Compliant Records Management


Step 2
Implementing A Compliant Records Management Programme

This three part series helps you meet compliance requirements through better information management. How you store, access and manage your paper documents and digital files is key to navigating the challenge of compliance. Many regulations directly concern data protection and security, and where they do not, proving compliance requires carefully recorded, easily accessible documentation.

Compliant Practice

When you think of how many documents are generated, used and shared by each individual office worker every day, it’s no wonder there are so many regulations governing the protection of data. A well thought out records management programme will help to make sure that your information is an asset and not a liability, making compliance far more straightforward.

Top Tips From Leading Companies For Successful And Compliant Records Management And Data Security:

Treat information risk, including records management and data protection, as a boardroom issue. Europe’s highest performing organisations in the PwC risk maturity index treat information management as a senior level issue.

Have a multi-disciplinary team in charge of information and records management. Utilise expertise from across the organisation to ensure success and improve buy-in from stakeholders throughout the company.

Adopt a holistic approach to information management, and monitor its success. By ensuring integration across physical and digital records, companies gain commercial benefits including better customer service, avoided reputational damage, improved success in winning new business, and being a more trusted brand.

Source: Beyond Cyber Threats, Europe’s First Information Risk Maturity Index, a PwC and Iron Mountain report, March 2012.

What Is A Records Management Programme?


With regards to compliance, a ‘record’ refers to all documents in whatever medium, received or created by an organisation in the course of its business, and as evidence of its activities or because of the information contained.


The lifecycle of a record has four stages: Creation, classification, maintenance and destruction. Your compliant records management programme needs to address each of these stages.


There are four steps to implementing a programme:

Iron Fact

32% of organisations describe their information storage as chaotic and admit that documents are often placed in storage never to be seen again

Source: Iron Mountain research August 2012

1.Creating A Records Retention Policy

The retention policy dictates how long a record should be stored before it is destroyed. To develop an effective policy, the company must have a thorough understanding of the records that it stores.

Research must be conducted to determine the relevant national and industry regulations for different record types. It is recommended you seek legal counsel to ensure your programme meets the particular needs for your business.

Categorise the information you hold and document the clear consistent rules that must be followed for each category. This includes how long certain information can or must be kept before it is destroyed. A retention schedule must incorporate both paper records and digital files.

Case Study: Airbus Germany

Requirements for document retention and archiving include EASA Part 21 (aviation law), EN9100 (quality assurance in the aviation industry), and ISO 15489 (guidelines for document management).

Furthermore, all aerospace manufacturers apply internal processes to protect their commercial operations and provide safeguards against potential product liability. Aviation law stipulates that manufacturers must, on occasion, provide the authorities with large volumes of information in a very short time.

Iron Fact

40% of companies describe their information storage and access systems as over burdened

Source: Iron Mountain research August 2012

“Compliance with the regulatory specifications for documentation on the part of all aircraft manufacturers, including Airbus, is vital to fulfil our legal, official, contractual and business requirements. Our continued accreditation depends on it.”

Spokesperson, General procurement department, Airbus Germany

Questions To Answer:

Seek specialist legal advice to determine:

  • What are the applicable document retention laws in your country/territory?
  • Which document retention laws are applicable to your industry?
  • What are the financial penalties and other consequences of non-compliance?

Top Tip :

The Retention Schedule is the key document in your compliant records management programme. This categorises all paper and digital documents, recording how long they can or must be kept.

2.Indexing And Archiving Of Records

The next step is indexing the records so that they are easily locatable to ensure rapid retrieval. Expert providers can store these records off-site in a variety of ways from files on shelves to files in boxes using barcode tracking and system-driven workflows to ensure a fully compliant audit trail.

Records must be stored in such a way that they are accessible and safeguarded against environmental damage. Vital records may need to be stored in a disaster-resistant safe or vault to protect against fire, flood, earthquakes and conflict.

Scanning And Digitising Documents, Best Practice:

Scanning, or more accurately, capturing information through imaging, provides your business with an effective way to integrate paper and digital records management. It enables information to be shared between departments in separate locations simultaneously, becoming immediately accessible to anyone who needs it, and business processes can be automated, reducing costs and improving efficiency.

  • Get staff support:This is essential for the successful conversion to digital information. Without staff support, employees may make their own copies and print outs, resulting in unstructured archives in multiple locations.
  • Get legal advice:Take the time to survey the regulatory landscape for your country and industry, and build in the ability to meet any regulatory requirements from the outset.
  • Only digitise what you need:Documents from existing files that will rarely be retrieved should only be absorbed into the digital system if and when they are actually required.
  • Use internal and external experts:Staff who use the documents regularly are in the best position to recommend effective tags and labels, guided by external experts.

