Records management and privacy: Conflict or convergence?
Managing privacy is often an afterthought – most systems built before the introduction of large-scale internet computing were primarily concerned with securing application and system data from external intruders and internal unauthorized personnel. Securing data with firewalls, strong passwords and in some cases encryption did the trick. But with the advent of massive amounts of data being digitized today, virtually entire data sets are available in one or more repositories online.
To prevent data loss and mitigate privacy concerns, many organizations have established formal information security and data privacy teams. These teams are charged specifically with securing data and preventing unauthorized access, transmission and use. Privacy is thus becoming an all-encompassing field of its own.
What does privacy have to do with records management? A lot. On the surface, records management and privacy appear to diverge, but in reality both are concerned with the proper and compliant management of information (and records). Appearances can sometimes be deceptive. When one looks at the principles of records management and privacy, they may appear to differ in their fundamental approach. For example, a key facet of records management is ease of accessibility and availability of records, whereas privacy is fundamentally concerned with safeguarding information and preventing unwarranted access and use.
But looking deeper, one finds that the key doctrine of managing records is in many ways inclusive of principles for privacy, e.g., guaranteeing authenticity, reliability, integrity of information. It is therefore in the interest of record managers to understand privacy and related aspects, and play an active role in the privacy program. Policies, governance models, procedures, controls, systems, training, audits etc., are all areas in which record managers can add value to the privacy teams and vice versa. The records management lifecycle steps can be quite beneficial to the privacy program. The following are some key areas and considerations where records management and privacy can mutually benefit.
Records inventory. The existence of a robust, well-maintained records inventory by the records management team is a significant value-add to the privacy program, as it provides a ready-made listing of all organizational records. The privacy team can simply take the record list as a starting point and begin marking records that contain personally identifiable information (PII). One option to do this would be to add one or more columns to the existing records inventory listing. These additional columns can be used to mark which records contain PII data and their metadata characteristics. For example, the inventory could include one field for denoting PII type (e.g., SSN, account number etc.) and other fields to indicate the format of the PII, its data type, whether the record is the unique container of that PII data (i.e., is this PII data also contained in other records), how the PII data is secured (e.g., are there any controls to redact SSN data when the report is printed) etc. Interestingly, it is reasonable to assume that information that contains PII data would be considered a record. Hence a lot of the upfront work has already been done by the records management team via the inventory process. Of course, if PII data does exist in non-records, then the privacy team will have to develop the appropriate inventory listings.
Records retention. Determination of retention periods for records with PII data would also have been done through the retention process. Clearly the legal retention requirement would be determined through the various applicable laws, statutes, and regulations. The business or operational retention requirements, however, are rather subjective in nature and record managers should work closely with both the lines of business and the privacy/information security office to develop the appropriate period of retention. A conflict can and does arise when the privacy office states that PII data should be retained only for a short period of time – typically the life of the business process or business transaction and no longer. However the required legal retention requirements may be completely different. Hence record managers and privacy teams need to work together to find a good balance between the need to retain vs. the need to dispose of records with PII data.
Storage. Storage of records and PII data is really a model for how records management and privacy programs can come together to solve a mutual issue. Both records management and privacy demand the proper storage of records/data to ensure security, integrity and reliability and to prevent unauthorized and unauthenticated use. This is one area where record managers have a great opportunity to take the lead and work with privacy, IT, compliance and operations teams to leverage existing record infrastructure, including processes and controls, to assimilate management of PII data with existing record systems. Typically, privacy requires a centralized repository of PII information and its associated metadata that can be easily accessed. It may be worthwhile to consider the use of records management repositories for this purpose. Most electronic records management (ERM) systems already provide a lot of the key functional requirements for PII data, and hence reuse of these systems presents a valuable opportunity for cost savings and process improvements. Another key example relates to the reuse of established record offsite storage practices for securely storing paper documents containing PII data. Several record utilities also provide the ability to de-duplicate data (including PII) within e-mail, for example, and hence reduce the instances of PII data occurrence while also optimizing storage space.
Transmission. Transmission of records is not a core requirement of records management systems, but it is for privacy. Privacy policies typically require that PII data be encrypted prior to transmission and that the transmission and authentication mechanism itself be secure between the sender and the recipient. There are several tools in the marketplace to support this requirement. Hence records managers can in turn benefit from the secure transmission infrastructure established by the privacy teams. At the same time, there are several utilities in the ERM space that provide data redaction services, which can be used to redact PII data prior to transmission of a document. Thus privacy and records management teams can mutually benefit from controls and processes established for transmitting confidential information.
Disposal. Privacy laws clearly emphasize the need to follow proper disposition processes for PII data. As an example, Rule 16 CFR 682 Disposal of Consumer Report Information and Records (FTC) states that “any person who maintains or otherwise processes consumer information for a business purpose must properly dispose of such information by taking reasonable measures to protect against unauthorized access to or use of the information in connection with its disposal.” Records management policies and procedures already incorporate the disposal of records as a key facet of the program, and the privacy team can directly benefit from the various procedures and methods of disposing of both paper and electronic records. Many ERM systems provide sophisticated mechanisms for secure disposal of electronic records, and these can be leveraged for electronic documents containing PII data. In addition, records management processes also require maintenance of disposal logs and disposal certifications, both of which can be utilized by privacy teams when disposing of privacy data.
Governance and operational management. Governance and operational management are key tenets of both the records management and privacy programs. Both these programs are somewhat unique in the sense that they are typically enterprise-wide, have a very specific scope, necessitate manual and automated controls, require audit and monitoring capabilities and demand quite a bit of hand-holding of personnel. Privacy programs can reuse a lot of the governance and operational aspects of the records management program: developing a program roadmap; establishing roles and responsibilities for stakeholders; determining program deliverables; using steering committees to set direction and resolve issues; leveraging business, legal, operational and IT teams to develop program infrastructure; and so on. On the other hand, records management too can really benefit from privacy – specifically in the area of responding to control failures. Most privacy programs will have a very solid and well-tested response process that kicks in whenever a data loss or data breach event occurs. This includes event impact analysis, escalation points, communication plans and event mitigation approaches, all of which records managers can incorporate into records management processes.
Records management and privacy programs have more in common than meets the eye. Developing siloed and divergent programs negates the synergies that can be obtained when records management and privacy work together. Organizations should develop and manage these programs in a way that fosters joint collaboration, reuse and contribution to the better management and security of information within the organization.