Firms must improve records management

Better processes are needed to comply with the law and reduce risks

Firms are struggling to cope with the financial and legal burden of managing records and documents, including emails, instant and SMS messages, and VoIP communications, according to a new report from the Information Security Forum (ISF).

Firms face difficulties in deciding which electronic records to retain and archive for legal or other reasons, according to ISF senior research consultant Andy Jones. "Information security people are having difficulty understanding [and interpreting] the laws and how they affect records management, and for big corporations the problem is internationally [conflicting laws]," he said. Sometimes it is difficult to decide how to manage certain documents because privacy laws say certain messages should not be recorded, he added

A major new problem for firms in the US is the issue of legal discovery orders, whereby organisations must present records to lawyers in certain cases. Failure to comply may result in court cases collapsing and the company concerned being held legally responsible. "This is coming our way [in the UK] because the law exists here too, it just hasn't been used widely," warned Jones.

Firms also said they struggled to find technical solutions which could be maintained over the long periods of time required for some records, such as pension or healthcare documents. And ISF members reported that their IT departments often find it hard to persuade staff to use new records management tools and procedures.

The ISF said firms should make it clear which staff have responsibility in this area. "Document and record management sounds technical but it's largely a business issue," said Jones. "[IT security] is not the primary stakeholder in this – its role should be as secondary stakeholders to help people and advise, but it shouldn't be owning the problem."

Andy Maurice of records management specialist Iron Mountain, said that many UK firms still haven't transferred their paper documents to electronic format " let alone get the concept that an e-document can form a business record".

Maurice added, "The rule is that whatever [policies you have for] physical documents should apply to electronic [formats]. Organisations should have a clearly defined policy and have the processes in place [that means they will] implement and adhere to that policy."