Cassie Findlay

Preprint of an article published in Lligall 41, the journal of the Association of Catalonian Archivists.

In the revised edition of ISO 15489-1:2016 Records management, the concept of ‘appraisal’ takes on a wider scope than is perhaps familiar to some archivists. Rather than being limited to the examination and selection of extant records to make decisions about permanent retention as archives, it is broadened to being a more comprehensive, ‘up front’ analysis of context, business activity, requirements and risks to help make a wide variety of decisions about records and recordkeeping, including whether to create them, what metadata is needed to contextualize and manage them, who should have access to them and when, how long to keep them and more. Done regularly and accountably, with appropriate stakeholder consultation, the information that this type of appraisal gathers is essential to a properly functioning program for making and managing records – in any environment, including online, collaborative and decentralised contexts. Opportunities now exist for archivists and other recordkeeping professionals to use this approach in conjunction with new technologies to solve pressing needs for better systems for recordkeeping for some of the most vulnerable people in our societies.    

This article is based on a presentation of the same name, given at the Association of Catalan Archivist’s annual conference in Reus, Catalonia, in May 2017.

Note: since this article was written, the draft Technical Report on Appraisal for managing records has continued to be developed, with some changes to its structure. However the substantive content described here remains the same. It is hoped that the TR will be published later in 2018.

In order to explain why the need for better, more strategic tools for recordkeeping professionals is so urgent, it is necessary first to consider the contemporary business and technological landscape, and how information is being made and managed in it. In doing so, we can understand how new forms of records are being made, kept and used, and the challenges that these present. 

We live in a world characterised by diverse business frameworks comprised of multiple transactional systems and distributed business processes, which are breaking down and fragmenting the formerly consolidated organisational perspectives on projects, programs, clients or transactions. We are seeing the increased commodification and commercialisation of information within third-party frameworks, and usually in the cloud. People expect instant access online, to any information they want or need, and there is a growing sense that if it isn’t online, it may as well not exist. Data creation is expanding exponentially. In 2012 David Rosenthal of Stanford University analysed the costs of storing all of today’s data in the cloud. Based on industry figures he estimated that “keeping 2011’s data would consume 14% of the gross world product”[1]. He extrapolated based on rates of current data growth to estimate that by 2020, the cost of maintaining all the data created in 2020 would be 100% of the gross world product[2].  Such prolific and uncontrolled data growth is not sustainable, and is due in part to a lack of recordkeeping thinking in systems and process design. Innovations like blockchain technologies are presenting new paradigms for recordkeeping, by giving us the tools to build business environments in which the presence of a trusted third party to verify transactions is not required. This is having huge implications for the agency of individuals in their interactions with each other, and with the State. We are also living in the age of the rise of machine learning and artificial intelligence, with robots in our homes, our cars and workplaces, and increasingly replacing human labour.

In this dynamic, rapidly changing world, the concept of a record can, to some, seem archaic. However if we remember the core elements of ‘recordness’; those of proof, or evidence of transactions, of contextuality and of being bounded in time and space, we can see that in fact records, in the form of combinations of data representing events in complex business systems, are a crucial part of the digital landscape today.  Of course records continue to be made and managed in more familiar, documentary forms, as unstructured data, but anyone studying the trajectory of technology can observe the progression away from these forms towards a data-driven society. Groupings of data that drive and record business, whether they exist for a few seconds or a millennium, need to serve as good, reliable, available evidence. However many of our practices and tools are not up to this task. We, as archivists and other recordkeeping professionals, can often be:

• overly worried about destruction/deletion, which was a key driver when we had too much paper to store;
• too concerned with assessing indivdual records for ‘value’, when we have massive volumes to consider;
• stuck with assumptions about having custody and/or sole ownership and control over records; and
• stubbornly continuing to apply practices that were developed for files and documents to data-based, dynamic systems.

