Understanding CGSB 72.34-2017: Canada's Electronic Records Standard


Explore the significance of CGSB 72.34-2017, Canada's national standard for managing electronic records. Learn why it is essential, who should prioritize its implementation, and how it works to ensure the authenticity and integrity of records for legal compliance and business management.

  • Electronic Records
  • Standard Compliance
  • Data Integrity
  • Legal Evidence
  • Recordkeeping


Presentation Transcript


  1. CGSB 72.34-2017 and Electronic Records. Sharon Byrch, March 29, 2019, ARMA VI Conference, Parksville, BC

  2. WHAT is CGSB 72.34-2017? Canada's national standard for managing electronic records within recordkeeping/IT systems to ensure their future admissibility in legal proceedings as documentary evidence. http://publications.gc.ca/collections/collection_2018/ongc-cgsb/P29-072-034-1-2017-eng.pdf (CGSB 72.34-2017, p. iv)

  3. WHO should care about CGSB 72.34-2017? Users of standard: Senior management & managers; IT & Records professionals; Legal, Risk & Security professionals; Others responsible for records & their management. (CGSB 72.34-2017, p. 1)

  4. WHY care about CGSB 72.34-2017? Operates on the primary principle that an organization shall always be prepared to produce its records as evidence. Supports legal requirements under Canada Evidence Act (CEA) and provincial Evidence Acts. Demonstrates responsible business management. Operates as a solid records management framework whether or not records are ever required as evidence. (CGSB 72.34-2017, p. 9, iv)

  5. WHY care about CGSB 72.34-2017? Proven defense strategy for successfully managing electronic (& scanned) records. Standard was upheld in Canadian court in the R. v. Oler case (2014): https://www.canlii.org/en/ab/abpc/doc/2014/2014abpc130/2014abpc130.html Calgary Police Services successfully migrated 40 years | 4 million legacy records using this standard: https://magazine.arma.org/2019/03/migrating-legacy-records-a-case-study/ (CGSB 72.34-2017, p. 9, iv)

  6. HOW does CGSB 72.34-2017 work? Requires demonstrating: 1. Authenticity of the record; 2. Integrity of the electronic records system & best evidence rule; 3. Record made in the usual and ordinary course of business; 4. Proof of integrity of an organization's records system. (CGSB 72.34-2017, p. 9-10)

  7. 1. AUTHENTICITY of the record. Requires either: External evidence, i.e. testimony of witness; OR Integrity of the electronic records system AND reliability of recordkeeping processes can be proven. (CGSB 72.34-2017, p. 9)

  8. 2. INTEGRITY of the electronic records system & Best Evidence Rule. Prefers: Originals over Copies (primary evidence over secondary evidence). Will Accept: Proof of integrity of records system; System was operating properly at all material times; Electronic record was recorded or stored in the usual and ordinary course of business. (CGSB 72.34-2017, p. 10)

  9. 3. RECORD made in the usual and ordinary course of business & Hearsay Rule. Applies to records offered as evidence. Out of court statement submitted re: truth of facts. Business records made in the usual and ordinary course of business are excepted from Hearsay Rule. (CGSB 72.34-2017, p. 4, 10)

  10. 4. PROOF of integrity of records system. Applicable factors: Source is known; Decision making; Contemporaneous recording; Software; System changes; Routine business data; Privacy; Data entry; Security; Standards. (CGSB 72.34-2017, p. 10-11)

  11. KEY REQUIREMENTS under CGSB 72.34-2017: RM program, policies & procedures manual; IT system management manual; Risk assessment for new technologies. (CGSB 72.34-2017, p. 14-27)

  12. RECORDS MGMT (RM) PROGRAM, policies & manual. Concepts, principles, methods & practices demonstrate appropriate RM program is in place. In the usual & ordinary course of business. Uses policy +/or bylaw, and RM/IT standards. Requires: Effective support & coordination between IT & RM; Quality assurance & periodic audits; Appropriate documentation. (CGSB 72.34-2017, p. 14-16)

