Case Study: An Essential Records Program in an Automated Corporate Environment

by Bill Manning B.A., U.E.
Supervisor, Records Management Services
Canada Science & Technology Museum Corporation

(Editors note: The following case study represents the summary of a detailed study and report prepared by the author on the essential records status of a highly-automated Federal Agency. In the coming year he hopes to have his findings presented for analysis and ultimately to have some of his recommendations integrated into the Corporation's Business Continuity Plan. Some of his personal perspectives have already inspired some debate among his colleagues, but he is confident that the overall approach will be well received by Senior Management. Until then, the reader is advised that what follows contains Mr. Manning's observations and recommendations, which will hopefully be useful for discussion, but have yet to be endorsed and implemented by the Canada Science & Technology Museum Corporation.)

Introduction:

Emergency Preparedness Canada defines an "essential record" as any document, regardless of format, containing information that would be required following an emergency or disaster to facilitate:

-disaster response,
-resumption of critical functions, and /or
-recovery to pre-emergency conditions.¹

The Canada Science & Technology Museum Corporation (CSTMC) in Ottawa is a Federal Crown Corporation that operates three museums: the Canada Museum of Science & Technology, the Canada Aviation Museum and the Canada Agriculture Museum. When the term "essential records" is used in this institution, it could perhaps more properly be replaced by "important documents," since museum programs could hardly be considered essential during a major emergency. In any case, the term simply means information that would be necessary to restore the museums to pre-emergency conditions as expediently as possible following a disruption.

Traditionally, implementing an essential records program involved periodically and systematically searching paper-based Corporate information holdings to identify documents determined to be "essential" (ideally about 3% of the agency's total record holdings), reproducing them by means of photocopy or microfiche, and transferring the copies to a remote physical location for safekeeping. The CSTMC operates in a highly automated environment where, for all practical purposes, the automated records on the computer centre's "network" are recognized as the "official" records of the agency. CSTMC does not, however, have an electronic records management software program, so these records are not under the control of the Records Manager. The small Records Management staff does control the life cycle management of paper-based records, but our role begins once they become semi-active. The CSTMC does not have a Records Management or Essential Records Committee, but it does have a Business Continuity Plan. Senior Management decided to review and update the plan, to include a module in the manual on Essential Records, and to assign the Records Manager a place on the Business Continuity Planning Committee. The CSTMC occupies a number of buildings throughout the city of Ottawa, so off-site storage effectively means internal rotation of information to other Corporation-owned facilities.

Fire at the Agriculture Museum:

On August 30, 1996, a fire at the Central Experimental Farm destroyed the administrative and program offices of the Canada Agriculture Museum. The paper records, programming materials, and the resource library were burned. Also lost were the computers (along with all the information on the hard drives) and back-up diskettes. Since the fire, staff at the Agriculture Museum make regular backups of their hard drives and store the back-ups off site every other week.²

The Network:

The "network" consists of two primary server locations, one located in the Informatics Section at the Corporate Administration Building on Lancaster Road, and the other in the Records Office at the Canada Aviation Museum at Rockcliffe. It contains all the major data base systems used in the Corporation, which include Dynamics (finance, purchasing, receiving), TMA (architectural, capital assets, vehicles), Collections Manager (artifact donation, cataloguing, conservation, restoration, loans), Point of Sale (cash registers at admissions & boutiques), Human Resources (personnel information and pay/pension records) as well as a number of others. The Corporate Internet website and the Intranet (an internal website available to employees only) are included, as are the LotusNotes e- mail accounts. The "O" drive is a "common drive" site for staff to post important documents (policies, guides and manuals) which are available on a "read only" basis to all staff. The "Y" drive (discussed below) allows each individual to post important documents for their own use and retrieval in a sector reserved for their exclusive use. Not included on the network are electronic records on the "desktops" or "C" drives of individual personal computers, such as records in WordPerfect and, of course, diskette records.³

The "Crash":

In May 2001, the hard drive in the desktop of a manager in Corporate Services at CSTMC "crashed," resulting in the loss of almost two years' worth of irreplaceable records. At a subsequent staff meeting, the Director of the division insisted that henceforth, all staff start sending their more critical documents to a backed-up network drive such as the "Y" drive.

