The basic principles of ERM and capabilities ERM systems are spelled out in this section. ⁷

Accessibility and Readability over Time

Computer technology is one of the fastest‐changing areas of technological change.

It’s been said that if the automobile industry innovated at the pace the computer in- dustry does, we could all drive a Rolls Royce for the price of a VW Beetle. There are continual changes and improvements in computer technology components that add to

   ERM systems enforce record retention and disposition policies according to  established retention schedules and ig policies. 

the challenge of maintaining records access and readability as time progresses. Soft- ware isn’t just developed and released—no matter how good the quality assurance (QA) process is, there are always some glitches or things that don’t work exactly as the design intended, which are “bugs” that need to be fi xed, and, over time, software is usu- ally updated and improved to stay competitive and address user needs. There may also be changes in fi le formats for storage and display, either by vendors improving their proprietary formats or from industry standards that emerge. Changes in compression algorithms to reduce storage and communications bandwidth requirements also oc- cur. The operating system environments that application software operates within are more stable but they too require fi xes, security updates, and improvements. New com- puter hardware models come out every year, sometimes several times a year. And there continue to be improvements and innovations in storage capacity and techniques.

The intermixture and interaction of these variables make maintaining the authen- ticity and integrity of electronic records stored in ERM systems more challenging, particularly over the long term. ⁸

Although the national legislation of a particular country may not require that re- cords be transferred to “archival custody” for 10 or 20 years, there are steps that must be taken in the interim to test and assure that records are readable and have not been corrupted or degraded over time, or completely erased or rendered unreadable due to mishandling or malicious intent. This is all part of the LTDP process, which must be governed by strong IG policies.

Preserving records over time does not require that all the hardware and software they were originally created on be kept and maintained. ⁹ There are steps that can be taken to migrate records to new computing platforms, or to copy stored e‐records to new copies of the same media, which is termed refreshment .

See Chapter 17 , Long‐Term Digital Preservation, for more detail regarding the policies, processes, and techniques that are required to ensure preservation of records over the long term.

Appraisal of Records

Records have different types of values, such as legal, fi nancial, administrative, or his- torical. Once this appraisal has been made, decisions as to the fi nal disposition of re- cords—destroy, transfer, or archive—may be carried out in a consistent, complete, and systematic way. (Records appraisal will be discussed in Chapter 5 , Inventorying E‐Re- cords, and more details in Chapter 7 , Developing Retention Schedules for E‐Records).

The goal is to optimize the disposition process: to keep only what is needed and dis- card what is not, as maintaining unneeded or obsolete records carries additional capital and labor costs, and “old” records that should have been destroyed can pose a legal liability in the future, as they may be requested during legal discovery. Also, wrongfully or prematurely destroying records (due to, for instance, pending legal action) is illegal and can cause fi nes, sanctions, or even jail time to be levied.

   in the records appraisal process, records can be deemed to have legal, fi nan- cial, administrative, or historical value. 

In the public sector, it is unilaterally against the law to destroy e‐records without the prior written approval of the Chief Archivist or similar authority ultimately ac- countable for maintaining an organization’s records.¹⁰

Audit Trail

One of the key benefits of moving to an ERM environment is that the system will capture a lot of document and records usage and routing data that can be analyzed to further improve processes and optimize workloads. Another benefit of this capability is that a complete electronic audit trail of which records were accessed by whom, when, and for how long will be generated. “An audit trail is required to keep an unalterable history of system events.”¹¹ This is key to proving records are authentic and reliable. The audit trail can also keep track of print requests, and any attempts to modify or move a folder, document, or record. This is an expected capability in ERM systems. This is crucial to enforcing IG policies and maintaining record integrity. The audit trail must be kept secure and intact for future potential legal and regulatory challenges. That means that it must be managed as a record, too, preserved instantly upon creation to permanent uneditable media, such as write‐once‐read‐many (WORM) discs, and it should be ac- cessed only by authorized personnel and auditors, per IG policy.

