The Canadian General Standards Board (CGSB) standards for documentary evidence (Electronic Records as Documentary Evidence (CAN/CGSB 72.34-2005) and Microfilm and Electronic Images as Documentary Evidence (CAN/CGSB 72.11-93)) were recently used to establish the admissibility of records in a case before the Provincial Court of Alberta. The judge’s ruling (R. v. Oler, 2014 ABPC 130) concerns a drunk driving case in which the admissibility of the Calgary Police Service’s electronic breathalyzer records was challenged.
This is an important ruling for the Canadian records and information management (RIM) community because it validates these standards as important benchmarks for RIM managers to consider and follow in all Canadian organizations. It’s also significant because it was the first time in Canada that a RIM practitioner was an expert witness on records admissibility. See my interview with Uta Fox, CRM of the Calgary Police Service (CPS) for her take on the experience.
The Records in Question
The ruling concerns the admissibility of two types of records in CPS’s electronic records system (OpenText Content Server, formerly Livelink):
a) Electronic records (images) consisting of set up worksheets for the Intoxilyzer 5000C (a breathalyzer for estimating blood alcohol content from a breath sample), the simulator worksheets, and the instrument’s annual maintenance sheets as created from paper/hard copy records which were destroyed after scanning. These records are referred to in the ruling as Tabs 2, 3, and 4 of Exhibit 1.
b) A ‘maintenance log’ in Microsoft Word (MS Word) format which is referred to in the ruling as Tab 1 of Exhibit 1.
The Judge’s Ruling
The judge ruled as follows:
1. The witnesses’ testimony was accepted. Both witnesses were deemed “credible, reliable” witnesses. The witnesses were two CPS employees: Uta Fox, CRM (Manager, Records and Information) and Sgt. Richard Butler (a member of the team of police officers who maintain CPS’s electronic records system).
2. Re: Tabs 2, 3, and 4 of Exhibit 1 (the images), the Crown met “the onus that lies upon it in connection with admissibility of electronic records . . . These electronic records . . . can be introduced as evidence in the trial proper . . . The evidentiary rules of authenticity, integrity and reliability have all been satisfied.”
3. Re: Tab 1 of Exhibit 1 (the MS Word document), this record “is an ordinary business record, a Live document capable of additions, deletions or amendments, from time to time” which “may be introduced into the trial or proceedings as an ordinary business record” with “weight to be given to it subject to ordinary evidentiary rules governing business records.” This record “does not meet the standards for admission as an electronic document under CAN/CGSB 72.11-93 or CAN/CGSB 72.34-2005.”
4. “The Crown has provided full and fair disclosure to the Defence in Exhibit 1” and “The evidence in the voir dire [a legal term denoting the part of the trial connected with the admissibility of evidence] may be introduced into the trial proper.”
The Significance of this Ruling
According to Stuart Rennie, a lawyer and RIM consultant in British Columbia, this ruling is significant for several reasons.
First, Mr. Rennie says it is “the first Canadian court to consider the admissibility of electronic records with reference to specific standards [i.e. the two CGSB standards for the admissibility of documentary evidence].” Specifically, the court assessed “complex” records and information management (RIM) software, deemed it acceptable to destroy paper/hard copy source documents after imaging, and accepted electronic records as evidence. The judge reproduces in her ruling several sections of the CAN/CGSB-72.34-2005 standard which she says were “directly relevant to the considerations of the Court.”
Second, this ruling was made in a criminal case in which there is a higher standard of proof than in a civil case.
Third, Mr. Rennie believes this is the first time a Certified Records Manager (CRM) was called as an expert witness in a Canadian court and that the court has demonstrated a strong assessment towards the CRM.
Fourth, this ruling sets precedent: an Alberta court has ruled that the CGSB documentary evidence standards are acceptable in a criminal matter. While not binding on Alberta courts other than the Provincial Court of Alberta or on courts elsewhere in Canada, Mr. Rennie hopes the ruling will be cited in similar cases in the future. He also hopes that case law will be enacted to define the ‘standards’ under the Canada Evidence Act by which an electronic document may be determined admissible, thus helping the provincial evidence acts to define their ‘standards’ for electronic records admissibility.
