Frederic Bourget, VP of Product at IPRO
Just like there are lots of ways to keep your paper documents, there are many approaches to the archiving of electronic documents. But these approaches aren’t all equal. When you use the right methods for the right reasons, your organization can ensure its data is retained and disposed of appropriately, in a legally defensible way. What makes an archive legally defensible?
File Cabinet and PST Files
The first major type of archiving that we encounter when talking with organizations is personal archives. That is for individuals to take data out of their day-to-day sight and put it in an area where it will be easy to find when needed. There is an expectation of immediacy of access while gaining the benefit of un-cluttering their desk. The technology that was developed for this in the paper world is the filing cabinet. It sits in one’s office and is readily available provided you have the key. So it’s convenient, but not very reliable. It’s vulnerable to water leaks, fire, and employees removing and destroying valuable pieces of information from the files. The equivalent in the email world is the archive mailbox or the PST file. File servers serve a similar purpose.
Legislation, Litigation, and Reduced Storage Costs
The second major type is called legal or enterprise archiving. This is the archiving of important documents and information that is required by legislation or may be needed in the course of business to document and prove transactions and decisions. Contracts and purchase orders are examples of these types of files. The other main benefit of enterprise archiving is to reduce the cost of storage in line as access requirements are reduced. In the physical world of paper, we have the archiving department. This is outsourced in most organizations today with companies like Iron Mountain. These provide long term guarantees on the conservation of documents.
The Key Requirements of a Legally Defensible Archive
The legal archiving of electronic records isn’t a random effort of collecting documents on a drive or in a backup system, even less keeping documents on a live system in a separate folder. There are rules to follow. And with all of the technology available, it can be difficult to understand what the actual requirements for legal archiving are. Luckily, the smart contributors to ISO 14641:2018 have defined the key requirements of a real legal archiving solution: long-term preservation, data integrity, data security, and traceability.
Key Requirement 1: Long-term Preservation
Long-term preservation, by definition, implies system independence. This means that data cannot be tied to a specific short-lived set of technologies. It needs to be stored in a standardized or industry-standard and publicly available format. The software will have the ability to convert archived data to these formats while tracking standard metadata that will provide the document’s context. The software has to have the ability to move data from one media to another as needed. In this way, it can guarantee, that over a long period of time, data will be kept independently of what happens to hardware, software, or software vendors. Data should be as system-agnostic as possible. Not tied to a vendor as it’s expected to be readable for years or even decades to come. This rules out vendors locking in data in their solutions as legal archives providers.
Key Requirement 2: Data Integrity
In this context, integrity means being able to keep content in its original form. This is the basis for an archiving system. The content stays as is. Storage plays a big role in this requirement. Standards define different types of media that may be used like physical & logical WORM, with fixed or removable media. These are storage locations you can write but cannot change once the content is written. In addition, the system should timestamp the content and provide a signature or hash so it’s possible to verify the content hasn’t been altered. Typically, the storage will provide high security so as to limit risks of modification. The capture process of the archives must be clearly defined to guarantee integrity. In the same way, the destruction process needs to be defined and audit trails have to continue to live post-destruction.
Key Requirement 3: Data Security
There is no black magic to ensuring data confidentiality. Access to files needs to be restricted to the people who have the right to see it. Systems need to be in place to allow for full user authentication. Systems must also provide data access controls for users, to make it possible to select who has access to what. In more advanced systems, you’ll find capabilities like multi-factor authentication, full role-based access, and four eyes login. An audit trail of what has been accessed by whom is an essential part of verifying confidentiality. Reporting on these audits is required to allow visibility into who saw what.
Archives have to be readily available, so the systems supporting them also need to have high availability. Current computer technologies allow for high accessibility while reducing the cost of storage. Most enterprise computer systems will provide basic fault tolerance, meaning high availability with business continuity. But the concept of availability goes further. It means having the tools to find appropriate documents and information quickly, efficiently, and reliably. It’s a critical business capability. Yet, many systems allow end-users to access data efficiently by providing personal archiving capabilities, but when it comes to corporate access across user locations, a large number of solutions will fall flat, unable to provide reliable results quickly. This is a problem that significantly reduces the business value of the data.
Key Requirement 4: Traceability
Traceability starts with having a system that keeps a clear timestamp on all actions carried out on archived documents. From capture to views, ending with destruction, the system has to be able to provide a full lifecycle trace on archived files. The timestamping has to be policy-driven and allow the setting of verifiable procedures for the full lifecycle of documents. Any changes to these procedures and policies should also be traceable.
Your Legally Defensible Archive
When the four requirements discussed above come together, your archive becomes legally defensible. These requirements layout in a simple manner the definition of what real archiving is. Surprisingly, not many solutions actually map to these requirements. Keeping data on an original operating system, like with personal archives, does not meet most of these requirements. Just like keeping files on your desk. There is no long-term storage or integrity guarantees, little security, and no traceability. It serves a purpose but doesn’t meet the high bar of legal archiving. If you are currently looking at setting up a corporate/legal archive for your organization, make sure you’ve got the four key requirements covered.