Records management, also known as records and information management, is an organizational function devoted to the management of information in an organization throughout its life cycle, from the time of creation or inscription to its eventual disposition. This includes identifying, classifying, storing, securing, retrieving, tracking and destroying or permanently preserving records.The ISO 15489-1: 2001 standard ("ISO 15489-1:2001") defines records management as "[the] field of management responsible for the efficient and systematic control of the creation, receipt, maintenance, use and disposition of records, including the processes for capturing and maintaining evidence of and information about business activities and transactions in the form of records".
An organization's records preserve aspects of institutional memory. In determining how long to retain records, their capacity for re-use is important. Many are kept as evidence of activities, transactions, and decisions. Others document what happened and why.The purpose of records management is part of an organization's broader function of Governance, risk management, and compliance and is primarily concerned with managing the evidence of an organization's activities as well as the reduction or mitigation of risk associated with it.
The concept of record is variously defined. The ISO 15489-1:2016 defines records as "information created, received, and maintained as evidence and as an asset by an organization or person, in pursuit of legal obligations or in the transaction of business".While there are many purposes of and benefits to records management, as both these definitions highlight, a key feature of records is their ability to serve as evidence of an event. Proper records management can help preserve this feature of records.
Recent and comprehensive studies have defined records as "persistent representations of activities" as recorded or created by participants or observers.This transactional view emphasizes the importance of context and process in the determination and meaning of records. In contrast, previous definitions have emphasized the evidential and informational properties of records. In organizational contexts, records are materials created or received by an organization in the transaction of business, or in pursuit of or in compliance with legal obligations. This organizational definition of record stems from the early theorization of archives as organic aggregations of records, that is "the written documents, drawings and printed matter, officially received or produced by an administrative body or one of its officials".
The examples and perspective in this article may not represent a worldwide view of the subject. (March 2016) (Learn how and when to remove this template message)
Not all documents are records. A record is a document consciously retained as evidence of an action. Records management systems generally distinguish between records and non-records (convenience copies, rough drafts, duplicates), which do not need formal management. Many systems, especially for electronic records, require documents to be formally declared as a record so they can be managed. Once declared, a record cannot be changed and can only be disposed of within the rules of the system.
Records may be covered by access controls to regulate who can access them and under what circumstances. Physical controls may be used to keep confidential records secure – personnel files, for instance, which hold sensitive personal data, may be held in a locked cabinet with a control log to track access. Digital records systems may include role-based access controls, allowing permissions (to view, change and/or delete) to be allocated to staff depending on their role in the organisation. An audit trail showing all access and changes can be maintained to ensure the integrity of the records.
Just as the records of the organization come in a variety of formats, the storage of records can vary throughout the organization. File maintenance may be carried out by the owner, designee, a records repository, or clerk. Records may be managed in a centralized location, such as a records center or repository, or the control of records may be decentralized across various departments and locations within the entity. Records may be formally and discretely identified by coding and housed in folders specifically designed for optimum protection and storage capacity, or they may be casually identified and filed with no apparent indexing. Organizations that manage records casually find it difficult to access and retrieve information when needed. The inefficiency of filing maintenance and storage systems can prove to be costly in terms of wasted space and resources expended searching for records.
An inactive record is a record that is no longer needed to conduct current business but is being preserved until it meets the end of its retention period, such as when a project ends, a product line is retired, or the end of a fiscal reporting period is reached. These records may hold business, legal, fiscal, or historical value for the entity in the future and, therefore, are required to be maintained for a short or permanent duration. Records are managed according to the retention schedule. Once the life of a record has been satisfied according to its predetermined period and there are no legal holds pending, it is authorized for final disposition, which may include destruction, transfer, or permanent preservation.
A disaster recovery plan is a written and approved course of action to take after a disaster strikes that details how an organization will restore critical business functions and reclaim damaged or threatened records.
An active record is a record needed to perform current operations, subject to frequent use, and usually located near the user. In the past, 'records management' was sometimes used to refer only to the management of records which were no longer in everyday use but still needed to be kept – "semi-current" or "inactive" records, often stored in basements or offsite. More modern usage tends to refer to the entire "lifecycle" of records – from the point of creation right through until their eventual disposal.
The format and media of records is generally irrelevant for the purposes of records management from the perspective that records must be identified and managed, regardless of their form. The ISO considers management of both physical and electronic records.Also, section DL1.105 of the United States Department of Defense standard DoD 5015.02-STD (2007) defines Records Management as "the planning, controlling, directing, organizing, training, promoting, and other managerial activities involving the life cycle of information, including creation, maintenance (use, storage, retrieval), and disposal, regardless of media".
