CGSB and Electronic Records


CGSB 72.34-2017 and Electronic Records
Sharon Byrch
March 29, 2019
ARMA VI Conference, Parksville, BC

WHAT is CGSB 72.34-2017?
- Canada’s national standard for managing electronic records within recordkeeping/IT systems to ensure their future admissibility in legal proceedings as documentary evidence
- http://publications.gc.ca/collections/collection_2018/ongc-cgsb/P29-072-034-1-2017-eng.pdf
CGSB 72.34-2017, p. iv

WHO should care about CGSB 72.34-2017?
Users of standard:
- Senior management & managers
- IT & Records professionals
- Legal, Risk & Security professionals
- Others responsible for records & their management
CGSB 72.34-2017, p. 1

WHY care about CGSB 72.34-2017?
- Operates on the primary principle that an organization “shall always be prepared to produce its records as evidence”
- Supports legal requirements under Canada Evidence Act (CEA) and provincial Evidence Acts
- Demonstrates responsible business management
- Operates as a solid records management framework whether or not records are ever required as evidence
CGSB 72.34-2017, p. 9, iv

WHY care about CGSB 72.34-2017?
- Proven defense strategy for successfully managing electronic (& scanned) records
- Standard was upheld in Canadian court in the R. v. Oler case (2014)
- Calgary Police Services successfully migrated 40 years | 4 million legacy records using this standard
https://www.canlii.org/en/ab/abpc/doc/2014/2014abpc130/2014abpc130.html
https://magazine.arma.org/2019/03/migrating-legacy-records-a-case-study/
CGSB 72.34-2017, p. 9, iv

HOW does CGSB 72.34-2017 work?
Requires demonstrating:
- Authenticity of the record
- Integrity of the electronic records system & best evidence rule
- Record made in the “usual and ordinary course of business”
- Proof of integrity of an organization’s records system
CGSB 72.34-2017, p. 9-10

AUTHENTICITY of the record
Requires either:
- External evidence; i.e. testimony of witness
OR…
- Integrity of the electronic records system AND reliability of recordkeeping processes can be proven
CGSB 72.34-2017, p. 9

INTEGRITY of the electronic records system & Best Evidence Rule
Prefers:
- Originals over Copies (primary evidence over secondary evidence)
Will Accept:
- Proof of integrity of records system
- System was operating properly at all material times
- Electronic record was recorded or stored in the “usual and ordinary course of business”
CGSB 72.34-2017, p. 10

“RECORD made in the usual and ordinary course of business” & Hearsay Rule
- Applies to records offered as evidence
- Out of court statement submitted re: truth of facts
- Business records ‘made in the usual and ordinary course of business’ are excepted from Hearsay Rule
CGSB 72.34-2017, p. 4, 10

PROOF of integrity of records system
Applicable factors:
- Source is known
- Contemporaneous recording
- Routine business data
- Data entry
- Standards
- Decision making
- Software
- System changes
- Privacy
- Security
CGSB 72.34-2017, p. 10-11

KEY REQUIREMENTS under CGSB 72.34-2017
- RM program, policies & procedures manual
- IT system management manual
- Risk assessment for new technologies
CGSB 72.34-2017, p. 14-27

RECORDS MGMT (RM) PROGRAM, policies & manual
- Concepts, principles, methods & practices demonstrate appropriate RM program is in place
- In the ‘usual & ordinary course of business’
- Uses policy +/or bylaw, and RM/IT standards
Requires:
- Effective support & coordination between IT & RM
- Quality assurance & periodic audits
- Appropriate documentation
CGSB 72.34-2017, p. 14-16

RECORDS MANAGEMENT (RM) MANUAL
Requires:
- Consolidating all records related procedures to ensure consistency and completeness
- Consistency with the RM policy & standards
- Kept up-to-date and accurate
- References to related documentation (IT manual)
- Formal, periodic reviews
CGSB 72.34-2017, p. 16

