Thursday, 10 November 2011

Clouds on the horizon

The Data Protection Act (DPA), in its current form, was made law in 1998. I didn't notice at the time. Well, that was the year The Good Will Out by Embrace was released, Peter Jackson was in charge of Town and I got my first email address, accessible through the green screen of, presumably, a UNIX operating system on a University network. Happy days.

Whilst I haven't listened to Embrace for ages, and even Peter Jackson's second stint as Town manager is years ago, the DPA is very much on my mind now. I like the DPA because, as one ICO rep said at a conference I went to, you can fit it on the back of a postcard. The EU may feel that the UK DPA is falling short, but I like the way the 8 prinicples can still ask tough questions of the current advances in technology.

With the advent of 'cloud computing', Data Protection is more relevant than ever. Though the way information is stored, shared and managed across the internet was unimaginable in 1998, I challenge anyone to argue that the first 7 of the 8 DP principles do not still apply to personal data held in the cloud. Whether my details are held by an organisation in a server room a mile away or a virtual server space on the other side of the world, I'd want them to be managed according to those 7 principles.

The 8th principle - Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data - is the crunch issue when it comes to cloud providers.

As information compliance officers we can often be cornered into a 'No, you can't do this' approach with DPA, when the Act should be an enabler - i.e. how to do it safely and properly - rather a barrier to technical change. With that in mind, I attended the 'Data Protection Jurisdiction in Cloud Computing and International Data Transfers' lecture at the Institute of Advanced Legal Studies last week. The QMUL 'Cloud Legal' project is looking in depth at the DP issues around cloud computing.

The main conclusions I drew from it were that EU Data Protection law provides no easy answers to the cloud at the moment. The predictable fact that law moves slower than technology, coupled with a range of DP attitudes to the cloud amongst member states, means that there is no definitive 'DPA stance' on cloud computing.

However, this does not stop the consideration of the first 7 principles with any moves we might make into the cloud. The lecturers stressed the importance of contractual negotiations with providers, transparency around what is to be done with data effectively.

The move from the macro-approach ('all cloud is good/bad') to the micro ('how can this cloud provider enhance our services whilst managing our data effectively and efficently') is crucial, especially as the instances of how cloud can work (user, integrator, solutions provider, provider, sub-provider, "lights out establishment") are so complex as to make any single position or stance problematic.

The US Patriot Act was mentioned, but whilst it is emblematic of EEA concerns around data, I think it is something of a red herring in this whole debate. After all, we'd be naive to assume that the exemptions Section 28 'National Security' and Section 29 'Crime and taxation' in the UK act did not implicitly enable the sharing of personal data with non-EEA states anyway. And have you seen The Bourne Ultimatum? I didn't see much consideration of DPA exemptions when they were hacking into CCTV and phone lines!

1998 was such a long time ago and whilst technology changes, principles often last. In terms of the cloud and DPA, let's not fixate on the eighth and lose sight of the other seven.

Thursday, 27 October 2011

Ask the archivist

In the last year, as a records manager, I've been increasingly drawn to the work of digital archivists. It's a vibrant global community where projects range from digitizing family photo albums to making priceless cultural treasures available online.

I sometimes look enviously at these projects. They are positive, cultural contributions that enrich and educate our society. Records managers, by necessity, often work in more prosaic areas. The really interesting 'culture' stuff we know we will have to pass to the archivist.

The digital archivist projects often involve a scenario where a collection has been deposited in a perilous electronic state - old electronic formats, no metadata on photographic records etc.
Whereas this is usually the beginning of the story for the archivist I always can't help thinking 'what did the records manager tell the owner of the collection when he created the records?' It has impressed on me the need to apply lessons learnt from archivists to inform how I advise my organisation on how they work today.

For example, I really liked the recent Signal blog post which discussed whether the digital record is an 'artifact' and 'information'. The illustrative examples were a medieval manuscript and a 'Copyright Office card catalog'. Part of the user experience with the medieval record, as well as reading the text, was to see how the manuscript was presented. Therefore the challenge was to create as accurate as possible digital image of the pages. With the copyright cards, it was the information that was paramount. Optical Character Recognition (OCR) was scanned onto the cards to allow quick searching. The principle was that each record aims for a high 'information' score. The 'artifact' value, however, varies according to the nature of the record.