The records life-cycle consists of discrete phases covering the life span of a record from its creation to its final disposition. In the creation phase, records growth is expounded by modern electronic systems. Records will continue to be created and captured by the organization at an explosive rate as it conducts the business of the organization. Correspondence regarding a product failure is written for internal leadership, financial statements and reports are generated for public and regulatory scrutiny, the old corporate logo is retired, and a new one – including color scheme and approved corporate font – takes its place in the organization's history.
Examples of records phases include those for creation of a record, modification of a record, movement of a record through its different states while in existence, and destruction of a record.
Throughout the records life cycle, issues such as security, privacy, disaster recovery, emerging technologies, and mergers are addressed by the records and information management professional responsible for organizational programs. Records and information management professionals are instrumental in controlling and safeguarding the information assets of the entity. They understand how to manage the creation, access, distribution, storage, and disposition of records and information in an efficient and cost-effective manner using records and information management methodology, principles, and best practices in compliance with records and information laws and regulations.
The records continuum theory is an abstract conceptual model that helps to understand and explore recordkeeping activities in relation to multiple contexts over space and time.
A records manager is someone who is responsible for records management in an organization.[ citation needed ]
Section 4 of the ISO 15489-1:2001 states that records management includes:[ citation needed ]
Thus, the practice of records management may involve:
Records-management principles and automated records-management systems aid in the capture, classification, and ongoing management of records throughout their lifecycle. Such a system may be paper-based (such as index cards as used in a library), or may involve a computer system, such as an electronic records-management application.[ citation needed ]
A defensible solution is one that can be supported with clearly documented policies, processes and procedures that drive how and why work is performed, as well as one that has clearly documented proof of behavior patterns, proving that an organization follows such documented constraints to the best of their ability.
While defensibility applies to all aspects of records life cycle, it is considered most important in the context of records destruction, where it is known as "defensible disposition" or "defensible destruction," and helps an organization explicitly justify and prove things like who destroys records, why they destroy them, how they destroy them, when they destroy them, and where they destroy them.
Records managers use classification or categorization of record types as a means of working with records.[ citation needed ] Such classifications assist in functions such as creation, organization, storage, retrieval, movement, and destruction of records.
At the highest level of classification are physical versus electronic records. (This is disputable; records are defined as such regardless of media. ISO 15489 and other best practices promulgate a functions based, rather than media based classification, because the law defines records as certain kinds of information regardless of media.)
Physical records are those records, such as paper, that can be touched and which take up physical space.
Electronic records, also often referred to as digital records, are those records that are generated with and used by information technology devices.
Classification of records is achieved through the design, maintenance, and application of taxonomies, which allow records managers to perform functions such as the categorization, tagging, segmenting, or grouping of records according to various traits.
Enterprise records represent those records that are common to most enterprises, regardless of their function, purpose, or sector. Such records often revolve around the day-to-day operations of an enterprise and cover areas such as but not limited litigation, employee management, consultant or contractor management, customer engagements, purchases, sales, and contracts.
The types of enterprises that produce and work with such records include but are not limited to for-profit companies, non-profit companies, and government agencies.
Industry records represent those records that are common and apply only to a specific industry or set of industries. Examples include but are not limited to medical industry records (e.g., the Health Insurance Portability and Accountability Act), pharmaceutical industry records, and food industry records.
Legal hold records are those records that are mandated, usually by legal counsel or compliance personnel, to be held for a period of time, either by a government or by an enterprise, and for the purposes of addressing potential issues associated with compliance audits and litigation. Such records are assigned Legal Hold traits that are in addition to classifications which are as a result of enterprise or industry classifications.
Legal hold data traits may include but are not limited to things such as legal hold flags (e.g. Legal Hold = True or False), the organization driving the legal hold, descriptions of why records must be legally held, what period of time records must be held for, and the hold location.
A records retention schedule is a document, often developed using Archival appraisal concepts and analysis of business and legal contexts within the intended jurisdictions, that outlines how long certain types of records need to be retained for before they can be destroyed.
Managing physical records involves different disciplines or capabilities and may draw on a variety of forms of expertise.
Commercially available products can manage records through all processes active, inactive, archival, retention scheduling and disposal. Some also utilize RFID technology for the tracking of the physical file.
The general principles of records management apply to records in any format. Digital records, however, raise specific issues. It is more difficult to ensure that the content, context and structure of records is preserved and protected when the records do not have a physical existence. This has important implications for the authenticity, reliability, and trustworthiness of records.
