PRINCIPLES AND FUNCTIONAL REQUIREMENTS · INTERNATIONAL COUNCIL ON ARCHIVES 6 Principles and Functional Requirements for Records in Electronic Environments (ICA-Req) Module 2: Guidelines

INTERNATIONAL COUNCIL ON ARCHIVES

1


PRINCIPLES AND FUNCTIONAL

REQUIREMENTS

FOR RECORDS IN ELECTRONIC OFFICE ENVIRONMENTS

IMPLEMENTATION GUIDANCE FOR ICA-Req MODULE 3

OCTOBER 2013


2


Principles and Functional Requirements for Records in Electronic Office

Environments – Implementation Guidance for ICA-Req Module 3, 2013, published at

www.ica.org

October 2013


3

CONTENTS

INTRODUCTION ........................................................................................................ 4 Scope and audience .......................................................................................................... 4

Related Standards ............................................................................................................. 5

Terminology....................................................................................................................... 6

PART 1: IDENTIFYING RECORDKEEPING REQUIREMENTS USING ISO 15489.. 8 What Are Recordkeeping Requirements? .......................................................................... 8

Why Identify Recordkeeping Requirements? ..................................................................... 9

Recognising Recordkeeping Requirements ..................................................................... 13

Documenting Recordkeeping Requirements.................................................................... 15

Using Recordkeeping Requirements ............................................................................... 17

Reviewing Recordkeeping Requirements ........................................................................ 17

Recordkeeping Requirements Form ................................................................................ 18

Recordkeeping Requirements Form - Example ............................................................... 20

PART 2: IDENTIFYING RECORDKEEPING REQUIREMENTS USING ISO/TR 26122 ....................................................................................................................... 22

What is a Work Process Analysis .................................................................................... 22

Why Undertake a Work Process Analysis? ...................................................................... 22

Reviewing Context........................................................................................................... 23

Functional Analysis.......................................................................................................... 24

Sequential Analysis ......................................................................................................... 25

PART 3: FUNCTIONAL REQUIREMENTS FOR RECORDS IN BUSINESS SYSTEMS ................................................................................................................ 28

Creating Records In Context ........................................................................................... 28

Managing and Maintaining Records ................................................................................ 31

Supporting Import, Export and Interoperability ................................................................. 32

Retaining and disposing of records as required ............................................................... 33

Endnote ........................................................................................................................... 36


4

INTRODUCTION

In 2008, the International Congress on Archives (ICA) published three modules of its Principles and Functional Requirements for Records in Electronic Environments (ICA-Req). This guidance is designed for use in conjunction with ICA-Req Module 3, Guidelines and functional requirements for records in business systems.

This guidance comprises three parts. Part 1, Identifying recordkeeping requirements using ISO 15489, gives an overview of the processes that can be used to discover what records an organisation needs to create and keep to carry out its business well. Part 2, Identifying recordkeeping requirements using ISO/TR 26122, identifies strategies and processes that can be used to outline requirements for business systems. Part 3 Functional Requirements for Records in Business Systems helps understand the role and use of the functional requirements identified in Module 3.

Scope and audience

Part 1 is a useful starting point for anyone considering recordkeeping processes for an organisation regardless of the size or type or organisation, or the level of technology used. It is consistent with the International Standard for records management, ISO 15489: 20011 and includes a number of examples from government agencies but the processes are also applicable to non-government organisations.

Some of the people who may be well suited to use Part 1 to carry out recordkeeping analysis include:

records management staff members from within the organisation

long-serving staff members who have a good understanding of how the whole organisation works.

The work of identifying recordkeeping requirements will usually need to be done by someone who works inside the organisation, although it may be possible to hire an expert consultant to carry out the work or to hire a temporary staff member who can concentrate on the project.

Part 2 is derived from ISO/TR 26122:20082. It is designed to assist people who are carrying out detailed analyses of recordkeeping for the purpose of improving business processes, particularly:

records professionals and/or records managers responsible for creating and managing records in either a business system or dedicated records application software;

analysts responsible for designing business processes and/or systems that will create or manage records.

1 ISO 15489: 2001 Information and Documentation - Records Management

2 ISO/TR 26122:2008 Information and documentation – Work process analysis for records


5

It provides information that is required to carry out two different types of analyses:

functional analysis, which is the breakdown of functions into processes

sequential analysis, which is the investigation or breakdown of the flow of transactions.

Regardless of which type of analysis us undertaken, the first step is to review the regulatory and operational context in which the organisation operates.

Part 3 aims to help understand the role and use of the functional requirements identified in ICA-Req Module 3. These requirements outline the recordkeeping functionalities that need to be incorporated into electronic business systems for them to effectively create, capture or manage digital records. The need for each records management functional requirement should be assessed against the core objectives of the respective business system. Hence, not all functional requirements will apply to every system.

Part 3 is designed to assist those responsible for:

managing information technology and communications, including e-business and websites;

overseeing information, knowledge management and communications technologies procurement or investment decisions;

software vendors and developers who wish to incorporate records functionality within their products.

It will help organisations to use ICA-Req Module 3 for the following purposes:

Identify recordkeeping functionality requirements for inclusion in a design specification when building or purchasing business information software (BIS), or when upgrading existing systems software;

Review the recordkeeping functionality of existing BIS software;

Evaluate the recordkeeping capability of proposed customised or commercial off-the-shelf BIS software; or

Undertake a recordkeeping audit or compliance check of agency software to verify that such systems have adequate recordkeeping functionality.

Related Standards

These guidelines have been developed in conjunction with the following resources:

Principles and Functional Requirements for Records in Electronic Environments (ICA-Req) Module 1: Overview and Statement of Principles3

3 http://www.ica.org/10616/standards/icareq.html

http://www.ica.org/10616/standards/icareq.html


6

Principles and Functional Requirements for Records in Electronic Environments (ICA-Req) Module 2: Guidelines and Functional Requirements for Records in Electronic Office Environments4

Principles and Functional Requirements for Records in Electronic Environments (ICA-Req) Module 3: Guidelines and Functional Requirements for Records in Business Systems5

ISO 15489: 2001 Information and Documentation - Records Management - Parts 16 & 27

ISO/TR 26122: 2008 Information and Documentation - Work Process Analysis for Records8

PARBICA’s Recordkeeping for Good Governance Toolkit, Guideline 2 Identifying Recordkeeping Requirements9

Terminology

Business systems: automated systems that create or manage data about an organisation’s activities. They include applications whose primary purpose is to facilitate transactions between an organisational unit and its customers – for example, an e-commerce system, a client-relationship management system, a purpose-built or customised database, finance or human resources system. Business systems typically contain dynamic data that is commonly subject to constant updates (timely); and able to be transformed (manipulable), and they hold current data (non-redundant).

