Guest contribution by Martin Waldron,
In-Form Consult Ltd; Managing Director
MGB MoReq Governance Board, Chair
First part of the article. Parts 2 to 4 will appear in the next issues of the PROJECT CONSULT Newsletter. The contribution was originally written as a white paper for the company EMC.
Records Management – the bedrock of Corporate Governance
Corporate Information
Information is an organisation’s second most important asset after people - they cannot function without it.
All organisations require information in order to operate. This information may be held as physical documents in storage areas or on computer systems dissipated throughout its IT network in information silos. It can be held in a wide range of formats from documents and e-mails through to audio or video.
Organisations of all types and sizes are suffering from information constipation, “a state in which the usual flow of information (documents) is blocked or obstructed”, coupled with information fragmentation and poor access controls. The result is manifest in headline-grabbing items like lost discs containing the personal details of 15 million UK taxpayers, details of all UK driving licences appearing in a data centre in the US, the destruction of files in the Enron collapse, and poor controls over sex offenders’ details resulting in the Norfolk murder of two school girls by a caretaker.
These and many similar cases have resulted in increased pressure from regulators and government to enact new legislation for improved information management.
The result has been that the first decade of the 21st century has seen a raft of new legislation and directives in both the public and private sector demanding more accountability and improved corporate governance by organisations. Section 3 outlines some of the Directives and legislation that have been enacted at a European, international and national level. These legislative requirements articulate the need for organisations to adopt more discipline, at both a corporate and a user level, in how information is managed.
The result is Records Management: the discipline of organising (classifying) documents in a standard manner across the organisation and managing them for ease of access, control and disposition. Adopting and operating a Corporate Records Management system and its disciplines across the organisation has become a pressing requirement.
Organisations who have gone through the process of adopting and implementing a corporate approach to Records Management to address their Regulatory or Legislative requirements have also realised other benefits not envisioned at the outset.
E.g. optimised storage usage, less rework, re-use of information, customers serving themselves …
Records Management & European Standards
What is Records Management
Section 2 of MoReq2 provides a useful list of definitions of the main terms used in Electronic Records Management.
Main definitions are:
· A record, as defined in ISO 15489 (Records Management):
Information created, received, and maintained as evidence and information by an organisation or person, in pursuance of legal obligations or in the transaction of business.
· Electronic Records Management System (ERMS):
An ERMS is primarily an application for managing electronic records, though it may also be used to manage physical records. An ERMS is often closely integrated with an Electronic Document Management System (EDMS) or a business application. Technically, an ERMS manages records, while an EDMS manages documents (which are not records). However, especially when used to support day-to-day working, it can be difficult to separate their functionality.
Records management aggregates files in a structured manner, and good practice dictates that this structure should reflect business functions. The representation of this aggregation is referred to as a “classification scheme”.
· Retention and disposition schedule:
A formal instrument that defines the retention periods and consequent disposition actions authorised for records described in the schedule.
MoReq
MoReq is the European ‘standard’ for Electronic Records Management (ERM) first published in 2001. MoReq2, published in March 2008, is the updated version of MoReq. Unlike other internationally recognized ERM specifications such as the USA DoD and the UK TNA, it is written to be equally applicable to public and private sector organizations.
The specification covers both records management and related areas such as document management, e-mail and physical record management.
Compliance Regulations and Legislation
The compliance regulations that need addressing by an organisation can be set by national and European governments, and international regulatory bodies. Below are summarised some of the main legislative and regulatory requirements that are in place across Europe.
International Legislation
Basel II
Basel II is an amended regulatory framework that has been developed by the Bank of International Settlements. It affects all internationally active banks and other financial institutions such as bankers, custodians, fund managers and brokers at every tier within the banking group. These companies are required to adopt consistent risk management practices for tracking and publicly reporting exposure to operational, credit and market risks. Basel II calls for more emphasis on banks’ internal risk management methods, supervisory reviews and market discipline in order to enhance their risk measurement and management capabilities. To implement these regulations effectively, companies will need robust systems to support the collection, storage and analysis of data.
Securities and Exchange Commission
The Securities and Exchange Commission (SEC) aims to protect US investors and maintain the integrity of the securities markets. Current SEC regulations set out requirements for out-of-region disaster recovery as well as online retention of e-mail.
Sarbanes-Oxley Act
The Sarbanes-Oxley Act (SOX) was signed into US law on 30 July 2002 and introduces significant legislative changes to financial practices and corporate governance regulation. SOX aims to strengthen overall business operations by providing guidelines to efficiently manage internal controls and enhance financial reporting practices. The objective of these stringent new rules is to protect investors by improving the accuracy and reliability of corporate disclosures.
IT plays a big part in enforcement and the Act specifically demands that affected companies document the IT controls they have in place to ensure compliance. Section 404 of SOX particularly focuses on IT. It is primarily concerned with the integrity of the information on which auditors’ reports are based, with implications for the systems underlying this information. That has been underscored by the fact that any failing in the integrity of this information can mean hefty sanctions or even jail for the corporate officers signing off on the accounts. There is speculation that Europe’s own SOX-like act is just around the corner.