Much research is being conducted on the management of digital records. The International Research on Permanent Authentic Records in Electronic Systems (InterPARES) Project is one example of such an initiative. Based at the School of Library, Archival and Information Studies at the University of British Columbia, in Vancouver, British Columbia, Canada, the InterPARES Project is a collaborative project between researchers all across the world committed to developing theories and methodologies to ensure the reliability, accuracy, and authenticity of digital records.
Functional requirements for computer systems to manage digital records have been produced by the US Department of Defense,The United Kingdom's National Archives and the European Commission, whose MoReq (Model Requirements for the Management of Electronic Records) specification has been translated into at least twelve languages funded by the European Commission.
Particular concerns exist about the ability to access and read digital records over time, since the rapid pace of change in technology can make the software used to create the records obsolete, leaving the records unreadable. A considerable amount of research is being undertaken to address this, under the heading of digital preservation. The Public Record Office Victoria (PROV) located in Melbourne, Australia published the Victorian Electronic Records Strategy (VERS) which includes a standard for the preservation, long-term storage and access to permanent electronic records. The VERS standard has been adopted by all Victorian Government departments. A digital archive has been established by PROV to enable the general public to access permanent records. Archives New Zealand is also setting up a digital archive.
Electronic Tax Records are computer-based/non-paper versions of records required by tax agencies like the Internal Revenue Service. There is substantial confusion about what constitutes acceptable digital records for the IRS, as the concept is relatively new. The subject is discussed in Publication 583 and Bulletin 1997-13, but not in specific detail.
Businesses and individuals wishing to convert their paper records into scanned copies may be at risk if they do so. For example, it is unclear if an IRS auditor would accept a JPEG, PNG, or PDF format scanned copy of a purchase receipt for a deducted expense item.
While public administration, healthcare and the legal profession have a long history of records management, the corporate sector has generally shown less interest. This has changed in recent years due to new compliance requirements, driven in part by scandals such as the Enron/Andersen affair and more recent problems at Morgan Stanley. Corporate records compliance issues including retention period requirements and the need to disclose information as a result of litigation have come to be seen as important. Statutes such as the US Sarbanes-Oxley Act have resulted in greater standardization of records management practices. Since the 1990s the shift towards electronic records has seen a need for close working relations between records managers and IT managers, particularly including the legal aspects, focused on compliance and risk management.
Privacy, data protection, and identity theft have become issues of increasing interest. The role of the records manager in the protection of an organization's records has grown as a result. The need to ensure personal information is not retained unnecessarily has brought greater focus to retention schedules and records disposal.
The increased importance of transparency and accountability in public administration, marked by the widespread adoption of Freedom of Information laws, has led to a focus on the need to manage records so that they can be easily accessed by the public. For instance, in the United Kingdom, Section 46 of the Freedom of Information Act 2000 required the government to publish a Code of Practice on Records Management for public authorities.Similarly, European Union legislation on Data Protection and Environmental Information, requiring organisations to disclose information on request, create a need for effective management of such records.
Implementing required changes to organisational culture is a major challenge, since records management is often seen as an unnecessary or low priority administrative task that can be performed at the lowest levels within an organization. Reputational damage caused by poor records management has demonstrated that records management is the responsibility of all individuals within an organization.
An issue that has been very controversial among records managers has been the uncritical adoption of Electronic document and records management systems.
Another issue of great interest to records managers is the impact of the internet and related social media, such as wikis, blogs, forums, and companies such as Facebook and Twitter, on traditional records management practices, principles, and concepts, since many of these tools allow rapid creation and dissemination of records and, often, even in anonymous form.
A difficult challenge for many enterprises is tied to the tracking of records through their entire information life cycle so that it's clear, at all times, where a record exists or if it still exists at all. The tracking of records through their life cycles allows records management staff to understand when and how to apply records related rules, such as rules for legal hold or destruction.
As the world becomes more digital in nature, an ever-growing issue for the records management community is the conversion of existing or incoming paper records to electronic form. Such conversions are most often performed with the intent of saving storage costs, storage space, and in hopes of reducing records retrieval time.
Tools such as document scanners, optical character recognition software, and electronic document management systems are used to facilitate such conversions.
Many colleges and universities offer degree programs in library and information sciences which cover records management. Furthermore, there are professional organizations which provide a separate, non-degreed, professional certification for practitioners, the Certified Records Manager designation or CRM.