In developing the revised International Standard on records management, we in the editorial group were cogniscent of these problems with these and other ways in which our practices were not keeping pace with the changes to the information landscape, and decided to focus strongly in the new edition on describing approaches designed to address the challenges of the digital age. For us, this was not about rejecting core concepts and principles, but repurposing them. Accordingly, many of the basic concepts in the revised Standard remain familiar. Records are defined as: “information created, received and maintained as evidence and as an asset by an organization or person, in pursuit of legal obligations or in the transaction of business.”[3] The Standard reconfirms our understanding that records are an active embodiment of business, along with its rules, its participants and its outcomes. Records are are contextualized and controlled traces of events or transactions, made and retained – for a few seconds or a millennium – for a variety of purposes, and to meet the needs of a changing array of stakeholders, and with various degrees of rigor. In the Standard, records are understood not as static objects but as reliable, evidential business data that is constantly moving through new contexts and acquiring additional metadata and relationships to people, organizations, functions, processes and systems. Records are always in the process of becoming – even the manuscripts in our collections, as much as these sets of data flowing through modern business systems.

ISO 15489 also describes systems for records – which make, control and maintain records, and their metadata, over time.  These can exist in any setting – in business units and in archives, in municipalities, schools, corporations and governments. At the most basic level, these systems are the same and do the same things, it’s just that their context, requirements and stakeholders are different. Understanding this, and also understanding that these things change over time, is core work for archivists and other recordkeeping professionals.Systems for records are not just document management tools. Indeed, the most critical recordkeeping requirements today are being met by systems that bear little resemblance to document-centric systems. Archivists and other recordkeeping professionals need to understand and work with any and all types of systems for records. They are simply technologies and practices that make and keep information (data) as evidence of something. They may do this very well, or very badly. All such systems are part of our responsibility. Increasingly, those systems that do not fall under the records professional’s responsibility are in fact where the most important records are being made.

In this environment, any approach to ensuring the creation and keeping of adequate evidence and memory, for lots of reasons, cannot be reactive. If we are to offer a viable approach to our job of ensuring accountability and memory, we need to be:

1. thinking across the business and its systems, not focusing on lower level outputs;
2. applying risk management to ensure proportionate use of our time and expertise; and
3. focusing on defining top-down identification of the recordkeeping requirements that our businesses must heed, for the immediate and the long term.

Too often the people we work with – the technology people, the risk managers, the business managers – come to us with questions about accountability in new and emergent technological environments, and our responses are unhelpful, based on old understandings of records as documents that we store ourselves. We are also, as a profession, too often guilty of favouring process and bureaucracy over outomes. We need to break out of these mindsets and think: what do we have to offer that is unique? What skills can we bring to the table to solve evidence, accountability and memory problems in these new and dynamic environments?  We are fortunate in that recordkeeping professionals already possess a robust approach to ensuring the creation and proper management of records of business activity for a given individual, community, organization or jurisdiction – in any format – in appraisal for managing records, as defined in ISO 15489 and in a forthcoming Technical Report[4].

Appraisal for managing records, as explained in ISO 15489, is about understanding business activities to determine which records need to be created and captured and how they should be managed, over time. It combines an understanding of current business activities and its contexts with the identification of business, regulatory and societal requirements relating to records and the assessment of risks associated with creating and managing records. Work that is underway on the Technical Report to support ISO 15489:2016; currently titled ‘Appraisal for managing records’ has produced a model, or way of understanding appraisal, that adopts a management tool, the ‘PDCA’ or ‘Deming’ cycle[5]. The use of this model has allowed the editorial group responsible for the Technical Report to convey the recurrent nature of appraisal, as well as its flexibility and contingent nature.

