
Why Poor Records Management is a Legal Risk

As a practitioner in the field of information governance and records compliance, I often look at the risks faced by organizations from a variety of angles. In my experience, I have found that many organizations take for granted the significant level of legal exposure that they stand to face if their records are not in order. As an information management professional with significant legal training, I am duty-bound to see to it that the level of awareness of this is lifted.

Governing bodies the world over institute laws and statutes that aim to ensure that institutions that manage records do so in a responsible manner. An example of this can be found in the United States, where the Federal Emergency Management Agency (FEMA) lists safeguarding essential records as a critical component of a plan to maintain continuity of government operations. Along with this, there are many other laws and regulations that mandate the identification and protection of essential records.

Below is a list of some of these laws and policies from the United States and other countries:

  • The Health Insurance Portability and Accountability Act (HIPAA) requires regulated entities and their business associates to establish and implement procedures to create and maintain “retrievable exact copies” of electronic records that contain protected health information.
  • Financial institutions insured by the Federal Deposit Insurance Corporation are required to have organization-wide recovery and business continuity plans for their computer installations.
  • Pharmaceutical companies must maintain backup copies of drug manufacturing data. According to Annex 11 of Rules Governing Medical Products in the EU, manufacturing data must be protected against damage by physical and electronic means and backed up regularly.
  • In Jamaica, the Data Protection Act 2020 defines “biometric data”, in relation to an individual, as any information relating to the physical, physiological or behavioural characteristics of that individual which allows for the unique identification of the individual.
  • The General Data Protection Regulation (GDPR), which is by far the most widely publicized data protection law for organizations based in the EU, dictates that member states must protect personal information against unauthorized processing, which is defined broadly to include unauthorized disclosure by transmission, dissemination and other means.

The truth is that poor record keeping can result in legal proceedings that can have serious implications for companies and organizations. An important bit of case law to cite here is Murphy Oil USA, Inc. v. Fluor Daniel Inc. This case follows a dispute in which Murphy Oil wanted to go through 20 million pages of email records belonging to Fluor Daniel to see if any of them related to the case. There were so many pages of email because Fluor had not followed its own retention policy, which stated that backup tapes were to be recycled after 45 days; had it done so, the email issue would have been moot. The company had, in fact, held on to the records for the entire 14 months of its dealings with Murphy Oil. Had it followed its own retention policy, it would not have faced the millions of dollars in discovery charges, in addition to the time and legal fees that resulted from this case.

In short, please remember the importance of enforcing proper records management systems. Doing so may end up saving your company or institution millions in fines and litigation fees, and may spare it public embarrassment or even the closure of your organization.