It made me think about simple scanning projects often carried out in organisations. There are some oppressive 'legal admissibility' standards out there (0008) which can often intimidate organisations so much they often keep the paper copies and its accompanying storage space (which loses half the intended benefits of the project) or don't undertake any scanning at all. In most cases with these records (invoices, forms, project documentation), the 'information' value is the key - the 'artifact' value is low. These records are often only likely to kept for a finite period anyway, so why jump through hoops to ensure the shadow from the staple is authentic?

When we start to think about some of the more high-risk records (health, social care, educational) then the 'artifact' value rises - we do need to have a feel for the authenticity and integrity of a digital document. It is these records that we need to invest the time. Traditionally these type of records are also kept for much longer, so the long-term preservation of the records needs to be a big part of the discussion at the scoping stage of the project. How many digital archivists get involved this early?

I get on well with our archivists and try and corner them for coffee every now and then to discuss our respective challenges. The good news is that I've collaborated on a little feasibility project bid regarding the long term preservation of electronic records. Luckily, we were successful. As Allabouttherecords is my personal blog, I've set up a separate blog for this project, which you can view here if you are interested.

Wednesday, 5 October 2011

Keeping records til Domesday...

The preservation of electronic records is one of the major challenges for records managers. The user expectation, intensified by Google, of instant access and retrieval of electronic information makes the old style 'request for file 2 in box C on shelf 3 in bay 16' seem like something from another world, akin to the workplace tobacco and scotch bottles in an episode of Mad Men.

And yet paper is much more resilient. I know that, if the building stays standing, that file 2 in box C will still be accessible in 10 years time. I can't say this with certainty about my blog, my tweets, my word documents, my spreadsheets. I still have the floppy disks I did my thesis on but it would probably require a supplier search of 'JR Hartley Yellow Pages' proportions to find someone who could open the files. And would the format even be readable? Was it Word 95? Or - gulp, Wordperfect? My bound copy of the thesis, however, sits on my shelf impervious to technological change and threatened only by dust or toddlers with crayons.

What happened with the Domesday project is an excellent example why these challenges need to be looked at with electronic records.

The Domesday Book, completed in 1086, was probably the most ambitious 'information audit' - to use the records management terminology - ever undertaken.

For the 900th anniversary of the Domesday book the BBC undertook a nationwide project to undertake a similar exercise. As a 'knights and castles' obsessed schoolboy at the time, I loved the Domesday projects we did at my primary school, knocking on village doors and interviewing residents. The results would be stored on fabulous new computer media. We would occasionally get a chance to glimpse the school's BBC computer but I'm not sure it was ever actually switched on while I was there.

The original 1086 Domesday book sits in National Archive and will be quietly awaiting its 930th anniversary around the time of the Olympics in Rio. Anxieties about the obsolesence of the 1986 files grew, and in the early 2000s a massive project to convert them from their huge laser discs into a readable web based format ensued. In 2011 it was made largely accessible in a web based format. Until the next upgrade or major technical change...

Luckily, digital preservation issues are being debated and discussed across the globe and there are many useful blogs available. I'm a particular fan of Future Proof from Australia, which combines some good technical overviews with some useful posts about training and awareness. There are some excellent discussions on the Unversity of London Digital Archiving Blog. I've just discovered the Library of Congress blog The Signal which has several posts a week from lots of contributors. The National Archives have some good generic guidance around digital continuity and are doing some interesting stuff around archiving Government websites. Practical E-Records is more on the technical side of things and has recently been posting some really interesting stuff on email preservation.

This issue is something as records manager we need to keep working on. Especially important is the need for records managers to be the bridge between the user and the archive. Surely the whole thing needs to connect, not just when archivists find a collection on their doormats? Otherwise we're doomed. Or 'Domed', as the Normans would say.

Wednesday, 28 September 2011

'Right to know' day

Happy 'Right to Know' day. It's easy to forget as an FOI officer to recognise that you're part of a global network of people engaged in information rights. In many ways in this country we often take our Freedoms - not least that of information - for granted so its worth observing.

The last month has seen a few notable Freedom of Information stories.

'Govegate' is still running and running so I'll hold back from any comment on this at the moment, save remembering the Daily Show's Jon Stewart's comment about Gordon Brown's 'Bigotgate' disaster: "Gate?! You don't get to call that gate!"

The Hillsborough petition brought FOI out of the compliance officer/campaigner dialogue and into the mainstream.