Collections:

Information on collection objects (artifacts) was, until recently, recorded in hard copy format in a series of ledgers, accession files and catalogue cards.⁴ A number of data bases were subsequently set up on the Network several years ago, the most important of which were the Interim, Artifact, Spare Parts, Trade Literature, Loans (outgoing), Exhibits (incoming loans) and Conservation/Restoration. The two systems for collection data, hard copy and electronic, were maintained concurrently for a number of years on a trial basis. Catalogue information is now entered in electronic screens only, with hard copy equivalents discontinued. The decision to keep what are arguably the most important records in a museum exclusively in electronic format is a strong expression of confidence on the part of Collections Management staff and Senior Management that data in the network is safe from inadvertent loss.⁵

Y2K:

In 1999 a Business Continuity Plan⁶ was prepared in anticipation of a possible Y2K electrical power failure. Two measures were implemented that are significant from an essential records perspective.

1. On the night of Dec. 31, 1999/Jan. 1, 2000, information from both servers was downloaded onto tape cassettes as a precaution against an electrical power interruption and resulting computer crash. The Business Continuity Plan formalized what has been accepted practice for a number of years, that being to copy data onto tape cassettes on a daily basis and store them on-site. In the event of a network failure, the maximum data that can be lost is that which has accumulated in 24 hours or less. The Plan further stipulated that every month, at both locations, end-of-month data is copied onto a tape cassette which is relocated to another building by Security personnel. Cassettes from the Lancaster Road server are transferred to the Security Office at Rockcliffe; data from the Rockcliffe server is relocated to the Security Office at Lancaster Road. Tape cassettes are retained at the alternate location for one year. In this way the consequences of a computer "crash" and/or physical damage are effectively minimized.

2. As an additional precaution, the Business Continuity Plan called for the creation of the "Y" drive on the network and 100K of memory was allocated to each "user/owner" to copy documents they considered "important information." This space was provided in recognition of the fact not all essential electronic records were necessarily included on the Network, and therefore would not be adequately protected against accidental loss. The decision regarding what was to be considered "important information" was left up to the individuals, but the intent was to protect approved final documents that would be critical to the reconstruction and resumption of programs or projects for which they were directly responsible and currently in operation. These might include exhibitions, events, interpretive or educational programs, products or published works currently being developed.

Data on the network can now be backed up easily, quickly and inexpensively and in such a way that the possibility of loss of critical information is extremely unlikely. Having initiated these precautions to prevent loss of information resulting from the "millennium bug," the Corporation has undertaken to ensure that the measures described above will be perpetuated. The challenge, from an essential records perspective, is to ensure that, whenever possible, important records are identified, present in electronic format on the network, and can be retrieved quickly in an emergency. As the first step in facilitating this effort, we made recommendations detailing which administrative records should be included, using the Emergency Measures Organization's "Guide to the Preservation of Essential Records"(n.1). Next, we determined where these essential records were located within the Corporation, whether adequate protection against loss was being provided, and included further recommendations where appropriate. Lastly, for program (operational) records, we attempted to provide some general guidelines for the consideration of the managers responsible for them.

Operating Assumptions:

1. In many cases there will be parallel automated and hard copy systems containing much of the same data. Since paper-based filing systems are often incomplete, decentralized and not under the direct control of the Records Manager until they become semi-active, the electronic record should be considered the official corporate record.

2. If the electronic record is on the network, we can assume, for the moment, that mechanisms are in place to ensure that it is well protected (I will have more to say about this below under "Recommendations").

3. If the electronic record is not on the network, steps should be taken to ensure that the essential record, or a copy of the record, is included on the network . In the event of an unexpected power interruption or a fire such as occurred at the Canada Agriculture Museum, documents stored on the users' "C" drive can be lost. While transferring or copying them to diskettes stored off site (the Records Office?) may be a reasonable precaution for routine records, the important records should be selectively transferred to the "O" or "Y" drive on the network.

4. If the essential record exists in hard copy only, it should be duplicated and one copy (preferably the original) sent to the records office or the secured cabinet in the security office, depending on the nature of the document, but preferably to a location in a different building from the one occupied by the originator.

5. If the document is available outside the Corporation, extraordinary measures need not be taken to ensure the survival of internal copies.

Selected Observations:

In many cases we found that essential administrative data was present in the major systems on the network, and the minimum acceptable standard was met or exceeded. To use one example, the procurement function: each purchasing transaction is documented on a screen in the Dynamics system, and paper records are kept on a series of hard copy case files which are arranged numerically by purchase order number, grouped by fiscal year and kept in the records office. The requirement for essential records includes a list of suppliers and service agreements. Extracting this data from the hard copy files would be a time-consuming chore and the information would have to be updated regularly to be of any value. On the other hand the same information could be obtained easily from the Dynamics program which is well protected from loss and continually updated. The same basic principle can be applied to most other major functions of an administrative nature such as financial, human resources and architectural.

