P3: The Project Privacy Podcast
The Podcast That Helps You Understand The Evolving Data Privacy Landscape
“We’re really only in the early stages of truly modernizing records management.”
Records management (RM) is only about retention. Records managers want to keep everything permanently and all information should be kept just in case. Everything is a record… You’ve probably heard these statements before. But are they true?
This week on P3, Sharon Byrch, Manager of Information Services, at the Capital Regional District joins the show to confirm or bust common myths about records management. With over 15 years of RM and privacy experience, Sharon brings her expertise to the podcast as she breaks down common perceptions about the industry.
Tune in to the episode above – also available on Apple Podcasts, Spotify, and everywhere you listen to your podcasts – or read the full interview below. Subscribe to the show to never miss an episode!
Show Links:
– P3 on Spotify
– P3 on Apple Podcasts
Learn about our solutions for records management here.
Full Transcription:
Marissa: Welcome back to P3 – the Project Privacy Podcast. I’m Marissa Wharton with ActiveNav and I’m joined by our guest, Sharon Byrch, Manager, Information Services, at the Capital Regional District in Victoria, British Columbia. Welcome, Sharon!
Sharon: Hi Marissa, thanks so much for inviting me. As you know, where I’m from it’s our custom to acknowledge the traditional territories and show respect for the Indigenous peoples who have come before us and on whose lands we live, work, and play. So, though this podcast brings us together from many different locations, I invite everyone to consider the lands where they are today, and I acknowledge and offer respect to the Lekwungen speaking people of the Songhees and Esquimalt First Nations here in Victoria, BC.
Marissa: During today’s episode, Sharon will be confirming or busting some common myths and perceptions about records management. Before we jump in, could you tell us a bit more about your background in records and information management and what your role does?
Sharon: Sure, Marissa! I’ve worked in records and information management roles since 2005. All for local government in British Columbia; first municipal, now regional, which is much broader. I also worked as a FOIA and privacy manager for my current employer. So, I’m very experienced in local government records and privacy management.
I have physical records “wins”; like defensibly destroying 20 years of backlogged, expired boxed records. And, converting a central storage area from an unproductive mess to a high-capacity records centre. Plus, the day-to-day wins like routine destruction approvals, which are always great.
But, really, my top priority is modernizing records management for electronic recordkeeping to improve organizational performance. Which, as you know, Marissa, is challenging work, both organizationally and technically!
Yes, listeners: streamlining how records administration work is done to reach a desirable end-state of organizational effectiveness, is complex. There’s a lot of phases and steps involved, which are best done incrementally. It easily takes 5-10 years of applied effort, if you can get there!
So, I spend a lot of effort building organizational support and capacity for implementing healthy changes. I’m very focused on EDRMS (or Electronic Documents and Records Management System) software implementation, within SharePoint. I’m working on my second implementation project now.
Marissa, just so our listeners understand this concept better: implementing EDRMS software within SharePoint, in my view, provides a strategic starting point for better managing documents, files and email. SharePoint is a powerful collaboration tool, so by layering on EDRMS and leveraging metadata, we can automate recordkeeping rules and policy to files saved in SharePoint, to create a truly “managed” space. This goes WAY beyond document management as the whole design and end-state are purpose-built. We’ll also be cleaning up legacy records stored on file shares and in applications, implementing a scanning program and eventually, proper archives. It’s too much to do in one go! You have to phase it.
That’s not all I do, either, Marissa. I’ve lead commercial scanning projects, including the business, technical and legal requirements for digitizing and using the scanned records in SharePoint with EDRMS rules layered on and automated.
I also create courses and do lots of corporate training. To prepare for EDRMS, I’ve trained a hundred people so far on managing email and Outlook records. Things like, how to safely delete transitory records, quickly in batches, using clean up tools and criteria, plus search techniques and more! I’ve taught hundreds of people mandatory FOI and privacy training, including transitory records management.