Taking audit trail capabilities a step further, some newer document analyt- ics capabilities that can be overlaid provide granular detail that can actually alert a system administrator or supervisor immediately if a person is suddenly printing an inordinate amount of documents, or if they are spending an inordinate amount of time viewing records, particularly records outside of their normal purview, and ad- ditional data.

It is important to note that audit trail capability in an ERM/EDRMS allows for some flexibility in how they are set up, and what data they track. They can track all the way down to someone making a minor change to a metadata field, which can affect the standing of the record in question in court or regulatory proceedings. So be mind- ful that all audit trails are not equal, and that in order to fully track all system activities that your organization may require through its IG policies, they must be configured to meet your business needs.

[Various authorities] . . . recommend that as a minimum requirement audit trail information should be captured for

 

■ The file plan

 

■ Groups of electronic folders

 

■ Individual electronic folders

 

■ Electronic volumes

 

■ Electronic records

 

■ Metadata associated with any of the above and that the following events should be captured:

 

■ The type of action which is being carried out, for example:

 

■ Relocation of an electronic record to another electronic folder, identify- ing both source and destination folders

 

■ Relocation of an electronic folder to a different series, identifying both source and destination series

 

■ Reallocation of a disposal schedule to an object, identifying both previ- ous and reallocated schedules

 

■ Placing of a disposal hold on a folder

 

■ The date and time of a change made to any metadata associated with electronic folders or electronic records

 

■ Changes made to the allocation of access control markings to an elec- tronic folder, electronic record or user

 

■ Export actions carried out on an electronic folder

 

■ Attempts to edit a record

 

■ The user carrying out the action

 

■ The date and time of the event

It must at all times be possible to prove that the system was tamperproof at the time the records were created and stored. It is therefore imperative that the system should log all attempts to access it, and that it captures the identity of a user and the time edits were made. ¹²

Authenticity

Most developed countries now recognize the acceptance of e‐records as legitimate records by law, so long as they can be proven to be authentic, unaltered, and accurate.

Authenticity provides users of records with the knowledge and confi dence that the records are true and authentic. This can be proven by following the chain of custody of the record from its creation and though its lifecycle. Having IG controls and auditing checkpoints in place help to prove that a record is authentic and reliable. ¹³

Business Classifi cation Schemes

Records should be classifi ed upon creation, and records series categories should be based on the business functions of its users. Classifi cation “refers to the process whereby electronic records stored in the electronic repository are assigned sub- jects in the classifi cation system that matches the document’s [record’s] subject.” ¹⁴ A primary goal of IG efforts is to standardize and systematize the classifi cation of records across the enterprise so that common terms are used and records are more easily searched for and retrieved. If classifi cation schemes are consistent, then the retention and disposal of records series or systems will be consistent, and legally defensible.

Consistency is the hallmark of successful IG efforts.

   an audit trail provides critical proof that records are unaltered and should  capture, at a minimum, information on the fi le plan, groups and individual  fi les and folders, and their associated metadata. 

A business classifi cation scheme (BCS) is the overall structure an organization uses for organizing, searching, retrieving, storing, and managing documents and re- cords in ERM. The BCS must be developed based on the business functions and ac- tivities. A fi le plan is a graphic representation of the BCS, usually a “hierarchical struc- ture consisting of headings and folders to indicate where and when records should be created during the conducting of the business of an offi ce. In other words the fi le plan links the records to their business context .” ¹⁵ The fi le plan shows business functions and re- cords and links the two, showing the records that specifi c business functions generate.

Central Repository

The approach of maintaining records in a central repository is the standard architec- ture of nearly all of today’s ERM vendors. The system may be located across multiple networked servers, but users can conduct federated searches across them and they ap- pear as a central repository to users. ¹⁶ This conceptually mimics the central fi leroom approach of the hardcopy, paper folder days, so it is easy to understand. Its purpose is to provide centralized control over records. This makes IG, compliance, and legal responses straightforward, and it is easier to follow the path of the lifecycle of a record when it is controlled and managed centrally.

