 |
 |
| MOTIVATION FOR A BEST PRACTICE BASED RECORDS MANAGEMENT PROGRAMME
|
EXECUTIVE SUMMARY
It is an established fact that the complexity of doing business in the modern era is increasing exponentially. Not only is the subject matter being dealt with becoming more complex as time moves on but the rapid proliferation of information and new communication technologies also cause severe volume and convergence challenges with existing systems and practices. Along with these phenomenon organisations are facing challenges like an increase in shareholder and regulator activism on a variety of fronts. These factors have in modern times caused a higher level of diligence to be required from people involved in the management of organisations. The extent to which management can effectively show diligence to shareholders, regulators, the courts and other internal or external stakeholders is inextricably linked to its ability to produce credible records of the actions of the organisation at the correct time. Records and record systems make up the backbone of any organisation in this respect. Should management be unable to produce credible records when required to do so, it would have a paralysing effect on the ability of the organisation to defend itself when challenged, or to effectively pursue opportunities in the marketplace when they appear.
Some people view the managing of records as a boring and onerous activity which is a necessary nuisance of day-to-day business. Of course, most individuals don’t understand what records management is, making it easy to dismiss an activity that is so misunderstood. Despite these views, what you don’t know can hurt you and, in the case of records management, what you choose to ignore can cripple your organisation.
WHAT IS RECORDS MANAGEMENT?
Some people have the mistaken impression that records management is about hoarding and filing everything that comes across one’s desk in the course of doing business. In some highly regulated industries it may seem that this is the case. In most cases it’s not just about keeping what is needed, but also for how long, in what format, how to store it, who should have access to it and when and how it should be destroyed (if ever). Proper electronic record management also ensures the retention and management of the necessary metadata associated with these records and the maintenance of their integrity over time to ensure that they can be used as reliable evidence.
There are many different definitions of records and records management. A particularly helpful one reads as follows:
Records Management is:
“A professional discipline that is primarily concerned with the management of document-based information systems. The application of systematic and scientific controls to recorded information required in the operation of an organization’s business. The systematic control of all organizational records during the various stages of their life cycle: from their creation or receipt, through their processing, distribution, maintenance and use, to their ultimate disposition. The purpose of records management is to promote economies and efficiencies in recordkeeping, to assure that useless records are systematically destroyed while valuable information is protected and maintained in a manner that facilitates its access and use.”1
1From article by Priscilla Emery, President and founder of e-Nterprise Advisors, excerpted from the Records Management Report, published by CMS Watch on 30 May 2005.
A record is defined in ISO/SANS 15489 as: "information created, received, and maintained as evidence and information by an organization or person, in pursuance of legal obligations or in the transaction of business".
DRIVERS FOR PROPER RECORDS MANAGEMENT
The following paragraphs represent a set of business drivers for the implementation of proper records management practices within an organisation.
-
1. Regulatory Compliance (click here to read more)
|
South Africa currently has approximately 860 active statutes and 3000 subordinate measures in force which organisations need to track and comply with where required.2
Various existing laws require organisations to retain certain records for specific periods, in specific forms and may require organisations to retain such records indefinitely. There are currently approximately 1600 such requirements in South Africa, a fact that is lost on earlier publications on the subject matter.
These requirements come from among others Tax and Financial, Labour, Health & Safety and Corporate laws. Organisations, depending on their sector and type, have to comply with between 250 and 750 regulatory records retention requirements.
Some laws like the National Credit Act (NCA) even require the mandatory destruction of records after certain periods or events.3 Corporate & accounting law reforms like the new Companies Act 2008 are also placing a higher premium on records management, accountability and audit trails.
Various proposed laws, like the Protection of Personal Information Bill, are set to create new requirements in respect of the retention of records and even in regard to how and when we should destroy them. While the objective of this Bill is to protect personal information, in practice it translates into quite dramatic compliance requirements in respect of information security and records management practices. In its current form it will require companies, employers and government to revisit their information security and records management practices and policies. Businesses processing personal information would now also have an obligation to consider the reasons for which they keep records which creates a substantial burden on already stretched information systems.
