A new age of records retention: good policy more than worth the effort
Earlier this year, I wrote about proposed new legal requirements with respect to the destruction of records. Those amendments (An act to amend the Personal Information Protection and Electronic Documents Act (Bill C-29)) died with the 40th Parliament, but organizations should still make sure they understand their obligations with respect to destroying documents.
Now the other side of the coin—retaining documents—which is equally important and perhaps equally difficult to navigate.
There are a number of potentially troublesome issues associated with retaining records. For example: there are storage and privacy concerns; organizations must ensure they keep records secure in accordance with relevant privacy laws. At the same time, organizations might not have considered the self-incriminating information that records might hold, and they will want to ensure they don't keep potentially incriminating records any longer than the law requires.
Not that I think our readers are up to no good! But when it comes to audits, organizations are likely better off providing the least amount of information they are legally required to, rather than all of the information they have in their possession covering the audit period. That means implementing a records management policy—and making sure to follow the policy.
A policy will help you understand which documents and information you need to keep and for how long, and which you can destroy. A policy will also force you to manage your electronic documents: Can you account for every copy of a document? Do you erase files securely, so that no trace of them remains, even to special data recovery software? Are your documents stored securely, so that no unauthorized persons can access them?
Find a detailed outline of the issues and obligations in policy 3.06 – Records management and retention of Finance and Accounting PolicyPro, Volume II — Corporate Governance. Policy 1.11 – Confidentiality and privacy is relevant. Information Technology PolicyPro also offers commentary and sample policies on data security.
<< Top of Page
What has the Institute of Corporate Directors done for you lately?
Corporate board members across the country, I know what you've been thinking: "Just what is the Institute of Corporate Directors up to these days? And what has the institute got to say about the issues of the day?"
Well, wonder no more. Maybe you didn't know the institute existed, but it does, and you can get a peek at its updates on the web here. Pertinent issues include "say on pay", mental health and the financial crisis and recovery.
A key feature of the institute's website is the links to "governance principles and practices of top-ranked Canadian companies, not-for-profit organizations, and public sector agencies, boards and commissions". Find out how other organizations set their mandates on governance guidelines, roles and responsibilities, management relations and board committees.
<< Top of Page
Need to know: privacy commissioner's report on pressing online privacy issues
In 2010, the Office of the Privacy Commissioner of Canada conducted consultations on current privacy issues, including online tracking, profiling, targeting and cloud computing. The office released its report on the consultations earlier this year, and it's available online. (I recommend the PDF version. It's got illustrations!)
The report is valuable enough for its descriptions of the issues and how they affect individuals and businesses. One of the major concerns is whether Canada's existing privacy law framework is sufficiently robust to protect citizens from online threats. Some experts believe it is; others do not. At any rate, the office of the privacy commissioner has proposed several actions to reduce the risks associated with online tracking, profiling, targeting and cloud computing:
- Monitoring and funding research developments on the implications of changing perceptions of public and private spaces (as well as the challenges of maintaining a professional and personal presence online)
- Conducting public opinion research on Canadians' perceptions of the public-private divide
- Conducting outreach activities, including developing best practices for organizations to support people's capacity to be as private or as public as they want
- Continuing public education efforts
- Working with Industry Canada to consider how best to integrate privacy by design principles and privacy impact assessments into private sector practices
- Monitoring and drawing on the work of international privacy organizations that are working on similar issues
- Focusing online privacy activities on adult Canadians who may be newer users in the online environment
- Continuing dialogue with the technical community on how to build the principles contained in PIPEDA into both user interfaces and underlying technologies
- Continuing to reach out to youth and seeking innovative and creative ways of doing so
And much more besides.
If you are concerned about expanding your operations to include more online activity, if you're looking for information about privacy law and how your current practices stand up, or if you're just looking for a primer on these pertinent issues, read the privacy commissioner's report. It's short and written for you.
When you're done, consider the First Reference best practice guide, Protecting employee and customer privacy, which contains the most crucial information Canadian companies in the private sector must have to understand the "why", "what" and "how" of Canadian privacy legislation. The guide is aimed primarily at providing information on privacy issues related to the employment relationship, however, it also helps organizations deal with customer privacy. In addition, there is information about common privacy issues such as record keeping, access to information, video surveillance, breach of privacy, medical information, social networking, etc.
<< Top of Page
Government anti-spam website offers tips for businesses, organizations and individuals awaiting regulations
The federal government has introduced a website dedicated to its new anti-spam law, the Electronic Commerce Protection Act, which we last covered in June. The website, Fightspam.gc.ca, describes the provisions of the law and its purposes, and outlines how organizations and individuals can make sure they abide by the law and protect themselves from spam and other electronic threats.