Fifth, this ruling validates CPS’s policy, procedures, and technology for creating, storing, and managing Intoxilyzer 5000C records in electronic format. As Mr. Rennie said, “There was a lot riding on this decision for the CPS. If the records weren’t deemed admissible, then CPS’s past cases of this type would be called into question.”
Darren M. Oler was charged with impaired driving under the Criminal Code of Canada. His lawyer sought production of CPS’s records for three different Intoxilyzer 5000C instruments, specifically “maintenance logs, maintenance records, certificates of annual inspection, maintenance manuals, technician work sheets, and site installations work sheets”. In response, the Crown Prosecutor provided a CD containing maintenance records for every Intoxilyzer 5000C used in Calgary since 1995.
The requested records were provided in electronic format because it is CPS policy to destroy original handwritten documents associated with the Intoxilyzer 5000C during the process of converting them to electronic format (imaged copies) for storage in the force’s electronic records system (OpenText Content Server, formerly Livelink).
The judge ruled that “The question of admissibility of an electronic record in general must be dealt with before the Court can address the issue of the Charter arguments raised by the defence”. The judge then directed CPS “to retain counsel and to make submissions to the Court on the question of admissibility of electronic evidence . . . which are now maintained [by CPS] in an electronic database”.
The Court heard evidence from two CPS witnesses on the operation of the electronic records system and the manner in which CPS introduces documents into that system for storage. The Court also examined the integrity of CPS’s system for recording and storing electronic records.
Uta Fox, CRM (Manager, Records and Information at CPS) was accepted as an expert witness deemed to have “specialized knowledge necessary to render opinion evidence to the Court in connection with processes and procedures for the maintaining of the integrity of electronic records.” She testified that “The principles and procedures outlined by the Canadian General Standards protocol is intended to enhance the potential for admissibility of electronic documents and reliance upon these documents as authentic for the purpose of business and Court proceedings” and that the CGSB’s standards provide that “records and documents including electronic images by or stored in a computer can stand in place of original paper source records or copies of paper source records.”
Ms. Fox also testified to CPS’s creation and management of electronic records according to the CGSB standards. Specifically, she testified regarding CPS’s ‘scanning to PDF process’ including comparison between the original document and the PDF image, page counting, perfect match protocols, and quality checks, and the service’s program for destroying paper records after they have been scanned. She was also questioned – reportedly at length – about the possibility of unauthorized access and changes to electronic imaged documents.
Sgt. Richard Butler, who is responsible for maintaining the records up to the point of ensuring secure storage in OpenText Content Server, was called to testify regarding the creation and maintenance of the Intoxilyzer 5000C records in question. He described the process whereby handwritten maintenance logs are transcribed to MS Word and PDF documents, and then shredded once transcription is complete. He also explained that the maintenance log is “essentially a partial summary of original records”.
The Defence had no issue with CPS’s electronic records system or with Ms. Fox’s testimony regarding the propriety of CPS’s imaging policy.
However, the Defence said CPS’s Alcohol and Drug Recognition Experts Unit did not follow CPS procedure when converting certain handwritten documents to electronic format and subsequently storing them in the electronic records system. Specifically, the Defence said the approved maintenance logs – which were originally in handwritten format and then typed into an MS Word document – were “not exact duplicates of the original handwritten document, did not pass quality control standards, omitted information from the original handwritten document and were recreated in a different format with different columns, different descriptions, and omission of relevant information contained in the original maintenance log.” The Defence submitted “that this process of typing handwritten documents into a typed format gives rise to serious evidentiary issues in connection with authenticity and reliability of the Maintenance Log.” In addition, the Defence submitted that the electronic record produced for one Intoxilyzer did not include software modification information and contained potential inaccuracies in connection with annual maintenance being recorded on different dates.
