Annotated Outline Part 4
PART 4
Records Identification, Retention, Protection, and Disposition
The identification, retention, protection, and disposition of records, regardless of where information is created or maintained, are necessary for an established records program. A records professional must understand these elements and be able to aid the organization in developing a strategy and implementing these concepts throughout the organization.
- IDENTIFICATION
- Inventory. Before records can be inventoried, retained properly, protected appropriately, or disposed of accurately, they must be identified. It is essential to know what an organization's records are, where they are, and who owns them. Know and understand the concepts, processes, and procedures involved with a records inventory. Interpret the correlation between the records inventory and the volume, scope, location, and complexity of an organization’s records. Be able to identify the objectives and strategies involved with conducting the inventory. Know the activities necessary to begin the records inventory and the staffing needed. Understand the difference between a physical inventory and the questionnaire or survey method, when each is used, and the procedures necessary for conducting the inventory. Examine various manual and automated methods of collecting the necessary data. Be able to implement a training program for all stakeholders involved with the inventory.
- Valuation. Understand how to evaluate records and determine their value over time. Know the meaning of and be able to apply such terms as operational, administrative, fiscal, legal, evidential, research, and archival value. Be able to define vital records and determine which records are mission-critical to the organization.
- RETENTION
- Development. A thorough understanding of the Principle of Retention is of paramount importance. An organization shall maintain its records and information for an appropriate time, taking into account its legal, regulatory, fiscal, operational, and historical requirements. Be able to explain what a general or functional schedule is versus a program-specific or departmental retention schedule. Know which stakeholders in the organization should be involved in the development of the schedule. Be able to explain the pros and cons of using a bucket approach. Identify the approvals required to validate the schedule within the organization. Understand the importance of input from the organization's business units, legal research, the regulatory environment, and historical considerations when crafting a retention schedule. Understand the elements of the retention schedule and how they will be displayed. Know the different stages of the records life cycle including active, inactive, and final disposition, as well as the appropriate controls that need to be applied during each stage. Know what event-driven retention periods and trigger dates are, and when they are best applied. Understand how privacy and data protection laws affect the retention schedule.
- Implementation. Know and understand the physical and electronic methods of publication and distribution of the retention schedule. Understand the audience, the media, and the format to be used for each. Know how to develop a strategy to promote retention schedule implementation and use throughout an organization. Be able to develop communication and training plans for the various user groups involved in implementing the retention schedule. Know the key administrators and contacts to incorporate and apply the schedule in all applicable systems, programs, and repositories.
- Compliance and Audit. Understand how to develop a change control process including approvals, version control, and notification processes. Be able to identify external and internal events, both scheduled and unscheduled, that may necessitate revising the records retention schedule. Be able to discuss the impact of administrative, legal, tax, and audit holds. Understand the need for a measurement process to assess compliance with the schedule. Understand the use of compliance measurements, audits, and approvals to ensure the record retention schedule is uniformly applied throughout the organization.
- PROTECTION
- Business Continuity. A thorough understanding of the Principle of Protection is critical to ensure an acceptable level of protection for records and information. A business continuity/disaster recovery plan must be developed, maintained, and reviewed regularly. Be able to perform a cost/benefit analysis to assess the best method of protection. Understand the different requirements for protecting records that are private, confidential, privileged, secret, or vital to business continuity. Know the differences and similarities between business continuity planning and disaster preparedness, and the terms associated with them. Be able to categorize the types of disasters, define their scope, and prioritize responses. Know the levels of support needed to enact a business continuity plan and be familiar with the resources needed to facilitate the plan, both inside and outside the organization. Understand the risk analysis involved in developing the plan, including business impact analysis. Understand how the responsibilities for preparedness are assigned throughout the organization and be familiar with contingency procedures. Know the various forms of protection including means of storage, alternate locations, and security procedures. Be familiar with pros and cons of cloud and data center backups to evaluate which one will best meet company needs. Be able to identify vital records storage equipment (including vaults, safes, etc.), as well as access restrictions involved in their use. Be familiar with the conditions that can damage records and the processes used to reverse or halt the further deterioration of records in any media.
- Implementation and Audit. Be able to document procedures to be followed in case of a catastrophe or other serious business interruptions. Be able to identify the emergency personnel, equipment, sources, and supplies to deal with them. Know how to develop a training plan and materials. Recognize how to test the plan, and understand how it is to be maintained and updated. Identify the immediate, short-term, and long-term recovery procedures following a disaster in which records of any media type are damaged or destroyed. Ensure procedures associated with the recovery of records damaged by water, fire, smoke, or chemicals are documented. Understand what hot sites and cold sites are, and how they relate to the business continuity plan. Be able to identify the types of risk assessment and how they apply to vital records. Understand the purpose and value of recurring audits, as well as triggers and scheduling for updates.
- DISPOSITION
- Implementation. It is an absolute necessity to thoroughly understand the Principle of Disposition and that disposition includes destruction, transfer to another entity, an archive, or permanent preservation. Be able to identify the controls used in implementing final disposition, such as box and file number validation, quality controls, authorizations, and certificates of destruction. Know and be able to implement best practices to ensure defensible deletion of information.
- Archives. Know the purpose of an archive. Be able to define and differentiate among the various types: a manuscript collection, a public archive, and a private archive. Understand the concept of native formats and how to address both digital and physical archives. Recognize the need for control, including policy and procedures around access and security. Define terms that describe archival values such as historical, research, intrinsic, evidential, and informational. Be familiar with services that are provided to researchers at an archive. Define provenance and original order. Be able to describe the media-dependent methods used to preserve long-term and archival records. Identify the environmental factors such as temperature, humidity, lighting, and pollution that affect the preservation of archival records recorded on all media. Be able to describe archival storage techniques, locating systems, and finding aids. Understand the role of metadata in ensuring a complete and accurate history of the preservation of records over time. Understand the difference between migration and conversion, and when each is warranted for the preservation of digital records.
- Destruction. Be able to list and define the various methods of destruction: shredding, incineration, chemical disintegration, erasure/degaussing, reformatting, cutting/crushing/pulverizing, recycling, and sanitization. Be familiar with elements of destruction in ISO 15489-1 and 15489-2, as well as appropriate statutes, regulations, and guidelines that affect your organization. Understand the implications of on-site and off-site destruction, and when each is warranted. Consider the various record formats and be able to apply the most secure method of destruction to each. Be able to design and document destruction procedures and protocols, ensuring all versions of records are destroyed/eradicated. Thoroughly consider contractual obligations when using a third-party vendor for destruction, such as method, destruction window, ability to observe destruction, security precautions, certificates of destruction, confidentiality, audits, and costs. Be able to perform due diligence on third-party providers with regard to employee screening, training, operations, destruction process, insurance, facility and transportation considerations, recycling, and other outsourcing concerns.
Sources used: Records and Information Management: Fundamentals of Professional Practice, 2nd ed., William Saffady, Ph.D. (page 94); Evaluating and Mitigating Records and Information Risks, ARMA Int'l (page 14, 4.3.3 Disposal); ISO 15489-1 and ISO 15489-2.