In case you haven't been paying attention, the law prohibits:
- Sending commercial electronic messages without the recipient's consent, including messages to email addresses and social networking accounts, and text messages to cellphones
- Altering transmission data in an electronic message, which results in the message being delivered to a different destination without express consent
- Installing computer programs without the express consent of the owner of the computer system or its agent, such as an authorized employee
- Using false or misleading representations online in the promotion of products or services
- Collecting personal information through accessing a computer system in violation of federal law (e.g., the Criminal Code of Canada)
- Collecting electronic addresses by the use of computer programs or the use of such addresses, without permission (address harvesting)
Since the regulations exist only in draft form at the moment, the website doesn't offer a clear path to compliance. That said, the site does contain useful information, including a set of answers to frequently asked questions, such as "Who needs to know about this law?" and "What is a commercial electronic message?". Definitely worth a look.
Organizations can still comment on the draft regulations until September 7. And the government has announced that it expects the Act to come into force in early 2012.
<< Top of Page
Modern quality management, part five
By Ron Richard, College of the North Atlantic
Continuing with our series on modern quality management, here are a few more suggestions.
Know your organization's most important ratio to systematically increase
Drawing on the work of Jim Collins, know your organization's single greatest economic denominator and the plan for how to develop a sustainable engine to deliver superior performance. Collins's Good to Great Diagnostic Tool asks organizations to determine how well they measure up against the following statement:
We understand what best drives our economic or resource engine. If we are a for-profit business, we have identified our one economic denominator—profit per X—that has the most significant impact on our economics. If we are a social sector organization, we know how best to improve our total resource engine, so that we can spend less time worrying about money and more time fulfilling our mission.
With this knowledge, align your quality management activities.
Ensure requirements traceability, constraint management and team synergy
In accordance with Stephen R. Covey's Seven Habits of Highly Effective People, begin with the end in mind and tightly manage scope and other constraints (e.g., budget and schedule) from the start and throughout. At the first opportunity or meeting, inform the team that the project will include mechanisms to ensure requirements traceability and manage constraints. At this same first opportunity to communicate with the team, set the tone so everyone knows the importance of effective listening and that you will be looking for input in order to understand the perspectives of others before finalizing the charter. This is also the time to convey any other important messages that will help synergize the team and have everyone thinking and acting from win-win perspectives where possible.
Note: these suggestions can apply whether your organization applies the triple or quadruple constraint of project management. In either case, quality must increasingly become built-in and pervasive, including in relation to people, processes and so on (e.g., products, albeit the technology used and created).
As a further example, drawing on Kathy Schwalbe's Information Technology Project Management:
Although the triple constraint describes how the basic elements of a project—scope, time, and cost—interrelate, other elements can also play significant roles. Quality is often a key factor in projects, as is customer or sponsor satisfaction. Some people, in fact, refer to the quadruple constraint of project management, which includes quality as well as scope, time, and cost. Others believe that quality considerations, including customer satisfaction, must be inherent in setting the scope, time and cost goals of a project.
Empower teams to self-manage
Projects should still have oversight and coordination mechanisms, but all team members should sincerely know that they are valued and expected to be flexible as well as responsible and accountable for items assigned to them. Projects, although we attempt to plan for them and manage related risk, always contain a degree of uncertainty. While typically the unknown or degree of uncertainty may be considered higher in the early stages, and ideally progressively lower as a project moves ever closer to completion, it is good practice (whether utilizing agile methods or other) if team members are flexible and remain prepared for uncertainty.
In any case, it is good practice to empower everyone to help ensure success, such as by contributing to or helping with planning, monitoring and managing toward achieving the project goals and objectives. Try using a structured process, establishing a shared understanding, using proven techniques, using data whenever and wherever possible, making realistic plans and commitments, focusing on quality, regarding design as a fundamental element of quality work, and practicing self-management. These strategies are recommended by the Team Software Process (TSP) Body of Knowledge, a companion to the Personal Software Process (PSP) Body of Knowledge. Both are products of the Software Engineering Institute which complement the IEEE Computer Society's Software Engineering Body of Knowledge and help delineate key skills and concepts that compose related knowledge areas and competencies. The notion of self-management is powerful and therefore exceptionally valuable when it comes to IT project teams.
Encourage continual learning
It is important to encourage continual learning and staying current as IT can be challenging, and as today's IT world is in the process of enabling every resource to provide intrinsic and pervasive quality and value.
The IT industry today is supported by various process and organizational manuals, such as Information Technology PolicyPro (ITPP), CobiT, ITIL, CMMI, PMBOK, ISO standards, and other best practices, tools and techniques. IT project managers and team members can use these resources as part of their continual learning to improve results and to please more stakeholders. These resources also provide IT project managers and team members with better inputs, thereby enabling the potential of increasingly better usage of expert judgment, self-management and virtual teams.