Documentation: a collection of documents describing operations, instructions, decisions, procedures and business rules related to a given function, process or transaction

Function: Any high level purpose, responsibility or task assigned to the accountability agenda of a corporate body by legislation, policy or mandate. Functions may be decomposed into sets of co-ordinated operations such as subfunctions, business processes, activities, tasks or transactions.

Functional Analysis: the grouping together of all the processes undertaken to achieve a specific, strategic, goal of an organisation, which uncovers relationships between functions, processes and transactions which have implications for managing records

Functional requirements for records: defined in business systems as the processes or capabilities that are required of business systems in order for it to meet



6 http://www.iso.org/iso/home/store/catalogue_tc/catalogue_detail.htm?csnumber=31908



9 http://www.parbica.org/Toolkit%20pages/Documents/G2%20RK%20requirements/RK%20Requirements%20html.htm



http://www.iso.org/iso/home/store/catalogue_tc/catalogue_detail.htm?csnumber=31908



http://www.parbica.org/Toolkit%20pages/Documents/G2%20RK%20requirements/RK%20Requirements%20html.htm


7

the recordkeeping needs of the organisation. Required recordkeeping functional requirements can be incorporated into the specification for a business system prior to the procurement of the system, or they can be used as a checklist to gauge how well an existing system complies with the ICA-Req requirements in terms of recordkeeping.

Recordkeeping: The systematic creation, use, maintenance and disposition of records to meet administrative, legal, financial and societal needs and responsibilities.

Recordkeeping requirement: a need to keep evidence of the organisation’s actions and decisions.

Records: information created, received and maintained as evidence and information by an organisation or person, in pursuance of legal obligations or in the transaction of business.10 They must be retained for a period of time that is in line with an authorised retention schedule or “records authority”.

Sequence: series of transactions connected by the requirement that undertaking a later is dependent on completing earlier transactions

Sequential Analysis: maps a business process in a linear and/or chronological sequence which reveals the dependent relationships between the constituent transactions

Transaction: the smallest unit of a work process consisting of an exchange between two or more participants or systems

Work Process: one or more sequences of transactions required to produce an outcome that complies with governing rules

10

As defined in ISO 15489: 2001 Information and Documentation - Records Management


8

PART 1: IDENTIFYING RECORDKEEPING REQUIREMENTS USING

ISO 15489

The international standard for records management, ISO 15489 provides guidance on creating records policies, procedures, systems and processes to support the management of records in all formats.

ISO 15489 provides a descriptive benchmark that organisations can use to assess their records management systems and practices. It is designed to help organisations create, capture and manage full and accurate records to meet their business needs and legal requirements and satisfy stakeholder expectations.

What Are Recordkeeping Requirements?

Organisations need records to do their work efficiently and to make sure that they can be accountable for their actions. Being accountable means being able to prove what actions an organisation has taken in any given situation and explains why the organisation acted the way that it did.

To make sure that they can work efficiently and be accountable, organisations need to identify their recordkeeping requirements. That means understanding:

what files records they should be making

how long they should keep the records that they need

who should and should not have access to the records

what format the records need to be in.

A recordkeeping requirement is a need to keep evidence of the organisation’s actions and decisions. Recordkeeping requirements are usually documented in rules, procedures or other guidelines that show that an organisation might need to create, keep, provide access to or deal in some special way with a file or other type of record.

For example, a law that an agency is responsible for overseeing might say:

There shall be a register of licensees.

This suggests that the department responsible for implementing this law is abided by must keep a register of the people to whom it gives licences. This is an example of a legal requirement that requires the department to create a particular record.

As another example, a government department’s procedures for processing a licence application might say:

Step 1: Desk Officer stamps date of receipt on application and forwards to Licensing Officer


9

Step 2: Licensing Officer checks applications for completeness

Step 3: Approving Officer checks that all requirements are met and marks the application as ‘Approved’ or ‘Not Approved’.

The Desk Officer cannot stamp the date of receipt unless there is a record in the form of an application. The Licensing Officer cannot complete their job unless they receive a record containing the application from the desk officer. The Approving Officer cannot do their job unless they also have access to a record of the application. In this example, there is a business requirement to have a record of the application—the required process cannot be completed unless the organisation creates a record of each step in the process.

Sometimes recordkeeping requirements can come from citizens. Members of the public might expect the government to keep some types of records. For example, imagine reading a story like this in the newspaper:

PUBLIC ANGRY OVER PASSPORT RED TAPE

A local man has complained to the Ombudsman about his treatment by the Passports Office after he was refused a replacement for his lost identity document.

Mr Albert Christian lost his passport when his house burned down last month. When he went to the Passport Office to apply for a new one, he was told that he could not have a new passport until he provided the office with the number of his old passport. ‘This is ridiculous,’ Mr Christian told the Times. ‘They gave me the number of the passport in the first place. Surely it is their job to keep a record of what passport number they gave me. Why should I have to remember these things for them? Now I don’t see how I will ever get another passport, as my old one is lost and I can’t remember the number.’

In this case, the public expects that the organisation will keep records about its activities so that it can serve its clients better in the future.

Why Identify Recordkeeping Requirements?

By identifying their recordkeeping requirements, organisations can make sure that they:

comply with the law, by having and giving access to records that the law says they must have

operate efficiently, by making sure that records that are needed to complete all the steps in a process are created and passed on to those staff who need them

account for their actions, by keeping records for long enough to allow ministers, auditors, the parliament and sometimes the public, to review and understand their work.


10

HOW TO IDENTIFY RECORDKEEPING REQUIREMENTS

There are three main steps in identifying an organisation’s recordkeeping requirements. These are:

identifying and collecting sources of information

recognising recordkeeping requirements

documenting recordkeeping requirements.

IDENTIFYING AND COLLECTING SOURCES

Anything that tells the organisation how it should carry out its work can be a source of recordkeeping requirements, such as:

laws and regulations

strategic plans

policies

procedures

reports by parliamentary committees, the auditor-general, the ombudsman or other review bodies

reviews and reports by bodies outside government, such as the World Bank or Asian Development Bank

for a government organisation, surveys of the department’s records or other reviews by the national archives

media reports

the organisation’s staff.

How many sources need to be identified and what information needs to be collected will depend on how thorough the analysis needs to be and how much time is available to do the work. If there is not much time available, concentrate on finding the most important sources. These are likely to be laws and regulations because the requirements in these kinds of sources are usually compulsory. If the organisation does not meet such requirements, it will probably be breaking the law.

