constructing the meaning of document retention: a ...

CONSTRUCTING THE MEANING OF DOCUMENT RETENTION: A POLICY RESEARCH AGENDA Susan P. Williams Information Policy & Practice Research Group School of Business The University of Sydney, Sydney, NSW 2006, Australia [email protected]

Catherine A. Hardy Information Policy & Practice Research Group School of Business The University of Sydney, Sydney, NSW 2006, Australia [email protected]

ABSTRACT Inadequate document retention and destruction (DR) practices expose organisations to a range of business risks. However, recent legal proceedings arising from high profile corporate collapses and business continuity concerns following natural and man-made disasters have highlighted that although DR is seen a crucial aspect of good corporate governance many organisations have inadequate or unenforceable DR policies and practices. The volume and types of documents being created by organisations, increased use of information technologies for the creation, storage and retrieval of documents and the changing legal and regulatory environments create considerable complexity and uncertainty about how to design effective DR policies and practices. This presents a significant challenge for organisations in both the private and public sectors and to date limited research has been directed at how organisations implement DR practices and construct DR policies. However before theory, policy and practice can be advanced there is a need for research to illuminate common and conflicting interests, challenges, concepts and theoretical explanations as a means of providing a more interdisciplinary and integrative view of document retention. KEYWORDS Document retention, information policy, sociotechnical change

1. INTRODUCTION Inadequate document retention and destruction (DR) policies and practices expose an organisation to a range of business risks incorporating: Continuity risk—that is the risk associated with the availability of information and its backup and recovery; Compliance risk—that is the risk of not complying with relevant laws and regulations; Auditability risk—that is the risk of not being able to verify and obtain assurance about the integrity of information due to incomplete documentation; Reputation risk—that is the reputational damage arising from accidental (concerns of competency) or deliberate (concerns of fraud) destruction of documents; and Loss of Intellectual Property—that is loss of rights in literary and artistic creations or the loss of such proprietary information itself.

405

The effective retention of business documents is not a new phenomenon (see for e.g. Fedders & Guttenplan 1980) but one that has received heightened visibility in recent years due to: the increased volume and types of documents being created by organisations concomitant with the increased use of information and telecommunication technologies (ICTs) (Eloff et al. 1996; Lyman & Varian 2003); the loss of business documents and the significant disruption to businesses caused by recent natural and man-made disasters (Herbane et al. 2004); and the current legal climate following high profile corporate frauds which revealed, amongst other things, inadequate DR practices (Freeman 2005). This presents a significant challenge for organisations in both the private and public sectors as DR is a complex phenomenon comprising multiple stakeholders and overlapping, often-conflicting definitions and imperatives shaped by different disciplines and business domains. Before theory, policy and practice can be advanced there is a need for research to illuminate common and conflicting interests, challenges, concepts and theoretical explanations as a means of providing a more integrative view of DR. Therefore the purpose of this paper is to contribute to the redefinition of theoretical imperatives and the advancement of knowledge about DR policy and practice by: − −

offering an interdisciplinary understanding of the phenomenon of DR and identify synergies between different streams of DR research; and proposing a theoretical framework that will provide a more holistic understanding of the DR phenomenon and its governance across different disciplines and in environments of sociotechnical change serving as a basis for future empirical research.

The paper is structured as follows. Section 2 provides a review of the DR literature, drawing out the different professional and disciplinary imperatives. These highlight the fragmented nature of the current discourse about the DR phenomenon and draw attention to the limited research into the construction of DR policies and the implementation of DR practices. Section 3 presents the imperatives for a more holistic and interdisciplinary programme of DR research and Section 4 provides a theoretical and analytical framework to guide future research into the construction and implementation of DR policies and practices. Section 5 provides a summary of the contribution of this work and outlines the future research programme.

2. THE DOCUMENT RETENTION IMPERATIVE Documents underpin business processes, at strategic and operational levels, providing a medium through which information is exchanged within and between organisations (Eloff et al. 1996). Hence information for and about organisations is contained in documents that serve as a means of institutional memory, informing future decisions, or as evidence of past activities for regulatory purposes (Montana 1999, p. 57). However a recent survey based on over 2100 respondents reveals that DR practices in organisations are deficient. Further, the majority of organisations surveyed are “not adequately prepared to meet many of their current or future compliance and legal responsibilities” (Williams & Ashley 2005). A review of the literature reveals DR as a concern for a range of professional and disciplinary areas. Common to each of these areas are the following five imperatives.

