Published Research Reports

Global Requirements for Personnel Records: A Survey of Laws and Regulations (2021)

by William Saffady, Ph.D., FAI

Project Underwritten by ARMA International Educational Foundation and ARMA Metro NYC Chapter

ABSTRACT

This report is a companion to a previously published Research Report completed in 2019 (Retention of Accounting Records: A Global Survey of Laws and Regulations). This newly published report identifies and summarizes legal and regulatory requirements for content, storage, retention, and use of records that contain information about employees, a category of recorded information that is created and maintained by virtually all businesses, government agencies, and not-for-profit organizations. The report is intended for records managers, information governance specialists, human resource professionals, compliance officers, attorneys, risk managers, and others who develop policies and procedures for creation, storage, retention, use, and disclosure of personnel records in specific countries where such records are created or maintained.

*  *  *  *  *  *

Information Management Magazine – Special Edition (2019)

ABSTRACT

ARMA International Educational Foundation (AIEF) and ARMA International are proud to announce the publication of a special issue of the Information Management Magazine dedicated to innovative research within the fields of RIM and IG.  This special edition contains three AIEF-sponsored research reports and two peer-reviewed articles.

The articles and their authors are as follows:

  • “Summary – Retention of Accounting Records: A Global Survey of Laws and Regulations,” by William Saffady, Ph.D., FAI
  • “Summary – Blockchain Technology and Recordkeeping,” by Danielle Batista, BARM, MIS; Darra Hofman, JD, MSLS; Alysha Joo, MASLIS; and Victoria Lemieux, Ph.D.
  • “Summary – Industry in One: Financial Services,” by Anna Lebedeva, IGP, CIPM, PMP
  • “AI, Records, and Accountability,” by Norman Mooradian, Ph.D.
  • “Documentation Theory for Information Governance,” by Marc Kosciejew, MLIS, Ph.D.

*  *  *  *  *  *

Industry In One: Financial Services (2019)

by Anna Lebedeva, IGP, CIPM, PMP

Project Underwritten by ARMA International Educational Foundation

ABSTRACT

This research report demonstrates the unique aspects of managing records and information in the U.S. financial services industry and equips readers with the knowledge needed to implement a successful records and information management (RIM) program. The report provides a practical guide for RIM professionals who may be transitioning into financial services from another industry or context for continuing a RIM career in the financial services industry. Managing records and information in financial services is extremely challenging due to intense regulatory scrutiny. Key sections of the report include a history of the financial services industry in the U.S., an industry overview, and the major U.S. financial regulations affecting RIM; the report also highlights the most stringent recordkeeping requirements imposed on broker-dealers. The report also examines U.S. and global regulations impacting financial services firms (including privacy and cybersecurity regulations) and describes other non-regulatory drivers that make the business case for RIM in the financial services sector. The report presents findings from several industry surveys on the risks financial services firms have been facing in recent years and offers several risk mitigation actions RIM professionals can undertake to help their firms reduce the risks and potentially damaging consequences. The report also provides an in-depth overview of electronic communication technologies and how they should be managed to ensure compliance with legal and regulatory requirements. Finally, the report offers a future outlook for the financial services industry and the specific trends RIM professionals should closely monitor since these trends have the potential to make a direct and/or indirect impact on RIM.

*  *  *  *  *  *

Retention of Accounting Records: A Global Survey of Laws and Regulations (2019)

by William Saffady, Ph.D., FAI

Project Underwritten by ARMA International Educational Foundation

ABSTRACT

This report surveys legal requirements for retention of accounting records in 200 countries and territories. Globally, more than 1,000 laws and regulations specify retention periods or have significant implications for retention decisions related to accounting ledgers, financial statements, fiscal audit reports, accounts payable and receivable documents, and other records related to an organization’s accounting transactions and financial condition. For each country and territory, the report identifies, summarizes, and cites minimum retention periods mandated by accounting laws and tax laws, as well as applicable statutes of limitations specified in contract laws. The report also identifies legal requirements related to storage locations and formats for retention of accounting records. Links are provided to the full text of cited laws and regulations.