So, that’s what I get paid to do. I’m going to skip over my extensive volunteer work, other than to say I co-chair a committee that oversees privacy and records management training and resources for local governments across British Columbia. So, I’ve taught hundreds of BC local government professionals the records management courses I created, both beginner and advanced, among other things.
It’s probably good to mention, I am somewhat unusual when it comes to records managers. My technical skills and knowledge of systems, programs, design and communications are super helpful in my role!
Also, Marissa, if I may, I’d like to briefly share an inside scoop about my profession with you and our listeners: Just in case anyone has the wrong impression of us, career records professionals are not in their jobs to pull any “fast moves”. This is not how records management works! No one envies our role, it takes a long time to fulfill our mission, and it’s fraught with challenges along the way. (Marissa, I think we need “Mission Impossible” theme music here…)
You see, most organizations really WANT to manage their information more effectively, which is great! That’s why many records professionals get hired in the first place.
However, for organizations who want to modernize records management for electronic recordkeeping, it’s no simple thing to change how everyone does their work, even though the end-state is WAY more productive. Organizations can’t just stop business while they reconfigure and implement systems and new practices to manage records. People are busy working, and records are constantly flowing and accumulating, which adds project complexity.
Further, records professionals often work solo or on small teams, at least here in Canada! We can’t change anything on our own. So, besides further resources, we really need the entire organization’s cooperation and participation. And, it’s impossible to succeed without a productive partnership with IT, which is its own dynamic to work through.
On top of this, because there are so few upper-level records management positions available, many of us stay in lower-level jobs, despite our qualifications and extensive experience.
Many organizations still don’t know how to apply our skills strategically or technically because their idea of records management is still “filing”. So, despite that most organizations’ information is nearly 100% electronic now, and many records professionals are skilled in library, information and archival sciences and technologies, there are still records folks in roles focused on managing paper and boxes, who work in storage areas and basements. Which doesn’t help organizations to see our profession’s value. Or, use us to our, AND THEIR best potential!
I hope this background gives our listeners better insight into records management professionals and our roles. Over to you!
Marissa: Fantastic, thank you Sharon. That’s a great basis to work off of for the rest of today’s episode. And I really like that you mentioned those healthy changes. That’s a great mindset to have. Now for the myths. Up first… Records management is only about retention only.
Sharon: Good question, Marissa! This is a BUST, records management is not only about retention. The international records management association ARMA breaks records management into 8 guiding principles. They are:
Accountability, Transparency, Integrity, Protection, Compliance, Accessibility, Retention and Disposition. These are all really important principles and I’ll touch on most of them today. But, this is a great chance to explain to our listeners the value of retention. And disposition.
Records retention is really important and hugely beneficial. This work really dials up the health of an organization, by identifying what activities and records an organization is responsible for and the recordkeeping requirements.
RM professionals work with key stakeholders to identify requirements. Then we take all those values and “rules” and translate them into a “retention schedule”. The retention schedule gives organizations a framework to structure, organize and manage all their records. Records are organized into related categories, which are organized into their business activities.
The whole collection of business activities together represent everything an organization does or is responsible for. All records and activities are accounted for. That gives us a full map or view of the organization’s information assets, and what we need to do to manage them. Organizations that do this work are much healthier than those that don’t.
Here’s a quick insight for our listeners: for those that don’t know, the process of determining retention periods, how long records should be kept and why… is done by a records appraisal. Retention isn’t all legislated, like some think. That’s actually another common myth. Some records have legal retention requirements to follow, like financial records, others don’t, like most presentations or press releases. There are other important factors to consider besides legal requirements when deciding retention periods, things like administrative or operational requirements, financial uses or future use — for research or historical reference.
So, what happens when there are multiple retention values that all apply to the records under appraisal? Well, whichever value has the longest retention, wins! Not just the legal retention. The longest retention ensures the record is preserved for all required purposes.
