I received the honor of co-moderating the Pharmaceuticals Industry Roundtable at the 2016 ARMA Conference.
ARMA's industry roundtables are fantastic sessions as they allow records and information governance professionals to discuss topics relevant to their industry, see what others in their field are doing similar or differently, and bring these insights into practice when they return to work.
My co-moderator and I came up with several discussion topics in preparation for the session. However, we were pleased to see that the participation was so lively that we didn’t need to go to our prepared topics - most of which came up naturally in the discussion anyway!
Here are the four hottest topics discussed!
On one hand the cloud is important for collaboration across diverse business units and delivers big IT infrastructure savings. On the other hand the cloud can be viewed as a risky approach to gaining cost efficiencies by opening up the management of records and information to new security threats such as possible data breaches. The reality is that like most recent and emerging technologies, the risks may be bigger than ever but so are the gains.
There are risks to everything and ultimately, in the case of the cloud, the positives outweigh the negatives - resulting in mainstream adoption.
According to RightScale's 2015 State of the Cloud report, 88 percent of businesses are using public cloud technology and 63 percent are using private cloud. While it is clear that the cloud is here to stay, the associated risks must be assessed with an Information Governance lens so that they may be managed effectively.
There is not always a one-size-fits-all solution for companies when mitigating these risks.
Some business areas or functions will opt not to go into the cloud. In the Life Sciences this is often limited to a segment of R&D records, Patient Services and HR personnel records, which contain Personally Identifiable Information (PII). Still others may choose to build hybrid clouds, private clouds or maintain their existing managed service model.
Data privacy is often discussed in the context of cloud computing since cloud storage is one of the primary use cases at Life Sciences organizations.
It is also one of the higher risks since employees may store sensitive information, regardless of an organization’s policy or best practices.The EU-U.S. Privacy Shield has replaced Safe Harbor to provide global companies with a framework to comply with EU data protection requirements when transferring personal data from the European Union to the United States.
How and where you store data is more important than ever.
Global companies often store data in the countries with the most stringent privacy laws they work in to have their bases covered. However, the intentional movement of data and the potential for cloud service providers to unintentionally move data across geographic borders is everpresent. There must be global records and information management policies and a corresponding Records Retention Schedule in place for governance and assurance to compliance and the different laws worldwide.
Retention and preservation of any information, including those born digital, are based on business, legal, regulatory, and historical requirements. With the increased use of electronic records, digital preservation has become a key issue.
In the Pharmaceutical industry there has been a move to electronic lab notebooks.
While physical lab notebooks can sit in a dark, climate controlled, locked room and still be accessible in 30 years, electronic lab notebooks and other digital records have different preservation requirements. Electronic aArchiving helps organizations deal with digital preservation challenges such as file format obsolescence, ensure regulatory (FDA, European Medicines Agency, etc.) compliance, make inactive records easy to retrieve by authorized users, and reduce the time and cost of maintaining obsolete systems only for their data by extracting and archiving the information.
Application decommissioning can be used to streamline your information management approach and eliminate shadow IT and silos of information. The records and information from these systems should then be either migrated into a new active system, archived if it needs long term retention or is under a litigation hold, or disposed of if there are no business, legal, or regulatory requirements for keeping it.
Paper and Electronic Records & Information
Companies are often scared to dispose of any information, even when they have a records retention schedule, legal hold process, and destruction policy in place. This fear of non-compliance cripples companies from realizing the benefits of defensible disposition when the situation calls for it. Defensible disposition is the use of a consistent, documented policy and procedure driven process to identify, assess, gain business approval for, and then actually carry out a disposition action.
Disposition is not always destruction as it can also include transferring records with long-term or permanent preservation into a (physical or electronic) archive. When records are deleted or destroyed it must be done in a secure manner so that the records and information cannot be forensically restored. Beyond getting rid of records and information that do not require retention, defensible disposition can also be preventative maintenance for eDiscovery costs as data breaches as you can’t leak information that is no longer needed and has been destroyed.
Despite living in the world of smart phones, the cloud, and the Internet of Things (IoT), we still have a lot of paper.
Like electronic records, paper records are often waiting for a defensible deletion policy to be put in place in order for organizations to begin to meet retention requirements. Sometimes a roadblock to defensible disposition of physical records is getting finance to approve costs to destroy boxes. It can take a couple years to recoup the costs of destruction in storage savings and while the benefits and savings are clear long term the cost today needs to be justified. Defensible disposition applies both to physical and electronic records and is a key indicator for measuring an organization’s information governance and records management maturity level.