Other important sources include reviews by other government organisations such as:

the parliament or congress

a parliamentary or congressional committee

a minister, member of cabinet or other elected representative

a government auditor

the ombudsman

the Public Service Commission.


11

Recordkeeping requirements in reviews and reports about the organisation from these types of bodies can be very important because they indicate what important parts of the government expect the organisation to do. If the organisation does not meet these requirements, the government may take action against it. This does not mean that other sources of recordkeeping requirements are not also important. Internal sources like policies, procedures and information from staff can be used to identify recordkeeping requirements that are vital for the organisation to be able to do its job. This means that it is important to try to find all of the sources possible.

Another option for making the job quicker would be to look at only one section of the organisation at a time. For example, if the Department of Foreign Affairs deals with immigration matters, as well as diplomatic relations and international trade, it might choose to look only for sources that relate to immigration first, and look at the work of other areas of the organisation at another time.

LAWS

Start by finding all the laws that relate to the organisation being analysed. Countries often have websites where copies of laws are available. There is also the World Legal Information Institute website at http://www.worldlii.org/ which has copies of laws from many different countries.

The laws and regulations that may have an impact on an organisation could be in the form of:

Enabling legislation. This is a law that legally creates an organisation. Major government departments do not always have enabling legislation, but smaller organisations such as commissions, authorities and boards are often set up when the parliament or congress passes a law saying they should be created.

The senior staff in the organisation or in the Attorney-General’s office may be able to help in identifying such legislation.

Administered legislation. These are laws that the organisation is responsible for overseeing. Small organisations may not have any administered legislation—often their job is to carry out the functions described in their enabling legislation. Large departments may administer many different laws. For example, the Department of Foreign Affairs might oversee an Immigration Act, a Citizenship Act, a Passports Act, and Acts relating to diplomatic relations with other countries.

If the organisation provides an annual report to a minister, cabinet, parliament or congress, this may list all of the laws the organisation administers. Sometimes, when the government decides which departments it will establish, it will produce Administrative Arrangements Orders that list the laws each department administers. Other places to learn about the organisation’s administered legislation might include government gazettes or interviews with staff who oversee the laws for the department.

Administrative legislation. These are laws that often apply to all government organisations and tell them how to carry out some parts of their business.

http://www.worldlii.org/


12

Examples might include Freedom of Information or archives laws, evidence Acts, financial management Acts and crimes Acts that apply to everyone—including public servants.

The Public Service Commission or legal advisers, such as in the Attorney-General’s office, may be able to help in identifying such legislation.

REGULATIONS

Regulations are sometimes known as ‘subordinate legislation’. Regulations are rules that can be made by departments that relate to a particular law. The regulations of many countries are often included on the internet with the laws under which they are made.

Departments can only make regulations about things that a law says they can control. If it is possible for a department to make regulations under a particular law, this will usually be stated in one of the last sections of the act. For each law you have found you should:

first check to see if the law says your department has the power to make regulations

then, if the department has that power, find out what regulations have been made.

Regulations often have to be formally registered or gazetted by the government, and legal advisers such as in the attorney-general’s office may be able help identify what regulations there are under each act.

PLANS, POLICIES, PROCEDURES, REPORTS AND OTHER INTERNAL

SOURCES

Internal documents such as plans, policies, procedures, instructions, reports, websites and publications can provide important information about what records the organisation needs to do its job efficiently.

Plans and policies usually explain the types of activities that the organisation carries out, and may show those parts of the organisation about which you need to find more information.

Procedures and instructions can be very important sources as they can provide specific information about the records and other types of information staff need to do their jobs.

EXTERNAL REVIEWS AND REPORTS

Reviews and reports by other organisations of how an organisation does its work can explain what other people expect an organisation to do with its records, even if the organisation has not thought of doing these things itself. They can be very important in helping the organisation to meet the expectations of the community, and can even help it to improve the way it does its work.


13

If there has been a major review of an organisation’s work, it is likely that the staff of the organisation will know about it, and may be able to provide copies of the report.

Some of the key places to check for external review and reports are:

parliament or congress

government auditors

the ombudsman

the national/state archives

donors

the media.

INTERVIEWS WITH STAFF

Talking to the staff members of an organisation can reveal a lot about the information they need to do their work, and the problems that they may be having in finding it. This can be very important if an organisation does not have many policies and procedures written down. Try to interview staff members from every section of the organisation.

The purpose of these interviews is to find out what kinds of records the organisation should be creating to meet its recordkeeping requirements. Staff members may have information about:

which laws and regulations they administer

what procedures they follow in their jobs, especially if these are not written down

what information they are asked for by other sections of the organisation, members of the public or other stakeholders.

Recognising Recordkeeping Requirements

Government officers often do not think specifically about recordkeeping issues when they are writing laws, policies and procedures. This means that to find recordkeeping requirements in these documents may take some research.

CHECK FOR RECORDS KEYWORDS

Look through sources and find words in them that could relate to records. Some of the terms used in laws, procedures and other documents that might indicate there is a recordkeeping requirement are:

agenda application bill books

copy document endorsed evidence

files form information instructions

licence log minutes note


14

notice papers permit receipt

record register report return

signature ticket writing

When researching, be sure to consider the context of the words to decide whether or not it refers to records. For example, the word ‘books’ could refer to accounting records of a company, or it could refer to library books.

RECOGNISE DIFFERENT TYPES OF RECORDKEEPING REQUIREMENTS

Having discovered a relevant word, think about what the statement is saying. There are several types of recordkeeping requirements. They can be requirements to:

create a record—for example, ‘There shall be a register of licensees’

include certain information in a record—for example, ‘The form must include the applicant’s name and date of birth’

create a record in a certain form—for example, ‘Applications must be lodged using an official form’

keep a record for a certain amount of time—for example, ‘The Registrar must keep all approved applications for a period of seven years from the date of their lodgement’

destroy a record after a certain amount of time—for example, ‘The Registrar must destroy all unsuccessful applications one year after the date of their lodgement’

provide access to a record—for example, ‘The Register must be open for inspection by the public’

prevent access to a record—for example, ‘Applications must be stored in such a way as to keep their contents private’.

CHECK FOR ‘HIDDEN’ REQUIREMENTS

If time is available, research the organisation’s sources again, this time checking for ‘hidden’ recordkeeping requirements. ‘Hidden’ or ‘implicit’ recordkeeping requirements are requirements that do not mention a need for records themselves, but describe a situation where a record really would be needed.

