Information Literacy and Records Management

February 9th, 2018

George Despres, CRM
Program Director for University Records Management, Brandeis University

(The content in this blog reflects the opinions of the author, and not of Brandeis University.)

A 1989 report by the U.S. Presidential Committee on Information Literacy states that “to be information literate, a person must be able to recognize when information is needed and have the ability to locate, evaluate, and use effectively the needed information.” Sound familiar? Info literacy has largely become the preserve of the library community, with a focus on teaching scholars and citizens to navigate and to differentiate the published information that confronts us. Google-search “information literacy,” and review the first several results pages to see what I mean. With little, if any, coverage of this topic in our professional discourse, I only recently made this connection myself thanks to a librarian’s presentation on it.

A keen sense of info literacy is required to execute records management and info governance functions with ethical outcomes. Like records management, info literacy has considerable social justice implications. Also, as I’ve suggested, fact denial and fake news—land mines under the librarian’s definition of info literacy—should be serious concerns for the RIM and IG professional communities as well, given our core principles of integrity and transparency. We need to be info literate, and the employees of our firms do, too. And our firms, themselves, at a corporate level.

We should incorporate the term “info literacy” with our work, because the current application of “info literacy” constrains its broader implications. Should “info literacy” exclude caution when handling sensitive info and PII? Should it exclude responsibly destroying or deleting redundant, obsolete, and trivial (ROT) info? Should it exclude intuitive and functional folder naming to enhance knowledge sharing? Should info literacy exclude emailing a link to one copy of a document rather than sending a two-MB attachment to twenty people? Should it exclude avoiding rogue apps, weak passwords, and phishing attempts? Should info literacy exclude documentary version control? Should it exclude info-intelligent employees within the enterprise? I don’t think so.

Without detracting from its scholarly and civic value, info literacy should be extended to our enterprise mission scope. For example, typical library guidance for evaluating web sites lists the following five criteria: accuracy, authority, objectivity, currency, and coverage. Again, sound familiar? These criteria certainly pertain to quality records in the context of the accuracy of the content, the authority of the author/office generating them, the desire for unbiased information flow (insofar as one can be “objective”), the currency and freshness of the content, and the coverage or scope of the subject matter. All of these properties will enhance organizational efficiency in an enterprise records context—for example, refreshing stale corporate intranet content for currency.

The selective aspect of info literacy is huge. Researchers in the MIT Sloan Management Review have observed that successful executives assemble and maintain a “personal knowledge infrastructure,” that we’re transitioning to “an attention economy,” and that “knowing what to pay attention to” will outperform the act of simply acquiring more info. Some degree of info literacy would be assumed in any such undertaking.

We can augment what “info literacy” means. In his book Infonomics, Doug Laney emphasizes that few institutions have full inventories of their information, and that many organizations fail to monetize it or treat it as an asset. This challenge represents yet another dimension of info literacy that we should pursue further by assessing and valuating our info holdings.

While back-end technology may automatically address many info literacy challenges in the future, now is now: today’s AI and natural language processing, though improving, is not yet that of our children’s generation. And while we aren’t going to make “records managers” out of everyone, the notion, promotion, and adoption of info literacy should be pursued. We’re already doing and advocating for info literacy: we just need to re-brand, expand, and own the phrase for our enterprises. We are its champions, too.

Red Teaming Your Information Governance Program

July 13th, 2017

George Despres, CRM
Program Director for University Records Management, Brandeis University

(The content in this blog reflects the opinions of the author, and not of Brandeis University.)

About Red Teaming

Have you deliberately challenged your own program plans and procedures recently? With a book on the topic, Bryce Hoffman defines red teaming as:

“a… way to stress-test strategies, flush out unseen threats and missed opportunities, and execute more successfully…. [by] making critical and contrarian thinking part of the planning process.”

Red teaming (RT), with origins in the military, involves thinking differently and more objectively about your program, looking under rocks, and grasping alternative views of the way things are. “Murder boarding,” or grilling an idea or presenter before actual product delivery, is a similar approach to cleaning up planning and execution. However, RT acts upon live environments, not just rehearsals. And while Six Sigma identifies errors and deviations in programs, RT goes beyond this by also surfacing alternative and novel ideas, observations, and ways for improving things.

Our mission is greatly challenged by the dynamics of info generation and by rapid changes to info environments. Faced with these challenges, it is easy to fall into real-time, project-to-project, status quo thinking without thoroughly questioning where we are and where we are going. Program successes can render us dangerously comfortable. Professional or departmental groupthink can likewise soften our ability to evolve in changing environments. We must beware subtle complacency by stopping and kicking the tires in order to harden our programs.

RT philosophy is familiar to the cyber security community, which employs penetration (pen) testing and white hat, self-hacking activities. However, RT has applications across the IG spectrum, beyond info security. The following focuses on applying RT to these other areas of IG.


The Psychology of It All, or the “I’m Objective” Fallacy

Drawing on decision psychology research, Hoffman outlines categories of bias and natural thinking frameworks that can impede our view of actual situations, including:

  • Confirmation bias, where we give greater credibility to info that supports what we already believe (think politics).
  • Anchoring bias, where an initial value or offer ($50,000) narrows the range of possibilities (think Shark Tank).
  • Automation bias, where we fail to question automated system output after relying on it–this threat increases in our data analytics world.
  • Outcome bias, where we assume a positive outcome resulted from the right decision rather than from luck and other factors.
  • Status quo bias, which shouldn’t need any explanation here.

There are other types of bias, and RT brings a rigor and detached analysis that helps us to overcome them.


Executing Red Team Lite, or Lean Red Teaming

How do we apply RT to our programs? The solutions depend upon our resources, and I’ll assume that most of us don’t have much. Hoffman notes a range of possibilities, from hiring consultant teams or RT facilitators, to dedicated executive or rotating teams, to ad hoc RT using bits of red team philosophy. Participant selection should balance the needs of impartiality with enterprise and industry savvy. While whole standing teams are ideal, I’d suggest that “RT lite” or “lean RT” may be more realistically employed with scant resources. This can be performed through devil’s advocacy.

Devil’s advocates have long been paired with RT exercises. In his book Originals, Adam Grant shows that effective devil’s advocates need to be legitimate and sincere in their assessment of, or opposition to, the status quo–they shouldn’t be phony role players. The good news: most of us are armed with legitimate devil’s advocacy. How? By using the pushback that our programs actually face from naysayers and outright opponents within our organizations. The pains in our behinds–our biggest detractors–are actually doing us a favor and feeding us RT ammo.

The following are pushback comments that I and some of my colleagues have actually been confronted with. You will recognize them. Think up some of your own and add them to the list.

  • Digital storage is cheap. We’re good.
  • Why should we invest so much money in e-discovery preparedness when our business only takes one or two cases to trial per year?
  • Big data can make all sorts of correlations that we can’t imagine today. We need to keep all of our data lake content to be able to harness its potential value. Data that looks useless now could be critical in the future and pay off big time. There’s a baby in the bathwater.
  • [Senior executive:] You can’t expect me not to use WhatsApp when I’m doing business on the road.
  • We have plenty of locked basement spaces on our corporate campus. Why do we need to pay more for offsite vendor storage?
  • So you’ve published the retention schedule. Is everyone really implementing its policies consistently?
  • [IT manager:] We don’t need your input on the new ERP system. This is a technology solution.
  • My department’s (generic) file share is much easier to use than the document management system, which I hate.
  • We have cyber security in place. Why should we worry about other info management functions? Sounds like a “nice to have” that we can’t afford.

