RECMGMT-L Archives

Records Management

RECMGMT-L@LISTSERV.IGGURU.US

From: John Lovejoy <[log in to unmask]>
Reply To: Records Management Program <[log in to unmask]>
Date: Tue, 18 Jul 2006 09:24:21 +1000

Ginny

I am not a lawyer - and I operate in a different jurisdiction to you, so take this with a grain of salt.

In the Australian Federal Government context (as documented by the National Archives of Australia DIRKS manual http://www.naa.gov.au/recordkeeping/dirks/summary.html), a requirement in legislation to retain (or do anything else to) a record is an IMPLICIT requirement to create that record. Obviously if the law requires a record to be created, that is an explicit requirement.

I take the view that even if there is an explicit requirement to create records, you do not automatically have to create that record.  You still should assess the risks involved in meeting or not meeting that requirement.  Most of the time, the risk assessment would point to the need to create a record, but not necessarily always.

With your data access logs, there is an obvious implicit requirement to create some sort of record of access to that particular personal data.  What are the costs involved in complying with that requirement?  If you did not already have a system of tracking in place, how much would it cost to build it?  How often are you likely to get requests for the information?  What is the cost of non-compliance (not just fines, but intangibles such as bad publicity, etc)?  If you are unlikely to ever get asked for the information and the cost to comply would be far greater than the possible cost of non-compliance (and your organisation is not risk averse) then you would probably decide not to comply. If it is easy to build in the functionality, you get lots of requests and the bad publicity would be a problem, then the decision to comply would be a simple one to make.  It would probably be simple to take the data from the log files and massage it into a more user friendly format.

I am aware of certain records being authorised for destruction 5 years earlier than explicitly required by law, because the cost of storage (compliance) was far far greater than the penalties that could be imposed (non-compliance).

There may also be good business reasons to create a record, even if it is not required by law.  In the case of your broker discussing business with a client over lunch, it makes perfect sense to make some record of the meeting for business purposes (the fact that it also fulfils the legal requirement is just a bonus).

Of course, if you do decide not to create records that are required to be created by law, you should document that decision and have it signed off by senior management.

Hope this helps

John Lovejoy
[log in to unmask]
My own views, not necessarily my employer's.
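The reply above says it would be simple to take the raw access logs and massage them into a user-friendly, producible format for the customer. The following is an added example of that step, not code from the thread or from any system mentioned in it. The log line format (timestamp|actor|action|customer account), the "ww-" prefix marking Waterworks staff accounts, the sample lines and the three-year window applied from a chosen "as of" date are all constructed assumptions; a real implementation would read the organisation's own log format and its own staff directory.

```python
"""Turn raw per-transaction access logs into a customer-producible access report.

Added example, not code from the original thread. The log format, the "ww-"
staff-account convention and the sample lines below are assumptions.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample log: ISO timestamp | actor | action | customer account.
# Line 6 is deliberately malformed to show that gaps in the audit trail are reported, not hidden.
SAMPLE_LOG = """\
2006-07-01T09:15:02Z|ww-jsmith|VIEW|ACCT-1001
2006-07-01T09:16:40Z|billing-vendor|EXPORT|ACCT-1001
2006-07-02T14:02:11Z|ww-clee|UPDATE|ACCT-2002
2003-06-30T08:00:00Z|collections-agency|VIEW|ACCT-1001
2006-07-03T10:45:59Z|collections-agency|VIEW|ACCT-1001
this is not a log record
"""

RETENTION = timedelta(days=3 * 365)   # the three-year retention discussed in the thread
STAFF_PREFIX = "ww-"                  # assumed convention for Waterworks personnel accounts
EXAMPLE_NOW = datetime(2006, 7, 18, tzinfo=timezone.utc)  # "as of" date used when run stand-alone


def parse_log(text):
    """Parse the constructed format into dicts; malformed lines become error entries."""
    events = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split("|")
        if len(parts) != 4:
            events.append({"error": f"line {lineno}: malformed record"})
            continue
        ts, actor, action, account = parts
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "actor": actor,
            "action": action,
            "account": account,
        })
    return events


def access_report(text, account, now):
    """Build the producible view for one customer account.

    Excludes staff accesses (assumed "ww-" prefix), counts events that fall
    outside the retention window instead of listing them, and returns
    (report_rows, expired_count, parse_errors).
    """
    cutoff = now - RETENTION
    rows, expired, errors = [], 0, []
    for ev in parse_log(text):
        if "error" in ev:
            errors.append(ev["error"])
            continue
        if ev["account"] != account or ev["actor"].startswith(STAFF_PREFIX):
            continue
        if ev["ts"] < cutoff:
            expired += 1
            continue
        rows.append(f"{ev['ts']:%Y-%m-%d %H:%M} UTC  {ev['actor']:<20} {ev['action']}")
    return rows, expired, errors


if __name__ == "__main__":
    rows, expired, errors = access_report(SAMPLE_LOG, "ACCT-1001", EXAMPLE_NOW)
    print("Access to ACCT-1001 by non-staff parties (last three years):")
    for row in rows:
        print("  " + row)
    print(f"{expired} older record(s) outside the retention window; {len(errors)} unparseable line(s)")
    for err in errors:
        print("  " + err)
```

Malformed lines are reported alongside the rows rather than silently dropped, because an unexplained gap in an access log matters as much to the customer and to the records manager as the accesses themselves.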


-----Original Message-----
From: Jones, Virginia [mailto:[log in to unmask]]
Sent: Monday, July 17, 2006 10:28 PM
To: [log in to unmask]
Subject: [RM] Does must retain equal must create Was RE: [RM] FW: [Politech] California Supreme Court


<interpret that to mean voice, email, snailmail whatever must be retained.>

Which brings up a thought I encounter in my brain from time to time.  If a law or regulation requires certain kinds of information or communication to be retained, then does that equate in some way to requiring the information or communication to be created in the first place?  For example, if a broker has lunch with a client and is told verbally to take a particular action, is the broker then required to put that conversation in writing or even tape the conversation during the lunch?

Using another example, the Virginia Government Data Collection and Dissemination Practices Act (formerly the Personal Privacy Act) requires a record of all access (except access by Waterworks personnel) to our customers' personal information be retained for three years or until purged (Code of VA 2.2-3803A7) and to provide this information to the customer upon request (Code of VA 2.2-3806A3c).  Generally, the requirement of the first part is met by various behind the scenes logs of every data transaction in every customer account.  However, these logs are not very readable by a non-IT person (and even for some of the IT folks) or easily accessible to produce upon request.  So, does the requirement of the law to keep this information for three years and to be able to produce it upon request by the customer somehow set a requirement to create a "producible" version of the data?  And, if so, does that in turn require the three years retention to be met by the "producible" version or the data logs themselves or both?  And, if both, does the term "or until purged" then require us to keep both versions until the data on the log is purged from the system?

Ginny Jones
(Virginia A. Jones, CRM, FAI)
Records Manager
Information Technology Division
Newport News Dept. of Public Utilities
Newport News, VA
[log in to unmask]

List archives at http://lists.ufl.edu/archives/recmgmt-l.html
Contact [log in to unmask] for assistance