Policies, guidelines, regulations, and standards in records management and security

3.2 E-records management

3.2.2 Policies, guidelines, regulations, and standards in records management and security

generate e-records, so that the records can be captured within the e-records management systems.

The e-records systems should also provide for possibilities of access options to e-records offline and online (Ambira 2016). These systems which are primarily software-based methodologies used to manage e-records should also be guided by organisational business procedures and activities (Ngoepe 2014). System software may include the capabilities of integrated document management system, records information management software, document imaging system, digital repositories, electronic document and records management system (Codafile 2015; New South Wales Government 2012).

Australian National University policy (2015) and Moi University ICT policy (2011) explain that universities’ systems should include among others student administration system, research data management and repository system, hostel booking management system, examination and clearance system, integrated financial management system, electronic repository, human resource management system, health records management information system, library information system, and research information system. Therefore, e-record and information systems should ensure e- records are accessible, available and always remain unchanged to enhance accountability, integrity confidentiality and control to mention a few (Omotosho and Emuoyibofarhe 2014).

3.2.2 Policies, guidelines, regulations, and standards in records management and security

ISO 15489-1 (2001) asserts that all organisations must identify the regulatory environment including statutes and laws that affect their activities and requirements to document their activities.

Moreover, the nature of the organisation and the sector to which it belongs will determine which of these regulatory elements (individually or in combination) are most applicable to that organisation’s records management requirements. On policies and procedures, ISO 15489-1 (2001) asserts that organisations seeking to place proper e-records management should document, maintain and promulgate policies, procedures, and practices for records management to ensure that its business need for evidence accountability and information about its activities is met.

Furthermore, organisations’ policies and procedures should reflect the application of the regulatory environment to their business processes (ISO 2001).

Macleod, Childs, and Heaford (2007) point out that the United Kingdom (UK) developed their legislation and toolkits based on the ISO standards to improve their RM as required by citizens’

right of access to information, while the USA developed legislation to govern and enforce proper record-keeping after serious scandals. However, Norris (2003), reports that not many higher education institutions in the United Kingdom had well defined and active e-mail policies in place.

This was also the case at the University of Loughborough. In most governmental bodies in developing countries, there is lack of or inadequate policies and other best practices to govern e- records management. Many authors lament that, even those governmental bodies that have policies, procedures or guidelines, and standards, were only available on paper or electronic format, but they are not implemented (Ngoepe 2014; Mula 2013; Mutula 2013; Nengomasha 2013;

Wamukoya 2013). Wamukoya and Mutula (2005) assert that the failure of Eastern and Southern African Institutions of higher education to capture and preserve electronic records has been attributed to the lack of policies and procedures among other factors. Asogwa (2012) concurs that in African countries relevant and proper records management laws existing are not enforced for proper records management. Giving an example of e-records the author concludes that it is useless to manage these records without procedural and legal laws, since they are not fully recognised in law courts as legal evidence because of their propensity for alteration at whims. In contrast, Kenya has put in place legislation and regulations that should guide e-records management practices. The regulatory framework includes:

The Public Archives and Documentation Service Act, Cap 19: it is the principal law that governs management, preservation, and disposal of public records. The act mandates the director of the Kenya National and documentation service (KNADS) among other functions to: examine any public records and advice on their care preservation custody and control, require transfer to the custody of the KNA and documentation service; public records he/ she considers should be housed in the national archives and authorise the destruction of public records judged to be of no further administrative or reference value to creating office. Section 5A of Cap 19 states that every permanent secretary or head of government department or chief executive of a state corporation or local authority shall supply to the director two copies of any published or generally documented documents or reports produced by the office, whether in hard copy or microfilm and the creating office may prescribe the period for which the document shall remain restricted from circulation to the public offices or the members of the public. Besides, section 8 of the public archives and documentation service Act, Cap 19, indicates that it is an offense to destroy public records without the directors of KNADS authority.