Now, take some time with smart colleagues and respond to each of these with respect to your IG or RIM program. Capture your responses, state each problem, brainstorm alternative possibilities, and thoroughly review them with your group. Draw up and assign actions based on this review.

Hopefully, this serves as a modest starting point for you to apply more red team thought and approaches to your specific program. There’s further RT reading, such as Hoffman’s book (never met him) and, that can help you to apply it in a more thorough manner if resources allow. At the very least, question your IG program, belief system, and biases often. This will reduce the possibility of getting blindsided. The passive perish and the complacent crumble.

The Power of the Record

March 18th, 2017


George Despres, CRM
Program Director for University Records Management, Brandeis University

(The content in this blog reflects the opinions of the author, and not of Brandeis University.)

After some recent gloom and doom posts about future challenges to the profession and fact denial and fake news, it’s probably time to take a slightly more glass half-full perspective of our job. People in our line of work can always use a boost. And there is power in the record that can be promoted more aggressively. This may be an exercise in preaching to the RM/IG choir, but here goes….

Records and Records Management Needs Are Everywhere

Records stories permeate the daily news: the recent front page-headlining gaffe at the Oscars awards was a good (bad?) old fashioned RM error. The wrong envelope was delivered to the presenters of the most important award in the program. Shock, confusion, embarrassment, and possible disciplinary action at PWC ensued. This was one of the few instances this year when a non-political (records!) incident upstaged politics in the headlines. Speaking of politics, the last U.S. presidential election–regardless of your party affiliation or non-affiliation–was affected by the status of records; email records, in private vs. official places, and by hacking and claims of hacking, all for a lack of the information management controls that we promote in our organizations. Records are front, center, and everywhere.

Two other recent headlines within a few weeks of each other caught my eye. In February, authorities built a DNA profile of a person of interest related to the slaying of a New York City woman running near her mother’s Massachusetts home last summer. That same month, DNA evidence from another victim’s fingernails led to the arrest of a man charged with murdering her as she ran near her parent’s home in New York last year. One only needs to watch a Forensic Files rerun to appreciate the impact of records on catching bad guys. Powerful stuff. But we in the profession (other than lawyers) may forget the impact of the record on criminal justice and forensics when focused on enterprise administrative records.

In our “Is not!” “Is, too!” times–what Robert Samuelson calls the “age of disbelief”–the power harvested from records takes on added viability. Facebook recently added “disputed” tags to bogus social media news that users flag, or that sniff test sites like debunk. While Facebook’s move will be viewed by some as hyper-editorialized, anti-free speech material, our culture (at least in the West) is in desperate need of claiming the power and clarity of the record, probably more so than ever. These days enable us to take stock of our own importance as the profession of the record, to set things straight.

The individual can take solace in the record, to an extreme. Dale Carnegie wrote about how the record, precedent, and laws of probability have been used to combat humans’ greatest fears and worries. He relays the story of Frederick Mahlstedt, who became paralyzed by fear in a trench near Omaha Beach during World War II. With German bombers dropping payloads all around him each night, Mahlstedt became increasingly gripped by dread. By the fifth night, he realized he had to do something, psychologically, before losing his mind. So he reminded himself that five nights had passed, and that he and every man in his unit were still alive. He recovered to the extent that he eventually slept through some of the bombing raids. Similar observations have been made regarding the resolve of many British citizens during the Blitz in WWII. The “record” of survival equates with a sense of security among the most dangerous conditions. The record of not having died or been seriously injured among chaos fortifies human posture. Pretty powerful stuff.

The range of what records can be and how they can be used is powerful. A 59-year-old man was indicted after a house fire in Ohio last year. He was the homeowner. Though he claimed to have accomplished several frantic tasks during the blaze, investigators and a cardiologist showed that his pacemaker data told another story. While there’s also a Fifth Amendment discussion here, “pacemaker-data-as-record” doesn’t come to mind every day. And while pacemakers have been around for a while, a whole relatively new and future breed of IoT objects and wearables promises to proliferate records everywhere – more power. Amazon and Google home voice assistants, always listening by default, mean still more records and record implications.

Beyond the Walls of Our Profession

Records Management in partnership with Knowledge Management can be powerful across the organization. Five years ago, Lucinda Duranti and Sherry Xie made this point and noted the absence of RM-KM relationships in the literature. There hasn’t been a notable change on this matter, as far as I can see. But harnessing the power of knowledge as record and getting intrinsic knowledge into record form should be in the interest of the records manager. We need to harvest a better and more thorough KM relationship.

More broadly, our profession, IMO, needs to integrate more and better than we have with other related and “nearby” disciplines, like KM. Each year, we have excellent conferences–ARMA, AIIM, MER–I’ve attended them all multiple times, and they can be counted on for great sessions, engaging vendor floors, insights, leading edge case studies, keynote inspiration, and collegiality. But at each of these conferences, our RM/IG visionaries are essentially preaching to the converted, as I pretty much am with this blog posting.

We need to break out of our professional ranks and communicate our message in spaces like KM, libraries, information ethics, and others, as we have done to an extent with info security, legal, and historical archives. For example, I’ll be presenting on The Principles (can I still say “GARP”?) and the ethical implications of info mismanagement at the Info Ethics Roundtable next month. That my RM session can come to an info ethics audience as a novel topic, somewhat out of the blue, is inexcusable. The power of the ethical implications of RM/IG must be promoted more. Likewise, in a prior talk, I was stunned by how unfamiliar my audience of academic librarians was with RM: among about 200 people, two hands went up in a sea of blank faces when I asked them if they were familiar with our discipline or knew of RM programs at their institutions. While preparing to post this, I came across an excellent piece by Gordy Hoke, similarly calling for more integration with legal and IT, whom we should already be in bed with.

We should seek forums, conferences, and publications outside of our profession in which to spread our mission and build partnerships under the big tent. I’m not suggesting that this isn’t happening at all, but rather that it isn’t happening enough, since most people outside of our profession still don’t seem to get us–including those who should, and those who could be valuable visibility partners. Rather than just crafting RM within our vertical industries, we should take RM out to the verticals. This doesn’t mean that we can’t still focus on our current jobs and institutions. Just a matter of upping our efforts. We have a genie in a bottle: the power of the record will never be fully realized until we manage to socialize it outside of our own ranks. We can be bigger than we are. We may envision this as a glass ceiling to the RM/IG purpose.

Let’s win one for the Gipper. Onward, upward, and outward.


What Is Our Professional Future?

September 19th, 2016


George Despres, CRM
Program Director for University Records Management, Brandeis University

(The content in this blog reflects the opinions of the author, and not of Brandeis University.)

Like most people, I prefer to have a reasonable sense of job security, as long as my interest is engaged. I hope and need to remain in the workforce for many more years. At the risk of sounding alarmist, I have concerns about the records management profession’s long-range future. We are members of a resilient and passionate profession, given the challenges we face in an exponentially growing and complicated digital world. While this posting will pose some observations, I hope that it is received as more of a thought- and answer-provoking question–what will our professional future look like?

