Requirements for Electronic Records Management Systems (ERMS)

DRAFT 4/!/"#
$%er%ie&
This document represents a set of mandatory recordkeeping requirements for systems that capture and
manage electronic records. Records in the context of this document are defined as recorded
information, in any form, including data in computer systems, created or received and maintained by an
organization or person in the transaction of business or the conduct of affairs and kept as evidence of
such activity. Recordkeeping systems in the context of this document are defined as systems hich
capture, manage and provide access to records through time. !ore specifically, recordkeeping systems
include" #$ a set of authorized polices, assigned responsibilities, delegations of authority, procedures
and practices% policy statements, procedures manuals, user guidelines and other documents hich are
used to authorize and promulgate the policies, procedures and practices% &$ the records themselves% '$
metadata and record classification systems used to control and manage the records% and ($ softare,
hardare and other equipment. )*ational +rchives of +ustralia, ,-R./, 0lossary$
The requirements for recordkeeping outlined in this document are the identified needs for evidence
arising from various internal and1or external sources that may be satisfied through appropriate
recordkeeping actions )such as creation, capture, maintenance, preservation and access$. The sources
include legislative and other regulatory sources, industry codes of best practice, broader government
interests, external clients or stakeholders and the general public. )*ational +rchives of +ustralia,
,-R./, 0lossary$. + record that is automatically captured and managed by an 2R!/ can, in most
cases, be considered to be authentic and trustorthy by meeting these requirements.
Requirements
' (om)liance
The system must manage and control electronic records according to the standards for compliance and
the requirements for legal admissibility and security, and must be capable of demonstrating this
compliance.
'' T*e system must meet legal requirements as set fort* +y local, state, and national
la&'
''# T*e system must meet administrati%e requirements'
''- T*e system must meet national and international standards'
The standards will vary from system to system. For applicable standards, consult the
websites and publications for the following organizations:
International Organization for Standardization ISO! " http:##www.iso.ch
#
$ational Information Standards Organization $ISO! " http:##www.niso.org#
%merican $ational Standards Institute %$SI! " http:##www.ansi.org#
%II& International " http:##www.ansi.org#
''4 T*e system must meet all .+est )ractice. guidelines'
&any national organizations have developed guidelines for their specialty areas. These
guidelines represent re'uirements that are generally accepted practices or industry
standards.
'# Record (a)ture
The term capture represents the processes of registering a record, deciding hich class it should be
classified to, adding further metadata to it, and storing it in the 2R!/.
-t is recommended that, henever possible, the capture function be designed into electronic systems so
that the capture of records is concurrent ith the automatic creation of records.
'#' T*e system must ca)ture a record for all defined functions and acti%ities'
(ecords may be captured within a system manually or by automatically by the system
itself either as part of the system)s wor*flow or through a batch process. The type of
business processes should determine the e+act method of creation.
'#'# T*e system s*ould ca)ture records t*roug* an automated )rocess'
Ideally, the capture of records would occur automatically without human intervention.
This could be done utilizing a business process or a wor*flow engine.
'#'- T*e system must ca)ture all metadata elements s)ecified during t*e system design
)rocess, and retain t*em &it* t*e record in a tig*tly +ound relations*i)'
'#'4 T*e system must ensure t*at records are associated &it* a classification sc*eme,
and are associated &it* one or more electronic files'
,lectronic files can be defined simply as a set of electronic records. % file is a
group of records accumulated and *ept together because they deal with the same sub-ect,
activity or transaction. In other words, there is some common bond or relationship
between records in a file. ,lectronic files need not have real e+istence. often they are
virtual entities and e+ist because the metadata attributes of the records and the
application software allows users to view and manage folders as if they physically
contained the records assigned to them.
'#'/ T*e system must register t*e record +y assigning it a unique identifier and
documenting t*e date and time &*en t*e record entered t*e record0ee)ing system'
%n identifier is an attribute that distinguishes individual instances of a record or file
within a system. It is recommended that the identifier be a number or
alphanumeric se'uence that is automatically and randomly generated.
&
'#'1 T*e system must maintain a logical relations*i) +et&een t*e record and t*e
transaction it documents'
'#'2 T*e system must allo& a com)ound document to +e ca)tured as a single record'