Propel continual improvement
To propel continual improvement, and really make quality and value increasingly intrinsic and pervasive, it is important to strive to have all become part of the solution. This is so important that I made it Principle 1 of Inherent Quality Management Principles. It is also likely the reason the first of W. Edwards Deming's 14 Points for Management say to create constancy of purpose for improvement of product and service; the first of Joseph Juran's 10 steps to quality improvement says to build awareness of the need and opportunity for improvement; and the first of Philip Crosby's 14 steps for quality improvement says to make it clear that management is committed to quality.
We're going to give you a break now to digest, review and, if you like, implement, the previous quality management suggestions we've featured in this series. Please don't hesitate to send any questions you have to firstname.lastname@example.org.
Part one, April 2011
Part two, May 2011
Part three, June 2011
Part four, July 2011
Stay tuned for more how-to modern quality management suggestions in a future edition of Inside Internal Control.
Special thanks to Roger Hulan (Communication Specialist, College of the North Atlantic) for help producing the article series.
<< Top of Page
Charities and compliance agreements: know what you're signing!
Charities know they've got strict rules to follow, and they know there are stiff penalties for non-compliance. They should also know that the Charities Directorate and the Canada Revenue Agency will work with organizations to help them maintain their charitable status, if necessary through a compliance agreement which both the CRA and the charity accept. Such an agreement "identifies the problems, the steps the charity will take to bring itself into compliance, and the potential consequences to the charity of not abiding by the agreement."
However, the CRA may see a compliance agreement as a last chance, and penalties for non-compliance can be severe. Charities lawyer Adam Aptowitzer writes:
According to the guidelines which attempt to make sure the punishment fits the crime, compliance agreements fall somewhere between a "slap on the wrist" and jail time.
Often, the alternative to signing a compliance agreement is revocation of the charity's status, and so signing the agreement, if offered, is generally a foregone conclusion.
Aptowitzer notes that the CRA has even used non-compliance with an agreement as a reason not to renew a charity's status.
So, know that if you have trouble managing your charity, you have options, but those options aren't an excuse to continue to avoid your duties. You should also know that the CRA is keeping an increasingly close eye on charities.
<< Top of Page
Charities take note
Here's a list of changes that affect registered charities and other qualified groups that accept gifts in the federal government's 2011 budget.
I wrote about what the budget will mean for business in June. At that time, Adam Aptowitzer provided a detailed look at how the budget would affect charities.
<< Top of Page
BC HST referendum update
British Columbians, hold onto your hats! The results of your referendum on the harmonized sales tax will be announced TODAY (Friday). Canadians across the country will be keeping an eye on this one, and you can be sure that plenty of pixels will be devoted to the results over the weekend and beyond. Which side made the better arguments? Will populism prevail? Will BCers sink the status quo? Will British Columbia's economy falter in the event of yes or no? WHAT WILL HAPPEN?
Once the last vote is counted, you'll be able to see the final results here, including rundowns by district, so you'll know where to lay the blame. Just kidding; everyone knows it's the politicians who deserve the blame. At any rate, the wait will soon be over, and then life will go on, yes or no.
<< Top of Page
In case you didn't know, Finance and Accounting PolicyPro (FAPP) is no longer just two volumes (I — Finance, and II — Corporate Governance); it has an equally valuable and hard-working third volume called Operations and Marketing PolicyPro (OMPP), covering such important issues as Design and development, Sales and marketing, Storage and delivery, Manufacturing, Environmental management, Service, and Document and data control. OMPP is only available in the electronic version of FAPP, so if you haven't installed it yet, now might be a good time to do so.
Chapter 5 — Environmental management of OMPP has been fully updated in the upcoming release of FAPP. The chapter covers the important topics of Environmental protection, Hazardous material management, Recycling, Energy conservation, Sustainability and Emissions trading.
Information Technology PolicyPro has also been updated. Chapter 13 — User responsibilities has been refreshed. Chapter 13 is a treasure trove of information on System access and acceptable use, Data access and protection, Passwords, Email acceptable use, Internet access and acceptable use, Portable computers, Remote access and more.
<< Top of Page
About Inside Internal Control
Editor: Adam Gorley
Please do not reply to this email.
Inside Internal Control is a complimentary service published by First Reference Inc. and is sent to you monthly. Each issue provides headlines and summaries of news that affects internal controls and policies in Canada.
Please forward Inside Internal Control to your colleagues.
This publication is written for informational purposes only and should NOT be relied upon as legal advice or opinions. The reader should always obtain legal advice from a qualified lawyer or other qualified professional, which will be responsive to the case or circumstance of the individual. Please note that the content provided in this Bulletin or any content contained in or made available through any third party website linked to from this newsletter, is provided "as is" without representations or warranties of any kind. All representations and warranties in respect of content or third party content, express or implied, including, without limitation any representations to warranties or conditions regarding accuracy, timeliness, completeness, non-infringement, merchantability or fitness for any particular purpose are hereby disclaimed.
If you no longer wish to receive this newsletter, you may unsubscribe here.
Inside Internal Control ISSN: 1916-4866
Copyright ©2008–2011 First Reference Inc. All rights reserved.