Chaotic, Counter-Control Culture

A recent futurist reading binge has been an exercise in masochism, or deer-in-the-headlights simulation, or emperor’s new clothes realization. In The Inevitable: Understanding the 12 Technological Forces That Will Shape Our Future, Kevin Kelly, co-founder of Wired, traces the current and future evolution of our digital culture, and by culture I mean the way most people are interacting, and will increasingly interact, with information. He argues that, looking back from the year 2050, the first few decades of the digital revolution that we’ve experienced as a sort of Phase I will seem marginal when compared with what’s coming in Phase II after 2016. Our profession has been playing catch-up all along during Phase I. If Phase II is even more disruptive, where will that leave us?

Flow of information (“extravagant dissemination,” “ad hocracy”), Kelly argues, is everywhere and inevitable. Mass duplication and the decrease of fixity are two considerable pieces of it; a perpetual state of becoming (i.e., continually and repeatedly adapting to the next, fast-moving technology) is another related, future factor, Kelly says. When we consider that fixed, controlled records following recordkeeping principles and information governance are typical objectives in our programs, it’s not unreasonable to get a little scared by this. Reading through Kelly’s book as a records manager or archivist is an exercise in marathon squirming. He lays out, in hard-to-contradict ways, how the evolving digital world is and will be contrary to (our) traditional goals of information control, accountability, protection, and validation, among others. IMHO, we should already get gold medals for braving it to date. It’s like trying to eat a big ice cream cone in 100-degree heat and keeping your hands clean.

While we’ve long talked about the challenges of “volume, velocity and variety,” fluidity has trumped and will trump fixity in many places. Stable artifacts are succeeded by glimpses, fragments, and streams of distributed information. Sequence reordering, common acceptance of raw info, snipping and morphing pieces of information assets and radically repurposing them, and personalized tweaking and re-tweaking across multiple formats, apps, and media without version control are ubiquitous and here to stay. Doesn’t sound like RIM/IG to me.

Trouble in the House

And then there’s organizational chaos (pardon the oxymoron): within most institutions, parallel, siloed information storage is here to stay. Our decades-old dream of one controlled, master enterprise repository that all employees responsibly and diligently use is normally just that – a dream. Unless you are in a highly-regulated, Big Brotherish, org culture–and even then–employees will use their generic file shares, and Dropbox, and SharePoint, and Box, and Google Docs, and 2 MB Gmail attachments sent to twenty people, and thumb drives, and home PCs, and unauthorized personal devices, and BYOD devices, and unsaved electronic white boards, and VR and augmented reality spaces, and cooked books, and any of hundreds of IM/file loading cloud apps, and other rogue silos, with many new ones on the way.

A recent Iron Mountain US government employee survey cited the skills gaps that need to be closed by tomorrow’s info pro. The ability to manage enterprise records “regardless of format” is still emphasized as one of them: we’ve long had “regardless of format” in our definitions, but most of us still haven’t corralled what our organizations have generated to date, according to bleak industry surveys (e.g., AIIM, Cohasset) and to the fact that Iron Mountain is still calling out basic digital format coverage as a problem.

The Rise of the Machines (and Software)

As Alec Ross suggests in The Future of Industry, enhanced artificial intelligence (AI), in combination with blockchain technology, threatens to remove intermediary and gatekeeper roles in several industries, even out-Ubering Uber through pure peer-to-peer ride agreements and mesh networks. AI covers the thinking and blockchain covers evidence fixity through distributed crowd-witnessing (public ledgers). Massive information analysis, tagging, metadata assignment, and classification are a few of those roles that smart machines, once trained, may cover completely: many on the legal side of our profession have already experienced this through technology-assisted review. There are dissenters to the blockchain growth argument. However, the technology has been around for seven years, new applications are emerging, and many huge companies are spending lots of money on blockchain technology development in new sectors while providing blockchain-based services today, despite bitcoin hacks and ransomware incidents in the financial arena.

The “public ledger” role and “smart contract” applications of blockchain already in existence sound suspiciously familiar to our turf, and they’re handled by encryption keys and code, not by people. As expert Vicki Lemieux and her U of BC team simply put it, “Blockchain technology is fundamentally a recordkeeping technology.” No red herring here. Given what some tech assessments portend (and I hope they’re wrong), the only remaining human task for RMs may one day be to manage residual paper files and press the “Are you sure you want to delete?” button – if we still want to rely on any human intervention at all. So, not only is what we are trying to control becoming more uncontrollable and chronically changeable; the very technical solutions to these control and validation challenges will either radically redefine our work or put us out of work. But don’t jump off the bridge yet.


Our job isn’t going away tomorrow morning. We still have big paper footprints and offsite storage arrangements with vendors, who are still adding warehouse space to accommodate growing customer deposits. Organizations don’t want ugly headlines, and some actually do something about it through our services. We can also partner with technology in the near term to mitigate the chaos–for example, using R programming tools to mine text, categorize, cluster, and de-duplicate unstructured data collections. As a profession, we must closely follow blockchain and other relevant technology developments, from CRM, IGP, and CIP exam content, to our conference sessions, to our social media feeds. Gaining analytics skills can also enable us to continue our work into the next-gen environment. The Iron Mountain survey referred to above states that analytics skills are a key proficiency in closing info pro gaps between now and the future.

Perhaps we’ll assume more of a track, analyze, report, and consult responsibility and less of a custodial one. Perhaps we will monitor massive data grid activity. Perhaps cloud brokers will offer some sort of information control as a service (ICaaS). Perhaps we will all just work in information security. But as the machines mature even more, can we continue to use new technology advances to redefine our job, rather than being gobbled up by the technology? And can we keep up with emerging IoT (Internet of Things) platforms, where almost every object will be a substrate covered with sensors, chips, and monitors fire-hosing data all over the place? Big data being managed today is but one dimension of a much more complex future environment. Maybe we will rise to the bigger challenges, despite a rather slumbering digital precedent.

I don’t have any good answers yet, but would pose the following questions to my good colleagues, many of whom are much more tech and industry savvy than yours truly: how will we adapt to manage and control liquid information that is always in flux? What level of information control must we concede in a digital culture of independence and flow? With information lifecycle analysis increasingly covered by AI machines like Watson, where will we come in, or not come in? What will our jobs look like in 10-15 years, and how much will we need human intervention for information control?

The Information Management Umbrella

July 28th, 2016


George Despres, CRM
Program Director for University Records Management, Brandeis University

(The content in this blog reflects the opinions of the author, and not of Brandeis University.)

A colleague at another university recently polled a listserv group of records managers in Higher Ed. The survey probed the records management programs’ locations within the organization. The last “extra credit” question was whether or not we would recommend our current organizational locations. Your industry may dictate your relationship with your library people, if you even have a relationship with them. In academia, records management tends (not exclusively) to be grouped organizationally with library and archival units.

I recently presented an RM program review to my Brandeis library colleagues and noted this rather strange RM fit: humanities research, cultural heritage, instructional design, open scholarly access, and… RETENTION SCHEDULE?! In one sense, we are the Charlie Brown of an academic library department. A business suit among tie-dyes and flip-flops. On the other hand, I hope to show that we’re ultimately unified.

In her excellent Domesticating Information (p. xix), Carol Choksy distinguishes the “two cultures of understanding” between records management and library science. Records management, she states, “is pragmatic, utilitarian and rigorous; library and information science are creative and open to exploration.” While I wouldn’t contend that library and info science is never rigorous, that RM can’t be exploratory—it must be—and that information science is the exclusive domain of the library, Choksy’s “two cultures” point is correct.