Within each phase, appraisal work emcompasses the following analysis and decision making:

PLAN	–       Confirm purpose and scope –       Analyse the business and technological context –       Perform functional analysis –       Perform sequential analysis –       Identify agents –       Identify risks –       Identify records requirements
DO	–       Link records requirements to business functions and work processes –       Assess risks associated with the implementation of records requirements –       Build records controls –       Design systems –       Develop policy and procedures
CHECK	–       Monitor the operation of records systems, controls and processes –       Review the appropriateness of records policy and procedures –       Monitor the changing business and technological context –       Monitor changing regulatory, business and societal requirements –       Monitor changing risks
ACT	–       Identify purpose and scope for appraisal process to address changing needs –       Commence new appraisal process

 

Underpinning all these phases are three important elements:

• Authorisation and leadership – to ensure the results of appraisal are validated and endorsed for implementation at the appropriate level;
• Stakeholder consultation – to bring in as many perspectives and requirements as needed for the business concerned; and
• Documentation – for accountability in the appraisal process, as well as its outcomes

The appraisal process described above can be applied to any scenario in which an archivist or other recordkeeping professional needs to contribute expertise on requirements and implementation options, from analysing an entire government jurisdiction for the purpose of making decisions about archival retention requirements, to deciding on access restrictions as part of new business systems design. The purpose of any instance of appraisal work directly influences the scope, and assessment of risk influences the depth and extent of the analysis. For example, the work to determine requirements for a system designed to keep digital records concerning the highest levels of public decision making will be of a greater depth and intensity than a short and practical appraisal cycle to check record-making requirements for a low risk area of public affairs, conducted at a local office. Regardless of whether the cycle takes a short or a long time, is in-depth or more superficial, the basic elements remain the same.

Appraisal sits at the heart of the recordkeeping professional’s toolkit, and produces a variety of outputs, including rules for access, business classification schemes and rules for disposal. It is worth noting that in the past some of us have assumed disposal to be the only outcome of appraisal. This is not so, and indeed the concept and practice of disposal itself is also undergoing a necessary transformation. Disposal is, as it has always been, about the execution of appraisal decisions in relation to matters of retention, destruction/deletion and transfer of control over the record to another entity, such as an archival institution or a private successor. However too many of us have implemented disposal via the application of very specific rules to classes of records for the purpose of ensuring their destruction/deletion by a particular date. In some cases, certainly, timely destruction or deletion is important – for example in the case of an agreement by a governmental body that personal information would be destroyed by a specific date – but in the digital world the implementation of disposal and retention rules should be re-framed. The emphasis for practitioners should not be on ensuring digital records are destroyed by a particular date, but rather that systems of digital records are maintained and managed accountably and that that system migrations are used as an opportunity to carry out disposal by leaving records ‘behind’, with reference to the most up to date appraisal decisions. By redirecting their energy to the building in of recordkeeping rules in new systems and services, or assisting technical teams in making decisions during system migrations, recordkeeping professionals can have far more impact in scope and scale than by worrying over the prompt destruction of documents in electronic document systems, covering only a small proportion of business activity.

By moving away from the burdens of paper-paradigm management tasks such as applying disposal rules to legacy records, and by re-focusing our efforts on well designed, proactive and strategic solutions for recordkeeping, based on accountable, thorough appraisal analysis, we can ensure that records of all sorts can be made and managed in much more appropriate ways, for all sorts of communities. One example can be found in the work currently underway in Australia on building better recordkeeping solutions for children who experience out of home care.

The Setting the Record Straight for the Rights of the Child (SRSRC) Initiative, led by Monash University was organized, in part, as a response by the Australian recordkeeping community and allied groups to the findings of the Royal Commission into Institutional Responses to Child Sexual Abuse[6]. The Commission, which completed its work in late 2017, served as a strong motivation for Australian recordkeeping professionals to examine their practices and professional contributions to better recordkeeping to support individuals under the care of State and non-State institutions. The partners in the Initiative have stated:

“Recordkeeping and archiving systems are failing to meet the lifelong identity, memory and accountability needs of children who get caught up in child welfare and protection systems”[7], and also that: “Children who experience out-of-home care need quality recordkeeping and archiving systems to:

