In March 2004 agreement was reached by the members of Technical Committee 46 at Standards South Africa (SANS – previously the South African Bureau of Standards) to adopt SANS 15489 as the first South African standard relating to the management of business records. The effect of this was to bring the discipline of records management firmly into the line of vision of private sector organisations that have been grappling with an effective means of linking good corporate governance with effective records keeping.
Momentum for the adoption of SANS 15489
The momentum behind the adoption of SANS 15489 began shortly after the promulgation of the Promotion of Access to Information Act 2 of 2000 (PAIA) on 9 March 2001, the Financial Intelligence Centre Act 38 of 2001 (FICA) on 1 February 2002 and the Electronic Communications and Transactions Act 25 of 2002 (the ECT Act) on 30 August 2002.
CHapter 2 of PAIA opened the debate of what constitutes a “record” for private or public bodies by requiring these bodies to produce a manual listing their records holdings. While the public sector has for years had certain record keeping obligations imposed on them – specifically by National Archives legislation (National Archives of South Africa Act 43 of 1996) and the concept of a record defined within that legislation – this was not the case with the private sector. What PAIA required was that private bodies now had to define what a record meant in the context of their environment (bearing in mind that the definition of a “record” in PAIA is so wide, it can potentially include any information) which meant that – for Professor Iain Currie – even “retired taxi drivers and the street-corner hawkers of roasted mielies” had to identify what records related to their activities.
FICA imposed specific records management / keeping requirements on “accountable institutions” which for the first time in South Africa made it a criminal offence (imprisonment for a period not exceeding 15 years or to a fine not exceeding R10 000 000.00 in terms of section 68(1)) to willfully tamper with or destroy a record within the 5 year retention period referred to in FICA. This gave much debate as to what constituted a record.
The ECT Act complicated matters by bringing the debate into the electronic environment by giving legal recognition to electronic business records and ushered in the whole concept of “integrity”: imposing a functional equivalent of paper records, namely proof of origin, reliability and the guarantee that the record will always be available for subsequent reference.
Shift from paper to electronic
Unfortunately the required paradigm shift from a paper to an electronic environment has not fully materialized and a tendency of dealing with these changes has been to adopt what Terry Cook refers to as an “electronic records, paper minds” approach: attempting to apply tools and methodologies that have worked in a paper based environment to an electronic environment with little or no comprehension of the unique peculiarities surrounding e-records and the resultant impact of these on traditional records management practices.
Confusion around how to treat (paper and) electronic records in the private sector exacerbated by the above issues resulted in a scenario where the private sector was desperate for some guidance on how to manage records and as a result, it was the private sector that largely pushed for the adoption of SANS 15489 as a South African standard.
Whilst the South African National Archives (SANA) has made compliance with the requirements of SANS 15489 mandatory for all public bodies, the same cannot be said for the private sector.
Why adopt a standards based approach?
There a several reasons why it makes business sense to adopt a standards based approach to managing records:
- Codification of best practice: Standards usually are the result of a codification of best practice, and as such, provide guidance and a “road map” of implementing tried and tested methodologies and approaches. This is particularly relevant to the South African private sector as there are very few organsations that to date have implemented or have any experience in implementing formal records management programs. SANS 15489 therefore serves as a useful framework for the private sector to follow.
- Lessons learned abroad: Given that SANS 15489 is based on the same ISO standard, organisations in South Africa are able to draw on the lessons learn’t from organisations in other parts of the world that have implemented / are implementing ISO 15489. From this, South African organisations are able to benchmark implementation costs and their return on investment against other organisations.
- Creation of local body of expertise: As increasing numbers of South African organisations start implementing SANS 15489 in part or whole, a body of local knowledge will be created which will result in records management skills and expertise being made available to other organisations who wish to implement similar programs.
Whilst SANS 15489 lays a solid foundation for implementing sound business record keeping programs, it has a number of weaknesses specifically relating to implementing information security and document integrity measures insofar as they relate to records. In other words, it tells you what to do, but not how to do it. In order to address these weaknesses SANS 15489 needs to be implemented in conjunction with at least two other standards: SANS 27001 which deals with information security and the BSI Code of Practice which deals with evidential weight and document integrity.