It’s common for staff to think that once they have no further use for records, the records’ purpose is met so the records can be destroyed. Well, we don’t always want to destroy records at this point, just because their “primary use” or “primary value” was met. There are good reasons to hold some records longer. Like for historical reference, research, memory or celebrations, which are considered “secondary uses” or “secondary values”.
It’s often when records contain personally identifiable information (or PII), that records professionals lean towards shorter retention periods to manage privacy and security risks.
Or, if the information is ROT (redundant, obsolete or transitory information.) We really want to put a short lifespan on ROT and try to get on top of weeding it out from our systems. More on this later.
So, just to be clear for our listeners: an organization’s retention schedule is a powerful, governance instrument. It’s the key, master policy for managing information. Some call it a blueprint because it can be used to architect solutions. The retention schedule should contain all the management rules and underlying rationale. However, it only works properly, if every business activity and record the organization is responsible for gets captured. And, it’s not helpful if you can’t implement the retention schedule across any software and technologies to actually manage the records in electronic storage, since electronic records, as I mentioned, are nearly 100% of most organizations’ information footprint now.
If you don’t use records management technologies to manage your electronic records, then you’re largely relying on humans to do all the managing work. Manually, themselves. This is a disaster, because no one is a ROBOT! No person can manage the sheer incoming volume of information across all their systems, devices and accounts. Email is a great example. Who can manage all their email accumulation according to their organization’s retention rules, even if they knew what those were? Marissa, email is over 20 years old and no one manages emails effectively, yet. Even though, email is the single largest source of organizational records!
Modern retention schedules can be deployed in EDRMS recordkeeping software to create a “managed” repository. This creates a safe space to store records, where the records are retained, protected and accessible for their retention period. (“Yay”…)
This brings me to the other principle I wanted to quickly touch on before wrapping this question up: disposition. Disposition is the defensible destruction of records, when records are disposed of in accordance with records management policies and procedures and legal requirements, with a proper audit trail left behind.
Listeners, this is a fact: There is no end of life for records and information without disposition. Otherwise, we retain all records permanently. Or, we do ad-hoc destructions which can be legally challenged. However, some records are needed permanently and shouldn’t be dispositioned; once the business is done using the records, the records should be preserved and made accessible through professional archives.
So, Marissa, although retention is a hallmark characteristic of records management, no it is not the only factor in managing records. Just a really, important one, and is useless without its companion principle, “disposition” (and the other 6 principles I mentioned.)
Marissa: Amazing! We have one bust under our belt so far. Moving right along to our next myth… Records managers want to keep everything permanently and all information should be kept, just in case.
Sharon: Yes, I’ve heard this one a few times, Marissa. I’m going to say this one is a BUST. No. Records Managers do not want to keep all information permanently.
Actually, nothing could be farther from the truth. There’s a lot of effort, risks and costs associated with managing and using information, especially ongoing, unmanaged accumulation. Keeping everything forever is bad for recordkeeping compliance AND organizational performance and productivity. So, Records Managers only want to keep information as long as it is actually required and serves a purpose. Not just in case!
But, Marissa, here’s the problem: Technologies make records management difficult work. Most tech isn’t designed to manage, use and share information effectively as a “single source” of truth. We continuously copy and spread information across systems, devices and end-users. Just look at email or your file shares or your ECM (Enterprise Content Management System) if you have one, like SharePoint and you’ll see what I’m saying.
Because we keep spreading information, organizations generate and retain an enormous amount of ROT (or redundant, obsolete and transitory information.) Just like it sounds, ROT is a MAJOR problem, for these reasons:
The sheer volume and pervasiveness of ROT is overwhelming. ROT clogs our systems and takes focused effort to get rid of. For example, file shares can easily contain 50% or more ROT. Email is often more like 90% ROT. A huge portion of this ROT is pure duplication. Another large portion is superseded information.
ROT is tricky because it mimics final business records, especially when it’s redundant copies, unfinished or abandoned work, or unmanaged drafts. Staff end up sifting through ROT and wasting energy deciding if it’s valid and trustworthy to use.