The Camden 'empty properties' tribunal decision has the feel of a 'landmark' in terms of local government FOI. Ultimately the case hung over the Tribunal's judgement in the public interest in the empty properties 'issue' being made higher profile by the disclosure of the property addresses. Does the disclosure of exact property addresses really advance the debate further in a way that the non-address-specific statistical data provided by Camden would not? I'm a bit sceptical about this outcome of this one.

And finally, just to show that the 'right to know' means requests of all shapes and sizes, I give you Decision Notice FS50384351. Someone asked the British Library for an electronic copy of a book. The BL rightly refused under section 21 exemption 'You can get it on Amazon/Information accessible to applicant by other means'. This must have been one of the quickest ICO decisions ever.

Thursday, 18 August 2011

Is FOI pushing the limit?

As my last blog on vexatiousness got a positive response, I thought I'd take the easy option and repeat the exercise. This time I’m looking at another part of the Act which raises the hackles of requesters everywhere, Section 12 and 'Appropriate Limits'.

Like Section 14, Section 12 'Exemption where cost of compliance exceeds appropriate limit' is not an exemption as such, just a grounds for refusal. If you haven't seen this already, FOI Man gives a very good overview of Section 12 and how it is used. Basically, if pulling the information together for a request will take more than 24 hours (in the case of central government) and 18 hours (pretty much everyone else) to complete then it can be refused.

Section 12 is often where the FOI officer gets caught between the requester and the organisation. The requester can't believe that pulling the information they have requested will exceed 18/24 hours; departments within the organisation can't believe that it won't.

1) the number of times S12 had been included in a DN by year 

2) the breakdown of whether it was upheld (the authority was wrong in applying s12), not upheld (the authority was right) and partially upheld (neither here nor there)

3) the type of public authority involved in the DN. I used very broad categories of central gov, local gov, police, NHS, education and 'other' (which included the BBC, ICO and TFL)

Like all data sets, this does not produce a 'clean' answer. Not every complainant decides to go all the way to the ICO. They may be satisfied by a compromise or simply give up. Not every complaint that reaches the ICO results in a DN.

The results suggested the following conclusions:

1) Whilst I used the number of Section 14 DNs (165 over 7 years) to postulate that the exemption wasn't engaged very often, I believe it's different for Section 12. I counted 185 in total, upheld and not upheld over 7 years (including 2011) of FOI. I think that this reflects the way Section 12 is used by public authorities. Whilst using s14 vexatious is often an outright refusal and the end of the conversation, applying s12 can often be the beginning of a dialogue, narrowing down the request to what is achievable to the authority and useful to the requester.

2) The increase is quite modest, stable in 2007 (20) and 2008 (22), then a rise to 2009 (48) and 2010 (50). 2011 (34) looks like it may eventually exceed the 2009 and 2010 totals but not by much. In the context of the overall increase in requests, does this mean requesters and authorities are clarifying between themselves more? Are requesters getting more reluctant to challenge Section 12 or learning to 'target' their requests better? Are authorities not relying on it as much?

3) The ICO is in most cases supportive of public authorities when it comes to a Decision Notice. Around 82% of DNs dealing with S12 come down on the side of the authority. Like Section 14, Local Government is the most contested with the ICO siding with LAs only 66.7% of the time. Are LAs not as 'good' at applying Section 12? Is the ICO just harder on local authorities?

4) Central Government - interestingly, as it has the higher appropriate limit threshold - was involved in most (over a third) of the Section 12 DNs. In 84% of these the ICO sided with the authority and in only 6 of 68 cases the requester's complaint was upheld. Do requesters make more wide ranging requests ('all documents, correspondence, and memos since 1998...') to central gov? Is central gov simply 'better' at applying s12 correctly? Or is s12 a reflection on the way central gov holds its data? Even if an authority applies s12 'correctly', it may reflect that the data is not held in a way that makes it easier to answer requests. This is a theme running through the recent 'Open Data' consultation, and while I think it's too simplistic an argument (most public sector IT systems were procured to deliver an internal business need as cheaply as possible, and the functionality to produce re-usable anonymised open data for public development was often not considered), the 'way we hold our data' is often behind many applications of s12.

5) Local Gov (19.5%) and Police (15.1%) follow up, though there is a rogue 16.8% in my 'other' category (BBC, TfL etc) which I think reflects the hurried nature of my categorisation rather than anything else. 

Other thoughts 

1) I've not had time to go into detail on the DNs themselves, though it was worth noting that a lot of other exemptions were often involved in these requests. Often s12 may only be relevant to one question in a multiple question request. 

