US DoD publishes guidance on Technology planning for Electronic Records Management (ERM)
This may be one of the most important guidance documents published in years. For many years, the US DoD 5015.2 Functional Requirements specification stood alongside the DLM Forum’s MoReq (and MoReq 2010) and ISO 16175 as one of the key standards against which to benchmark functional requirements for Electronic Records Management Systems. One thing that was missing, however, was an internationally available set of implementation guidelines for ERM other than ISO standards and documents requiring membership of organisations such as AIIM and ARMA.
In August 2023, the DoD published DoD Manual 8180.01, Information Technology Planning for Electronic Records Management. This article provides a summary of the primary areas of the guidance document. Note: The document is designed for the US DoD, and hence imposes no obligation on other organisations to implement it in part or in whole. If you are part of a USA organisation that is required to comply, then you should refer directly to 8180.01. I have made no attempt to re-write the document, as you can download it from a link provided at the end of the article. Rather, I have extracted the main headings and provide a simple description and my own interpretation of the requirements. I have used the main headings as provided in the guidance document. 8180.01 should be read in conjunction with 5015.2 (US Components) or other functional requirement specifications.
1 POLICY
Any development, acquisition, improvement or decommissioning of any IT system should consider records management requirements. Think of this in the context of Records Management by Design, which should include IT, Business and Records Management requirements throughout the lifecycle of an IT system. Privacy by Design should also form part of that thinking. Both records management and privacy have requirements for the retention of the data included in those systems.
2 RESPONSIBILITIES
The responsibilities described in this section apply to US Government Agencies (Components), and are hence out of scope for this article.
3 Building Blocks
The document is organised around nine records management building blocks, each of which is explored below.
3.1 Retention planning
The information contained in IT systems must be understood and included in retention schedules. This should happen regardless of whether these retention periods and schedules are imposed by a National Archival and Records Management Organisation (such as NARA in the USA) or internally through a formally designated process. IT systems in this case include formal EDRMS, ECM, EDMS, or ERM systems as well as business systems such as ERP or Line of Business systems which contain records.
3.2 Metadata
Metadata is a fundamental part of authoritative records and must be created for all aspects of managing the records, including records controls such as referencing and disposition. Metadata regarding other aspects such as business processes, information security and findability is essential. Where records management or business processes are automated, metadata used or created during automation must be captured. As a side note, the rapid rise of AI requires further consideration of the metadata used specifically by AI and/or generated through the AI processes.
Metadata should include the following categories:
- Identity
- Description
- Use
- Event plan
- Event history
- Relation
For organisations outside the ambit of the US DoD, the ISO 23081 family is a useful set of metadata standards and guidelines.
3.3 Capture
The guideline highlights an aspect that many records managers do not focus enough attention on: the fact that records could be structured as lines of data in a database, or exist as an electronic document, a physical document, or in a number of other unstructured formats. All of these need to be included in the records programme.
3.4 Storage
Records can be stored in the creating or receiving system, a system which supersedes the original system, a formal electronic records repository, or any combination of these. A record includes its metadata, retention schedules and status, all of which must be inextricably associated with the record so that its integrity, authenticity, reliability and usability remain intact. Storage must consider the original system and any transfers to archival repositories.
3.5 Find and Update
Records must be findable throughout their existence, which requires solid use of accurate metadata. This needs to include metadata related to or generated through records hold processes.
3.6 Disposition
Disposition includes either disposal or transfer to a repository. Systems need to be able to store, allocate and apply retention and disposition rules to records stored therein.
3.7 Maintain
Information must be “authoritative”, which means it must have integrity, authenticity, and usability regardless of any changes to it, its metadata or the system creating or managing it. This must remain intact throughout the information lifecycle and include aspects of digital preservation.
3.8 Access control
Formal access control rules, controls and permissions must be in place. Roles need to be identified and implemented to ensure that all aspects of records management are included.
3.9 Reporting and metrics
Oversight and reporting on records are essential. Thus, analysis of records, where they reside, and the actions taken on them all need to be recorded and reported upon.
4 Purpose-built versus utility IT
The guideline distinguishes between purpose-built systems, where the organisation can build records rules and requirements such as metadata into the design, and utility systems such as word processing or spreadsheet applications, which may not have those controls.
The organisation must ensure that these controls are in place regardless of which types of systems generate, create, or maintain records.
5 Stakeholders
Emphasis is placed on the fact that IT and Records professionals need to work together to implement systems, as each brings distinct levels and types of expertise to the implementation. There are also other stakeholder groups that need to be considered, which include:
- IT Vendors
- IT providers (and implementers), including outsourced IT services.
- Customers
- Users
I would add other stakeholders such as National Archives agencies, and regulatory bodies such as Data Protection or Privacy Regulators, to this list.
6 Summary and usage
The guideline goes into greater detail on each of these aspects, and the full guideline is available on the Directives Division Website at https://www.esd.whs.mil/DD/
It includes a useful checklist which can be used to determine compliance. In addition, it has a table showing the required functionality, with considerations for IT service providers and execution responsibilities.
7 Need help?
Please contact us if you need further information or are planning or currently in the process of implementing an Electronic Records Management system. We can assist with strategy, design and architecture development, in addition to the records management policy, procedures, classification scheme or file plans, and retention and disposition schedules, rules and processes. Look at our services and training options at www.corconcepts.co.za or contact us via the Contact Us page (corconcepts.co.za).