Records management with Azure Purview – Part 4: Organizational requirements, schedules, procedures and policies.

In my previous blog post I talked about creating a file plan in the Microsoft Purview solution. However, to set things up correctly in the solution, you need to know WHAT you are configuring and WHY you are configuring certain settings.

For this purpose I have created a blog post on how to gather your organizational requirements and put them into practice. This consists of 3 major steps:

  1. Conducting a needs assessment
  2. Developing a records retention schedule
  3. Creating policies and procedures

Next to IT personnel, typical stakeholders will include your DPO, CISO and legal department.

Conduct a needs assessment

Conducting a needs assessment on records and information that an organization produces involves evaluating the information needs of the organization, identifying the information that is currently being produced and used, and determining any gaps or inefficiencies in the current system. Here are some steps you can follow to conduct a needs assessment:

  • Define the scope: Identify the purpose and objectives of the needs assessment, as well as the specific records and information that will be assessed. Define the timeline and resources needed to carry out the assessment.
  • Identify stakeholders: Identify the stakeholders who will be affected by the assessment, such as managers, employees, customers, and partners. Determine their information needs and requirements.
  • Analyze current records and information: Evaluate the current records and information being produced by the organization. Identify the types of records and information, their format, storage, and retrieval processes.
  • Assess gaps and inefficiencies: Identify any gaps or inefficiencies in the current system. Determine the causes of these gaps, such as inadequate technology, lack of training, or ineffective policies.
  • Identify solutions: Based on the findings of the assessment, identify potential solutions to address the identified gaps and inefficiencies. Develop a plan to implement these solutions, including timelines, resources, and responsibilities.
  • Implement solutions: Implement the solutions identified in the plan. Monitor their effectiveness and make adjustments as needed.
  • Evaluate the assessment: Once the solutions have been implemented, evaluate the effectiveness of the assessment and the solutions. Determine if the goals and objectives of the assessment have been met and identify any areas for improvement.

By following these steps, you can conduct a comprehensive needs assessment on the records and information produced by your organization and identify ways to improve their management and effectiveness.

If you are running blind here, and don’t know what kind of information is being handled in your organization, you could opt for using DLP policies and endpoint activities in the Microsoft Purview solution and put them into monitoring mode. That way actions are logged, but the end-user doesn’t see any impact on their end. You could then use the reports to evaluate the information that is being handled in your environment.

Develop a records retention schedule

Developing a records retention schedule involves identifying the legal, operational, and historical requirements for retaining different types of records within an organization. Here are some steps you can follow to develop a records retention schedule:

  • Identify the types of records: Start by identifying all the different types of records that your organization produces or receives. This could include financial records, personnel records, legal documents, contracts, correspondence, and others.
  • Identify legal and regulatory requirements: Determine which laws, regulations, and industry standards apply to your organization and the types of records you produce. This could include requirements for retaining tax records, employment records, financial statements, or other types of documents.
  • Determine operational requirements: Identify the minimum length of time that each type of record needs to be kept in order to support ongoing operations, such as customer service, legal proceedings, or audits.
  • Identify historical value: Consider the historical value of certain types of records, such as corporate history, genealogy, or cultural significance. These records may need to be retained indefinitely or donated to an archival institution.
  • Develop a retention schedule: Based on the above information, develop a retention schedule that lists each type of record, its retention period, and the reason for retaining it. Include any legal or regulatory citations as well as information about where the record is stored and who is responsible for managing it.
  • Obtain approval: Obtain approval for the retention schedule from senior management, legal counsel, and other stakeholders. Ensure that everyone understands the schedule and their responsibilities for managing records according to it.
  • Implement and review: Implement the retention schedule and regularly review it to ensure that it is up-to-date and meets the changing needs of your organization. Update the retention schedule as necessary to reflect changes in laws, regulations, or organizational requirements.

By following these steps, you can develop a records retention schedule that helps your organization effectively manage its records and comply with legal and regulatory requirements.

Here is an example of a retention schedule for an organization:

Type of Record | Retention Period | Reason for Retention
 
Financial Records:
General ledgers and journals | 7 years | Tax and audit purposes
Accounts payable and receivable ledgers | 7 years | Tax and audit purposes
Bank statements and canceled checks | 7 years | Tax and audit purposes
Payroll records | 7 years | Tax and audit purposes

Personnel Records:
Job applications | 2 years | Compliance with EEOC
Employee personnel files | 7 years after termination | Compliance with labor laws
Performance evaluations | 3 years | Employee development purposes
Training records | 3 years | Employee development purposes

Legal Records:
Contracts and agreements | 7 years after expiration | Legal protection
Litigation files | 7 years after case closure | Legal protection
Patent and trademark documents | Indefinitely | Legal protection
Board of Directors minutes and resolutions | Indefinitely | Legal protection

Marketing Records:
Sales reports and forecasts | 3 years | Business planning purposes
Customer inquiries and complaints | 3 years | Customer service purposes
Advertising and promotional materials | 2 years | Marketing analysis purposes

Miscellaneous Records:
Correspondence and memoranda | 1 year | Routine business purposes
Travel expense reports | 3 years | Accounting purposes
Property records | 5 years after disposal | Asset management purposes
 

This is just an example and retention schedules can vary depending on the type of organization, industry, and legal requirements. It is important to consult with legal counsel and other experts to ensure that your retention schedule is comprehensive and compliant with all applicable laws and regulations.

