These days, digital and physical records are being created at an overwhelming pace. Meanwhile, regulations such as HIPAA, FACTA, GDPR, and the California Consumer Privacy Act of 2018 demand improved security around personal identifiable information (PII) and employee data.
With this increased focus on policies and procedures related to records management and information governance (IG), it’s time for you to build an effective, legally defensible program.
Here are 6 key steps to get you started:
For a truly effective RIM program, take an IG approach that defines roles and responsibilities for daily tasks. A senior-level executive must take responsibility for top-down accountability and empower records administrators with the tools and policies they need. You should obtain input from all areas of the business that generate records to centralize all physical and digital documents that are being generated, whether at HQ or satellite locations. Then, get buy-in on new procedures by creating a committee to represent relevant departments.
An inconsistent — or inconsistently applied — IG policy will create problems when responding to litigation, audits, or compliance issues which require strong documentation. In addition to having compliance-driven retention policies for each record type, your RIM program should track the lifecycle of each physical and digital record from inception, flag it for destruction when its retention term expires, and provide the ability to override that expiration if need be.
The only sure way to track the location and lifecycle of individual records is with a comprehensive metadata taxonomy and indexing system that covers the various types of records your organization produces and the jurisdictions in which you operate. These steps not only facilitate proper adherence to retention schedules, but also make search and retrieval far more efficient, saving time and money.
Assuring uniform compliance to multiple regulations across your organization and in all locations is a complex task. A centralized system that can recognize record types and automate tasks such as coding and indexing will ease tasks by building them into workflows and assure greater accuracy and consistency.
Your records partner should provide
climate-controlled, off-site storage facilities and vaults that are NAID and PRISM Privacy+ certified and equipped with advanced fire-suppression technology. They should offer NAID-certified destruction of hard copy records, computer hard drives, and other electronic media. Access to documents should include a verified, auditable chain of custody, and your partner should assist with disaster recovery and business continuity.
No program will remain relevant without ongoing performance and compliance monitoring, as well as periodic audits and reviews to ensure your policies have kept up with changes in your business and compliance requirements. Your partner in records management should also make it simple for you to generate regular KPI reports on storage volume, scanning rates, records access, legal discovery costs, and other measures.
If your organization is stuck in a reactive, transactional RIM program, these steps will help put you on a path toward transformational information governance.