Implementing A Compliant Records Management Programme
This three-part series helps you meet compliance requirements
through better information management. How you store, access
and manage your paper documents and digital files is key
to navigating the challenge of compliance. Many regulations
directly concern data protection and security, and where they
do not, proving compliance requires carefully recorded,
easily accessible documentation.
When you think of how many documents
are generated, used and shared by each
individual office worker every day, it’s no
wonder there are so many regulations
governing the protection of data. A well-thought-out
records management programme
will help to make sure that your information
is an asset and not a liability, making
compliance far more straightforward.
Top Tips From Leading Companies
For Successful And Compliant
Records Management And
Treat information risk, including records management
and data protection, as a boardroom issue. Europe’s
highest performing organisations in the PwC risk
maturity index treat information management as a
senior level issue.
Have a multi-disciplinary team in charge of information
and records management. Utilise expertise from across
the organisation to ensure success and improve buy-in
from stakeholders throughout the company.
Adopt a holistic approach to information management,
and monitor its success. By ensuring integration across
physical and digital records, companies gain commercial
benefits including better customer service, avoided
reputational damage, improved success in winning new
business, and being a more trusted brand.
Source: Beyond Cyber Threats, Europe’s First Information
Risk Maturity Index, a PwC and Iron Mountain report,
What Is A Records
With regard to compliance, a ‘record’ refers to all documents
in whatever medium, received or created by an organisation
in the course of its business, and as evidence of its activities
or because of the information contained.
The lifecycle of a record has four stages: creation,
classification, maintenance and destruction. Your compliant
records management programme needs to address each of
There are four steps to implementing a programme:
32% of organisations describe their
information storage as chaotic
and admit that documents are
often placed in storage never
to be seen again
Source: Iron Mountain research August 2012
1. Creating A Records Retention Policy
The retention policy dictates how long a
record should be stored before it is destroyed.
To develop an effective policy, the company
must have a thorough understanding of
the records that it stores.
Research must be conducted to determine the relevant
national and industry regulations for different record types.
It is recommended you seek legal counsel to ensure your
programme meets the particular needs of your business.
Categorise the information you hold and document the
clear, consistent rules that must be followed for each
category. This includes how long certain information can
or must be kept before it is destroyed. A retention schedule
must incorporate both paper records and digital files.
Case Study: Airbus Germany
Requirements for document retention and archiving
include EASA Part 21 (aviation law), EN9100 (quality
assurance in the aviation industry), and ISO 15489
(guidelines for document management).
Furthermore, all aerospace manufacturers apply
internal processes to protect their commercial
operations and provide safeguards against
potential product liability. Aviation law stipulates
that manufacturers must, on occasion, provide the
authorities with large volumes of information in a
very short time.
40% of companies describe their
information storage and access
systems as overburdened
Source: Iron Mountain research August 2012
“Compliance with the regulatory specifications
for documentation on the part of all aircraft
manufacturers, including Airbus, is vital to fulfil
our legal, official, contractual and business
requirements. Our continued accreditation
depends on it.”
Spokesperson, General procurement department, Airbus Germany
Questions To Answer:
Seek specialist legal advice to determine:
- What are the applicable document
retention laws in your country/territory?
- Which document retention laws are
applicable to your industry?
- What are the financial penalties and
other consequences of non-compliance?
Top Tip:
The Retention Schedule
is the key document in
your compliant records
This categorises all paper
and digital documents,
recording how long they
can or must be kept.
2. Indexing And Archiving Of Records
The next step is indexing the records so that
they are easily locatable to ensure rapid
retrieval. Expert providers can store these
records off-site in a variety of ways from files
on shelves to files in boxes using barcode
tracking and system-driven workflows to
ensure a fully compliant audit trail.
Records must be stored in such a way that
they are accessible and safeguarded against
environmental damage. Vital records may
need to be stored in a disaster-resistant
safe or vault to protect against fire, flood,
earthquakes and conflict.
Scanning And Digitising
Documents, Best Practice:
Scanning, or more accurately, capturing information
through imaging, provides your business with an effective
way to integrate paper and digital records management.
It enables information to be shared between departments
in separate locations simultaneously, becoming
immediately accessible to anyone who needs it, and
business processes can be automated, reducing costs
and improving efficiency.
- Get staff support: This is essential for the successful conversion to digital
information. Without staff support, employees may
make their own copies and printouts, resulting in
unstructured archives in multiple locations.
- Get legal advice: Take the time to survey the regulatory landscape for
your country and industry, and build in
the ability to meet any regulatory requirements from
- Only digitise what you need: Documents from existing files that will rarely be
retrieved should only be absorbed into the digital
system if and when they are actually required.
- Use internal and external experts: Staff who use the documents regularly are in the best
position to recommend effective tags and labels,
guided by external experts.
