also, IT executives must delineate a policy for record retrieval and deletion, documented in the same fashion. IT executives should also record all actions taken as pertaining to archival and deletion, and retain these records accordingly. This will enable the enterprise to explain its actions should an investigation be conducted.

A well-formulated policy needs to address classification types, consistency between e-records and paper documents, duration of retention, job categories, location of archive, retrieval requirements, and storage media type. As a first step, the policy should address internal enterprise communication, external enterprise communication, and records within applications such as electronic order entry records or purchase orders. The policy should also break down communication types by job categories. To assist with these efforts, IT executives should develop business application profiles (BAPs) and user application profiles (UAPs) to better understand the overall enterprise and user needs and requirements. (See the RFG Research Notes "The Importance of Business Application Profiles," "An Update on the Importance of Business Application Profiles (BAPs)," and "The Importance of User Application Profiles.")

Internal communication can be classified as any messaging – including e-mail, instant messaging (IM), and other shared documents – solely sent and exchanged within the enterprise, whether or not they pertain to business-related functions. External communications are messages sent and exchanged with a party outside of the company. The third category of records encompasses files or databases that require a set of related applications to be interpreted. Moreover, it is essential that executives understand that it is important to capture the version and release of the application that created or manipulated the records; otherwise, the records could be eventually rendered unintelligible.

The retention of communications falling into the classification of internal business-related communications might be determined by job classification, message type, message content, or by the individual sending the message. Communications not related to business functions should be retained or deleted at the discretion of policy makers. Whatever is decided, all actions must be dictated by a formal and consistent retention/deletion schedule.

For example, in a manufacturing company the internal business e-mails of the person responsible for IT capacity planning may be deemed not worth retaining past six months; whereas all e-mails from a stockbroker in a financial services company may be kept for six years. Another consideration is whether or not the individual should be given the opportunity to delineate the communication type (personal or business) or make the decision as to whether a particular record should be retained. While RFG does not see the retention choice as necessarily a personal decision, some of the laws are vague enough to allow that option.

All external communications should be retained in a fashion consistent with paper communications of the same type. One complication of the electronic age is that messages tend to get forwarded multiple times across systems and can contain duplicate information, including attachments. IT executives need to establish a policy addressing which version(s) of the message will be kept and archived. Moreover, IT executives should review how documents residing on individual user systems will be captured in order to be archived. IT executives should decide if such capture will be done by the user, or through some sort of auto-archival process by an administrator. Regardless, IT executives should ensure that communications are kept in accordance with a schedule of archival activities, and mesh with policies established for backup, business continuance, and disaster recovery. (See the RFG Research Note "Archiving Online Collaboration.")

IT executives should also address the issue of non-business use of business systems. Personal e-mails and other forms of communication, if allowed by the enterprise, will need to be subject to the same retention policies as business communications. This will present a challenge as IT executives will be required to maintain such records in their systems along with business information, tying up valuable storage resources and administrator time and effort. Therefore, IT executives should discourage such forms of communication to protect the enterprise.

IT executives should incorporate such mandates into corporate policy, and make an effort to strictly enforce it. For example, should an employee be using the system to collect and send child pornography from the office, not only is the system archiving vast volumes of data but the company is setting itself up for potential inclusion in a lawsuit. The fact that the company archived the pictures and did not take any actions relative to compliance screening to prevent further transmissions could damage the company's image and financial position.

The capture of metadata to identify and authenticate the record will be key to long-term preservation of a record in question. Contextual information will also be useful in determining the purpose and origin of the record: the legal and organizational system to which the creating body belongs; the mandate, structure, and functions of the creating body; the business procedure in the course of which the record is created; the application to which the record belongs; and the application's structure. Such information will prove invaluable if a need arises to recreate the exact scenario and purpose surrounding a record's existence.

The capture of such metadata can be done in a number of ways. One is to deploy an off-the-shelf software solution that requires users to enter identifying information (into a pop-up window, for example) before transmission of any communication. This will help to ensure that metadata is cataloged upon record creation, and at the original source. Use of such a tool can also help to deter non-business system use and can assist in the screening process. The window serves as a reminder to users that such transmissions will be captured and kept on record for a set period of time as set forth in the e-records retention policy and as mandated by law.

Outsourced arrangements will present a particular challenge to IT executives, especially as it pertains to the capture of metadata and contextual information. For those outsourcing deals, IT executives are still expected, legally, to maintain records pertaining to business functions. Records generated outside of the enterprise by an outsourcer must still be subject to the same e-record retention policy as exists within the enterprise. IT executives must work with their outsourcing vendor to negotiate an agreement acceptable to both parties, to capture and catalog metadata, and archive such information accordingly, so as to conform to policy and existing e-record retention regulations. The latest utility computing initiatives from a number of vendors may help to strengthen outsourcers' abilities through better change management, in order to support IT executives in their electronic records retention efforts. (See the RFG Research Note "Utility Computing: The (R)evolutionary Next Step in Outsourcing.")

RFG believes IT executives should ensure that their e-records retention policy is comprehensive, well documented, and covers issues such as outsourced arrangements and non-business system use. IT executives should investigate the effect of various business arrangements and procedures in light of their formulation of this policy. Furthermore, IT executives should validate that the procedures established as a result of the policy effectively address all the tenets of the policy. This will help to ensure that the enterprise is not left exposed in times of investigation or litigation, should such a scenario arise.

RFG analyst Christie Hangey wrote this Research Note. Interested readers should contact RFG Client Services to arrange further discussion or an interview with Ms. Hangey.


RFG Research Notes provide concise, high-level analysis and recommendations on specific topics of interest to enterprise IT executives. The Notes also provide a framework for further detailed Inquiries by RFG clients, and for follow-up presentations and workshops by RFG research staff available to all interested IT decision-makers. For more information, contact Client Services by telephone at (US) +203/291-6900 or by e-mail at clientservices@rfgonline.com.


Copyright © 2003 Robert Frances Group, Inc. All rights reserved. Agenda products are published by Robert Frances Group, Inc., 22 Crescent Road, Westport, CT 06880. Telephone 203/291-6900. Facsimile 203/291-6906. http://www.rfgonline.com. This publication and all Agenda publications may not be reproduced in any form or by any electronic or mechanical means without prior written permission. The information and materials presented herein represent to the best of our knowledge true and accurate information as of date of publication. It nevertheless is being provided on an "as is" basis. Reprints are available.

