Retention of Documentation in ISO Standards
One of our frequently answered questions has to do with the control of Forms and Records used in Management Systems. Why does such documented information need to be maintained and retained, and how in the world can we manage them all?
Well, forms are designed to make sure that you collect the data that is required. Forms become records when used as work instructions, indicating steps and order of steps for a process, telling what data to collect, specifying the acceptable limit, and recording results of activities, such as monitoring and measuring.
ISO 45001 requires the maintenance and retention of documented information, (see also Documented Information) and highlights several key practices and specifies that record management is required to enable the verification of activities of an organization and the effective operation of its OH&S management system.
Record Management or RM is the managing or maintaining of official records to enable evidence of business activities. While ISO 15489 is not required to be included in the OH&S system, it can serve as guidance for organizations, especially larger ones.
Records management addresses six key issues:
Importance of Records Management
ISO 15489 Information and Documentation – Records Management and Guidelines for Implementation.
Part 1: General
Part 2: Guidelines for implementation
This 2-standard series provides guidance on records management in support of a process framework to comply with ISO standards.
It says records are information created, received, and maintained as evidence in pursuance of legal obligations or in the transaction of business. Records are a valuable source of information and an important business asset. A systematic approach to managing these records is essential to protect and preserve them as evidence of actions.
When a record management system is in place, you ensure that you have:
- Information about business activities.
- Proof of business decisions.
- Accountability to convince future stakeholders.
An effective RM system can provide continuous and ready access to all relevant records in the minimum possible time.
Principles of Records Management
Organizations need to define and document a policy to create and manage authentic, reliable and usable records that are capable of supporting business functions and activities. Record management policies and procedures should ensure that record creators are identified and authorized. In addition, steps need to be put in place to protect records against unauthorized addition, deletion, alteration, use, and concealment.
Authenticity: An authentic record is one that:
- Is what it claims to be.
- Is created or sent by the person purported to have done so.
- Is created or sent at the time indicated.
To ensure the authenticity of records, an organization should implement and document policies and procedures that control the creation, receipt, transmission, maintenance, and disposal of records.
A reliable record is one whose contents can be trusted as a full and accurate representation of transactions, activities or facts. To ensure reliability, records need to be created:
- At the time of the related transaction/incident or soon after.
- By individuals who have direct knowledge of the facts regarding the transaction.
- By instruments routinely used within the business to conduct the transaction.
The integrity of a record refers to its being complete and unaltered. Records need to be protected against unauthorized changes. In the event a record needs to be altered, policies and procedures need to specify the additions or annotations that may be made to a record after it is created. Only an authorized person should be allowed to handle the records while making alterations. In addition, it is important that any annotation, addition, or deletion should be explicitly indicated and traceable.
Further, to maintain integrity of records, the record system should include controls to enable access monitoring, user verification, authorized destruction and security to prevent unauthorized access, destruction, alteration, or removal of records.
A usable record is one that can be located, retrieved, presented and interpreted quickly. The record should be capable of being connected to the business activity or transaction that produced it.
While you will probably never have an audit of your Occupational Health and Safety Management System delving as deeply into Record Control as this information might indicate, I would suggest an opportunity for improvement based upon ISO 15489. Peruse the document to ensure that you have legal, secure and manageable records.