The report is intended for records managers, compliance officers, information governance specialists, attorneys, risk managers, financial officers, and others who need to know how long, where, and in what format accounting records must be kept to comply with legal and regulatory requirements in a given country. It will be particularly useful for companies, not-for-profit organizations, educational and cultural institutions, and other entities that have business operations and maintain accounting records in multiple countries.

*  *  *  *  *  *

Blockchain Technology and Record Keeping (2019)

by Victoria L. Lemieux, Ph.D.; Darra Hofman, JD, MSLS; Danielle Batista, BARM, MIS; and Alysha Joo, MASLIS

The Foundation thanks ARMA Canada Region for sponsoring and funding this research project.

Abstract

The report provides answers to key records management questions about blockchain technology commonly posed by records professionals. Blockchains are an emerging recordkeeping technology producing new forms of records, and new modalities of recordkeeping, with which records and information professionals will need to engage. As blockchain technology is still developing, technical changes as to how it operates can be expected. This report examines the future of recordkeeping in what may be a fluid blockchain world by sharing status and options to the current state of blockchain and record keeping.

*  *  *  *  *  *

AIEF Research Paper IM and the Courts an update (2018)

A study by John C. Montaña J.D., FIIM, FAI

Funded by the ARMA Metro NYC Chapter.

Abstract

This report examines and analyzes United States court decisions concerning information management in the following four areas:

  • Data Breaches and Liability – Who owns data collected in cloud-based systems? Who has standing to litigate when breaches occur?
  • E-discovery and Spoliation – What constitutes ownership, custody and control of records and data, particularly as the lines blur between personal and business devices, and data distributed amongst systems is shared by business partners, contractors, vendors and others?
  • Records and information policies and procedures – how do the courts view them; how do they operate in litigation?
  • Data rights – What rights does an organization have to data that it receives/collects from clients and other third-parties?

The report focuses on cases from approximately 2000 to 2018, with older cases cited primarily as background for discussion of newer cases and topics.  Case topics have been selected to reflect current issues of interest and areas where legal doctrine is new or uncertain.

The report supplements earlier work by this and other authors.

*  *  *  *  *  *

Records Management Experience With Big Bucket Retention: A Status Report (2018)

A study by William Saffady

Abstract

This report examines the current status of big bucket retention, a widely discussed approach to lifecycle management of recorded information that groups related records in broad categories with uniform retention guidance. The report begins with an explanation of big bucket retention concepts followed by a survey of records management publications, web sites, and other sources that document the historical development of big bucket retention schedules and discuss their advantages and limitations. The most important sections of the report present findings from interviews with experienced records management professionals who have developed big bucket schedules in government agencies, companies, and not-for-profit organizations. The interviewees discussed the circumstances in which their big bucket schedules were developed, the characteristics of retention schedules they replaced, the size and scope of their big bucket schedules, the benefits obtained, issues and problems encountered during schedule development and implementation, and acceptance or resistance by user departments.

*  *  *  *  *  *

Canadian Requirements for Personal Information Protection (2017)

A study by Stuart Rennie, JD, MLIS, BA (Hons.)

Funded by the ARMA Canada Region.

Abstract

This report reviews the personal information statutes in Canada from a records management perspective. Until this report, there has been no Canadian equivalent to the ARMA International Educational Foundation (AIEF) reports on requirements for personal information protection: Requirements for Personal Information Protection Part 1: U.S. Federal Law, and Requirements for Personal Information Protection Part 2: U.S. State Laws. While Canada and the United States have a similar constitutional structure, Canada and the United States have different privacy regimes. Canada has a harmonized privacy regime grounded by similar statutes across Canada, based on the Organisation for Economic Co-operation and Development and the European Union (EU)’s data protection directive. In the EU, privacy is a fundamental right, accorded broad protection in EU statutes and case law. In the United States, privacy is protected by sector—characterized as a “safe harbour” or “shield”; that protection is less comprehensive than in the EU. Compared to the EU and the United States, Canada occupies a middle ground regarding personal information.

This report is based on data acquired from legal research of primary personal information and privacy provisions contained in the statutes enacted by Canada’s federal, provincial and territorial governments (Privacy Statutes). This report’s focus is on the statutes currently in force because those are the statutes with which organizations must comply.

