or Huddle, or Amazon, or Google, or all the other emerging cloud-based
document management collaboration applications. (note to self, don’t show your age by using document management.)
I attended an ARMA half-day seminar last week in the S.F. Bay Area that included a round-table discussion at the end of the day. One of the questions raised was about the new generation of SaaS cloud-based collaboration applications and how they handle records management and retention.
The original question revolved around the ability to manage documents on an SaaS application from a corporate point of view and the person asking the question seemed to think that it was the responsibility of the SaaS vendor to provide these capabilities, which they don’t and may or may not in the future. Even if you sign a contract (for free or paid services) with the SaaS providers they do not have records management capabilities in place and the responsibility will fall back to you (the corporation) to ensure that users use the applications within your governance framework.
As a side note, one of my clients wanted to make the documents and spreadsheets we were working on more accessible as we were emailing and updating in a single-file manner to three different people. The client suggested that we use Google Apps and she opened up one of the free sites instead of waiting for IT to give us some space. We loaded that site up with originals, versions, and what not over a 4 month period. When the project was over the site was still there and many of the documents were never transferred to a corporate site.
The potential issue is that even if the documents you are collaborating on are left in place in the cloud-based site (instead of, or in addition to, keeping documents on your IPad or phone), there is no records management capability for these documents. If Bob, on his own creates a site and starts using it with a group of other employees, the site will be in Bob’s name and his company would not have the right to shut the site down or ask that the records within the site be preserved – until legal gets involved and some type of legal action is started.
The problem arises when the “corporation” allows workers to access and use SaaS type applications for corporate business or has no policy that requires some type of governance when an SaaS service is used for corporate business. This exposes the corporation to unmanageable and un-necessary risk.
Suppose a small group from Marketing goes outside the company and uses box.net to collaborate on a new marketing campaign and when brought to light, it somehow becomes the basis for a lawsuit by another company. Who is responsible for knowing where these records/documents are, ensuring they are not changed or deleted, and that they are preserved for a legal hold? Don’t blame box.net if the documents are deleted or changed after the legal hold is in place– they are just providing the service to the “owner” – whoever that may be.
Well, don’t blame any of the SaaS companies for causing this situation and subsequent potential problems. Based on the discussion in the ARMA session, it would appear that access to and use of these SaaS application is not really on anyone’s radar when used outside of the corporate governance policies. There are cases when use of the SaaS service is approved and brought in-house but even then, are adequate controls put in place to “capture and declare” records? Are these records held in place or captured and downloaded to a corporate server for a legal hold?
Is this really anything new?People have been creating and emailing documents using their own personal computers and email accounts. How is this different? I think that because the SaaS applications offer the ability to work and collaborate very effectively, outside of IT and corporation, that there is the possibility for many projects to begin on these sites without corporate knowledge or governance. These sites offer tools and “conveniences” that may not be available within the corporation and hence have great appeal to a wide range or audiences. Thus the potential for having a major problem grows as employees successful use these services and tell their business associates how to create their own sites.
Not to be a “Sky is falling” person, but what are you doing to ensure that employees are aware of the potential issues of using these SaaS services to do company business?