Data Integrity for Record Management

Last night speaking at the DFW Audit SIG one of the topics I wished I had gone a little deeper on were controls, and how to gauge their strength.

As I am preparing to interview candidates for a records management position, I thought I would flesh out controls specific to the storage of and access to completed or archived paper records, such as forms, as an example.

These controls are applied at the record or system level and are meant to prevent a potential data integrity issue from occurring.

Generation and Reconciliation of Documents

 Data Criticality
 HighMediumLow
Unique identifierFor each recordNoNo
Who performs controlled issuanceIndividuals authorized by quality unit from designated unit (limited, centralized)Individuals authorized by quality unit from (limited, decentralized)Anyone (unlimited, decrentalized), often user of record
ReconciliationFull reconciliation of record and pages based on unique identifierFull reconciliation of records and pages based on quantity issuedNo reconciliation
Controlled printYesYesNo
Bulk printingNoYes, by controlled processYes
Destruction of blank formsPerformed by issuing unit, quality oversight required (High level of evidence)Performed by the operating or issuing unit, quality unit oversight requiredPerformed by the individual, quality unit oversight required (periodic walk throughs, self-inspections and audits)

Storage and Access to completed and archived paper records

 Data Criticality
 HighMediumLow
Where StoredClimate-controlled roomClimate-controlled roomOffice retention location
How Removed & ReturnedLimited conditions for removal (e.g. regulatory inspections) method of recording the removal and return of the record(e.g. archive management system, logbook). Most use of documents either in controlled reading area or by scans.Method of recording the removal and return of the record(e.g., archive management system, logbook).Method (e.g. logbook) recording of documents checked-in/checked-out
Access ControlCard key access with entry and exit documented.Card key access with entry and exit documented.Limited key access
Periodic User Access ReviewAnnuallyAnnuallyEvery 2 years

There are also the need to consider controls for paper to electronic, electronic to paper and my favorite beast, the true copy.

For paper records a true copy of a picture of the original that keeps everything – a scan. The regulations state that you can get rid of the paper if you have a true copy. Many things called a true copy are probably not a true copy, to ensure an accurate true copy add two more controls.

 Data Criticality
 HighMediumLow
Review requirementsDocumented review by second person from the quality unit for legibility, accuracy, and completenessDocumented review by second person (not necessarily from the quality unit) for legibility, accuracy, and completenessDocumented verification by person performing the scan for legibility, accuracy, and completeness
Discard of original allowedYes, as defined by quality unit oversight, unless there is a seal, watermark, or other identifier that can’t be accurately reproduced electronically.Yes, performed by the operating unit, unless there is a seal, watermark, or other identifier that can’t be accurately reproduced electronically. Quality unit oversight requiredYes, individual can discard original Quality unit oversight required

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.