International Firms Face Complex RM Challenges

By Dan Elam posted 08-05-2010 13:32


This week the United Arab Emirates (UAE) issued new guidelines to take effect later in the year that will disable key parts of the service provided by RIM, the popular service for Blackberry smartphones. The UAE’s position basically was that because the phone records are stored off-shore (presumably Canada), they violate the records management regulations. In reality, the bigger issue is that the Blackberry service uses encryption, and that means that emails and web pages can’t be monitored by security forces in the UAE.

Obviously, terrorists can see substantial benefits in having an inexpensive, fully secure communications network that cannot be hacked by local authorities, so the UAE does have a point. Other devices like the iPhone, Android devices, and most PCs use fairly simple communications protocols that can be easily monitored by authorities. Even though the emails (records) are stored on a server remotely, the security authorities can easily see most communications. (In the US, intelligence and law enforcement personnel can and do go into email systems and monitor traffic. The FBI’s Sentinel program and some rumored NSA programs have the ability to monitor a wide variety of email, phone, and other traffic for suspicious activities. Most telecommunications systems have NSA back-doors for secret access, and there are rumors that Chinese telecommunications switches sold in Iraq and other places have similar backdoors for access by Chinese intelligence services.)

For multi-national companies, the problem is already hard enough when it comes to dealing with local regulations for records, privacy, and data localization. Consider a company with operations in the US and France. Companies based in France that disclose documents containing personal data (such as in litigation or personnel records) must also comply with the requirements of the French Data Protection Act or risk heavy criminal sanctions for failing to do so. Data controllers (which include records managers) are not required to file a specific “discovery” notification as long as their data processing activities have been regularly filed with the French authorities. Nevertheless, there must be a legal basis for any transfer of personal data to the U.S., and companies must notify the government of such transfers. The data controller may rely on the “establishment, exercise or defense of a legal claim” exception as a legal basis for a single and limited transfer of all relevant information relating to a particular litigation. However, safeguards must be put in place to cover onward transfers, such as when transferred data stored in the U.S. are further disclosed to a legal/regulatory authority (i.e., court order or government agency) or to other third parties. In practical terms, that means that the data controller/records manager not only has to know the disposition of the record, but must also be able to track and limit the transfer of records to other countries (even if in the same company) or to third parties. Making it even harder is the fact that the information can be limited based on personal information, regardless of whether it is a record.

For records managers who deal with multi-national operations, issues like this are exponential.  It isn’t just a case of knowing records management in a single jurisdiction for records: records managers must know how to manage data by data type (not just record) and know how information can be moved and when.

In the future, look for more governments to follow the UAE’s example. (Saudi Arabia followed yesterday for security reasons, and Brazil is increasingly using requests for records to help assess taxes and even make policy decisions on infrastructure.) Governments have learned that companies, especially large companies, have significant records and access to key information that can be important for security or other purposes. In the US and Europe, where privacy concerns are more sensitive, government agencies continue to increase their review of private information. National security, in effect, trumps personal security. The USA Patriot Act imposed new records-keeping requirements for international currency movement, and the result has been proven success in capturing would-be terrorists on US soil. Such success means that regulations for international records management are all but certain to increase.

In the past it was only very specific companies – like tobacco companies – that approached records management with this level of sophistication.  But for today’s records managers, complex issues that used to be “hard” will just be the normal course of business.

#multi-national #records #Management #international #ElectronicRecordsManagement #UAE