New media and regulatory compliance

Written by David Tebbutt in November 2005

In all the breathless talk about new media, and I'm as guilty as anyone, little mention is made of regulatory and legal compliance. If wikis are used by a closed community of practice or blogs made inaccessible to all but the cognoscenti, does this mean that they can discuss whatever they like?

Suppose a company needs to restructure. Would it be wise to allow HR managers in different locations to share their views through a wiki? If a researcher made some fantastic, and potentially very profitable, discovery, should they discuss it with colleagues in instant messaging conversations? And if a team blogger wanted to pass comments on the behaviour of a particular member of the night shift, would that be okay?

You might think that belonging to closed groups protects you and your scribblings. You're not, after all, part of the formal records management system of the organisation. Don't you believe it. The trouble is that regulators, law enforcers or, if you're a public body, anyone off the street can demand a copy of your supposedly confidential exchanges.

This may not happen unless your organisation falls foul of some law or regulation. The trouble is that the falling foul usually happens much later and the authorities can then demand to see the historic records.

In a conventional records management system, retention schedules ensure that electronic material has a life cycle, including disposal. In a blog, this is just about unheard of. Part of its value is that the material is rarely deleted, in order to protect the integrity of inbound links.

A wiki could conceivably be destroyed, once the outcome has been published to the formal system, but then huge amounts of potentially useful information could be jettisoned. Instant messages are less of a problem: they could either not be recorded or older messages could be purged. But Butler Group's knowledge management specialist, Mike Davis, advocates keeping the history files for the valuable information they contain. Like wikis, they form part of the corporate memory.

The truth is that no electronic system provides the secure equivalent of a landline telephone conversation or, even better, a face-to-face chat. Once captured, digital communications are potentially evidence. Yet how many participants are conscious of this?

New media doesn't mean new laws. Rachel Burnett, who runs a law firm which specialises in IT cases, advises a practical approach. She recommends briefing staff on the implications of their choice of words and subject matter. She suggests that if sensitive or confidential information is being shared, it be done under a clear agreement between the sharing parties that it must not go any further.

Personal information should be shared with due regard to the Data Protection Act. The Freedom of Information Act gives reasonable rights of access to information held by public bodies. Many of the anti-terrorism laws are untested, but they provide security forces with wide-ranging powers to seize electronic information, including log files which reveal who is communicating with whom.

Of course, company secrets can be protected from competitors but, as the BBC's Euan Semple says, "Any information in these systems is just a copy and paste away."

It is very tempting to set up these new media systems at arm's length from corporate and IT control. Apart from anything else, they can probably be introduced far more quickly. But you cannot escape your wider responsibilities. Arm's length you may be, but your stored information, whether internal or hosted, still belongs to the organisation. And, as such, you need to create appropriate codes of practice and ensure the buy-in of all participants.