Personal liability and the future shape of record keeping

Personal liability and the future shape of record keeping

Over the years since I first became aware of Carl Newton's work (1968 to be exact, when, with those wild young men Len McDonald and Michael Cook, he produced the first serious article on records management in an UK archives journal) I have followed his writings and advice. It is curious to have reached the stage of following him into our anecdotage.

The events of the last month relating to the ENRON collapse (at least as reported in the media) has once again brought into sharp focus not only the problems of records management and maintenance in organisations, but also the dilemmas facing individuals charged with record keeping. Again, from the reports, it seems likely that those in charge of destroying audit papers knew exactly what they were trying to achieve, but it is also possible that those actually carrying out the destruction believed they were involved in the normal "tidy up" after an audit.

A major audit in any large organisation produces multiple paper copies of every part of the process, and one obvious task for the records manager is to reduce this to a core of vital documents, and eliminate everything, which is not likely to be required. Sometimes this involves active intervention and data aggregation under controlled and monitored conditions, and to pre-arranged standards and retentions. In essence this "tidying up" is an integral part of the audit process, and has to meet all regulatory and legal requirements. Much of the actual process is carried out on a 'need to know' basis by employees of a fairly junior grade, and the main fear of management is of sensitive share price information leaking to the media or city analysts. Very few will have a full picture. The irony is that, in the United Kingdom for instance, under the law as it appears to be developing, on a case-by-case basis, even junior employees would appear to have individual legal liability for their actions.

I think that it is fair to say that most organisations' optimum strategy is to keep the minimum amount of information, whatever the medium, for the minimum period of time consistent with legal requirements. Internal legal departments will tend to add belt, braces and whistles to commercial calculation, sometimes based on formal risk analysis, but more usually on gut instinct and experience. The conflict between entrepreneurial flare and legal caution may appear to be a productive tension, but for many organisations it is in danger of becoming a stultifying straitjacket, as lawyers emerge as the sole defining element in how an organisation conducts itself. This is less a matter of ethical behaviour than legal conformity – that is to say the letter rather than the sprit of the law. Even this level of caution may not be sufficient to satisfy the courts in the future.

A number of problems, actual and potential, have emerged in my experience over the last few years, which seem likely to shape record keeping and maintenance for all organisations. As a word of caution, it may be that these are emerging primarily in a highly regulated sector of commerce – financial services – and may not yet be of universal application. However, in a precedent-based legal system, it can only be a matter of time before the legal principles derived from such cases is extended to all sectors.

First, there is an increasing ambiguity and contradiction in the regulation and legislation, which records management, in its broadest sense, is required to meet.

Second, it is an uncertainty, which is shared with Learned Counsel. For example, in the organisation, which recently employed the writer, Counsel's opinion was sought about applying all the standards contained in DISC PD0008 (1996, 1999), the code of practice on the legal admissibility of information stored electronically. This was before scanning and workflow systems were applied to a particular business process, and the paper destroyed. The answer was a very expensive maybe. Until a case came before the courts which challenged or accepted this code of practice no-one could give an unambiguous answer. Third, much of the recent legislation, for example the Data Protection Act (1998), is retroactive in its requirements.

The key matter is that record keeping is increasingly shaped, not by the internal requirements within an organisation, relationships between organisation and customer/client, or employer and employee, but by the demands of third parties for purposes which may bear little relationship to the organisation's business. In the financial services arena the main thrust is that these demands are driven by legislation or increased administrative powers which have consistently modified the customer's contractual right of confidentiality in the relationship.

Both the frequency of demands and the volume of material being demanded are increasing rapidly. This is only possible because the public authorities are aware that centralising of business processes, and the records management which follows from it, whether maintained as paper, film or electronic media, offers the possibility of a one-stop shop for such searches. Data warehouse techniques make the search even simpler and more complete.

None of this is to question the validity or correctness of such searches in matters such as fraud and money laundering. But, it is clear that the police, Customs and Excise the Tax Authorities, and others are more than willing to push at the edges of the acceptable, and widen inquiries into more generalised 'fishing expeditions'. There have been a number of unintended consequences, at least I think they were unintended, for example:

1. 1.

   A distinction is being drawn between a copy document produced by an operator who is involved in processing the content of a document, i.e. is theoretically capable of making amendments/alterations to the copy, and someone who deals with information and documents in a read only mode.

2. 2.

   Copy documents are being challenged if they are not authenticated according to the exact form of accompanying docket specified in the appropriate Acts.

3. 3.

   In the Scottish courts there has been a successful challenge in which authentication of documents required under a Production Order has been signed by a line manager who has had no part or knowledge of the content or method of producing the copy document.

4. 4.

   The definition of a copy document is itself being challenged. This issue can best be illustrated by a specific example from the banking world. Most customers receive a regular, often monthly statement. It is virtually impossible to produce an exact replica of the document which they originally received. The statement sheets are not stored as photographic images, but normally as data which is updated direct from each customer's daily transactions. When a copy statement is required the data is married to a mask which produces the paper copy document. The data is exact and unchanged, but the appearance and layout may be different from the first version. These masks are designed to represent the current statement layout, but data which may be six to ten years old will be transformed automatically to fit the mask. This is a concept, which some authorities are having difficulty in accepting. The writer is not sure whether this is the luddism of legal backwoodsmen, unfamiliar with large-scale databases, or whether it represents a genuine and on-going problem for the future.

At the moment the situation seems to be one of considerable muddle with a standard response by the records management of an organisation being treated differently by different legal regimes at least within the UK. This is less a comment about differences between Scottish and English legal practice than the court experience of Crown Prosecutors (in Scotland Procurators Fiscal) within each jurisdiction. Given uncertainty it is not unreasonable to expect police, Customs and Excise, and Tax officials to attempt to meet every contingency in their demands for documents.

The problem for even junior records staff can be a subpoena to appear in court to certify to its authenticity, by explaining the process by which it was obtained. The concept of authentication by a line manager or 'signing official' looks as though it is being challenged. In one extreme case known to the writer a machine operator was summoned to testify to a computer system two years after leaving the employer. In such cases accurate recall seems unlikely.

At the moment technical standards of records management may be all the protection we have, but in the current climate of uncertainty they are almost certainly not sufficient on their own, and not sufficient to provide immunity from personal liability by employees operating under instruction on standardised business processes.

A brief phone survey of colleagues in the same sector suggests that my experience may be unusual, but I would be interested to hear from records managers who have had similar outcomes. The subject is certainly one that deserves the attention of the profession.

ReferencesDISC PD008 (1996), Code of practice for legal admissibility of information stored on electronic document management systems, BSI.DISC PD008 (1999), A code of practice for legal admissibility and evidential weight of information stored electronically, BSI.

Alan CameronRecently retired as Had of Central Records and Archives with Bank of Scotland, UK