Top Tip :

Programmes can be complex and difficult to implement, consider the time and cost benefits of using an external document management company.

Case Study: Probate Service

The Probate Service stores wills dating back to 1858, including those of Princess Diana, Charles Dickens and Charles Darwin.

The Probate Service needed a single site that would fully protect its documents in the centuries to come, while allowing cost effective access. It also had targets to meet. Of solicitor, notary, or barrister applications, 95% have to be processed within seven working days of receipt of all necessary information. For personal applications, 85% have to be processed within one month of receipt of all necessary information.

“Genealogy has become a national pastime and, as a result, has created unexpected demand for the Probate Service’s retrieval offerings. We’re seeing a 20 per cent increase year-on-year for retrieval requests.”

Neil Bryan, Contract Manager for the Probate Records Centre

Iron Fact

65% of information leaders are anxious about the disconnect between paper and digital records

Source: Iron Mountain research August 2012

Indexing Paper Documents:

Barcode recognition provides an effective and efficient way to index paper documents. Barcodes can be placed on individual documents, or as a cover sheet for documents with multiple pages. Barcodes can be scanned from printed documents and read from online files/PDFs, and data can be easily exported in a format compatible with your databases.

Indexing Electronic/Digital Documents:

A document management system can be used to index electronic files. There are multiple solutions available so it is necessary to conduct a full cost-benefit analysis to ensure your chosen solution meets your business needs. Issues to consider include compatible file types, metadata/ tagging and search functionality, integration with offline or other records management solutions, document retrieval and security.

Archiving – Tape And Cloud

Tape and cloud can address your most critical backup, recovery and archiving requirements. To craft a strategy that balances their benefits, evaluate your data access and recovery capabilities against the cost of providing them via tape and/or cloud technology. By doing so, you’ll be able to deliver real efficiencies and cost savings to your company.

Top Tip :

When creating an inventory of all your documents and electronic files, ways of categorising this information should naturally align with the goals of your programme.

3.Ensuring Certified Destruction Of Records

Once a record reaches the end of its retention period, you should ensure its proper destruction. An expert provider will enable you to audit and prove your secure destruction process providing written approval, verification and the creation of a Certificate of Destruction as proof of compliance with the Data Protection Act.

Document Destruction Checklist:

Before destroying any documents in accordance with your retention schedule, you should also be aware of the following:

  • Legal: Check with your legal department to ensure documents are not required for any ongoing legal proceedings.
  • Chain of custody:Confidential waste needs to be tracked from the moment it is designated for destruction until it is destroyed. For certain documents certification of destruction is required.
  • Standards:There are standards that govern secure destruction like BSIA standard EN 15713:2009 level 4 / BS8470 level 4. Standards cover security processes and the size of the pieces of shredded paper to ensure your confidential information cannot be reconstituted.
  • Costs:If a 200 employee company produces an average of 400kg paper waste per week, of which 15% is confidential, what are the costs of secure destruction? If an average machine shreds 2.5kg per hour it would take 24 employee hours per week to shred. On a junior salary of £25,000/€30,000, annual destruction costs could be around £15,000/€18,000. Source: Secure Information Destruction, Iron Mountain, 2011.
  • Environment:Recycling one tonne of shredded paper can save around 15 trees, helping meet environmental targets for your organisation. Source: Baxter CVG case study.

BSIA Level 4 Compliant Document Destruction

Certain documents need to be shredded into small enough pieces to be BSIA level 4 compliant

Top Tip :

Audit your programme regularly and keep your reporting centralised so you can monitor medium and long-term trends.

These can then inform your planning, strengthening your programme.

4.Off-Site Storage Of Backup Data

Another area that is often overlooked is storing backup media in an off-site location. By keeping the data off-site, you reduce your risk should there be a disaster.

Backup media should be tracked using barcodes and stored in a temperature and humidity-controlled environment with the highest levels of security to ensure the safety of your critical business data.

Data Backup Checklist:

Ensure your current data backup programme enables you to answer the following questions:

  • What conditions are your media stored in to protect against environmental damage?
  • How quickly and easily can you access your backup data in the event of an emergency?
  • How is your data stored to protect against security breaches without compromising the availability of data that will benefit your business?
  • What processes do you have available if you are unable to locate a specific file?
  • Do you have/require a mix of encrypted and unencrypted data?
Iron Fact

25% of decision makers feel unable to implement a holistic approach to information management

Iron Mountain research August 2012

40% of companies consider natural disaster to be the biggest threat to information security. Source: Extreme weather and business continuity, Iron Mountain, 2012.

Floods – it was estimated by the Environment Agency that the number of commercial properties affected by the 2007 UK floods was between 7,000 and 8,000. The cost to affected businesses was on average between £75,000/€90,000 and £112,000/€135,000. Source: Environment Agency.