Amadeus International  
Français

Electronic Record Management Best Practices

Overview
21 CFR Part 11
Audit Management
Change Control
Corrective Preventive Action
Competency Management
Customer Complaint Management
Electronic Content Management
Electronic Record Management
ISO
Risk Assessment
Sarbanes-Oxley
Validation
Home / Best Practices / Electronic Record Management  

Surviving the Regulatory "Perfect Storm"

Recent global requirement that address electronic records security, privacy, and governance have converged on regulated communities thus leading to a "regulatory perfect storm". As the analogy implies, these rare converging forces have intersected across multiple regulations simultaneously in a manner that fundamentally changes the way we view compliance. Regulated organizations across the globe have adopted Enterprise Document Management/Enterprise Content Management technologies and related applications for the management of regulatory controlled content. These systems in and of themselves are not able to withstand the impact of the perfect storm.

As these systems mature absorbing more and more critical information for regulatory submissions, product specifications, clinical information, and other important data, organizations must ensure the long-term management and access to this information in accordance with predicate rule guidelines. The predictions for the impact of records management are clear and convincing. Gartner latest prediction says that "adoption of records management technology will increase, with 50 % of all Global 2000 enterprises, either by adapting existing document management systems or buying stand-alone records management systems by 2005 (0.7 probability). One of the observations Gartner makes regarding the Sarbanes-Oxley Act and the IT department is the importance of the "legal discovery of electronic documents". It claims that "those enterprises that don't keep proper records or cannot produce them will pay heavy legal costs and, possibly, financial judgments".

What Is Electronic Record Management?

Electronic records management in most companies has historically been a very manual process delegated to a group of well respected professionals in the back office. Electronic record management includes four basic aspects:

  • Indexing: The process of establishing access points to facilitate retrieval of records. (ISO)
  • Classification: Systematic identification and arrangement of business activities or records into categories according to logically structured conventions, methods, and procedural rules represented in a classification scheme. (ISO)
  • Long term archival: The process of creating a backup copy of computer files for long-term storage.
  • Storage: The function of storing records for future retrieval and use. (AS 4390.1)

Characteristics of Trustworthy Electronic Records

The characteristics of trustworthy electronic records are:

  • Reliable: Electronic records whose content can be trusted as a full and accurate representation of the transactions, activities, or facts to which it attests and can be depended upon in the course of subsequent transactions or activities.
  • Authentic: Records proven to be what they purport to be and were sent or created by the person who purports to have created and sent them.
  • Integrity: Refers to the complete and unaltered characteristic of a record. Another aspect is structural integrity. The structure of a record, that is its physical and logical format and the relationships between the data elements comprising the record, should remain physically and logically intact. Failure to do so may hinder the records' reliability and authenticity.
  • Usability: A record which can be located, retrieved, presented and interpreted.

All good electronic records include these essential characteristics.

Prior to implementation of any technology, a file plan should be developed. The Records Manager is the coordinator of the corporate records program. The Record Manager designs and implements the file plan and associated retention rules for the business. Many businesses keep their information indefinitely in their document management repositories.

It is important that all life sciences companies recognize that electronic record management is essential to establishing and achieving sustained compliance programs. All of the information stored in what are today's document/content management repositories are in fact legally binding electronic records. The first step towards electronic records management is recognition of this fact.

What is DoD 5015.2?

DoD 5015.2 is a widely referenced design criteria standard for electronic record management systems. Although published by the U.S. Department of Defense (DoD), the standard is not DoD-specific and has commercial applicability. To ensure vendor compliance with DoD 5015.2, a certification process has been established to confirm adherence to a pre-defined set of rigorous criteria.

It is believed that the standard is very relevant for life sciences organization. The standard provides a set of criteria for the establishment of good electronic record management systems. Coupled with electronic signature-oriented systems, organizations have assurance that their systems meet stated criteria. Also, DoD 5015.2 provides a pre-defined set of requirements for record management. This is very useful for life sciences companies, and it can accelerate the requirements phase of any software initiative.

Electronic Records Management Best Practices

The following best practices will ensure that your organization can weather the regulatory perfect storm.