Failure to produce a record which had to be retained by law may cause the organisation to be reported to the relevant regulator or government department or be subject to statutory sanctions. Statutory sanctions for non-compliance may be as severe as a fine of R10million or imprisonment for 15 years.
On the evidentiary front the non-retention of records that had to be retained by law may lead to negative inferences to be drawn by the courts in subsequent litigation should they not be available as evidence. This could cripple the organisation in its efforts to defend itself in litigation.
There also seems to be an increase in regulator willingness to pursue regulatory records and accountability requirements in recent times.4
2Figures based on research conducted by Enable Consulting / Law Explorer (Pty) Ltd.
3We refer in this regard to the current mandatory destruction of certain Credit Bureau information required by s17 of the National Credit Act. There is also a similar set of requirements that can voluntarily be subscribed to in terms of the Electronic Communications and Transactions Act.
4The Shabir Shaik trial serves as an example, where one of the subsidiary charges was failure to keep the records prescribed in terms of the Companies Act. Also see in this respect the case of SARS v A Saleem (27 March 2008) where the Supreme Court of Appeal has ruled that the SA Revenue Service was entitled to seize goods belonging to a small business in the absence of any import documents or documentary proof of where they were purchased.
|
-
2. Potential for Outside Access to Information (click here to read more)
|
Since 2000, the Promotion of Access to Information Act (PAIA) makes it possible for lawyers, clients, employees or third parties to gain access to organisational records.5 Where access to records are requested in terms of this Act, a person who, with intent to deny a right of access in terms of the Act: (a) destroys, damages or alters a record; (b) conceals a record; or (c) falsifies a record or makes a false record, commits an offence and is liable on conviction to a fine or to imprisonment for a period not exceeding two years. PAIA however presupposes possession as a requirement for access which begs the question whether an organisation is legally obliged to keep all the records it has at the moment.6 In this regard our law, in general, allows an organisation to destroy records which it is no longer in terms of statutory requirements obliged to keep, as long as it is done systematically in the ordinary course of business and not with the objective to destroy evidence.7 It is also clear from the US Remington Arms case that the destruction of information which may be detrimental to the organisation in future litigation may not be one of the stated objectives of its records management policy. The need is therefore to create a sound system that facilitates the preservation of records that the organisation has an obligation to keep or still has some other use for while timeously destroying those records that the organisation is not required to retain.
5Such access is subject to certain statutory exceptions.
6We refer here to the Shabir Shaik trial in which the trial court judge said that they had found most of the corroborating evidence for the fraud allegations in volumes and volumes of documents kept by Mr Shaik since 1996. Most of these documents were not required to be maintained in terms of any regulatory requirement.
7See in this regard Standard Merchant Bank Ltd v Creaser 1982 (4) SA 671 (W).
|
-
3. Corporate Governance (click here to read more)
|
Since the publication of the Cadbury Report8 in the UK and the first King Report
on corporate governance in South Africa stakeholder expectations are on the
increase regarding the level of diligence and transparency to be applied in
modern organisations. It is almost inconceivable that stakeholders will be
satisfied that proper governance practices exist if the organisation is unable
to produce credible records to this effect. The latest report (King III) also
places a premium on accountability and transparency, aspects which are all
supported by proper records management.
8The report was compiled by Sir Adrian Cadbury in 1992 and was titled Financial Aspects of Corporate Governance.
|
-
4. The Proliferation of Information (click here to read more)
|
A recent study by the International Data Corporation has shown that the amount
of digital data being produced had risen to 281 exabytes (1 exabyte = 1018 bytes
or 1 Billion gigabytes) in 2007 and estimates the total amount of digital
information to grow at a rate of 58% per year, reaching 1610 exabytes by 2011.
