Keeping records clean

Three years ago, Robert Horton, a state archivist at the Minnesota Historical

Society in Minneapolis, recognized an emerging problem. With the widespread

adoption of decentralized computing and the rapid rise of the Internet,

state employees were generating more electronic records (e-mail messages,

Web pages, online manuals) than ever before.

Agencies' reliance on such records grew despite the fact that little

consideration was given to their upkeep. In most instances, governments

simply archived all records for set periods of time and then purged them.

Little or no consideration was given to the accuracy of the data, its secure

keeping or the likelihood that it would be needed in the future.

So Horton took a close look at government information needs. His work

led to the creation of the "Trustworthy Information Systems Handbook," a

150-page manual that outlines issues agencies should consider and steps

they should take for sound electronic recordkeeping.

Minnesota agencies, local municipalities and even the state of Ohio

have turned to the document for guidance.

"We have found that [the handbook] does a nice job of raising awareness

about data presentation and preservation issues, as well as helping ensure

IT departments put sound procedures in place," said Steven Ring, manager

of data administration services at the Minnesota Department of Health.

Minnesota appears to be at the forefront of electronic recordkeeping;

Horton searched for a model but found none. "The state has had a long history

of being concerned about privacy issues," he said, "so there has always

been a keen awareness about the potential problems electronic records raise."

The manual begins by helping managers understand the importance of developing

trustworthy systems based on information that is accurate and up-to-date.

The manual recommends that agencies begin by encouraging collaboration

among a variety of people with diverse skills and expertise. Ideally, an

electronic documents team would include agency attorneys and auditors, who

have knowledge of agency and local government business, policy and procedures;

em-ployees, such as agency records managers and archivists, with knowledge

of information access and data practices; and information technology professionals

with skills in computing and information systems design.

The handbook focuses on an information system's ability to produce reliable

and authentic information. "Reliability" refers to a record's authority,

or the knowledge that empowered individuals are creating and storing the

information, and is established whenever a new record is created. "Authenticity"

ensures that a record will be available throughout its life, whether that

lifetime is six months, 10 years, 20 years or forever.

The guidelines then help managers evaluate the level of accountability

needed with different types of records and establish procedures for determining

the proper amount of documentation required for each. This step includes

determining which group or department is responsible for each information

system.

Determining responsibilities can be difficult. Although information

systems can perform tasks quickly and efficiently, often it is unclear which

employees should be held accountable for the systems and information they

create. By following the handbook, agencies can establish procedures, system

documentation and information system descriptions to clarify these responsibilities.

The document also outlines statutory requirements, legal mandates and

policies related to recordkeeping, as well as the steps an agency can take

to ensure secure recordkeeping.

Next, the team should determine the value of its data, weigh that value

against the costs (time, money, etc.) of implementing each criterion, then

choose those criteria that support a determined level of risk.

Metadata and documentation are the foundations for building trustworthy

information systems because they enable proper data creation, storage, retrieval,

use, modification, retention and destruction.

Metadata — or "data about data" — typically includes items such as file

type, file name, creator name, date of creation and data classification.

"Documentation" has two meanings. At a high level, it is the process

of recording actions and decisions — basically outlining the processes that

lead to data creation. On the system level, it refers to information about

planning, development, specifications, implementation, modification and

maintenance of system components such as hardware, software and networks.

Such documentation includes policies, procedures, data models, user manuals

and program codes.

Documentation and metadata establish accountability for information

systems. "No matter where in the information system development life cycle

an agency starts, it must make a conscious effort to create comprehensive

documentation," Horton said. "This is key to any trustworthy information

system."

Once agencies have developed the proper procedures, officials must reassess

their data security needs and risks on a regular basis.

Because the issue is complex, the Minnesota Historical Society needed

more than two years to complete the manual. When that process ended last

August, the organization began to promote its handbook via promotional brochures

and its Web site.

The Minnesota Department of Health closely tracked the handbook's development.

"Our agency works with sensitive personal information and wanted to make

sure it was properly protected," Ring said.

At the end of 2000, the agency used the historical society's manual

to develop an information security policy designed to protect data.

Officials for the city of Minneapolis were also looking for help dealing

with electronic records. "We had to put procedures in place to protect the

human resource data that various departments were using," City Clerk Merry

Keefe said.

In the fall of 1999, city officials began to look for guidance from

other agencies. After examining the manual, they decided to use it for a

trial.

"The handbook illustrated areas, such as our security system, where

we had to tighten up our electronic recordkeeping," Keefe said. With that

work now complete, officials are looking to extend use of the handbook to

other applications.

Other states have benefited from the Minnesota Historical Society's

work. Charlie Arp, assistant state archivist at the Ohio Historical Society,

met Horton at a trade show a few years ago and the two became friends, often

discussing projects.

While work on the handbook was under way in 1998, the Ohio State Archives,

in conjunction with the Ohio Office of Information Systems Policy and Planning,

formed the Electronic Records Committee to draft policies for the creation,

maintenance, long-term preservation of and access to electronic records

created by the state government. Committee members were drawn from a variety

of organizations, including academic libraries, historical societies, state

agencies and universities.

The committee has been tailoring the handbook so it can be applied to

Ohio agencies. "We have been taking out references to Minnesota-specific

items like state statutes," said Arp, who expects to complete that process

and begin promoting use of the handbook this spring.

Although the handbook can be helpful, getting departments to follow

it can be difficult. "The biggest roadblock agencies present is a lack of

time and manpower," Horton said. "In order to complete the process, agencies

have to make a significant investment. With budgets under pressure and IT

personnel being pulled in a number of different directions, that can be

difficult."

Inertia is another issue. "Initially, there were a few departments that

were resistant to adopting the system," said Minneapolis' Keefe. "We did

have to conduct a little prodding to get everyone on board."

Another issue is the disparity between how systems are designed and

the types of information they generate. For example, the Department of Health

has a complex database with more than one application, but Ring said the

handbook "isn't really clear about the best way to secure data used by a

variety of applications."

That problem may be unsolvable. "Because agencies' information needs

are so diverse, it didn't make sense for us to complete a one-size-fits-all

document," Horton said. "[The handbook] includes a lot of flexibility, and

it is up to individual departments to determine how to best use it."

Korzeniowski is a freelance writer in Sudbury, Mass., who specializes in

technology issues. His e-mail address is paulkorzen@aol.com.