RECORDS MANAGEMENT (RM) MANUAL
Covers:
- Procedures for making, receiving, capturing, managing, using, protecting, destroying & preserving records throughout lifecycle
- Documents change-controls, version controls, metadata, digitization, classification & indexing, maintenance & use, retention & disposition
CGSB 72.34-2017, p. 16-18, Annex B

DIGITIZATION (Scanning & Imaging)
Requires:
- Procedures and processes which result in accurate and legible reproductions of source records without alterations to content or appearance
- Appropriate metadata for management & retrieval
- Quality controls & quality assurance measures
- Documenting legal & business rationale for destruction of source records
- Work is conducted by trained operators
CGSB 72.34-2017, p. 16-18

RETENTION & Disposition of records
Requires Records Officer to:
- Ensure proper appraisal of records is done
- Document how long to retain, transfer and dispose of records
- Have authority to suspend destruction or transfers subject to legal hold
- Report all significant issues to senior executive in charge of RM Program or responsible area
CGSB 72.34-2017, p. 18

DISPOSITION of records
Covers:
- Documentation of disposition process
- Preservation of destruction records
- Documents transfer process (transferring & receiving body)
- Guidance on preservation, conversion and migration
- Quality assurance program measures
CGSB 72.34-2017, p. 19-20

IT SYSTEM Management Manual
Requires IT to:
- Document all significant details of the logical and physical architecture of the IT system keeping records
- Include relationships between IT system management, RM program & business
- Demonstrate the integrity of system at any point in time (using manual & other records)
- Keep manual up-to-date
CGSB 72.34-2017, p. 18

IT SYSTEM Management Manual
- Demonstrates IT system integrity for managing electronic records & meeting admissibility requirements as evidence
- Supports Canada Evidence Act (31.2)
CGSB 72.34-2017, p. 18

RISK ASSESSMENT for new technologies
- Requires completing a comprehensive risk assessment prior to adopting new technology
- Under FOIPPA, local governments conduct Privacy Impact Assessments (PIAs) for changes to existing or new technologies and systems
- Recommends a multi-disciplinary approach of records, legal, security, privacy, IT and risk management
- Under FOIPPA, SERVICE PROVIDERS and their agents and/or subcontractors are employees. Include them!
→ Recommend capitalizing on PIAs for CGSB 72.34 purposes
CGSB 72.34-2017, p. 24

RISK ASSESSMENT for new technologies
Using a multi-disciplinary approach is necessary to:
- Fully examine the benefits versus risks of implementing new technologies
- Develop a solid business case for their implementation or abandonment
CGSB 72.34-2017, p. 24

RISK ASSESSMENT for new technologies
The end-result is a valuable information asset & tool that:
- Informs communications to advise senior management/decision-makers of risks, threats and benefits
- Informs development of new policies & procedures for risk mitigation and management where required
- Establishes a re-usable process and benchmarks the new technology for future development and proposals
- Serves as necessary chain of custody documentation to evidence the considerations, decisions, activities and subsequent activities related to the risk assessment process and the technology’s implementation or abandonment

IMPLICATIONS for CGSB 72.34-2017
Organizational impacts:
- Requires much tighter coordination between RM & IT
- Requires collaborative planning for change & initiatives
- Requires capacity for change & improvement
Cost implications:
- Time & resourcing requirements for RM, IT and any other key stakeholders involved
- Need to budget for operations, service providers and technologies to comply with standard
CGSB 72.34-2017, p. 24

REMEMBER this principle!
Trust is our key objective
- Organizations cannot alter or destroy records without proper authorization & controls or the records and their management systems are not trustworthy
- IT systems and technologies must protect electronic records from unauthorized access and changes & maintain an appropriate audit trail & system documentation
- Must always be ready to prove electronic records are reliable, accurate and authentic from a legal perspective

THANK YOU! Questions?
Sharon Byrch, Manager of Information Services
sbyrch@crd.bc.ca | 250-360-3639