Many companies make backups of their electronic information and store operational data in electronic archives. However, few do this correctly or thoroughly and they are unaware of the resultant legal ramifications, says PAUL MULLON, information governance executive at Metrofile.
There is much South African legislation that requires companies not only to retain records, but also to preserve them in a responsible manner, with due care to their safety. If those records happen to be electronic, then due care means making proper backups and ensuring that they are correctly stored, protected and available.
This comes as a result of guidelines and of old and new legislation in South Africa. More specifically:
* The Close Corporations Act, number 69 of 1984.
* The Companies Act, number 61 of 1973.
* The Promotion of Access to Information Act.
* The Financial Intelligence Centre Act (FICA).
* The King II report on corporate governance.
* The right of access to records of public bodies.
* The Electronic Communications and Transactions Act (ECT).
* The Financial Advisory and Intermediary Services (FAIS) Act.
The Promotion of Access to Information Act contains a section detailing the right of access to records of public bodies. "A requester must be given access to a record of a public body if certain conditions are met.
If that information is held on a computer system, the Government department has a responsibility to ensure that the information is available, and this means that adequate steps must be taken to protect those systems."
Information stored on an unmarked backup tape or in an uncatalogued digital archive in a dark and chaotic basement will not be available.
Civil servants untrained in the mysterious art of record management will be hard pressed to deliver on government's policies. Mysterious is the correct word. There are few fully trained records managers available and they tend to be headhunted between firms and government departments.
By the same token, if backups are not performed, then the information might readily be lost instead of available. One system error or one power failure could lead to a staggering loss of information and data.
Perhaps backups are conducted regularly but tapes are stored in the server room right next to the systems whose information they contain, or transported off-site in car boots or on back seats to the IT manager's home where they are placed in a cupboard. Those are particularly unsafe practices and officials will frown upon those conducting themselves in that manner.
According to the Companies Act: "When it appears ... that any business of the company was or is being carried on recklessly ... the Court may ... declare that any person who was knowingly a party to the carrying on of the business in the manner aforesaid, shall be personally responsible".
Slightly more subtle, yet equally menacing, the National Archives and Records Services requirements spell it out for government departments:
"Governmental bodies should preserve and care for any item forming part of an electronic records system in such a manner as to ensure that they are not exposed to harm or unauthorised access and under such specific conditions as the National Archivist may prescribe".
It continues with general maintenance guidelines: "Backup the files and documents on disks often. This is the single most important action users can take to ensure that the information they need will be available. The central computer facility staff periodically performs systemwide backups. When users share a microcomputer, or have one on their desks, they must be encouraged to back up their files, preferably after every update. Keep a backup on the other side of a firewall or in an off-site location. Maintain preservation mastersets and store these in a separate location ..."
The guidelines continue and they spell out a number of important issues.
The general tenets remain the same for government and private commerce.
Ensure that the backups are performed according to a schedule. Ensure that the backups are successful. This is crucial. Very often the backups are done regularly but if they are never tested, and have failed, then the result is the same and the backup effort is wasted. Do not haphazardly transport and store backup media.
Failure to do so will result in:
* Loss of control.
* Lack of data protection.
* Lost data.
* Lack of adherence to corporate governance legislation.
* Business continuity being at risk.
* Backups being destroyed in the event of a disaster.
* Risk management spiralling out of control.
* Lack of environmental controls, which destroys information.
Companies that perform their own backup and storage seldom take care of all of these risks or develop infrastructure of the necessary calibre because it is too costly and not their area of expertise.