Laws are often a good source of ‘hidden’ recordkeeping requirements. Many laws say what the role or functions of a particular government organisation are. For example, a law setting up a new national library might have a section called ‘functions’, which could list these functions of the national library:

to collect publications relating to the nation

to make its collections available to the public

to provide advice and assistance to other libraries throughout the country.


15

Even though there is no mention of records here, the government and the community would expect that a national library would keep records about the functions that it is required by law to carry out. This means that even if there are no specific recordkeeping requirements in this act, there may be a ‘hidden’ requirement for the library to keep records about collecting publications, making collections available and assisting other libraries.

Policies and procedures may also include ‘hidden’ recordkeeping requirements. For example, a procedure for investigating complaints about an employee might require the investigating authority to check if there have been any other complaints about that person. Even though there is no mention of any type of record here, there would need to be a record kept of complaints about staff, or there would be no way of checking if there have been complaints in the past. Hence, there is a ‘hidden’ requirement to create records that document complaints made about staff.

Documenting Recordkeeping Requirements

Once all of an organisation’s recordkeeping requirements have been identified, they should be documented in a way that other people will be able to understand and use them in the future. Documenting requirements allows an organisation to:

prove that the organisation has carried out work properly and checked the sources identified

allow others in an organisation to see what the requirements are and make sure that they are meeting them

update requirements without having to search all sources again

use the information for other purposes.

To document recordkeeping requirements, organise them into logical groups. There are a number of types of groups that can be used to organise recordkeeping requirements. They include arranging them by:

the business activity to which they relate

the section of the organisation that carries them out

their level of importance.

There is a Recordkeeping Requirements Form at the end of this guideline that can be used to document recordkeeping requirements. Fill out a copy of the form for each group of recordkeeping requirements you have discovered. An example of how information can be recorded on a Recordkeeping Requirements Form is provided at the end of this guideline.

GROUPING BY BUSINESS ACTIVITY

Grouping the requirements according to the business activity they relate to is usually the best option, but can also be the most difficult to do. If the organisation already has a business classification scheme business activities will already be written out in that document, and the same headings can be used to group recordkeeping


16

requirements. Fill in one copy of the Recordkeeping Requirements Form in this guideline for each function in the business classification scheme.

GROUPING BY SECTION

Most organisations do not have a business classification scheme. If this is the case, the best option is probably to group requirements according to the section that is responsible for meeting them. For example, if there is a recordkeeping requirement that says the organisation must keep a record of all the passport numbers it has issued, find out which section is responsible for issuing passports. This section is responsible for making sure that it meets the requirement to keep records of passport numbers. Start a new Recordkeeping Requirements Form with the name of the section at the top of the form, and use it to list all of the recordkeeping requirements that relate to that section of the organisation. For each section that is responsible for a recordkeeping requirement, start a new form with the section’s name at the top.

GROUPING BY IMPORTANCE

Another option is to group recordkeeping requirements by their level of importance. This can be a useful system if there is not much time and to the analysis will only look at some of the organisation’s recordkeeping requirements. The problem with this approach is that it can make it difficult to keep track of who is responsible for meeting each requirement.

If using this option, think about how to decide which requirements are the most important recordkeeping requirements. The most important requirements might be the ones that:

are in laws and regulations, because the organisation will break the law if they are not met

come from members of the public, because the organisation could be embarrassed if they are not met

involve a lot of money, because this could be managed badly or even stolen if they are not met

relate to staff and customers of the organisation, because people could be disadvantaged or even hurt if they are not met.

Once the most important categories are decided, look for recordkeeping requirements already identified that fit into each category, and fill in a copy of the Recordkeeping Requirements Form for each group.

It is important that you put documentation about recordkeeping requirements on file. An organisation has a requirement to be able to find information about its recordkeeping requirements.


17

Using Recordkeeping Requirements

Documenting your recordkeeping requirements will be a waste of time if procedures are not examined to make sure that the organisation is meeting all of them. For each requirement identified, the organisation will need to check that it is doing what the requirement says it needs to do.

For example, if there is a requirement that says there must be a record kept of each passport number that has been issued, talk to the section of the organisation responsible for issuing passports to see if they are meeting this requirement. If there is a requirement that says that members of the public must be able to see a register of liquor licences, talk to the staff members responsible for issuing liquor licences to see if they know about the requirement and are providing access when it is needed. If members of the public are only allowed to see some of the information about liquor licences, is the section responsible keeping the information in a way that allows them to show some information to the public but not all of it?

There is room on the Recordkeeping Requirements Form to note if each requirement is being met. There is also space to make notes of suggestions for how the organisation can make changes to make sure it meets the requirements in the future.

If recordkeeping requirements are not being met, it may be helpful to talk to senior managers about getting more resources to manage the organisation’s records. If managers can see that they are breaking the law or making the public very unhappy by not meeting their requirements, they may be willing to pay more attention to the importance of good recordkeeping and to provide enough staff members and other resources to do the job better in the future.

Reviewing Recordkeeping Requirements

Recordkeeping requirements can change over time. The parliament may pass new laws or change existing laws for which the organisation is responsible. Citizen’s needs may change, and they may be expecting the organisation to keep information that it did not keep in the past. A new review by the auditor-general might find ways of improving the work of the organisation and suggest new recordkeeping requirements.

Organisations should review their recordkeeping requirements regularly to try to keep them up to date. It is best to update the requirements each time there is a change – for example, when a new law is passed or a new review of the organisation is released.

Otherwise, try to do a review of the requirements each year. A review does not need to take as long as the original process. To review recordkeeping requirements, go back to the sources already documented and see if anything has changed. Possible changes might be amendments to laws, or changes to internal procedures. Then, talk to the staff to see if there have been any new reviews, laws, policies or procedures, and check these for new recordkeeping requirements. Check any complaints files and media clippings files to see what has been added since the last time recordkeeping requirements were assessed.


18

Recordkeeping Requirements Form

Requirements group name: Date documented:

the name of the business activity these requirements relate to;

the section responsible for meeting these requirements; or

a description of the level of importance of these requirements.

Requirement description Source Activity/Responsibility Type

Is this requirement being met?

Describe what is being done to meet this requirement

How can this requirement be met?

Make notes of any suggestions for making sure this requirement is met in the future


19







20

Recordkeeping Requirements Form - Example

Requirements group name: Passport Processing Section Date documented: 14 May 2012

the name of the business activity these requirements relate to;

the section responsible for meeting these requirements; or

a description of the level of importance of these requirements.


A register of passport numbers is needed so that numbers are

only issued once. Passports staff must write in the register the

name of the person to whom they are issuing a new number.