Some electronic records, such as web pages with graphics or e/mail messages with
attachments, are composed of more than one component. The system must capture all of
these components and maintain them as one record. This means maintaining the
relationships between the components to ensure future retrieval, rendering, management,
and retention or disposal.
or,

T*e system must allo& a com)ound document to +e ca)tured as lin0ed sim)le
records'

In this strategy, each part of the compound record will be captured separately then lin*ed
to the other parts.
'#'3 T*e system must su))ort %ersioning'
Sometimes, records have more then one version that must be captured. The system must
allow either the capture of all versions as one record or the capture of each version as
separate records. In the later case, a version number should be added to the metadata.
'#'! T*e system must +e ca)a+le of ca)turing transactional documents generated
+y ot*er systems' 4n t*e case of large, centrali5ed $6T7 systems, t*e ERMS must
allo& for t*e +ul0 ca)ture of records created or maintained in t*ese systems'
Transactional records such as invoices or purchase orders can often be captured as batch
file imports from other systems. The system must allow for this bul* transfer and must
provide methods for ensuring data integrity and the capture of all essential metadata.
'#'" T*e system must +e a+le to ca)ture a %ariety of different ty)es of documents' T*ese
must include records from on8line transaction )rocessing systems ($6T7),
data+ases, scanned documents, t*e most commonly used office documents and e8mail
messages'
In some cases, it would be impractical for a system to capture all document types. 0efore
building a system, management should decide the document types that must be captured.
'#' T*e system must +e integrated &it* t*e e8mail system, and e8mail must +e ca)tured
and registered eit*er +y requiring t*at users ca)ture selected e8mail and/or +y
)ro%iding an automated )rocess for ca)turing t*e e8mail messages'
'#'# T*e system must ensure t*e relia+ility of t*e ca)ture )rocess'
'
To ma*e a system li*e this wor*, the capture process must be reliable as records are
migrated from the creating system or storage medium to the ,(&S. (ecords cannot be
lost or changed during the capture process.
'- (lassification Sc*eme
3lassification is the systematic identification and arrangement of records into categories according to
logically structured conventions, methods, and procedural rules represented in a classification scheme.
The classification scheme, sometimes also called a file plan, is a diagram, table, or other representation
categorizing the creator4s records, usually by hierarchical classes, and according to a coding system
expressed in alphabetical, numerical, or alphanumeric symbols. The benefits of a good classification
scheme are #$ providing linkages beteen individual records% &$ ensuring records are named in a
consistent manner over time% '$ assisting in the retrieval of all records related to a particular activity% ($
determining appropriate retention periods for records% 5$ determining security protection appropriate for
sets of records% 6$ allocating user permissions for access to or action on particular groups of records% and
7$ distributing responsibility for management of particular sets of records. )TR-! and +/ ('89
Records !anagement /tandard$.
There are many types of classification schemes, but the one recommended by this document is a scheme
based an articulation of the functions and transactions of the organization derived from the analysis of
business processes. The business classification scheme represents and describes functions, business
processes, transactions or other elements, and shos their relationships. The number of levels ithin the
scheme can vary depending on the level of refinement required and ho the scheme ill be used. The
structure of the scheme is hierarchical, moving from the general to the specific. 2ach function has
business processes and each process )linked to the function$ has categories of transactions that are
encountered. -n other ords, a classification scheme based on a rigorous classification of business
processes means that records are classified on the basis of hy they exist )their function or the business
event that caused the record to be brought into existence$, rather than on the basis of hat they are about
)their sub:ect$. +s such, the focus of classification is the conte+t of a record;s creation and use, rather
than the content of the record itself. )*ational +rchives of +ustralia, ,-R./, 0lossary$
+ thesaurus often supports classification schemes. + thesaurus is a complex alphabetical listing of all
terms derived from a classification scheme. /uch tools act as a guide in the allocation of classification
terms to individual records. -n a thesaurus the meaning of the term is specified and hierarchical
relationships to other terms are shon. + thesaurus should provide sufficient entry points to allo users
to navigate from terms hich are not to be used to the preferred terminology adopted by the
organisation. )*ational +rchives of +ustralia, ,-R./, 0lossary$. -n particular, it is important to
create a function thesaurus, hich contains keyords, descriptors and forbidden terms that describe the
unique business functions and processes of an organization.
'-' T*e system must su))ort and +e com)ati+le &it* t*e organi5ation9s or t*e
a))lication9s classification sc*eme'
1hen the classification scheme is non/e+istent or only partially constructed, or when
designing a new system, it is strongly recommended that the classification scheme be
based upon business processes and the identification of the business transactions that
create records.
(
'-'# T*e system must automatically assign a))ro)riate classification metadata to records
and files and to classes &it*in t*e classification sc*eme at t*e )oint of creation and
ca)ture'