*  *  *  *  *  *

Requirements for Personal Information Protection: U.S. Federal Law (2017)

A study by Virginia Jones, CRM, FAI (2008) [Funded by a grant from the Metropolitan New York City Chapter of ARMA International]

Revised by Virginia Jones, CRM, FAI (2017) [Funded by the Foundation]

Abstract

This paper is the first of a two-part research project, funded by the Foundation, to identify privacy laws that impact records management programs. This paper covers protection of personal privacy information in U.S. federal law.

In Public Law 93-579, enacted in 1974 as the Privacy Act, Congress found that the right to privacy is a personal and fundamental right protected by the Constitution of the United States. The need for information privacy encompasses all segments of the population. This paper discusses 32 federal personal information protection laws and their records management impact. The paper is not a definitive compilation of all privacy law, but includes many high-profile privacy laws and regulations. It does not cover identity theft laws or data security laws unless the law included a significant privacy of personal information element. Each summary includes the year the Act was passed, the citation (either U.S. Code or Public Law), a summary of provisions, definitions of personally identifiable information and records related terms where applicable, and any implied or explicit RIM impact. The summary of provisions includes overviews of the major provisions of each law.

*  *  *  *  *  *

Requirements for Personal Information Protection: U.S. State Laws (2017)

A study by Virginia Jones, CRM, FAI (2009) [Funded by the Foundation]

Revised by Virginia Jones, CRM, FAI (2017) [Funded by the Foundation]

Abstract

This paper is the second of a two-part research project, funded by the Foundation, to identify privacy laws that impact records management programs. This paper covers protection of personal privacy information in U.S. state laws.

Although most U.S. federal law pertains only to U.S. federal agencies, a number of the laws also either directly relate to or indirectly impact state and local governments. The paper is not a definitive compilation of all state privacy law. The choice of the 26 privacy issues covered in this document is based on high profile privacy issues from the National Conference of State Legislatures, the National Association of Chief Information Officers, and various news sources. The document does not cover identity theft laws or data security laws unless they are included with privacy of personal information requirements. Some Freedom of Information laws having privacy or confidentiality requirements were also included in this document.

*  *  *  *  *  *

Updated Guide to Commonly Used U.S. National and International Records Management Standards and Best Practices (2017)

A study by Virginia Jones, CRM, FAI (2010) [Funded by the Greater Washington DC ARMA Chapter]

Updated by Mary Margaret Fletcher, University of Pittsburgh (2012) [Funded by the Foundation]

Updated by Virginia Jones, CRM, FAI (2017) [Funded by the Foundation]

Abstract
This guide is a compilation of key U.S. national and international records management standards, guidelines, and technical reports available for use in and by U.S. records and information management practitioners. It is not all-inclusive. Standards, guidelines, and technical reports for specific industry groups, such as legal profession, real estate, or banking, are not included, nor are quality control standards for imaging systems. The standards, guidelines, and technical reports that have been included were selected for their universal usefulness for most or all U.S. RIM programs. The purpose of this compilation is to offer a categorized list of pertinent standards and best practices to assist in determining those that meet the needs of the organization.  This paper is meant to help the average RIM practitioner decide which standards apply to their programs.

*  *  *  *  *  *

Information Governance and Public Engagement: How U.S. Federal Department Policies are Addressing Social Media Records (2016)

A study by Chad Doran, PhD, CRM

Funded by the Foundation.

Abstract
Social media technologies serve important functions in support of government services in areas such as education, public relations, health and safety, and internal and external communication networks. This research project focuses on social media usage in federal departments and agencies and the gap between written best practices and practical application. It furnishes a review of policies and practices related to social media across federal executive branch departments. The research findings provide records and archives practitioners, researchers, technologists, government officials, and policymakers with insights into policy development in the U.S. federal government which addresses records generated by social media.

*  *  *  *  *  *

Social Media Systems Records and Information Governance Challenges (2015)

A study by John Phillips, CRM, FAI

Funded by the Foundation

Abstract
Various types of social media are routinely used daily for business as well as personal, casual communication by hundreds of millions of people. By examining four major social media networking systems (Facebook, Twitter, LinkedIn, YouTube) in prominent use, this paper addresses an historical perspective as well as functionality, privacy, records capture, archiving and information governance issues and challenges. An extensive bibliography for additional information and future reference is provided.

