Confusion over data storage and retrieval requirement could cost organisations dear

Storage companies unclear about their obligations to retain and provide information

Companies unclear about their obligations to retain and provide information.

There is a great deal of confusion among organisations over how they should store information.

As a guide, if information needs to be retained as a statement of fact, then an organisation must be able to prove that a piece of information - e-mail, fax, document or graphical image - has not been altered.

The only effective way of providing this proof is to declare it as a record and store it in a document management system. The declaration should take place as soon as a document or piece of information is deemed to be complete, for example, when it will no longer be altered. For business e-mail this will be at the point of capture or send; for a form in the public sector, such as a birth certificate, it will be on creation.

The major driver for records management is compliance. However, few organisations have a clear understanding of their obligations, under current and pending regulations, to retain information. This is leading to confusion over whether data should be retained and for how long.

This ignorance will cost organisations dear as regulators get tougher on companies that fail to discover and retrieve information within the requested timeframe.

Document and records management is a complex area and the only way it can be implemented successfully, with appropriate retention periods for each type of information, is to appoint a records or information manager. This person should have sole responsibility for setting retention periods and disposal schedules, based not only on the retention periods set by law or regulators, but also on the knowledge capital contained within pieces of information.

The records manager must work alongside IT to ensure the appropriate technology is put in place to support the management of documents and records.

One major issue is the ability to discover and retrieve information. This may be for internal purposes, for regulations such as Sarbanes-Oxley, regulators such as the Financial Services Authority, courts, or in the public sector for subject access requests under the Freedom of Information Act.

This requires search and retrieval technology with effective indexing and classification. It may also involve archiving records once they are no longer required regularly.

To date, many document and records management implementations have been departmental, or delivered only to select users. But to be effective, they must be implemented across an organisation with access to specific information and information types via access rights and permissions.

This should also ensure that there is never a situation where information is stored on local devices and is not backed up or protected.

As well as helping organisations comply with regulations, a sound document and records management policy can aid employee performance. Without a document and records management system, workers can spend up to 80% of their time looking for information.

IT directors need to ask themselves whether their organisations can afford such a low level of productivity.

Susan Clarke is senior research analyst at the Butler Group.

Read more on IT risk management

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.