2) Beyond a broad presumption, these quantitative stats can't show some of the good 'qualitative' clarification work that goes on between FOI officers and requesters to understand what is asked for and what can be provided. I think a lot of this goes on, I'm not sure how much on WDTK as opposed to individual email-to-email requests. 

3) The Open Data consultation has mentioned extending the threshold for appropriate limits. This should, in theory, reduce the number of s12 DNs in the future. But as we have seen, central government, with its higher threshold, has the highest proportion of s12 DNs - and almost all of them endorsed by the ICO! I'm not sure raising the threshold would be much more than symbolic at best and at worst not in the best interests of either authorities or requesters. I think I'd rather see more focus and guidance on 'clarification'.

Well, like a 60s novelty act, I've recycled my one hit blog post into a sound-alike follow-up. Back into obscurity now...

Wednesday, 10 August 2011

Is FOI getting more vexatious?

I have been thinking a lot recently about FOI 'vexatiousness', seeing Section 14 appear a lot more often in the ICO Decision Notice RSS feed. Is the committed FOI campaigner right, are public authorities using it more frequently and aggressively? Or is the overworked FOI officer right, do we need to jump through hoops just to hold off those angry repeat requesters?

I decided to carry out my own number crunching experiment to test out these generalisations, using a very simple manual count from the Decision Notices (DN) published on the ICO's website. I thought of making this as an FOI request to the ICO but they would have probably said it was Section 21 'Reasonably accessible'! and they're right - it didn't take long at all.

Well, I'll do anything to avoid getting round to doing the washing up.

I counted: 

1) the number of times S14 had been included in a DN by year 

2) the breakdown of whether it was upheld (the authority was wrong in classing a requester as vexatious) or not upheld (the authority was right) and partially upheld (only three cases and neither here nor there!) 

3) the type of public authority. I used very broad catergories of central gov, local gov, police, NHS, education and 'other' (which included the BBC, ICO and TFL)

Like all data sets, this wouldn't produce a 'clean' answer. Not every complainant decides to go all the way to the ICO. They may be satisfied by a compromise or simply give up. Not every complaint that reaches the ICO results in a DN. You could argue that if a vexatious request is obsessive or forms part of a committed campaign, then it is more likely that the requester(s) will not flinch from contacting the ICO and pressing for a formal DN.

The results suggested the following conclusions:

1) Section 14 'vexatious' isn't engaged very often. I counted 165 in total, upheld and not upheld over 7 years (including 2011) of FOI. Compare that to in excess of 100 DNs so far in 2011 referencing Section 40, 'personal data'. Authorities don't - and can't - use it lightly.

2) The 'shape' of the numbers is broadly in line - perhaps lagging slightly - with that of FOI request volumes overall. A quiet 2005 (0), an upward curve through 2006 (11)/2007 (19) 2010 (27) and a spike in 2010 (41). 2008 is an oddity, with only 5. FOI officers will not be suprised that the 2011 figure (62) has already well exceeded 2010 with only half the year gone.

3) The ICO is in most cases supportive of public authorities when it comes to a Decision Notice. Around 75% of DNs dealing with S14 come down on the side of the authority. Local Governmment is the most contested with the ICO siding with LAs only 69% of the time.

4) Nearly a third (31.5%) of vexatious DNs concern local government. Central Government is up next with 23.6% followed by the Police 16.4%. Does this figure mirror the proportion of requests? The greater number of local gov authorities to make requests to? Is it because its functions are more related to the day-to-day life of the public and therefore the 'vexatious' / 'persistent' mark is a line more likely to be crossed and contested?

5) The NHS has done OK with its requesters. Only 6.1% of s14 DNs relate to the NHS (including GPs). In 90% of these the ICO backed the public authority. Does the NHS get any less requests that central gov, local gov, police or education?

6) The nature of S14 - it's not an exemption as such, just a grounds for refusal akin to 'appropriate limits' - means that a single incident, requester or campaign can skew the figures. The number of vexatious DNs for Education were quite modest until a huge spike around one authority in 2011 put them up above the NHS and 'Other' (which includes the BBC, TFL and ICO in my arbitrary categories).

Other thoughts: 

1) It would be interesting to look at the amount of times S14 has been used on WDTK. Are 'vexatious'/'persistent' requesters more likely to use the public forum than the request submitted by personal email?

2) Are there more vexatious requesters or just more requesters? Therefore the s14 figures increase in proportion?