After reflection on my academia colleague’s survey questions, I came to the conclusion that, while RIM/IG is a curious fit within the academic library and archives culture, I couldn’t think of another place in my organization where my program would perfectly align. Legal blesses final versions of the retention schedule before publishing, but that’s the primary touch point. I partner with our Chief Info Security Officer on projects and share his vigilance under the broader governance umbrella, but I am not responsible for endpoint detection and response, authentication protocols, malware interception, and honeypots. Interesting stuff, but beyond my job function. While we seek to influence good recordkeeping practices across the university, we also support client services (scanning, storage, shredding) that wouldn’t nestle under the COO office, either. And our legacy paper-based services, along with the business-side mission focus, preclude seamless IT departmental membership, though some academic RM programs are understandably going in this direction. We engage with stakeholders from all over the institution, with the objective of identifying, controlling, managing, purging, and facilitating optimal access to their information.

In a two-part series earlier in this blog, I covered some of the differences and similarities between records managers and archivists, who also tend to align with academic library units organizationally. Despite a somewhat parallel relationship history, the two professions have developed several nodes of integration over the last two decades, as I illustrated. The broader, shared information management responsibilities of records managers and archivists prove to be the connecting points for collaboration.

While I don’t seek to focus on the Info Governance versus RIM distinctions here, one commonality between IG and RIM (at least in the acronyms) is the “I.” We can add library professionals to this aggregation. The Info Management umbrella doesn’t detract from IGP, CRM, CIP, CA, CISM, MLS, or other related and specialized credentials. It’s relatively accessible to the layperson. Information is not bound by format, covering structured and unstructured data, as well as complex multimedia products. News items toward the front of ARMA’s own Information Management publication cover a vast range of topics and disciplines. IM unites a broad consort of people who identify information, try to anticipate, organize, protect, and control it, and/or get it to people who need it, when they need it. All or most of us were caught flat-footed (to varying degrees) by the digital revolution and were slow to adapt to it. All of us value sufficient metadata and information context. All of us seek to sift out and steward good information and jettison the bad. All of us care more about the content value than the content vehicles, as IT does (not that we don’t care about the modes of transportation).

I am foremost an information manager. And united we stand—as a massive army for good information practice.

The Strategic, the Tactical, and Agile Records Management

May 20th, 2016


George Despres, CRM
Program Director for University Records Management, Brandeis University

(The content in this blog reflects the opinions of the author, and not of Brandeis University.)

I’ve been asked in the past to provide budget estimates for five years into the future. My response is internal laughter, and tears. Understood, this is a typical practice, but the provision of a high-quality estimate for five years out, unless you are a quant evaluating special, massaged, projection data (and even then…), is a bit of a stretch at best. Ask yourself to accurately describe your records program in 2021, presuming that we all operate in variable environments and then see how sure you feel about it. Look back on some best-intentioned estimates and strategies of the past.

There’s a treacherous point in the pre-execution phase of projects and programs when a team can freeze and spiral into ongoing chatter without action. I’ve lived through several such examples. Anyone who actually proposes a “plan of the plan” in these instances must be regarded with suspicion. “We need to continue this conversation” is another loose and indefinite statement, popular in academia, that can lead down the same endless hole. Conceptual frameworks can be foundational and highly valuable (e.g. EDRM and OAIS), and they can also be overkill, hollow, and worst, unrealized after great effort.

The Strategic

RIM/IG is very much an art form, and we shortchange ourselves if we aren’t open to chunking our work, switching gears midstream, and sometimes “just doing it.” In most organizations, furthermore, RIM/IG trenches don’t always provide us with a neat, pretty state within which to operate. Strategic thinking, even with risk management, is often forced to assume a relatively even state of ongoing operations. But some deft chaos tolerance is required in reality. It’s ugly at ground level, waiting on non-responsive stakeholders to weigh in on retention schedule updates, waiting for software versions to align like the stars, dealing with sudden leadership or organizational changes, etc. And strategic prescriptions get dated: witness the well-intentioned but long-broken DOD5015.2 software requirement set that is still sitting out there. Look at the unwieldiness of big, last-generation ECM and ERM solutions (that 5015 was designed for) in the cloud era. We are experiencing such fast and fundamental shifts in the record generation, stewardship, and threat environments that strictly long-term eyeglasses, rather than bifocals, can harvest tomorrow’s stale and musty failures.

Disclaimer: of course, we need some strategy and long-term thinking in order to evolve and execute balanced and successful programs. Goals over objectives over actions is a necessary exercise for anyone serious about developing a program-level endeavor. I’m not touting a pure “shoot from the hip” approach. Rather, a proportion of tactical, opportunistic, and real-time point solutions must be a part of any result-oriented records program. The info pro must be agile enough in the now to shift direction and create program movement that may not have been in the planning book even months ago. And we sell ourselves short if we think ourselves incapable of doing what psychologists would call “thin-slicing.”

The Tactical

I’ve heard “tactical” being derided as a junior or short-sighted approach to program management. This is unfortunate, because the pace and churn of our digital records environments are happening at a chaotic speed. Perhaps an understandable fear of whack-a-mole problem-solving is tied to the notion of uninformed, quick and dirty execution. But correctly taming chaos with tactical solutions is a necessity.

There’s much to be said for leveraging existing resources or advantageous opportunities and then running with them, taking the shortest distance between two points. Opportunities occasionally present themselves that enable us to detour and execute beneficially, as long as we are operating within the mission. Mission and improvisation can coexist. They must. In institutions much larger and more complex than my own, I’d imagine that impromptu, tactical possibilities are exponentially greater. In-transit revisions for the better are not a bad thing.

But this is not to say that we should hurry into every effort and just slam square pegs into round holes. The trick is to identify those opportunities for unscripted success, even if incremental, to be realized discretely in the relatively short term, minus the blah, blah baggage. These small-scale opportunities should be seized with vigor. We might substitute “agile” for “tactical” to illustrate with a few examples.

Agile Records Management

For several years, the IT world has embraced agile scrums and sprints as a common practice. Larger objectives are broken into pieces, and the pieces are each addressed within a relatively short period of time, rather than years. Some efforts may be set aside in the process while more achievable ones are executed. Change is accommodated. Bottom line is something gets done. This model is broadly transferable to the information management world. So, what are some of the places where it can apply?

Retention schedule development takes time. Identifying and publishing relatively straightforward record categories (e.g. 7-year financials, permanent archival records) is a good and possibly quick place to start. Running with collaboration-friendly departments in developing or updating uncomplicated series of the retention schedule can also get things done.

We’re undertaking a massive scanning project with one of our departments. Initially defined as a “document management” project, we refined the scope to step one—convert 85 four-drawer file cabinets of records into PDFs and get them into a searchable, safe, file share. Get it digitized, period. Our simple Box cloud environment is already saving our client many hours of time while providing novel research connections that weren’t available with the file cabinets. We can extend this environment with supporting apps down the road, rather than spending a year drawing up a bulky, requirements-heavy, enterprise DM/CM solution that we can’t afford in the near term.