  1. Integrate electronic content/record management. Recent trends have forced the convergence of two overlapping technologies. Electronic records management systems manage the full lifecycle of records while content management systems typically focus on their active lifecycle. The overlap is that both systems manage active content lifecycles. However, records management takes the process a step further, enabling the indexing and classification of electronic records. Classification of electronic records refers to the process whereby electronic documents stored in an electronic records management repository are assigned subjects that match the documents subject. Classification is used to facilitate disposal and retention policies. It is current best practice to integrate these technologies in a seamless manner.
     
  2. Understand the legal implications of electronic records prior to system implementation. This is the most critical best practice of all. Electronic records created in the course of everyday business are official records that may be evidence in the case of any litigation against the company. As such, it is best practice to ensure that the records are maintained in a manner that ensures their integrity, authenticity, accessibility, reliability and usability throughout their retention. It is mandatory that users understand the regulatory implications of electronic records prior to implementing the system so that policies can be built into the automated system to ensure compliance.

  3. Establish a file plan early. One of the first steps in establishing a well-rounded electronic record management plan is to establish a file plan prior to implementation. A file plan facilitates the thought process as to the classification and metadata associated with electronic records.

  4. Formulate an electronic records preservation file plan. It is essential best practice to establish a record preservation plan to protect all records against unauthorized access or destruction. It is also best practice to:

    • Consistently backup all files to reliable media;

    • Prohibit the use of diskettes for long-term storage of electronic records;

    • Limit or control transfer of corporate records to diskettes or other transportable media;

    • Maintain records in file neutral format where appropriate;

    • Migrate Web-based records and their associated metadata to avoid technological obsolescence.

  5. Establish well-rounded record management team. Electronic record management affects a broad constituency. It is thus common best practice to establish a team that consists of members that represent each key domain of the business. Given the impact of records on the stability and management of the organization, it is recommended that a designated executive champion be named to ensure the proper visibility, attention, and resource allocation to this important initiative.

  6. Train technical team. Training is an essential part of any compliance initiative. It is recommended best practice to train technology practitioners as to the legal implications of electronic records in addition to subject matter experts and traditional knowledge workers. Back office personnel can have the greatest impact on the execution of electronic record management policy. Yet, many of them have no exposure to the legal impact of what they do on a day-to-day basis. In a recent U.S. court case during on-going litigation, the backup Administrator of the defendant company was recycling/over-writing backup tapes because he had no spare tapes. This resulted in destruction of evidence... and he lost the case for his employer.

  7. Establish policies and clearly communicate them. The Andersen/Enron debacle is proof that good best practice is to establish electronic records management policies and clearly communicate them. It is recommended that this due diligence be implemented to ensure that your entire team is doing all it can to enforce consistent policy across the organization.

  8. Avoid point solutions. Electronic record management affects the enterprise and it can have disastrous results if applied in a piecemeal fashion. It is strongly recommended best practice to avoid point solutions for electronic records. Electronic record management policies should be applied in a consistent manner across the enterprise.

  9. Don't keep electronic records forever. All corporate electronic records have a lifespan. This lifespan is typically dictated by predicate rules or internal corporate governance requirements. Many professionals in regulated companies view it as wise policy to keep everything "just in case". This is not good policy and it can lead to evidentiary issues for records kept beyond their required retention period. You should NEVER modify or destroy record in the event of pending litigation. However, during the normal course of business, it is best practice to establish automated retention schedules that trigger the destruction of records that are beyond the required retention period. From a systems perspective, it is best practice to trigger the Records Manager or Administrator as to the expiration of a given record. Thus, the Administrator or Manager is able to apply an electronic signature authorizing the official destruction of this information from all electronic repositories. For organizations that store the same electronic record in multiple record storage locations, it is good best practice to index these records to ensure that all electronic copies are destroyed.

  10. Establish and communicate record retention policies. We are now all intimately familiar with the famous Andersen/Enron case, whereby company executives at Andersen, in an attempt to "remind" employees about retention policies, ended up destroying evidence... and the company with it.
Copyright © 2008 Amadeus International Inc. | Privacy Policiy | Terms & Conditions | Site map
Print