Top Tip:
Programmes can be
complex and difficult
to implement; consider
the time and cost
benefits of using an
Case Study: Probate Service
The Probate Service stores wills dating back to 1858,
including those of Princess Diana, Charles Dickens
and Charles Darwin.
The Probate Service needed a single site that would
fully protect its documents in the centuries to come,
while allowing cost-effective access. It also had
targets to meet. Of solicitor, notary, or barrister
applications, 95% have to be processed within seven
working days of receipt of all necessary information.
For personal applications, 85% have to be processed
within one month of receipt of all necessary
“Genealogy has become a national pastime and,
as a result, has created unexpected demand for
the Probate Service’s retrieval offerings. We’re
seeing a 20 per cent increase year-on-year for
Neil Bryan, Contract Manager for the Probate Records Centre
65% of information leaders are
anxious about the disconnect
between paper and digital
Source: Iron Mountain research August 2012
Indexing Paper Documents:
Barcode recognition provides an effective and efficient
way to index paper documents. Barcodes can be placed
on individual documents, or as a cover sheet for documents
with multiple pages. Barcodes can be scanned from
printed documents and read from online files/PDFs,
and data can be easily exported in a format compatible
with your databases.
A document management system can be used to index
electronic files. There are multiple solutions available so
it is necessary to conduct a full cost-benefit analysis to
ensure your chosen solution meets your business needs.
Issues to consider include compatible file types, metadata/
tagging and search functionality, integration with offline or
other records management solutions, document retrieval
Archiving – Tape And Cloud
Tape and cloud can address your most critical backup,
recovery and archiving requirements. To craft a strategy
that balances their benefits, evaluate your data access
and recovery capabilities against the cost of providing
them via tape and/or cloud technology. By doing so,
you’ll be able to deliver real efficiencies and cost
savings to your company.
Top Tip:
When creating an inventory of all your documents and
electronic files, ways of categorising this information
should naturally align with the goals of your programme.
3. Ensuring Certified Destruction Of Records
Once a record reaches the end of its retention
period, you should ensure its proper
destruction. An expert provider will enable
you to audit and prove your secure
destruction process, providing written
approval, verification and the creation of
a Certificate of Destruction as proof of
compliance with the Data Protection Act.
Document Destruction Checklist:
Before destroying any documents in accordance with your
retention schedule, you should also be aware of
- Legal: Check with your legal department to ensure documents
are not required for any ongoing legal proceedings.
- Chain of custody: Confidential waste needs to be tracked from the
moment it is designated for destruction until it is
destroyed. For certain documents, certification of
destruction is required.
- Standards: There are standards that govern secure destruction,
such as BSIA standard EN 15713:2009 level 4 / BS8470
level 4. Standards cover security processes and the
size of the pieces of shredded paper to ensure your
confidential information cannot be reconstituted.
- Costs: If a 200-employee company produces an average
of 400kg paper waste per week, of which 15% is
confidential, what are the costs of secure destruction?
If an average machine shreds 2.5kg per hour it would
take 24 employee hours per week to shred. On a junior
salary of £25,000/€30,000, annual destruction costs
could be around £15,000/€18,000. Source: Secure
Information Destruction, Iron Mountain, 2011.
- Environment: Recycling one tonne of shredded paper can save
around 15 trees, helping meet environmental targets
for your organisation. Source: Baxter CVG case study.
BSIA Level 4 Compliant
Certain documents need to be
shredded into small enough pieces
to be BSIA level 4 compliant
Top Tip:
Audit your programme
regularly and keep your
reporting centralised so
you can monitor medium
and long-term trends.
These can then inform your
4. Off-Site Storage Of Backup Data
Another area that is often overlooked is
storing backup media in an off-site location.
By keeping the data off-site, you reduce your
risk should there be a disaster.
Backup media should be tracked using
barcodes and stored in a temperature and
humidity-controlled environment with the
highest levels of security to ensure the safety
of your critical business data.
Data Backup Checklist:
Ensure your current data backup programme enables you
to answer the following questions:
- What conditions are your media stored
in to protect against environmental
- How quickly and easily can you access
your backup data in the event of an
- How is your data stored to protect
against security breaches without
compromising the availability of data
that will benefit your business?
- What processes do you have available if
you are unable to locate a specific file?
- Do you have/require a mix of encrypted
and unencrypted data?
25% of decision makers feel unable
to implement a holistic approach
to information management
Source: Iron Mountain research August 2012
40% of companies consider natural disaster to be the
biggest threat to information security. Source: Extreme
weather and business continuity, Iron Mountain, 2012.
Floods – it was estimated by the Environment Agency that
the number of commercial properties affected by the 2007
UK floods was between 7,000 and 8,000. The cost to affected
businesses was on average between £75,000/€90,000
and £112,000/€135,000. Source: Environment Agency.