Or, staff will re-create work to avoid going on a fishing expedition for the right information. Or worse, organizations can be forced to produce and disclose ROT for legal matters, like discovery or FOI requests simply because the information exists.
So, clearly, ROT consumes and wastes costly organizational resources. And it’s because we manage ROT just like valuable business records until we get rid of it!
Marissa, this is exactly why an organization needs a retention schedule, which is kept up-to-date and covers ALL of the business activities and records (or documents, files and data) the organization is responsible for.
Ok, listeners, I hope you’re still with me: so, if you want to defensibly get rid of ROT, make sure your retention schedule covers transitory records, or have a separate transitory records management policy and procedures. Indicate how to manage drafts and when you need to retain them, and what information has only short-term value and can safely be disposed of when no longer needed. Teach version control. Teach decluttering your email safely using Cleanup tools. Get storage analysis tools so you can analyze your repositories for duplication and expired records. Fight the ROT! Right, Marissa?
Yes, because at the end all this effort, what records managers REALLY want is to minimize ROT and maximize information value and its effective use. So, we will defensibly disposition any information we should to reduce the volume of unneeded records.
Marissa: That was fantastic. As you said, you’ve heard that one a lot and I’ve certainly heard that one a lot from a different perspective and that was a great explanation as to why that is a myth. For the next myth: Everything is a record. And I’m sure you’ve heard that one a lot, too!
Sharon: Oh, I love this question! Thanks, Marissa! ISO and others have defined records more or less as: “information created, received and maintained as evidence and as an asset by an organization or person, in pursuit of legal obligations or in the transaction of business.” I like this definition and love that it mentions the role of records as strategic assets, which is how records professionals think of records.
But, guess what? That definition doesn’t work for Canada’s public sector and local governments. Our legal definition of “record” applies to “any information recorded or stored”, regardless of whether it’s physical or electronic. It even includes books! Which is considerably broader than ESI, or electronically stored information that is looked at in legal discovery. The implications of managing “everything is a record” are huge!
Each Province defined “record” broadly in their public sector privacy law for an important reason: to enable citizens’ rights to access government information. Our privacy legislation puts no value or worth on records or their content; it focuses on access rights. This means it’s up to each organization to have a solid, defensible AND comprehensive retention schedule actively in place to manage their records effectively. Because whatever information is in our governments’ custody or control, the public has a right to request access to it.
So, Marissa, this question wasn’t a “bust”. In my opinion, this is a great view for all organizations to take.
Organizations my advice to you is: manage ALL your information as records. Just do it, and don’t spend time and energy DECIDING if something is a record or not. Have an ongoing plan to get rid of ROT and spam, and other unneeded transitory material. And, have plans for organizing, retaining and managing valuable business records. Put it all in your retention schedule and information management framework. Your organization will be incredibly organized, you’ll have minimal clutter and you’ll be WAY better prepared if your information is needed for something unexpected. It’s a win, win situation!
Marissa: And that is of course what everyone strives for – those win, win situations. So we’ll move onto the next myth: Files created during work are the individual’s own property, not the company’s.
Sharon: Great question, Marissa! I can’t just bust it because the answer is, it depends! Let’s look at this as two questions: whether the files ARE about work, or not.
Meaning, if someone at work is creating their child’s birthday party invite list and invitation document on their lunch, and is permitted to use their work computer for some personal use, then the files should not be owned by the company. Even if it’s in the company’s custody by being stored on their system (and property). The creator of the birthday files should destroy or delete them as soon as possible because the files they create for their personal life could still be subject to discovery and disclosure in a legal matter at work.
Of course, if the records ARE about work then the company owns them! If the records document and support business activities, transactions and decisions, they are subject to the company’s retention schedule and legal requirements.
So, listeners, this is why personal and some decentralized filing systems are problematic because there is no common approach to organizing records, which makes searching, locating, retrieving and using records within and across business areas and locations difficult.