This is equal to approximately 80 million times the entire U.S. Library of
Congress’ printed collection.
The same can be said of organisations which rely heavily on electronic
information and communication systems. These systems cause an exponential and
continuous proliferation of vast amounts of valuable and irreplaceable digital
information. If one adds to this the fact that many organisations still has
enormous repositories of paper-based information it becomes clear that special
care is needed in regard to the management of information (irrespective of its
form) because of its sheer volume.
|
-
5. The Proliferation and Convergence of Technologies (click here to read more)
|
The various information and communication systems (electronic and analogue) used
by organisations today had often been developed primarily for their business
application with little or no consideration for the effective preservation of
the records created by them. Systems also commonly function in distinct silos
with limited or no integration between them.
This often causes disparities in the way in which information is handled and
stored across the organisation. One need only think about the way in which
sometimes very valuable information received via e-mail, blackberry and other
new technologies are often treated very differently from formal correspondence received via normal mail or the other more structured systems used by the organisation. With the former systems there are substantially less inherent will or discipline regarding the proper storage and preservation of the records which adds a human behavioural problem to the mix.
These disparities in structure and treatment and the apparent lack of efficient integration between systems cause various inefficiencies and legal as well as business risk across the organisation. The inefficiencies stem from among other the fact that information is duplicated, can’t be leveraged across systems and are often not managed in any co-ordinated manner. This lack of co-ordination and the inherent risk that bad records practices could destroy the evidentiary value of the records in question necessitate a properly structured overarching approach to the management of all records within the organisation. Such an approach must first encapsulate the basic elements of records management which looks at preserving the evidentiary value and accessibility of the records in question and follows a technology neutral approach to their management.
|
-
6. Audit Requirements (click here to read more)
|
Regular audits require an organisation not only to retain certain types of
records and their supporting documents but also the ability to produce them when
needed. An organisation runs the risk of audit qualifications where it is unable
to produce the relevant primary and supporting records. One of the main aims of
records management is to facilitate proper and timeous access and use of records
and it plays an important role in minimising the risk of qualifications.
|
-
7. Best Practice (click here to read more)
|
Many of the ISO management systems standards like ISO 9000 (Quality Management
Systems), ISO 14000 (Environmental Management Systems) and ISO 27000
(Information Security) have at their core, good records practices.
Best practice in the form of various ISO and South African National Standards
dictates the creation of proper policies for records management and retention,
the assessment of the regulatory environment and the creation of records
retention schedules and various other activities regarding records within
organisations. See in this respect among other SANS 15489 (Records Management),
15801 (Legal Admissibility and Evidential Weight of Documents Stored
Electronically) and 23081 (Metadata).
|
-
8. Cost (click here to read more)
|
Many organisations spend significant amounts on record storage. These costs can
potentially be reduced by among other the use of more modern technologies for
storage, the removal of redundancies and the elimination of unnecessary records.
Imaging or the conversion of paper records to digital format could also lead to
significant reductions in storage cost but such projects must be treated with
caution as there are various legal pitfalls that await hasty or ill-conceived
imaging projects where source documents are destroyed after imaging.
The Electronic Communications and Transactions Act (ECT Act), which acts as a
broad overarching e-enabling act, allows us to make use of technology to fulfil
many of our legal duties. This is however subject to various requirements and a
thorough knowledge of this act and its interaction with other acts is paramount
for the success of any modern records management programme.