As an Intervener in the case, CPS filed a detailed brief with the Court on ‘electronically stored information’ (ESI) and the conditions precedent for admissibility in legal proceedings. The judge’s ruling includes extracts from that brief, including the factors to establish the integrity of a records management system and a detailed description of how CPS’s electronic records system meets those integrity requirements. The Court accepted the Intervener’s submission in its entirety.
If you’re like me, you’ve likely read articles by or heard conference presentations from Records Managers in the US who have testified in court regarding their organizations’ RIM practices. To the best of my knowledge, Uta Fox, CRM – the Manager, Records and Information @ the Calgary Police Service – is the first Records Manager to testify as an expert RIM witness in a Canadian court.
Ms. Fox testified twice before the Provincial Court of Alberta regarding electronic records admissibility issues in an impaired driving case (R. v. Oler, 2014 ABPC 130). (For information on the judge’s admissibility ruling, see this post)
I recently interviewed Ms. Fox about her experience as an expert witness. The following post is based on our conversation.
1. How did you become involved in this case?
Sgt. Butler is one of the Calgary Police Service (CPS) officers who maintains the Intoxilyzer 5000C records prior to their secure storage in OpenText Content Server (formerly Livelink). The Intoxilyzer is a breathalyzer for estimating blood alcohol content from a breath sample.
The Court instructed Sgt. Butler to return to court with the ‘original’ records for the Intoxilyzer 5000C and be prepared to talk to the court about how CPS follows the Sedona Canada e-discovery guidelines. Sgt. Butler knew he couldn’t provide the ‘original’ records because the paper/hard copy records in question were destroyed after imaging as per CPS policy and he couldn’t speak to the Sedona Canada guidelines. So he came to see me and after some discussions with counsel, it was decided that I would accompany him when he next went to court regarding this case.
[Note: CPS’s external counsel later determined that the Sedona Canada e-discovery principles have no impact on criminal cases so CPS did not testify about them.]
2. This ruling concerns the admissibility of selected electronic records as evidence. Which CPS records were involved in this case?
Defence counsel requested CPS to produce its records for the Intoxilyzer 5000C. As stated in the judge’s ruling, those records include “maintenance logs, maintenance records, certificates of annual inspection, maintenance manuals, technician work sheets, and site installations work sheets”.
3. How did you prepare to testify in court?
I met with CPS staff to review the processes for creating and storing these records, and for destroying the paper/hard copy records after imaging. I also met with legal counsel – both our in-house lawyers and external counsel – to review the types of questions I might be asked in court.
4. The ruling states that you have “specialized knowledge necessary to render opinion evidence to the Court in connection with processes and procedures for the maintaining of the integrity of electronic records.” What types of questions were you asked in court before being accepted as an expert witness?
I was asked about my education (I have a Master’s degree), and how long I had worked for CPS and in what capacity. I was also asked about my RIM qualifications. I explained that I’m a CRM (Certified Records Manager) certified by an international body – the ICRM (Institute of Certified Records Managers). My qualifications were accepted without cross-examination by defense counsel and the judge didn’t question my qualifications either.
5. For how long did you testify?
I testified for about 2.5 hours in total, split over two court sittings. When testifying I was questioned by CPS counsel, defence counsel, and the judge.
6. Was this the first time you or any other CPS RIM employee was called upon to testify in court as an expert witness?
For me, this was the first time. I believe this was also the first time a RIM employee testified as an expert witness since CPS established its Records Management Section in 1998.
7. If you could use only one word, which word best describes your experience as an expert witness in court?
“Exhilarating! It was a lot of work, but it was exhilarating to be able to show that this is a credible discipline and our work is recognized legally.”
8. What tips do you have for other Records Managers who may be called upon to testify in court as an expert witness?
- Make sure you understand the Crown prosecutor’s case, and the relevant facts and issues of the case.
- Review the business policies and processes in question.
- Be prepared to speak truthfully and use non-technical language.
- Follow court protocol re: who to address and where to look, and learn what you can and can’t do during a recess (e.g. you cannot consult with lawyers). Your lawyer can advise you about that.
