Know the legal requirements and ethical principles involved in records management and the role the recordkeeper plays in institutional compliance and risk management
The fundamental ethos of the archives and records management professional community is reflected in the tenets of ARMA International’s Generally Accepted Recordkeeping Principles®. These principles—Accountability, Integrity, Protection, Compliance, Availability, Retention, Disposition and Transparency—create a professional orientation toward ideals of service and duty with respect to the evidence of business transactions and general operations. Modern records managers, though we may be operating in less esteemed circumstances than the scribes of the Pharaohs of ancient Egypt, nevertheless bear witness to and may even give testimony about the flowing data that is the lifeblood of our organizations.
The creators of records today are primarily regular employees who are concerned with achieving their current objectives. Records managers by necessity must partner with these users and many other stakeholders to take the longer view of the entire records and information lifecycle and enlist their cooperation in achieving the greater mission of responsibility with regard to the Recordkeeping Principles®. Therefore by definition, records managers must also value the idea of partnership with community in all its many facets.
Records managers in any context must actively build awareness of the jurisdictional statutes and regulations that apply to the records under their care. This includes local, national and international laws that, among others, pertain to concepts such as individual right to privacy, transborder data security, intellectual property, public transparency and access to public information. It is a key part of the records manager’s function to ensure that a business or organization is fulfilling its legal obligations and minimizing the exposure to harm through lawsuits, theft of intellectual property, catastrophic events and loss of business productivity due to poor design of record systems. These and other risks can be mitigated through a thoughtful and comprehensive information governance framework that is integrated across business or functional silos.
Additionally, information governance can optimize risk and create an overall culture of accountability with regard to records and information that aligns with the ARMA International Information Governance Professional Code of Ethics (ARMA.org, 2016). These standards of practice outline the duty of IG professionals to “sustain and advance the essential elements of information governance, including accountability, transparency, integrity, protection, compliance, availability, retention, and disposition.” Most importantly, the IGP Code of Ethics emphasizes ethical behaviors that certified information governance professionals must commit to and sustain, among them the demonstration of honesty, fairness and freedom from bias and championing the moral use of information. These are the foundations upon which information governance and responsible recordkeeping programs are built.
Supporting Evidence 1
The first piece of evidence that I submit to demonstrate my appreciation of the legal requirements and ethical principles required by records managers is a Legislative Review of NYS Freedom of Information Law (FOIL 43 RCNY) that I researched for MARA 211. In the 1970s, freedom of information laws, or sunshine laws, were created in many states to affirm and enable public access to government records. This visibility gives the public greater insight into the basis for government decision-making and operations. FOI laws encourage open democracy and public participation in government.
There is constant tension between the public right to know and the individual right to privacy where citizens’ private information is part of the public record. Because records managers sit at the crossroads of these two competing interests, they must be careful to strictly adhere to policies that manage the dissemination of information in terms of what can and cannot be shared and the timeframe and mechanisms for doing so. This is a fundamental responsibility of records managers in any private, business or government setting.
Supporting Evidence 2
The second piece of evidence is the risk assessment for a fictional corporation that I conducted in MARA 284 Information Governance, EXILL, Inc. Risk Assessment. Using information publicly available on the IDEXX website, I theorized many different challenges that could face their multinational enterprise. IDEXX is a technology company in the highly regulated animal health industry. The risk assessment reflected external threats such as disease pandemic, natural disaster and industrial espionage and internal threats due to regulatory non-compliance, lack of legal responsiveness and loss of business innovation and productivity. This project provided me with an in-depth and comprehensive understanding of the analytical skills necessary to be effective in a complex business setting.
Supporting Evidence 3
The third piece of evidence of my broad understanding of this competency is the analytical essay summarizing the basis and challenges of the U.S.-E.U. Safe Harbor Framework written in MARA 284 Seminar in Information Assurance. Created in 1998 by the U.S. Department of Commerce, the Safe Harbor Framework is a mechanism by which U.S. companies may self-certify to comply with the EU Data Protection Directive of 1995. This law limits what personal information is collected by companies that do business with European markets. It also requires data security safeguards, means for individual control over personal information and limitations on the uses of personal data. The Safe Harbor Framework created a bridge between the vastly different values of the E.U. and the U.S., where data privacy is not federally regulated. Despite the shortcomings of the Framework, and threats to its viability in the aftermath of NSA spying on European citizens, the Safe Harbor Framework persisted until 2015, when it was overturned and replaced by the E.U. / U.S. Privacy Shield (Export.gov). The principles and objectives of the original Safe Harbor agreement are still valid within this new framework.
This past year my workplace has undergone many organizational changes. As a result of these changes, it has been necessary to re-examine business processes and work to extend project management to new team members. So far this has been an informal process, and I am the main proponent of conducting roles analysis and business process analysis in a holistic and more formalized manner. Meanwhile, I have been able to make small but important gains in various workflow areas. For example, by creating a new task in our workflow that shares our design concepts with our legal counsel, we have vastly reduced the risk of inadvertent copyright infringement. The legal team is able to assess the need for a trademark search earlier in the design process. The conduct of a trademark search leads to extra costs up front but can ultimately help avoid a much more costly or embarrassing legal incident later on.
The legal requirements and ethical principles that relate to records and information are a critical and primary concern of RIM professionals. It is our responsibility to be vigilant in observing the changing landscape of legislation, industry requirements, natural and manmade disasters and security threats to records and to put those realities in the context of our own organization’s business risk profile. Meanwhile we must also be keenly sensitive to the risks and opportunities as they relate to our corporate objectives and strategy. The work I have done in MARA has given me many important tools and knowledge to apply to those mandates.
ARMA.org (2016). IGP Information Governance Professional Code of Ethics [Web page]. Retrieved from http://www.arma.org/r2/igp-certification/ethics
Export.gov (2016). Welcome to the U.S.-EU & U.S.-Swiss Safe Harbor Frameworks. Retrieved from http://2016.export.gov/Safeharbor/