• develop and nurture their sense of identity and connectedness to family and community;
• account for their care experiences, and
• prevent, detect, report, investigate, and take action against child neglect and abuse.”[8]

In order to demonstrate how appraisal work can enable recordkeeping professionals to contribute to contemporary problems, the following sections of this article describe a hypothetical project to build a suitable and sustainable recordkeeping and archiving system for children in care. The first phase of such a project is, in the ‘Deming’ cycle model that the ‘Appraisal for managing records’ Technical Report editorial group has adopted, the ‘Plan’ phase. This involves, initially, an analysis of the context(s) in which the appraisal is being conducted, including business, technological, legal and societal factors. The contexts for the recordkeeping that supports and enables the progress of a child through a welfare or other out of home care system are multiple. In line with records continuum thinking they can – and do – exist simultaneously. In the case of designing recordkeeping solutions for children in out of home care they may include, for example:

• the immediate socio-legal context of the child’s interactions with the agency or agencies that serve as their legal guardian(s), and their interactions with care givers, other children and related support agencies.
• the context of the family unit and community from which the child hails. In some instances, looking at this context may involve understanding, for example, the needs and expectations of Indigenous people or people from particular ethnic backgrounds.
• the wider societal context in which members of the community expect, particularly post Royal Commission, that recordkeeping standards for children in case are improved, and that the records of their experience are available for purposes of redress should they be required; or
• the personal context of the child’s life experiences, preferences and expectations. In a profession that has traditionally been geared towards institutional and government recordkeeping and archiving needs, this is a layer of context that has been largely ignored, and is lacking in proven methods for its analysis.

In the analysis of these context(s), questions that will assist in decision making regarding the design of  the system may include the following:

• Are there acceptable arrangements already in place for the long term retention of the child’s records, suited to the child and manageable in terms of costs?
• How readily can the child access the Internet? Is an offline component required in the solution that is developed?
• Which applications does the child use regularly to make or save records? Proprietary systems may present challenges to integration.
• What legislation and regulations apply to how the child makes and keeps their own records, if any?
• Who are the stakeholders in the business and in the recordkeeping and archiving solution? Can these stakeholders be consulted, or perhaps assist with user testing of the proposed solution?
• What expectations are there, if any, of usability and preservation of these records for purposes beyond the child’s needs, and their needs as an adult?

The ‘Plan’ phase also involves an analysis of business activity and the agents involved. Here the focus of the analysis is on the expected or likely ‘business’ that the recordkeeping solution will be required to support. This will include identifying functions and activities at a higher level, as well as looking at specific processes and transactions at a lower level. In personal recordkeeping, definition of a fixed set of functions, activities or work processes can be problematic. Indeed, as noted by Sue McKemmish in her 1996 article “Evidence of Me”[9], the formation of any ‘rules’ for recordkeeping personal, however generalized, may not be possible. However by consulting with known agents in the processes and other stakeholders including the children, caregivers and advocacy groups, it may be possible to arrive at a core set of customizable processes based on common interactions between identified agents, to which more ad hoc processes may be added. For example, a child may email family members regularly. Can we link this process to a functional context? Are there a set of steps typically taken, at which the recordkeeping transaction of copying and registering the correspondence might naturally occur? Which agents are generally involved? (For example, these might include the child, the child’s relatives, other correspondents). For this work, the analysis of process, recordkeeping events and dependencies, as described in ISO TR 26122:2008: Information and documentation — Work process analysis for records[10], an important part of any appraisal activity, is essential.

This phase also involves an analysis of requirements for records and an assessment of risks. Requirements for records of the child’s experience will obviously derive from their personal expectations, but should also take account of regulatory and societal needs as well. In analysing documentary sources and consulting with stakeholders, consideration should be given to all aspects of recordkeeping, including questions on access, relationships between processes and their records, usability and metadata for contextualizing and managing the records.

