The regulations, which went into effect this week, give clarification to the legal requirement that has been the law in California since 2000. Local agencies are not required by either the regulations or the law to maintain their official records electronically, but if they chose to do so they must be sure the system in which the information is stored is considered trusted under ARP1 (2009).
At its core, ARP1 (2009) requires a trusted ECM system to have the following components:
- A combination of hardware, media and software storage to prevent unauthorized alterations
- Verifiable through independent audit processes
- Write at least 1 of the 2 required copies to a safe and separate location
- Policies and procedures for proper records handling.
Both the AIIM and ISO (ISO 15801 adopts similar concepts) recommendations recognize that there are too many variations for how each organization constructs its system to select just one methodology. Therefore, those bodies recognize that the ultimate goal is to prevent unauthorized alterations to the records and use that concept as the central theme to constructing a trustworthy system. Having redundancy and transparency are two additional components, as is the need to clearly state how the records will be handled through the adoption of policies and procedures, so that the staff members are consistently trained and understand the roles and responsibilities.
Unfortunately a greater number of official records are never transformed into any type of physical document, so the regulations do apply to those records created by the government. Public agencies should be mindful of this trend and comply with California Government Code section 12168.7 and California Code of Regulations, Title 2, Div. 7, chapter 15, sections 22620.1 through 22620.8. Failure to store and manage official government records in a trusted system could leave the public agency without a solid answer to the question of how it knows the information on those official records is true, accurate and reliable.