PRINCIPLE OF DISPOSITION

Alaska Chapter of ARMA International

Presented by: Dawn Kewan, ARMA Board Member & Treasurer

February 6, 2014

Based on Generally Accepted Recordkeeping Principles ©

2

WHAT DOES DISPOSITION MEAN?disposition

Range of processes associated with implementing records retention, destruction or transfer decisions which are documented in disposition authorities or other instruments.

ISO 15489 3

3

TYPES OF DISPOSITIONdestruction

Process of eliminating or deleting records, beyond any possible reconstruction.

transfer

Change of custody, ownership and/or responsibility for records.

Moving records from one location to another.

ISO 15489 3

4

IDENTIFY DISPOSITION STATUSInvolves the following steps:

Identify record that captures the transaction or business activity

Classify the records appropriately

Determine relevant retention period

Identify anticipated date for disposition

Document the retention period and anticipated disposition in the records system

Determine what metadata to retain with record

ISO 15489 4.3.6

5

DISPOSITION IN THE ORGANIZATION Applied systematically

Performed routinely

Conducted as normal course of business

Irreversible

Secure

Documented

ISO 15489 9.9

6

WHEN NOT TO APPLY DISPOSITIONNot without assurance that records are:

No longer required to be retained No work is outstanding No litigation or audit holds (current or pending)

ISO 15489 9.9

7

DISPOSITION ACTION Physical destruction

Extending retention

Transfer to storage (organization or vendor)

Transfer to another organization or agency

Transfer management responsibility to authorized party

Transfer to organizational archives

Transfer to external archives

ISO 15489 9.9

8

THE PRINCIPLES - INTRODUCTION

The Principles identify the critical hallmarks of information governance, which Gartner describes as

an accountability framework that “includes the processes, roles, standards, and metrics that ensure the effective and efficient use of information in

enabling an organization to achieve its goals.”

http://www.arma.org/r2/generally-accepted-br-recordkeeping-principles/metrics

9

THE PRINCIPLES Compliance

Availability

Retention

Disposition

Accountability

Transparency

Integrity

Protection

10

PRINCIPLE OF DISPOSITION

An organization shall provide secure and appropriate disposition for records that are no longer required to be maintained by applicable laws and the

organization’s policies.

11

MATURITY MODEL FOR INFORMATION GOVERNANCE Provides a picture of what effective IG looks like

Based on the eight Principles

Defines characteristics of various levels of recordkeeping programs

Associates various characteristics that are typical for each of the five levels

http://www.arma.org/r2/generally-accepted-br-recordkeeping-principles/metrics

12

Sub-Standard (Level 1)• Recordkeeping

concerns are either not addressed at all.

In Development (Level 2)• Developing

recognition that recordkeeping has an impact on the organization

Essential (Level 3)• Has minimum

requirements that must be addressed in order to meet the legal and regulatory requirements.

Proactive (Level 4)• Initiating information

governance program improvements throughout its business operations.

Transformational (Level 5)• Integrated

information governance into its overall corporate infrastructure and business processes.

MATURITY MODEL – METRICS FOR DISPOSITION

13

USING THE MATURITY MODEL AS A TOOL

No documentation of the processes to guide transfer or disposition

No process or inconsistent for suspending disposition in the event of litigation or audit (Records Hold)

Sub-Standard (Level 1)

14

USING THE MATURITY MODEL AS A TOOL

Preliminary guidelines for transfer or disposition

Recognize importance of Records Hold process consistently

Lack of enforcement and auditing or disposition

In Development (Level 2)

15

USING THE MATURITY MODEL AS A TOOL

Developed official procedures for records disposition and transfer

Developed official policy and procedures for Records Hold

Policies and procedures exist, but not standardized across the organization

Inconsistent procedures amongst individual departments

Defined specific goals related to disposition

Essential (Level 3)

16

USING THE MATURITY MODEL AS A TOOL

Disposition procedures are understood and consistently applied

Process for suspending disposition defined, understood, and used consistently

Electronic information is expunged in accordance with retention policies

Proactive (Level 4)

17

USING THE MATURITY MODEL AS A TOOL

Disposition process covers all records and information in all media

Disposition is integrated into all applications, data warehouses, and repositories

Disposition processes are consistently applied

Processes for disposition are regularly evaluated and improved

Organization's stated goals related to disposition have been met

Transformational (Level 5)

18

REASONS FOR DESTRUCTION It saves time and storage costs;

It enables organization to focus on higher priority records; and

It prevents unauthorized access and use of company records

19

DESTRUCTION - METHODS Burning – in an enclosed incinerator or secure facility

Pulping – reduces paper to pulp and often used in recycling

Pulverizing – crush or grind to a powder or dust

Shredding – reducing paper to fine ribbons

20

DESTRUCTION - METHODS Hard-drive shredding or cutting

Disk encryption – encoding messages

Image overwrite On demand – executed prior to removal or as needed to remove all image data

from disk Immediately – automatically executed immediately after jobs are completed to

remove image data from disk Scheduled – automatic, daily overwrite of all image data from disk

Magnetic degaussing – erasing data on magnetic media by passing a powerful magnet over the media.

