Functional requirements for evidence in recordkeeping

Bulletin of the American Society for Information Science, Jun/Jul 1997

The following is a statement of requirements needed to ensure the preservation of evidence in electronic form and not the application requirements for archival or records management systems. Although specifically related to electronic recordkeeping systems, the requirements are also applicable to manual or hybrid systems. These requirements are the result of a three-year grant to the University of Pittsburgh School of Information Sciences for a project that began in 1993. Entitled "Variables in the Satisfaction of Archival Requirements for Electronic Records Management," the project was funded by NHPRC Grant No. 93-030.

Organization: Conscientious

1. Compliant: Organizations must comply with the legal and administrative requirements for recordkeeping within the jurisdictions in which they operate, and they must demonstrate awareness of best practices for the industry or business sector to which they belong and the business functions in which they are engaged.

1a. External recordkeeping requirements are known.

1a1. Laws of jurisdiction with authority over the record creating organizations are known.

1a2. Regulatory issuances of entities with administrative authority over the record creating organizations are known.

1a3. Best practices of recordkeeping established by professional and business organizations within the industry and business functions of the organization are known.

1b. Records created by organizational business transactions which are governed by external recordkeeping requirements are linked to an internal retention rule referencing the documented law, regulation, or statement of best practice.

1c. Laws, regulations and statements of best practice with requirements for recordkeeping are tracked so that changes to them are reflected in updated internal recordkeeping instructions.

Recordkeeping Systems: Accountable

2. Responsible: Recordkeeping systems must have accurately documented policies, assigned responsibilities and formal methodologies for their management.

2a. System policies and procedures are written and changes to them are maintained and current.

2b. A person or office is designated in writing as responsible for satisfying recordkeeping requirements in each system. 2c. System management methods are defined for all rou

tine tasks.

2d. System management methods are defined for events in which the primary system fails.

3. Implemented: Recordkeeping systems must be employed at all times in the normal course of business.

3a. Business transactions are conducted only through the documented recordkeeping system and its documented exception procedures.

3b. No records can be created in the recordkeeping systems except through execution of a business transaction.

3c. Recordkeeping systems and/or documented exception procedures can be demonstrated to have been operating at all times.

4. Consistent: Recordkeeping systems must process information in a fashion that assures that the records they create are credible.

4a. Identical data processes permitted by the system must produce identical outcomes regardless of the conditions under which they are executed.

4b. Results of executing systems logic are demonstrable outside the system.

4c. Results of executing systems logic are demonstrable outside the system. All operational failures to execute instructions are reported by the system.

4d. In the event of system failures, processes under way are recovered and re-executed.

Records: Captured

5. Comprehensive: Records must be created for all business transactions.

5a. Communications in the conduct of business between two people, between a person and a store of information available to others, and between a source of information and a person, all generate a record.

5b. Data interchanged within and between computers under the control of software employed in the conduct of business creates a record when the consequence of the data processing function is to modify records subsequently employed by people in the conduct of business.

6. Identifiable: Records must be bounded by linkage to a transaction which used all the data in the record and only that data.

6a. There exists a discrete record, representing the sum of all data associated with a business transaction.

6b. All data in the record belongs to the same transaction.

6c. Each record is uniquely identified.

7. Complete: Records must contain the content, structure and context generated by the transaction they document.

7a. Accurate: The content of records must be quality controlled at input to ensure that information in the system correctly reflects what was communicated in the transaction.

7a1. Data capture practices and system functions ensure that source data is exactly replicated by system or corrected to reflect values established in system authority files.

7b. Understandable: The relationship between elements of information content must be represented in a way that supports their intended meaning.

7b1. Meaning conveyed by presentation of data are retained or represented.

7b2. System defined views or permissions are retained and the effects are reflected in the record represented.