- Remember that what you say in the court room during a break may be recorded (at least that was the case in this court room).
- If you don’t know the answer to a question, say you don’t know. Don’t commit to something you’re not sure of. Make sure you always answer only from your area of expertise.
- Wear appropriate attire. Again, your lawyer can advise you about that.
You’ve likely heard of Snapchat, the beloved app of teenagers (and others) for sending disappearing selfies. And you’ve likely discounted this popular service (which sends approximately 400M photos/day) as appealing only to consumers.
But wait . . . there’s evidence that the vendor community is already developing corporate equivalents of Snapchat’s disappearing functionality that may move this type of technology into daily business use just like other applications such as instant messaging (IM). IM moved into the corporate/enterprise space when vendors developed secure/enterprise equivalents (e.g. Jive and IBM Sametime) to overcome the perceived security risks of public IM services (e.g. Yahoo! Messenger and ICQ).
Confide is likely the first of many apps RIM professionals need to monitor. Run by a former AOL executive (Jon Brod) and the CEO (Howard Lerman) of the location services company Yext, Confide is a text-based iOS app in which you read a message by ‘wanding’ over it with your finger. Check out the company’s home page to see how that works.
Each message disappears after being read once – you can’t store or forward it. And you can’t take a screen shot because a message is hidden until you ‘wand’ over it and only a limited number of characters are revealed at any one time. Further, Confide will alert you (and the recipient) if the recipient attempts to take a screen shot.
Confide’s creators argue that “Off-the-record conversations happen all the time in the offline world — phone calls, hallway discussions, meet-ups, grabbing lunch or coffee” and their goal is to “bring this offline experience online, in a fast and efficient way.” Also according to the app’s FAQ, they anticipate the following three primary cases for using Confide for “honest, unfiltered, off-the-record conversations”:
- Anytime you send an email or text saying “Confidential — don’t forward”
- Anytime you respond to an email or text with “I’ll call you”
- Anytime you say “Can you send me your personal email; I’d prefer this conversation not be on work servers”
Why was Confide developed? Here’s what the creators say:
“We think the concept of the digital permanent record is crazy. Why should all of our online communication be around forever, with copies of things being spewed and stored in people’s inboxes and various clouds? Imagine if everything you ever SAID (spoken words) were stored like that and the person you said it to had a copy of it. We think this is fundamentally broken and we set out to fix it. We created Confide to bring off-the-record professional communication to the digital world.”
While it’s true that spoken words aren’t captured unless a recording is made or someone later transcribes a record of what was said, the instantaneous deletion of digital communications used for business purposes is fraught with risk. It will be interesting to see if apps like Confide gain traction in the corporate world and, if they do, how regulators and the courts will look upon them.
For many years, most organizations have had policies governing employees’ use of e-mail (e.g. no political solicitations, no profanity, etc.) and the Internet (e.g. don’t download or share information that’s offensive, illegal, discriminatory, etc.). And many organizations are in the process of implementing policies to guide employees on what organizational information/data can (and cannot) be shared in social media applications such as Facebook. In addition, many organizations have a Code of Conduct requiring employees to preserve the confidentiality and privacy of the organization’s information by not using or disclosing confidential/personal information other than in the performance of their jobs or as required by law.
However, despite such requirements, the combination of organizational data/information and an Internet connection is a recipe for disaster – and often a public relations nightmare – in the hands of some employees.
In a recent Maclean’s article entitled “Open Secrets”, Tamsin McMahon illustrates “. . . just how much power today’s workers have to spill the beans on their employer’s most sensitive information. From Twitter to Facebook to professional networking sites like Glassdoor and LinkedIn, any employee with an Internet connection now has access to a limitless array of tools to instantly – and anonymously – share workplace gossip and confidential corporate data with the world.”