Speaking of “can’t afford,” timing is not always covered by strategy—we have a new Brandeis president joining us in July, which leaves major initiatives awaiting his direction. Here, again, agility is indispensable—what can we do during a transition with small money bags? How can we add value in a constrained environment? Any 2014 strategy didn’t foresee the resignation of our former president in 2015. Substitute M&A and divestitures for leadership churn and you get the drift. Under such conditions, scaled-down, under-the-radar, “pilot” projects are an alternative to big-bang, heavily mapped-out, cross-institutional rollouts (ocean boiling).

Digital preservation solutions, increasingly a RIM/IG concern, are another example of where small and quick is replacing big and slow. Brandeis is assessing products that provide what the POWRR group would call “good enough” preservation. There have emerged some relatively affordable and turnkey solutions in this formerly exclusive area, for those of us short on budgets and staffing. Dig pres has become a commodity. Traditional project management 101 would have us assembling a tome of requirements first, right? Well, we inverted the classic model of requirements first and moved directly to free vendor solution demos, to inform us on the end-state offerings to which we would aspire, from where we are now. With some internal collection prioritizing, sizing, and metadata design, we expect to select and pilot a digital preservation solution before the end of the calendar year.

Recovery, or corrective agility, is an important part of agile records management. For example, our secure, sensitive records destruction bin footprint quickly and “successfully” grew to over 25 bins across a geographically complex campus, impossible to navigate and find by visiting vendor drivers seeking to empty them. We responded with a clustering approach, internally collecting and consolidating contents from campus regions into fewer pickup locations. This wasn’t in the original plans, nor is it rocket science, but it’s a necessary and improvisational reaction to ensure smoother services.

Industry agility is another necessary form of navigation. The blockchain technology buzz reminds us that we need to be agile not only in terms of daily operations and opportunities, but also in terms of the industry spaces that we do, don’t, may cease to, and might possibly occupy. As we likely see blockchain-type encryption, algorithms, and AI taking over some of our digital gatekeeping functions someday, this agility will be necessary for finding the sweet spots where our evolving expertise applies, and long-term strategy may not predict where this will actually be until we get there.

Strategic planning has its place. Tactical ain’t so bad. And agile RIM/IG is a necessary component of any modern records program.

Polar Opposites: The CRM Exams and Vendor Product Language

September 10th, 2015



George Despres
Program Director for University Records Management, Brandeis University

(The content in this blog reflects the opinions of the author, and not of Brandeis University.)

Two Cents on the CRM Experience

I’ve recently made the time (belatedly) to take the CRM exams. While CRM had been slipping on my to-do list for almost ten years, I’ve been busy doing RIM, though admittedly under a bit of an “impostor” self-image. The exam experience has been gratifying and humbling—gratifying to finally complete and pass, and humbling in the sense that I felt high pressure to pass as a several-year practitioner.

The components, processes, and details of records management are, of course, the focus of exam prep. Throughout parts I-VI, the candidate is immersed in the “what” and “how” of the discipline. This enables you to sniff out guano and contrasts starkly, as will be shown, with the way we are treated as an audience by many RIM software vendors. Let me acknowledge up front that there are good vendors. But anyone who has been in this business for a while knows that there are also some bad and ugly ones and that their overtures to us can be lacking at best. The difference between CRM prep and many solution vendors is the difference between precision and vagueness.

On-the-job experience most certainly helped me to navigate the exam challenge. Likewise, the ICRM exam preparation workshop—which I’d highly recommend to prospective candidates—gave me a bead on what subject areas to target, especially for the management part, which can come across at first glance as a pan-MBA undertaking. ARMA literature and William Saffady’s Managing Electronic Records (4th ed.) proved particularly valuable. Times have changed: I didn’t review the Robek and Brown “Energizer Bunny” book. Well, maybe I peeked. Multiple-choice testing tips on the ICRM site paid off. Certain topics in the test material like duplex-numeric and block-numeric filing conventions don’t always cross our desks in the trenches, but they do provide a good logical grounding for our vast discipline, and I feel fortified for studying them.

The ICRM has updated part V to challenge candidate proficiency in IT topics indispensable to the profession. Going forward, the Institute will need to maintain these updates aggressively to keep pace with our technical environment. Part VI, the written exam, essentially says, “You’ve been hired by Institution X, and their records situation is a train wreck. What do you do?” I’d imagine that many fellow CRMs found the weeks between taking part VI and hearing back on the results to be long ones. They were for me.

Ten people will likely have ten different opinions on the CRM experience. Mine has been a positive one, and I thank the ICRM for supporting the opportunity for measurable, professional validation.

Our Profession and its Tools

While the theme of this post has been brewing for several years, CRM preparation led me to reflect back on the things I’m working on at Brandeis, including early assessment of electronic content and records management solutions. An assistant and I have been working on a broad review of many information management software products, big and small, enterprise solutions and niche plug-in apps, with a focus on the lifecycle and control of records. While vague vendor Web language was nothing new to us, this immersive exercise left us astounded by just how hollow and unclear much of the vendor promotional language is. It’s almost ubiquitous. Getting to what some products actually do is like peeling an infinite onion. Contrary to their intentions of reeling in potential customers for follow-on conversations, the canned Web sites and some of their related demos and webinars should dissuade any logical and informed person from curiosity.

For example, I recently attended a webinar for a software product that most of us would recognize by name. The webinar was presented by a very senior member of the organization. At one point, I glanced down at my watch and was struck by the fact that, while thirty-two minutes had elapsed, I hadn’t heard one thing that I didn’t already know. I’m not bragging—anyone who’s worked in our industry for a year and paid some attention would come to the same conclusion. One would have thought the intended audience was completely ignorant of RIM, IG, and info management. Perhaps that was the case, but we are (I hope) normally decision-makers in such technology acquisitions, and vendors should know this.

Further confusing the vendor product landscape is what they provide today versus what they “plan” to provide “soon,” or even what they imply that they currently provide but don’t (vaporware): we are engaged as a client with a well-known and upcoming vendor promising an IG package that curiously keeps slipping (at least for us in higher ed). We’re now told that it’s coming “sometime next calendar year.” Yet they’ve recently sponsored an IG webinar as if they’re on top of it (!) Walk the walk.

Beta environments also confuse what is and isn’t ready for prime time. Broken and dated DoD5015.2 prescriptions and a tectonic shift from bolted-down, über-proprietary enterprise solutions to more open, lightweight, cloud-hosted ones muddy the waters and lead to a tough decision for the solution shopper: do we go with a last-generation, expensive, enterprise behemoth that doesn’t play well with other products and that slapped on a lame RM module as an afterthought? Or do we engage the frontier as bleeding-edge early adopters and cobble together and maintain a bunch of emerging plug-in apps, with fingers crossed for the future? This backdrop is no place for ambiguous product promotion.

The List of Condemned Phrases

Vendor websites, slide decks, and promos in general should be held more accountable for aimless language. Rehash of obvious facts appears again and again in the talking tracks. The syntax is shallow and imprecise. Understood: they want to mean many things to many people. But it wastes our time. It leads to vague or varied understanding and incorrect assumptions. Granted, some of their promises reflect what we need to communicate to stakeholders who have no idea about what we do or are trying to do. But the same old words patronize us and insult our intelligence when targeted at info managers. Furthermore, they are often addressed to a 1990-2005 audience, as if, for example, we don’t know that there is a thing called “social media” that can be tricky. We are all well beyond these statements, and the CRM experience, or simple reflection on our work, emphasizes why. The extent to which this vendor hocus-pocus pervades the language is significant.