An Electronic Document and Records Management System is a computer program or set of programs used to track and store records. The term is distinguished from imaging and document management systems that specialize in paper capture and document management respectively. Electronic records management Systems commonly provide specialized security and auditing functionality tailored to the needs of records managers.
The National Archives and Records Administration (NARA) has endorsed the U.S. Department of Defense standard 5015.2 as an "adequate and appropriate basis for addressing the basic challenges of managing records in the automated environment that increasingly characterizes the creation and use of records".Records Management Vendors can be certified as compliant with the DoD 5015.2-STD after verification from the Joint Interoperability Test Command which builds test case procedures, writes detailed and summary final reports on 5015.2-certified products, and performs on-site inspection of software.
The National Archives in the UK has published two sets of functional requirements to promote the development of the electronic records management software market (1999 and 2002).It ran a program to evaluate products against the 2002 requirements. While these requirements were initially formulated in collaboration with central government, they have been taken up with enthusiasm by many parts of the wider public sector in the UK and in other parts of the world. The testing program has now closed; The National Archives is no longer accepting applications for testing. The National Archives 2002 requirements remain current.
The European Commission has published "MoReq", the Model Requirements for Electronic Records and Document Management in 2001.Although not a formal standard, it is widely regarded and referred to as a standard. This was funded by the Commission's IDA program, and was developed at the instigation of the DLM Forum. A major update of MoReq, known as MoReq2, was published in February 2008. This too was initiated by the DLM Forum and funded by the European Commission, on this occasion by its IDABC program (the successor to IDA). A software testing framework and an XML schema accompany MoReq2; a software compliance testing regime was agreed at the DLM Forum conference in Toulouse in December 2008.
The National Archives of Australia (NAA) published the Functional Specifications for Electronic Records Management Systems Software (ERMS), and the associated Guidelines for Implementing the Functional Specifications for Electronic Records Management Systems Software, as exposure drafts in February 2006.
Archives New Zealand published a 'discretionary best practice' Electronic Recordkeeping Systems Standard (Standard 5) in June 2005, issued under the authority of Section 27 of the Public Records Act 2005.
Commercial records centers are facilities which provide services for the storage for paper records for organizations. In some cases, they also offer storage for records maintained in electronic formats. Commercial records centers provide high density storage for paper records and some offer climate controlled storage for sensitive non-paper and critical (vital) paper media. There is a trade organization for commercial records centers (for example, PRISM International), however, not all service providers are members.
A document management system (DMS) is a system used to track, manage and store documents and reduce paper. Most are capable of keeping a record of the various versions created and modified by different users. In the case of the management of digital documents such systems are based on computer programs. The term has some overlap with the concepts of content management systems. It is often viewed as a component of enterprise content management (ECM) systems and related to digital asset management, document imaging, workflow systems and records management systems.
Enterprise content management (ECM) extends the concept of content management by adding a time line for each content item and possibly enforcing processes for the creation, approval and distribution of them. Systems that implement ECM generally provide a secure repository for managed items, be they analog or digital, that indexes them. They also include one or more methods for importing content to bring new items under management and several presentation methods to make items available for use.
In business and accounting, information technology controls are specific activities performed by persons or systems designed to ensure that business objectives are met. They are a subset of an enterprise's internal control. IT control objectives relate to the confidentiality, integrity, and availability of data and the overall management of the IT function of the business enterprise. IT controls are often described in two categories: IT general controls (ITGC) and IT application controls. ITGC include controls over the Information Technology (IT) environment, computer operations, access to programs and data, program development and program changes. IT application controls refer to transaction processing controls, sometimes called "input-processing-output" controls. Information technology controls have been given increased prominence in corporations listed in the United States by the Sarbanes-Oxley Act. The COBIT Framework is a widely used framework promulgated by the IT Governance Institute, which defines a variety of ITGC and application control objectives and recommended evaluation approaches. IT departments in organizations are often led by a Chief Information Officer (CIO), who is responsible for ensuring effective information technology controls are utilized.
TOWER Software was a software development company, founded in 1985 in Canberra, Australia. The company provided and supported enterprise content management software, notably its TRIM product line for electronic records management.
Micro Focus Content Manager is an electronic document and records management system (EDRMS) marketed by the Micro Focus. Content Manager is an enterprise document and records management system for physical and electronic information designed to help businesses capture, manage, and secure business information in order to meet governance and regulatory compliance obligations.
Information lifecycle management (ILM) refers to strategies for administering storage systems on computing devices.