It was found that the Corporate Intranet, which is on the network, contained such standard essential record items as annual reports, corporate plan summaries, current approved policies, an organization chart, telephone and facsimile directories as well as commonly used forms. Many documents of interest were posted on the "O" drive, such as instructions, listings, manuals, directives and reference documents, and of course the Records Management Subject File Classification manual.

Many records would be available from outside sources. All published documents, including Annual Reports, Corporate Plan Summaries and numerous other outputs, are subject to "legal deposit," and can be obtained by contacting the National Library of Canada. Many corporate services, such as legal, banking, payroll and investments, are conducted by outside contractors. For records pertaining to ownership or occupancy of corporate facilities, signed originals are important, but backup data can be obtained through the Directory of Federal Real Property, the Municipal Land Registry office, the building owner (landlord), or the attorney retained by the agency.

Emergency Preparedness Canada adopts the position that only individual departments and agencies can determine for themselves what records in their custody should be designated essential. For operational or program records within this corporation, we similarly feel that this decision is best determined by the managers responsible for museum programs. The key to making this work, apart from creating awareness (see below), is to offer some general guidelines for their use. Managers will be asked to consider a number of scenarios, such as an overnight fire in their office, a power interruption erasing files on their "C" drives or extensive damage to a program such as an exhibition. The point of the exercise is to get them to think about what data would be critical to the continuation of their daily responsibilities and the restoration of programs, for which they are responsible, and are currently being offered, to pre- disaster conditions. Priority should be given to instructions, procedures manuals, forms and master lists of critical contacts and anything that constitutes a financial commitment or a legal agreement.

To use the example of the exhibition, the approved storyline and a diagram or architectural drawing of the final exhibit design would be necessary. It is important to remember that it is the information reflecting what was actually installed and is currently being offered that is important, not the draft, preliminary or superceded versions, working copies; not transitory documents, research materials or routine administrative correspondence that were generated in the process of developing it; not information about the artifacts on display that could be obtained from Collections Management; not a list of the construction materials that could be obtained from the Purchase Order screen/file; and not information on the previous exhibit at that location or the one to be installed next month. While large numbers of electronic records can be stored with relative ease, it is still important to be ruthless in selecting only those records that would be critical in re-establishing daily operations and programs currently being offered, and which are not available elsewhere. When the exhibition is replaced by another, old records should be removed from the "Y"drive, and replaced with the equivalent data for the new exhibition.

This is not to diminish the importance of records associated with programs offered in the past, which are important from a "history of the institution" perspective, but are not required to recover from a disaster, nor does it necessarily include plans for future programs, which, if lost, can always be reconstructed or replaced at a later date. Most of the information at the manager's disposal at any given time is routine administrative correspondence and transitory records which could be lost without significant negative effect on museum operations.

Recommendations:

• Awareness: Identify Essential Records: Creating awareness is an important element of an Essential Records program. Records Management, in this agency, controls little in the way of active records in any format. Again, only the managers responsible for specific programs can determine what records are vital to the reconstruction and continuity of those activities, and monitor and update the list as programs change. We should be periodically reminding staff of the need to devote due attention to this aspect of their jobs, while stressing the necessity to be selective so that a disproportionate amount of time is not consumed by this activity. Perhaps the identification and preservation of essential records could be included in the project management process and the performance appraisal process.  
• Awareness: Use the Safety Net: Safeguards will be effective only if people use them. As we have seen above, if back-up diskettes are left beside the computer, or important documents are not copied from the desktop onto a backed-up network drive, information can still be lost. In the case of one incident described above (the "crash"), an "executable file" has been installed on the screens of managers in the division affected, and the possibility has been discussed that it may be made available to all desktops in the Corporation. In practical terms, this simply consists of a special "to-Y-drive" icon - click and send! It lacks the transparency of an electronic records management system in that the user is required to make the conscious decision to save the document on the Y drive, but makes it easier to do once that decision has been made. Never rely on your hard drive alone to store important data. It is not a matter of "if" it will fail, but "when." A hard drive is like any technology with moving parts - it will eventually wear out even if no mishap occurs. Again, back-up mechanisms offer protection only if they are used.
• Acquire an Electronic Records Management System: While CSTMC operates in a highly automated environment, it has yet to acquire an electronic records management software package, although plans to procure a suitable system are in place for the near future. Most such applications can be set up so that when a document is created, the originator (or the Records Manager) can designate it "essential" and include a feature that will allow for automatic update. For example, if a policy is superceded by a new version, the working copy of an exhibition storyline is replaced by an updated version, or a draft copy of a business plan is replaced by a final copy, the latest one will be automatically designated "essential" and replace the previous one. To facilitate quick retrieval during a crisis, a "master list" of essential records should be available, which need not necessarily consist of the documents themselves, but rather electronic "pointers" that would identify them quickly.
• Ensure Access to the Network: Where automated and hard copy records co-exist, we assume that the electronic version is the "official" record, and therefore is the one eligible to be selected for preservation as "essential." Under normal (i.e. non-emergency) conditions, electronic documents are easier to manage, and numerous safeguards have been built into the Informatics system so that permanent loss of data is extremely unlikely during most foreseeable emergencies. It must be remembered, however, for this data to be accessible, one must have access to the network, which means that the Computer Centre must be operational, and that a reliable supply of electric power must be available. Should a sustained loss of electric power occur, such as during Ice Storm 1998, it can be argued that the only reliable essential records program is the traditional off-site cache of paper documents. Having said that, reasonable precautions can be taken to ensure at least intermittent access to the network. A diesel generator capable of providing sufficient power to run the servers for at least brief periods, over and above what is required to operate building systems, would be mandatory. To prevent the accidental loss of data, it would be critical that the electricity from the generator be "conditioned" through a UPS unit.⁷ A printer would be required so that once essential information is identified, a hard copy can be quickly produced, and the computer centre can be shut down so that fuel is conserved and the generator made available for other priorities.⁸