Requirements should be determined in consultation with the most important stakeholders; children in care and adults who were formerly in care. The determination of agreed requirements should be informed by the extent to which they will manage identified and agreed risks. A useful approach to risk assessment for recordkeeping is available in ISO Technical Report ISO/TR 18128:2014, Information and documentation — Risk assessment for records processes and systems[11].

In the case of the recordkeeping needs of children in care, a high-level set of requirements for the records system(s) required already exists in the form of the SRSRC Initiative’s guiding Principles:

• “Child/person centred – Recordkeeping and archiving respectful of, and responsive to, the preferences, needs and values of the people who experience childhood out-of-home care. Respectful and nurturing rather than bureaucratic and officious.
• Participatory – Recognising children in out-of-home care and adult Care leavers as participatory agents not passive, captive subjects of the record.
• Accountable and transparent – Recordkeeping and archiving frameworks, processes and systems which hold themselves to the highest standards of accountability and transparency, respectful of multiple rights in records.
• Evidence based – Recordkeeping and archiving based on, and supportive of, evidence based decision making and action.
• Integrated – Records and recordkeeping integrated into processes rather than being a separate paperwork or filing activity.
• Connected and co-ordinated – Record holding organisations acting as nodes in a network rather than organisational silos.
• Clever use of information technology – Recordkeeping and archiving systems that make the best use of digital capabilities.”[12]

We may perhaps regard these as the beginnings of a set of functional requirements for personal recordkeeping as proposed by McKemmish (1996).

Other examples of requirements which might be identified could include:

• Control over access to, and sharing of, the records at a personal level by the child or a guardian – not by a government or institutional actor.
• Long term use requirements for the records, potentially by the child’s descendants or as part of a family archive.
• Robustness against intrusion or tampering, for cases in which wrongdoing has occurred.
• Metadata that properly contextualizes the child’s interactions with care givers, official guardian, family and others.
• Metadata that assists in identifying and linking related records of the child’s experience to ensure the availability and usability of these over time. With regard to metadata, we have a starting point in the form of standards on metadata for records such as ISO 23081 Information and documentation – Metadata for records, but metadata specific to the experience of the child in care and the other contexts identified earlier should also be identified.

During the ‘Do’ phase of the cycle, the risks associated with records requirements are assessed, and this assessment helps with decisions about how the requirements should be met. For example; the risks associated with inadvertent release of private personal information belonging to the child in care indicates the adoption of a very robust technical architecture, using encryption for any transfer of the data. In this phase the rules for creation and retention of records and for access to records are structured in a way that they can be deployed in the chosen technologies. Once, this meant applying rules in disposal schedules to files after they become ‘inactive’. Here it is more likely to mean encoding a record creation point into a personal recordkeeping tool for the child. The rules themselves are maintained as records, along with systems design documentation, for accountability and future systems migration purposes.

The ‘Check’ phase concerns monitoring; monitoring of the operation of the personal recordkeeping system; and of the context in which it operates. Requirements and risks will inevitably change. For example, the final report of the Royal Commission into Institutional Responses to Child Sexual Abuse regarding recordkeeping[13] may result in new laws affecting how such systems should operate. Attitudes towards privacy and personal information evolve over time. New threats to identity emerge. All of these are part of the landscape that the recordkeeping professional must observe, and respond to when appropriate. The ‘Do’ phase is both an end and a beginning. It allows the recordkeeping professional to establish a new project to adjust existing systems, or to define a whole new scope. This is the recurrent nature of appraisal work.

The work of archivists and other recordkeeping professionals – such as the work described in this case study – is about:

• ensuring the creation of records to meet requirements for evidence of business activity; to protect rights and entitlements and for memory purposes; and
• taking appropriate action to protect records’ authenticity, reliability, integrity and usability, as their business context and requirements for their management change over time.