So, I’ve created a list of hereby Condemned Phrases and statements, or their variations, which should no longer be addressed to the aware, capable, been-there-done-that information management professional. I hope that they are at least good for a chuckle. You are welcome to circulate (proliferate!) the Condemned Phrases among prospective RIM vendors, and to expand upon it. We must cease to be subjected to such patronizing jive as this:

“The amount of information that organizations must now manage has exploded and has become difficult to control.”

“While traditional paper records management has been fairly straightforward, digital records present many challenges to the organization.”

“We live in a digital world.” [Literally, from a major info solution CEO in August, 2015!!!]

“Knowledge empowers the enterprise.”

“Proper information retention policies are a critical aspect of your compliance strategy.”

“Organizations must account for mobile.”

“Information needs to be delivered to the right people in the right place at the right time.”

“Information is now user-centric. It’s all about the stakeholders.”

“BYOD can introduce threats to the security of your organization’s information.”

“Organizations need trusted cloud providers.”

“Our data-driven solutions provide for intelligent management of your organization’s information.”

“[Product X] will help you meet your customer needs, and it is highly scalable to your environment.”

“[Product X] allows you to reduce compliance risks.”

“[Product X] enables you to streamline LOB/B2B processes while realizing improved ROI.”

“Our open platform and APIs enable seamless integration with all products in the history of humankind.”

“Users expect a simple, straightforward experience.”

“Email presents a special challenge to the organization.”

“Organizations must implement a total/holistic content strategy.”

“We simplify your content lifecycle while enabling you to control, organize, and secure your data.”

As a profession, we can and should put pressure on solution providers to cut to the chase. We have a discipline that we work in, study, and master: don’t walk us through chapter one of Intro to RIM. Granted, there are some solid and promising products out there, backed by company people who really want to provide solutions. That said, we’re too smart for the same old jargon. Let us agitate against rhetorical product razzamatazz. Some may say, “Well, that’s just sales talk.” No! Let’s call vendors to the carpet. Let’s ask them exactly what they are offering, based on our knowledge of the discipline.

Establishing Records Management at Brandeis—The First Eighteen Months

May 28th, 2015


George Despres, University Records Manager, Brandeis University

(The content in this blog reflects the opinions of the author, and not of Brandeis University.)

What a year and a half it has been! The Brandeis University Records Management (URM) program has much in front of it, but some solid foundational accomplishments behind it. As we know, developing and growing a records program is challenging:

  • most people don’t get our objectives despite the fact that records, their mismanagement, and associated risks are ubiquitous—witness the daily news.
  • “volume, velocity, and variety,” along with fast and fluid enabling technologies, make electronic records control or IG increasingly difficult—let’s be honest, we are reduced to mitigation (realist, not defeatist).
  • the many fronts that records touch within the organization make us feel like we need an army to even chip away at solutions. And of course, we’re all fully staffed, right?

While the inaugural eighteen months for the URM program here have not been perfect, a broad retracing of them may be helpful to others planning or beginning to execute programs at their institutions.

Learn the Institution

It begins with fact-finding: gathering information, learning the institution, meeting with stakeholders from various functions. We held over fifty stakeholder meetings between October of 2013 and April of 2015. These ranged from one-on-ones to a surprise fifty-person audience of administrators for an entire school (my meeting invitation indicated eight people attending, and I walked into a function hall—should have cased the joint). We were proactive with offers to present on the program at any venue. We made early acquaintances with Legal and Information Security leaders. Socializing the program, covered in an earlier piece, consisted of walking through stakeholder needs and processes and offering helpful services, so that our stakeholders were initially treated like clients, not delinquents. First impressions are everything and best made by offering assistance. Another point to consider is stakeholder busy seasons—I learned the hard way that it was unwise to request information from our registrar before commencement, when he is slammed verifying student credentials. An equivalent would be asking Procurement people to collaborate at the end of the fiscal year.

The institutional intranet is gold: manuals walk through key functions and records transactions; departmental service pages enable you to prepare for stakeholder meetings in advance and hit the ground running with targeted questions; organization charts tell you who is where and under/above whom while bunching institutional functions for the schedule; online forms enable you to begin compiling the document type inventory and to determine what paper forms can be replaced by electronic ones; policies and procedures trace processes, roles, governance, and how things should be done; and institutional mission and values help you to align the communication themes of your program. Books on institutional functions, like finance, law, student records, HR, advancement, etc., in higher education (substitute your vertical market) were invaluable not only in getting up to speed with the industry, but also in empathizing with various university functions and their professionals. It’s about points of view.

Services and Stakeholders

Our initial client service engagements—managed offsite storage and retrieval, secure document shredding, digitization, and, recently, electronic redaction—began in March of 2014. Since then, we grew to over forty-five service engagements with departments and people from across university functions, academic and administrative. Most of these engagements were outcomes of the initial stakeholder meetings, but several came to us by word of mouth. Many are ongoing. We’ve placed over 1,000 boxes in managed offsite storage, and we’ve sited twenty secure, sensitive-document shredding bins across campus, emphasizing the difference between these and open recycle bins. January customer satisfaction survey results, though modest in size (twelve respondents), showed that 100% would recommend our services to others in the university. Yes, my management chain is aware of this.

Supporting and maintaining these services has been clumsy at times. Visiting vendor drivers don’t know the Byzantine campus layout. I’ve frequently compensated by shoving boxes into my car and shuttling them to and from client buildings within the labyrinth (and losing my precious parking space). Substitute drivers from our shredding vendor (which, oh, by the way, just merged not seamlessly with another vendor) need to be manually escorted to all of the secure shredding stations on campus, since the directions couldn’t possibly be written or verbally communicated (“go by the big oak tree and kind of bear right… well, it looks like one building but there are really two named buildings within one….” etc.). In one case, we had an oversized vendor truck get stuck between a building, a ledge, and a tree for about twenty-five minutes. Another challenge has been queuing up boxes for vendor services—some of our clients have asked for services but lacked the resources to prepare their own records for storage or scanning services. We enlisted student assistant labor to address some of these instances, but there have been “we’re too busy” bottlenecks delaying opportunities to get boxes out the door and to the vendors.

Electronic Stuff and Leadership Buy-in

I understand that all of this talk about boxed physical records will make many twenty-first-century records professionals cringe. So: with document scanning services, we were digitizing for clients, but then in some cases being asked what to do with the digital files. Alongside legacy Google Drive and Dropbox environments, Brandeis has established a Box environment as a competitively secure, yeoman’s, cloud-based file sharing and collaboration option, with some lightweight “document management” capabilities and architecture, like task assignment, open APIs, a growing app plug-in environment and a promising roadmap with respect to information lifecycle management.  ILM was absent from, false, or shabby in many last-generation electronic document and records management products.  And we communicate directly with Box product reps who will responsively speak with you even if you’re not part of a Fortune 500 company (no, I’m not on Box’s payroll, and much remains to be seen from them). Again, it’s mitigation, if not a 100% elegant solution.