  13. RECORDS MANAGEMENT (RM) MANUAL. Requires: Consolidating all records related procedures to ensure consistency and completeness; Consistency with the RM policy & standards; Kept up-to-date and accurate; References to related documentation (IT manual); Formal, periodic reviews. (CGSB 72.34-2017, p. 16)

  14. RECORDS MANAGEMENT (RM) MANUAL. Covers: Procedures for making, receiving, capturing, managing, using, protecting, destroying & preserving records throughout lifecycle. Documents change-controls, version controls, metadata, digitization, classification & indexing, maintenance & use, retention & disposition. (CGSB 72.34-2017, p. 16-18, Annex B)

  15. DIGITIZATION (Scanning & Imaging). Requires: Procedures and processes which result in accurate and legible reproductions of source records without alterations to content or appearance; Appropriate metadata for management & retrieval; Quality controls & quality assurance measures; Documenting legal & business rationale for destruction of source records; Work is conducted by trained operators. (CGSB 72.34-2017, p. 16-18)

  16. RETENTION & Disposition of records. Requires Records Officer to: Ensure proper appraisal of records is done; Document how long to retain, transfer and dispose of records; Have authority to suspend destruction or transfers subject to legal hold; Report all significant issues to senior executive in charge of RM Program or responsible area. (CGSB 72.34-2017, p. 18)

  17. DISPOSITION of records. Covers: Documentation of disposition process; Preservation of destruction records; Documents transfer process (transferring & receiving body); Guidance on preservation, conversion and migration; Quality assurance program measures. (CGSB 72.34-2017, p. 19-20)

  18. IT SYSTEM Management Manual. Requires IT to: Document all significant details of the logical and physical architecture of the IT system keeping records; Include relationships between IT system management, RM program & business; Demonstrate the integrity of system at any point in time (using manual & other records); Keep manual up-to-date. (CGSB 72.34-2017, p. 18)

  19. IT SYSTEM Management Manual. Demonstrates IT system integrity for managing electronic records & meeting admissibility requirements as evidence. Supports Canada Evidence Act (31.2). (CGSB 72.34-2017, p. 18)

  20. RISK ASSESSMENT for new technologies. Requires completing a comprehensive risk assessment prior to adopting new technology. Under FOIPPA, local governments conduct Privacy Impact Assessments (PIAs) for changes to existing or new technologies and systems. Recommends a multi-disciplinary approach of records, legal, security, privacy, IT and risk management. Under FOIPPA, SERVICE PROVIDERS and their agents and/or subcontractors are employees. Include them! Recommend capitalizing on PIAs for CGSB 72.34 purposes. (CGSB 72.34-2017, p. 24)

  21. RISK ASSESSMENT for new technologies. Using a multi-disciplinary approach is necessary to: 1. Fully examine the benefits versus risks of implementing new technologies; 2. Develop a solid business case for their implementation or abandonment. (CGSB 72.34-2017, p. 24)

  22. RISK ASSESSMENT for new technologies. The end-result is a valuable information asset & tool that: Informs communications to advise senior management/decision-makers of risks, threats and benefits; Informs development of new policies & procedures for risk mitigation and management where required; Establishes a re-usable process and benchmarks the new technology for future development and proposals; Serves as necessary chain of custody documentation to evidence the considerations, decisions, activities and subsequent activities related to the risk assessment process and the technology's implementation or abandonment.

  23. IMPLICATIONS for CGSB 72.34-2017. Organizational impacts: Requires much tighter coordination between RM & IT; Requires collaborative planning for change & initiatives; Requires capacity for change & improvement. Cost implications: Time & resourcing requirements for RM, IT and any other key stakeholders involved; Need to budget for operations, service providers and technologies to comply with standard. (CGSB 72.34-2017, p. 24)

  24. REMEMBER this principle! Trust is our key objective. Organizations cannot alter or destroy records without proper authorization & controls or the records and their management systems are not trustworthy. IT systems and technologies must protect electronic records from unauthorized access and changes & maintain an appropriate audit trail & system documentation. Must always be ready to prove electronic records are reliable, accurate and authentic from a legal perspective.

  25. Questions? THANK YOU! Sharon Byrch, Manager of Information Services, sbyrch@crd.bc.ca | 250-360-3639
