Previously, we discussed Creating Records at Home, Part I: Microsoft Teams and Part 2: Zoom. In this article, we’re going to discuss the hypothetical situation of a records manager’s worst nightmare come true: employees creating records outside of the office’s network. A best practice for efficient managers is to analyze hypothetical risk to know how to prevent and address the risk if it were to ever occur.
What is the risk?
Records created and stored outside the business network are in contravention of the government records accessibility requirement—this negatively affects that government’s ability to perform regular business operations efficiently. If an employee left the company before the records were transferred, this could increase the risk of losing the former employee’s records—moreso than if the records were stored on the office’s normal server. This could result in the government office losing the ability to properly manage and dispose of government records. It could also increase security risk, especially if the records are on an employee’s personal device. For a deeper dive into potential consequences check out: Data and Disposition: How Disposition Protects Loss of Privacy in a Data-Driven World and FAQ: Why Use a Disposition Log?
Transferring the records over as soon as possible is important; however, properly transferring the records over is almost as important as the act itself. Advising the employee to transfer all existing files outside of the network into the network increases the risk of the employee transferring duplicative and transitory records that will increase server capacity and cost. Therefore it is important to:
- Establish open communication channels;
- Create easy-to-follow guidance and procedures; and
- Identify necessary outside support (your IT department and TSLAC, for example).
Plan the work and work the plan
Create a safe communication channel with the employee. You want the employee to be honest about the amount and types of records they have created, the records’ locations, and why the event happened. It will help you, as the RMO, identify any gaps in the employee’s records management knowledge and your office’s existing conditions that may hinder proper records management execution. Some examples might include remote technical setup, policies and procedures, updates to remote company expectations, or identifying your role to employees so they know where to go for records management guidance.
Inform the employee of the consequences associated with losing the government records and the high security risk the event creates. For example, it is risky if the employee is storing records on a cloud-based application, because your office may lose access to the application and any record copies of a government record would be lost with the accessibility. See “How Does Records Management Benefit Us, Anyway?” for benefits and risks associated with records management.
A base level understanding of records management is necessary; the employee will be identifying record copies as distinct from convenience copies and determining if the records can be deleted immediately; so it is necessary for them to understand what the terms “transitory” and “custodianship” means. For more guidance on custodianship of records check out: FAQ: Who is the custodian of this record? and Records Custodians: Why It’s a Great Idea to Appoint Them.
Create simple, clear, and targeted guidance for the employee and their records. Anything too strenuous on the employee will raise the chance of losing any buy-in gained and will pose a risk of the records not being transferred if working-from-home conditions quickly change.
This is where identifying sources for support comes into play. If you need help establishing records management information, reach out to discuss with your Government Information Analyst about any retention periods or procedures you are uncertain about. You may also may need to have a discussion with IT in order to understand how the employee will be migrating records back into the network. This will increase your awareness of any potential applications that will host records throughout the transfer process that will then themselves require proper management—such as a cloud storage application, which generally allows you to upload, manage, share, and download files.
When analyzing what records exist on the out-of-network device, ensure the employee reviews every folder to ensure every record is accounted for. These folders will be easy to start with, because they will most likely contain records that are easy to distinguish from convenience copies: Downloads, My Pictures, My Videos, and My Received Files. For example, the employee can immediately delete that photo they downloaded from Google and did not edit.
Organizing and Naming
Ultimately, it may be difficult for an employee to identify records that need to be retained from records that can be properly disposed. For those unclear records, advise the employee to add “ – Potentially Dispose” to a file’s name. Advise the employee to transfer any records that they are unclear about and to reach out to you for guidance.
To achieve an easy migration process, advise the employee to rename any generic file names with descriptive names (e.g. Instead of “Notes,” label the file “Conference X Notes – 2021-01-01”). This file name will help identify any duplicative copies or records the employee is not the custodian of, or add what folder the file was located to the file’s name (e.g. instead of “Document 1,” label the file “Projects Doc 1 – 2021-01-01”). This file name helps identify the file’s shared drive location once the file is transferred.
Advise the employee to compile all of the files that need to be transferred to one folder. Tip: Label the folder ‘‘TRANSFER TO [CLOUD STORAGE APPLICATION]”.
For records that will need to be on your office’s disposition log before the employee can delete the file, advise the employee to move the records to one compiled folder. Tip: Label the folder “READY FOR DISPOSITION LOG.’” Inform the employee that anything within this folder will require your guidance and approval before the employee can hit [Delete].
An ounce of prevention
During remote conditions, prevention is the key to mitigating this risk. Some ways to do that are:
- Ensure your company’s remote working condition policies and procedures have clear guidelines and rules for employees managing records remotely. If they do not, update them. If they do, ensure employees have confirmed that they have read and understood the guidelines.
- It may be valuable for you to seek an IT-approved list-making application for employees to use during remote conditions. A list-making application allows employees to track and compile associated project and tasks material into one platform. This cuts down on the chances of employees creating various draft documents to save relevant hyperlinks or associated notes to their projects and tasks. Unless otherwise discussed with your IT department, ensure the employees remain conscious of only including non-sensitive information on the application.
- Send out reminders of employee expectations for creating work-from-home records. Remind employees to work inside of the government’s network. If for some reason a record is created outside of the network, advise employees to email the record to themselves immediately. Include the file name in the email’s subject line, to help easily identify the record.
- Some graphics that you may want to include in your expectation reminders or to get the conversation started: