RECMGMT-L Archives

Records Management

RECMGMT-L@LISTSERV.IGGURU.US
Options: Use Forum View

Use Monospaced Font
Show Text Part by Default
Show All Mail Headers

Message: [<< First] [< Prev] [Next >] [Last >>]
Topic: [<< First] [< Prev] [Next >] [Last >>]
Author: [<< First] [< Prev] [Next >] [Last >>]

Print Reply
Subject:
Re: Records Retention Compliance
From:
Maureen Cusack <[log in to unmask]>
Reply To:
Records Management Program <[log in to unmask]>
Date:
Wed, 19 Aug 2009 09:59:22 -0700
Content-Type:
text/plain
Parts/Attachments:
text/plain (81 lines) 
Beatrice

This is the best question I've seen on this list serv in awhile:

<manage electronic records in accordance with the
retention schedules.......Once we get this in place how do we ensure
compliance?>

In my job where there's so much litigation, many retention laws, big complex
systems, only one records manager (me) and almost no support or awareness of
the RM function (eg. we don't even have a published RM policy after 3 years
of my nagging, we have only a retention schedule, so compliance has not
much 'teeth') that I don't really have the luxury of mucking around
with 'user-side' fileplans, folder structures and naming conventions for
electronically stored information (ESI). I consider those RM activities to
be like playing in the sand, making sand castles, while giant rogue waves
are gaining speed and heading for shore. The rogue wave is litigation and,
to a lesser extent, regulatory audits. The waves are coming after our more
important (legally high risk) data which is the ESI controlled by IT, out of
reach of users (users don't 'control' it in any real way). The ESI
is data run by big complicated processing systems and the processing systems
themselves (which get upgraded and morphed in important ways that are also
subject to law suits). Therefore I need to focus on IT: getting IT to
identify that data to me so I can map it for myself and attorneys and so
that I can tell IT what/when/why and even how to destroy it in compliance
with the retention schedule. For both legacy systems and big complicated new
systems being built. So I launched a phased project and got 'mandates'.

I'm resurrecting an IT 'application list' which luckily was created a few
years ago by IT itself due to a HIPAA security inventory need. The list
petered out because, well, I guess IT upper management would simply
prefer to revert to chaos whenever possible. Why have a central index of all
company systems/tools/applications when you could stumble around in the
dark? The way I am getting cooperation from IT in completing the 50-odd
pieces of information for each of the 350+ applications is through a law
department 'mandate' that cites ediscovery laws. Getting this mandate was
key and was also difficult; it's not just IT whose eyes glaze over in
listening to reasons why stuff needs to be identified and managed properly-
even when listeners (attorneys) experience for themselves the frustration
caused by the problem.

The application list thingy requires IT upper management cooperation to get
the actual hands-on IT support person to update their application
information once every quarter. Their manager is responsible for completion.
Because IT are a little like Switzerland: they don't really follow any
compliance or company-wide rules, only their own, and  they won't perform
any task unless it's assigned to them by their own boss, a mentality that
goes up the chain to the CIO. IT hands-on application support people are to
be the sole person responsible for quarterly list completion. They'll have
to go do some information gathering, mostly amongst other IT staff (disaster
recovery people, security people etc), I decided, because if task completion
gets spread among several people it will never get done; the list would get
passed around like a hot potato.

Then I'm getting IT to cooperate in identifying, creating, and
destroying backup tape using the same legal 'mandate'.

So far so good, mandates are there and IT upper management are cooperating.
Yay.

Then the project phase 2, also mandated and OK'd already, calls for IT to
destroy online ESI in compliance with the retention schedule. It's phase 2
because, with many complicated legal holds going on,  first the ESI must be
identified then it can be destroyed.  The legal mandate for IT to
destroy will cite retention laws (which regulators care about- we are
heavily regulated)  and will cite the secondary litigation risk caused
by keeping too much ESI past its expiration (cost to preserve, produce,
review).

Is anyone else approaching the IT-controlled ESI morass in a similar
phased-project way, and as a result of recent federal and state ediscvoery
laws?

maureen cusack, M.I.St.
San Francisco, CA

List archives at http://lists.ufl.edu/archives/recmgmt-l.html
Contact [log in to unmask] for assistance
To unsubscribe from this list, click the below link. If not already present, place UNSUBSCRIBE RECMGMT-L or UNSUB RECMGMT-L in the body of the message.
mailto:[log in to unmask]

ATOM RSS1 RSS2