Data Protection and Records Management
Introduction
By now I am sure that everyone has heard the news concerning the Construction Industry and its flouting of the Data Protection Principles in March 2009. As a result it seems that more than 40 major British companies face legal action for allegedly buying secret personal data about thousands of workers they wanted to vet before employing them.
On 9 May 2008 the Criminal Justice and Immigration Act received Royal Assent, creating new sanctions for the privacy watchdog. The new legislation gave the Information Commissioner's Office power to impose substantial fines on organisations that deliberately or recklessly commit serious breaches of the Data Protection Act. A timely development in relation to records management and the subject matter that follows.
Where does Records Management get involved with Data Protection?
Of the eight data protection principles in the Act, at least 3 of them cross over into records management territory.
Records retention, in the terms of data protection “not kept longer than is necessary”. Records Management is responsible for developing and implementing records retention schedules defining periods of time for keeping records in line with the legislation of the jurisdiction in which your organisation operates, as well as your sector's regulations and codes of practice.
Records security – quite often more focussed on paper documents and records, but more and more on electronic records. The records management function advises on methods for controlling all records and ensures that the archived records are “secure” and not easily accessed by an unauthorised person.
“Transfer of records to (other offices in) other countries” – the records management function may be responsible for retrieving and transferring archived and semi-active records for their organisations and delivering them to other offices in a secure and protected environment.
Audits, Information Gathering and Records Surveys
Records Managers have been carrying out Information Audits for many reasons for many years. We spin them according to the latest information management “hot spot”. My distaste of this spin is appeased somewhat by the value of completing an information audit regardless of its underlying reason, provided it is an audit and not an information gathering exercise relating to statistics about your records. The two, along with a third, “the Records Survey”, have all been referred to as “Audit” and are frequently confused by in-house records managers, external consultants and service suppliers alike. All three have their value in terms of Records Management (RM), but whilst a (real) audit and a records survey can assist with compliance in relation to the Data Protection Act, an information gathering exercise is more about numbers (how many, where and in what type of cabinet system your records are held) rather than an evaluation against your records management policy and its application within your work processes and procedures.
What is an Audit?
An audit by definition requires a set of rules by which the subject matter of the audit, in this case information, can be measured. At its most basic an audit is performed to ascertain the validity and reliability of certain information and to provide an assessment of your organisation's internal controls relating to the specific subject. This means that qualifying the word Audit with the word Information may in fact be meaningless unless we also qualify the sort of Information we are seeking to audit. It is far better to call an audit relating to records management a “Records Audit” and one relating more specifically to records affected by the Data Protection Act an “Audit for Records affected by Data Protection”. Perhaps I am splitting hairs, but you get my pedantic drift I am sure. Making it more specific to the subject to be evaluated will make it easier to develop the checklist and set of rules against which the audit findings can be measured.
There is one very important aspect to consider before launching yourself into an audit. It is no good developing an audit relating to records affected by data protection (DP) if your organisation has not developed any sort of strategy / policy or processes to handle your organisation's records in general. A DP Records Audit can only be undertaken if you have a set of records management rules to measure the DP Records Management against.
Records Survey
The first step in the absence of any records controls is a Records Survey, the third, but possibly the most important in terms of records management, of the three confused terms mentioned above. The Records Survey will gather information about your work processes and the records within them. It will ascertain just how your colleagues are handling their records and specifically, in relation to Data Protection, identify where the personal and sensitive data is contained within the many records held in your organisation.
During the survey it is important to gain a complete understanding of your organisation's “business”, its objectives, new initiatives that may impact on DP and RM, its culture, its attitude to rules and regulations, its staff (your colleagues) and the level of risk it is comfortable with. Whilst these latter non-records points may seem unconnected to RM, they are not. It is impossible to develop a clear RM strategy without understanding your organisation and the way it works inside out.
