As we get closer to the California Privacy Protection Act’s enforcement in January of 2023, organizations should look to The Principles of ARMA International to see if and how their Records and Information Programs are in compliance with CRPA.
Published by ARMA International in 2009 and updated in 2017, the Principles are grounded in practical experience and based on extensive consideration and analysis of legal doctrine and information theory. They are meant to provide organizations with a standard of conduct for governing information and guidelines by which to judge that conduct. Here’s a rundown:
Principle of Accountability: A senior executive (or a person of comparable authority) shall oversee the information governance program and delegate responsibility for information management to appropriate individuals. My recommendation: These individuals should be in the department with knowledge of how information is used and records created in that department.
Principle of Transparency: An organization’s business processes and activities, including its information governance program, shall be documented in an open and verifiable manner, and that documentation shall be available to all personnel and appropriate, interested parties. My recommendation: Use the workflow tools in your document and/or content management system to embed the business rules in your program to improve transparency.
Principle of Integrity: An information governance program shall be constructed so the information assets generated by or managed for the organization have a reasonable guarantee of authenticity and reliability. My recommendation: Turn on the create/received date, modified by date, printed date as well as disposed date in your document and/or content management system so you know who did what when with a record. If your system also has the ability to track external attempts, turn it on!
Principle of Protection: An information governance program shall be constructed to ensure an appropriate level of protection to information assets that are private, confidential, privileged, secret, classified, essential to business continuity, or that otherwise require protection. My recommendation: Turn on version control and redaction as well as integrating with AD. Again, if your system has the ability to track external attempts to access content, turn it on!
Principle of Compliance: An information governance program shall be constructed to comply with applicable laws, other binding authorities, and the organization’s policies. My recommendation: Turn on Records Management in your system or budget for it if its an extra cost as this will enhance your ability to put content on a disposition hold, and prove it was followed, as well as prove you disposed of records per your organization’s retention schedule.
Principle of Availability: An organization shall maintain its information assets in a manner that ensures their timely, efficient, and accurate retrieval. My recommendation: Agree to a naming convention so that everyone understands that “Correspondence”, for instance, includes letters, emails, text messages and chats if those documents are evidence of a business transaction, including approvals.
Principle of Retention: An organization shall maintain its information assets for an appropriate time, taking into account its legal, regulatory, fiscal, operational, and historical requirements. My recommendation: Education on why, not just training on how, records are designated as assets of the business, not property of the individual.
Principle of Disposition: An organization shall provide secure and appropriate disposition for information assets no longer required to be maintained, in compliance with applicable laws and the organization’s policies. My recommendation: Quarterly clean-up days to find and remove convenience copies, parse through emails for content that is a record and ensure it’s in the content management system. Implement robotic processing automation to search through all possible silos to find and remove the copies once the retention period has been met for that record.
Need guidance on some of ARMA’s Generally Accepted Recordkeeping Principles? Contact the team at Western Integrated Systems.