The ability to generate larger volumes of records in a shorter period of time
has increased the productivity of many organisations but that productivity gain
may be lost if essential records can’t be found during the course of business
or, in even more critical procedures such as an audit, investigation or legal
discovery process. Finding or replacing lost records is expensive in terms of
lost productivity and may result in even more substantial costs like fines,
court costs and even litigation losses.
|
-
9. Case Studies (click here to read more)
|
Various case studies here and abroad have shown the importance of good records
management and retention practices, e.g. Enron, Andersen9 , Worldcom and
Parmalat.10
The US case of Prudential Ins. Co. of America Sales Practices Litigation also
underscores the role of senior management in respect of record keeping. In this
case the Judge said:
"[Top management] recognized [the company’s] obligation to preserve
documents in connection with the lawsuits and investigations. Yet, none took an
active role in formulating, implementing, communicating, or conducting a
document retention policy…When senior management fails to establish and
distribute a comprehensive document retention policy, it cannot shield itself
from responsibility because of field office actions. The obligation to preserve
documents that are potentially discoverable materials is an affirmative one that
rests squarely on the shoulders of senior corporate officers."
9This obstruction of justice case originated from an e-mail sent to employees of
Arthur Andersen (the auditors of Enron) by an in-house lawyer, as Enron's
collapse became public, reminding employees of the company's policy of routine
document shredding. What makes the Andersen ruling important is its formal
acceptance that organisations destroy records in the ordinary course of business
and courts should take this into account. The US Supreme Court placed a premium
on the fact that Andersen had a documented policy on record retention and
destruction. The perceived motive for destruction of records will however,
according to this case, be critical in civil or criminal proceedings. The US
Supreme Court said that “under ordinary circumstances” it is not wrongful for
management to instruct employees to comply with a valid document destruction
policy. It is only when such an instruction is given with a “corrupt motive”
(such as thwarting an investigation) that a crime would be committed.
10Also see
SARS v A Saleem, S v Shaik, R v Katz and R v Diamond.
|
-
10. Discovery (click here to read more)
|
With the advent of the electronic age, discovery during litigation has become an
increasingly complex issue to deal with here and abroad. Once litigation
commences or where litigation is reasonably expected, all records which could
reasonably become subject to discovery proceedings or relevant to the dispute
must be retained. For this organisations need to have robust disposal hold
processes. A court can draw negative inferences or even impose penalties for
improper destruction of records. Our courts are likely to have regard to certain
principles derived from US cases. In Wiginton v. CB Richard Ellis the court
said:
“Defendant had a duty to suspend or alter its document destruction to
preserve potential evidence. Its failure to change its normal document retention
policy, knowing that relevant documents would be destroyed if it did not act to
preserve these documents, is evidence of bad faith."
Similar principles were also applied by the US courts in the Arthur Andersen
(Enron) case. For legal discovery purposes the availability and usability of the
correct records would be of paramount importance. Both of these aspects are
supported by proper records management practices.
|
-
11. E-Videntiary Vulnerability (click here to read more)
|
The ECT Act provides in general for the admissibility and evidential weight of
electronic documents as follows:
15. (1) In any legal proceedings, the rules of evidence
must not be applied so as to deny the admissibility of a data message, in
evidence—
(a) on the mere grounds that it is constituted by a data message; or
(b) if it is the best evidence that the person adducing it could reasonably be
expected to obtain, on the grounds that it is not in its original form.
(2) Information in the form of a data message must be given due evidential
weight.
(3) In assessing the evidential weight of a data message, regard must be had to—
(a) the reliability of the manner in which the data message was generated,
stored or communicated; (b) the reliability of the manner in which the integrity
of the data message was maintained; (c) the manner in which its originator was
identified; and (d) any other relevant factor.
(4) A data message made by a person in the ordinary course of business, or a
copy or printout of or an extract from such data message certified to be correct
by an officer in the service of such person, is on its mere production in any
civil, criminal, administrative or disciplinary proceedings under any law, the
rules of a self regulatory organisation or any other law or the common law,
admissible in evidence against any person and rebuttable proof of the facts
contained in such record, copy, printout or extract.
[Our emphasis]
Section 15(1) of the ECT Act makes it clear that electronic documents are prima
facie admissible as evidence.
