Records management is challenging even with just the normal types of documents and records most organizations generate. Add in records that contain information that must be protected – because they contain protected personal information, trade or state secrets, or other confidential content – and the task of records management can become much more complicated. Here’s what records managers need to be thinking about when it comes to private, confidential, classified, and top-secret records.
Develop Clear Policies Around Confidential Information
Clear policies and procedures should be established to address the various stages of the protected record’s lifecycle. They should explain the staff’s responsibilities when it comes to handling the documents and provide details about the prompt reporting of any unauthorized access or use of the information. Every step – from initial creation to final disposition – should be planned out to avoid unforeseen risks.
Confidential Files Must Be Identified and Labeled as Such
Clearly identifying and labeling content according to its security and privacy requirements can help prevent unauthorized access and use of the documents. For guidance on how to classify records that contain protected information, read “Standards for Security Categorization of Federal Information and Information Systems” from the National Institute of Standards and Technology. The National Archives and Records Administration also has guidance on controlling unclassified information, i.e., preventing inappropriate access to or disclosure of records whose contents fall short of being formally classified.
Secure the Confidential Records
- Physical security: Confidential or sensitive files should be stored in secure and locked cabinets for their entire life cycle in areas that cannot be accessed by unauthorized individuals.
- Electronic security: Records that contain sensitive information in electronic format should be protected with a password so only authorized individuals can access them. When not in use, the computer or cloud environment should be encrypted and secured against any unauthorized off-site or on-site access. Ideally, the records management technology used should also track if, when, and how these records are accessed.
Destroy Confidential Information Completely
In many cases, it is not enough just to delete or trash confidential or classified records, because the information they contain may still be retrievable. Instead, after the retention period has been completed, ensure that all copies, including unredacted and redacted versions, are completely destroyed. For physical files, that means shredding; for electronic files, that means physically overwriting their storage locations with random characters multiple times.
Train Staff
Last – but certainly not least – make sure staff are adequately trained on who is authorized to access different kinds of files, under what circumstances, and how they should handle these records. Staff members who are knowledgeable about protecting sensitive information are often the best defense against problems.
About PSL
PSL is a global outsource provider whose mission is to provide solutions that facilitate the movement of business-critical information between and among government agencies, business enterprises, and their partners. For more information, please visit or email info@penielsolutions.com.