Information Integrity through Systems: Building Audit Trails
This blog is a part of a series of posts on the importance of information integrity. Click here to read the introductory post.
The previous post in this series looked at capturing and publishing data with metadata, but government data is primarily created or captured for government use. Before its (possible) release as open data, government data is used, moved around and potentially changed. This all needs to be documented if the information is to be trusted.
Again, this relies on metadata. As it accumulates around data, metadata builds up audit trails that let us see who has done what with the data. The combination of data (content) and metadata (context) constitutes a record.
Kenya has made some ambitious commitments on managing records. Its current National Action Plan (2016-2018) makes a commitment to ‘enhance right to information by strengthening records management and access to information’. The commitment states:
Trustworthy and accessible government records are the basis for demonstrating transparency and accountability through Open Data and Access to Information and allowing the public to make an informed contribution to the governance process. In the digital environment, records are highly vulnerable and must be managed to ensure that they remain accurate, reliable, accessible and usable for as long as required to provide the basis for open government.
The commitment recognises the power of records (data + metadata). It sets out a number of actions for strengthening records management in government, including reviewing laws, developing policies and procedures and engaging with citizens on their information needs.
Crucially, it aspires to build the government’s technical capacity to manage records. The commitment includes a milestone to develop minimum technical requirements for digital records management systems.
But what does this actually mean? What constitutes a system that can adequately manage information so that its evidential value is established and maintained? There’s a body of technical knowledge that has built up around these questions.
Standard sets of requirements for digital records management systems have a surprisingly long history: the first version of Norway’s NOARK standard appeared in 1984. The first English language standard was Canada’s RDIM [1] (1996), and for many years, the best known and most widely used, internationally, was the US Department of Defense standard, first published in 1997. [2] In 2001, the European Commission-funded MoReq standard marked a shift towards transnational approaches to standard setting in this area. [3] The standard was intended to be applicable in different countries and industries, and it has informed the development of similar national standards, particularly in Europe.
In 2008, the International Council on Archives (ICA) published a more generic set of requirements, for international use: the Principles and Functional Requirements for Records in Electronic Environments (known as ICA-Req). In 2010, ICA-Req was adopted by the International Standards Organisation as ISO 16175.
What’s particularly noteworthy about ICA-Req is that it doesn’t expect organisations to develop stand-alone records management systems. Its Module 3 sets out requirements for records management in ‘business systems’, in other words, any system an organisation might be using to do its core business, such as a land management system, a patient care system, or a payroll system. This has benefits in terms of system procurement and licensing costs and system uptake.
When systems comply with standards like ICA-Req, digital records are captured, managed and preserved; data and metadata are indelibly linked over time. All the events in the life of the record can be seen, which makes them, the processes that created them and the people who handled them, auditable. The implications for open government are obvious.
The Government of Kenya will be able to use ICA-Req and similar standards to formulate its technical requirements, but the real challenge may be in the ‘soft’ aspects of change management and capacity building – negotiating new lines of communication, collaborating across hierarchies and changing culture. The National Archives has been given the job of developing the requirements, but once that work is done, the challenge becomes getting the requirements embedded, which is something the National Archives can’t do alone. This means close liaison with the ICT Authority, finding mechanisms for ensuring compliance during system procurement across government, dealing with legacy systems and developing infrastructure.
It’s essential that the National Archives is involved in all the relevant conversations. The same is true in other countries – whichever agency is leading on government records management needs to be brought into conversations around open government, systems procurement and digital development. Records management technical know-how can then unlock the evidential potential of data, which is a requirement for real accountability.