3) The way the ICO deals with complaints is surely a interesting factor here. The latest Annual Report shows that the ICO improved the speed of dealing with its caseloads. Has this made it less likely to broker compromise between PAs and complainants and more likely to be decisive and issue a DN?

4) Is it the case that authorities are getting more confident in using S14? The 'case law' you can accumulate from FOI DNs around S14 can show the sort of criteria a public authority should be looking for to engage s14 correctly.

Now, back to the washing up...

Tuesday, 2 August 2011

Disclosure in the public interest - Hillsborough

In April 1989 my main concerns were trying to work out how to play the chords to Def Leppard songs and getting my wizard character to 4th level in Dungeons and Dragons. If I wanted to go and see football at the weekend, I would ask my mum if it was OK to go down to Leeds Road and see Town get beaten. The Hillsborough disaster of that month was a shock to me as to so many others who'd stood on terraces and surged towards steel fences and gates at matches before. It could have been any of us. At any game.

I lived in Liverpool for a large chunk of the 90s and the events of Hillsborough were in that city beyond an 'accident' or 'disaster'. They were - and I imagine that they still are - seen as an injustice. For football fans of all teams in the context of the 80s, Hillsborough was the culmination of a decade of prejudicial treatment - wire cage fences, ID cards and media derision. Fans were seen as 'animals' and this prevailing attitude is seen to have fed the circumstances - the state of the stadium, the nature of the policing - that led to the tragedy of that day. Hillsborough was then, combined with surge in football's popularity following the 1990 World Cup, a watershed in the development of the game as we know it now.

Therefore it was with interest that a recent ICO decision notice
has ruled that copies of all briefings and meeting notes provided to Margaret Thatcher in April 1989 relating to the Hillsborough disaster should be disclosed, overruling the Cabinet Office's application of Section 31 'Law enforcement' and Section 35 'Formulation of government policy'. Some information was ruled by the ICO to be correctly exempted under Section 40(2), 'Personal information'.

This has been covered in depth by the BBC, but I felt it was worthy of note in recognising that this FOI request concerned information that is at one level 'history' and at the same time something very 'present' and emotive in the lives of so many.

In terms of Section 31 the Cabinet Office argued:

The public authority has argued that disclosure of the information in question would harm the relationship between the police and general public and that this would result in a reduction of willingness on the part of the public to cooperate with and assist the police, by, for example, providing information to the police.

Despite the age of the information - remember Hillsborough happened the year the Berlin wall fell and George Bush Snr was inaugurated - the ICO ruled that this, arguably very general, application of the exemption was still relevant and engaged. The singular nature of the event is the only thing that can still allow this exemption to apply.

Section 35, must seem for FOI campiagners one of those exemptions that has the potential to undermine the legislation, suggesting locked doors, informal conversations and Parliamentary privilege. The Cabinet Office argued that disclosing the information would have a 'chilling effect' on ministerial discussions. I believe chilling effect arguments can be valid. People need a space to think freely without the fear that an idea floated, then quickly shelved in working towards an objective, is not likely to be disclosed. Such thoughts do not need to be paraded on the same level as the finally agreed objective, which of course should be transparent under FOI.

Yet whilst once again accepting that the exemption was engaged around the type of information requested, the Commissioner did not consider it 'conceivable that the disclosure would have resulted in a chilling effect to Ministerial discussions at the time of the request, given the age and unique subject matter of the information in question'. The ICO emphasised that the information was 20 years old at the time of the request, in the context of the current Government aiming to reduce the traditional 30 year threshold.

For the ICO, in the case of both exemptions, the public interest test falls down on the side of disclosure rather than exemption. By his own admission there is a 'very significant and weighty public interest in favour of disclosure of information relating to the Hillsborough disaster.' I'd have to agree with this one. I don't think that the public interest is always on the side of disclosure but this was a day that affected so many. Firstly in the tragic loss of life and secondly. in the fundamental changes in the way the national game was organised and developed over the next decade.

A difficult and high profile case for the ICO but an example of the Act allowing access to information around central government decision making and the power of public interest. Will this disclosure be more use to the historian in making sense of events or the families in search of justice? Impossible to say. FOI can, at least, provide the information they need to get started or just to carry on the fight.

Tuesday, 26 July 2011

Definitive articles

Stepping out of day-to-day tasks to review the latest research in the field can be a luxury for many records managers. Yet these journal articles can provide a good phrase or idea that can set you off on a new route or initiative to apply in your own organisation. Sometimes it can be simply the relief of recognising that your records management thoughts, hopes and fears are being shared by others, and those the leading minds in the field. 

