Why does confusion reign with records? A look at Records Management

ISO 9001:2000 addresses the control of records, but only includes three sentences of requirements:

1. Records must be established and maintained to provide evidence of conformity to requirements and of the effective operation of the quality management system.
2. Records must remain legible, readily identifiable and retrievable.
3. A documented procedure must be established to define the controls needed for the identification, storage, protection, retrieval, retention time, and disposition of records.

If you want to know more about records management than included in ISO 9001:2000, you should look at ISO 15489-1:2001, Information and Documentation - Records Management.

Records:
According to ISO 15489-1:2001, records are information created, received, and maintained as evidence in pursuance of legal obligations or in the transaction of business. Records contain information that is a valuable resource and an important business asset. A systematic approach to managing these records is essential to protect and preserve them as evidence of actions.

A records management system results in a source of information about business activities that support subsequent activities and business decisions, as well as, ensure accountability to present and future stakeholders.

Records Management:
ISO 15489-1 defines records management as the field of management responsible for the efficient and systematic control of the creation, receipt, maintenance, use, and disposition of records, including processes for capturing and maintaining evidence of, and information about, business activities and transactions in the form of records.

Policy:
Organizations should define and document a policy for records management. The objective of the policy should be to create and manage authentic, reliable and usable records that are capable of supporting business functions and activities for as long as they are required.

Authenticity:
An authentic record is one that can be proven to 1) be what it claims to be, 2) be created or sent by the person purported to have created or sent it, and 3) be created or sent at the time indicated. To ensure the authenticity of records, an organization should implement and document policies and procedures that control the creation, receipt, transmission, maintenance, and disposition of records.

Record policies and procedures should ensure that record creators are identified and authorized, and that records are protected against unauthorized addition, deletion, alteration, use, and concealment.

Reliability:
A reliable record is one whose contents can be trusted as a full and accurate representation of the applicable transactions, activities, or facts. They can be depended upon during subsequent transactions or activities as being reliable. Records should be created at the time of the related transaction or incident, or soon afterwards, by individuals who have direct knowledge of the facts, or by instruments routinely used within the business to conduct the transaction.

The system that manages the records should be capable of continuous and regular operation in accordance with applicable procedures and provide ready access to all relevant records.

Integrity:
The integrity of a record refers to its being complete and unaltered. Records must be protected against unauthorized changes. Policies and procedures should specify what additions or annotations may be made to a record after it is created, under what circumstances they may be authorized, and who is authorized to make them. Any annotation, addition, or deletion of a record should be explicitly indicated and traceable.

The record system should include controls for access monitoring, user verification, authorized destruction, and security to prevent unauthorized access, destruction, alteration, or removal of records.

Usability:
A usable record is one that can be located, retrieved, presented, and interpreted. The record should be capable of being connected to the business activity or transaction that produced it.

While you will probably never have an audit of your QMS or EMS delving as deeply into Record Control as the above might indicate, I would suggest an Opportunity for Improvement based upon ISO 15489-1. Use the document to ensure that you have legal, secure and manageable records.