*  *  *  *  *  *

Implementing Litigation Readiness (2012)

A study by John T. Phillips, CRM, FAI, CDIA+

Funded by the Foundation

Abstract
A major benefit of RIM programs is to reduce risks that accompany poorly organized and inconsistently retained records before, during, and after litigation. In order to assure that their clients are managing records appropriately in preparation for impending litigation, some law firms are now encouraging their clients to implement Litigation Readiness activities, including conducting records inventories, policy reviews, creating data maps of electronic records and reviewing records retention rules. This research study assessed the extent to which law firms are using these Litigation Readiness activities to prepare clients for litigation, and the role of industry information management associations and standards in facilitating these actions. The research revealed a host of opportunities for individuals and groups, including the records management staffs of law firms, to provide consulting, retention scheduling and policy development, software services, training and support services, working alone or in partnerships. The role of standards and guidelines for Litigation Support was also evaluated.

*  *  *  *  *  *

Mergers, Acquisitions, Divestitures and Closures – Records and Information Management Checklists (2011)

A study by John T. Phillips, CRM, FAI, CDIA+

Funded by the Foundation

Abstract
Revised and updated with new research, this report continues to focus on a major challenge for the RIM community. As Executives form Merger and Acquisition teams, Due Diligence processes are initiated, business consultants are retained, and Legal Counsel becomes involved, the Corporate RIM Program must reach out to accomplish new record keeping objectives while working within constrained resources and time frames. The goal of this report is to provide a ready reference that can serve as a starting point for Records Managers and their Programs in discussions of the record keeping challenges that will arise. By exploring issues in advance of problems occurring, organizations will be able to assure that records required for quality decision-making and long-term retention are identified and properly preserved.

*  *  *  *  *  *

Social Networks and their Impact on Records and Information Management (2011)

A study by Helen M. Streck

Funded by the Foundation

Abstract
Social Networks are used by hundreds of millions of people around the world and some of these communications are considered to be records. This paper provides an overview of Social Networks, identifies the real or perceived issues that exist, identifies specific characteristics that impact the Records and Information Management profession or professional and lists some of the legal considerations perceived to be emerging from using Social Networks.

*  *  *  *  *  *

Metadata in Court: What RIM, Legal and IT Need to Know (2010)

A study by John J. Isaza, Esq.

Funded by the Foundation

Abstract
To arrive at an informed analysis, this paper begins by briefly exploring the role of metadata in authentication of records. This analysis will help the reader put in perspective how metadata ultimately could affect the admissibility of a record or document in court, and thus lead to an understanding of what and why certain metadata is critical. Next the paper will explore the general concepts of metadata and spoliation, including the leading legal think tank opinions on the issue. The paper then will address recent concrete examples where the courts have ruled on the discoverability of metadata. Finally, the paper will conclude with a list of discernible patterns of preservation requirements for information governance professionals to glean in setting policies and procedures regarding the capture of metadata for both records management and e-discovery preservation. Given the limited treatment of the issue in courts, this paper will focus on the typical varieties of applications that yield documents or records where metadata is most often sought or litigated. These include email (and attachments), word processing documents, spreadsheets, presentation documents (e.g. Power Point), graphics, animations, images, audio, video and public records. From discussion of these samples, the reader may be able to glean metadata fields to preserve for more customized applications or even enterprise-wide systems that facilitate record-keeping.

*  *  *  *  *  *

Seeking the Core: The Development of the Core Works Bibliography for the Records and Information Management Profession (2010)

A study by April Norris, MSIS, IMLS Preservation Doctoral Fellow, School of Information, University of Texas at Austin

Funded by the Foundation.

Abstract
The objective of this project was to produce an essential bibliography of published literary works that document the theory and practice of the records and information management profession. This report documents the scope and purpose of the project, explains the methods of research, and reviews the project results. This research is the product of a multi-year, collaborative effort.

