In 2017, I wrote an article about the problems with the Digital Continuity 2020 program, specifically its Business Systems Assessment Framework (BSAF) approach to achieving records compliance in business systems. The BSAF could never have worked, and ANAO has since found that the gains expected by the program will not be achieved by 2020 (or, possibly, at all).
The BSAF model says that agencies can address records control in their non-EDRMS systems in four possible ways:
1: Customisation (Build-in)
This approach is to modify your business system to include continuum-management controls. But most systems do not support this natively, using configuration – they would require customisation, which is not good practice (and is not even possible for hosted systems).
2: Integration (connect to EDRMS)
This approach is to join the business system to the EDRMS, and let the EDRMS manage the record. However this approach also introduces cascading technical risk by making systems (of which we have dozens to manage) interdependent with the EDRMS technology. This can prevent upgrades and patching, and affect supportability and security.
3: External (export to EDRMS)
This approach is to copy/move records from the business system to the EDRMS. But this is not a compliant continuum approach – it only captures the record at a point in time; removes it from its context or duplicates it (doubling the threat surface and halving discoverability); and only works for simple formats (documents, emails etc), not structured data.
4: External (governance)
This approach is to manage sentencing and disposition manually – but this is not feasible at the scale we are working with. We have a huge amount of data, growing all the time, subject to dozens of different retention and regulatory requirements. Human beings cannot manually control this mass of data and overlaying rules without the support of technology.
For DC2020, and its successors, to ever be successful, a radically different approach to controlling business records needs to be used.