Information governance opportunities
Information governance (IG) is a term that has been circulating widely among records managers in recent years. While the customers of commercial records and information management (RIM) companies are aware of the concept, they may not be doing anything about it yet, said William Saffody, a RIM specialist and researcher based in New York City.
Saffody delivered a keynote session titled “Trends and Developments in Information Governance and Records Management” during the 2015 PRISM International Annual Conference, which was May 17-20 in San Antonio at the Hyatt Regency Hill Country Resort and Spa.
He explained that one of the ways IG is different from information management is the diversity of the stakeholders involved. These stakeholders include representatives from records management, IT, legal, security (including information security), risk management, compliance, business units and archival administration. Each of these stakeholders has different responsibilities related to IG, he said.
IG also involves establishing “a strategic and policy framework that defines accountability and responsibility,” Saffody said, while management involves the daily “execution of specific business operations or activities.” He added, “Management occurs within the context of strategies and policies defined by the governance framework.”
Saffody provided advice for commercial RIM service providers who would like to help their clients address issues related to IG, saying that few organizations can manage information governance effectively internally.
“Cost-effective records storage remains important, but information governance is concerned with issues beyond records management,” he said.
Saffody recommended that commercial storage providers emphasize services that address stakeholder roles and responsibilities, such as assuring compliance with legally mandated retention requirements; secure storage that prevents unauthorized access to personally identifiable information or protected health information; and secure, defensible destruction of old information.
“Information governance broadens the range of issues commercial storage services can address,” he said, adding that some IG stakeholders often have greater budgetary resources than the records management unit does. “Commercial storage charges seem reasonable compared to other expenditures for these stakeholders,” Saffody said.
However, he also identified some factors that are working against commercial RIM service providers in the area of IG. Saffody said the emphasis on digital information resources marginalizes paper recordkeeping for some stakeholders. “Cost-effective storage of paper records is no longer viewed as the solution to an important problem,” he continued. “Paper records in commercial storage are viewed as a legacy accumulation to be phased out. Some IG stakeholders believe this can be easily accomplished.”
Therefore, he advised conference attendees to provide a service for electronic records that mirrors the services they provide for paper records. However, Saffody added he isn’t seeing many records management companies offering a hosted solution for digital records management currently, though the software exists to do so. “It would allow electronic records to be handled in the same way as paper records,” Saffody said. “It would require little investment by the commercial records center.”
Illinois Attorney General sues records management firm
Illinois Attorney General Lisa Madigan has filed a lawsuit against FileFax, a Chicago-area document storage company, for allegedly exposing thousands of medical records containing patient names, birth dates, Social Security numbers and other sensitive personal information.
In the suit, filed May 5, 2015, she alleges FileFax failed to protect sensitive patient information after hundreds of files containing medical records were discovered in February in a dumpster outside of the company’s Northbrook, Illinois, office.
The records belonged to patients of Suburban Lung Associates, which contracted with FileFax to maintain and destroy its patient medical records.
The suit alleges that the “defendant’s conduct is ongoing and has the potential to impact Illinois consumers whose health care provider uses or has used FileFax’s services.”
Fast fact
According to the 2015 Security Tracker survey, 63 percent of C-suite executives surveyed say they have a protocol for storing and disposing of confidential data that is strictly adhered to by all employees, up from 51 percent in 2014.
Canada amends Personal Information Protection and Electronic Documents Act
The Canadian chapter of the Phoenix-based National Association for Information Destruction (NAID-Canada) has welcomed the House of Commons’ passage of Bill S-4 June 17, 2015. This bill has received royal assent and is now law. It amends Canada’s private sector privacy law, Personal Information Protection and Electronic Documents Act (PIPEDA), to include provisions requiring organizations to maintain a record of all privacy breaches and to send breach notifications. In addition, the privacy commissioner of Canada now can assess fines of up to $100,000 for organizations that fail to meet these standards.
“As evidenced by regular news headlines, too many privacy breaches are still the result of simple but careless actions, such as leaving documents containing personal information in garbage containers and recycling bins or stored on discarded electronic equipment,” says Kristjan Backman, chairman of NAID-Canada. “These breaches are easily avoidable by ensuring your information is safely destroyed at the end of its life cycle,” he adds.
In Brief
Stericycle to acquire Shred-it
Stericycle Inc., Lake Forest, Illinois, has entered into an agreement to acquire Shred-it International, Toronto, for $2.3 billion in cash. Stericycle says the acquisition will strengthen its growth opportunities by providing an additional business-to-business compliance solution. Upon closing, Shred-it will become a wholly owned subsidiary of Stericycle. Read more online at www.SDBmagazine.com/stericycle-purchases-shredit.aspx.
Ray Barry departs NAID
Ray Barry, deputy executive director for the National Association for Information Destruction (NAID), Phoenix, stepped down from his position July 31, 2015, to pursue a sales job with long-time NAID associate member company Vecoplan LLC, Archdale, North Carolina. (See page 31 for more information.) NAID CEO Bob Johnson says Shred School will continue and Barry will remain involved.
Kent Record Management expands with purchase
Grand Rapids, Michigan-based Kent Record Management Inc., a provider of records management and related services, has acquired the customers of Steven’s Record Management, Lansing, Michigan. The acquisition further expands Kent Record Management’s client base and scale of operations throughout mid-Michigan. This purchase marks Kent’s seventh acquisition.