The Emerald Literati Network Awards for Excellence highlighted some excellent articles published in the Records Management Journal last year. Here are two that I found useful.

Digital recordkeeping:
are we at a tipping point? 
Kate Cumming and Cassie Findlay

Austrailia has produced some of the most innovative and authoritiative work on records management in the last 15 years. This article comes from the State Records Authority of New South Wales, whose website and related 'FutureProof' blog is well worth a visit. Starting with Malcolm Gladwell's Tipping Point, the authors suggest that we are at a crossroads. On one side the sheer proliferation and volume of digital information is threatening to overwhelm us. On the other, RMs are increasingly being required to advise on the management and preservation of information in 'business systems'. The key conclusions for me were that 1) things are bad in terms of data volume and the general mismanagement of that old favourite, email and 2) Capping of storage space has to be the first step in forcing organisations to manage information more efficiently and 3) RMs can't rely on corporate EDRMS but need to get out there and integrate RM at the point the information is first produced and stored, usually in the Finance system or the HR system etc. 
A really useful article from an organisation which is clearly a hotbed of RM ideas.

The author is often to be found debating issues and prompting discussion on the Records Management Society email list and this article reflects the depth of thought and feel for the discipline that he clearly holds. My highlighter pen was fading by the end as there are many eminently quotable passages - 'storage does not replace memory' , 'Why should I delete anything if I can store it all?', 'for an organisation to be creative sometimes, some things need to be forgotten' - and the author pulls in Robert Frost, Google and the ancient Greeks to illustrate his case. Ultimately the argument is a vigorous defence of the 'management' aspect of records management. Managing documents and records effectively is not an esoteric specialism - everyone in an organisation needs to make the right decisions around records. Keeping everything is unproductive and ultimately wasteful. To quote another of Serewicz deft asides, 'We do not read every book in the library; we read what is essential to answer the questions on the exam'. When faced with making sense of the the current explosion of information, the RM is lucky to have such articulate defender of the importance of our discipline in a rapidly changing landscape.

Wednesday, 20 July 2011

Email - it's just one message after another

Email - you can't live with it, you can't live without it.

As a tool for communication, the impact of email has been so immense that it is difficult to imagine (or remember) the days when it wasn't around. It's brilliant - the instant transfer of a message or attached documents across global distances.

For records managers email is a huge problem, with both technological and cultural factors weighing against our mission to organise and capture important records.

The irony is that, within an age where the sharing of information is so abundantly possible, email records have become more closed and tied around the individual.

Whereas a copy of the formal letter correspondence would be added to a file of correspondence or a case file relating to the recipient, emails still revolve around the individual user. These emails will often sit in inboxes and 'sent mail' rather than being formally attached to an equivalent electronic case file. This is not likely to be just habit, as systems often have issues storing message formats in an acceptable way. Even SharePoint implementations, according to case study anecdotes I have heard about in the last few years, have had some issues with linking to Outlook. Email often remains at arms length from EDRMS systems because integration can be so tricky.

When the staff member leaves, the risk is that the email account presents firstly a handover challenge for the remaining members of the team and secondly a real challenge for the organisation in complying with requests for correspondence under FOI, DPA or legal discovery. Add into the mix the fact that IT departments, under pressure to effectively manage storage space and redundant user accounts, often have policies in place to delete accounts after a specific period. That's before I get started on .pst files, two words that wake records managers up at night in a cold sweat.

So what approach to take? With so many difficulties around the automation of managing emails we are back to the communicating with the users. We have to guide them to make the right decision sitting in front of their inboxes.

I heard that one legal firm had a policy of emails in an inbox being deleted at the end of the day if they had not been pulled into the appropriate case file. An approach that is draconian, but certainly applicable to a narrow, billable hours type organisation. The principle however - cutting down people's storage space forces them to make decisions about what emails are important - has its merits. If you have the sense that there is unlimited space, why organise it? Meanwhile in the background, servers are clogged up with data, perfomance suffers, more servers are bought just to process and back up information that must be 70/80% redundant.

I think as RMs we should be thinking how this overlaps with lots of the 'how to get on top of your inbox' ways of working literature on email use. A good example is this from the Microsoft website I believe that someone who is very organised in the way they use email will be easily able to identify the important records in their inbox. RMs should try and work with the HR and IT functions in their organisations to work out what guidance is being given on using email. The Open University has an excellent 'decision tree' to help determine if an email is a record, though users might find it onerous if faced with an inbox of 1000 plus.

