
Charmaine Brooks, CRM

In 2009 ARMA International published a set of eight Generally Accepted Recordkeeping Principles®, known as “GAR Principles” or “The Principles”,1 to foster awareness of good recordkeeping practices. These principles and associated metrics provide an IG framework that can support continuous improvement.

The eight Generally Accepted Recordkeeping Principles are:

1. Accountability. A senior executive (or person of comparable authority) oversees the recordkeeping program and delegates program responsibility to appropriate individuals. The organization adopts policies and procedures to guide personnel, and ensure the program can be audited.

2. Transparency. The processes and activities of an organization’s recordkeeping program are documented in a manner that is open and verifiable and is available to all personnel and appropriate interested parties.

3. Integrity. A recordkeeping program shall be constructed so the records and information generated or managed by or for the organization have a reasonable and suitable guarantee of authenticity and reliability.

4. Protection. A recordkeeping program shall be constructed to ensure a reasonable level of protection to records and information that are private, confidential, privileged, secret, or essential to business continuity.

5. Compliance. The recordkeeping program shall be constructed to comply with applicable laws and other binding authorities, as well as the organization’s policies.

6. Availability. An organization shall maintain records in a manner that ensures timely, efficient, and accurate retrieval of needed information.

7. Retention. An organization shall maintain its records and information for an appropriate time, taking into account legal, regulatory, fiscal, operational, and historical requirements.

8. Disposition. An organization shall provide secure and appropriate disposition for records that are no longer required to be maintained by applicable laws and the organization’s policies.2

The Generally Accepted Recordkeeping Principles apply to all sizes of organizations, in all types of industries, and in both the private and public sectors, and can be used to establish consistent practices across business units. The GAR Principles are an IG maturity model, and this model is used as a preliminary evaluation of recordkeeping programs and practices.

Interest in and application of the GAR Principles for assessing an organization’s recordkeeping practices have steadily increased since their establishment. They are an accountability framework that includes the processes, roles, standards, and metrics that ensure the effective and efficient use of records and information in support of an organization’s goals and business objectives.

As shown in Table 3.1, the Generally Accepted Recordkeeping Principles Maturity Model associates characteristics that are typical in five levels of recordkeeping capabilities that range from 1 (substandard) to 5 (transformational). The levels are both descriptive and (can be) color-coded for ease of understanding. The eight principles and levels (metrics) are applied to the current state of an organization’s recordkeeping capabilities and can be cross‐referenced to the policies and procedures. While it is not unusual for an organization to be at differing levels of maturity in the eight principles, the question “How good is good enough?” must be raised and answered; a rating of less than “transformational” may be acceptable, depending on the organization’s tolerance for risk and an analysis of the costs and benefits of moving up each level.

The maturity levels define the characteristics of evolving and maturing records management programs. The assessment should reflect the current RM environment and practices. The principles and maturity level definitions, along with improvement recommendations (roadmap), outline the tasks required to proactively approach addressing systematic records management practices and reach the next level of maturity for each principle. While the Generally Accepted Recordkeeping Principles are broad in focus, they illustrate the requirements of good records management practices. The GAR Principles Assessment can also be a powerful communication tool to promote cross‐functional dialogue and collaboration among business units and staff.

Accountability

The principle of accountability covers the assigned responsibility for RM at a senior level to ensure effective governance with the appropriate level of authority. A senior‐level executive must be high enough in the organizational structure to have sufficient authority to operate the records management program effectively. The primary role of the senior executive is to develop and implement records management policies, procedures and guidance, and to provide advice on all record‐keeping issues. The direct responsibility for managing or operating facilities or services may be delegated.

The senior executive must possess an understanding of the business and legislative environment within which the organization operates; business functions and activities; and the required relationships with key external stakeholders, to understand how records management contributes to achieving the corporate mission, aims, and objectives.

It is important for top‐level executives to take ownership of the records management issues of the organization; and to identify corrective actions required for mitigation or ensure resolution of problems and recordkeeping challenges. An executive sponsor should identify opportunities to raise awareness of the relevance and importance of RM and effectively communicate the benefits of good records management to staff and management.

Table 3.1 Generally Accepted Recordkeeping Principles Levels

Level 1, Substandard: Characterized by an environment where recordkeeping concerns are either not addressed at all or are addressed in an ad hoc manner.