However, this is not the only way an ERM system can be designed. Newer ap- proaches are evolving and newer structures, newer ways of architecting ERM systems are being presented. For instance, the European MoReq2010 standard allows for re- cords to be “aggregations” of progressive versions and for records management to oc- cur within business applications and for records to be managed in a decentralized way.

Collaboration

Having collaboration capabilities helps groups or teams of knowledge workers im- prove productivity when working with records. ¹⁷ Collaboration is not always a part of ERM systems, but it provides effi ciency benefi ts and collaboration is increasingly be- ing included in ERM systems, and now those collaborative features are being offered as integrated cloud services.

Disposition: Transfer, Destruction, Preservation

Records deemed of enduring value in the records appraisal process are transferred to be archived when they meet the end of their lifecycle. Some will remain there for sev- eral years and some will remain in archival storage for decades, which requires detailed preservation, testing, and auditing measures. The appraisal process, which takes place proactively, helps to determine which records series need to be archived and how long they should be preserved.

   a Bcs is the overall structure an organization uses for organizing fi les, which  is graphically represented by the fi le plan. 

Records don’t always stay in the same place. At times, they must be moved to a new, larger facility, or under the control of a business unit that is given responsibility for them. This transfer process has to be carefully monitored, controlled, and docu- mented. Following the records transfer process, there must be a way to certify that the records have, in fact, been transferred, and an unbroken chain of custody can be proven between the transferring entity and the new custodian, maintaining the validity of the authenticity of records. The records export, the authority to transfer, an actual inspection to verify the records’ content, the import of the records to a new system, the authenticity of the record creator, and the audit trail and metadata must all be verified to be accurate and then documented.

The receiving or importing custodian should implement controls to ensure the integrity of the transferred records while they are accessed from the new system. Con- trols may include access credentials, controls on editing or printing records, steps to ensure that alteration, corruption, replacement, or deletion of e‐records do not take place and that the media the records are stored on are tested, and then migrated, rotated, or replaced to guard against media failure, corruption, or technological obso- lescence.

Destruction of records following their useful life is another important issue: the destruction must be carried out properly and documented correctly or there is a risk that the destruction could be viewed as criminal (obstruction of justice). Also, records must not only be destroyed, but they must be destroyed systematically, consistently and completely, so that the disposition program is legally defensible. In an electronic envi- ronment, this is more difficult than simply shredding paper files. Certain controls must be in place to ensure that all traces of an electronic record are obliterated in the destruction process. No traces of metadata or content should be left on the hard drive, optical disc, or other media the records were stored on. Solid state drives are becoming more popu- lar and they are more easily erased completely than other electronic storage media.

In cases where a hold has been placed on the destruction of a record, then it must be documented who requested, authorized, and reviewed the destruction hold.

Once the destruction of a record is complete, a destruction certificate verifying that it has taken place should be issued and filed.

If an e‐record is scheduled for long‐term archival and has been appraised to be in need of LTDP, which is typically over five years, the strategy for its preservation will be dependent on its total retention period, the media it is stored on, and related technology issues. E‐records may be migrated to newer technology platforms so that they remain readable, but this strategy must be carefully planned and documented to ensure the authenticity of the records. Information technology (IT) will continue to change and the challenge is to continue to keep e‐records intact and readable over the long term.¹⁸

Document Scanning

In ERM, paper documents must be able to be digitally scanned and captured in elec- tronic format, which is called document imaging. This is accomplished via desktop scanners or standalone, high‐speed scanners, although it can be accomplished remotely via fax. One of the key benefits of an ERM system is providing faster access to records and controlling them through their lifecycle, and this often begins with externally generated letters, contracts, or other documents that must be scanned to be ingested

into the ERM system. ¹⁹ Document scanning can occur with individual documents, or in large batches, broken up by separator pages.