RMs need to convey the basics to users. Emails belong to the organisation, not them. Some of them are very important records. Some of these may be required for FOI or DPA requests. You can't keep every message. Managing them effectively as records may also mean being more efficient in your overall time management, and vice-versa.

Whilst we are still struggling with managing emails as records, beware of the new spaces in which discussions play out and decisions are made. Instant messenger, blog comments fields and replies to Facebook status posts are all creating informal platforms for formal records. Until someone comes up with a 'silver bullet' solution, RMs need to influence and advise for all they're worth.

Tuesday, 12 July 2011

Decisions Decisions

You could say I should get out more but I'm always excited when my RSS feed delivers me a batch of new ICO decision notices (DNs). I think that the publication of these DNs is one of the most useful outputs from the ICO website. Whilst not formally legal precedent, the DNs show how the FOI is a living, evolving, contested entity embracing a huge array of information. If you want to demonstrate that FOI is not just journalists and prospective suppliers, read some Decision Notices.

The Decision Notices show how a case can be made effectively by an authority to explain why an exemption is engaged. They can show the tenacity and commitment of a requester trying to access information. And they show the ICO as a body trying to be flexible and fair in its rulings. As last week's annual report demonstrated, the ICO is getting quicker and more efficient at reaching decisions on these cases.

The 'big' ICO DNs and tribunal decisions are covered in depth across the web and twitter. I like to try and look at some of the DNs that cover interesting areas of process or procedure. Recent ones that interested me are as follows:


This decision once again re-iterates that is considered by the ICO to be a perfectly valid platform for making information requests and responding to them.


The authority had a issued Section 12 'exceeding appropriate limits' response and been been rigorous in providing a minutes-per-file calculation of the time it would take. The requester then asked the public authority to conduct a random sampling of the records in order to come in under the limit. The ICO concurred with the authority that the request could be refused 'on the grounds that the Freedom of Information Act provides a right of access to information, it does not entitle an applicant to require a public authority to perform specified tasks'. I think this covers an interesting area which shows the limits of both what constitutes 'extraction', 'creation of new information' and 'advice and assistance'.


This is two ICO Decision Notices on responses to what I think is the same 'round robin' request for the same information. Two different approaches by the public authorities and two quite different outcomes. A good example of the ICO treating each case according to its individual circumstances.

Wednesday, 6 July 2011

All about the training

You can implement all the systems and policies you want, but the vast majority of records or information management decisions are made at the member of staff's desk. Things go wrong there; many of the high profile data breaches in recent months have come from simple errors - emailing the wrong name from a contact list, faxing to the wrong number. Training staff directly, and building awareness of records management and information compliance, is as important a part of the RM job as any and there are many ways of doing it.

Classroom training
If you get a chance to do this, maybe as part of the standard induction for staff, then leap at it. You'll never get a better chance to let new staff know who you are and why your subject is important. The mix of staff from different departments and different grades will help you learn more about your organisation too. The timeslots you have to work with will vary, but try to avoid going through this policy or that policy or the fact the DPA 1998 was preceded by the 1984 Act etc. Use powerpoint, it is a great tool for putting points across, but don't just read out a series of slides. Get them involved. Ask them what data they are used to dealing with in their work, what FOI requests they may have dealt with before. They will start to ask questions and your answers will be directly engaging with what they do day-to-day.

Knowledge of the legislation is important. But always suggest to them that DPA and FOI is their act too, not just fuelling some perceived hostile public gathered at the gates. With records management you are unlikely, in this sort of training, to be taking them through how to use the local EDRMS or listing retention periods. Get them to think about what records they use at work, or at home, and how they do it. Signpost the policies and the systems and just make sure they leave the room knowing you are the person to ask about these things. I've often ended up starting a dialogue with staff at an induction session that has led to some really productive records management work further down the line. Or maybe, following your training, a member of staff picks up that stray FOI request and actions it immediately. Learn from your experiences from training courses you've attended. Identify the things that really helped you grasp the subject being taught.