'-'- T*e system must ensure t*at t*e aut*ori5ation to reclassify, add, delete or ot*er&ise
modify t*e classification sc*eme is carefully controlled and monitored'
'4 Aut*enticity
To be authentic in archives and records management, a record must be genuine, or be hat it claims to
be. +uthenticity is conferred to a record by its mode, form, and1or state of transmission, and1or manner
of manner of preservation and custody. )<niversity of =ritish 3olumbia 2lectronic Records >ro:ect$. -n
order to trust that a record is authentic, the user must be assured that the systems that create, capture, and
manage electronic records maintain inviolate records that are protected from accidental or unauthorized
alteration and from deletion hile the record still has value. The folloing requirements must be met to
ensure that a record4s integrity can be proven.
'4' T*e system must maintain secure and in%iolate records, including record content
and metadata t*at documents content, conte:t and structure'
2reserving an inviolate record and all record components is absolutely vital for proving
the authenticity of records. To ensure that records are protected, the system must control
access to its records and log access through audit trail functionality discussed in Section
34.!. In some cases, a record may be modified as part of a business process.
&odifications of this type may be handled through version control, or a department of
organization may elect to transfer the record to an ,(&S until it is complete.
'4'# T*e system must ensure t*at records cannot +e deleted +y any means e:ce)t as
directed +y a retention sc*edule'
'4'- T*e system must undergo regular and systematic audits to %erify system integrity'
Software bugs and insecure access points, along with other problems, can destroy the
authenticity of the records a system contains. (egular system audits can help prevent
these problems.
'/ Audit Trails
+ system audit trail is a record that tracks operations performed on the system. -n essence, the audit trail
documents the activities performed on records and their metadata from creation to disposal. These
activities may be initiated by users, system administrators, or by the system itself by means of automatic
processes. The audit trail typically documents the activities of creation, migration and other
preservation activities, transfers or the movement of records, modification, deletion, defining access, and
usage history. =y maintaining evidence of activities undertaken on records and files, a detailed audit
trail is critical for ensuring that a system meets all basic requirements for a viable records management
environment.
5
'/' T*e system must maintain audit trails for all )rocesses t*at create, u)date or
modify, delete, access and use records, categories or files of records, metadata
associated &it* records, and t*e classification sc*emes t*at manage t*e records'
These processes include, but are not limited to, creation, import or e+port process,
modifications, transfer, destruction, deletion, access and use of a record, electronic files,
metadata, classification schemes, and disposition schedules.
%t a minimum, it trac*s:
what data or information was accessed, added, deleted or modified.
who performed these functions. and
when they were performed.
'/'# T*e system must automatically ca)ture t*e audit trail'
The system must trac* events without manual intervention, and automatically stores
information about these activities in the audit trail.
'/'- T*e audit trail data must +e unaltera+le'
The system must ensure that audit trail data cannot be modified in any way.
'/'4 T*e audit trail must +e maintained for as long as required +y la& or )olicy or to
facilitate continued access to records'
%t a minimum, the audit trail must be *ept until the records it refers to are destroyed.
,ven after record content is destroyed, however, some audit data should be retained
relating to the retention and destruction of the record.
'/'/ T*e audit trail must +e logically lin0ed to t*e records t*ey document, so t*at users
can re%ie& audit information &*en t*ey retrie%e records'
This logical relationship must be maintained even when the records and audit are stored
in different systems.