In terms of program growth, a key turning point for us was a records program briefing to our senior leadership arranged by my CIO last June. We are very fortunate to be developing the program at a time when many changes are happening and are relatively well received by key decision-makers.  One highlight of the leadership briefing was a picture slide that showed a 1994 student paper headline about confidential records found in an open recycle bin. Next to this image was a photo of tumbled boxes from one of many basements we are surveying after fifty years of boxed records drop offs. The images won a collective gasp from the leadership team.

Any institution with decades of minimal records management will have similar photo ops, and no sane and responsible person wants to be associated with or dismiss these images. Pictures are powerful, and the outcomes were significant. Deans of the colleges were especially receptive—we initially thought that the independent academic units in a distributed institutional culture would be tougher to engage on the subject of records control—but I was almost immediately put in touch with people who gave me audiences in all of our schools, which now constitute half if not most of our service engagements. To be fair, some luck and right-place-at-the-right-time has assisted us in advancing the program. Full support from my management and a reasonable operational budget have also been key. We can’t assume that these pieces are in place at other institutions.

Communication Tools and Policy

Underlying communication tools were leveraged early in the game to support the program: a “LibGuide” (Library Guide) reference page with an overview of the program and guidelines; an email service account; a listserv, to which I push a highly selective and small subset of records management news kindly brought to us by Peter Kurilecz and many others; a more formal intranet presence, under construction; and this blog. All of these get the URM word out in one way or another. Others, like brief and bang-bang, YouTube-style training videos, are planned.

Our retention schedule is one area in which I am disappointed with our progress. We’ve populated a few items, but other program activities have occupied the bulk of our time expenditure, and some collaborators have, with reason, delayed the process. We will be focusing on filling it out over the next phase of our work, as retention policy and getting people to follow it is core to the program. Collaborating with stakeholders to build their respective departments’ policies will help to ensure compliance, since they sign off before final legal review, and our services have already established bonds with many of them. The bottom line is that we can’t do everything, especially when our dedicated staff consists of one part-time student assistant and me. But retention policy is one area to catch up in order to keep the evolving program balanced.

The Way Forward, and a Challenge to Colleagues

Other next steps include forms management, especially eradicating paper forms; knowledge management guidance; TAR/text mining to cluster legacy content for disposition; Gmail curation; and developing needs assessments, requirements, and use cases for electronic document and records management systems, piloting with our Advancement department (vendors: please hold off for now). Our approach is obviously to plan but to also look for relatively quick, point-to-point wins that don’t require lots of posturing, hot air meetings, rabbit holes, plans of the plans, and 100% perfect conceptual frameworks that are never realized.  This approach has served us well to date.

So, that’s where we are. I hope that some of this will resonate with, if not help, colleagues fighting the same battles. I believe that we need less generic “Big Data!” “BYOD!” “ROI!” sales-type and corporate-heavy rhetoric and more institutional case studies and stories in the open RM literature (and outside of the expensive RM conferences). We need more tales from the trenches that can scale or be adapted to other institutions, including modest ones. What are we doing now, on the ground? Where are YOU at?

Snapshot: College and University Retention Schedules

February 5th, 2015


George Despres
University Records Manager, Brandeis University

(The content in this blog reflects the opinions of the author, and not of Brandeis University.)

Shortly after joining Brandeis to establish a records program, and being new to RIM as it applies to academia, I realized that it might be a good idea to review retention schedules from other colleges and universities (CUs) as part of my research. Higher Ed is an industry that generally encourages sharing of open information, in this case providing a view of retention schedules in the aggregate. Searching the Web with different browsers for published CU schedules, I built a document linking to over 40 CU schedules from various institutions. This document provides a novel, if small, glimpse into CU retention schedule trends and will hopefully be useful to other CU records managers and their colleagues who are establishing or reviewing schedules of their own (the Brandeis retention schedule is in its infancy). Each institutional schedule has its unique merits. If your CU retention schedule is published online and missing from this list, please send me a current link, and I will be happy to add it to, and improve, our document.

Granted, this sample is bound by my non-exhaustive search engine results, and it excludes schedules from some well known CUs that elect not to share such information online. Hence, “snapshot.” Some CUs have a records launch page with no schedule posted or linked. There’s also a preponderance of state CUs in our collection with regulations that would not apply to a private university like Brandeis. I don’t imply that you can just pick retention policy off the trees and plug it into your institution. Yet, while a schedule for college X would not necessarily apply to Brandeis, getting a broad profile of retention practice across many Higher Ed institutions is proving valuable for framing our own schedule, subject to internal iterations and final review.  For example, we found that no CU retained applications from prospective students who never attended (“non-matrics”) for more than 7 years. Unless Brandeis had some exotic arrangement that would require us to retain these longer – something that would be verified by our own research and standard, final authorization with our legal counsel – it’s a good bet that our retention period needn’t exceed standard practice and the reasonable needs of our admissions departments.  Each institution is unto itself. Yet, our findings show that while record category coverage varies among institutions, there is a general consistency among retention policies across most of the institutions, despite a few outlier practices.

Record Categories

One observation relates to the inclusion or exclusion of certain CU record categories. Coverage of different categories is rather varied in the schedules. Differing nomenclature could lead to a scarcity of hits on certain categories, so we tried to mitigate this factor in our searches by bundling various and synonymous names for certain categories in our survey (e.g., Copyright AND Intellectual Property; Advancement AND Development, etc.). We also performed keyword searches for specific document types (e.g., grade rosters) that might appear within certain categories, to mine applicable data.

While some of the schedules surveyed may currently be under expansion, coverage of core categories was less than expected. None of the schedules that we include are fledgling or skimpy as a whole in their category coverage, so the underrepresentation is unexplained. (Since this piece was first published, it was pointed out to me that some institutions mask certain departmental schedules while publishing a general schedule, so this may account for some of the category absences.) Athletics records are covered in only 35% of the schedules. Ironically, both library/info services categories and records management records/retention schedule are absent from 72% of the schedules surveyed, indicating that some of us info pros are not “eating our own dog food.” While safety and security record categories appeared underrepresented for such combustible record types (missing from 42% of the schedules), HR/personnel records are covered more consistently in 88% of the schedules. One might wonder how the other 12% would not have included this sensitive category in their schedules. Continuing/Adult education explicitly appears on only 21% of the schedules. However, some CUs may embed this category within the broader “student records” category, which is covered in all of the schedules in one way or another (thank goodness). In some cases, a lack of perfect one-to-one terminology mapping may have slightly skewed our results.

The following chart depicts coverage (inclusion) and exclusion percentages of selected CU record retention schedule categories from our survey collection:

[Chart legend: Covered, Not Covered]

Retention Practices

While schedule category inclusion varies considerably among institutions, record retention periods are generally more uniform across most organizations. One contributing factor may have been consistent regulatory interpretations among state CUs. Federal and other codes (e.g., IRS: 7 years) also reach every institution, so this would account for some uniformity. Standard valuation and requirements for specific record types also drive consistency of practice. The following types, for example, tend to warrant permanent or very long preservation almost across the board: accreditation records, class lists, transcripts, alumni/donor files, and intellectual property and copyright records. Overlapping archival influence warrants permanent preservation of historical record groups, or portions of them. One key and common division among student records is that between records of students who enroll and prospective students who do not. Obviously, the latter category needs much shorter retention, as indicated above.

My Record Category descriptions are rolled up (generalized) to encompass various naming conventions for document families among the CUs. The following table shows retention ranges.

