With an estimated 2.5 quintillion bytes of data created every day, making sure that data is used and accessed securely and correctly falls under the remit of information governance and electronic records management.
What is information governance?
Gartner defines Information Governance (IG) as “the specification of decision rights and an accountability framework to ensure appropriate behaviour in the valuation, creation, storage, use, archiving and deletion of information.
It includes the processes, roles, and policies, standards and metrics that ensure the effective and efficient use of information in enabling an organization to achieve its goals.”
What is electronic records management?
Electronic records management (ERM) covers the whole life of an electronic record: its creation or receipt, maintenance, use and disposal. It includes control over, and security of, access to and transfer of these records.
ERM also includes how your business captures and maintains evidence of and information about business activities and transaction records for legal and regulatory requirements.
Business drivers for electronic records management
There are three main drivers for ERM: regulatory compliance, business continuity and improving business efficiency.
1. Regulatory compliance
When considering your ERM strategy, the data protection laws and regulations in your country, or countries, of operation must be observed. Map these requirements out from a compliance perspective so that the strategy aligns with them.
In the European Union, the General Data Protection Regulation (GDPR) governs data protection and privacy. In South Africa, the Protection of Personal Information Act (POPIA) applies, and in the United States there is no single comprehensive federal privacy law; instead, sector-specific federal laws and hundreds of state privacy and data security laws across the 50 states apply.
2. Business continuity
Business continuity and records management go hand in hand: when business operations are disrupted you need an effective continuity response and disaster recovery plan in place to minimize downtime.
Quick and reliable restoration of electronic records, especially those essential to running the business, is a vital part of electronic records management.
3. Improved business efficiency
An effective ERM program lets staff find the right record quickly, avoids keeping redundant copies, and promptly escalates records-related risks, such as records overdue for disposal or accessed outside their intended purpose, to the people accountable for them, so that management decisions rest on reliable records. When ERM is working properly it makes better use of resources in managing the organization's core records, reduces the impact of crisis events and protects the reputation of the organization.
The lifecycle of electronic records management: 6 requirements
Electronic records have a well-defined lifecycle which can be used to scope a system to manage them. The first four items below are stages of that lifecycle; metadata and reporting are requirements that apply across every stage:
- Capture
- Maintenance and use
- Disposal
- Transfer
- Metadata
- Reporting
1. Capture – a record is created or “captured” in the ERM system
Capture is the start of a record's life. A captured record must be identified (given a unique identifier), authenticated (its origin and creator established) and integrity-protected (for example by recording a cryptographic hash of its content) so that it can be presented reliably for as long as the information is needed.
Capture also maps out where the record is held, who has access to it and how it is handled. Keeping an electronic register of all records from this point on is necessary so that appropriate controls can be applied.
2. Maintenance and use – records must be used responsibly and for their intended purpose
Electronic records, and the data and knowledge your company creates, must be used responsibly and for their intended purpose. Records should be categorized and accurate, and users should be able to run a full-text search over their content.
Technology controls and business processes should be reviewed continuously, because a change to either can alter the value of a record or the protection it needs. This is what keeps a record confidential, intact and available.
3. Disposal – approved, systematic data disposal
We tend to keep information forever which is not sustainable in the long-term. Records should only be retained for as long as they provide value for legal, business, or historical reasons.
Data privacy regulations also limit how long personal information may be kept, and whether your company has a lawful basis, such as consent, to keep it at all.
Even if you do not need to comply with regulations, record management best practices such as data retention and disposal should be implemented.
This does not mean that records can just be deleted at the user’s discretion, but that appraisal of data and disposal procedures must be approved and scheduled.
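As an added example of how a retention schedule and approved disposal can be enforced in code (this is illustrative code written for this article, not EnHalo's software or any particular product), the following Python sketch uses a constructed schedule, record set and approver list; every category, retention period, location and name in it is an assumption. It refuses disposal that is not yet due, that is on legal hold, or that is requested by someone who is not a designated approver, and it treats disposal as complete only when every known copy, including archived and third-party copies, has been deleted.

```python
"""Retention schedule with approved, complete disposal.
Added example for illustration; schedule, records and approvers are constructed."""
from dataclasses import dataclass, field
from datetime import date, timedelta

# Hypothetical retention schedule: category -> days to retain after the trigger date.
RETENTION_DAYS = {
    "invoice": 7 * 365,            # assumed: seven years after the invoice date
    "hr_file": 5 * 365,            # assumed: five years after employment ends
    "marketing_consent": 2 * 365,  # assumed: two years after consent was last confirmed
}
# Hypothetical roles allowed to approve disposal; users cannot dispose at their own discretion.
DISPOSAL_APPROVERS = {"records_manager", "compliance_officer"}


@dataclass
class Record:
    record_id: str
    category: str
    trigger_date: date          # the event the retention period counts from
    copies: set                 # every location holding a copy (live, archive, third party, laptop)
    legal_hold: bool = False
    deleted_from: set = field(default_factory=set)


def disposal_due(rec: Record) -> date:
    return rec.trigger_date + timedelta(days=RETENTION_DAYS[rec.category])


def appraise(rec: Record, today: date) -> str:
    """Classify a record as 'legal_hold', 'retain' (not yet due) or 'due' for disposal."""
    if rec.legal_hold:
        return "legal_hold"
    return "due" if today >= disposal_due(rec) else "retain"


def dispose(rec: Record, today: date, approver: str, audit: list) -> bool:
    """Delete every copy of a due, approved record; True only when all copies are gone."""
    status = appraise(rec, today)
    if status != "due" or approver not in DISPOSAL_APPROVERS:
        reason = status if status != "due" else "unapproved"
        audit.append((today.isoformat(), rec.record_id, "disposal_refused", reason, approver))
        return False
    for location in sorted(rec.copies):
        # A real system would call each store's deletion API here and verify the result.
        rec.deleted_from.add(location)
        audit.append((today.isoformat(), rec.record_id, "deleted", location, approver))
    return rec.deleted_from == rec.copies


def disposal_schedule(records: list, today: date) -> list:
    """Report of what is due when, sorted by due date, for the scheduled disposal run."""
    return sorted((disposal_due(r).isoformat(), r.record_id, appraise(r, today)) for r in records)


def run_example() -> dict:
    """Constructed scenario; returns the outcomes so they can be checked."""
    today = date(2024, 6, 1)
    audit = []
    old_invoice = Record("INV-2015-0001", "invoice", date(2015, 1, 15), {"erp", "archive", "accountant_sftp"})
    held_invoice = Record("INV-2016-0002", "invoice", date(2016, 3, 1), {"erp"}, legal_hold=True)
    fresh_consent = Record("CONSENT-0003", "marketing_consent", date(2023, 9, 1), {"crm"})
    return {
        "schedule": disposal_schedule([old_invoice, held_invoice, fresh_consent], today),
        "user_attempt": dispose(old_invoice, today, "alice", audit),       # ordinary user: refused
        "approved": dispose(old_invoice, today, "records_manager", audit),  # approved and due: deleted
        "on_hold": dispose(held_invoice, today, "records_manager", audit),  # legal hold blocks it
        "not_due": dispose(fresh_consent, today, "records_manager", audit), # retention not over
        "deleted_from": sorted(old_invoice.deleted_from),
        "audit": audit,
    }


if __name__ == "__main__":
    for key, value in run_example().items():
        print(key, value)
```

The audit list is the evidence that disposal was appraised, approved and carried out across every copy; in practice it would be written to an append-only store rather than kept in memory.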
4. Transfer – a record of the flow of data
When records are transferred from one system, or from one party, to another, they must remain accessible and their integrity must be maintained. A record of where the data originated, where it now resides and what the records contain is essential.
During record migration, all records and associated metadata within the originating system must be retained until the migration is complete and the destination system has been deemed reliable and secure.
Managing this metadata makes it possible to track and manage the data later and to show that it has been handled properly.
The transfer process should produce an audit trail that records governance can monitor. Producing it can be automated to reduce the burden on already stretched staff.
5. Metadata – the “data about data”
Simply put, Metadata describes data and gives context to electronic records. It is often called “data about data”.
It describes almost any aspect of an electronic record from its description, to its relationship with other records, and how it was and should be treated over time.
Data cannot become a record without descriptive metadata attached to it. It provides information about where a record originated, who created it, where it is located, its context, etc.
It is particularly useful as a log of the data lifecycle management process. Metadata also allows users to locate and evaluate records quickly and easily without each person discovering it anew with every use.
Metadata should be managed and controlled with the same level of security as the data to which it belongs, to ensure the authenticity, reliability, and integrity of the electronic record.
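The following Python sketch is an added example, written for this article and not EnHalo's code, that ties together the capture, transfer and metadata requirements above: a register assigns each record an identifier, fixes a SHA-256 digest of its content at capture, keeps the descriptive metadata (creator, time, classification, location history) under an HMAC seal so that the metadata gets the same integrity protection as the content, refuses to re-point a record to a new location until the copy there matches the digest fixed at capture, and keeps a lifecycle audit trail per record that can feed the reporting requirement. The key, record identifiers, users, systems and content are constructed for illustration.

```python
"""Electronic record register: capture with integrity digest, sealed metadata,
verified migration and an audit trail. Added example; identifiers, users,
systems, content and the key are constructed for illustration."""
import hashlib
import hmac
import json

# Hypothetical secret held by the records system. Metadata is authenticated with it so
# that a change to "who created this" or "how sensitive is this" is detected, giving the
# metadata the same integrity protection as the content it describes.
REGISTER_KEY = b"example-only-register-key-do-not-use"


class RecordRegister:
    def __init__(self):
        self.records = {}   # record_id -> {"meta": {...}, "seal": hex HMAC over meta}
        self.audit = []     # lifecycle events: (when, record_id, event, detail, actor)

    def _seal(self, meta: dict) -> str:
        canonical = json.dumps(meta, sort_keys=True, separators=(",", ":")).encode()
        return hmac.new(REGISTER_KEY, canonical, hashlib.sha256).hexdigest()

    def capture(self, record_id, content: bytes, created_by, system, classification, when) -> str:
        """Start of the record's life: identify it, fix its content digest, record provenance."""
        if record_id in self.records:
            raise ValueError(f"{record_id} already registered")
        meta = {
            "record_id": record_id,
            "content_sha256": hashlib.sha256(content).hexdigest(),
            "size": len(content),
            "created_by": created_by,
            "captured_at": when,
            "classification": classification,
            "location": system,
            "history": [],          # previous locations, oldest first
        }
        self.records[record_id] = {"meta": meta, "seal": self._seal(meta)}
        self.audit.append((when, record_id, "captured", system, created_by))
        return meta["content_sha256"]

    def verify(self, record_id, content: bytes) -> bool:
        """True only if both the sealed metadata and the content are unchanged."""
        entry = self.records[record_id]
        meta_ok = hmac.compare_digest(entry["seal"], self._seal(entry["meta"]))
        content_ok = hashlib.sha256(content).hexdigest() == entry["meta"]["content_sha256"]
        return meta_ok and content_ok

    def migrate(self, record_id, destination, content_at_destination: bytes, actor, when) -> bool:
        """Re-point the register only after the copy at the destination matches the digest
        fixed at capture; until then the originating system keeps the record."""
        if not self.verify(record_id, content_at_destination):
            self.audit.append((when, record_id, "migration_failed", destination, actor))
            return False
        entry = self.records[record_id]
        entry["meta"]["history"].append(entry["meta"]["location"])
        entry["meta"]["location"] = destination
        entry["seal"] = self._seal(entry["meta"])
        self.audit.append((when, record_id, "migrated", destination, actor))
        return True

    def report(self, record_id) -> list:
        """Lifecycle events for one record, for audit and compliance reporting."""
        return [e for e in self.audit if e[1] == record_id]


def run_example() -> dict:
    """Constructed scenario: capture, a failed and a successful migration, a metadata tamper."""
    reg = RecordRegister()
    content = b"Invoice INV-1001, 250.00 EUR, issued 2024-03-01"   # constructed record content
    digest = reg.capture("REC-1001", content, "alice", "erp-prod", "confidential", "2024-03-01T09:00:00Z")
    outcomes = {
        "digest_len": len(digest),
        "intact": reg.verify("REC-1001", content),
        "altered_content": reg.verify("REC-1001", b"Invoice INV-1001, 2500.00 EUR, issued 2024-03-01"),
        "bad_migration": reg.migrate("REC-1001", "archive", b"truncated", "bob", "2024-04-01T10:00:00Z"),
        "location_after_bad": reg.records["REC-1001"]["meta"]["location"],
        "good_migration": reg.migrate("REC-1001", "archive", content, "bob", "2024-04-01T10:05:00Z"),
        "location_after_good": reg.records["REC-1001"]["meta"]["location"],
        "history": list(reg.records["REC-1001"]["meta"]["history"]),
    }
    # Someone edits the metadata directly, bypassing the register (e.g. downgrades the classification).
    reg.records["REC-1001"]["meta"]["classification"] = "public"
    outcomes["tampered_meta"] = reg.verify("REC-1001", content)
    outcomes["events"] = [e[2] for e in reg.report("REC-1001")]
    return outcomes


if __name__ == "__main__":
    for key, value in run_example().items():
        print(key, value)
```

The seal only detects tampering with the metadata; it does not stop it. In a real deployment the register key would live in a key management service and the audit list in an append-only store, so that a change to either the record or its description is both detectable and attributable.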
6. Reporting – the proof is in the reporting
A key component of the records management lifecycle is to provide detailed reporting on electronic records to show that effective controls and compliance are in place.
Reporting demonstrates the integrity of access control, availability, and confidentiality of the records.
(A useful guide on the management of electronic records and the regular monitoring and evaluation of these records can be found here. While this document is aimed at government agencies, it is still a very useful guide for handling electronic records. This version was updated on April 6, 2020.)
Basics of electronic records management
- Ensure you know where the data is and who has access to it.
- Implement least privilege: only the people and systems that need a record get access to it, only for the actions they need, and only for as long as they need it; access should expire rather than persist indefinitely.
- Govern all third-party access with controls at least as strict as those applied to internal staff.
- Prevent unauthorized access with access controls appropriate to the record's sensitivity. Controls such as file integrity monitoring, comprehensive permissions and tested backups are critical to ensure the data is not destroyed or changed by someone unauthorized to do so.
- Provide evidence that the organization, and therefore its people, do what they are meant to do: not only for the auditors' sake but for the sake of the business.
- Ensure the information is disposed of in its entirety – this includes the live and archived data, data transferred to third parties and data which resides on remote devices.
- Have the ability to quickly locate and manage electronic records. This includes locking access to, destroying, deleting, changing permissions on, archiving, moving and transferring the electronic record.
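As an added example (illustrative code written for this article, not EnHalo's software) of the first three points in the list above, the following Python sketch models access as explicit, time-bound grants: every grant names the minimum actions, must be approved by someone other than the principal, cannot exceed a policy limit that is shorter for third parties, stops working the moment it expires, and every allow or deny decision is logged so that "who has access to this record right now" and "who tried to access it" can be answered. The policy limits, principals, record identifiers and dates are assumptions.

```python
"""Time-bound, least-privilege access grants with an access report.
Added example; principals, record identifiers, limits and dates are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed policy limits: no standing access; external parties get shorter grants.
MAX_INTERNAL_GRANT = timedelta(days=90)
MAX_THIRD_PARTY_GRANT = timedelta(days=14)


@dataclass(frozen=True)
class Grant:
    principal: str        # a person or a system account
    record_id: str
    actions: frozenset    # the minimum set needed, e.g. frozenset({"read"})
    granted_by: str
    starts: datetime
    expires: datetime
    third_party: bool = False


class AccessPolicy:
    def __init__(self):
        self.grants = []
        self.decisions = []   # (when, principal, record_id, action, "allow"/"deny") as evidence

    def grant(self, g: Grant) -> None:
        """Refuse open-ended or over-long grants and self-approval."""
        limit = MAX_THIRD_PARTY_GRANT if g.third_party else MAX_INTERNAL_GRANT
        if not g.starts < g.expires <= g.starts + limit:
            raise ValueError("grant must be time-bound within the policy limit")
        if g.principal == g.granted_by:
            raise ValueError("a principal cannot approve its own access")
        self.grants.append(g)

    def revoke(self, principal, record_id) -> int:
        """Remove all grants of one principal on one record; returns how many were removed."""
        before = len(self.grants)
        self.grants = [g for g in self.grants
                       if not (g.principal == principal and g.record_id == record_id)]
        return before - len(self.grants)

    def is_allowed(self, principal, record_id, action, now: datetime) -> bool:
        """Evaluate access at a point in time and log the decision either way."""
        allowed = any(
            g.principal == principal and g.record_id == record_id
            and action in g.actions and g.starts <= now < g.expires
            for g in self.grants
        )
        self.decisions.append((now.isoformat(), principal, record_id, action,
                               "allow" if allowed else "deny"))
        return allowed

    def who_has_access(self, record_id, now: datetime) -> list:
        """Answer 'who can touch this record right now, for what, and until when'."""
        return sorted(
            (g.principal, sorted(g.actions), g.expires.isoformat())
            for g in self.grants if g.record_id == record_id and g.starts <= now < g.expires
        )


def run_example() -> dict:
    """Constructed scenario: an internal editor, a short external audit grant, an over-long one."""
    t0 = datetime(2024, 5, 1, 9, 0, tzinfo=timezone.utc)
    pol = AccessPolicy()
    pol.grant(Grant("alice", "REC-1001", frozenset({"read", "write"}), "records_manager",
                    t0, t0 + timedelta(days=30)))
    pol.grant(Grant("auditor@partner.example", "REC-1001", frozenset({"read"}), "records_manager",
                    t0, t0 + timedelta(days=7), third_party=True))
    try:   # 60 days for a third party exceeds the assumed 14-day limit
        pol.grant(Grant("vendor@partner.example", "REC-1001", frozenset({"read"}), "records_manager",
                        t0, t0 + timedelta(days=60), third_party=True))
        overlong_rejected = False
    except ValueError:
        overlong_rejected = True
    day1, day8 = t0 + timedelta(days=1), t0 + timedelta(days=8)
    return {
        "overlong_rejected": overlong_rejected,
        "alice_write": pol.is_allowed("alice", "REC-1001", "write", day1),
        "auditor_write": pol.is_allowed("auditor@partner.example", "REC-1001", "write", day1),
        "auditor_read": pol.is_allowed("auditor@partner.example", "REC-1001", "read", day1),
        "auditor_read_expired": pol.is_allowed("auditor@partner.example", "REC-1001", "read", day8),
        "stranger_read": pol.is_allowed("mallory", "REC-1001", "read", day1),
        "access_day1": [p for p, _, _ in pol.who_has_access("REC-1001", day1)],
        "access_day8": [p for p, _, _ in pol.who_has_access("REC-1001", day8)],
        "revoked": pol.revoke("alice", "REC-1001"),
        "alice_after_revoke": pol.is_allowed("alice", "REC-1001", "write", day1),
        "denials_logged": sum(1 for d in pol.decisions if d[4] == "deny"),
    }


if __name__ == "__main__":
    for key, value in run_example().items():
        print(key, value)
```

The point of evaluating `g.starts <= now < g.expires` on every request, rather than cleaning up expired grants on a schedule, is that a missed clean-up job cannot silently extend access; the logged decisions are the evidence the "provide evidence" point above asks for.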
In today’s data economy where every business activity creates a digital trace, Electronic Records Management cannot be ignored. Without secure access to details of its clients, suppliers, part-completed transactions, and so forth, businesses tend to fail – sometimes within days.
If you are unsure whether your business complies with ERM best practice, contact EnHalo today and let us create a roadmap to fix your records management process gaps.