Interview with Senior

Passports Officer, 12 April

2012. See file number

03/02/23.

This work is part of the

passports control activity.

Creation

Content



No. The Register is being kept, but staff members do not always write the name of a person in it when they issue a new passport. This means

that other staff do not know this number has been used, and may use it again for another passport.



Increase training in proper procedures for staff. Develop written procedures for passports control activity.


21


‘On application made to him in writing, completed in the

prescribed form, the Passport Officer may endorse a passport’

Passports Act 1982, s. 12(1) This work is part of the

passports control activity.

Creation

Content



No. Passports officers sometimes endorse passports when the passport holder asks in person, without receiving an application in writing.



Develop new passport endorsement forms. Provide updated training for passports officers. Develop written procedures for passports control

activity.


22

PART 2: IDENTIFYING RECORDKEEPING REQUIREMENTS USING

ISO/TR 26122

In achieving business goals and objectives organisations undertake various work processes. A work process is a set of steps carried out that deliver an outcome for an organisation, such as issuing an invoice or responding to a request from a client.

The international standard for undertaking a work process analysis, ISO/TR 26122, provides guidance on work process analysis from the perspective of the creation, capture and control of records.

What is a Work Process Analysis

Work process analysis consists of taking a snapshot of a system or methodology at a point in time, irrespective if processes are stable or not. The norm for most business environments is that a detailed analysis is done once and the results are defined in procedures and work instructions, which are re-visited on an annual basis as part of an audit and review process to ensure adherence to requirements. There is no standard business norm for the analysis and documentation of work processes. Outputs may be one or many pages of script or flowcharts.

The analysis can be sized to meet various requirements i.e. from a comprehensive identification and analysis of all functions of an organisation down to micro-level analysis of a particular process in a single business unit. The scale and level of detail will depend on the organisation's risk assessment and the purpose of the records management task.

Work process analysis must be validated by participants in order to ensure the comprehensiveness, accuracy and reliability of the results. In addition this validation will facilitate the acceptance of the findings and collaboration in the implementation of new or improved systems.

Why Undertake a Work Process Analysis?

Work process analysis for records is used to gather information about transactions, processes and functions within organisations to identify the requirements for records creation, capture and control.

Two approaches are identified in ISO/TR 26122: functional analysis, which is the breakdown of functions into processes (across the whole business); and sequential analysis, which is the breakdown of the flow of transactions (of a single process or work within a business unit). This activity can also be aligned with a concept called requirements analysis which is part of the system development process and results in various outputs such as specifications, procedures. As with the previous method, a review of the context in which an organisation operates should be carried out prior to functional or sequential analysis. Use the questions below to complete a work process analysis.

An important final part of the process is to obtain written confirmation of findings, recommendations and implementation plans from appropriate levels of management.


23

Reviewing Context

A contextual review forms the basis from which to carry out functional and/or sequential analysis.

Elements to be considered include:

statutes, laws and regulations impacting the business environment

standards

best practice

codes of conduct and ethics

community expectations

organisational policy, rules and procedures.

For a public sector organisation, the functions and processes will be governed by legislation and laid down in policy. For other organisations, the functions and processes are defined by an organisation’s prospectus, mission statement or policy documents that define its strategic and business goals.

CONTEXT QUESTIONS

What legislation or mission statement governs the work environment and processes being reviewed? For most countries in the world there will be a specific piece of legislation for each government department i.e. for a Health Department, a Health Bill that defines the mandate or services that the Department must deliver to the public. For a private company there would be some type of legislation such as a Companies Act that prescribes the business environment that it operates in and this is translated into a mission statement for various stakeholders.

What other legal requirements have an impact upon or influence the functions or process? A common requirement may be the country’s Constitution or Bill of Rights, which may dictate certain norms and standards to be adhered to.

Are there mandatory standards and regulations with which the function or process is required to comply? For example, all countries that operate in a nuclear environment must comply with international standards on nuclear safety that are regulated by the International Atomic Energy Agency.

Are there organisational rules, codes of practice or codes relevant to the function or processes? For example, all organisations have a code of conduct that prescribes rules regarding discrimination, discipline, etc.

What are the specific procedures that govern the processes?

What community expectations might influence a function or process? A community expectation will be that any organisation that operates in its space will not contaminate or destroy the environment.


24

Where are the processes located in the organisation (i.e. centralised or decentralised, across more than one organisation, across more than one jurisdiction)? Is the organisation consolidated or divided into a functional or process hierarchy, is it one business or many, does it operate in one or many fields of authority?

What is the key outcome of a process, and who is responsible for the outcome? Who does the responsible individual report to? Who is legally responsible for the outcomes and what are the main results?

Which participants in the organisation are involved in the processes and where are they located?

Functional Analysis

There are four basic steps in a functional analysis:

identify the goals and strategies of the organisation

determine the functions of the organisation by which these goals are achieved

identify the processes of the organisation that constitute these functions

analyse the constituent elements of the processes to identify the transactions that constitute each process.

The aim is to discover the tasks and transactions during which record creation takes place.

FUNCTIONAL ANALYSIS QUESTIONS:

What are the operational functions of the organisation (i.e. those that meet the unique objectives of the organisation)?

What are the administrative functions of the organisation that support the delivery of the operational functions? For example, procurement, human resources, finance, records management, etc.

How are the operational and administrative functions related to one another and to the structure of the organisation?

Who are the participants involved with the performance of the operational and administrative functions and where in the structure are they situated?

Is a function or a significant group of processes undertaken by more than one organisation in the same or different jurisdictions?

Has a function or a significant group of processes been outsourced to another organisation?

What are the main processes which constitute each operational and administrative function?

How are these processes related to each other?

What are the constituent transactions of each process?


25

Sequential Analysis

Sequential analysis focuses on work processes at a transactional level and maps the progression, linkages and relationships with other processes.

The basic steps in a sequential analysis are to:

identify the sequence of transactions that constitute a process

identify and analyse the variations to the process

establish the rule base for the identified constituent transactions

identify the links to the other processes and systems.

SEQUENTIAL ANALYSIS QUESTIONS TO IDENTIFY THE SEQUENCE OF

TRANSACTIONS THAT CONSTITUTE A PROCESS:

What initiates the sequence and how is it recorded? I.e. What is the trigger for the process, and what is registered in the business system as a record of the transaction?

What information and other resources are required to start the sequence?

Where does the information and other resources come from?

What triggers the successive transaction?

How do the participants know each transaction has been completed?

Are their parallel sequences at any point of this process?