Create policies and procedures

Creating and developing policies and procedures for managing records involves establishing guidelines for how records will be created, stored, accessed, and disposed of throughout their lifecycle. Here are some steps you can follow to create and develop policies and procedures for managing records:

  • Identify the scope: Determine the scope of your policies and procedures, including which types of records will be covered, who is responsible for managing them, and what the objectives of the policies and procedures are.
  • Identify legal and regulatory requirements: Research and identify any legal and regulatory requirements that apply to your organization and the types of records you produce. Ensure that your policies and procedures are aligned with these requirements.
  • Identify best practices: Research best practices for managing records, including how to create, store, access, and dispose of them. Consider industry standards, as well as guidance from professional organizations.
  • Develop policies: Based on the above information, develop policies that establish guidelines for managing records. These policies should cover the creation, storage, access, and disposal of records, as well as how to ensure their accuracy, completeness, and security.
  • Develop procedures: Develop procedures that provide detailed instructions for implementing the policies. These procedures should cover how to create, store, access, and dispose of records, as well as how to ensure their accuracy, completeness, and security. They should also outline any forms or tools needed to manage records.
  • Obtain approval: Obtain approval for the policies and procedures from senior management, legal counsel, and other stakeholders. Ensure that everyone understands the policies and procedures and their responsibilities for managing records according to them.
  • Implement and review: Implement the policies and procedures and regularly review them to ensure that they are up-to-date and meet the changing needs of your organization. Update them as necessary to reflect changes in laws, regulations, or organizational requirements.

By following these steps, you can create and develop policies and procedures for managing records that help your organization effectively manage its records and comply with legal and regulatory requirements.

An example of a policy on records management could look something like this:

Policy Statement:
 
Our organization recognizes the importance of effective records management in maintaining accurate and complete records, preserving organizational history, and complying with legal and regulatory requirements. The purpose of this policy is to establish guidelines for the creation, storage, access, and disposal of records throughout their lifecycle.
 
Scope:
 
This policy applies to all records created or received by our organization, regardless of format or medium, including paper documents, electronic records, and audiovisual materials.
 
Responsibilities:
 
All employees, contractors, and volunteers are responsible for creating, managing, and preserving records in accordance with this policy. The Records Management Officer (RMO) is responsible for overseeing the implementation of this policy, including developing procedures, providing training, and ensuring compliance.
 
Guidelines:
 
Record Creation:
a. All records should be created in accordance with established naming conventions and formats to ensure their accessibility and readability over time.
b. Records should be created and maintained in a manner that ensures their accuracy, completeness, and authenticity.
 
Record Storage:
a. Records should be stored in a secure and accessible location that protects them from loss, theft, damage, or unauthorized access.
b. Electronic records should be stored in a secure server or cloud-based storage solution that ensures their integrity, availability, and confidentiality.
c. All records should be properly labeled and indexed to facilitate their retrieval and ensure their proper disposition.
 
Record Access:
a. Access to records should be limited to authorized personnel who have a legitimate business need to know.
b. Records should be made available to authorized personnel in a timely and efficient manner, consistent with organizational policies and procedures.
c. Requests for access to records should be documented and retained in accordance with applicable retention schedules.
 
Record Disposal:
a. Records should be disposed of in accordance with applicable retention schedules and legal and regulatory requirements.
b. Destruction of records should be conducted in a secure and confidential manner that ensures their permanent and irretrievable destruction.
 
Record Management Program:
a. A record management program should be established and maintained to ensure the effective implementation of this policy.
b. The RMO is responsible for overseeing the program, providing training, and ensuring compliance.
 
Consequences:
 
Failure to comply with this policy may result in disciplinary action, up to and including termination of employment or contract. Any violation of legal or regulatory requirements may result in legal or financial penalties for the organization.
 
Revision:
 
This policy will be reviewed and revised as necessary to ensure that it remains current, effective, and compliant with legal and regulatory requirements.

What’s next?

I hope this blog post has given more insight into how to bring your organization on board with records management and what it entails. We can now start using the output of these topics and start configuring records management in Microsoft Purview.

Please note that this blog is part of a series on Records management using the Microsoft Purview platform.