The recent case of LA Consortium v MTN11 highlighted the fact that although all
electronic records are now admissible as evidence in our law they would still be
subjected to the normal constraints of the law of evidence, i.e. the ‘hearsay’
and ‘best evidence’ rules.12
Because of the strong emphasis on the reliability of the manner in which the
information was generated, stored or communicated and on how the integrity
thereof was maintained, records could lose some or all of their evidentiary
value if challenged in litigation, if the correct records management procedures
and controls are not applied during the complete life-cycle of the record. These
challenges could be expected where an organisation is not able to provide a
strong argument that the integrity of its records had been maintained over time.
Many organisations dismiss the risk associated with not properly preserving the
integrity of their records. The magnitude of such risk could be extensive if
flawed records practices are applied over many years across the organisation
before such weaknesses are discovered and challenged in court.
For evidentiary value purposes the availability of records, their usability and
the fact that their integrity has been maintained over time would be of
paramount importance. It is also important that one is able to show that the
integrity of the records had been maintained over time. All of these aspects are
supported by proper records management practices.
11LA Consortium & Vending CC t/a LA Enterprises v MTN Service Provider (Pty) Ltd
In re: MTN Service Provider (Pty) Ltd v LA Consortium & Vending CC t/a LA
Enterprises and Others (2004/20602, A5014/08) [2009] ZAGPJHC 63 (17 August 2009)
(SGJ).
12See also Standard Merchant Bank Ltd v Creaser 1982 (4) SA 671 (W) at 674B
and the arguments by Prof Julien Hofman in par 15.11 to 15.14 on pages 464 to
466 of Electronic Evidence, Disclosure, Discovery & Admissibility by Stephen
Mason, regarding the way in which the normal rules of evidence regarding
admissibility (the requirements for production, original form and authenticity)
has been preserved despite the seemingly blanket admissibility afforded by
section 15(1) of the Electronic Communications and Transactions Act.
|
-
12. Organisational Support (click here to read more)
|
Good records practices support and in many instances enable important
functions within the organisation, e.g. proper informed management and
decision-making, stakeholder relationship management, statutory reporting and
compliance, the protection of intellectual property and other rights of the
organisation, supply chain control, risk management and good governance to name
but a few.
WHAT ORGANISATIONS NEED TO DO
The business case set out above argues very strongly for organisations to look
at ways and means to improve the responsible management of documents and records
within their circle of responsibility.
Resources
These days the records management function within an organisation is
anything but mundane, and in many organisations there aren’t enough resources to
handle the increased workload and compliance burden. It is no surprise then that
many organisations are considering the use of technology as a way to get a
better grip on the increased workload and record volumes.
Technology
Organisations do need to ready themselves for the future by implementing modern
technology. Although technology can be a great asset, a basic understanding of
the records management fundamentals and practices are required before
considering any software product. If you don’t have a records management policy
in place along with the appropriate retention and destruction rules for the
records, the software will be useless.
Best Practice
SANS 15489 and 15801 are both based on recognised international best practice
documents that assist one in creating the necessary controls and systems in
order to preserve the integrity of stored information.
It is advisable for organisations to align their activities with international
best practice in this area in order to make strong arguments for the fact that
the integrity of their records have been maintained over time. There are various
other international and national standards that support the working of these two
standards which should also be considered (i.e. ISO/SANS 23081 on metadata). It
is therefore recommended that organisations use these standards as a benchmark
for the assessment or creation of proper records management policies, systems
and processes.
Technology Neutral Approach
Because of the fact that records can be found in a variety of storage media
(e.g. paper, electronic, microfilm, analogue voice recordings etc.) and could be
situated on or in a variety of storage systems (e.g. physical filing solutions,
file servers, e-mail archives etc.) best practice dictates that organisations
follow a technology neutral approach to records management.13 This means that a
range of cross-cutting principles and controls would first be established for
the proper management of records within the organisation before the specific
nuances that may apply to a specific technology are addressed.