If so, where do the parallel sequences converge?

What are the key conditions that should be met to authorise the sequence?

How and where are the decisions and transactions recorded, as the sequences unfold?

What concludes the sequence and how is it recorded?

QUESTIONS TO IDENTIFY AND ANALYSE VARIATIONS TO THE PROCESS:

What conditions are attached to authorising and/or completing the sequence of transactions?

What happens if the conditions are not met?

What are the procedures that identify these conditions and any variations to them?

What participants initiate or trigger the variation to the process?

Who authorises the transaction? What happens if the authoriser is not available?

What happens if any of the information and other resources and systems needed to perform the process are not available?

If the work process needs to be re-routed, where does it go?

Are there other ways of performing the sequence of transactions that are sometimes used, and if so why?


26

What events can prevent the process from following its routine patterns? Events such as an emergency can facilitate short-cuts.

What is the response?

Are there established contingency procedures covering situations when something goes wrong? There must be a back-up or emergency process to cover such eventualities.

Who is accountable for dealing with breakdowns in the process or complaints about the performance?

What information or records are generated, stored or transferred to other processes if there are variations in the sequence of transactions?

QUESTIONS TO ESTABLISH THE PROCEDURAL RULES GOVERNING THE SEQUENCE OF TRANSACTIONS:

Which transactions are included to comply with the regulatory requirements? Transactions need to be classified in order to understand the reason for each. Some address support functions such as auditing, some are required for legal purposes such as tax returns, some address system needs, etc.

Which transactions are determined by the means of the process (technology deployed, physical and organisational arrangements)? .

Which transactions are taken to access the information necessary for the process? List all the relevant transactions used to identify the process.

Which transactions are needed to get and record authorisation and completion? List all relevant transactions that authorise the process and complete the transaction string.

What are the transactions for monitoring progress and outcomes? List the relevant transactions.

QUESTIONS TO IDENTIFY THE LINKS TO OTHER PROCESSES:

Does the process require inputs from other processes? What triggers each process?

If input is needed, what is the nature of the input (information or other resources)? Business process mapping facilitates all the inputs to a process down to transaction level, which varies at various stages of the sub-process.

What records or other information sources are accessed to undertake this process and how are they modified by the process?

Does the process involve more than one business unit, organisation or jurisdiction?

If so, how does the process involve other business units, organisations or jurisdictions?

Does the process produce output that is required by other processes? If so what is the nature of the output?

Does this process modify records or information/data? If so what is the nature of the modification? Business systems should not allow modification to an existing record.


27

What information or records are generated, stored or transferred to other processes? Where are they transferred?

What other use is made of the records or information generated by this process?

QUESTIONS TO VALIDATE THE ANALYSIS:

Are all necessary transactions in the process included?

Are the documented reasons for each transaction accurate?

Is the sequence of transactions and their relationship described accurately?

Are the variations to the sequences identified and documented?

Are the processes that constitute the function(s) identified and documented? Business process mapping can be viewed at a process, sub-process, task or transaction level.

Is the context within which the organisation conducts its work process accurately identified and documented? The context includes the mission statement, functions and activities that it conducts in the market or in a community.

Do the descriptions and terminology used reflect organisational usage so they can be understood easily? Use of a taxonomy and classification schema will ensure the correct language of the business and its framework.


28

PART 3: FUNCTIONAL REQUIREMENTS FOR RECORDS IN

BUSINESS SYSTEMS

Guidance on functional requirements have been grouped according to the four key areas outlined in ICA-Req Module 3. They are based on the following desired outcomes arising from proper records management:

Creating records in context (ICA-Req Module 3 Section 3.1)

Managing and maintaining records (ICA-Req Module 3 Section 3.2)

Supporting import, export and interoperability (ICA-Req Module 3 Section 3.3)

Retaining and disposing of records (ICA-Req Module 3 Section 3.4).

ASSUMPTION

This guideline assumes that the preliminary analysis involved in determining what records are required or should be kept as evidence by an organisation, based on its core functions or operational needs, has already been conducted. The next step is to ensure that the business system creating and maintaining such records incorporates the required records management functions to ensure the authenticity, reliability and integrity of the records.

COMPLIANCE

ICA-Req Module 3 outlines recommended obligation levels for the recordkeeping functionalities it identifies. The obligation levels indicate the relative importance of each of the functional requirements. There are three levels:

‘Must’ requirements are mandatory for compliance with the specification. If the system software does not meet this requirement, the business system will not be compliant with Module 3 of ICA-Req.

‘Should’ requirements are recommended, but may not be implemented when there are valid reasons for non-compliance.

‘May’ requirements are optional.

In assessing whether to include a functional requirement in a specification, an organisation needs to also take into consideration its own specific needs.

Creating Records In Context

This section explains how records should be created, captured and managed in context. Business systems that undertake business activities or transactions need to capture evidence of those activities completely and accurately. Such records must be protected from both accidental and deliberate unauthorised change.

CREATING A FIXED RECORD

Capturing records means that:

they become fixed in time;

are stored in a location where they can be retrieved, accessed and managed.


29

Creating a fixed record is the process of registering a document into a recordkeeping system, assigning metadata that describes the record and placing it in context of the business of the organisation. The context of a record equates to how the record was used and how it relates to other records held by an organisation.

Some systems capture records automatically. Others systems need the record to be captured manually. Locations that should not be approved for capturing records of ongoing value include:

shared and personal drives;

work group spaces.

RECORD METADATA

Record metadata may be:

Embedded in or part of the record.

Encapsulated in layers with the record.

Separately stored and linked to the content components of a record.

Captured when a record is created i.e. ‘point of capture’ or it may be added as the record is used or amended i.e. ‘process metadata’ is captured when recordkeeping actions are applied to the record.

Held in a database separate from the content.

Generally, metadata can be grouped into three categories:

Descriptive metadata (that describes the record) – for example, content of the record, who created the record, date of record, etc.

Provenance/Access metadata – for example, source of record such as a depositing agency, who can access or use the record, security classification, etc.

Technical metadata – for example, identification number of the record when it is captured in the business system, file format, fixity, etc.

A ‘fixed’ record needs to remain an authentic record; one that is what it purports to be and is completely free from any addition, deletion or corruption. Additional processes relating to a record may occur in a system. However, the original record should not be altered but a new version of the record should be created to augment the existing original. The data needed to record any additions, alterations or amendments to the record should not overwrite the original, but be added as new data.

A reliable record is one that contains a full and reliable representation of the facts which the record documents. Authenticity is concerned with the truth of the record as an object, whereas reliability is concerned with the truth of the contents of the record.

