Significance of Policies
You may have heard of the word ‘policy’ so often that you might have forgotten what it really signifies. Before looking at document management policy issues, you should first understand the significance of policies.
Policies are guidelines for actions and responses. A policy guideline can help you take actions or decide on responses in many situations covered by the policy.
Naturally, good policies require some brain-storming. You have to think about the kind of situations likely to arise. Next, you have to consider the implications of different actions and responses under these situations.
You then formulate a policy guideline that’s most likely to lead to the outcomes you desire.
It’s the thinking, though, that precedes policy decisions, the careful consideration of likely situations and implications of different responses, which constitute the real significance of policy formulation.
Document Management Policies
In the case of document management, you think through the issues involved and the implications of different courses and come up with policies that promise the most desired outcomes.
Document management policies typically cover:
Access to Documents:
Documents invariably need to be protected from unauthorized eyes. For example, a soft drink company might not want anybody except a select few to access their product formula. In your business, you decide how sensitive each type of document is and then decide who should be granted access to that kind of document.
Permissions for Documents:
A person might be allowed to access a document, but might not be allowed to change or remove it. Permissions involve Read and Write permissions and only persons concerned with creating and maintaining a document should be given both of these kinds of permissions. Other persons authorized to access it should have only Read permissions. So you must decide which permissions each person accessing the document will be granted. You don’t want the payroll employee giving himself or herself a raise.
Retention of Documents:
A lot of ‘work-in-progress’ documents are created during particular operations. Most of these can be destroyed without any harm to the business. Policies are needed that clearly identify the documents that can be destroyed and the length of period after which destruction is permitted. Keeping unnecessary documents take up space and costs money, both of which can mount to significant quantities in the absence of document retention policies. Document retention policies should also specify how the documents should be destroyed. Just throwing sensitive documents into the waste paper basket is not a recommended course.
Implementing the Document Management Policies
In a non-computerized environment, exercising the above kinds of controls, except perhaps the one on retention and destruction, can be quite difficult. You might have to lock up sensitive documents to prevent unauthorized access, for example.
With the arrival of computers and networks, many of these tasks have become routine. Requiring the user to enter passwords before accessing a document controls access. The documents themselves could be stored in the deep recesses of a network, protected not only by passwords but also by firewalls and anti-virus software.
Persons accessing a document can be given different rights with respect to that document. Some might be given only read permission. Others could be given full permissions. It would then be possible to allow controlled access to all who need to work with that document.
One important right is the right to print a document. If anybody can print a document, unauthorized persons could print and take the printed copy out. That could pose a serious danger to the business if sensitive documents reach the hands of, say, your competitors.
In a computerized environment, the original document would still remain where it was and top management might not know about the information leak.
In a network, it’s possible to specify that documents can be printed only on secure printers that are accessible only to authorized persons. That way, one important avenue for losing confidential data can be blocked.
Yet another security measure that can be implemented under a computerized environment is to tag what each person does with a document. A history can be maintained to record the viewing and editing done on specific documents.
Document Policies for Confidentiality Requirements
There are legally mandated requirements that make formulation of document management policies (and their proper implementation) extremely important. You could face a huge compensation claim if certain kinds of data leak outside. Examples include health and financial data about your employees or customers.
The law requires you to maintain the confidentiality of any such data that comes to you in the course of business. There are also privacy laws that are becoming increasingly rigorous as the volume of e-mail spam increases.
In the absence of clear document management policies, you would find it almost impossible to comply with the law.
Document Management Need to be Audited
Merely laying down policies and then making some rules would not serve your purpose. You need to ensure that:
- The rules would really implement the policies, and
- The rules are being followed in practice
Arranging to generate appropriate performance reports and reviewing them periodically is a key component of the management exercise.
Auditing is also needed to show authorities that requirements mandated by law are indeed being followed and treated with respect.
Auditing can also reveal policy inadequacies and point to areas of weakness. Unless these are identified and highlighted, poor policies can continue in perpetuity.
Label the Documents
Identifying documents through labels is another important task of document management software. While labeling needs specific action in a non-computerized office, it’s automated to a great degree in a computerized environment.
Even this apparently small task would need clear policies if it’s to work effectively.