As companies become more technologically sophisticated, they are seeking alternative means to store paper employment records. Because of the explosive growth of electronic records, the mandate for trustworthy storage and management of electronic records is greater than ever before.
To provide some guidelines to companies moving to electronic storage of files, we look to the Uniform Photographic Copies of Business and Public Records as Evidence Act, which states that a reproduction made by any “process which accurately reproduces or forms a durable medium for reproducing the original is as admissible in evidence as the original itself.” While most new data stored in the past decade are electronic, many organizations are still converting information from hard copies, so mixed data storage modes are being utilized. For example, many companies store scanned documents and electronic/hard copy faxes in addition to completely electronic exchange storage, such as email.
This Act is important because it bridges electronic and hard storage. It also helps to define what is considered “an original” document. With the advent of electronic records, the interpretation of a “durable medium” has expanded to encompass electronic storage media. For a reproduction of an electronic record to be as acceptable as the original, the medium used for the storage of records must be reliable and must support the reproduction of an accurate replica of the original record. Therefore, employers should be aware that the choice of hardware is important when deciding on storage architecture and devices. Many regulations seek to be “technology neutral,” that is, they don’t specify which media may, or may not, be permissible. There are a number of laws and regulations that either specifically require or emphasize WORM technology (Write Once Read Many, an optical disk technology on which data can be written only once and thus become permanent) as the preferred technology for ensuring the trustworthiness of electronically stored records.
From a regulatory perspective, records are typically expected to be “readily” accessible (within hours or at least on the same day) during the required retention period, the period when the potential for a regulatory investigation or audit is highest. Thereafter, records should be retrievable within a reasonable period of time (typically days, not months).
From a business perspective, the frequency of and access speed for records retrieval is relatively high for new records. Retrieval time then decreases with the age of the record. The integrity of the record must be protected for the full retention period in a manner that makes it retrievable, processable (using available hardware and software) and accurately reproducible in a form that is human-readable. This requirement puts significant pressure on a firm to have in place policies related to data archaeology and forensics and to make technology decisions accordingly.
Chain of Custody
Central to the notion of evidentiary trustworthiness and regulatory compliance is the need to ensure accuracy of data. This means that the record and all actions related to the record can be accounted for during its life. Sometimes this requirement is referred to as the “chain of custody” or audit trail. An audit trail can be very useful as evidence to show that the records have been properly managed, thereby helping prove that no unauthorized alteration of the record or its associated metadata has occurred during the record’s life. Such a trail lowers the risk that an alteration to a record could go unnoticed and makes it less likely that the record would be questioned, either in the course of litigation or in regulatory investigations.
Most audit trails are kept at an application level (i.e., firewall level). However, some technology, such as WORM, does not allow deletion or alteration of records (or associated index information written to the media), thereby providing an inherent and automatic audit trail of all stored records. Whether to implement an identity management system, a hard-token security system (which requires a physical “key” of some sort), or workflow software, or simply to ensure that there are certain points at which the data become permanent, are all important options that employers must carefully consider when deciding about their data processes and architecture.
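The audit trail described above can be made tamper-evident in software by having every entry commit to the hash of the entry before it. The following is an added example, not part of the original article; the class, function and field names and the sample values are assumptions chosen for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # constructed starting value for the first entry's prev_hash

def _digest(obj) -> str:
    """SHA-256 over a canonical JSON encoding of obj."""
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()

class AuditTrail:
    """Append-only log: each entry commits to the hash of the previous entry."""
    def __init__(self):
        self.entries = []

    def append(self, record_id, action, actor, content: bytes, metadata: dict, ts: str):
        prev = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        body = {
            "seq": len(self.entries), "ts": ts, "record_id": record_id,
            "action": action, "actor": actor,
            "content_sha256": hashlib.sha256(content).hexdigest(),
            "metadata_sha256": _digest(metadata),
            "prev_hash": prev,
        }
        entry = dict(body, entry_hash=_digest(body))
        self.entries.append(entry)
        return entry

def verify_trail(entries):
    """Return the index of the first entry that breaks the chain, or None."""
    prev = GENESIS
    for i, e in enumerate(entries):
        body = {k: v for k, v in e.items() if k != "entry_hash"}
        if e["seq"] != i or e["prev_hash"] != prev or _digest(body) != e["entry_hash"]:
            return i
        prev = e["entry_hash"]
    return None

def record_matches(entries, record_id, content: bytes, metadata: dict) -> bool:
    """Compare a stored record and its metadata with the latest logged state."""
    latest = next((e for e in reversed(entries) if e["record_id"] == record_id), None)
    return (latest is not None
            and latest["content_sha256"] == hashlib.sha256(content).hexdigest()
            and latest["metadata_sha256"] == _digest(metadata))
```

The chain only shows that entries are consistent with the most recent `entry_hash`, so that value must be kept where the people who write the log cannot change it, for example on the WORM media discussed above.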
How to Prepare
Compliance with laws and regulations mandates records storage reliability, retention, ready retrievability, and accuracy, all of which in turn impact IT policy and choices. In this regard employers should be preparing organizations now in the following ways:
- Organizations must maintain a comprehensive plan for managing electronic records, including current retention schedules.
- All storage systems are required to protect the integrity, accessibility and retention life of the electronic records being created, received, and stored.
- Industries and applications with higher risks for litigation or regulatory investigation (or both) must use extra diligence in establishing a chain of custody that inherently and obviously protects electronic records from alteration and premature deletion.
As with all hard copies of employment records, electronic records should be properly secured and access to them should be restricted.
Contributed by the Employers Association Forum, Inc. (EAF). EAF is a non-profit corporate membership-based association dedicated to serving the business and HR communities with world-class HR tools, hotlines & legal compliance, news & trends, surveys & economic data, benefits & insurance, risk management, training & consulting, and leadership & organizational development.