Records Management: Comprehensive Records Management Program 3
Managing Information Copies/Duplicates
Organizations must ensure that drafts, copies, and duplicates are covered by their document retention program. Each term should be clearly defined, and every employee should be educated on what each means and how it is to be handled. Often, drafts, copies, and duplicates that were used in the development or creation of an official record can be discarded once the final version is created. Examples include drafts and correspondence, reports and other documents, calculations, research material, rough notes, editing and formatting notes, and dictation tapes that have been transcribed.
Generally, once the final version of the record has been completed, it will be filed or entered into the information management system. Drafts and working material then become non-records and may be destroyed. In certain situations it is necessary to keep drafts and working materials; for example, they might be needed to trace the development of, and changes to, an important document. In that case they should be filed and grouped together with the other documents that pertain to the same subject, program, or service. Examples include records created in the preparation of:
- Legislation, laws, and regulations;
- Legal documents;
- Audit reports; and
- Policies, standards, guidelines and procedures.
To reduce the amount of hard disk and paper space used, while still allowing access to documents as needed, consider the following:
- Rather than widely distributing an entire document, send a link to a website or put the document in a shared folder;
- Destroy duplicate print and electronic items when you know the master has been filed;
- Dispose of draft versions and working papers when you know that the final version has been filed; and
- Continue to follow the organization's guidelines regarding discarding confidential or sensitive information.
E-mails should have their own set of record retention periods, since not all e-mails are records. One e-mail rule is that only the "official" copy of the e-mail is a record that needs to be retained. Another way to control the flow of duplicates is to inform employees that only the sender need retain the e-mail. If someone other than the sender must take action pursuant to the message, that person should also retain a copy. All other e-mail messages and attachments should be purged from the system when no longer needed.
Instructing employees that recipients are expected to dispose of unnecessary duplicates will raise their comfort level: they will know they are neither violating company policy nor breaking the law when deleting duplicate e-mail.
Today's work force is very mobile, and it is necessary that employees consistently follow the records retention schedule, whether it concerns an e-mail, a draft, or a copy. If employees implement their own document retention schedules, disposal of documents becomes haphazard. This could jeopardize the company if the documents were ever subpoenaed and an employee had not followed the organization's records retention schedule.
All the various media types should be addressed in the records retention schedule (including reproductions, microfilm, flash drives, BlackBerry devices, Palm Pilots, laptops, compact disks, and machine readable computer records).
For an organization's document retention policy to be effective, it must stay current with the laws that affect it. The organization should also continually train staff, provide them with periodic e-mail updates on what documents to delete, and constantly reinforce the difference between a draft and a final version.
The FTC's Disposal Rule
The Disposal Rule went into effect June 1, 2005 to provide enhanced protection against identity theft. The rule was issued by the FTC pursuant to the Fair and Accurate Credit Transactions Act (FACTA). The rule requires businesses to properly dispose of consumer information by taking reasonable measures to protect against unauthorized access to or use of the information in connection with its disposal. Consumer information is defined as "any record about an individual, whether in paper, electronic or other form, that is a consumer report or is derived from a consumer report."
A consumer report is "any written, oral or other communication of any information by a consumer reporting agency that bears upon a consumer's creditworthiness, credit standing, credit capacity, character, general reputation, personal characteristics or mode of living, which is used or expected to be used. . . as a factor in establishing the consumer's eligibility for credit or insurance to be used primarily for personal, family, or household purposes or employment purposes." The rule provides examples of measures the FTC considers reasonable for disposing of consumer information. These include implementing and monitoring policies and procedures that require (i) the burning, pulverizing, or shredding of papers containing consumer information and (ii) the destruction or erasure of electronic media containing consumer information so that the information cannot practicably be read or reconstructed. Another reasonable measure is contracting with a record destruction service, but only if due diligence was conducted when hiring it. Note that simply deleting a file does not meet the erasure standard: deletion typically removes only the directory entry and leaves the data blocks intact and recoverable.
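The following is an added example, not part of the original page, illustrating the difference between deleting a file and erasing it so that it "cannot practicably be read or reconstructed." It overwrites a file's contents in place with random bytes, forces the write to disk, verifies that a constructed sample record is no longer readable from the file, and only then unlinks it. The sample record, file names and function names are assumptions for the demonstration. The caveats in the comments matter more than the code: in-place overwriting is only meaningful on magnetic media with no copy-on-write or journaling layer; for SSDs, snapshotting file systems, backups and cloud object stores, the reasonable measure is device-level sanitization or cryptographic erase, as described in NIST SP 800-88.

```python
import os
import tempfile

# Constructed sample of "consumer information"; not a real record.
SAMPLE_RECORD = b"Name: A. Example\nSSN: 000-00-0000\nAccount: 1234567890\n"


def contains_bytes(path: str, needle: bytes) -> bool:
    """Return True if `needle` can still be read from the file at `path`."""
    with open(path, "rb") as fh:
        return needle in fh.read()


def overwrite_in_place(path: str, passes: int = 1) -> int:
    """Overwrite every byte of the file with random data, flushing to disk
    after each pass. Returns the number of bytes overwritten per pass.

    Caveat: this reaches the file's *current* blocks only. SSD wear levelling,
    copy-on-write file systems (ZFS, btrfs, APFS snapshots), journaling,
    backups and cloud object stores may keep earlier copies that an in-place
    overwrite never touches; for those, sanitize the device or use
    cryptographic erase instead (NIST SP 800-88).
    """
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        for _ in range(passes):
            fh.seek(0)
            remaining = size
            while remaining:
                chunk = os.urandom(min(remaining, 1 << 20))
                fh.write(chunk)
                remaining -= len(chunk)
            fh.flush()
            os.fsync(fh.fileno())  # do not rely on the page cache
    return size


def shred_file(path: str, passes: int = 1) -> int:
    """Overwrite, then unlink. Overwriting first is the point: unlink alone
    leaves the data blocks on disk for recovery tools to find."""
    size = overwrite_in_place(path, passes)
    os.unlink(path)
    return size


def demo() -> dict:
    """Write the sample record to a temp file, show it is readable, overwrite
    it, show it is gone, then remove the file. Returns the observations."""
    fd, path = tempfile.mkstemp(prefix="consumer-report-")
    os.write(fd, SAMPLE_RECORD)
    os.close(fd)

    present_before = contains_bytes(path, SAMPLE_RECORD)
    overwritten = overwrite_in_place(path, passes=1)
    present_after = contains_bytes(path, SAMPLE_RECORD)
    os.unlink(path)

    return {
        "marker_present_before": present_before,
        "bytes_overwritten": overwritten,
        "marker_present_after_overwrite": present_after,
        "exists_after_shred": os.path.exists(path),
    }


if __name__ == "__main__":
    print(demo())
```

On a laptop SSD the `demo()` output looks reassuring but proves little about the physical flash; treat this pattern as the minimum for spinning disks, and pair any disposal procedure with a written record of what media was sanitized, how, and by whom, since the rule asks for monitored policies and procedures rather than a one-off script.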
Noncompliance with the rule can subject the violator to substantial civil liability. If a business willfully fails to comply with the rule, the victim may recover actual damages or statutory damages of $100 to $1,000, plus punitive damages and attorney's fees. If a business negligently fails to comply, the victim may recover actual damages and attorney's fees.
The federal government is authorized to bring enforcement actions in federal court for violations and impose civil penalties of up to $2,500 per violation. The states are also authorized to bring actions on behalf of their residents and may recover up to $1,000 for each willful or negligent violation. In addition, the state may recover its attorneys' fees if successful in such action.
The Health Insurance Portability and Accountability Act of 1996 ("HIPAA")
HIPAA applies to "covered entities," which include health care providers that transmit health information electronically, health plans (including employer-sponsored group health plans and health insurers), and health care clearinghouses. The rules provide privacy protection for medical records and any other individually identifiable health information. The mandated privacy protection requires action by the covered entity both internally and in its external communication with patients. Internally, covered entities are required to adopt written privacy procedures, take precautions to ensure that business associates adequately protect the privacy of health information, provide sufficient training to employees on implementation of the rules, appoint an individual responsible for compliance with the rules, and establish a process for patients to make inquiries and/or complaints regarding the privacy of their health information. In their communications with patients, covered entities are required to provide a clear written explanation of how the protected information is used, kept, and/or disclosed, afford patients access to their records and the opportunity to correct errors, and obtain the patient's written authorization before disclosures other than those for treatment, payment, and health care operations or otherwise permitted by the rules.
The Financial Services Modernization Act of 1999, a/k/a Gramm-Leach-Bliley
Gramm-Leach-Bliley governs the privacy of consumer financial information. The act broadly defines "financial institutions" to include any entity engaging in activities that are financial in nature. The definition of consumer is narrower, applying only to individuals who obtain financial products or services for personal, family, or household purposes. Business customers are not afforded protection under the definition of consumer. The act prohibits financial institutions from disclosing consumers' nonpublic personal information to nonaffiliated third parties unless specific notice provisions are complied with. Under the act, three types of notice must be provided to the consumer before any such disclosure:
- Initial notice;
- Annual notice; and
- Opt-out notice.
Each notice must contain:
- The type(s) of information collected;
- Any disclosure(s) required under other federal law, specifically the Fair Credit Reporting Act.
The initial and annual notices must be provided when their names suggest (at the start of the customer relationship and once a year thereafter), and an opt-out notice, giving the consumer a reasonable opportunity to refuse, must be provided before any information is shared with a nonaffiliated third party.
Data Breach Laws
Many states, including Arkansas, California, Connecticut, Delaware, Florida, Georgia, Illinois, Indiana, Louisiana, Maine, Minnesota, Montana, Nevada, New Jersey, New York, North Carolina, North Dakota, Rhode Island, Tennessee, Texas, and Washington, have enacted data breach laws. Though they vary, most require businesses and government agencies to notify state residents and government authorities when they discover an unauthorized security breach involving computerized personal information. The laws in Georgia and Maine apply only to information brokers. Though the definitions differ, personal information is generally defined as an individual's name plus one or more additional data elements, such as a Social Security number or bank account information. Most of the laws require some threat of harm from the breach before notification is required. The laws require that notice be sent to the victims by differing means, such as in writing, by telephone, or by e-mail. They also allow substitute notice if more than a certain number of people are affected or the cost of sending the notice exceeds a certain amount. Several federal data breach notification bills have been proposed.
There are four major reasons to audit a records management program:
- To ensure that an organization is following its internal standards and practices;
- To ensure compliance with an organization's regulatory or oversight bodies;
- To ensure that an organization's records are legally defensible; and
- To improve business processes.
Although Records and Information Management and Information Technology groups should conduct their own assessments of the program, it is often desirable that an independent source also conduct a periodic audit to ensure corporate accountability. Audits and assessments should be part of an organization's written records management policy.
The records themselves are not the only area of a records management program that should undergo periodic assessment. Assessments should also ensure that policies and procedures are being followed throughout the lifecycle of a record.
The records systems should be examined to verify that records are not only retrievable, but legally defensible. Records retention policies should meet an organization's business needs, as well as all legal and regulatory requirements.
Auditing for internal compliance ensures that all applicable records and information management policies and procedures are being met. Compelling an organization to follow applicable policies and procedures has a three-fold effect. First, it ensures that records are available as needed for business purposes, thereby promoting efficiency within the organization. Second, it ensures that records are being created and maintained in accordance with regulatory standards. Lastly, it ensures legally defensible records if the organization is involved in litigation or is investigated for regulatory compliance.
An assessment for regulatory compliance should begin by looking at the policies and procedures and comparing them against the regulatory or oversight standards to verify they are being met. Assuming that an organization's policies and procedures take into account their regulatory needs, this type of audit is usually an extension of the internal audit.
Regularly conducted assessments and audits can also document to a court, if needed, that an organization is in compliance with both its internal policies and procedures and those of its external regulatory bodies. This is the foundation of legally defensible records. Strict and consistent compliance with records processes and procedures also protects the integrity of organizational records. Verifying that processes and procedures are being followed ensures not only that the records are defensible, but also that they are available in case of litigation. In light of several recent court cases, this is a major issue in litigation and a source of sanctions for spoliation of evidence.
Following good records management practices promotes business efficiency. Since an audit is usually done on a wide scale and encompasses several processes and procedures, it often highlights areas where business processes can be improved. Assessment of the records program can also help determine the quality and quantity of work, which can then be measured against organizational benchmarks.
An effective training program is an essential component of any records retention program; a written policy alone is not enough. If users are not instructed in why the policy is in place, what they must do to comply with it under normal circumstances, and what they must do when the policy is suspended because of pending litigation, the policy will end up being ineffective and the corporation could be held liable for sanctions.
In Zubulake v. UBS Warburg, UBS was held accountable for the destruction of e-mails even though users were following the published company records retention policy. The key failure the court found was that there was a "reasonable expectation" that a lawsuit would be filed, and therefore normal retention procedures should have been suspended. Although a litigation hold may have been in place, users were not trained in the proper procedures for suspending normal destruction, and UBS was held accountable.
Who Should be Trained
All users within the organization who generate, distribute, or retain paper or electronic business records should undergo the records retention training program. Differing levels of training, based on user responsibilities and involvement, may be offered.
Training Program Objectives
The main objective of the training program is to instruct users in the proper procedures for complying with the company's Retention Policy. At the end of the training, users should be able to:
- Recognize what makes up a "business record";
- Understand the importance of their full and complete participation in the records retention program; and
- Be aware of the repercussions and potential legal liability to their company if procedures are not followed correctly and consistently.
Issues to be Addressed in Training Program
The RM Program should address the following:
- The correct identification of a business record;
- Proper creation, capture and disposal of business records;
- Appropriate "hold" procedures when a Litigation Hold is issued;
- Proper wording of documents to minimize "bad documents";
- Accurate labeling of privileged and confidential business records;
- Proper procedures to follow when a Litigation Hold has been suspended and normal destruction of documents reinstated;
- How this impacts the use of their home computer, BlackBerry, PDA, etc.; and
- Company-accepted format for reporting of violations, asking questions, etc.
There are many options available to "get the word out," and a multi-faceted approach that broadens the reach of the training is recommended. In addition, for compliance purposes, documentation should be maintained of what training was delivered and who attended each session. Some potential outlets:
- New employee training;
- Employee Handbooks;
- Online training modules on company intranet;
- Training videos with message from business unit leader;
- Leaflets, booklets, company newsletter, participation in other business unit events and training; and
- Regular Webinar updates.
Ensuring Employee Compliance
Regular auditing of user compliance is essential, as is employee retraining. Other possible means to ensure compliance include:
- Tying compliance to the employees' Performance Review;
- If the company uses an MBO (management-by-objectives) program, adding compliance as an objective; and
- Testing or user surveys with incentives.