While much of Ms. McMahon’s article focuses on how the law is catching up to provide legal consequences for employees who discredit their employers/bosses on social media or release confidential information, she provides several thought-provoking examples of the damage an unthinking employee can cause. For example:
- A warehouse employee was fired after having uploaded to YouTube 93 videos taken at work over two years showing activities such as employees playing with insects on the warehouse floor and a video claiming that one customer’s foodstuffs were stored with sodium cyanide. The employer claims $250,000 in lost business from angry clients due to the videos.
- An Ontario court allowed a company to fire two employees who had spread gossip and jokes about their boss on an employee’s private Facebook page. Despite the fact the page wasn’t public, the court ruled that the company’s reputation had been harmed because enough of their co-workers had read the posts.
Some of Ms. McMahon’s examples illustrate that many breaches are made unwittingly, and sometimes by an employee’s immediate family, for example:
- An employee posted a picture on Instagram of a work-related trip, not realizing that he publicly revealed a site where his employer was planning to drill for oil.
- US soldiers uploaded to the Internet photos of new helicopters not realizing that GPS coordinates are transmitted with most photos taken with cellphone cameras. The next day, four of the helicopters were destroyed in a bomb attack.
- A high-profile executive’s children may compromise the family’s security by discussing their vacation plans on Twitter.
What does this mean for RIM professionals?
The need to keep tabs on their reputation and information will likely cause many organizations to implement web scanning whereby they (or their service providers) will sift through chat room conversations, Facebook posts, tweets, YouTube, etc. looking for inappropriate comments and inappropriately released information. The resulting collection of comments/information will constitute another group (or series) of information to be managed and retained for a suitable period. Because some of the inappropriate comments or inappropriately released information may be relevant in future litigation, it will be particularly important to document and manage the audit trail of the information’s collection, access, and storage and manage it according to the organization’s legal hold protocol if/when required.
RIM professionals working for organizations in competitive environments may also see an increase in the volume of competitive intelligence (i.e. information about their competitors) to be managed as their employers deploy web scanning for competitive purposes.
If you’re like me, you’ve probably read a lot of articles about SharePoint’s business benefits (e.g. collaboration, workflows, etc.) but rarely found articles that discuss the RIM implications of implementing this increasingly ubiquitous technology. You’ve also probably searched in vain for RIM information in books about SharePoint. And apart from some sessions at ARMA conferences and other RIM industry events, you’ve probably encountered very, very few speakers at SharePoint conferences who even mention RIM.
I’m often asked by clients and students to suggest resources about SharePoint’s RIM functionality and on implementing SharePoint from the RIM perspective.
I’m happy to share the following list of resources I’ve found helpful. What resources do you recommend?
Courses: Solutions for EDRMS Success: SharePoint Records Management Certificate – This ARMA International seminar teaches a 12-step methodology for successfully implementing an EDRMS (electronic document and records management system). While based on SharePoint 2010, it is fully applicable to other technology platforms. The certificate consists of a 2-day seminar and a computer-based exam taken after the seminar.
Blogs/web magazines: SharePoint is a hot topic in the blogosphere and web magazines. Here are three that regularly discuss SharePoint, often from a RIM perspective.
- CMS Newswire – A good source for discussions, including discussions of SharePoint functionality.
- Digital Landfill – AIIM’s blog on diverse topics (including SharePoint) for dealing with ‘information chaos’.
- The Doculabs Blog – This blog currently contains 24 posts on SharePoint (and many posts on other topics such as ECM, ediscovery, records management, etc.).
Books/reports/articles: You might want to check out the following resources.
- Managing Records in Microsoft SharePoint 2010 – In this book, Bruce Miller examines SharePoint’s corporate recordkeeping capabilities and recommends ways to overcome its recordkeeping limitations. A 2nd edition is expected soon emphasizing the use of 3rd party add-in software to overcome SharePoint’s recordkeeping limitations.