Subsequent to the House of Commons passing S-4, NAID-Canada released a statement recommending all organizations perform a compliance check to ensure they meet privacy standards, including an assessment of their document destruction practices.
“Too often, members forget that much of NAID’s international success results from its global understanding of secure destruction issues,” says NAID CEO Bob Johnson. “It is just one more way we act as the voice of the industry.”
NAID-Canada is a NAID committee focused on promoting Canadian policy development and advancing the interests of Canadian secure destruction service providers.
Parkview Health System reaches settlement
Parkview Health System Inc., Fort Wayne, Indiana, has agreed to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule with the U.S. Department of Health and Human Services’ (HHS’) Office for Civil Rights (OCR). The health system will pay $800,000 and adopt a corrective action plan to address deficiencies in its HIPAA compliance program, HHS reports.
OCR opened an investigation after receiving a complaint from a retiring physician who said Parkview violated the HIPAA Privacy Rule by leaving cardboard boxes of medical records unattended on the driveway of the physician’s home.
The Resolution Agreement can be read at http://1.usa.gov/1NzBNra.
CRMI staff members receive certification
Members of Greenville, North Carolina-based Confidential Records Management Inc.’s (CRMI’s) senior management have been certified by the International Association of Property and Evidence (IAPE), Hot Springs, South Dakota.
The IAPE says it is the world’s largest organization dedicated to the proper management of property and evidence.
CRMI’s Gail Bisbee, president and CEO; Holly Willis, account manager; and John Wood, vice president of operations, earned the Corporate Certified Property and Evidence Specialists (CCPES) designation, which certifies that they have completed training and demonstrated the knowledge of property and evidence professional standards through testing.
“The handling and storage of property and evidence is a growing concern for many in the law enforcement field,” says Bisbee. “With budget, space and staffing constraints, property and evidence maintenance can be a challenge.”
She continues, “CRMI is proud to have the knowledge and resources to assist law enforcement agencies in their efforts to ensure the chain of custody and protect the integrity of the items they need to secure.”
A Shred Ahead adds Houston to its service area
A Shred Ahead, a document destruction company based in Durham, North Carolina, has extended its service area to include Houston. The company says it has established a permanent presence in this market, expanding its ability to serve the greater state of Texas.
John Chapman, co-owner of A Shred Ahead, says, “The entire A Shred Ahead team is thrilled to begin serving the Houston, Texas, market with our fast, reliable paper shredding and document destruction services. The careful, calculated expansion of our company’s service coverage has been a focus of ours for the past few years, and establishing a permanent presence in Houston is a major milestone for us.”
Mobile Shredding Association to randomly audit members
The Mobile Shredding Association (MSA), Brunswick, Georgia, changed to a certified-only membership model in January 2015. While certified status is based on self-certification, the association recently announced that it will perform unannounced, random audits of its members to ensure certification requirements are being upheld.
MSA President John E. Miller, WesTex Document Inc., Lubbock, Texas, says PRISM International’s Privacy+ program began with self-audits before moving to third-party audits. He says MSA’s certification will evolve similarly.
During the application process, MSA members agree that their companies will consent to unannounced, random audits conducted by MSA as a condition of membership. If a member company is selected for an audit, it must immediately make available the requested documentation pertaining to certification requirements, the association says. If a company cannot provide these required documents, its membership/certification will be revoked and removed from the MSA website pending further review.
During this review stage, MSA members have 10 days to demonstrate that they meet the certification requirements. Their memberships will be terminated if they are unable to do so.
Membership/certification requirements are listed on the membership application, which can be accessed online at http://mobileshreddingassociation.com/images/membership-application.pdf.
File Management Pros receives certifications
File Management Pros LLC (FMP), a records and information storage and management company based in Jeffersonville, Indiana, has announced that it has received Professional Records and Information Management (PRISM) International Privacy+ Certification along with Statement on Standards for Attestation Engagements (SSAE No. 16) (SOC 1) type I certification. FMP says it has the proper internal controls and processes in place to deliver high-quality services to its clients.
FMP underwent a third-party audit conducted by KirkpatrickPrice, headquartered in Tampa, Florida. In accordance with SSAE 16, the SOC 1 type I audit report includes FMP’s description of controls and the auditor’s opinion regarding the fairness and suitability of internal controls placed in operation to achieve the specified control objectives. The Privacy+ Certification is designated upon the completion of this attestation.
According to FMP President Tony McEwen, these certifications have been achieved by fewer than 25 records and information management (RIM) companies in the U.S.
“Security, service and reliability have always been the operating watchwords of our company, and voluntarily achieving these certifications, very shortly after they were developed, is our way to publicly demonstrate our dedication to being the best records and information management provider for all of our clients,” he says.
SOC 1 type I, established by the American Institute of Certified Public Accountants (AICPA), reports on the controls at a service organization. This report is in compliance with the SSAE 16 auditing standards and demonstrates that an organization has adequate controls and processes in place.
Owned and administered by PRISM International, headquartered in Chicago, Privacy+ is an international certification program open to companies that provide outsourced storage and protection of hard-copy records and offline removable computer media.