Integrity refers to the record being complete and without unauthorised alterations. Integrity is shown by custody in an archival system or by assignment of digital signatures to documents. A system should therefore provide controls over data integrity, including a comprehensive audit trail of system use and/or check lists.


30

The properties discussed above of context, authenticity, reliability and integrity are not contained in the content of the record itself. Instead, these required characteristics need to be built into a system via the use of controlling metadata.

A business system therefore ‘fixes’ a record in the system by assigning it with a unique number and by assigning metadata that holds the information necessary to show the context, authenticity, reliability and integrity of a record. Records management metadata required to ensure the appropriate management and use of a record is covered in more detail under ‘Managing and maintaining records’.

MANAGING RECORD AGGREGATIONS

Record aggregations can exist at many levels. Aggregations of electronic records are accumulations of related electronic record entities that, when combined, may exist at a level above that of a singular electronic record object. In business systems, the record aggregations will be specific to the tasks and transactions being performed by that system.

Aggregations represent relationships that exist between the electronic records controlled in a business system. Aggregations are a logical construct, rather than a physical reality, outlining relationships.

These relationships are reflected in the links and associations that exist between the related electronic records, and between the electronic records and the system. Hence metadata needs to be assigned to reflect the relationships inherent in the layers of the aggregation.

The management of aggregations of records can be supported by a records classification tool that will allow data values to be assigned or inherited from a business or records classification scheme.

RECORDS CLASSIFICATION

A classification system is the set of terms and conventions applied in a particular organisational setting to classify, title and retrieve records and other business information. It defines the way in which records are grouped together (aggregated) and is linked to the business context in which they are created or transmitted.

A records classification scheme was traditionally based on organisational structure or subject; however classification schemes can also be based on business function. Functions and activities can provide a more stable framework for classification than organisational structures that are often subject to change through amalgamation, devolution and decentralisation. ICA-Req Module 3 assumes that a records classification scheme used in a business system will be function based.

The following links provide guidance on how to develop a record classification scheme or a functions thesaurus:

Overview of Classification Tools for Records Management http://www.naa.gov.au/Images/classifcation%20tools_tcm16-49550.pdf

National Archives of Australia. ‘Developing a functions thesaurus. http://www.naa.gov.au/Images/developing-a-thesaurus_tcm16-47228.pdf

http://www.naa.gov.au/Images/classifcation%20tools_tcm16-49550.pdf

http://www.naa.gov.au/Images/developing-a-thesaurus_tcm16-47228.pdf


31

Managing and Maintaining Records

This section provides a list of functional requirements to help manage records upon their creation to ensure that they retain their authenticity, reliability, integrity and usability. The functional requirements outlined are over and above the normal business system security and access controls, such as who can edit and amend information and audit logs.

METADATA CONFIGURATION

This section provides guidance on the required functions to configure the metadata. In records management, recordkeeping metadata is used to:

Manage records (location, description, disposal metadata).

Manage security (access and ‘use’ metadata).

Understand the records and the business they document (context metadata).

Understand the way in which they have been used and managed (event history metadata, audit trails).

Minimally, the business system must be able to define and collect all elements of metadata to create a metadata profile, as well as use the metadata contents to determine a functional process (for example, metadata pertaining to retention period and disposal action must be linked to the preservation module of the system). It should also support mechanisms for validating the contents of metadata elements (e.g. formats, range of values, etc).

The metadata profile of a record should also be linked to the records it describes and retained for accountability purposes.

Note: ICA-Req refers to ISO 23081 Parts 1 and 211, the international standards for records management metadata, but national and jurisdictional metadata standards also exist, so organisations will have to assess their particular metadata requirements and see whether they have metadata requirements in addition to ISO 23081 that need to be incorporated into their business systems. If that is the case formalised mapping, in the form of a metadata registry, and updating between the jurisdictional metadata schemas used and ISO 23081 will be essential.

11 ISO 23081 – 1:2006, Information and Documentation – Records Management Processes – Metadata

for Records, Part 1 – Principles

ISO/TS 23081 – 2:2007, Information and Documentation – records management Processes –

Metadata for Records, Part 2 – Conceptual and Implementation Issues.

(The Recordkeeping Metadata Standard ISO 23081 outlines the contextual data that can be associated with a record or a group of records, i.e. the metadata fields and the associated contextual data that can be included in the fields. Some of the metadata fields are compulsory, others optional. When analysing the recordkeeping requirements of an organisation, reference should be made to the records management standard ISO 23081 so as to identify the metadata fields that apply to the records identified in the analysis process. ICA-Req Module 3 makes reference to a number of metadata fields and indicates whether or not they should be compulsorily applied.)


32

RECORDS RE-ASSIGNMENT, RE-CLASSIFICATION, DUPLICATION AND

EXTRACTION

Whilst a record must be fixed to ensure its reliability and authenticity, normal business requirements will necessitate the retrieval, re-use or amending of records. This could take the form of:

Re-assignment of records from one aggregation of records to another

Re-classification of record groups

Duplication of records

Extraction of part or whole of a record.

This section provides a list of functional requirements that allows the above business functions to be performed without altering the original ‘fixed’ records. A point to note is that duplicates and extractions, if kept in the same systems, should be treated as new records, linked by metadata, to the original ‘fixed’ record. If in an external system, their existence will need to be noted in the record metadata profile of the original record. Assigned metadata needs to make note of any changes made to a ‘fixed’ record and who made them.

REPORTING ON RECORDS

This section highlights the need for business systems to be able to report the actions performed on electronic records, and to produce a report listing on the details and outcome of any migration process to ensure the integrity of the records.

ONLINE SECURITY PROCESSES

An organisation needs to ensure that its records remain accessible to authorised users for as long as they are required to meet accountability, legislative and business requirements.

The functional requirements in this section (use of audit trails, encryption and digital signatures, etc) are aimed to ensure that online security processes are in place. These will help to:

Prevent unauthorised access to records by employing: o Verification of identity; o Certain sign on procedures; o Password requirements.

Prevent the loss of records in business systems.

Prevent tampering or alteration of records by unauthorised person.

Establish the history of records; and

Prevent unauthorised destruction of records.

However, though access and security measures are essential, their requirements should nevertheless not impede a system’s ability to provide easy and timely access and retrieval of records held within it.

Supporting Import, Export and Interoperability

This section outlines the functional requirements to support the import and export of records, both within and between systems, without the loss of content or metadata.


33

Business systems exchanging, importing or exporting records need to be interoperable across different platforms and domains. As such, record information must be encoded in a manner that is understood and able to be modified, if necessary, for migration to newer technology platforms.