Table 2

Additional Observations

As with the record categories, certain metadata fields may or may not be employed among the CUs. Some go the length of stating the regulatory authority that warrants the retention policy. Others only state record type and retention period, which is understandable for employees and units who are stretched out with their workloads – better something than nothing, and less to maintain. There were surprisingly not many instances of Big Bucket corralling in the schedules that we reviewed. In fact, some institutions are granular in their schedules, employing document type level division. There’s a propensity among a few to hold certain administrative records permanently – perhaps driven by paranoid (“just in case”) offices of record.

This is only a snapshot of a data sample, but it shows areas of consistency and variance among CU retention schedules. Along with our retention schedules listing, it is at the least a wonderfully nerdy way for a records manager to spend his or her time. At best, it can be used as a reference tool and baseline for retention schedule creation and maintenance in Higher Education – subject to local tailoring. Future batch retention schedule assessments can provide a basis for more detailed and broader studies, as well as improved professional discussion and understanding of policy trends in our trade.

My special thanks to Liana Shatova for compiling some of the data referenced in this posting.

Records Management and Social Justice

November 19th, 2014

George Despres
University Records Manager, Brandeis University

(The content in this blog reflects the opinions of the author, and not of Brandeis University.)


Brandeis University upholds social justice as a core value, reiterated by our president, Fred Lawrence: “Today, as always, the campus community remains devoted to the concept of social justice, a legacy we inherited from the namesake of this university, U.S. Supreme Court Justice Louis D. Brandeis, who stood for the rights of individuals.” The University’s curriculum, programs, culture, and partnerships clearly reflect this commitment.

When staring at the list of GARP/“The Principles” (or whatever you want to call them) back in the spring, it struck me that our professional principles are not just guidelines for protecting our institutions, but are, more significantly, in the spirit of social justice. As will be shown, this is not a sappy or maudlin reflection on records management. And it’s not merely rhetorical. It’s a fact that can get buried in the day-to-day thrusts of what we do. This may be obvious, old news to most RMs, but it still warrants deliberate and periodic reflection.

As I’ve referenced earlier, we can’t read through the news without stumbling upon a records mismanagement story or several – every day. These stories reflect everything from ignorance and negligence to malicious obstruction and criminal activity. The principles are interrelated, and a single injustice or bad act can cut across and against several of them. We can briefly walk through the principles and show how they counter irresponsible and evil record-related activities that adversely impact social justice. It’s all about “doing the right thing” by our records.


The Enron/Arthur Andersen episode exploded public awareness and sensitivity to record-based corruption. “Cook the books” is a mainstay in our vocabulary. Accountability of senior executives, in particular, has created an opportunity space for RIM people to win over conscientious decision-makers who sleep less well at night due to records-related risks and villainous headline news. I’m aware of institutions with senior execs who treat RM like a hot potato – nobody wants to take ownership of it. Corporate culture run amok, bad values ($ first) replacing good ones (high quality product delivery), and the wrong people in C-suites perpetuate this trend, for which Enron and Arthur Andersen were early poster children. As mentioned, the principles aren’t mutually exclusive: the accountability theme will resurface in assessments of other principles to follow.


For example, record integrity overlaps in the “cook the books” environment with accountability. Tampering and obstruction of justice run counter to this principle. Intentionally corrupted information is familiar to us, and it is not limited to financials: witness BP’s years-long falsification of test results from its blowout prevention devices, aside from the Deepwater Horizon explosion. Recent allegations of chic restaurant permit forgery in Miami and the VA’s falsification of appointment records that we’ve all read about add to this list. We are not limited to content integrity: malicious technical compromise of files and media threatens the very housing and presentation of information.


It’s no exaggeration to state that identity theft is a common fact of life. Unsavory and/or shadowy figures participate in what Transunion calls “the fastest growing crime in America (and likely elsewhere).” Whether through internal compromise, bad IT, or third-party blunder, failure to protect personally identifiable information (PII) is a central challenge to our job. Information security and records management should be joined at the hip, as over-retention is propane to the information leakage grill. Personal records and our profession are in the middle of this conversation. We employ record fortification and proper disposition as deterrents. And of course, it can happen anywhere – Target, TJX, Walmart, J.P. Morgan Chase, Heartland, and Home Depot (the list goes on) are not exactly mom-and-pop institutions that have been burned. The ascendance of private cloud services is a byproduct of this problem.


Central to our mission, compliance spans the other principles and therefore takes several forms. Earlier this year, Rhode Island agencies were faulted for flagrant, even “hostile” noncompliance with open records laws, in the face of straightforward public information requests. In September, a Palmer, Massachusetts, hospital received a slap on the wrist for poor record keeping related to hazardous waste and air quality non-compliance. Most recently, Walgreens is fighting a $1.4 million verdict for a HIPAA violation in which one of its Indiana pharmacists snooped through the prescription records of her husband’s ex. We’ll leave the employee vs. institutional guilt discussion for another time. The compliance principle challenges us to wear many policy-awareness hats in order to avoid the wrong side of the tracks.


Violation of the retention principle is reflected in a steady fountain of examples, like this Virginia bank CFO who thought that he had deleted over 20 GB of records in the wake of a Ponzi scheme. Or this Saugus, Massachusetts, town manager, or Halliburton’s destruction of evidence after the Gulf oil spill disaster, or the EPA chief’s deletion of IMs, or (allegedly) this Louisiana governor’s administration, or the IRS director’s missing emails pursuant to FOIA. And we’ve all been following the story about the destruction of (literally) fishy evidence, which SCOTUS has taken on. It’s the “sweep it under the carpet” gift that keeps on giving, and records managers police it.


The disposition principle is intended in part to ensure that records, like sensitive records, are not over-retained, thereby dovetailing with the protection principle. Last year, the UK’s Information Commissioner’s Office determined that the majority of audited charities were over-retaining personal information at risk, for lack of a retention policy. A recurring and inexcusable headline theme is the surfacing of private physical records in public bins and spaces, like this billing company depositing medical records at a town dump. The flip side of the retention principle, disposition brings in the retention schedule and its enforcement, fine-toothed destruction policy, and adequate controls over absolute physical and digital destruction – to protect people.

Availability and Transparency

We may combine availability and transparency principles against a recurring array of not-so-open or honest records debacles. A retention principle breach can be related to breach of these principles. Granted, some open record requests can be unusual (whimsical?), and plaintiff subterfuge is worth a whole discussion on its own with respect to bogus lawsuits and grandiose ESI requests (which can be tempered with reasonableness arguments). However, I’d argue that the “worse evil” is the deliberate obstruction of rightful information access.

An investigation of waste and fraud by the Massachusetts Attorney General has been thwarted by public agencies not turning over records and accruing significant public legal expense trying to avoid turning them over. The Ontario Ministry of Energy email deletion scandal, which challenges retention, protection, and disposition principles as well, provides a good example of availability/transparency obstruction, powerfully illustrated through this comic strip series [no extra charge for the RIM outreach tactic tip]. Circumvention of open records requests can take on cloaked facades: Florida public universities have evaded open records laws via partnerships with private corporations.


While it’s not news that some people do pretty horrible things, the centrality of records as a potential mechanism for these ends is under-appreciated by the general public. Enter us. Reflecting on the principles should give us the resolve for what we do. In the middle of a bad day, we can remind ourselves that we are fighting the good fight.