2.1 The volume and multifaceted nature of business documents Organisations have vast quantities of paper and digital documents (Ingram 2004, pp. 5-6) that may exist in a highly structured form (e.g. information contained in contracts or financial statements) or more loosely structured (e.g. emails, memos, minutes of meetings and notes) (Eloff et al. 1996, p. 56). Email, for example, generates about 400,000 terabytes of new information each year worldwide (Lyman & Varian 2003). Further complexity arises as such documents may represent evidence of a commercial activity or simply correspondence, a draft version or a final publishable product with varying levels of importance and relevance to the organisation. The volume and forms of documents being generated raises questions for organisations in terms of what documents need to be retained in ensuring effective business processes, business continuity and meeting regulatory requirements (discussed below). Ingram (2004, p.4) highlighted such complexity in his statement that:

406

“[t]here are at least 40 major types of documents in a corporation that have widely varying retention periods. Some of these retention periods can be as little as 90 days for internal correspondence or as long as 30 years for something such as an EEOC claim, action, or evidence. As a practical matter, there are probably more than 100 different types of documents that need to be formally retained and then destroyed.”

2.2 Information systems: Governance, security and technologies Technology makes it possible for businesses to retain vast numbers of business documents and the nature and range of systems used to store and manage documents is increasing. According to Jameson (2004, p47) coordinating the retention and destruction of documents “can be burdensome at best and unmanageable at worst when such documents exist on multiple computers or storage devices that are subject to the control of numerous different users. This problem is exacerbated by the fact that different versions of the same document may be created without the users’ knowledge.” Concomitant with this technical complexity of storage are an increasing number of service providers creating challenges for managers in exercising proper governance and appropriately protecting information (IT Governance Institute 2005). Parallel to the issue of storage is the availability and security of documents. The risk that information may be lost (availability) or sensitive information is accessed without appropriate authority (security) was ranked as the two highest priorities in a survey of 200 senior IT professionals conducted by the IT Governance Institute (ibid, p.9). It has been increasingly recognised that to effectively manage these information risks requires attention at a governance level and considered in a wider business context (ibid, p.11). Therefore, there has been an increasing interest in and adoption of best practices and standards such as AS/NZS 17799:2001 Information technology - Code of information security management. A key objective of this standard is, amongst other things, the availability of information when required by authorized users (AS/NZS 17799:2001, p.10), which in turn is a critical issue for DR requiring an integrated, enterprise wide and potentially inter-organisational response. For example, Section 8.4.1 of AS/NZS 17799:2001 requires that “back-up copies of essential business information … be taken regularly … [and] tested to ensure that they meet requirements of business continuity plans.” In addition retention periods for “essential business information … should be determined,” which may involve multiple parties, and different national laws and regulations (p.25). Further, security technologies themselves may generate huge volumes of intelligence relating to security breaches. Such information may be accidentally or deliberately destroyed before the “seriousness of the incident is realized” compromising the quality, completeness and admissibility of evidence in any legal action (AS/NZS 17799: 2001, p.77) without appropriate policies and procedures.

2.3 Business Continuity Loss of documents as a consequence of natural and man-made disasters can cause significant disruption to businesses (Herbane et al. 2004). For example, widespread loss of documents following Hurricane Katrina meant many organisations (particularly small businesses) were without vital records. In addition, nearly one million citizens were without medical records making treatment of the sick and injured difficult (Jarret, 2005). Hence critical to business continuity is the information and data (hardcopy and electronic) related to core business processes and the business continuity plan itself in the event of a business interruption or disaster (Zawada & Schwartz 2003; HB 221:2004; Muthukrishnan 2005).