'/'1 T*e audit data must +e a%aila+le for ins)ection or e:)ort (&it*out affecting %ital
audit trail data) +y aut*ori5ed users &it* little or no e:)erience &it* t*e system'
This re'uirement is necessary to enable users such as internal or e+ternal auditors to
investigate system activity.

'/'2 T*e system must maintain +asic system documentation and audit trails of system
modifications as long as t*ey are required to facilitate continued access to records'
This includes trac*ing all changes made to system hardware or software and to
administrative parameters such as changing user access rights.
6
'/'3 T*e system must )ro%ide re)orts for actions ta0en on +asis of audit trail data'
The department or organization will determine what audit trail reports are needed and
how they are organized. 2ossible reports include, but at not limited to, a chronological
listing of activities for the entire system. a listing of activities involving an individual
record, file, or class. a listing activities ta*en by a particular user. and a listing of
activities ta*en at a particular wor*station.
4m)lementation ;ote< /ince the volume ill be quite large, on?line audit trail data may
periodically be moved to off?line storage. +lso, some audit trail data may be deleted once the
records referred to are destroyed according to an approved retention schedule. -n some cases,
management may decide that some activities do not need to be recorded. *otations about all of
these issues and their results must be kept ith the system documentation or ithin the audit trail
itself.
'1 Metadata
-n the context of archives and records management, metadata is structured or semi?structured
information that documents the creation, management and use of records through time and across
domains. Recordkeeping metadata can identify, authenticate and contextualize records and the people,
processes and systems that create, manage and use them. /pecific -< !etadata /pecifications are listed
in a separate document.
'1' T*e system must +e ca)a+le of e:tracting metadata elements automatically
from records &*en t*ey are ca)tured'

'1'# T*e system must )ermit metadata %alues to +e retrie%ed and ca)tured from loo0u)
ta+les or from calls to ot*er soft&are a))lications'
'1'- T*e system must allo& creators of records to enter manually )ertinent record
metadata t*at cannot +e ca)tured automatically'
'1'4 T*e system must su))ort t*e %alidation of metadata t*at is entered +y users, or
metadata t*at is im)orted from ot*er systems'
'1'/ Metadata must +e logically lin0ed to t*e records, files, and classes it documents, so
t*at users can re%ie& metadata information &*en t*ey retrie%e records'
'1'1 T*e system must allo& for t*e modification or reconfiguration of metadata sets, +ut
t*e aut*ori5ation to ma0e c*anges must +e restricted'
'2 Security and (ontrol
The system must include quality control mechanisms to ensure that consistent and accurate business
records are created.
7
'2' T*e system must allo& only aut*ori5ed )ersonnel to create, ca)ture, u)date or
)urge records, metadata associated &it* records, files of records, classes in
classification sc*emes, and retention sc*edules'
'2'# T*e system must control access to t*e records according to &ell8defined criteria'
% user must never be presented with information that he or she is not permitted to
receive. The criteria for access will vary according to the type of data or records
contained in the system.
'3 Retention and Dis)osition
The system must include an automated, schedule?driven disposition management plan.
'3' T*e system must )ro%ide for t*e automated retention of records &it* long8term
%alue in accordance &it* aut*ori5ed and a))ro%ed record retention sc*edules'
'3'# T*e system must )ro%ide for t*e automated destruction of records in accordance
&it* aut*ori5ed and a))ro%ed records retention sc*edules'
'3'- T*e system must +e ca)a+le of associating a retention sc*edule &it* all records,
record metadata, files, or classes of a classification sc*eme'
'3'4 T*e system must automatically )ro%ide for t*e notification and a))ro%al of
designated )ersonnel in ad%ance of dis)osition acti%ities'
'3'/ T*e system must )ro%ide for t*e interru)tion of dis)osition acti%ities on records or
classes of records t*at *a%e +een or are e:)ected to +ecome t*e su+=ects of litigation'
'3'1 >it*in t*e system, e%ery record in a file or class of records must +e go%erned +y t*e
retention sc*edule associated &it* t*at file or class'
'3'2 T*e system must allo& t*e administrator in c*arge of sc*edules to c*ange or amend
sc*edules associated &it* records at any )oint in t*e life of t*e record'