An organisation may import and export records in order to:

Export to an electronic records management system.

Export to another organisation.

Export to a different department in the event of machinery of government changes, or re-organisation.

Migrate records to a new system at the end of the current business system’s lifespan.

Import records from other business systems, for example in collaborative business environments.

Transfer records to an archival institution or to a secondary storage.

Interoperability of export and import of records between systems is facilitated through the use of open formats. Open formats:

Are based on open standards where the full specification of the standard is publicly available without restriction.

Are community developed rather than by a single vendor or interest group.

Have multiple implementations. For a format to be truly open, multiple separate software implementations created by different authors or organisations should exist.

Have no licensing constraints, i.e. there are no intellectual property licensing or patent restrictions on the use of a format.

Interoperability and the interoperable exchange, export and import of records plus the associated metadata, relies on the records and associated metadata being in a structured and organised format. Standardised metadata is an essential prerequisite for business system interoperability within and between organisations. The metadata standards underpinning ICA-Req as mentioned earlier are:

o ISO 23081 – 1:2006, Information and Documentation – Records Management Processes – Metadata for Records, Part 1 – Principles

o ISO/TS 23081 – 2:2007, Information and Documentation – records management Processes – Metadata for Records, Part 2 – Conceptual and Implementation Issues.

Retaining and disposing of records as required

This section outlines functional requirements that helps ensure records are retained and disposed of according to retention periods (i.e. how long records need to be kept) and disposal actions (i.e. destruction or transfer of records after the expiry of the retention period) as authorised at a senior level and in accordance with legal obligations.


34

ICA-Req and ISO 16157-3:2010 assume that a valid and approved disposal and/or retention schedule will be in place to cover the records in a business system. The standard assumes that:

Disposition actions are carried out effectively and that systems allow for it either internally or by integrating with external software components.

Records can be reviewed when they reach their disposition deadline and the action can be amended or changed if required.

Records are appropriately destroyed, in accordance with an authorised disposition schedule, and only after agreed sign-off by authorised staff.

The destroyed records’ metadata is kept together with evidence of the disposition actions whether carried out within the business system or through integration with another system.

Reporting can be undertaken on the disposition activity.

The PARBICA Recordkeeping for Good Governance Toolkit, Guideline 712: Disposal Schedule for Common Administrative Functions gives a good outline of the rationale for records disposal and the steps involved in developing a disposal schedule/authority.

Guideline 813 of the PARBICA toolkit then gives an outline of how to implement a disposal schedule.

Compliance and Disposition Authorisation Regimes

An organisation usually can only dispose of its records according to a ‘records authority’. Such authorities may come in the form of:

Organisation or agency-specific business authorities.

General records authorities that cover business performed across agencies or allied organisational units.

Normal Administrative Practice authorities which allow for the disposal of low-level records of short-term value. Records can be routinely destroyed using such authorities if they do not provide evidence of agency business and do not form part of its corporate records.

The business system should be capable of providing built-in functionality to support the definition and application of disposal classes applicable to the records created or received by the system. Minimally, the system must support the controlled disposition of records legally authorised for disposition and maintain a history of all changes to the disposition classes.

12

Guideline 7: Disposal Schedule for Common Administrative Functions covers:

What is disposal?

What is a disposal schedule?

Why have a disposal schedule?

Contents of the Disposal Schedule

Criteria used to decide disposal actions

How to use the disposal schedule

Disposal schedule for common administrative functions 13

PARBICA Recordkeeping for Good Governance Toolkit. Guideline 8:Implementing the Disposal Schedule for common Administrative Functions gives an outline how to implement a disposal schedule.


35

Disposition Application

Disposal (or disposition) of records does not necessarily mean destruction – it merely indicates what is to happen to a record or record aggregate at the end of its set retention period, which could be either destruction or retention of the record as an archive (making it a record of permanent/long-term value). The usual records disposal actions are:

Destruction of records which no longer have value.

Records with an enduring value being transferred to an archive.

The disposal classes identified in a disposal authority also identify the disposal action required for that group of records. A record class consists of records performing or recording a similar business function i.e. set of transactions, and therefore have the same minimum retention period and same disposal action.

Ideally business systems will need to be designed to ensure the retention rules and disposition metadata fields are built into the system so that automatic disposition processes can apply. Where a business system does not incorporate automatic disposition processes into its software specifications, it will need to include procedures that manually map disposition authorisation to the records controlled by the system and manually apply disposition action to the records.

Review

This section highlights the need for a business system to provide an alert when a records retention period is coming to an end, to enable a review of the disposal action, set down for that class of records to be conducted. A review process prior to initiating the disposal action allows for a reassessment of the value of that record, or aggregation of records, a re-setting of the retention period, or a review of disposal action to take.

The issues associated with the disposition of records is outlined in ISO 15489.2-2002, section 4.3.9.

Destruction

This section outlines the importance of the business system to have the dual function of ensuring confirmation is received from the appropriate level of authority for the destruction of records, and ensuring the complete destruction of the said records once confirmation is received.

Disposal of electronic records requires business systems to know where copies (deliberate, temporary, deleted and backed up copies) of records to be destroyed are located and how to completely erase the data. Often the way in which media store data makes it difficult to erase material completely. Secure disposal and computer forensics experts may need to be consulted when sensitive data is to be deleted. Secure deletion mechanisms usually over-write the data with randomly generated data to ensure that it is removed.

Once a record has been sentenced for destruction, it should be destroyed in such a way that it cannot be re-created. This is particularly important for digital records, where ‘deletion’ is not the same as destruction. Also the method of destruction will depend on the records’ security classifications and format.


36

However, even where the destruction of records is permitted under a records authority, they may not be destroyed if they are likely to be needed for legal or other purposes. This may be known as a ‘disposal freeze’ or ‘records hold’. An archives or an organisation may call a ‘disposal freeze’ for a certain group of records which will hold until the freeze is lifted or further instruction regarding the disposition of the records is issued.

Disposition Metadata

This section notes that business system must necessitate the capturing of metadata for disposition processes, including the changes to the metadata and linking the disposition metadata to the functionality it represents.

As part of any disposal activity, a business system must be able to produce reports on all activity undertaken, including activity undertaken by external disposal mechanisms integrated or interfaced with the system (Reporting on disposition activity ICA-Req, Module 3 section 3.4.6).

Endnote

In assessing whether to include a functional requirement for its business system, an organisation needs to also take into consideration its unique specific needs, the changing technological and legal environments, as well as other factors that may impact its work and obligations.


37


38