Online training
It is unlikely that you or your team will have the time and resources to train every member of staff face-to-face. Online training is a way to get people to learn at their desks when they are available to do it and there is lots of good online training software available. The 'bottom line' is that this approach can help cover your organisation better if you can demonstrate how many people took this training, read the policy and ticked the box. But of course it's much more than that, a chance to reach many more people in your organisation than through an induction session. Whilst it's different from the 'classroom training' in many ways the objectives are similar. You have to get key messages across and they have to be practical and useful for the member of staff. Give them options to find out more if they want to go beyond the basics. Aim for 20/30 minutes at the most and include a quiz to test how much they've taken in. The advantage of reporting on training like this is that you can set up department vs. department stats (60% of the HR division have taken the training, only 30% in legal etc.) to drive uptake with senior management.

Intranets are used in many different ways, from simple staff directories and internal web pages to collaborative wikis and 'spaces'. You can never guarantee that all staff will be regular users but this is an important place to put all the up-to-date policy documents, guidance and presentations. If you have a news feed on the intranet, submit regular items. The ‘it could have been us' sort of story - 'records left in a skip' or 'the wrong fax number' - are good opportunities to take real incidents in the news and link them to your policies and advice.

Not strictly training, but a case of being there if someone has a question. If you can give a quick and helpful response, they'll hopefully a) come back again b) think about these issues in other areas or their work and c) tell others 'why don't you try asking the RM about this...'

A lot of records management is an influencing role, making people aware of why it's important and what they can do. In terms of compliance, staff need at least to know the basics - how to recognise a request or an issue - and to know who to contact. Training is therefore as important an area as any in the record manager / information compliance officer objectives. Take every opportunity you can to get the message across to staff because they are creating, storing and managing records and information every day. You can't stand over their shoulder every time but hopefully you can make them think: 'oh yeah, I remember that guy at the induction, talking about storing important messages, now where do I put this...'

Tuesday, 28 June 2011

Rewriting retention

I'm currently trying to update records management policies and procedures at my organisation and I've come up against the issue that has driven me to distraction for years: how to present the retention schedule?

Retention is so important. It's at the heart of what we do in both records management - keeping things only as long as we need to - and information rights. Just check out the fifth principle of the Data Protection Act.

The recent debates about the police retention of DNA data or the recent US proposals to retain incoming traveller information are the high profile examples of why it matters. In a more modest way, it applies to your shared drive, your inbox and that old ring binder on your office shelf with '2001/2' written on it.

But the retention schedule - as a document - is notoriously one of the most difficult and alienating text for non-RM staff to deal with. Firstly, it's likely to be a long document, full of those multi-page table formats that word processing programmes never particularly handle well. Secondly, the language of many of the generic 'standard' retention schedules used as a basis for organisational policies rarely bear much relation to the terms used by staff in their day-to-day work.

The danger is that schedules are so inaccessible can slide into irrelevance without a lot of time spent from the local records manager. The RM needs to ensure that they are followed and worked into departmental IT systems as well as paper files.

Researching on google, I came upon a useful article by Susan Cisco entitled 'Big Buckets for Simplifying Records Retention Schedules', (Information Management Journal, Sep/Oct2008 'Hot Topic', pp. 3-6). This document discussed the strategy of reducing the number of record types in retention schedules down to a relatively - 50 to a 100 - small number of 'retention buckets'. When you consider that something like the Local Government Classification scheme had at least over 600 types you can see that it is a significant 'slimming down'. The 'buckets' act as broad categories of records, the advantage being that staff are much more likely to categorise when the options are simpler. The intended result is that more records are stored and less records are misfiled.

Does it simply come down to that recurring challenge for records managers of engaging with staff? I think retention schedules could benefit from more simplicity. Would it be easier for staff to manage records day-to-day if their retention schedule was simple enough to laminate as one page and stick on the wall? Or set as default folders on a shared drive?

A post on the Thinking Records blog covered the Department for Education’s SharePoint implementation using just 11 'buckets', to a mixed reception from some of the RMs present. I think it's a bold move and a decent attempt to drag the retention schedule into the heart of how our organisations work day-to-day.

Sunday, 26 June 2011

All about the records

This is the first post of a blog about records management and information rights. I suppose my interests would be summarised as follows:

1) Information rights = good! I'm very interested in the way that the 'case law' is developing through Decision Notices and tribunals.

2) In terms of records management I believe that the era of the big, accredited EDRMS is over and we need to look at other ways to manage our information and records.

3) I could have also called this blog 'All about the users' because I believe the most important and fun parts of my role as a records manager are as a trainer, working with people at their desks. Making the mechanics of records management easy and accessible for users is one of the biggest challenges and I'll be looking at this a lot in my blog.

All views are my own. Hope you find these posts useful.