Custom Approach
Deciding what would qualify as a record and how long it should be retained draws
from a combination of mandatory prescribed requirements, best practice and a
certain amount of subjective practical considerations depending on the actual
documents in question.
The legislature and regulators set specific requirements for how records are to
be retained, how they should be managed and even when and how they should be
destroyed and this should form the natural starting point when determining the
retention rules for organisational records.
The regulatory environment surrounding an organisation also changes constantly.
During 2007 and 2008 we have seen in excess of 4100 regulatory instruments
promulgated in South Africa.14 Many of these instruments contain new regulatory
retention requirements or amend pre-existing requirements. The potential risk
associated with non-compliance with these regulatory changes necessitates their
monitoring and the update of the organisations documented records retention
schedule on a regular basis.15
As the business reasons for retaining records and the interaction between these
reasons vary significantly from organisation to organisation each one has to
look at its own business operations and determine what business retention rules
should apply for each type of record. These must then be consolidated with the
regulatory and other legal requirements for retention.
Records management crosses numerous disciplines. Demarcating the area of records
management and its related areas like information risk, information security,
data governance, content management and knowledge management is often very
difficult and would be done differently for each organisation.
14These include new acts or regulations, amendments and various other subordinate
statutory measures. Figures based on research conducted by Enable Consulting /
Law Explorer (Pty) Ltd.
15Enable Consulting / Law Explorer (Pty) Ltd in conjunction with a law firm
provides such a regulatory monitoring and bi-annual update service.
The Elements
A properly executed records management programme would establish a sound records
management system and comprise, among other, the following activities or
elements:
- Developing and promulgating a records management policy and objectives
- Creating, approving, and enforcing policies and procedures regarding records, including their identification, classification, collection, creation, retention, management and disposition
- Planning the records management system
- Develop strategies
- Review, identify and document the requirements for records capture or collection from:
- the regulatory requirements applicable to the organisation
- the general evidentiary needs of the organisation
- the general business information needs of the organisation
- determine resource requirements
- define roles and responsibilities
- conduct risk assessment;
- Implementing and operating the records management system
- design and implement records processes and systems
- train and build awareness
- manage resources
- document the system
- report to management
- Ensuring performance and effectiveness of the records management system
- GAP analysis
- Analysis between the records the organisation should have and those it actually has – i.e. compliance assessment (this tells us how well the organisation satisfies both the internal and external requirements for records)
- monitor regulatory and other requirements as they change over time with new laws and other regulatory amendments
- implement non-conformity control measures to deal with areas of non-conformance
- use internal audit to conduct regular reviews of organisational compliance
- Improving the records management system
- analysis and improvement measures
- corrective action
- regular preventative action
- regular management review of the records management system to ensure its continuing suitability, adequacy and effectiveness
- Monitoring
- changes to the regulatory environment
- changes in business needs
- their effect on the organisational record requirements
These activities can be
implemented in a way that best suits the needs of an organisation depending on
its size, distribution, maturity and complexity.
Typical Challenges
Organisations typically face various challenges in implementing proper records
management. These may include:
- Lack of proper management support
- Lack of awareness by records creators
- Multiple varieties of file and media formats
- Disbursement of records data throughout multiple sources
- Lack of robust guidelines and automated support tools
- The determination of custodianship within large organisations
- Multiple requirements from regulatory, business and evidentiary perspectives that relate to the same record
|
|
|
 |
| • |
1 September 2013 |
| |
ISO TC46 SC11 is currently reviewing ISO 15489. The resultant new standard is expected to be quite different from the current ISO 15489 |
|
|
| • |
8 August 2013 |
| |
The following standards were adopted in South Africa as part of the new management system standard for records:- SANS 30300: Information and documentation - Management systems for records - Fundamentals and vocabulary
- SANS 30301: Information and documentation - Management systems for records - Requirements
|
|
|
|
|
 |
|