Electronic Records, Third-Party Systems, and Contracts

(Authors: Maria Freed and Sarah Swanson)

Content Disclaimer

The guidance provided below does not constitute legal advice. Instead, it is intended to provide general information as a resource for records management teams.

Take a moment to think about the systems your local government or agency uses to manage its electronic records. What would your ideal Electronic Document and Records Management System (EDRMS) look like? Could something be lacking in your contract with your EDRMS vendor? What do you think you would like to see in a contract with an EDRMS vendor the next time you shop for a new system? What are some of the things you look for, or require, in your contract with your EDRMS vendor to avoid being stuck with a system that will not work well for your local government or agency? As you know, these questions only scratch the surface of all the considerations you could make when deciding what is best to manage your records and the direction your records management team needs to take. To prepare before you select an EDRMS system, or to reassess the system and the contract you may already have, use the following checklist as a launchpad to reflect and to plan your next step.

Contract Checklist

The contract covers the security of the records.

  • Those who have access to the records are…
  • Access is granted by…
  • Those who have the authority to make changes are…
  • The vendor is required to inform us within [specify timeframe] in cases of security breaches.
  • Regarding back-ups, the vendor will…
  • Regarding disaster recovery, the vendor will…

The contract acknowledges the local government (or agency) as the owner of the records with absolute authority over the same.

  • The language in the contract regarding the ownership of the local government’s (or agency’s) records is not open to more than one interpretation.
  • The local government (or agency) can easily carry out disposition of their records, including any back-up copies.
  • The local government (or agency) can easily assign retention periods based on the appropriate retention schedule.

The contract is unambiguous about what the vendor will do to accommodate if the local government (or agency) needs a feature or a customized service that will allow it to manage its records better.

The contract’s termination clauses also cover the following needs:

  • If the local government (or agency) does not plan to renew the contract (or maximum number of renewals reached), the contract language is clear about what will happen to the records when the contract ends.
  • If the local government (or agency) terminates the contract early, the contract language is clear about what will happen to the records.
  • The local government (or agency) will still be able to retrieve its records easily if a) or b) happens.
    • The contract clearly states how the local government will be able to retrieve and to transfer its records safely and completely.
    • The contract clearly states when the local government (or agency) will be able to retrieve all its records (e.g., “Agency X will receive all its records within [clear timeframe].”).

As applicable, the contract considers or conforms to local government or agency records management laws.

Records Management Laws and Rules

Local governments and state agencies should be familiar with all the records management laws and rules, but here are just a few excerpts regarding electronic records and third-party providers:

  • Bulletin B requires the following of local governments:
    • §7.73. Policies and Procedures
      (b) A local government’s policies and procedures must:
      (1) Establish a component of the local government’s active and continuing records management program to address the management of electronic records created, received, retained, used, transmitted, or disposed of electronically, including electronic records maintained or managed by third-party custodians or other external entities;
    • §7.74. Minimum Requirements for all Electronic Records
      (a) Each local government must:
      (1) Manage electronic records according to the local government’s records management program and records retention schedule regardless of format, system, or storage location;
      (2) Maintain ownership and responsibility for electronic records regardless of where the record originates or resides, including, but not limited to, external electronic records systems, third-party custodians, and social media platforms;
      (9) Require all third-party custodians of records to provide the local government with descriptions of their business continuity and/or disaster recovery plans pertaining to the protection of the local government’s essential records.
  • Bulletin 1 requires the following of state agencies:
    • §6.93. Policies and Procedures1) An agency’s policies and procedures required by this section shall include these elements:
      (A) Establish a component of the agency’s active and continuing records management program to address the management of electronic state records that includes the management of electronic state records created, received, retained, used, transmitted, or disposed of electronically, including those electronic state records in the possession of the state agency, vendors, or other third parties (i.e., telecommunication, social media, etc.);
    • §6.94. Minimum Requirements for all Electronic State Records
      (a) Each state agency must:
      (1) Manage electronic state records according to the state agency’s records management program and certified records retention schedule regardless of format, system, or storage location;
      (2) Maintain state agency ownership and responsibility for state records regardless of where the record originates or resides, including but not limited to cloud computing services and social media sites;
      (9) Require all third-party custodians of records to provide the state agency with descriptions of their business continuity and/or disaster recovery plans as regards to the protection of the state agency’s vital state records.
    • §6.95. Additional Record Requirements for Archival, Permanent, and Vital Electronic State Records
      (4) Vital: Vital electronic state records must be included with special provisions in state agency records management policies and procedures and the state agency records management program and the state agency must:
      (E) Require all third-party custodians of records holding records on behalf of the agency to provide the state agency with descriptions of their business continuity and/or disaster recovery plans as regards to the protection of the state agency’s vital electronic state records.

Final Tips

  1. Know and understand the details of the termination clauses of your contract. This will clarify how convenient or difficult it could be to move on to a new provider’s system if your local government or agency decides that is the best route to take.
  2. Make sure the system you choose to use makes it easy to follow the local government and state agency records management laws and rules.
  3. Verify that your contract leaves no doubt that your local government or agency is the owner of its records.
  4. Consult your IT department and your legal team:
    • when deciding to select a vendor for your electronic records.
      • How easy or difficult will it be to manage our records using this system (e.g., organization, assigning retention periods, carrying out disposition [destruction or transfer], labeling or indexing for easy tracking and locating of record types, etc.)?
      • How easy or difficult will it be for us to move our records from one vendor’s system to another if we want to use a new vendor?
    • to build a contract that works for your local government or agency.
    • to resolve issues where the contract or the vendor’s system fall short.

Related Resources:

What do you think would be helpful to have in the checklist above? Add what has worked for you, or any other feedback you would like to provide, in the comment section below.

⚠The content provided above, including any comments that may be written below, should not be taken as legal advice.

Like it? 1

Leave a Reply

Your email address will not be published.