- Market Overview: Information Governance for the Microsoft Ecosystem, Q1 2014 (click on the link to obtain the report from Gimmal or contact any of the other profiled vendors to request a copy) – In this Forrester report, Cheryl McKinnon says “With the latest 2013 release, SharePoint now has adequate records management and improved eDiscovery capabilities, but gaps remain.” The report outlines the use cases for 3rd party tools to extend standard SharePoint support for advanced retention, disposition, security policies, archiving, or site governance. It also profiles 13 vendors: Archive Systems, AvePoint, Collabware, Dell, EMC, Feith Systems and Software, FileTrail, Gimmal, HP/Autonomy, IBM, Mimecast, OpenText, RecordPoint, RSD, Workshare, and ZL Technologies.
- Solving the SharePoint Puzzle: Where it Fits in Content Management Strategy – This 2010 ARMA Hot Topic contains an article by Marcia Douglas on SharePoint governance.
- Control SharePoint: Rule Your Information Domain with Governance – This AIIM checklist also discusses SharePoint governance.
The PDF/A-3 standard (ISO 19005-3:2012) defines a file format based on the portable document format (PDF) to provide a mechanism for representing electronic documents in a manner that preserves their static visual appearance over time, independent of the tools and systems used for creating, storing, or rendering the files. However, preservation of the files’ static visual appearance is only possible if conforming PDF/A files are complete in themselves and require no external resources (e.g. unembedded fonts) to render their pages properly.
In a somewhat radical departure from its predecessor, PDF/A-2 (ISO 19005-2:2011), PDF/A-3 permits the embedding of files of any format (including XML, CSV, CAD, images, binary executables, etc.) within a PDF/A file and does not require embedded files to be considered archival content. Further, a PDF/A-3 conformant reader is responsible for presenting only the primary document and permits the extraction of embedded files for use with other tools.
The U.S. National Digital Stewardship Alliance (NDSA) charged a Working Group to investigate the PDF/A-3 standard. Specifically, the Working Group researched the pros and cons of using PDF/A-3 in different preservation scenarios, including use as an extension to PDF/A-1 (ISO 19005-1:2005) and PDF/A-2 in circumstances for which those formats have been adopted or recommended, and use as a wrapping or bundling format for various digital asset/media types, such as textual, audio, video, photo, and GIS data.
In The Benefits and Risks of the PDF/A-3 File Format for Archival Institutions, the Working Group provides a comprehensive assessment of the possibilities, risks, and general pros and cons of PDF/A-3 and the scenarios in which it might (or might not) be appropriate. The report also presents a general scenario for embedding supporting data in PDFs for scholarly documents and several scenarios specific to particular contexts or institutions such as a U.S. National Archives and Records Administration (NARA) scenario for using PDF/A-3 as an acceptable container to circumvent DoD 5015.2 records management application restrictions.
The conclusions address the following topics.
- PDF/A-3’s appropriateness – Its appropriateness for the long-term preservation of content depends heavily on three factors: the type of content, the nature of the workflow that created it, and whether the archival submission process allows for detailed negotiation on allowable formats for embedded files.
- PDF/A-3 and workflows – PDF/A-3 may be most appropriate for use in controlled workflows but may not be an appropriate choice as a general-purpose bundling format. However, the PDF Association’s proposed creation of “a free and open source PDF validation tool might mitigate the long-term preservation risks constituted by the complexity of the PDF/A format as a bundling format. Absent such robust validation tools, conversion of PDF files to PDF/A in preservation workflows remains a somewhat problematic preservation tactic.” (page 19)
- Additional tools – If the preservation community agrees PDF/A-3 is inappropriate as a general purpose archival bundling format, the community will need to identify and/or create tools to allow complex digital objects to be bundled with metadata to establish the relationship among the components in a bundle.
- Archival institutions’ policies – The manner in which archival institutions will treat embedded files depends on “the context for creation, the expressed relationships that embedded files have to the primary document, the expectation of future users, and an archival institution’s policies.” (page 19) The Working Group recommends that archival institutions treat PDF/A-3 separately from other PDF/A versions in preference lists and for action plans.
