Using and Maintaining Your Records
This is the second post in our series on records management guidelines. In the last post, we introduced the concept of a records management program, described the legal requirements and non-legal benefits of developing one, and some of the details about what function a records management program needs to fulfill in order to be compliant. In this post, we’ll cover the regulations about how you get your records, and what to do with them while they’re in your possession.
As mentioned in the first post, this guide is not intended to serve as formal legal counsel, but as an accompaniment to it. Your organization is ultimately responsible for ensuring it is compliant with the regulations described in this post, and we encourage those interested to read through the Canadian General Standards Board document: Electronic Records as Documentary Evidence, from which most of the information in this post was drawn (specific sections are referenced by their numbering in the original. However, as a legal document, it can be quite dry and, at times, difficult to understand. This post is intended to serve, not as a substitute, but as a compliment to it.
Records “Capture” (6.4.2)
“Capture,” in the language of the CGSB, is used to refer to any way in which a record or document comes into your organization’s possession. This includes the creation of records within and by the organization, and any records or information which is collected or received from an external source. So for example:
Record Type | “Capture” Method |
A quarterly finance report | Created by a member of the organization |
Personal information about a client | Collected as a prerequisite for service |
Aggregate data about social media platform users’ interests | Passively accrued by the platform software |
All information your organization possesses, including bulk data, counts as some form of record, and you need to be able to explain the capture method for each. Your RM program needs to specifically require control procedures for all documents, those that come from within and from without; and it also needs to specify the procedures used for each format (e.g. physical, digital, text, audio, etc.).
The other important part of capture is metadata. Your organization needs to keep a complete metadata profile for each and every record it “captures,” including all information relevant for evidentiary purposes. So that includes the date (and if possible, the time) when it was collected or created, its size, format, and any other information that would be relevant to its authenticity, reliability, or accuracy.
Metadata for new records, or imported records without metadata, should be created as soon as possible. Imported records that already have metadata should have their metadata appended to include the date and time that the record was transferred to your organization.
Classification & Indexing (6.4.3)
As discussed in the previous section, metadata is information about your records (i.e. data about the data). This information can then be used to sort between specific files as needed. Classification, on the other hand, refers to broader, more contextual information about a record, including its purpose or function, and the circumstances of its creation. Metadata describes the content and technical details of the record; how you classify it describes its goal, and larger function for your organization.
For example, if your organization contracts with a third party service provider, then you likely have a digital version of the contract. The classification of this document involves recognizing it as a contract, recording who it is signed with, and why it was signed. The metadata may include any number of factors, but should at least contain any technical information (e.g. file size and format, date created, date modified, etc.), as well as any pertinent domain-specific information (e.g. the total if it is an invoice).
Ultimately, the distinction between these two aspects is blurred, as any form of classification is, technically, a form of metadata. The regulations make the distinction just to emphasize that the information you keep about your records needs to cover conceptual, technical, functional, legal, and financial aspects, where applicable.
Regulations require your RM program and manual to include the following points about classification and indexing.
- Description of your classification methodology: what are the classes, what do they include, and what is important about each?
- Description of your indexing methodology: what is the primary indexing element? I.e., what do you sort by first? What do you sort by after that? After that? Etc.
- Procedures for updating how you classify and index files: what steps need to be taken in order to change your sorting methods and metadata?
- Procedures for correcting incorrect classifications and indexing: what steps need to be taken for correcting bad classifications and metadata?
- Procedures for keeping track of changes in the classification and indexing of each record: what steps will be taken to ensure that changes in metadata are also recorded?
- Procedures for double-checking existing classification and indexing: how will the organization ensure that the classification and indexing information have been recorded and are accurate?
Metadata For Everything
According to regulation, it is necessary “…that the nature of any action undertaken upon the records is documented…” (6.4.4) Everything and anything you or other members of your organization do to, or with your records must be documented in the metadata. Thorough and comprehensive metadata builds a strong audit trail that makes files more legally reliable, should they ever have to serve as documentary evidence. Not only do you have to record what was done to a record and when, you also have to record who did it.