Level 2, In Development: Characterized by an environment where there is a developing recognition that recordkeeping has an impact on the organization, and the organization may benefit from a more defined information governance program.

Level 3, Essential: Characterized by an environment where defined policies and procedures exist that address the minimum or essential legal and regulatory requirements, but more specific actions need to be taken to improve recordkeeping.

Level 4, Proactive: Characterized by an environment where information governance issues and considerations are integrated into business decisions on a routine basis, and the organization consistently meets its legal and regulatory obligations.

Level 5, Transformational: Characterized by an environment that has integrated information governance into its corporate infrastructure and business processes to such an extent that compliance with program requirements is routine.

Source: Used with permission from ARMA.


The regulatory and legal framework for records management must be clearly identified and understood. The senior executive must have a sound knowledge of the organization’s information and technological architecture and actively participate in strategic decisions for information technology systems acquisition and implementation.

The senior executive is responsible for ensuring the processes, procedures, governance structures, and related documentation are developed. The policies should identify the roles and responsibilities at all levels of the organization.

An audit process must be developed to cover all aspects of RM within the organization, including substantiating that sufficient levels of accountability have been assigned and accountability deficiencies are identified and remedied. Audit processes should include compliance with the organization policies and procedures for all records, regardless of format or media. Accountability audit requirements for electronic records include employing appropriate technology to audit the information architecture and systems.

Accountability structures must be updated and maintained as changes occur in the technology infrastructure.

The audit process must reinforce compliance and hold individuals accountable. The results should be constructive and encourage continuous improvement, but not be used as a means of punishment. The audit should contribute to records program improvements in risk mitigation, control, and governance issues, and have the capacity to support sustainability.

Transparency

Policies are broad guidelines for the operation of the organization and provide a basic guide to action that prescribes the boundaries within which business activities are to take place. They state the course of action to be followed by the organization, business unit, department, and employees.

Transparency of recordkeeping practices includes documenting processes and promoting an understanding of the roles and responsibilities of all stakeholders. To be effective, policies must be formalized and integrated into business processes. Business rules and recordkeeping requirements need to be communicated and socialized at all levels of the organization.

Senior management must recognize that transparency is fundamental to IG and compliance. Documentation must be consistent, current, and complete. A review and approval process must be established to ensure the introduction of new programs or changes can be implemented and integrated into business processes.

Employees must have ready access to RM policies and procedures. They must receive guidance and training to ensure they understand their roles and requirements for records management. Recordkeeping systems and business processes must be designed and developed to clearly define the records lifecycle.

In addition to policies and procedures, the development of guidelines and operational instructions, diagrams and flowcharts, system documentation, and user manuals must include clear guidance on how records are to be created, retained, stored, and dispositioned. The documentation must be readily available and incorporated in communications and training provided to staff.

Integrity

Record generating systems and repositories must be assessed to determine recordkeeping capabilities. A formalized process must be in place for acquiring or developing new systems, including requirements for capturing the metadata required for lifecycle management of records in the systems. In addition, the record must contain all the necessary elements of an official record, including structure, content, and context. Records integrity, reliability, and trustworthiness are confirmed by ensuring that a record was created by a competent authority according to established processes.

Maintaining the integrity of records means that they are complete and protected from being altered. The authenticity of a record is ascertained from internal and external evidence, including the characteristics, structure, content, and context of the record to verify they are genuine and not corrupted or altered. In order to trust that a record is authentic, organizations must ensure that recordkeeping systems that create, capture, and manage electronic records are capable of protecting records from accidental or unauthorized alteration or deletion while the record has value.

Protection

Organizations must ensure the protection of records so that they remain unaltered by loss, tampering, or corruption. This includes protecting records against technological change, the failure of digital storage media, and damage or deterioration.

This principle applies equally to physical and electronic records, each having unique requirements and challenges.

Access and security controls need to be established, implemented, monitored, and reviewed to ensure business continuity and minimize business risk. Restrictions on access and disclosure include the methods for protecting personal privacy and proprietary information. Access and security requirements must be integrated into the business systems and processes for the creation, use, and storage of records.

Long‐term digital preservation (LTDP) is a series of managed activities required to ensure continued access to digital documents and information for as long as necessary. Electronic records requiring long‐term retention may require conversion to a medium and format suitable to ensure long‐term access and readability.