- Future standards development role – The report illustrates that the arbitrary embedding of files is a problematic feature of PDF/A-3. Consequently, the Working Group suggests the ‘community of memory institutions’ may need to take “a more strategic, active, and vocal role in the standards development process” (page 19) in the future to avoid the introduction of similarly problematic new features.
The report is recommended reading for organizations (particularly archival institutions) planning to use the PDF/A-3 standard.
Cohasset Associates, ARMA International, and AIIM recently published the results of the 2013/2014 Information Governance Benchmarking Survey (download a copy here). The survey was underwritten in part by Iron Mountain.
The findings are based on responses from 1,300+ invitees including ARMA International members, AIIM members, recent attendees of Cohasset’s Managing Electronic Records (MER) Conference, selected Iron Mountain customers, and members of the Records Management LISTSERV.
Respondents work in many industries such as government, financial services/banking, professional services, and manufacturing. The majority (58%) work for ‘small’ organizations (up to 4,999 employees) followed by ‘medium’ organizations (5,000 – 24,999 employees), and ‘large’ organizations (25,000+ employees). Most respondents’ survey answers represented operations in the U.S. (58%) followed by global operations – excluding U.S. (27%), and Canada (12%). When asked to select (select all that apply) their job responsibilities related to information lifecycle management, the most frequently cited responsibilities were: implementing RIM technologies and tools (51%), enterprise RIM program including international, if organization is global (48%), RIM strategy definition (47%), and managing RIM file room or electronic repository (45%).
The survey questions address topics such as business commitment to RIM, retention schedules, records deletion/destruction, legal holds, information lifecycle management, and RIM Program maturity.
For some questions, the 2013 responses are compared to responses in past studies (the 2003, 2005, 2007, 2009, and 2011 surveys or a sub-set thereof) to illustrate trends over time. More than 12,000 individuals have responded to the survey since its inception.
According to the authors, this 8th biennial survey provides “authoritative, up-to-date benchmarking metrics on information lifecycle practices with an emphasis on electronically stored information (ESI)”. The following Survey Highlights table from the report summarizes the results and recommends implementation actions to modernize information governance (IG). The authors encourage organizations to use the table to “formulate internal action plans and to develop communications highlighting . . . [their] program’s strengths and opportunities.”
|SURVEY HIGHLIGHTS||RECOMMENDED ACTIONS|
|1. Overall, IG programs are more prevalent, better-designed, and inclusive of ESI. However, many essential implementation elements are not being addressed.||
|2. Effective IG is increasingly recognized as an imperative for corporate compliance and risk mitigation. Coordination and integration is on the rise.||
|3. While improvements are reported in the management of some ESI, information governance must modernize or forever be losing in a game of catch-up.||
|4. Legal Hold processes are more commonplace, but over-preservation is an immense challenge to the implementation of effective information lifecycle controls, thereby contributing to future risk and complexity.||
Due to the broad data/information collection, review, and retention provisions of the USA Patriot Act, RIM professionals have expressed concern about the risks to privacy rights and confidentiality when Canadian organizations store e-mails (and other cloud-based data) on servers in the United States. Recent developments suggest the Government of Canada (GoC) shares their concern when it comes to the government’s e-mails.
As reported by Michael Geist in the Toronto Star (article available for purchase here), the GoC’s Email Transformation Initiative will consolidate “more than 100 different email systems used by more than 300,000 employees into a single, outsourced email system”. When defining the system requirements, the government invoked a national security exception to require secure storage of the e-mails on servers in Canada.
A Request for Proposal (RFP) was issued to four pre-qualified vendors: Bell Canada, Dell Canada, HP Canada, and IBM Canada. In June 2013, the $350+M contract was awarded to Bell Canada, in partnership with CGI Information Systems And Management Consultants Inc.
Documents recently obtained by the B.C. Freedom of Information and Privacy Association reveal that US companies who were shut out of this procurement urged US government officials to launch a trade complaint. As Mr. Geist reports, “While the companies explored several alternatives that might address Canadian concerns, including encrypting all data and retaining the encryption key in Canada (thereby making it difficult to access the actual data outside the country), the government insisted on Canadian-based storage” and “pointed to privacy concerns stemming from the USA Patriot Act” regarding that requirement.
