Practical Tools for Electronic Records Management and Preservation

Functional Requirements to Ensure the Creation, Maintenance, and Preservation of Electronic Records

The Functional Requirements to Ensure the Creation, Maintenance, and Preservation of Electronic Records were developed to communicate to program and information technology managers what organizations must achieve to ensure that electronic records are created, maintained, and preserved to support their operational, informational, and evidentiary needs. These requirements should be implemented in any system developed to support an organization's business processes. The Functional Requirements rest on a concise definition of a 'record.' We define a 'record' as the complete set of documentation required to provide evidence of a business transaction.

Underpinning all three functional requirements is the concept of 'compliance.' The laws, regulations, and policies that authorize or define a specific government business process, either explicitly or implicitly, define the records management requirements for that process. The requirements identify the records that must be created and may define requirements for records management, access, content, and structure. Many professions or disciplines also have established standards or best practices for records management related to their fields. An organization must identify these requirements and determine how they will be implemented. In addition, changes in the legal and regulatory environment and in professional standards need to be monitored and reflected in modifications to the requirements. Each requirement can be mapped to a compliance factor based in law, regulation, standard, or best practice. The use of the term 'best practice' refers to practices formally adopted or generally accepted by a profession or discipline. Examples of best practices include Generally Accepted Accounting Principles and the American Health Information Association's Recommended Practices for Information and Documentation.

A 'record' is the complete set of documentation required to provide evidence of a business transaction.


Three Functional Requirements for Electronic Records Management & Preservation
  1. Records Capture - Records are created or captured and identified to support the business process and meet all records management requirements related to the process.
  2. Records Maintenance and Accessibility - Electronic records are maintained so that they are accessible and retain their integrity for as long as they are needed.
  3. System Reliability - A system is administered in accordance with best practices in the information resource management (IRM) field to ensure the reliability of the records it produces.


1. Records Capture

Records are created or captured and identified to support the business process and meet all recordkeeping requirements.

Justification: Organizations must capture or create records necessary to carry out a business process and to meet the specific recordkeeping requirements tied to that process. The capture and creation of electronic records requires that the system supporting the business process can capture or create records in the required form including required informational content and contextual elements (e.g., authorizations, date stamps). Records must also be identified when they are captured to ensure their accessibility, usefulness, and preservation.

  1. Create or capture a record for all defined business transactions at the appropriate point in the business transaction or information life-cycle.
  2. Import records related to business transactions created in other environments.
  3. Records comply with business process requirements as far as structure, content, and context of creation.
    1. Allow only authorized individuals to create or capture records at the appropriate point in the business transaction or information life-cycle.
  4. Identified - Unique identifier for each record.
    1. Minimal record identification data (meta data) is available for all records.
      1. Identity of record creator or source or owner (business unit).
      2. Date of receipt or creation.
      3. Level of security or restricted access.
      4. File classification.
      5. Indexing information such as subject or thesaurus terms.
      6. Records disposition information (may be linked to file classification).
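
The capture requirements listed above can be enforced as a gate at the point where a system accepts a record. The sketch below is an added example, not part of the original guidelines: the class, field names, and sample values are assumptions, and the stored content digest is an added assumption that gives later integrity checks a baseline.

```python
import hashlib
import uuid
from datetime import date

# The six minimal identification elements from the list above.
# The field names are assumptions chosen for this example.
REQUIRED_METADATA = (
    "creator", "date_created", "security_level",
    "file_classification", "index_terms", "disposition",
)

class CaptureError(Exception):
    """Raised when a submission fails a records-capture requirement."""

class RecordStore:
    def __init__(self, authorized_creators):
        self.authorized = set(authorized_creators)
        self.records = {}

    def capture(self, user, content, metadata):
        # Only authorized individuals may create or capture records.
        if user not in self.authorized:
            raise CaptureError(f"{user} is not authorized to capture records")
        # Minimal identification metadata must be present and non-empty.
        missing = [k for k in REQUIRED_METADATA if not metadata.get(k)]
        if missing:
            raise CaptureError("missing metadata: " + ", ".join(missing))
        if not isinstance(metadata["date_created"], date):
            raise CaptureError("date_created must be a date")
        # Each record receives a unique identifier at capture time.
        record_id = str(uuid.uuid4())
        self.records[record_id] = {
            "content": content,
            "metadata": dict(metadata),  # copy so later edits by the caller do not leak in
            "sha256": hashlib.sha256(content).hexdigest(),  # assumption: integrity baseline
        }
        return record_id

if __name__ == "__main__":
    # Constructed sample data.
    store = RecordStore({"clerk01"})
    meta = {
        "creator": "Licensing Unit", "date_created": date(2024, 1, 15),
        "security_level": "restricted", "file_classification": "LIC-04",
        "index_terms": ["permits"], "disposition": "retain 7 years",
    }
    print(store.capture("clerk01", b"permit application", meta))
```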


2. Records Maintenance and Accessibility

Electronic records are maintained so that they are accessible and retain their integrity for as long as they are needed.

Justification: Agencies are required to retain electronic records to meet minimal legal retention requirements imposed by business process specific administrative needs and legal or regulatory requirements. Records need to be maintained so that they are reliable and authentic. In addition, they should be legally disposed of only under an authorized disposition plan. Agencies also need to ensure that records remain accessible and useable to support the primary purposes for which they were created and any predicted secondary purposes for as long as the records must be legally retained. Records designated as 'archival' must be preserved in an accessible and useable form on a continuing basis by the agency or transferred to the relevant archival authority.

  1. Maintain integrity of records as created {all related data, documents, proofs of authenticity (e.g., electronic signatures) that comprise a record of a business transaction can be accessed, displayed, and managed as a unit}.
  2. Accessible
    1. Records or part of record can be easily retrieved in normal course of all business processes in a timely manner throughout the entire retention period.
    2. Records are searchable and retrievable for reference and secondary uses including audits and legal proceedings throughout the entire retention period.
      1. Complete records can be migrated to new system.
      2. Related meta data can be migrated to new system.
      3. Functionality necessary for predicted use of records can be reproduced in new system.
        [Note: Functionality should be based on predicted use based on status of records. For inactive records, the ability to search and retrieve records may be sufficient. For records still actively engaged in a business process, full functionality may be necessary.]
    3. Copies of records can be produced and supplied in a useable format for business purposes and all public access requirements.
  3. Disposition
    1. Authorized records disposition plan can be implemented.
    2. Authorized individual validates or changes records destruction or transfer.

3. System Reliability

System should be administered in line with best practices in the information resource management (IRM) field to ensure the reliability of the records it produces.

Justification: The acceptance of records for legal, audit, and other purposes is contingent on establishing their authenticity and reliability by demonstrating the trustworthiness of the system used to produce them. Systems that produce records must be shown to do so in the normal course of business and in an accurate and timely manner. System administration must incorporate established best practices in the data processing field. Policies, procedures, training and support programs, and controls must be documented.

  1. Recordkeeping system employed exclusively in normal course of business.
  2. Redundant (paper) recordkeeping system is discontinued.
  3. System management roles and responsibilities are assigned.
    1. Principle of separation of duties is implemented.
  4. Adequate system controls are in place.
    1. Audit trails developed and implemented within the system.
    2. Routine tests of system performance are conducted.
    3. Reliability of hardware and software is tested.
    4. Adequate security is provided to prevent unauthorized access, changes, and premature destruction of records.
    5. Controls for the accuracy and timeliness of input and output are established.
    6. Problem resolution procedures are in place.
  5. Disaster recovery plan is in place.
  6. All system management policies and procedures are defined and documented.
    1. Changes in policy and procedure are documented and implemented.
  7. Training and user support are adequate to ensure system procedures will be implemented by users.