'! 7reser%ation Strategies, ?ac0u)s and Reco%ery
The system must incorporate a strategy or plan for backing up and preserving records.
'!' T*e system must ensure t*at records, com)onents of records, audit trails, metadata,
lin0s to metadata or to files, and classification sc*emes can +e con%erted or
migrated to ne& system *ard&are, soft&are and storage media &it*out loss of %ital
information'
'!'# T*e system must )roduce a re)ort detailing any failure during a con%ersion or
transfer and identifying records t*at &ere not successfully e:)orted'
@
'!'- T*e system must retain all records t*at *a%e +een e:)orted until confirmation of a
successful transfer )rocess'
'!'4 T*e system must )ro%ide automated )rocedures t*at allo& for t*e regular +ac0u)
and reco%ery of all records, files, metadata, and classification sc*emes'
0ac*up procedures must not be regarded as substitute for a preservation strategy based
on procedures for conversion or migration of records on a regular schedule.
'" Access and @se
The system must ensure access to and use of business records for current business and future research
needs.
'"' T*e system must ensure t*at records can +e easily accessed and retrie%ed in a timely
manner in t*e normal course of all +usiness )rocesses or for reference or secondary
uses'
'"'# T*e system must allo& all record content and all record and file metadata to +e
searc*a+le'
'"'- T*e system must allo& searc*ing &it*in an electronic file, across files, at any le%el
in t*e classification sc*eme *ierarc*y'
'"'4 T*e system must ensure t*at all com)onents of a record or file, including contents,
rele%ant metadata, notes, attac*ments, etc', can +e accessed, retrie%ed and rendered
as a discrete unit or grou) and in a single retrie%al )rocess'

' Documentation
+ll system policies and procedures must be defined and documented. This documentation helps to
ensure continuing access to records ithin the system, and can be used to help prove the authenticity of
a record.
'' System administrators must maintain )olicy and )rocedural documentation'
The documentation should include at a minimum an overview of the purpose and uses of
the system. policies and procedures for system operation and maintenance, 'uality
control, security, testing, and records retention. and software#hardware specifications
and operation.
''# Documentation must +e accurate and u)8to8date'
''- Documentation must +e &ritten clearly and concisely'
''4 Documentation must readily a%aila+le and accessi+le'
''/ Documentation must +e retained according to a set retention sc*edule'
8
'# System Testing
T*e )erformance and relia+ility of system *ard&are and soft&are must +e regularly tested'
The e+act nature of the tests will depend on what is appropriate for particular hardware and software,
and will be defined by system support personnel in con-unction with appropriate 5niversity departments
such as the 5niversity %rchives, Internal %udit, and the 5niversity Information Technology Security
Office.
'- ;on8Electronic Records
T*e system must +e ca)a+le of classifying and managing non8electronic, )*ysical records and of
managing electronic and non8electronic records in an integrated manner' T*is means t*e system
must +e a+le to classify, create and retrie%e audit information and ot*er metadata, control access
and define security, and a))ly retention and dis)osal sc*edules for non8electronic records
according to t*e same requirements t*at *a%e +een defined for electronic records'
;ote< The -< Requirements are modeled to a large degree on the !odel Requirements for the
!anagement of 2lectronic Records )!oReq$ commissioned by the -,+ >rogramme of the 2uropean
3ommission.
#9