This situation is interesting on a number of levels.
First, it reinforces the concerns RIM professionals have expressed for many years about the potential privacy risks that may arise from the provision in the USA Patriot Act to gather and disclose data/information to law enforcement without appropriate oversight or disclosure and to retain that data/information indefinitely.
Second, it illustrates the GoC’s commitment to protect its e-mails by ensuring their storage on Canadian servers despite the risk of upsetting its largest trade partner.
Third, and perhaps of most interest, it demonstrates that the GoC has secured a protection not available to the average consumer or to most organizations operating in Canada. As Mr. Geist reports, “. . . the majority of Canadian dot-ca domain name websites are hosted outside the country, with Canada ranking among the lowest countries in the developed world for domestic website hosting. Moreover, Canadian Internet providers such as Bell exchange their Internet traffic in the U.S., ensuring that even simple domestic emails frequently enter the U.S. network before returning to Canada.”
The Sedona Conference® recently released a public comment version of its Commentary on Information Governance, a project of The Sedona Conference Working Group One on Electronic Document Retention & Production (WG1).
A new definition of Information Governance
The Commentary adds another definition of ‘information governance’ to our lexicon. According to The Sedona Conference®, information governance is “an organization’s coordinated, interdisciplinary approach to satisfying information compliance requirements and managing information risks while optimizing information value.”
Breaking down the silos
The Commentary emphasizes the need to break down silos and achieve coordination among an organization’s information-focused disciplines such as RIM, data privacy, information security, and e-discovery to ensure “a top-down, overarching framework, informed by the information requirements of all information stakeholders . . . [to] enable an organization to make decisions about information for the good of the overall organization and consistent with senior management’s strategic directions.”
The 11 principles at a glance
To assist organizations in developing and implementing that framework, the Commentary provides “a comprehensive set of basic principles to guide the development and operation of a robust Information Governance program in any organization.” The eleven principles are:
- Organizations should consider implementing an Information Governance program to make coordinated decisions about information for the benefit of the overall organization that address information-related requirements and manage risks while optimizing value.
- An Information Governance program should maintain sufficient independence from any particular department or division to ensure that decisions are made for the benefit of the overall organization.
- All information stakeholders should participate in an organization’s Information Governance program.
- The strategic objectives of an organization’s Information Governance program should be based upon a comprehensive assessment of information-related practices, requirements, risks, and opportunities.
- An Information Governance program should be established with the structure, direction, resources, and accountability to provide reasonable assurance that the program’s objectives will be achieved.
- The effective, timely, and consistent disposal of physical and electronic information that no longer needs to be retained should be a core component of any Information Governance program.
- When information governance decisions require an organization to reconcile conflicting laws or obligations, the organization should act in good faith and give due respect to considerations such as privacy, data protection, security, records and information management, risk management, and sound business practices.
- If an organization has acted in good faith in its attempt to reconcile conflicting laws and obligations, a court or other authority reviewing the organization’s actions should do so under a standard of reasonableness according to the circumstances at the time such actions were taken.
- An organization should consider reasonable measures to maintain the integrity and availability of long-term information assets throughout their intended useful life.
- An organization should consider leveraging the power of new technologies in its Information Governance program.
- An organization should periodically review and update its Information Governance program to ensure that it continues to meet the organization’s needs as they evolve.
Each principle is discussed in detail in the body of the document.
Appendices address the synergies – and conflicts – in the intersections of IG stakeholders (i.e. RIM, privacy, security, and e-discovery), a maturity continuum as it relates to an information function’s level of independence maturity, the risks associated with digital assets, and the quantitative/ROI business case for IG in terms of optimizing corporate value, risk reduction, hard cost avoidance, and soft cost avoidance.
Opportunity to comment
Because the document is a public comment version, comments and suggestions for improvement are welcome. You can join the dialogue online (paid and free accounts are available) or submit comments by email to firstname.lastname@example.org