e-Records 2012: DIR Answers Your Questions about Social Media, Cloud, and Mobility

e-records conference imageThis article is the second in a series of recaps of the 2012 e-Records Conference, a conference dedicated to electronic records management that has been co-sponsored by TSLAC and the Department of Information Resources since 2000. Presentations from the e-Records Conference are available on the e-Records 2012 website.

By Angela Ossar, Government Information Analyst

If you have burning questions about social media, cloud storage, and mobile devices and their implications for records managers, keep reading. Most of the questions we receive on this subject were addressed in the panel discussion “Emerging Technologies Panel: Policies and Records Management Challenges – Social Media, Cloud, and Mobility.”

The panel featured a discussion and Q&A with three Department of Information Resources experts:

  • Todd Kimbriel, Director, Data Center Services and eGovernment
  • Chad Lersch, Assistant General Counsel
  • Jon Lee, Policy Analyst, Technology Policy and Planning

Here’s what the panel had to say on these hot topics.

On Social Media Records Retention…

As a policy analyst, Jon Lee understands the importance of considering the feasibility of a policy before implementing it. If employees aren’t ready for the policy, it will fail. He gave the example of this record series that DIR added to their retention schedule this year:

Social Networking Communications
Consists of content (messages, posts, photographs, videos, etc.) created, submitted or received using a social media application that is strictly a duplicate, transitory in nature, or a record copy of the information exists elsewhere.  Includes blogs, wikis, Twitter, Facebook, YouTube, Flickr and other related applications.
Retention: 2 years
Caution: content on a social media application that meets the TGC § 441.180 (11) definition of a State record and is not a duplicate record, transitory or retained elsewhere must be captured by a responsible party and maintained for the full retention period of the appropriate record series.
Caution: The State has no control over retention policies of social media sites. State records must be captured and maintained in a system under DIR’s control.

In other words, 2 years…but: a) The department who created the record is responsible for capturing it; b) Check the rest of the retention schedule to make sure this doesn’t fall under another series; and c) Understand that the agency has no control over how long Facebook keeps your data.

The series represents the only record series for social media that we’ve yet seen on a state agency retention schedule and we consider it a model for other agencies. According to Lee, however, “only 5 people” know about the record series — so they can’t call it a huge policy success.

Chad Lersch, the DIR attorney, didn’t see many new issues when it comes to records retention — people aren’t creating new records; the core of the record is still there and retention schedules are media-neutral.  The most common question DIR gets is: Is the State going to create a social media records series?  Lersch said no: we are not recommending a one-size-fits-all social media records series because social media content is impossible to put in a box and changes constantly.

On Paying a 3rd-Party Service Provider (Cloud, Social Media Archiving, etc.)

Google the phrase “social media archiving,” said Lee, and you’ll find a wealth of vendor solutions ranging from $4/month to in the $1000’s.  Some service providers will collect all of your social media data and compile it into a single document. There are decided benefits to using these services, but their costs can be prohibitive.  How much money should Texas really spend on social media? Many agencies, after all, use social media to communicate because it’s free. Cost is about risk: the more money you pay, the more you mitigate risk.  For low-value data, then, maybe it’s okay to accept a higher risk of data loss. 

As for cloud storage, the cloud market is still immature. License agreements and contracts govern the relationships of the providers and users, and Terms of Service tend to favor the provider. The panel urged agencies to read the fine print — make sure your needs and wants are addressed in the negotiation process.

On Mobile Data and Text Messages…

We are not looking to the Legislature to give us guidance on records created on mobile devices, the panel said. It is up to each agency to figure out how these types of data are handled.

Apparently there has been a lot of spirited debate at DIR about BYOD (Bring Your Own Device) policies vs. requiring employees to use agency-issued devices. At the end of the day, there is no clear-cut solution, but you should be talking about it. “Define the rules of engagement,” they said: some technologies [that would help capture records created on mobile devices] will be harder to implement, and some employees will resist more than others (regarding what they can and cannot store on a personal mobile device).

Lee said: there is too much focus on consequences and discipline. Ultimately, people just want to get their work done. So the records manager’s role is to enable — to help the agency work better, faster, and more efficiently, but within the confines of the rules.

In the Q&A, someone asked if DIR had seen a good BYOD policy, a “shining star.”  They said that DIR does have a policy and that they are happy to share it. Their policy says that an employee may bring and use a smart phone, iPad, or laptop to work, with the understanding that the device is only a “duplicative display device” — the documents created on the devices are already in the cloud (via Office 365) and under DIR’s control; the device is merely used to display (not store) those records.

On Ensuring Staff Compliance…

How do you ensure staff compliance with the policies you adopt? DIR says: engage with other functional subject matter experts (SMEs). All functions produce records. Avail yourself to the project team and show your value. Be sure retention policies are existent, up-to-date, and realistic.

The panel provided three tips:

  1. Build training into any project plan. If employees are expected to be compliant with a policy, they must receive training on that policy.
  2. Find the influencers in your agency: your allies. They will be your champions.
  3. Find those who have differing opinions: engage your road blocks. Many times, noncompliance is just a communication issue. Meet face-to-face. And “cookies and breakfast tacos help.”

On Public Information Act Requests…

Another question coming out of the Q&A was: If records created on a mobile device are requested through a Public Information Act request, does that make the device discoverable?

The answer is: as stated in the previous section, DIR’s policy states that the record copy of the record is in the cloud, not on the device. DIR prohibits employees from downloading, making changes, and saving changed documents to their devices. So, when a PIA request is received, the employee’s device isn’t discoverable because it is only a convenience copy; the record copy lives in the cloud.

A related question from the Q&A came from a municipality who said that their City has a BYOD policy to save money on purchasing: Councilmembers buy their own devices and receive a stipend for them. So, if the Mayor and a Councilmember are texting each other using their personal devices, how do you capture those texts?

DIR said: this is just a bad policy. DIR uses Office 365, but otherwise it is very difficult to achieve compliance with non-agency-issued devices. The best plan of attack for the City might have to be human training, and perhaps to focus that training on the most important records creators (e.g., not trying to train all City employees, but making a concerted effort to train the elected officials).

In the end…

We’ll be posting a separate article about the RMICC Biennial Report (PDF), but I urge you to take a look at Appendix A, the report of the Best Practices Committee (it starts on page 16 of the PDF). The report, written by experts from TSLAC, DFPS, Texas Supreme Court, and several large universities and other agencies, makes recommendations from three work groups — on Electronic Records, Social Media, and Email. Stay tuned for that article, but do crack open the report!

Back to the DIR panel: Not everyone in the public sector, they said, understands the value of records retention. Records management must be embedded in the business process of the agency. It can’t be monthly or quarterly — records management must be in the fabric of the day, through the technologies the agency is already using. But again, it is the records manager’s job to make sure that he or she is enabling employees to get work done, not standing in the way of it.