Sentencing of records is the act of making and applying a decision about their long term handling.
Simply put, it’s about when to destroy them.
While most organisations are amazingly efficient keepers of information, very few outside of government are efficient destroyers of information.
When it’s done well, records that you capture are sentenced by the act of capturing them. This is called sentencing on creation. It means that the process will be largely automatic, and include destruction when the record reaches it’s end of life.
When it’s done badly, a vast trove of data and information will need to be classified and sentenced after the fact. It’s expensive, the chance for error is high, and the trove is what every hacker on earth is hoping they’ll find when they breach your organisation. Then there’s the chance that you’ll destroy information that legislation says you need to keep.
Sentencing is the discipline that every organisation needs to understand in a post privacy legislation, breach reporting world.
If your organisation has a great Records Manager, chances are that you’re already on your way there. If not – now is probably a good time to go and find one.
Records are evidence of compliance.
To destroy information which is evidence of compliance, is to destroy a record.
The risks of doing Records Management poorly are that information proving compliance –
- Won’t be available when you need it because it has been deleted or lost.
- Will be difficult (ie. expensive and time consuming) to find.
- Will be incomplete, and will require significant time and effort to assemble into a comprehensive record.
The consequences of failing at Records starts with failing audit. Depending on your industry, there can also be other consequences that range from inconvenience and fines, to quite literally killing people.
I’ve simplified greatly here because I’ve discovered that Records have different meanings in different contexts. I think that’s part of the reason why record keeping isn’t held in much higher regard as a discipline, and why certain industries are doing it so badly (and failing audits left, right and centre).
What I’ve found by industry –
- Government agencies know what records are, but generally under-fund it.
- Health organisations think that they’re about patients (all patients have records, but not all records are about patients).
- The greater private sector thinks they’re in accounting, but have people in risk actually performing records management duties.
Records are evidence of compliance. If you have legislation, regulation or standards to comply with, records are the evidence that you can give an auditor that’s going to get them out of the building quickly. The longer the auditors are with you, the higher your risk is.