Thereafter, a strategy that flows and links into the other strategies within your organisation is developed, taking all your findings and the non-records points listed in the previous paragraph into consideration. The strategy is then underpinned by the records management policy and guidelines that are drafted to support the organisation's objectives and the “business” that is at its heart. The policy then has to be implemented with appropriate assistance consisting of training and guidelines, and possibly toolkits to be developed. Not until all of this is in place and has been operating across all of your organisation for more than six months can you really schedule and carry out a records audit.
That is not to say that you cannot improve on the way you handle personal and sensitive data right away. Having discovered where it is held and who is holding it, you can put in measures to remove data from areas where it should not be held and secure the data in the appropriate place whether that place is electronic / paper or both. Once your records management system is in operation all personal and sensitive data will be handled in a uniform manner by the correct staff, for the right reasons, over the correct period of time and in accordance with all the legal and regulatory constraints.
What stage are you at: Records Audit or Records Survey?
The answer in my terms is obvious. If you do not have a records management strategy and policy and there are no processes for handling your records throughout their life cycle, i.e. from creation through use to disposal, then you need to complete a records survey to assist you with data protection compliance. If you already have a records management strategy with a clear policy that has been implemented across your organisation, then complete an audit measuring the 3 DP principles relating to RM against your RM policy. The type of audit will depend on how your organisation has structured its Data Protection and the remit that you have given your Data Protection Officer. If RM and DP sit together then the records and data protection audits can be combined. If, however, your DP is part of another function or sits alone, then the DP audit may need to extract those elements of the records audit that relate to the eight principles into the DP audit.
Whichever stage you are at, survey or audit, you are about to undertake a project. Do you have the time and a budget for the work? Do you have the expertise to develop and undertake this work completely in-house, or do you need assistance from external consultants or other service providers? Just who will do this work?
In-house audit versus external consultant's audit
I am a great proponent of “empowerment”. I really like to see people learn and grow with new skills and knowledge, so my answer to in-house audit v external consultant's audit is definitely both. Let me explain. An in-house auditor understands the ethos of their organisation: ultra modern or slightly old fashioned, driven from the top down or run by the middle managers, lean and mean or staff with little to do. They also have knowledge about how their organisation operates. By that I mean its method for following procedures, enforcing regulations, adapting to change, spending money, and listening to, accepting and acting upon a consultant's advice, the latter being very important in this case. If your organisation is prone to paying for a consultation and then not acting upon it, hiring an external consultant to undertake an audit is a waste of money and time.
Using “empowerment” methods relies upon the consultant facilitating small meetings with groups of staff across the organisation, listening to them, and understanding their issues, their fears and their ideas; then working with them to develop and implement those ideas, leading them to deliver the Records or DP project within a project management framework.
Will your (Records) Project succeed?
You may have wondered why I dwelt on the differences between records audit, information gathering and records survey at the beginning. Your project will succeed if you know the difference and understand the purpose of each. Choosing the one most appropriate to your situation is very important if you wish it to succeed and assist with DP compliance too. CONFUSION is one of the main reasons why records management projects fail. Remove the confusion by clearly stating what the project is aiming to achieve, why you need to complete the project and how you are going to complete it. Your colleagues need to know this to support you and to provide the answers to your audit or survey.
There are other reasons why projects fail, such as lack of management or staff commitment, no budget, poor project management skills and no implementation experience. None of these will matter if you don't clarify the terms of your project from the beginning.
And finally
This is a short article in which to discover a connection between records management and data protection. The two subjects are linked, as discussed at the beginning, in several ways: retention of records, security of records and transfer of records. Data Protection officers and Records Managers should work together to achieve compliance in the most effective way. Undertaking a records survey is a positive start and will identify areas of non-compliance that you can “fix” right away. An audit means you have a policy and processes in place that can be measured and will show clearly that your organisation is aware of and follows the Data Protection Act principles in terms of Records Management. Little to fear now from the Criminal Justice and Immigration Act.
About the Author
Alison North is Managing Director of the Genuine Group, an information management company focussed on facilitating organisations to achieve compliance with the many legislative and regulatory requirements worldwide through records management.
Contact: Alison.north@genuine-group.com
