Whether or not it’s the focus of your business model, your organization needs to manage information. Some information is insignificant and only needs to be retained for as long as it is immediately useful. Other information is so important that you could be prosecuted if you dispose of it improperly or before you’re allowed to.
We want to use this series of posts to make it easier to understand the complicated network of rules regarding how you collect, use, and dispose of your information. In this first part, we’ll provide a broad overview of your responsibilities when it comes to information management. The remaining posts in this series will cover some specific definitions and rules about your use and retention of various types of documents or records. The last post will cover the rules about document disposition, or what to do when you’re done with a document.
The information in this post was primarily drawn from the Canadian General Standards Board’s standard Electronic Records as Documentary Evidence. Specific sections of that document will be referenced by their numbers in the original; other sources will be referenced with links where necessary.
Disclaimer: This guide is not intended to serve as formal legal counsel; each organization is responsible for its own adherence to the relevant legislation. We encourage you to reference the linked Canadian General Standards Board (CGSB) document when developing your records management program. Rather, this blog post is intended to serve as an accompaniment to, or preview of, the CGSB document and relevant legislation.
Part 1: What is a records management program?
Every business or organization needs to have a records management program, or “RM” (6.1). This is simply a set of policies and procedures, created by the organization, governing how it collects, uses, maintains, and disposes of its documents and information (6.2.1).
The range of business models, organizational structures, and information formats in use makes it impossible to write one universal rule set covering every possible situation, so organizations are left free to decide for themselves how they should manage their records. All you have to do is make sure that you have a consistent RM program, and that it meets certain minimum requirements.
Requirements for a compliant RM program
Authority. The first requirement of the program is that it must be enforced within the formal structure of your organization (6.2.1). It is not enough to have a set of rules for handling documents written down somewhere; following those rules must be official company policy. Furthermore, the RM must explicitly reference the legislation that makes the program mandatory and acknowledge the organization’s responsibility to follow it.
Leadership & Accountability. The other critical component of an RM is the designation of responsibilities, including the establishment of a Records Officer, or “RO” (6.2.2). The RO can be a particular person, or the role can be tied to a particular position within the organization, but there must be an RO. This is for accountability purposes: it is the RO’s responsibility to ensure that the RM program is being followed and that it is compliant with legislation. The organization must therefore grant the RO the authority needed to enforce and monitor its document management. If one individual is going to take on the responsibility of ensuring compliance, they’ll need the power to do so.
In many cases, however, the RO cannot do this job alone. In very large or complex organizations, or ones with very complex information systems, the RO might not have the technical expertise or familiarity to ensure compliance on their own. The organization must also delegate certain responsibilities to other individuals or positions that matter for compliance, such as IT and digital security specialists. Which specific responsibilities go to whom will vary with each organization’s circumstances, but they must be assigned in a way that ensures compliance.
Consistency in Collaboration. The organization’s RM program must also be enforced on any third-party service providers. The policies and procedures that the organization follows internally when handling documents and information must be written into any contracts agreed with the service provider. This requirement applies to every service provider that will at some point come into contact with the organization’s documents. In fact, the standard explicitly states that “[t]he organization shall not use an external service provider without ensuring that the [provider] signs a confidentiality and privacy protection agreement or is otherwise contractually bound to protect the organization from any breach of confidentiality or privacy.” (The section numbers for these service-provider requirements did not survive in our source text; see the CGSB standard’s requirements for external service providers.)
The RM Manual. Finally, all of the policies and procedures of your RM must be written down in an RM manual (6.4.1). This serves as a consolidated record of the program, so that if the government asks about your RM, or if investors are concerned about compliance, you can answer them with a comprehensive guide to your policies and procedures.
It’s also an effective way to communicate the program’s policies to members of the organization, who can refer to it whenever they need to. Not only does this make it less likely that you will be found non-compliant, it also keeps your members accountable: if one of them violates an RM policy, access to a clear and accurate RM manual means they cannot claim to have misunderstood their responsibilities.
Keeping the RM manual up to date with the organization’s records management policies is critically important. A reference guide is only useful if it is accurate and comprehensive. If the policies change for any reason, the manual must be updated to match. Where actual practice and the policies laid out in the manual disagree, it is the manual that will be treated as authoritative, so even if your actual practices are up to date with new legislation, a manual listing out-of-date policies could get you in trouble.
What does a Records Management Program need to do? (6.3.2)
Your organization’s RM program needs to include specific policies that accomplish each of the following goals:
- Define its scope: describe the limits of the RM; what is and is not relevant to it.
- Establish standards: describe the records management and information technology standards enforced by the RM.
- Designate a Records Officer (RO): identify the RO and their responsibilities and authorities.
- Require compliance: the RM has to require members of the organization to follow its rules, as well as the law, and whatever national and industry standards will ensure the records’ security and legal integrity.
- Require accuracy: the RM itself needs to require the RO and other members of the organization to keep it up to date with changes in legislation and information technology.
- Describe the policies: the reason for the entire program; the RM must describe and explain the “…requirements for records creation, management, use, destruction, and preservation.”
- Enlist IT: the policies of the program have to require the IT department to collaborate with the RO in integrating the program into the organization’s information systems and regular course of business, and in maintaining it there.
- Require quality assurance: the RM must include policies that identify the RO’s authorities and responsibilities for monitoring compliance with the program and the applicable rules.
Summary
- A Records Management program is a set of document and information handling policies developed by and enforced within an organization.
- Every organization operating in Canada must have a Records Management program (RM), and an accompanying Records Officer (RO).
- The RM program and RO need to be granted authority within the organization to ensure compliance with legislation, including the authority to modify the program as the regulation changes.
- Any other responsibilities and authorities that would be required to ensure compliance must be assigned to the appropriate persons or positions.
- The RM program must be enforced on any service providers that the organization does business with through contractual obligations.
- The RM program must be written down in a manual which is readily available to the organization’s members and kept up to date.
This post tried to answer the questions “what is a records management program?”, “why should my organization have one?”, and “what does an RM program look like?” The next few posts will outline some specific document types and some important rules about each, including how long to hold onto them. Hopefully, the benefits of developing a comprehensive records management program, and the risks of not having one, are clear. For more information about maintaining a compliant records management program, check out the Canadian General Standards Board standard Electronic Records as Documentary Evidence, and keep an eye out for new posts in this series.