International Financial Reporting Standards
From 2006 onwards, most major businesses in Europe will switch over to the International Financial Reporting Standards (IFRS) for signing off their accounts. This shift to IFRS is the culmination of a decade-long initiative to harmonise many of the core elements of the different accounting methods that exist around the world. In the UK, IFRS will involve a greater depth of disclosure of financial information and ensuring that various items appear on the balance sheet in a globally consistent way. Individual departments and business units will have to feed more information to the accounts function in greater detail, increasing the strain on information systems from enterprise resource planning packages to business intelligence systems.
Data Protection Act
The Data Protection Act is one of the oldest laws relating specifically to IT: the first UK Act was passed in 1984, and a major revision, in line with a European Commission directive, was passed in 1998. The goal of the Act is to prevent organisations from trading data that was given to them for one purpose only, from unscrupulously sharing information of a personal nature, or from building up aggregated profiles of individuals, and to prevent inaccurate information about individuals from being used or shared. The Data Protection Act applies very widely: most organisations are obliged to register with the Information Commissioner, and information does not need to be held on a computer to be covered by the Act. It is frequently misinterpreted and sometimes taken to be more prescriptive than it actually is.
The e-Privacy Directive
The Directive on Privacy and Electronic Communications affects all businesses that use electronic media for direct marketing, including those communicating to their own customers. It covers phone calls as well as e-mails and interactions between web sites and their visitors.
The law, enforced in the UK from October 2003, requires service providers to secure personal and behavioural data (such as location or caller IDs), and gives recipients the right to refuse cookies from being installed on their machines. It forces e-mail senders to secure the permission of the recipient before sending them unsolicited direct marketing e-mail.
Freedom of Information Act 2000
The Freedom of Information Act (FOIA) covers all information held by public authorities including central government, local government, NHS, schools and the police. It requires these authorities to issue a publication scheme and provides a “right to know”. A public authority must respond within twenty days of receiving a written request for information indicating if it holds the information requested and disclosing the information, subject to certain exemptions and conditions. There are numerous exemptions, and the cost of finding and retrieving the information cannot be excessive.
FOIA overlaps with the DPA. It provides no additional right for an individual to ask for data about themselves. Information is not disclosed if it violates a principle of the Data Protection Act.
Environmental Information Regulations
This Statutory Instrument was introduced in order to conform to an EU directive giving the public better access to environmental information. The law interacts with FOIA and is not widely understood or even known about.
Financial Services and Markets Act 2000
The role of the Financial Services Authority under section 153 of the Act is to create and publish a detailed ‘rule-making instrument’ referred to as the FSA handbook. The handbook contains a number of key document and records management recommendations, most notably rule 5.3.1 (6). This requires a company to retain accounting records for a minimum of six years, and for the first two years these records must be stored in such a manner that they can be produced within 24 hours of a request.
European Member State Legislation
European Commission Directives in the areas of information management require member states to put in place legislation for the wider adoption of electronic working. The following need to be considered in developing a corporate compliance agenda:
EC Electronic Signature Directive
This legislation has a key role in the EC Information Management strategy in that it obliges EU Member States to legally recognise digital signatures and also to ensure that digital signatures are admissible as evidence in legal proceedings. As electronic signatures come to be regarded by member states as equally admissible as paper documents and manual signatures, a secure and permanent means of storing electronic data will be required.
Germany recognises a “qualified electronic signature” as equivalent to an original handwritten signature on a document, provided a qualified certification service provider authenticates the signature. France has the same legal acceptance of electronic signatures. In practice there has been little take-up by organisations, public or private, to date.
EC EDI Directive
The EC EDI Directives require that a complete and chronological record of all EDI messages exchanged by the parties in the course of a trade transaction shall be stored by each party, unaltered and securely, in accordance with the time limits and specifications prescribed by the legislative requirements of [each member state’s] own national law, and, in any event, for a minimum of three years following the completion of the transaction.
EC e-commerce Directive
The EC e-commerce Directive provides that Member States should recognise that contracts may be concluded electronically. With the use of electronic contracts throughout the EU only likely to increase as a result of this legislation, this can only reinforce the requirement that organisations enable the secure storage of digital copies of such contracts.
National Compliance Supportive Legislation
Member States have also put in place best practice guidelines to support improved Information Management practices:
French National Standard
The National Standard (NF Z 42-013) code of practice presents the specifications relating to the design and operation of computer systems intended to assure the preservation and integrity of documents stored in such systems. This document is published as a set of recommendations, including both procedural and technical requirements. It relates to both scanned images and computer-created documents.
Dutch National Records Management Specification - ReMANO
The Dutch government developed a set of Records Management standards: ReMANO 2004, Records Management Applicaties voor de Nederlandse Overheid. This specification was based on MoReq and ISO 15489. It is now widely used in the Dutch public sector in developing ERM specifications and Records Management programmes.
German DOMEA
DOMEA is a standard for the internal use of document technologies within the administration; DOMEA stands for Document Management and Electronic Archival. The project was initiated by KBSt, the department for co-ordination and consulting for IT projects of the Ministry of the Interior. DOMEA is now, in principle, widely adopted in nearly all public sector segments, and even by some non-public-sector companies.