Ministry of state for public service (DPM) circular on personnel records- ref.No.DPM.12/6AVol. (71) Of 12^th March 2008: The circular (personnel general letter), number 1/2008 of the 12 March 2008, provides guidelines on the retention of various categories of personnel records in the public service. The prescribed retentions periods should be applicable for personnel files for officers in similar job groups in the local authorities, the judiciary and states corporations. The circular further advises that any deliberate destruction must be communicated to the director of KNADS for guidance.

Government financial regulations and procedures, Chapter 23, sections 4:2-5: this regulations and procedures are provided to guide the management and disposal of account documents. The regulations elaborate that an accounting officer may permit the destruction of accounting books and documents provided such records have been audited and have no archival value. Accounting documents with outstanding audit queries should not be destroyed. The director of Kenya national Archives may be requested to examine the records before their destruction.

The Records Disposal Act, Cap 14, 1962 (Revised 2009): the act facilitates the management and disposal of court records in Kenyan courts. It mandates the Chief Justice and the registrar of the

high court, in consultation with the director of the KNADS to make rules for the disposal of court records. The statutes establish the authorities and procedures for disposing of records covered under the act. The act also defines the offices under the office of the Attorney-general and provides a records retention schedule of the records covered in the act as well as the procedures for the disposal.

Public Procurement and Disposal Act, Cap 412C, 2005: The act requires procuring entities to manage procurement records properly and effectively. Records must be recognised as a critical resource for proper management. The authority is mandated to issue circulars and guidelines on the content of the procurement documentation, and regulations 34 (2), which states that the authority may issue guidelines about the use of records management, filing, and storage of procurement documents. The act further empowers the director general of the public oversight authority (PPOA) to inspect the records and accounts of a procuring entity.

3.2.2.1 E-records standards and best practices

Standards and best practices are prepared internationally by the international organisation for standardisation (ISO) which is a worldwide federation of national standards bodies (ISO member bodies). Consequently, there are a number of standards that guide the management of records which include: ISO 15489-1 information and documentation, ISO/TR 15489-2 Records management, ISO 900:2015, ISO 23081- managing metadata, ISO/TR 15801:2005 Electronic imaging in addition to strategic plans and codes of conduct and ethics among others. Besides, the ISO standards, there are other standards developed in the management of e-records including DoD 5015-2 US Department of Defense: Design criteria standards for electronic records management applications, British standard BS 1008:2008, Evidential weight and legal admissibility of electronic information specification. The Parkerian Hexad Model advocates for organisations investing in better policy writing and enforcement, procedures and methods, implementation of the policies and improving the available technology infrastructure.

The ISO 9001:2015 to which many organisations and institutions worldwide including Moi University are compliant to, clause 4.2 document requirements, stipulate that the quality manual system documentation shall include among others, documents including records, determined by the organisation to be necessary to ensure the effective planning, operation and control of process.

Furthermore, clause 4.2.4 on control of records asserts that records established to provide evidence of conformity to requirements and of the effective operation of the quality management system shall be controlled and that the organisations shall establish a documented procedure to define the controls needed for the identification, storage, protection, retrieval, retention and disposal of records.

In Kenya, the local standardisation body Kenya Bureau of Standards (KEBS), has put in place a number of progressive standards in support of e-records management from the early 2000s.

Between the years 2010 and 2013 specific e-records management standards have been developed and adopted by KEBS. They include KS 2229:2010-Electronic records management systems- functional requirements; KS ISO/TS 21547:201 Health informatics-security requirements for archiving electronic health records-guidelines, KS2374:2012-Electronic records management systems-implementation guide, KS2391:2013-electronic signatures-metadata requirements, (Kenya Bureau of Standards 2014). However, the adoption and implementation of standards in Kenya institutions is very low.

3.3 Security classification of e-records process handling to facilitate description, control

Dalam dokumen E-records security management at Moi University, Kenya. (Halaman 72-76)