Conclusions:

The introduction of a traditional essential records program would be impossible at CSTMC since the electronic records and many active paper records are not under the direct control of the Records Manager. The corporate culture has developed over the last decade in such a way that, for all practical purposes, the electronic systems on the network are the official records of the agency. The Records Management staff are too few to effectively implement and maintain a traditional hard copy essential records operation. The possibility of senior management providing the necessary resources and support for such a program is extremely remote. However it appears that from a technical standpoint, as long as information is included on the computer network, the chance of permanent accidental loss of data resulting from an emergency is extremely remote, especially if the above recommendations are implemented. The challenge, from a records management perspective, is to coordinate the effort to identify those records that should be included on the network, and to ensure that they can be located quickly in the event of a crisis.

In the Information Age, responsibility for the preservation of essential records is, more than ever, a cross-disciplinary effort; the people with the most visible responsibility being the Informatics Support Specialists and Security Managers. However, Records Management retains a critical responsibility to participate actively in an advisory capacity. We are the specialists trained to manage information as a resource and to critically evaluate its content in terms of its record value. After all, it is the content, not the format, that determines what constitutes an essential record.

 

Notes:

1.	Guide to the Preservation of Essential Records, Emergency Preparedness Canada/National Archives of Canada, 1999
2.	Tarasoff, Tamara, Richeson, David, "Conflagration: A First-Hand Account of Disaster Management and Recovery," Proceedings of the 1997 Conference and Annual Meeting, ALHFAM, 1998, pp.249
3.	Husk, Graham, Technical Support Specialist, Canada Science & Technology Museum Corporation, personal communication, Feb. 2001
4.	Sections 5 & 6 of the National Archives Act exclude "library or museum materials." While the precise definition is the subject of some controversy, our policy equates "museum materials" with collection objects (artifacts), which includes objects in document form (trade literature, maps, drawings, photographs, archival materials, as well as those records that are generated during the process of collecting objects (artifacts), such as accession ledgers, accession files (donor files, supplementary information files), catalogue cards, interim records, and their electronic equivalents, donor forms/gift agreements, appraisal forms, condition reports, loan agreements, etc. As museum materials, they are not managed under the authority of the National Archivist of Canada, and therefore fall outside the sphere of control of Records Management, but many of the same principles apply.
5.	Johnston, Jim, Director, Collections Management, Canada Science & Technology Museum Corporation, personal communication, Feb. 2001
6.	Year 2000 Readiness: Business Continuity Plan, Canada Science & Technology Museum Corporation, 1999
7.	UPS is an acronym for Uninterruptable Power Supply; defined as an electrical device installed in a computer centre between the power source and the computer, for the purpose of ensuring an uninterrputed and constant flow of electricity to sensitive electronic devices. Its two functions are: a) to condition power (i.e. to regulate the voltage within precise parameters to prevent damage to, and ensure the correct functioning of microelectronic components, and b) in the event of a power outage, ensure that there is enough power to shut down the computer systems "gracefully". UPS systems use rechargeable batteries that must be monitored and replaced at regular intervals to ensure that the battery charge will last long enough to shut down all systems. When the power source fails, the UPS can supply sufficient power to keep the computer centre functioning for 5 minutes to 1 hour, depending on the battery. If continuing computer operations past the life of the batteries is desired, a generator can be used to keep the computer centre operational. Either the UPS must be equipped to run directly off a generator, or the generator must be set up to run the main building electrical system, which in turn powers the computer centre through the UPS.
8.	Husk, Informatics, March 2001