Friday, June 05, 2015

ISO 30301 Information and documentation -- management systems for records -- requirements
  • The second part of this standard
  • Lots of repetition from the previous standard.
  • Scope: the standard "specifies requirements to be met by a MSR in order to support an organization in the achievement of its mandate, mission, strategy and goals."
  • We have the basic steps:
    • Context of organization
    • Leadership
    • Planning
    • Support
    • Operation
    • Performance evaluation
    • Improvement
  • Understand the context of the organization:
    • External context:
      • Social and cultural, legal, financial, technological, economic, natural, and competitive environment
      • Drivers and trends that have an impact on the organization
      • Relationships with, perceptions, values, and expectations of external stakeholders
    • Internal context:
      • Governance, org structure, roles and accountabilities
      • Policies, objectives, and strategies in place
      • Capabilities, resources, and knowledge (capital, time, people, processes, systems, and technologies)
      • Information systems, information flows, decision making processes (formal and informal)
      • Relationships with, perceptions, values, and expectations of internal stakeholders
      • Standards, guidelines, and models
      • Form and extent of contractual relationships
    • Business and legal requirements:
      • Statute and case law, sector-specific
      • Laws and regs relating to evidence, records and archives, access, privacy, data and info protection, electronic commerce
      • Constitutional rules of orgs, charters, or agreements
      • Treaties or instruments the org is legally bound to
      • Voluntary codes of best practice
      • Voluntary codes of conduct and ethics
      • Expectations of the community about what is acceptable
  • Management commitment:
    • Ensure MSR is compatible with direction of org
    • Integrate MSR reqs into business processes
    • Provide resources to establish, implement, maintain, and improve
    • Communicate importance of MSR
    • Ensure MSR achieves intended outcomes
    • Continual improvement
  • Policy:
    • Appropriate to the purpose of the organization
    • Provide framework for setting objectives
    • Commitment to satisfy requirements
    • Commitment to CI
    • Communicated within the org
    • Be available to parties as appropriate
  • Records objectives:
    • Who is responsible
    • What will be done
    • What resources will be required
    • When it will be complete
    • How the results will be evaluated
  • Training. Personnel aware of:
    • Relevance and importance of individual activities and how they contribute to achievement of MSR objectives
    • Importance of conformance with policy and procedures
    • Issues and potential impacts of non-compliance
    • Benefits of compliance
    • Their responsibilities
  • Documentation:
    • Scope of MSR
    • Policy and objectives
    • Interdependence between MSR and other management systems
    • Documented procedures
    • Documentation for planning, operation, and control of processes
  • Control of documentation:
    • Approve for adequacy prior to issue
    • Review, update, and re-approve
    • Changes and current version status are identified
    • Documentation is legible and identifiable
    • Documentation of external origin is identified and controlled
    • Prevent use of obsolete documentation
  • Records process design:
    • Analyze work processes as per ISO/TR 26122
    • Assess risks and ensure that they are acceptable
    • Specify processes:
      • Creation:
        • What, when, and how records shall be captured
        • Content, context, and control information (metadata) that will be included
        • Decide in what form and structure the records shall be created and captured
        • Determine appropriate technology for record creation and control
      • Control:
        • Determine what metadata is required and how it will be linked
        • Establish rules and conditions for use of records over time
        • Maintain usability of records
        • Establish authorized disposition
        • Establish conditions for admin and maintenance of records systems
  • There is also some guidance on performance management:
    • Assess effectiveness:
      • It reflects current business needs
      • Records objectives are consistent with policy, achievable, valid, and support CI
      • Changes in business, legal, etc.
      • Availability and adequacy of resources
      • Adequacy of roles, responsibilities, and authorities
      • Performance of individuals with responsibility for implementation, reporting, and promotion
      • Performance of records processes and systems against objectives
      • Adequacy of documentation
      • Effectiveness of records systems to achieve strategic, managerial, and financial objectives
      • Effectiveness of training and awareness programs
      • User and stakeholder satisfaction


  • Overall, this standard is pretty awesome. It could form the basis of an effective blueprint for information management.

ISO/FDIS 30300 Information and documentation -- management systems for records -- fundamentals and vocabulary

Another day, another standard. I'm on a train and feel an obligation to get something done. Hence, standards review.
I feel obligated to point out that I'm not actually reviewing the standard in this particular case. It's a Final Draft but, given the grief that I'm giving our ILL specialist, I really can't complain! Let's see what this thing is all about.

So this is really about Management systems for records (MSR) as related to ISO 9000, 14000, etc.

We need to meet objectives via:
  • Defined roles and responsibilities
  • Systematic processes
  • Measurement and evaluation
  • Review and improvement



  • We get some justification of why you need records
  • Good records are: reliable, authentic, have integrity, are usable. Isn't this in ISO 15489 and GARP?
    • Reliable
    • Secure
    • Compliant
    • Comprehensive
    • Systematic
  • Process approach:



  • We get some definition of different roles in the overall project
  • And there are lots of good definitions:
    • Asset. Anything that has value to the organization (ISO/IEC 27000)
    • Document, noun. Recorded information or object which can be treated as a unit (ISO 15489)
    • Documentation. Collection of documents describing operations, instructions, decisions, procedures and business rules related to a given function, process, or transaction (ISO/TR 26122)
    • Evidence. Documentation of a transaction
    • Record. Information created, received, and maintained as evidence and as an asset by an organization or person, in pursuance of legal obligations or in the transaction of business
  • The appendix gives us some interesting definitions, graphs, etc.
ARMA -- Records management responsibility in litigation support



  • This one really has the potential to be a ripper! One of my colleagues saw this in on my desk and shook his head. Records + Legal + IT… what could possibly be more interesting!
  • It's about 50 pages of goodness. The TOC looks fantastic. This thing really should be a standard reference for anyone who has concerns or questions about discovery.
  • Normative references: ARMA glossary, ISO 15489, ISO 23081, ANSI/ARMA 9-2004 (Reqs for Managing Electronic Messages), ANSI/ARMA 5-2003 (Vital Records).
  • Great glossary:
    • Litigants: everyone involved
    • Plaintiff: party that filed a complaint and requested relief
    • Defendant: party receiving complaint
    • Notice of dispute: when "a party is put on notice that litigation is likely"
  • Litigation process:
    • Birth.
      • Notice of dispute. Place appropriate holds.
      • Cease and desist letters or Preservation letters will do the same thing.
      • Litigation hold. Suspend normal retention and destruction. It could also apply to third-party individuals or companies.
      • Suit filed/Complaint
      • Answer filed (generally in 30 days). Each claim must be denied or responded to.
    • Discovery begins.
      • Rule 26(a). Turn over "a copy of, or a description by category and location of all documents, ESI, data compilations, and tangible things in the possession, custody, or control"
      • Rule 26(f). Parties must meet to discuss:
        • Nature of claims and defense
        • Arrange for initial disclosures
        • Establish discovery plan and schedule
        • Form of production
          • 34(b) permits requesting party to specify format
          • Otherwise, "a responding party must produce the information in a form or forms in which it is ordinarily maintained or in a form or forms that are reasonably usable"
          • Party only has to produce one electronic form
          • Formats: native Office (for meta-data); native email; PDF; TIFF
      • The court issues a scheduling order by which all parties are bound.
    • Types of requests:
      • Production of Documents and Things: electronic records, email, backup tapes, voice-mail messages
      • Interrogatories: questions that the defendant must answer
      • Affidavits: sworn statements
      • Expert witnesses and reports
      • Depositions:
        • 30(b)(6). Corporation can't speak so a party will designate an individual, generally regarding practices, policies, procedures, etc. Often a corporate officer, IT manager, or records custodian.
        • "Companies without clearly defined and implemented policies and procedures pertaining to their electronic records may find themselves in a discovery quagmire."
      • Privilege: Withholding or limiting access due to confidentiality, etc. Attorney communication is generally privileged; corporate counsel strategy is not.
      • Claw back: Agreement that privileged information discovered post-discovery can be brought back.
    • Discovery dispute resolution.
      • Common disputes:
        • Too broad
        • Too burdensome
        • Records accessibility: "A party need not provide discovery of ESI from sources that the party identifies as not reasonably accessible because of undue burden or cost." A general benchmark is active electronic files stored on a network server or employee desktop.
        • Deleted records. Defendant must make best effort to protect against deletion including using a forensic expert.
        • Cost shifting. IT and RIM must generally swear an affidavit or give testimony.
      • Failure to comply may result in sanctions:
        • Monetary: "Corporations, especially large, sophisticated companies, are expected to have file plans, retention schedules, and litigation hold procedures in place."
        • Preclusion of evidence/witnesses.
        • Adverse inference: assume that the destroyed documents would have been harmful.
        • Default judgement or dismissal.
      • Spoliation:
        • Intentional spoliation e.g., preservation letter results in a "shred day". See Enron and Arthur Andersen.
        • Negligent spoliation may be penalized if practices are particularly backward.
        • Safe harbor. 37(f): "Absent exceptional circumstances, a court may not impose sanctions under these rules on a party for failing to provide electronically stored information lost as a result of the routine, good faith operation of an electronic information system."
    • Avoidance of claims of spoliation and sanctions
      • Policies:
        • Enterprise RIM policies and procedures
        • Retention/disposition schedules
        • Hold/investigation processes
        • Effective reporting
        • Internal audits
      • Evidence of preservation:
        • Authentication
        • Chain of custody
        • Silent witness theory. An expert will testify to the integrity of the data and ensure that it hasn't been altered or tampered with.
    • Discovery closes
    • Summary judgement. Most claims will settle.
    • Trial. Litigants may set up a war room to rehearse, set up demonstrations, etc.
    • Judgement/verdict.
    • Appeals.
    • Subsequent/related litigation/investigation
    • International litigation/investigation
  • Corporate RIM:
    • Work with legal
    • Roles include:
      • Attorney (internal/external)
      • SMEs
      • Top management
      • Records managers
      • Public communications
      • Technical custodians
      • End users
    • Preparation phase challenges:
      • Incompatible terminology between legalese and business users
      • Tough to find SMEs
      • Mandatory training is crucial
      • Employee notification
      • Off-site records notification
      • Audience determination for hold notification
      • Notification and communication of litigation
      • Hold support process management. Either RIM or Legal has to own it.
      • Where will the docs/records be stored?
    • Process details:
      • Capture the details of the hold:
        • Case name
        • Case description
        • Attorney in charge
        • Type of litigation
        • Litigation target
        • Records and information impacted
        • Format of records/information (paper, electronic, microform)
        • Location of records to be retained
        • SME value for hold support
        • Dates of affected records/info
      • Communicate with management
      • Verify the process
  • Good detail on the law firm's strategy and approach:
    • Use a standard set of folders and a standard process
    • Pleadings index updates: headings -- Client matter name, case caption, case number, pleadings volume number, client/matter number; document item number; index document number;
    • Document prep for storage: remove drafts and extra copies; identify duplicates;
    • Maintain security and privacy for client records
  • Technology:
    • Need to support both the documents involved in litigation and the analysis
  • Validation:
    • General policies and procedures. "An excellent RIM program sitting on a shelf and not being followed is almost worse than not having a procedure or program at all."
    • Retention schedule
  • Process:
    • Case file creation
    • Conflicts checks
    • Trial team identification
    • Litigation hold orders
    • Document review strategy
    • Document review team/trial strategy
    • Pleadings and motions
    • Case law and court rules (with great citations): retention policies; spoliation sanctions; FRCP; discoverability; production format for electronic documents; timely production; timely review; admissibility and authentication; inadvertent production of privileged information
    • Discovery/scope and analysis of req'd docs
    • Paper and electronic document review: authenticity (integrity/not-altered; not forged); access (paper and electronic); demarcation and identification (pagination, Bates numbering); boundaries for electronic pagination (i.e., when is it a new document?) -- use logical document definition or LDD; branding (just file names?); privilege and redaction; indexing (date, author, subject, type); capture (OMR); document storage and security
    • Evidentiary material: no hearsay (e.g., probative, not prejudicial); chain-of-custody; use of Active Data Copy to maintain original folder-level metadata, etc.; Forensic Image Process; backup tape might require specialized Non-Native Environment Extraction (NNE); might require forensic specialist testimony.
    • Case conclusion: disposition; return of document; retention
  • Litigation process -- corporate
    • Subpoenas: subpoena ad testificandum (testimony only) or subpoena duces tecum (bring relevant records)
    • Delivery must be appropriate
    • Custody and control -- third parties may also get a subpoena
    • There may be objections due to privilege (i.e., the third party doesn't have to produce)
    • Document preservation. Lawyers will typically issue a Notice to Preserve Evidence Letter
    • SOX, PCAOB, etc. can enforce criminal sanctions
    • Subpoena duces tecum -- Federal Rule of Evidence 803(6), "record custodian or other qualified witness" must personally appear at deposition or trial to testify to authenticity.
  • Reqs for admission of business records (FRE 902(11)):
    • Qualification of the records custodian
    • Record made at or near the time of the occurrence
    • Record kept in regularly conducted activity as part of a process. FRE 902(11): "It is not enough that a particular employee regularly makes and keeps the records as his or her own practice because it must be the regular practice of the business… to make and keep the record at issue."
    • Email may, or may not, be certifiable. Insufficient email control results in:
      • Inability to certify email
      • Inability to authenticate email
      • Inability to use email at trial
      • Having email excluded, leading to a negative inference from email loss or spoliation
    • Notice of requirement -- you must make anything you intend to introduce available to the other party
    • There must be some way of assessing completeness of the records set collected
  • Appendices:
    1. Sample Litigation -- new file checklist
    2. Sample preservation letter -- client
    3. Sample preservation letter -- third party/opponent
    4. Corporate RIM litigation support checklist
    5. Sample litigation document flow/filing guidelines
    6. Sample legal checklist
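The "evidence of preservation" items above (authentication, chain of custody, an expert attesting that held data has not been altered) and the later "authenticity (integrity/not-altered)" and "chain-of-custody" review points all rest on the same mechanical control: record a cryptographic fingerprint of every held file at collection time, and re-check it before production. The following is an added example written for this post, not material from the ARMA document or any vendor tool; the matter name, custodian, file names and file contents are constructed placeholders. It builds a SHA-256 preservation manifest over a hold directory, seals the manifest itself with a hash so edits to the manifest are detectable, and later reports files that were modified, removed or added after the hold.

```python
"""Hold-preservation manifest: hash every held file at collection time,
seal the manifest, and re-verify it later (added example, constructed data)."""
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path: Path, chunk: int = 65536) -> str:
    """Stream a file through SHA-256 so large ESI (backup images, PSTs) fits in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def _canonical(entries: list) -> bytes:
    # Canonical JSON: key order and separators fixed, so the seal is reproducible.
    return json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(root: Path, custodian: str, matter: str) -> dict:
    """Record path, size and SHA-256 of every file under the hold root."""
    entries = []
    for p in sorted(root.rglob("*")):
        if p.is_file():
            entries.append({
                "path": p.relative_to(root).as_posix(),
                "size": p.stat().st_size,
                "sha256": sha256_file(p),
            })
    manifest = {
        "matter": matter,               # constructed placeholder in demo()
        "custodian": custodian,         # who collected; part of the custody record
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "entries": entries,
    }
    # Seal: a hash over the entry list makes later edits to the manifest itself visible.
    manifest["manifest_sha256"] = hashlib.sha256(_canonical(entries)).hexdigest()
    return manifest


def verify_manifest(root: Path, manifest: dict) -> dict:
    """Re-hash the hold root and report what changed since collection."""
    result = {"ok": False, "manifest_tampered": False,
              "modified": [], "missing": [], "added": []}
    if hashlib.sha256(_canonical(manifest["entries"])).hexdigest() != manifest["manifest_sha256"]:
        result["manifest_tampered"] = True   # the record of the hold was itself altered
        return result
    expected = {e["path"]: e for e in manifest["entries"]}
    present = {p.relative_to(root).as_posix() for p in root.rglob("*") if p.is_file()}
    for path, e in expected.items():
        if path in present:
            f = root / path
            if f.stat().st_size != e["size"] or sha256_file(f) != e["sha256"]:
                result["modified"].append(path)
    result["missing"] = sorted(set(expected) - present)
    result["added"] = sorted(present - set(expected))
    result["ok"] = not (result["modified"] or result["missing"] or result["added"])
    return result


def demo() -> dict:
    """Constructed sample: three held files; afterwards one is edited, one deleted,
    and a copy of the manifest is doctored. Returns the three verification results."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "email").mkdir()
        (root / "email" / "2015-03-01.eml").write_text("From: a@example.com\nSubject: contract\n")
        (root / "contract_v3.docx").write_bytes(b"PK\x03\x04 constructed placeholder body")
        (root / "notes.txt").write_text("meeting notes")
        manifest = build_manifest(root, custodian="J. Doe (constructed)",
                                  matter="Example v. Example (constructed)")
        before = verify_manifest(root, manifest)

        # Post-hold changes that a spoliation inquiry would need to surface.
        (root / "notes.txt").write_text("meeting notes, edited after the hold")
        (root / "contract_v3.docx").unlink()
        after = verify_manifest(root, manifest)

        # Someone edits the manifest to hide the change: the seal no longer matches.
        doctored = json.loads(json.dumps(manifest))
        doctored["entries"][2]["sha256"] = sha256_file(root / "notes.txt")
        tampered = verify_manifest(root, doctored)
    return {"before": before, "after": after, "tampered": tampered}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest is what a records custodian or forensic witness would produce alongside the collection; keeping it (and its seal) outside the held share, with the custodian and collection timestamp, is the chain-of-custody half, and re-running the verification before production is the "not altered" half.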

Overall, a great document!