A retention period is an aspect of records and information management (RIM) and the records life cycle that identifies the duration of time for which the information should be maintained or "retained," irrespective of format. Retention periods vary with different types of information, based on content and a variety of other factors, including internal organizational need, regulatory requirements for inspection or audit, legal statutes of limitation, involvement in litigation, and taxation and financial reporting needs, as well as other factors as defined by local, regional, state, national, and/or international governing entities.
DIRKS, an acronym for Designing and Implementing Recordkeeping Systems, is a comprehensive manual outlining the process for creating records management systems including various business information records and transactions as outlined in the Australian Standard for Records Management - AS ISO 15489. DIRKS was developed by the National Archives of Australia in collaboration with the State Records Authority of New South Wales.
International standards in the ISO/IEC 19770 family of standards for IT asset management (ITAM) address both the processes and technology for managing software assets and related IT assets. Broadly speaking, the standard family belongs to the set of Software Asset Management standards and is integrated with other Management System Standards.
Email archiving is the act of preserving and making searchable all email to/from an individual. Email archiving solutions capture email content either directly from the email application itself or during transport. The messages are typically then stored on magnetic disk storage and indexed to simplify future searches. In addition to simply accumulating email messages, these applications index and provide quick, searchable access to archived messages independent of the users of the system using a couple of different technical methods of implementation. The reasons a company may opt to implement an email archiving solution include protection of mission critical data, to meet retention and supervision requirements of applicable regulations, and for e-discovery purposes. It is predicted that the email archiving market will grow from nearly $2.1 billion in 2009 to over $5.1 billion in 2013.
Information technology risk, IT risk, IT-related risk, or cyber risk is any risk related to information technology. While information has long been appreciated as a valuable and important asset, the rise of the knowledge economy and the Digital Revolution has led to organizations becoming increasingly dependent on information, information processing and especially IT. Various events or incidents that compromise IT in some way can therefore cause adverse impacts on the organization's business processes or mission, ranging from inconsequential to catastrophic in scale.
ISO 24517-1:2008 is an ISO Standard published in 2008.
The DLM Forum is a European membership community of Public Archives and parties interested in archives, records and information management throughout the European Union. Membership is open to all. The Forum is known for its creation of the MoReq series of records management standards.
Information governance, or IG, is the overall strategy for information at an organization. Information governance balances the risk that information presents with the value that information provides. Information governance helps with legal compliance, operational transparency, and reducing expenditures associated with legal discovery. An organization can establish a consistent and logical framework for employees to handle data through their information governance policies and procedures. These policies guide proper behavior regarding how organizations and their employees handle electronically stored information (ESI).
MoReq2 is short for “Model Requirements for the Management of Electronic Records”, second version. It consists of a formal requirements specification for a generic electronic records management system, accompanied by testing documentation and related information. Published in 2008 by the European Commission, it is intended for use across the European Union, but can be used elsewhere. MoReq2 is generally considered a de facto standard in Europe but it does not have any formal status as a standard.
Digital mailroom is the automation of incoming mail processes. Using document scanning and document capture technologies, companies can digitise incoming mail and automate the classification and distribution of mail within the organization. Both paper and electronic mail (email) can be managed through the same process allowing companies to standardize their internal mail distribution procedures and adhere to company compliance policies.
An electronic trial master file (eTMF) is a trial master file in electronic format. It is a type of content management system for the pharmaceutical industry, providing a formalized means of organizing and storing documents, images, and other digital content for pharmaceutical clinical trials that may be required for compliance with government regulatory agencies. The term eTMF encompasses strategies, methods and tools used throughout the lifecycle of the clinical trial regulated content. An eTMF system consists of software and hardware that facilitates the management of regulated clinical trial content. Regulatory agencies have outlined the required components of eTMF systems that use electronic means to store the content of a clinical trial, requiring that they include: Digital content archiving, security and access control, change controls, audit trails, and system validation.
ISO/IEC 27040 is part of a growing family of International Standards published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) in the area of security techniques; the standard is being developed by Subcommitee 27 (SC27) - IT Security techniques of the first Joint Technical Committee 1 of the ISO/IEC. A major element of SC27's program of work includes International Standards for information security management systems (ISMS), often referred to as the 'ISO/IEC 27000-series'.
Storage security is a specialty area of security that is concerned with securing data storage systems and ecosystems and the data that resides on these systems.
ISO 15489 Information and documentation -- Records management is an international standard for the management of business records, consisting of two (2) parts: Part 1: Concepts and principles and Part 2: Guidelines. ISO 15489 is the first standard devoted specifically to records management; providing an outline for comprehensive assessment of full and partial records management programs.