LAS VEGAS -- Issues of governance, risk, compliance and data privacy came to a head in a panel discussion at the ARMA Live 2013 conference. The two-hour panel featured several members of ARMA and an engaged audience of records managers, general counsel and compliance officers. The discussion turned to various hot-button issues, including whether privacy is a sacred right, whether records management can really save companies money and whether data destruction is a meaningful concept.
Panelists included Alexandra Bradley, president and the principal consultant for Harwood Information Associates Limited; Dave McDermott, an information lifecycle governance consultant for IBM's software services group; Patricia "Pat" Vice, president of Patricia Vice, CRM & Associates; and John Montana, principal at Montana & Associates. The panelists were asked several questions about privacy, records management challenges and more. This is what they had to say:
Is privacy a human right or bad for business?
Alexandra Bradley: In Canada, where I'm from, privacy is defined as the right to be forgotten -- not to be the target of surveillance or other activities. It's a personal and fundamental right that is protected by the U.S. Constitution, and 10 states have constitutional rights to privacy. So it's pretty clear to me that there are laws and there is a general understanding that some information by its nature deserves to have protection.
Many organizations are governed by laws and regulations. But where there is no standard, there is an opportunity for us as information professionals to develop codes of conduct and to employ principles to ensure that data is maintained appropriately, not aggregated, not repackaged, not reused without our consent.
Dave McDermott: I totally disagree. Businesses today have the right to use private information. If users put information on those devices, they need to be aware that their privacy is not protected. Anytime you put information out in the Internet, on Facebook, you have to be prepared that this private information will be pushed out to others. If you think your private information isn't going to be used, think again. We're in a world where privacy is gone. Think how they captured the Boston bomber. Look around this hotel, look at the cameras. You better realize that privacy is not there like it used to be.
Does a records program really save money?
Pat Vice: We do save money for our organizations. Most records management programs were started because a company has gone through a costly litigation -- all at great cost to the organization. They can avoid fines by ensuring retention requirements. Records managers can reduce the risk and burdens; by following an approved retention schedule, keeping a lean-and-mean records program, they can quickly respond to investigations.
Bradley: Our programs don't save, but in fact cost, us money. We have policies and retention schedules in place but can't demonstrate compliance. Organizations can't demonstrate that technology is taking care of their records. And organizations pay lip service to the strategic value of information but manage it much less effectively than when it was physical.
We have never been able to catch up with the volume of documents and email. We work from a system perspective but not from an end-user perspective. If we want to be successful, let's take a look at Apple. Start with end-user experience, and work backward [with records management systems].
Can consistent data destruction be a reality?
John Montana: When we look at proliferation of mobile devices and information on social media and you look at the data collection that companies are doing. Then you look at what that looks like at the average commercial org, where you have tens of thousands of servers, exabytes of data. With 10,000 SharePoint sites and no one has the faintest idea what's in any of them, at the end of the day, with data sets of that size, even knowing what is on a server is a challenge. The techniques by which we do data purging are not done with a scalpel but with a blunt axe. It's just a whack, and it's gone if you're going to do it at all. So for a lot of companies, the question is, is anyone actually really doing it? Often they don't know how or don't have the tools.
Vice: Working with corporate managers, organizations can design records management retention programs that meet best practices -- and for goodness sakes, keep it simple. That's where managers get bogged down -- they get too immersed in the details. The 80/20 rule really applies. Apply the retention to 80%, and then focus on the 20% of the defensible destruction of those records. Storage facilities are filled with records that don't provide necessary information. We need to start with data management: physical and electronic records. Due to the nature of distributed records, we'll never be 100% compliant -- ever.