1
CGSB 72.34-2017 and Electronic Records
Sharon Byrch
March 29, 2019
ARMA VI Conference, Parksville, BC
2
WHAT is CGSB 72.34-2017?
Canada’s national standard for managing electronic records within recordkeeping/IT systems to ensure their future admissibility in legal proceedings as documentary evidence
cgsb/P eng.pdf
CGSB 72.34-2017, p. iv
3
WHO should care about CGSB 72.34-2017?
Users of standard:
- Senior management & managers
- IT & Records professionals
- Legal, Risk & Security professionals
- Others responsible for records & their management
CGSB 72.34-2017, p. 1
4
WHY care about CGSB 72.34-2017?
- Operates on the primary principle that an organization “shall always be prepared to produce its records as evidence”
- Supports legal requirements under Canada Evidence Act (CEA) and provincial Evidence Acts
- Demonstrates responsible business management
- Operates as a solid records management framework whether or not records are ever required as evidence
CGSB 72.34-2017, p. 9, iv
5
WHY care about CGSB 72.34-2017?
- Proven defense strategy for successfully managing electronic (& scanned) records
- Standard was upheld in Canadian court in the R. v. Oler case (2014)
- Calgary Police Services successfully migrated 40 years | 4 million legacy records using this standard
CGSB 72.34-2017, p. 9, iv
6
HOW does CGSB 72.34-2017 work? Requires demonstrating:
- Authenticity of the record
- Integrity of the electronic records system & best evidence rule
- Record made in the “usual and ordinary course of business”
- Proof of integrity of an organization’s records system
CGSB 72.34-2017, p. 9-10
7
AUTHENTICITY of the record
Requires either:
- External evidence; i.e. testimony of witness
OR…
- Integrity of the electronic records system AND reliability of recordkeeping processes can be proven
CGSB 72.34-2017, p. 9
8
INTEGRITY of the electronic records system & Best Evidence Rule
Prefers:
- Originals over Copies (primary evidence over secondary evidence)
Will Accept:
- Proof of integrity of records system
- System was operating properly at all material times
- Electronic record was recorded or stored in the “usual and ordinary course of business”
CGSB 72.34-2017, p. 10
9
“RECORD made in the usual and ordinary course of business” & Hearsay Rule
- Applies to records offered as evidence
- Out of court statement submitted re: truth of facts
- Business records ‘made in the usual and ordinary course of business’ are excepted from Hearsay Rule
CGSB 72.34-2017, p. 4, 10
10
PROOF of integrity of records system
Applicable factors:
- Source is known
- Contemporaneous recording
- Routine business data
- Data entry
- Standards
- Decision making
- Software
- System changes
- Privacy
- Security
CGSB 72.34-2017, p
11
KEY REQUIREMENTS under CGSB 72.34-2017
- RM program, policies & procedures manual
- IT system management manual
- Risk assessment for new technologies
CGSB 72.34-2017, p
12
RECORDS MGMT (RM) PROGRAM, policies & manual
- Concepts, principles, methods & practices demonstrate appropriate RM program is in place
- In the ‘usual & ordinary course of business’
- Uses policy +/or bylaw, and RM/IT standards
Requires:
- Effective support & coordination between IT & RM
- Quality assurance & periodic audits
- Appropriate documentation
CGSB 72.34-2017, p
13
RECORDS MANAGEMENT (RM) MANUAL
Requires:
- Consolidating all records related procedures to ensure consistency and completeness
- Consistency with the RM policy & standards
- Kept up-to-date and accurate
- References to related documentation (IT manual)
- Formal, periodic reviews
CGSB 72.34-2017, p. 16
14
RECORDS MANAGEMENT (RM) MANUAL
Covers:
- Procedures for making, receiving, capturing, managing, using, protecting, destroying & preserving records throughout lifecycle
- Documents change-controls, version controls, metadata, digitization, classification & indexing, maintenance & use, retention & disposition
CGSB 72.34-2017, p , Annex B
15
DIGITIZATION (Scanning & Imaging)
Requires:
- Procedures and processes which result in accurate and legible reproductions of source records without alterations to content or appearance
- Appropriate metadata for management & retrieval
- Quality controls & quality assurance measures
- Documenting legal & business rationale for destruction of source records
- Work is conducted by trained operators
CGSB 72.34-2017, p
16
RETENTION & Disposition of records
Requires Records Officer to:
- Ensure proper appraisal of records is done
- Document how long to retain, transfer and dispose of records
- Have authority to suspend destruction or transfers subject to legal hold
- Report all significant issues to senior executive in charge of RM Program or responsible area
CGSB 72.34-2017, p. 18
17
DISPOSITION of records
Covers:
- Documentation of disposition process
- Preservation of destruction records
- Documents transfer process (transferring & receiving body)
- Guidance on preservation, conversion and migration
- Quality assurance program measures
CGSB 72.34-2017, p
18
IT SYSTEM Management Manual
Requires IT to:
- Document all significant details of the logical and physical architecture of the IT system keeping records
- Include relationships between IT system management, RM program & business
- Demonstrate the integrity of system at any point in time (using manual & other records)
- Keep manual up-to-date
CGSB 72.34-2017, p. 18
19
IT SYSTEM Management Manual
- Demonstrates IT system integrity for managing electronic records & meeting admissibility requirements as evidence
- Supports Canada Evidence Act (31.2)
CGSB 72.34-2017, p. 18
20
RISK ASSESSMENT for new technologies
- Requires completing a comprehensive risk assessment prior to adopting new technology
- Under FOIPPA, local governments conduct Privacy Impact Assessments (PIAs) for changes to existing or new technologies and systems
- Recommends a multi-disciplinary approach of records, legal, security, privacy, IT and risk management
- Under FOIPPA, SERVICE PROVIDERS and their agents and/or subcontractors are employees. Include them!
→ Recommend capitalizing on PIAs for CGSB purposes
CGSB 72.34-2017, p. 24
21
RISK ASSESSMENT for new technologies
Using a multi-disciplinary approach is necessary to:
- Fully examine the benefits versus risks of implementing new technologies
- Develop a solid business case for their implementation or abandonment
CGSB 72.34-2017, p. 24
22
RISK ASSESSMENT for new technologies
The end-result is a valuable information asset & tool that:
- Informs communications to advise senior management/decision-makers of risks, threats and benefits
- Informs development of new policies & procedures for risk mitigation and management where required
- Establishes a re-usable process and benchmarks the new technology for future development and proposals
- Serves as necessary chain of custody documentation to evidence the considerations, decisions, activities and subsequent activities related to the risk assessment process and the technology’s implementation or abandonment
23
IMPLICATIONS for CGSB 72.34-2017
Organizational impacts:
- Requires much tighter coordination between RM & IT
- Requires collaborative planning for change & initiatives
- Requires capacity for change & improvement
Cost implications:
- Time & resourcing requirements for RM, IT and any other key stakeholders involved
- Need to budget for operations, service providers and technologies to comply with standard
CGSB 72.34-2017, p. 24
24
REMEMBER this principle!
Trust is our key objective
- Organizations cannot alter or destroy records without proper authorization & controls or the records and their management systems are not trustworthy
- IT systems and technologies must protect electronic records from unauthorized access and changes & maintain an appropriate audit trail & system documentation
- Must always be ready to prove electronic records are reliable, accurate and authentic from a legal perspective
25
THANK YOU! Questions? Sharon Byrch, Manager of Information Services