16 July 2015

Article on Document-Level Redaction of Electronic Documents

On June 30, KM World published online an article I wrote on Document-Level Redaction of Electronic Documents.  While this is not everyone's cup of tea, it is an important tool for many RIMmers.  [As it has fallen out of use a bit, I remind my gentle readers that RIM is an acronym for Records & Information Management.]

The article can be found at http://bit.ly/1JkeChc.

As always, your comments are valued.

Thanks for reading.

13 July 2015

The Most Dangerous Case of Over-Retention


Today the United States Office of Personnel Management revealed that its data breach affected tens of millions of individuals.  The OPM’s Director resigned.

The stolen data included personal information about:
  • Current government workers
  • Former government workers
  • Relatives and associates of current and former government workers

The OPM had information about the last group because they investigated people close to government workers who requested security clearances.  Such investigations seem reasonable because interpersonal relationships can be more compelling than patriotism.  If a government worker is going to be trusted with state secrets, it seems worthwhile to inquire whether s/he has close ties to people who support our enemies.

The legitimacy of collecting this Personally Identifiable Information (PII) – including Social Security numbers – is not the question here.  The question is:  How long should the PII have been retained?

According to media reports, the oldest of the stolen data is decades old.  Had it passed its usefulness?  Was there any reason to keep it?  Was there a Records Retention Schedule at the OPM?  Was data disposal ever practiced?

Unknown millions of Americans are now vulnerable.  Here’s a personal example:  In 1979 and 1980, my wife worked for the U.S. Census.  The position ended in June of 1980, and she has not worked for the public sector since that time.  Fast forward 35 years, and we are told that nefarious hackers may have her Social Security number, birth date, and other PII.

It is beyond my ken to imagine a reason the OPM should have retained my wife’s data.  It could not currently serve a legal, regulatory, operational or historical purpose.  Just the opposite: for decades, the unneeded PII has needlessly used tax dollars to pay for storage, slowed searches, loaded servers, and more.  The breach will entail tens of millions of notifications, credit monitoring, loss compensation, and more.  What a waste!  It reminds me of my friend’s comment when we noticed five DOT workers watching a guy with a shovel fill a pothole: “Your tax dollars at work.”

I don’t say this to disparage government workers.  I can personally attest that most are hard-working, dedicated, and honest folk who give more than they get.

The OPM’s practice of records management gets a much lower grade.  Surely there will be investigations that try to assign blame, fix fallacies, and improve bad practices.

I suggest that the improvements start with a revised Records Retention Schedule and an emphatically enforced records disposal program.