We conduct this work in a world that is always changing, and for people and organisations whose needs are always evolving. Digital business and technologies mean that our task must shift focus – away from managing the products of business to being a vital partner to the business and the design of systems. As governments’ and corporations’ relationships with citizens and each other are renegotiated and the agency of the connected individual increases – or is threatened – our understanding of rights and requirements in recordkeeping become even more critical. Appraisal for managing records, as described in ISO 15489 and the forthcoming Technical Report on ‘Appraisal for managing records’ is a robust, tested approach that has been practiced in Australia and other nations over decades. It allows us to come to the table and work in multidiciplinary teams with a unique and powerful contribution to make. It is going to be a critically important tool if we, as a profession, are to fulfil our mission and respond seriously to the challenges of the digital age.

Bibliography

International Organization for Standardization, ISO/TR 18128:2014, Information and documentation — Risk assessment for records processes and systems 

International Organization for Standardization, ISO/TR 26122:2008, Information and documentation — Work process analysis for records

International Organization for Standardization, ISO 15489:2016 Information and documentation — Records management — Part 1: Concepts and principles

International Organization for Standardization, ISO 23081:2006 Information and documentation – Metadata for records

ISO 23081-1:2006 Information and documentation – Records management processes – Metadata for records 

McKemmish, Sue (1996), “Evidence of me” The Australian Library Journal, 45(3), 174-187

Rosenthal, David “Lets Just Keep Everything Forever In The Cloud”, DSHR’s Blog, May 14 2012, http://blog.dshr.org/2012/05/lets-just-keep-everything-forever-in.html

Royal Commission into Institutional Responses to Child Sexual Abuse, Final Report, 15 December 2017 https://www.childabuseroyalcommission.gov.au/

Setting the Record Straight for the Rights of the Child Initiative, n.d. Retrieved from https://rights-records.it.monash.edu/

Footnotes

[1] David Rosenthal “Lets Just Keep Everything Forever In The Cloud”, DSHR’s Blog, May 14 2012, http://blog.dshr.org/2012/05/lets-just-keep-everything-forever-in.html [accessed 17 December 2017]

[2] David Rosenthal “Lets Just Keep Everything Forever In The Cloud”, DSHR’s Blog, May 14 2012, http://blog.dshr.org/2012/05/lets-just-keep-everything-forever-in.html [accessed 17 December 2017]

[3] International Standard ISO 15489:2016 Information and documentation — Records management — Part 1: Concepts and principles, 3.14

[4] An overview of the project to develop this Technical Report is available at: https://committee.iso.org/sites/tc46sc11/home/projects/ongoing/appraisal-for-managing-records.html [accessed 17 December 2017]

[5] Wikipedia contributors, ‘PDCA’, Wikipedia, The Free Encyclopedia, 16 December 2017, 21:39 UTC, <https://en.wikipedia.org/w/index.php?title=PDCA&oldid=815746744> [accessed 17 December 2017]

[6] Royal Commission into Institutional Reponses to Child Sexual Abuse, n.d. Retrieved from https://www.childabuseroyalcommission.gov.au/  [accessed 17 December 2017]

[7] Setting the Record Straight for the Rights of the Child Initiative, n.d. Retrieved from https://rights-records.it.monash.edu/ [accessed 17 December 2017]

[8] Setting the Record Straight for the Rights of the Child Initiative, n.d. Retrieved from https://rights-records.it.monash.edu/ [accessed 17 December 2017]

[9] McKemmish, S. (1996). Evidence of me. The Australian Library Journal, 45(3), 174-187

[10] ISO/TR 26122, Information and documentation — Work process analysis for records

[11] ISO/TR 18128, Information and documentation — Risk assessment for records processes and systems

[12] Setting the Record Straight for the Rights of the Child Initiative, n.d. Retrieved from https://rights-records.it.monash.edu/ [accessed 17 December 2017]

[13] Royal Commission into Institutional Responses to Child Sexual Abuse, Final Report, 15 December 2017, Volume 8 ‘Recordkeeping and information sharing’ https://www.childabuseroyalcommission.gov.au/recordkeeping-and-information-sharing [accessed 17 December 2017]