21

PRINCIPLE OF DISPOSITION – PROCESSESPhysical Destruction

Destruction should always be authorized

Records on hold should not be destroyed

Preserve confidential information

Include all types of copies: Security Preservation Backup Vital Records

ISO 15489 9.9

22

PRINCIPLE OF DISPOSITION – PROCESSESRecords Systems

Removed in accordance to retention and disposition guidelines

Or with conversion and migration strategies

Must be documented! Conversion plans Data mapping

ISO 15489 8.3.7

23

PRINCIPLE OF DISPOSITION – CONSIDERATIONSWebsite Records

Destruction Ensure record is destroyed completely Document what was destroyed and when Include in master RIM policy

Transfer Ensure entire record (including metadata) is appropriately transferred Educate receiver its RIM responsibilities

Permanent Preservation Ensure record content (including metadata) are properly stored Provide periodic backups Transfer data periodically Ensure accessibility is guaranteed

ARMA Website Records Management

24

PRINCIPLE OF DISPOSITION – CONSIDERATIONSMobile Communications

Disposition applied to all records on device owned by organization

Subject to Records Holds and e-Discovery

ARMA Mobile Communications and Records and Information Management

25

PRINCIPLE OF DISPOSITION – CONSIDERATIONSMobile Communications

Must have a method to capture content E-mail Text messages Video Still images Downloaded content

Recommended to be able to collect and lock down device or create a forensic copy or image of the content

ARMA Mobile Communications and Records and Information Management

26

PRINCIPLE OF DISPOSITION – CONSIDERATIONSSocial Media

Content created, captured, accessed, transmitted, and/or stored can be a record

Applies to Retention Schedule

Must have ability to suspend destruction based on legal holds

ARMA Using Social Media in Organizations

27

PRINCIPLE OF DISPOSITION – CONSIDERATIONSDon’t forget about …

Copy/Scan Machine

Fax Machine

28

PRINCIPLE OF DISPOSITION – CONSIDERATIONSOutsourced Electronic Records Storage - Ask

What is their records destruction process?

What about destroying eligible records stored in… backup systems? disaster recovery systems? Other media?

Will they produce destruction certificates?

Related metadata and indexing related data also destroyed?

ARMA Guideline for Outsourcing Electronic Records Storage and Disposition

29

REASONS FOR SUSPENDING DESTRUCTION Records holds due to potential or current litigation or audit

Changes to the retention schedule that is pending approval

30

RECORDS HOLD Records holds due to potential or current litigation or audit

Communicate to all appropriate staff about the hold

Don’t forget to place records back into disposition process once hold has been released

31

EXTENDING RETENTION Document reason for extending the retention period

Identify who is requesting the extension

Research the request

Make a recommendation

Re-submit for approval

32

TRANSFER TO STORAGEDocument chain of custody or transfer records transfer log to track records moving from one location to another.

Describe the record that captures the transaction or business activity

Classify the records appropriately

Determine relevant retention period

Identify anticipated date for disposition

33

TRANSFER TO IN/EXTERNAL ARCHIVES, OR RESPONSIBILITIES Document chain of custody or transfer records transfer log

Records appraised by qualified professional

Appraisal based upon historical value of records

Transfer vs. Accession

transfer – moving records into physical custody of a NARA Records Center, sender retains legal custody until final disposition.

accession – when permanent records are sent, NARA takes legal custody.

Guidance and Policy for Accessioning Records to the National Archives

http://www.archives.gov/records-mgmt/accessioning/

STEPS TO ACHIEVE COMPLIANCEDocument! Document!

Document!

35

DOCUMENTATION - POLICY Retention periods apply to all records within the organization

Never destroy records until retention requirements have ceased

Require authorization for destruction

Ensure security and confidentiality of all records within custody

Define process and appropriate method and verify

Develop a process to suspend destruction when required

36

DOCUMENTATION - FORMSAuthorization for Destruction/Transfer Form

Date of destruction Method of destruction Description of the disposed records Inclusive dates A statement that the records were destroyed in the normal course of business The signatures of the individuals approving, supervising and witnessing the

destruction or transfer

37

DOCUMENTATION - FORMSCertification of Destruction/Transfer

Provides evidence that the records in question have in fact been destroyed or transferred

Destruction Method Date of Destruction Materials Destroyed

38

STEPS TO ACHIEVE COMPLIANCEDon’t forget to ….

Monitor

Audit

Train & Educate

39

CHECKLISTAre all records, in all media, eligible for disposition according to retention

included?

Is your retention schedule up-to-date with the applicable laws?

Authorities for disposition appropriately assigned and up-to-date?

Did you confirm that records related to a pending or ongoing litigation or audit are suspended from disposition?

Has the destruction process been documented?

Are the records required for any further legal, administrative or business use?

Were the records approved for destruction by an authorized member of the organization?

Was the method of destruction appropriate for the type of media and the sensitivity of the record?

40

SUMMARYDestruction

Records are transported securely and destroyed completely (irreversibly)

Transfer

Document chain of custody or transfer records transfer log

Records appraised by qualified professional

Appraisal based upon historical value of records

41

THE PRINCIPLES Principles are interdependent.

Real value comes from implementing them as a whole framework.

Together they support an organization’s overall records and information management program.

Provides tool to benchmark and continuously make improvements to your program.

42

“BETTER SAFE THAN SORRY” ISN’T ALWAYS SAFE!

CohassetAssociates

2011/2012 ARMA International Survey Results

Records Management & Governance of

Electronically Stored Information (ESI)

43

COMING SOON….March 6 – Principle of Retention

April 10 – Principle of Transparency

May 16 – Annual Spring Conference