 

*  *  *  *  *  *

Big Buckets or Big Ideas? Classification vs. Innovation on the Enterprise 2.0 Desktop (2008)

A study by Patricia Galloway, PhD, CDP

Funded by the Foundation with additional funds provided by the Mile High Denver Chapter of ARMA International

Abstract
The recent interest fostered by the U.S. National Archives in using so-called “big buckets” as a feature of their Flexible Scheduling scheme indicates some hope for a solution to classifying routinized work product not scheduled as permanent. Given that some records managers are looking toward adopting the practice for all records, however, it may prove to be in conflict with current research in information science on the work practices of knowledge workers, especially those whose work implicitly includes problem-solving and innovation. Conceived in another way, however, the “flexibility” provided by the concept may open the door to an application of “Enterprise 2.0” classificatory practices. This is of particular import since electronic record creation is already being supported by software systems designed to optimize flexibility for employee work practices.

*  *  *  *  *  *

Identifying and Classifying E-Messages as Records (2008)

A study by Jesse Wilkins, CRM, CDIA+, CDIA

Research conducted and donated to the profession by Mr. Wilkins

Abstract
Despite email’s having existed for more than 35 years, and despite the explosion in email volumes and attendant storage requirements, most of the guidance available to organizations today takes the form either of email policies or vendor white papers. Email policies provide a good starting point for email management, but many of them are limited to acceptable usage, privacy, and the occasional nod to litigation holds. And vendor white papers are often suspect because they tend to reflect the vendor’s strategies and approaches. Many of these white papers are written by, or in collaboration with, respected analyst firms but even these can raise more questions than they address because they are sponsored. This white paper is the result of research conducted to understand the current state of affairs with regards to email management today. While some conclusions can be drawn, much work remains to be done in order to identify effective and defensible practices for managing electronic messages effectively.

*  *  *  *  *  *

Legal Holds for Anticipated Litigation: New Case Developments to Determine Triggering Event & Scope of Production (2007)

A study by John J. Isaza, Esq.

Funded by contributions from the Los Angeles and Orange County Chapters of ARMA International to the Foundation

Abstract
In 2004, the ARMA International Educational Foundation sponsored a study entitled “Legal Holds and Spoliation: Identifying a Checklist of Considerations that Trigger the Duty to Preserve” (hereafter the “2004 Study”). See above. The 2004 Study identified a duty to preserve continuum for records retention in general. It also provided parameters for triggering a “legal hold” on destruction of records subject to destruction not only under the records retention policy, but also for any other documents or information in the company’s possession at the time.

Since the 2004 Study was published, companies continue to struggle with litigation holds for foreseeable, potential or anticipated litigation, as contrasted with “pending” litigation where the company has already been served or is aware of the lawsuit being filed in court. Foreseeable, potential or anticipated litigation is a thorny case or fact-specific issue. On top of that, the revised Federal Rules of Civil Procedure, effective December 1, 2006, have made the issue a top priority. Accordingly, the purpose of this supplemental study is to survey cases that address when the duty to preserve attaches for such potential or anticipated litigation, including the all-important determination of scope (i.e., what to preserve).

*  *  *  *  *  *

Legal Holds & Spoliation: Identifying a Checklist of Considerations that Trigger the Duty to Preserve (2007)

A study by John J. Isaza, Esq.

Funded by the Foundation

Abstract
In the aftermath of Sarbanes-Oxley, concerns over discovery and spoliation have catapulted to the priority lists of most companies, specifically regarding what is considered pending or potential investigations or litigation. After all, severe penalties, including the possibility of jail time, are at stake for those involved in the destruction of relevant documents. Companies, therefore, must balance such severe consequences with proper management of all records, including electronic ones, during litigation. A central and difficult issue surrounding an otherwise sound retention policy is the determination of how and what records must be held from destruction, especially when faced with determining what is considered “potential” (or threatened) litigation or investigations as opposed to clear “pending” litigation. This article, thus, identifies a duty to preserve continuum that should provide companies a set of parameters for triggering a “legal hold” on destruction of records subject to pending or potential litigation or investigations.

