Part 7 – Records management requirements

Records are created, received and used in the conduct of business activities. To support the continuing conduct of business, comply with the regulatory environment, and provide necessary accountability, organisations should create and maintain authentic, reliable and useable records, and protect the integrity of those records as long as required.  To do this, organisations should institute and carry out a comprehensive records management programme.  Principles of records management programmes:

  1. Determine what records should be created in each business process and what information needs to be included in the records
  2. Decide in what form and structure records should be created and captured and the technologies to be used
  3. Determine what metadata should be created with the record and through records processes and how that metadata will be persistently linked and managed
  4. Determine the requirement for retrieving, using and transmitting records between business processes and other users and how long they need to be kept to satisfy those requirements
  5. Decide how to organise records so as to support requirements for use
  6. Assesses the risks that would be entailed by failure to have authoritative records of activity
  7. Preserve records and making them accessible over time, in order to meet business requirements and community expectations
  8. Comply with legal and regulatory requirements, applicable standards and organisational policy
  9. Ensure that records are maintained in a safe and secure environment
  10. Ensure that records are retained only for as long as needed or required
  11. Identify and evaluate opportunities for improving the effectiveness, efficiency or quality of its processes, decisions, and actions that could result from better records creation or management

ISO15489 states that a record should be:

Authentic – the records is what it says it is.  It must be created or sent by the person that it says it has as well as the time and date created and sent.

Reliable – the contents can be trusted as a full and accurate description of the transaction or activity.  They should be created at the time of the transaction to which they relate or as soon afterwards by individuals who have direct knowledge of the facts.

Have integrity – a record must be protected against alteration.  The records policy should state under which circumstances changes can be made to the record and who is able to make them.  Any authorised changes must be indicated and traceable.

Have useablity – a useable record is one that can be located, retrieved, presented and interpreted.