Archives New Zealand and its Australian counterpart are driving a proposed worldwide discretionary standard for electronic record keeping (ERKS).
A draft discussion paper will be released early in February, to be further discussed at a meeting of the International Council on Archives (ICA) in Germany, with an April date set for review of feedback then release of the standard at the ICA conference in Kuala Lumpur in July.
New Zealand is represented on the council by Archives New Zealand analyst Stephen Clarke, who is the secretary of the international working group on records management standards. The group comprises the UK, US, Sweden, Holland, Germany, Malaysia, South Africa, Australia and New Zealand.
Clarke says the group has been working on ERKS since October 2006.
“There are many competing international standards and we see this as a resource anyone can use,” he says. The work came about through a general consensus that there were too many competing standards.
“We’d like to see everyone singing from the same song-sheet.”
New Zealand has its own ERKS standard, published late in 2005. It is a simplified version of the European Union MoREQ standard. Though not mandatory — it has over 200 yes/no questions for self-certification — it is widely used by government departments to indicate compliance.
Most of the major electronic record-keeping vendors have commissioned experts to do similar gap analysis.
However, the EU is about to launch an updated version of MoREQ. Clarke says there is concern that this is becoming too prescriptive and he hopes the ICA version will be chosen by European countries because of the strong European representation on ICA.
ERKS is a key component of the Public Records Act, introduced in 2005, which becomes subject to audit from 2010.
Vendors of pure-play enterprise content management products — such as Objective Corporation and TechTonics, which sells OpenText and Hummingbird — say they are either fully compliant, or can provide a work-round to address gaps.
Microsoft, whose SharePoint product some government departments are considering or implementing, says it is working with a number of organisations to better understand the Public Records Act.
Microsoft solutions specialist John Stuckey says some organisations will use ERKS “more as a general approach”, and that ERKS is a learning exercise.
He indicates Microsoft will wait on Archives’ review of ERKS, suggesting it may subsequently become mandatory to comply. That, however, is not what Clarke is saying.
Industry sources suggest Microsoft did gap analysis on SharePoint and found it didn’t meet all New Zealand requirements, even though these are not mandatory. They say it also failed in an independent compliance test.
Internationally, SharePoint is compliant to the US Department of Defense 5015.5 standard but that is more about document security than records management.
“It’s part of the motivation for ERKS but DOD 5015 is not really a records management standard,” says Clarke.
Records management law is complex. Inquiries made by Computerworld to a variety of organisations suggest it is not well understood. To try to clarify matters, Computerworld posed a series of questions to Clarke:
What is a corporate record?
In the course of a working day, people create, receive, or use records, data, and information of all types. The International Records Management Standard (ISO 15489) defines records as “information created, received, and maintained as evidence and information by an organisation or person, in pursuance of legal obligations or in the transaction of business”.
The Public Records Act (PRA) defines a record as: “information, whether in its original form or otherwise, including ... a document, a signature, a seal, text, images, sound, speech or data compiled, recorded, or stored... in written form on any material, or on film, negative, tape or any other medium so as to be capable of being reproduced, or by means of any recording device, or process, computer, or other electronic device or process.”
In summary, records:
• provide documentation, or evidence, of activities;
• include both original sources of information and copies of information; and
• come in a variety of media and formats such as paper, electronic (analogue or digital), and can be documents, letters, emails, digital images, sound recordings, or web pages.
Is it is possible to have multiple versions being regarded as corporate records prior to the production of the completed version?
Yes, this is common, but not all drafts need to be kept for the same period of time.
How should you dispose or retain these?
It is all contingent. For example, all drafts of legislation must be retained for the life of the legislation. However, the drafts of a circular memorandum may not be needed at all, once the final copy has been published.
Retention will usually be contingent on what is being drafted and the business risk of not being able to provide a record of the decision-making process behind a final publication or other document.
Explain the continuum approach (from birth) versus the US approach (from death). Why is this different?
The key difference between the life-cycle model and the continuum model is that the life-cycle model is linear: a straight line from creation, through use, to current, semi-current or secondary use, to review and archiving or destruction.
This is not useful in the electronic environment where records can exist before they are “born” (through links to business process analysis and systems design) and can be recovered after “death” either by recovering forensically or due to the usual use of a form of “soft delete”.
Equally, electronic records can move backwards in the continuum from “archival” to current use easily when required or re-used at the end of their “life” to create new data. The life-cycle approach became unworkable when considering, dynamic databases and data warehousing, for example.
Can people or agencies be fined for destroying corporate records?
Yes, people and agencies could be fined under the PRA for unauthorised destruction of records, but a prosecution for a breach of law would be needed before the PRA’s offences and penalties could be applied. This would have to be a very serious matter indeed — especially as it would involve one government agency prosecuting another.
Can s61 and s62 ever be invoked without mandatory standards issued under the act?
The PRA is a law enacted as of 2005. Any breach of a New Zealand law can be prosecuted regardless of the guidance or standards that are in place.
Is Archives getting feedback that government is taking the PRA seriously, even though it is not mandatory?
The PRA is a law as of 2005. It is a statute enacted under the Crown in NZ law. Therefore, it is not a mandatory requirement but a legislative requirement, e.g. Driving your car at 90kms is not mandatory but exceeding it is breaching the law!
Will there be independent audits run against agencies and will any of the results become public knowledge?
All public offices covered by the PRA (including departments, State enterprises, Crown entities and offices of parliament) will be audited starting in 2010. Legislatively, Archives must commission these independent audits against the PRA’s requirements and report the results to parliament annually.
Will there be mandatory standards? What standards are planned to be mandatory by 2010? From what year will those audits begin?
Yes. The PRA Storage Standard is already mandatory for all public offices and local authorities. There are two mandatory standards out for public consultation at the moment that will be enacted by June 2008. We do not expect to audit on a standard until it has been in place for two years to give organisations time to get up to speed.