Image may be NSFW.
Clik here to view.
Any successful information management solution implementation requires establishing of a proper IM framework. Such framework will help with forming governance, setting up priorities, definition of constraints, and will give the overall direction to any future information programs.
The foundation of such framework is based on existing legal, statutory and regulatory requirements. Establishing of such basis, especially in larger organizations is not an easy task and requires involvement of several parties. I made an attempt to capture some of these laws, standards and regulations used in the US and in Canada. This list is far from being exhaustive; every organization – depending on type of business – will have to establish their own baseline, which will include specific industry regulations.
United States:
| Law, Statute, Regulation | Short Description |
| Sarbanes-Oxley (SOX) 404 and 409 – Corporate and Auditing Accountability and Responsibility Act | SOX deals with monitoring of creation and management of financial records, as well as disclosing of information about changes in the financial conditions or operations of the organization. It affects primarily publicly traded companies including accounting and security firms, auditors and brokers. |
| Health Insurance Portability and Accountability Act (HIPAA). | HIPAA refers to protection of individually identifiable health information. It enforces that organizations handling such personal information notify the patients about their privacy policies.Organizations affected by this policy include health plans and health care providers. |
| Children’s Online Privacy Protection Act (COPPA) | COPPA requires that online content providers, working with audiences that include children must use reasonable procedures to ensure that child’s parent is included in the process. |
| Department of Defense 5015.2 (DoD 5015.2) | DOD 5015.2 identifies requirements based on operational, legal and legislative needs that records management solutions vendors must fulfill. It affects software vendors of electronic document and records management systems. Several government offices in the US require compliance with this standard, but also some other, larger organizations implementing information management systems, often use this standard during selection process. For this purpose, this standard is often used outside of the US. |
| Securities Exchange Act (Sec Rule 171-3 and 17a-4) | SEC act outlines requirements for data retention, classification, and accessibility for organizations involved in financial securities trade. |
| Gramm-Leach Bliley Act | The act is regulating handling and sharing of personal information, and disclosing of privacy policy to consumers. It primarily affects financial services organizations. |
| IRS Rev. Proc. 97-22 | This guideline includes directives for taxpayers on maintenance of financial books and records using software applications. |
| Electronic Signatures in Global and National Commerce Act (ESIGN) | This act regulates use of electronic records and signatures in commercial transactions. |
| Fair and Accurate Credit Transactions Act (FACTA) | It allows consumers to request and obtain free credit report every 12 months. It also contains provisions to reduce identity theft and secure disposal of consumer information. The financial institutions are mainly affected by this act. |
| Fair Credit Reporting Act (FCRA) | FCRA regulates the collection, distribution, and use of consumer information, including credit information. It affects consumer credit reporting organizations. |
| Freedom of Information Act (FOIA) | It guarantees access to the full or partial previously unreleased information and documents controlled by the US government. |
| Government Paperwork Elimination Act (GPEA) | This act requires federal agencies, where practicable, to use electronic forms, filing and signatures to conduct official business. |
| Occupational Safety and Health Act (OSHA) | OSHA governs occupational health and safety in the private sector and federal government. |
| Uniform Electronic Transactions Act (UETA) | The purpose of this act is to integrate the differing State laws in matter of retention of paper records, and the validity of electronic signatures. It supports the validity of electronic contracts. |
Canada:
| Law, Statute, Regulation | Short Description |
| Personal Information Protection and Electronic Documents Act (PIPEDA) | It governs how the private companies collect, use and disclose personal information in the course of conducting business. |
| Secure Electronic Signature Regulations (SOR/2005-30) | These regulations stipulate how digital signatures are created and verified. It is related to Canada’s Evidence Act dealing with integrity and validity of electronic documents. |
| Access to Information Act | Regulates access to the full or partial previously unreleased information and documents controlled by the Canadian government. |
| Privacy Act | This act stipulates rules how the federal government must deal with personal information. |
| Limitations Act | Limitations Act defines period of time during which legal proceedings maybe initiated, and thus influencing definitions of retention periods. |
| Ontario Bill 198 | It provides regulations of securities issued in the province of Ontario. It roughly corresponds to Sarbanes-Oxley in the US. |
| Microfilm and Electronic Images as Documentary Evidence Standard | This standard deals with microfilming and electronic image capture. It also describes process of establishing a program helping with ensuring document integrity, reliability and authenticity. |
| Electronic Records as Documentary Evidence Standard | This standard delivers provisions to ensure that electronic information is trustworthy, reliable and authentic. |
It is important to remember that the process of establishing such baseline requires deep involvement of legal department, and several business subject matter experts. Since the laws and regulations change from time to time, the organization should appoint a steward responsible for maintenance of the framework, and establish a governance model describing what to do, when such laws or regulations change.