File Formats

Most software providers utilize their own proprietary fi le formats and compression al- gorithms to store, transfer, and display digital images of records and documents. That may use parts of some industry standard components, such as tagged image fi le format (TIFF) for images, and Group IV (G4) fax compression, but there are usually nuances that set each vendor’s format apart. Maybe it is in the fi le header, maybe it is in the metadata structure. Part of the vendor strategy historically has been to get the custom- ers’ content into the vendor’s format and, in essence, to “lock them in” to the vendor’s technology. The software vendors have not made it very easy to convert fi les from one competitive system to another—there have typically been those bits of proprietary software that encode the documents and records in a way unique to the vendor. There have been standardization efforts aimed at providing e‐document interchangeability, and they have demonstrated this capability in test settings, but they have largely failed in practice.

It is best to limit the use of proprietary formats, but standard formats have issues too. If you convert fi les to industry standard ASCII or rich text format (RTF) there is a loss of “structure and functions” and it may bring the authenticity of records into question. With pushback from customers, and progress in standards, there have been a couple of formats that have gained in preference for storing records over time . First, and primarily, Adobe portable document format (PDF) has gained prominence for storing re- cords. Adobe released control of its archival version of its PDF, called PDF/A, based on PDF 1.4, which has become the international standard ISO 19005‐1:2005, which ap- plies to e‐documents that may contain raster or vector graphics, and character data. ²⁰ For text‐based documents, eXtensible Markup Language (XML) has risen to be- come the preferred format for archival storage.

There are still no perfect and stable long‐term solutions for all document and records stored, since systems, formats, and standards continue to change and evolve.

Format migration is still a decision that needs to be studied for your particular busi- ness records scenario, so that records are able to be preserved over the long term. ²¹

Yet using PDF/A for e‐records follows the standard ISO 19005‐1: “Document Management Applications—Electronic Document File Format for Long Term Pres- ervation—Part 1: Use of PDF 1.4 (PDF/A‐1),” and plans are to continue down the PDF/A path to support newer PDF versions, such as PDF 1.7, and so on. But the only guarantee is that standards change and evolve.

Metadata

Discussions about metadata can get complex, but metadata for e‐records are the data fi elds that are associated with the record that contain defi ning and descriptive

   pdF/a is the iso standard for archiving documents as records. 

information about its characteristics, such as creator, date, record type, department, and length of the document.

According to ISO 15489, the international records management standard, meta- data is “Data describing context, content, and structure of records, and their manage- ment through time.” ²²

When users perform searches for records, they are searching metadata fi elds. That is why it is important to have IG policies in place that standardize these metadata fi elds so users can fi nd what they are looking for. It is also important for legal and regulatory reasons, so that the metadata fi elds can be used to create a records retention schedule for managing records according to established policies that are legally defensible.

Metadata is used to map the Records Retention Schedule to the documents and records to apply retention and disposition rules.

Physical Records Management

ERM systems must be able to track not only e‐records, but also hardcopy and physi- cal records, which may be located in fi ling cabinets and fi le rooms in order to provide complete records management application (RMA) functionality. ²³

Retention Scheduling

Records retention scheduling is a core ERM concept. Records must be able to be assigned a retention schedule for its lifecycle, and certain actions are indicated when it com- pletes its lifecycle. Some records are automatically archived, others are retained for a specifi ed period and then destroyed. ²⁴ Others may be scheduled for destruction but are queued up for an authorized person to approve or deny the destruction of the record.

Retention scheduling is a basic concept of records management, but it can get complex with the myriad of legal and regulatory requirements, some of which may apply to dif- ferent parts of a particular record.

Search and Retrieval

ERM systems must provide basic and complex search capabilities to enable users to fi nd records they are looking for. Also, the search capability should be robust enough for users to browse the records repository and also to suggest terms and concepts when users are not quite sure what records might exist as they conduct their research.

   Metadata are the data fi elds that are associated with the record that contain  defi ning and descriptive information about its characteristics. 

   Records retention scheduling is a core ERM concept.