2.4 Legal Requirements There are legal requirements for DR that include compliance with: statutes (e.g. public sector – FOI requests; private sector – Corporations Law); and the discovery process (litigation). These have received increased attention following highly publicised corporate collapses and legal cases that revealed instances of inadequate DR practices and bad faith destruction of documentary evidence. For instance, in the United States of America, a former member of the (previously) Big Five accounting firms, Arthur Andersen, LLP, was found guilty of obstructing justice because it had destroyed documents relating to the audit of Enron,

407

considered relevant, in the investigation of Enron’s corporate affairs (Freeman 2005). The conviction was instrumental in the ultimate demise of the firm (ibid 2005, p.6). Whilst the criminal conviction was subsequently overturned, the court ruling appeared to be based more on technical considerations relating to flawed jury instructions about whether Andersen had knowingly persuaded its employees to corruptly destroy the documents (Coultan 2005). The Sarbanes Oxley Act of 2002 that was created partially in response to the Arthur Andersen-Enron cases, has amongst other things, created criminal penalties for altering documents by nature of section 802 which provides for the amendment to Chapter 73 of title 18, of the United States Code, by adding two items § 1519 Destruction, alteration, or falsification of records in Federal investigations and bankruptcy and §1520 Destruction of corporate audit records. At a local level, two prominent cases, whilst dealing with different substantive issues, emphasised the importance of and need for appropriate DR practices. The HIH Royal Commission set up to investigate the collapse of HIH Insurance required the restoration of more than 43 million documents by a computer forensics team in its deliberations (Chapman 2003). In addition, during the course of its investigation, the Commissioner found the discriminate deletion of approximately 8,000 emails had occurred the day before the collapse. The HIH royal commissioner, Justice Neville Owen, has been quoted in stating that “There’s no point in retaining documentation for the sake of it … Big organisations are accumulating piles and piles of information every day. They have to have a sensible policy” (cf O’Neill 2005) In the second situation, McCabe v British American Tobacco Australia Services Ltd (BATA) (2002), the Victorian State Supreme Court ruled in favour of Rolah McCabe on the grounds that the plaintiff had been denied a fair trial due to the destruction of large amounts of evidence. The case explored issues relating to the destruction of evidence by a defendant prior to, but in anticipation of, the commencement of civil proceedings against it. BATA, and their legal firm, Clayton Utz, were found to have subverted the process of discovery by destroying 30,000 potentially relevant documents (both hard copy and electronic) with the deliberate intention of denying a fair trial to the plaintiff (Cameron 2002). The result was reversed on appeal. However this case raised concerns in terms of the extent to which an organisation should be expected to go in retaining and preserving documentary records which are no longer relevant to its business requirements but which may provide evidence of its past conduct in the event of ‘future’ litigation.

2.5 Document retention policy Designing effective DR policies is viewed as a crucial element in assuring that the appropriate performance and conformance outcomes are achieved (Schoenfeld & Rasalingam 2002; Chase 2003; Freeman 2005). It has gained heightened attention more recently in governance discourses in terms of managing information assets and information risks as well as meeting compliance obligations (Gillespie et al 2004; Kahn and Blair 2004). However, current emphasis is placed on prescriptive statements that generally relate to policy content and the need to retain documentation for an appropriate period of time to meet legal, professional and organisational requirements (see for e.g. Prieb and Frankle, 2004; Jameson, 2004). To date there has been limited empirical work conducted in this area, particularly in regards to how organisations construct and enact DR policies and how such policies ‘fit’ within the wider organisational policy structures and processes such as information security, business continuity and records management (Peltier 2004).

3. THE RESEARCH IMPERATIVES The DR discourse primarily focuses on the requirements for DR and prescriptive statements relating to the need for and content of DR policy. However there is limited empirical, theoretical or practical guidance as to how these requirements might be achieved and the ways in which policy is designed, implemented and evaluated. Further, such research needs to be sensitive to the following challenges identified from the literature (Ung, 2005):

Document retention serves multiple stakeholders with different perspectives and purposes. Within organisations there are multiple stakeholders with different interests in DR including inter alia records management, governance, security, audit and assurance, business continuity and risk management. Understandings of DR may vary at different levels and in different contexts.

408

Slippage of terminology There is a slippage of terminology about documents and DR. For instance, there is no universally accepted concept of document; rather there are divergent conceptualisations both within and between stakeholder groups. The meaning of documents do not need to be represented with fixed qualities across varying interests, but a sufficiently ‘stable’ set of meanings, malleable enough to be incorporated into different situations that may yet not be known, such as those arising from IT enabled business innovations is required.

