Many companies make backups of their electronic information and store operational data in electronic archives. However, many don't do this correctly or thoroughly and they are unaware of the resultant legal ramifications.
There is a great deal of South African legislation that requires companies to not only retain records, but preserve them in a responsible manner, giving due care for their safety. If those records happen to be electronic then due care means proper backups, that they are correctly stored, protected and available for the duration of their useful life.
This comes as a result of guidelines and both old and new legislation in SA. More specifically, some of these laws are:
* The Close Corporations Act, number 69 of 1984;
* The Companies Act, number 61 of 1973;
* The Promotion of Access to Information Act;
* The Financial Intelligence Centre Act;
* The King II report on corporate governance;
* The right of access to records of public bodies;
* The Electronic Communications and Transactions Act; and
* The Financial Advisory and Intermediary Services Act.
The Promotion of Access to Information Act contains a section detailing the right of access to records of public bodies. "A requester must be given access to a record of a public body if certain conditions are met. If that information is held on a computer system, the government department has a responsibility to ensure the information is available, and this means that adequate steps must be taken to protect those systems."
Civil servants untrained in the mysterious art of records management will be hard pressed to deliver on government's policies.
Paul Mullon, Metrofile's information governance executive
Information stored on an unmarked backup tape or in an uncatalogued digital archive in a dark and chaotic basement will not be available. Civil servants untrained in the mysterious art of records management will be hard pressed to deliver on government's policies. Mysterious is the correct word. There are few fully trained records managers available and they tend to be headhunted between firms and government departments.
By the same token, if backups are not performed, then the information might readily be lost instead of available. One system error or one power failure could lead to a staggering loss of information and data. Perhaps backups are conducted regularly but tapes are stored in the server room right next to the systems whose information they contain, or transported offsite in car boots or on back seats to the IT manager's home where they are placed in a cupboard. Those are particularly unsafe practices and officials will frown upon those conducting themselves in that manner.
According to the Companies Act: "When it appears...that any business of the company was or is being carried on recklessly...the court may...declare that any person who was knowingly a party to the carrying on of the business in the manner aforesaid, shall be personally responsible."
Slightly more subtle, yet equally menacing, the National Archives and Records Services requirements spell it out for government departments: "Governmental bodies should preserve and care for any item forming part of an electronic records system in such a manner as to ensure they are not exposed to harm or unauthorised access and under such specific conditions as the National Archivist may prescribe."
It continues with general maintenance guidelines: "Backup the files and documents on disks often. This is the single most important action users can take to ensure the information they need will be available. The central computer facility staff periodically performs system-wide backups. When users share a microcomputer, or have one on their desks, they must be encouraged to back up their files, preferably after every update. Keep a backup on the other side of a firewall or in an offsite location. Maintain preservation master sets and store these in a separate location..."
The guidelines continue and they spell out a number of important issues. The general tenets remain the same for government and private commerce.
Ensure the backups are performed according to a schedule. Conduct tests to ensure the backups are successful. This is crucial. Often the backups are done regularly but if they are never tested, and have failed, then the result is the same and the backup effort is wasted. Do not haphazardly transport and store backup media.
Failure to do so could result in:
* Loss of control;
* Lack of data protection;
* Lost data;
* Lack of adherence to corporate governance legislation;
* Business continuity being at risk;
* Backups being destroyed or unavailable in the event of a disaster;
* Risk management spiralling out of control; and
* Lack of environmental controls that destroys information.
Companies that perform their own backup and storage seldom take care of all of these risks or develop infrastructure of the necessary calibre because it is too costly and not their area of expertise.
Share