Compliance

Records management programs include the development and training of the fundamental components, including compliance monitoring to ensure sustainability of the program.

Monitoring for compliance involves reviewing and inspecting the various facets of records management, including ensuring records are being properly created and captured, implementation of user permissions and security procedures, workflow processes through sampling to ensure adherence to policies and procedures, ensuring records are being retained following disposal authorities, and documentation of records destroyed or transferred to determine whether destruction/transfer was authorized in accordance with disposal instructions.

Compliance monitoring can be carried out by an internal audit, external organization, or records management and must be done on a regular basis.

Availability

Organizations should evaluate how effectively and efficiently records and information are stored and retrieved using present equipment, networks, and software. The evaluation should identify current and future requirements and recommend new systems as appropriate. Certain factors should be considered before upgrading or implementing new systems. These factors are practicality, cost, and effectiveness of new configurations.

A major challenge for organizations is ensuring that information and records remain accessible and usable, in a timely and reliable manner, for the entire length of the retention period. Rapid changes and enhancements to both hardware and software compound this challenge.

Retention

Retention is the function of preserving and maintaining records for continuing use. The retention schedule identifies the actions needed to fulfill the requirements for the retention and disposal of records and provides the authority for employees and systems to retain, destroy, or transfer records. The records retention schedule documents the recordkeeping requirements and procedures, identifying how records are to be organized and maintained, what needs to happen to records and when, who is responsible for doing what, and who to contact with questions or guidance.

Organizations must identify the scope of their recordkeeping requirements for documenting business activities based on regulated activities and jurisdictions that impose control over records. This includes business activities regulated by the government for every location or jurisdiction in which you do business. Other considerations for determining retention requirements include operational, legal, fiscal, and historical.

Records appraisal is the process of assessing the value and risk of records to determine their retention and disposition requirements. Legal research is outlined in appraisal reports. This may be accomplished as a part of the process of developing the records retention schedules, as well as conducting a regular review to ensure that citations and requirements are current.

The record retention period is the length of time that records should be retained and the actions taken for them to be destroyed or preserved. The retention periods for different records should be based on legislative or regulatory requirements as well as on administrative and operational requirements.

It is important to document the legal research conducted and used to determine whether the law or regulation has been reasonably applied to the recordkeeping practices and provide evidence to regulatory officials or courts that due diligence has been conducted in good faith to comply with all applicable requirements.

Disposition

Disposition is the last stage in the life cycle of records. When the retention requirements have been met and they no longer serve a useful business purpose, records may be destroyed.

Records requiring long‐term or permanent retention should be transferred to an archive for preservation. The timing of the transfer of physical or electronic records should be determined through the records retention schedule process. Additional methods are often required to preserve electronic records, which may include migration or conversion.

Records must be destroyed in a controlled and secure manner and in accordance with authorized disposal instructions. The destruction of records must be clearly documented to provide evidence of destruction according to an agreed‐on program.

Destruction of records must be undertaken by methods appropriate to the confidentiality of the records and in accordance with disposal instructions in the records retention schedule. An audit trail documenting the destruction of records should be maintained and certificates of destruction obtained for destruction undertaken by third parties. In the event disposal schedules are not in place, written authorization should be obtained prior to destruction. Procedures should specify who must supervise the destruction of records. Approved methods of destruction must be specified for each media type to ensure that information cannot be reconstructed.

Disposition is not synonymous with destruction, though destruction may be one disposal option. Destruction of records must be carried out under controlled, confidential conditions by shredding or permanent disposition. This includes the destruction of confidential microfilm, microfiche, computer cassettes, and computer tapes, as well as paper.

Methods of Disposition

Discard. The standard destruction method for nonconfidential records. If possible, all records should be shredded prior to recycling. Note that transitory records can also be shredded.

Shred. Confidential and sensitive records should be processed under strict security. This may be accomplished internally or by secure on‐site shredding by a third‐party vendor who provides certificates of secure destruction. The shredded material is then recycled.

Archive. This designation is for records requiring long‐term or permanent preservation. Records of enduring legal, fiscal, administrative, or historical value are retained.

Imaging. Physical records converted to digital images, after which the original paper documents are destroyed.

Purge. This special designation is for data, documents, or records sets that need to be purged by removing material based on specified criteria. This often applies to structured records in databases and applications.