Risky business: Keeping the paper, ‘just in case’

You’re working electronically; yet somehow you’re still accumulating paper. There’s a warehouse (or two) full of the stuff and no one is really sure what’s in there. Most of it has been digitised… and you’re keeping the paper, “just in case” the scanning was poor, or there’s a computer virus, or in the event of a court case, or an audit, or a business need for the records.  
 
Far from being a safeguard, uncontrolled duplication of records is expensive and risky.
 
The problem
The lure of electronic records beckons with promises of smaller physical storage requirements, increased search power and easier backup for business continuity.
 
Many companies have taken steps to scan paper records as they arrive in the mail. But most haven’t implemented a systematic disposal policy to destroy the paper.
 
Some companies are continuing to print documents that began life in digital format (eg emails, reports, spread-sheets) and add them to paper files.
 
Technology has changed the ways in which we work and communicate – and led to an information explosion. It is estimated that the volume of information generated by businesses is growing by 60 per cent each year. At that rate, it is no longer feasible to keep everything ‘forever’ and it is important to minimise duplication.
 
Multiple copies lead to unnecessary costs and risks associated with:
Storage – paying for premium office space, off-site warehousing, removable media, network servers and hard drives to store and manage duplicate material, which may be rarely used.
 
Mismanagement – multiple copies are more difficult to control, file and retrieve. They increase the likelihood of security breaches or inappropriate disposal. This can result in fines and other sanctions for non-compliance with regulatory requirements; reduction in efficiency and productivity; and loss of competitive advantage if intellectual property or commercially valuable business intelligence is compromised.
 
Litigation – multiple copies mean more places to search during the discovery phase (increased time and costs). It may also raise questions about the evidential weight of records.
 
Business continuity – multiple copies make it more difficult to identify ‘vital records’ on which to focus backup and disaster prevention strategies; resulting in a higher risk of accidental loss, deletion or inaccessibility. Liability insurers are increasingly considering retention policies and discovery-preparedness in their underwriting decisions. Poorly managed records could affect the cost or availability of insurance coverage.

Why then are companies investing time and money to maintain parallel filing systems?
 
Some companies aren’t sure whether electronic records are legally admissible; or whether paper records carry greater evidential weight. Others are doubtful of the quality and reliability of scanned documents. Many are uncertain about the retention periods for paper records, email and digital documents.
 
A records management programme can clarify these questions and alleviate concerns – allowing an organisation to maximise the value of its business information and minimise the associated cost and risks.
 
The solution
Gaining control over corporate information can seem daunting. Yet it is absolutely essential for regulatory compliance and for competitive reasons. A records management programme is a key component of any GRC initiative, to reduce the complexity and costs associated with compliance.
 
Reducing the volume of paper records that must be stored and managed is the first step to moving fully into an electronic working environment. If you don’t take the plunge today, it will be twice as challenging next year.
 
Legal admissibility
Legal recognition and requirements for electronic records are contained in the Electronic Transactions Law and the Evidence Law. Your records management programme provides a framework of policies and procedures to maximise the evidential weight of scanned images and reduce the risks associated with destruction of paper files.
 
A record in electronic form will usually be admissible if it can be shown to be “accurately represented” – ie the record must have remained complete and unaltered from the time it was first generated in its final form; apart from minor changes which may arise in the normal course of communication, translation, conversion, storage or display.
 
Where records are required for legal or regulatory purposes, an electronic record is acceptable if it is maintained in an accessible, perceivable form. It must also be accompanied by contextual information (metadata) which substantiates the provenance of the record – confirming the time, place and the person(s) responsible for creating or receiving the record.
 
Companies should also examine their specific legal or statutory provisions to identify any requirements to keep records in their “original form”. Such requirements can be met by a record that was first generated as an electronic record, but not by a scanned copy of an original paper record.
 
Evidential weight
In estimating evidential weight, courts will consider a range of factors to establish the authenticity and reliability of the record. They may evaluate the normal functioning of the system in which a record is maintained, procedures for storage and access and the motives or character of persons responsible for creating or receiving the record.
 
Evidential weight may also be affected by copying or conversion from one format to another, as with photocopying, microfilming, printing an electronic record or scanning a paper record.
 
Companies should seek legal advice with regard to the types of documents most likely to be disputed in court and assess the risks associated with maintaining or destroying original paper records that have been scanned.
 
Records management
To maximise the evidential weight of scanned images and reduce the risks associated with the destruction of paper files, a records management programme should include:
 
An information management policy, which sets out the overarching framework of rules and responsibilities for controlling corporate information. It demonstrates to a court of law that information management is part of normal business operations.
 
A classification scheme that identifies the different types of records created or received by the organisation. It groups similar records together into categories that are easier to find, use and manage. The classification scheme can be used to indicate which categories of records are suitable for scanning (and which are not), based on the regulatory requirements that apply to particular types of documents.
 
A retention policy that is developed through an analysis of the company’s specific legal obligations, business needs for information to support daily operations, and the interests of any additional stakeholders. The policy must be applied consistently to all information stores across the organisation, including copies maintained in various formats. Secure disposal of records should be carried out on a regular basis, in accordance with an approved procedure. Local and international case law indicates that the courts will not disapprove routine destruction of records in accordance with established procedures.
 
Developing a security policy helps to protect the integrity of corporate information and reduce the risk of a challenge to its authenticity.
 
Questions about the quality and reliability of scanned images can be addressed by implementing procedures and technical standards for the conversion process, for quality control and IT system administration.
 
It is necessary to demonstrate that the image is an accurate representation of the source document via:
(a)    clearly defining the conversion procedure, which explains any changes applied to the image (eg conversion from colour to black-and-white, de-skewing, cropping),
(b)    capturing and managing the image in a system that can control and track its use and prevent any subsequent modification (eg in an audit trail),
(c)    maintaining and operating the system properly.

Maintaining an audit trail of activity for records, users and systems administrators is also important for proving authenticity and demonstrating the record’s ongoing integrity.
 
As a critical corporate asset, information should also be addressed in plans for business continuity and disaster recovery. The classification scheme can be used to identify categories of records that are vital for ongoing operations. Appropriate strategies can then be devised to ensure the backup and long-term accessibility of those records – including procedures for hardware or software upgrades and data migration.
 
Conclusions
Electronic records offer many benefits for business efficiency. However, they may also expose companies to significant risks, if they are not pro-actively managed.
 
A robust records management programme, with defined policies and implemented procedures, reduces the costs and risks associated with managing corporate information. It can be used to determine whether paper records are suitable for scanning into digital formats, and to enable the disposal of original hard copies – generating a range of potential savings for the organisation and mitigating the risks associated with retaining multiple, uncontrolled copies.

ignitionSM

This diagram illustrates the process for scanning paper documents and using the digital copies for ongoing business whilst disposing of the paper. Paper records are created or received, then scanned to create a high-quality image that accurately represents the original. The paper documents are filed in daily batches and securely destroyed once the conversion process is confirmed. The digital image is captured into an electronic records management system, where it is classified and indexed. Its use and management is tracked in an audit trail. The image is maintained according to records management rules and policies until its defined retention period expires. At that point, the image is securely disposed of.