Few companies implement secure document management processes

Johannesburg, 13 Jan 2004

Many companies have dedicated time and effort to ensure they have secure content management, but most approaches fall short because they only manage electronic content such as Word, Excel or scanned documents, and not paper content, while 70% of an organisation's documentation is still in that format.

Sybille McCloghrie, director of Tilos, says in order to manage documents securely, companies and government departments must put in a process that explains exactly how all types of documents, electronic or paper, will be handled under different circumstances.

McCloghrie says solutions that deal with the electronic storage of documents are commonplace and relatively easy to deploy, but many organisations ignore an approach that dictates a combined methodology that incorporates the storage and management of paper-based documents.

The Promotion of Access to Information Act makes it legally binding for organisations to have such a plan. The Act calls for companies to have a plan and produce a manual explaining how documents are saved, for how long, where, and in what format, as well as how they are retrieved when required.

McCloghrie says: "In terms of the Promotion of Access to Information Act, anyone can ask for a piece of information they believe they are legally entitled to, such as documents that might be relevant in a legal case or a tax investigation. This can be any kind of information; whether it is in electronic format or paper format, it must be managed in a consistent manner.

"The problem comes with paper-based documents, such as invoices, contracts, memos and minutes of meetings, that are not in electronic format. Unless the organisation has a process and methodology around how it stores and manages paper content, it will not fulfil the requirements of the Act.

"Furthermore, from a security perspective, it could end up with information sensitive to the company getting into the wrong hands, which it often does, as we can see from press reports that reveal goings-on in corporations or government departments."

She adds: "All organisations must comply with the act. They have to produce a manual that is published in the Government Gazette and outlines their policy on how they look after all their documentation."

McCloghrie says many private sector and government departments missed the previous deadline of 28 February last year, as well as the extended deadline. Government has once again extended the deadline for the private sector, but government departments have no further leeway to comply.

The same goes for the Electronic Communications and Transactions (ECT) Act, which is an attempt to establish a formal structure to define, develop, regulate and govern e-commerce in SA.

In order to comply, says McCloghrie, companies must develop a plan or implement systems on how all types of documents are to be handled. For instance, in the case of a paper invoice, the first year it may be stored in the accounts department, the second year in a safe in the storeroom, thereafter at Metrofile, then it will be destroyed when it is no longer legally binding to keep it. "In this way, when documents get to a certain age, they get moved in a planned, methodical way from location to location," says McCloghrie.

"When there is an enquiry - either internally or externally - regarding a document, then the organisation can find it at a certain place within the system, depending on what type of document it is and how old it is. The timespan differs depending on the document type. Some documents must be kept for five years, others seven, and yet others for the life of the company or a client, such as a policy-holder. Some never age - they must always be available."

With documents that contain sensitive company information, organisations must balance the legal right of the person requesting it with the rights of the company and the requirements of the Act.

"Organisations should have a process in place so that when a person asks for a document, they can find out whether they in fact have it, electronically or in paper format, how sensitive is the information it contains, whether they can hand it over to the person asking for it, whether there must be approval from management regarding its disclosure, or whether it cannot be handed across at all. Then they should be able to find the actual document and pass it along to the person requesting it, if it does not contain sensitive information.

"If it does, they cannot simply refuse to part with it. They may have to trim it to remove the sensitive details. If they refuse to hand it over, they have to provide valid reasons why and justify the decision. Losing a document is not a good enough reason for not handing it over. If you can't find it, you could be in trouble by default.

"Ultimately, companies will have a process in place, which is already being used by some banks, whereby they destroy the paper version of a document and keep it in electronic format. The ECT Act allows for an electronic document to be produced in court, as long as it can be proven that it is unchanged from the original. This is done by means of digital signatures and other technologies," McCloghrie concludes.