No two people will organize their records the same way if left entirely to themselves to manage. Funny enough, individuals often report they have no problems finding their own files (and say they don’t need records management) but complain that they can’t find others’ files for this very reason!
Marissa: Alright, thanks for that one. I can imagine what your answer to the next one will be, but, of course, we’ll leave it up to you: Records management is only important for large companies.
Sharon: Ok, this one is a definite BUST, Marissa. Records management is important for all companies of any size and type. You can’t be a company or operate a company and not have any requirements to retain and manage records. And, those records need to be organized, reliable, complete and accessible or they aren’t helping you.
Many commonly found business records are legislated, like financial records, employment records, business registration records, Board of Director meeting minutes, bylaws and operating permits, just to mention a few. Also, every company has taxes. Companies must report certain business activities, file taxes and retain supporting documents. And be ready for the revenue authority, like the IRS or CRA to audit.
Also, some industries are more highly regulated than others. For example, it doesn’t matter if you are doing engineering work as your own professional practice, or you are part of a large engineering firm, you’re under the same regulations. And you better have good records management or you’re in big trouble. A lot of skilled trades and professional practices across industries are like this, so you really need to know the rules of your industry to manage your risks and records well.
But seriously, Marissa, I’m sure our listeners would agree: how does any business excel without good recordkeeping? How do you keep track of your commitments, arrangements, clients or performance without managed records? How do you recover quickly from a business disruption or disaster if you don’t know which records are vital? You can’t!
Every company should retain records that document business decisions, transactions and other activities so these records are available for subsequent use or reference for as long as the records are required or beneficial. Which, again, should be documented in your company’s retention schedule.
Marissa: Well that was a pretty cut and dry bust there, so we’ll see about the next one… Records management is too expensive.
Sharon: This question is pretty subjective so I’m not going to say, “BUST”. I’m going to unpack it. Every business accumulates, stores and uses records, whether or not they manage them well, and there are costs associated with this. You’d have to measure how healthy your current state of recordkeeping is and what it’s costing as a baseline to decide if managing your records better is expensive.
So, instead, listeners, I’m going to counter with: why you SHOULD pay for and GET good records management:
Good RM streamlines records administration work and reduces efforts and costs associated with time spent saving, searching, retrieving, validating, and sharing information; it greatly improves the usability of information and boosts productivity. Unfortunately, we don’t often do a good job at measuring and monetizing the benefits of records management in this regard.
And, if you also consider the costs of legal discovery, the more information you own, the more volume there is for discovery, which drives up costs. Say you lose or settle a legal action or claim because of poor records management. Or, face fines & penalties for non-compliance with legal and regulatory requirements – these can be huge costs!
What about the costs an organization faces if it can’t find critical records urgently needed for operations because they can’t be located, verified or trusted?
Or, the costs of onboarding and terminating staff? I’d love to ask our listeners if they know any organizations whose records and information is so organized, accurate, complete and accessible that new staff have no problems learning their role, or with the transfer of knowledge from their predecessor or simply navigating and learning their organization? Marissa, I don’t know anyone who says this about their organization yet! Do you?
Then there’s the costs of a privacy or security breach. Do you know where your PII or sensitive information is? Can you identify it? I mentioned already that a good retention schedule can and SHOULD include security classification and whether categories contain PII or other forms of sensitive information, which helps with privacy and security management.
Marissa, I really wonder how well organizations understand how interdependent privacy, security and records management really are? They go hand in hand, and a shortcoming in one area can be the downfall of the others.
For example, good records management enables strategic technology management and decision-making, including security and privacy. It also enables information access and disclosure. If you classify and tag your information properly using a security classification schema, you know what information is really high risk before moving it to third-party cloud services, or sharing it with others. You also know what information can be routinely released, or proactively released. Or, what information has to be requested by legal means. To me, that’s priceless knowledge.