While these requirements may sound daunting, most digital file formats and software programs already have automatic metadata built-in. Depending on the type of document, its metadata requirements, and the software you use, these automatic metadata systems might not account for all of the information you are required to record. Individual user accounts can also ensure that the identity of the person interacting with a file is automatically recorded. Making sure that these accounts have security, rotating passwords, improves legal integrity of the file, and your information security at the same time. It’s your organization’s responsibility to make sure that an appropriate breadth of metadata is collected for each type of record by assessing what is recorded already, and developing procedures to record whatever else is necessary.
What is the necessary breadth? Like with most other aspects of these regulations, that is up to your organization to decide, based on some minimum requirements and guidelines. The point of recording metadata is the audit trail, so any information about a document which is relevant to its primary purpose and its viability as documentary evidence must be recorded.
Below are the types of metadata defined in the CGSB guide, with an example for each (B.1.2-4). Each of these is just one way of characterizing and sorting documents. Not all of it will be necessary for all documents, but, in general, the more of these bases you cover the better your chances of being found compliant with legislation around audit trails, and the easier time you’ll have organizing and finding records.
Types of Metadata
- Identity Metadata: metadata generated at the time of creation to identify the record. If the identity metadata is ever permanently deleted, the record will lose its legal integrity.
- Time Metadata: when the record was created, received, or stored
- E.g. “Created on: [DD/MM/YYYY-HH: MM]”
- Person Metadata: names of the author(s), the addressee(s), recipient(s), handling officer(s), etc.
- E.g. “Created by: [User]”
- Form Metadata: documentary and intellectual form of the record
- E.g. “Contract,” “Invoice,” “Report”
- Technical Metadata: format and other technological characteristics
- E.g. “File Format: PDF”
- Naming Metadata: name of the record, its content, or its function
- E.g. “Name: 2021 Performance Review”
- Relationship Metadata: relationship of the record to other records
- E.g. “Appendix to [other file]”
- Authentication Metadata: method of authentication of the record
- E.g. “Digital Signature: [signatory]”
- Time Metadata: when the record was created, received, or stored
- Descriptive Metadata: details used to locate and understand the record, collected after creation
- Administrative Metadata: details used to manage the record
- Technical Metadata: “…the technical context of the record, the migration to a new system, and methods of disposition…”
- E.g. “Location: [X]: Drive”
- Rights Metadata: details about the rights and obligations of the record, “…including ownership, copyright, and other intellectual property rights, usage and security restrictions..”
- E.g. “Copyright: Consentia Inc.”
- Preservation Metadata: details about how the record was preserved over time; any transformations from one format to another.
- E.g. “Digitized on: [DD/MM/YYYY]”
- Structural Metadata: details about “…the structural relationships between or within digital records…”
- E.g. “Website Link”
- Use Metadata: details about the users of the record
- E.g. “Modified by: [Username]”
- Technical Metadata: “…the technical context of the record, the migration to a new system, and methods of disposition…”
Conclusion
The official requirements for metadata systems are comprehensive and complex, but with the integration of digital systems into your business processes and some careful setup, it can all be automated. Our next post in this series will cover the regulations around digitization and use Consentia’s own processes as an example case.
If your organization still relies on physical document formats to store and communicate vital information, it’s exposing itself to unnecessary risk. Physical documents can be more easily lost or damaged, are more difficult and expensive to duplicate, and aren’t as secure as digital records. You’re also missing out on the benefits of digital, like remote access, near-instant sharing, cloud storage, and more. Learn more about the benefits of digitizing in these related blog posts:
- Why Document Scanning is Vital to Your Business
- Information Security and Digitization: Is Digital More Secure?
Visit our solutions page to find out how we can help you bring your paper files into the digital world, with scanning services or data entry services.