*  *  *  *  *  *

Freedom of Information: History, Experience and Records and Information Management Implications in the USA, Canada and the United Kingdom (2006)

A study by Mark Glover, Sarah Holsen, Craig MacDonald, Mehrangez Rahman, and Duncan Simpson of the Constitution Unit, Department of Political Science/School of Public Policy, University College, London UK.

Funded by a grant from the Houston Chapter of ARMA International and the Foundation

Abstract
Freedom of Information (FOI) laws are becoming more and more common worldwide. From nine such laws 20 years ago to 66 in 2006, the legislation is often touted by supporters and campaigners as a window into government, and by legislating administrations as proof of their commitment to transparency and accountability. How it works in practice, however, is often far from the ideal vision either group holds prior to implementation. This paper explores freedom of information in practice in Canada, the United Kingdom and the United States, three countries that legislated at three distinct periods of FOI’s evolution.

*  *  *  *  *  *

Proving the Authenticity of a Document in Electronic Format Introduced as Evidence (2006)

A study by Stephen Mason

Funded by the Foundation

Abstract
The question of proving the authenticity of a document in analogue or digital (generically ‘electronic’) format is of great concern to information and records managers. This stems from core professional principles regarding the integrity of recorded information and techniques developed over time to be able to prove the authenticity of a record that is recorded on a tangible physical carrier, most likely to be paper. As a result, there has been a concern with the quality of the paper, together with procedures such as copying facsimile messages to bond paper, because the text printed on some types of paper used in facsimile transmissions tends to fade. Part of this effort is directed towards the objective of having an acceptable and authentic record that is admissible in a court. The same issues are of concern today, except the concerns of documents in electronic format include a mixture of the tangible and intangible. This paper aims to discuss the legal requirements for introducing electronic documents into court as a form of evidence, mainly in the context of the jurisdiction of England and Wales, and some of the considerations that may be taken into account if a document in electronic format is challenged by either party to legal proceedings.

*  *  *  *  *  *

A Minor Nuisance Spread Across the Organization: Factors Leading to the Establishment and Support of Records and Information Management Programs (2005)

A study by Richard Cox, PhD

Funded by the Foundation

Abstract
Examines the reasons why archives, records management, and information management programs are established in various kinds of organizations and explores reasons for some growing and prospering while others fail to survive. The study draws on two sources: the existing literature considering why and how such programs are established and selected interviews with individuals working at different kinds of archives, records, and information management programs in the Pittsburgh region where Dr. Cox serves as a professor at the University of Pittsburgh.

*  *  *  *  *  *

Access Rights to Business Data on Personally-Owned Computers (2004)

A study by John C. Montaña, JD

Funded by the Houston and Calgary Chapters of ARMA International

Abstract
It has been established without question that information created on the organization’s computers by employees belongs to the organization. However, a growing number of employees use their personal computers, cell phones, PDAs, and other electronic equipment at home to do work for their employer. A little-researched issue, but potentially of major concern to employees and employers, is the access and ownership of this information. Do the courts have the right to gain access to this information? Does the employee have any rights and protection for private and personal information which is retained on the same computer system? Is there an obligation / expectation that the employer should be managing this information? This study researches and documents the law in the USA and Canada that applies or may apply and suggests appropriate action for employees and employers to take.

*  *  *  *  *  *

Legal Obstacles to E-Mail Message Destruction (2003)

A study by John C. Montaña, JD with assistance from John R. Kain, MA and Kathleen Nolan, MD, MLS

Funded by the Foundation

Abstract
This project seeks to examine e-mail and the legal doctrines around it, to determine which approach to its retention is the sounder. More precisely it seeks to identify the legal and statutory obstacles which would prevent the adoption of an information management policy requiring the automatic and systematic deletion of all email messages, in all repositories, older than a predefined period. The short answer to this question is a simple one: e-mail cannot be destroyed en masse after an arbitrarily assigned period in any case where a legal duty requires otherwise. The devil is, however, in the details: Legal duties arise from a great variety of sources, and the duties themselves vary quite considerably. Each such duty creates in the data object upon which it is imposed some sort of legal status — it is an evidentiary object, a regulatory compliance object, a government record, or whatever. The question then is what, if any, status does the law impose upon e-mail?