For our listeners, I’ll bust a myth to finish off this question. Traditionally, we say good records management reduces storage costs, but actually, that’s changing and isn’t necessarily true. We’re managing less paper, so those costs are dropping. Electronic is different. Especially, if you move electronic records from secondary, on-premises storage like file shares to more premium cloud storage. The whole transition is going to cost and the new storage is more expensive.
But, it’s really valuable and healthy work to do as part of modernizing. It will allow you to decommission legacy systems and reduce associated costs and risks. For example, file shares are old tech these days and are a pain for IT to manage. Lots of organizations want to move on from managing file shares but can’t because of all the records they contain. But, what if you dealt with those records in a legally, defensible way so you could move on? I think the cost would be worth it. This again speaks to my point about how good records management is a strategic IT enabler.
Marissa: Well that was great, Sharon. You hit the nail on the head with so many of those points. Thank you so much for busting and breaking down the myths we’ve presented today. To wrap up, any final tips or words of wisdom about records management for our listeners?
Sharon: I hate to sound cliché, Marissa. But, these are unprecedented times! There are so many large, pressing and urgent priorities for organizations and society to deal with, like climate change and this pandemic, for starters. This is on top of the constant modernizing of our technologies and businesses, in a world of changing privacy expectations and constant security threats to manage.
These are really challenging times! In Canada, many organizations, especially local governments are under enormous pressure to do more with less. I expect that’s a common issue with our listeners.
Well, as we discussed, good records management has an ongoing cost. But it’s worth it when you look at it as a part of a performance framework. The better you manage your information, the better your organization performs.
Why? Because good records management is strategic. It results in a productive,
high-performing, end-state that supports records compliance and creates efficiencies for staff. It focuses on using information effectively as a strategic asset.
So, my advice is: organizations, dedicate resources to keep improving your recordkeeping performance. Develop AND KEEP maturing your records and information management program framework, including systems. Once you get to a “healthy” state (not a “perfect” state); maintain that. Then focus on incremental, but continuous, measurable improvements and monitor your progress. Develop a strategy with key stakeholders!
Your information and your organization will become more fit-for-purpose as you go. And, it will be worth the effort and cost.
Trust me, records professionals have your organization’s best interests at heart. Involve them in technology and information planning and use. We’re essential to transformation efforts because our job is to learn everything important about managing your information and help action it!
Records management is deep organizational science, you have to keep resourcing and maturing it to experience its full benefits. It’s been a missing ingredient in most organizations for 20 years already. Why? Because our technology uses these past 20 years introduced so many new electronic systems, storage areas, access points and records we lost control over the information flow. Then records management broke.
So, how did this happen? Well, rapid modernization of technology in organizations happened. AND it exceeded and completely overwhelmed our recordkeeping capabilities. And still does, because every day we accumulate and spread more electronic records! By the year 2000, once everyone had a computer, email account, access to personal and shared file storage and an array of business systems, we were suddenly creating a tiny fragment of the physical records we used to. Immediately, IT saw a huge surge in growth. Organizations required more IT to lead, manage and support all the new infrastructure development, stakeholders and users.
Well, tragically, records management was a bit of a wallflower while this exciting development happened because somehow we were largely left out of technology. Instead, we were left trying to control paper records so we didn’t keep pace with all the action!
Well, now, nearly 100% of our information is digital. And guess what, we can’t manage it to anywhere near its potential use or for optimal performance. Or, to meet our legislated requirements or our business needs and goals.
We’re really only in the early stages now of truly modernizing records management. This is why we’re myth-busting today, so our listeners have a better understanding of our strategic and technical role in improving organizational performance. It’s my sincere hope to see the other side of this important effort in my career. For the record!
Thank you, Marissa, and to all our listeners.
Marissa: And thank you, Sharon! You’ve been such a wealth of knowledge. And thank you to our audience for tuning in. If you liked what you heard be sure to leave us a rating or review, hit the subscribe button and tune in to the next episode of P3 – the Project Privacy Podcast, produced by ActiveNav.