Ask the Expert - Retention
About the Expert:
Joyce L. Tompsett, principal product marketing manager with EMC Corporation, works in the information governance group. She has responsibility for the records management solution products and also works with the SourceOne products. Prior to joining EMC, Tompsett spent 12 years as an industry analyst in Europe and the United States, focused on strategic marketing and consulting engagements. She also worked in marketing for Dell Computer and Tricord Systems. Tompsett has a bachelor’s degree in Russian, east European studies, and political science from the University of Michigan in Ann Arbor, Mich.
Tompsett can be contacted at joyce.tompsett@emc.com.
Questions:
Q. What is the difference between records management and retention?
Records management, as defined by ISO 15489-1 Information and Documentation – Records Management – Part 1: General, is “the efficient and systematic control of the creation, receipt, maintenance, use, and disposition of records, including processes for capturing and maintaining evidence of and information about business activities and transactions in the form of records.”
As the volume of content within organizations continues to grow, managing it becomes a business-critical undertaking. Although not all content in an organization would be considered a formal record (which ARMA International defines as “recorded information, regardless of medium or characteristics, made or received by an organization in pursuance of legal obligations or in the transaction of business”) and be managed in a complete records management system, most organizations are looking to achieve two goals with their information and/or records management solutions:
- To manage the information throughout its lifecycle
- To manage content in adherence with their governance and compliance rules
This means the appropriate version(s) of content should be retained for a finite period of time in a known location. Organizations can create policies to manage content throughout its lifecycle, which may include applying retention to it for a defined period of time to meet operational, legal, regulatory, or internal requirements. After that time, it becomes eligible for disposition, either by destruction or by transfer to an archive for long-term preservation.
The content under retention may or may not have relevance to a particular business process or other context, but it needs to be retained as part of a policy. A records management product is usually applied to content that is part of a business process or workflow. This may be such items as a contract, an insurance claim, or a medical record.
Content that has retention applied to it usually has immutability – which means that it cannot be changed. Any change would result in a new version and a new record. It should also be noted that it is possible to render content immutable without also making the metadata immutable. Many Records Managers choose not to make metadata – such as document author or date created immutable, because if someone makes an error in the metadata (e.g., using a document template with a different author or date on it) could result in a new record being made although the content itself has not changed.
Q. What is the difference between certification and compliance?
Certification is awarded to records management software that adheres to and is tested against usually a complex set of behaviors with an expected set of outcomes. Some examples of certifications include DoD 5015.2-STD Electronic Records Management Software Applications Design Criteria Standard, Model Requirements for the Management of Electronic Records (also known as MoReq2), or Victorian Electronic Records Strategy (VERS).
Vendors of records software will submit their software for certification testing. If an organization purchases certified software from a vendor, it does not automatically imply that the organization’s environment is also compliant.
Compliance means that an organization is demonstrably conforming to some sort of law, regulation, policy, or standard, which may be external or internal. An organization may use a tool, such as records management software, to aid in achieving and demonstrating compliance, but the software in and of itself does not guarantee compliance. Organizations cannot purchase compliance because it is achieved through their behaviors.
Q. What content needs to have retention policies?
Any or all content potentially needs to have retention applied to it. That may be true for paper, as well as electronically stored information (ESI). If retention is being used to help with storage management, then retention may be set in part by internal company policies and best practices as the information moves through the various storage platforms (i.e., active/inactive). If information is a record, or proof of a corporate decision, then it will definitely need to have retention applied to it.
Traditionally, records managers were responsible for a subset of corporate data – usually for content that was tied to regulatory, internal policies, or audit (internal or external) requirements. As the volume of ESI has grown exponentially, more and more types of information and larger volumes of information are being maintained for specific periods of time. Organizations need to ensure they are following some sort of process for maintaining and deleting information and not just relying on end users to make the decision.
Q. What is federated retention?
Information will always be found in multiple repositories based on the application that generates it. While content may be found in multiple locations, records managers do not generally want to have to maintain multiple records repositories. It is often not practical to move all records into a single repository. For example, most organizations would not recommend storing all e-mail, and all transactions for all customers in their content management systems, and yet each of those repositories may hold content that is considered a record or for which retention and disposition policies need to be applied. A single records repository was much more reasonable to consider before the information explosion, when records were considered to be a controlled subset of an organization’s total information set. Therefore, the answer is to be able to manage content in place; this is the idea behind federated retention.
With federated retention, content resides in the original repository, but the policies and management reside in the master records management system (RMS). In order for this to function, the content in the original repository needs to be locked down, and functionality, such as user delete, needs to be disabled to the degree that control can be assumed by the master RMS. The original repositories and the master RMS are connected by means of an adapter or connector.
This is a more straightforward task when the original repository is an inactive system that is simply aging, and it can be done with home-grown applications, off-the-shelf repositories, and content management systems.
Q. What is the role of retention in e-discovery?
Good retention policies are essential to e-discovery or other investigative business processes (i.e., audits or internal queries). These disruptive business processes can descend on an organization and eat up resources if information is not well-managed. When retention policies are in place, disposition is run consistently and retention is enforced. This makes processing requests for a subset of that information and proving that the information is in its original form and disposed of according to schedule much easier.
Organizations that have retention in place also will find it is easier to answer discovery or other investigative requests. This will lower their risk of not being able to respond quickly or of providing the wrong information.
April 2011 Ask the Expert sponsored by:
Submit a Question
Would you like to Ask the Expert? Please submit your questions here and we'll pose them to our industry experts for inclusion in this column.