Differing social, temporal and spatial contexts for document retention. DR mixes business and legal requirements with issues of economic and technical feasibility in different contexts. Hence different techniques are more likely to be used at different junctures. Further DR has a temporal element in that documents must be retained for a certain timeframe or involves considerations relating to ‘foreseeable’ litigation and a spatial element regarding the location in which documents are stored. These spatial and temporal elements are located within varying international (jurisdictional), industry (sectoral) and functional (business activity) contexts. These multiple issues present complexities for stakeholders in diverse settings that may not be apparent at the outset, but requires effective responses in environments of social and technical change raising the following questions: − How do organisations arrive at an understanding of DR and how are these practices designed and implemented in complex and evolving business information environments? − How are representations of DR translated into timely and useful insights that inform policy decisions? − How do organisations construct and enact DR policy and how are these abstract policies translated into practice? Hence a theoretical basis is required which offers a means of addressing this complexity and uncertainty in DR policy and practice.

4. THEORETICAL FOUNDATIONS Understanding how meanings of DR are constructed, the grounds upon which particular interpretations are based and how these constructions of meaning affect what actions are taken in complex situations and contexts requires a theoretical perspective sensitive to multiple meanings, stakeholders, histories, processes and contexts. In this paper we offer Actor Network Theory (ANT) (see for eg. Callon 1986, Law 1992, Latour 1999) and Colebatch’s (2002) social constructionist policy perspective as an analytical framework to assist in describing and explaining DR policies and practices arising within particular situations and contexts.

4.1 Actor Network Theory (ANT) ANT brings together in the same analytical view human and non-human, social and technical actors explained by common practices. Hence actors are not viewed in terms of determining outcomes of, in this instance, document retention, but as providing affordances that may (or not) present opportunities to be “taken up”(Munir & Jones 2004). As a theory of agency, a theory of knowledge and a theory of machines (Law 1992), ANT offers a rich vocabulary (see for eg. Akrich & Latour 1992; Latour 1999) that assists in describing and explaining the actions, activities and artifacts that constitute and represent DR. A fundamental concept is that of the actor network and principles of heterogeneity, that is diverse elements, such as technologies, institutions and humans, referred to as actors (or actants), form a network of aligned interests (the ‘actor network’) that constitute a particular course of action. There is no a priori definition nor prior assumptions as to which are the significant actors as this is revealed through empirical observation and analysis. The alignment of interests depends upon the enrolment of a sufficient body of allies and the

409

translation of their interests, which may involve for example negotiation, acts of persuasion and inscription devices, into a sufficiently ‘stable’ set of meanings and willingness to act in accordance with prescriptions of key actors. The power of these actors may weaken if the established representativeness degenerates as a result of, for example, a competing policy area. Although ANT offers a number of useful insights, its analytic impartiality, generalized symmetry, repudiation of a priori distinctions between the social and the technical and its limitations to capture the historical and cultural processes through which technologies are constituted has attracted criticism (see McLean & Hassard 2004). In this study it is proposed primarily as an analytical stance, as part of our argument that explanations of DR are developed through understanding: how it is being represented; that change is created through the construction of new representations; and that different actors may create and influence these representations, although not necessarily equally because of differing levels of power and authority.

4.2 Social constructionist perspective of policy Colebatch (2002) adopts a social constructionist approach influenced by structuration, instititutional organisation theory and governmentality in his analysis of the policy process. Hence policy, nor the problems to which it addresses, is viewed as natural phenomena with an existence of its own, but as produced by policy participants. The concept of policy is presented not only as a descriptive analytical tool, but also as a “concept in use” in that it: assists in understanding the way in which practitioners use policy itself to shape action, thereby providing a means to explain and validate the action; and provides a way for researchers and policy observers to examine organised activity leading to questions about policy as a process and not simply as an outcome (ibid pp. 20-21). Colebatch posits there are three important issues with respect to policy, namely: a horizontal and a vertical dimension; an empirical (‘is’) and normative (‘ought’) component; and language “as part of the action” (ibid p.61). These different dimensions and components of the policy process may “pull in different directions” and so can not be viewed in terms of “… one is ‘theory’ and the other is ‘practice’ [as] both are essential elements of the same process” (p. 62). The ‘vertical’ and horizontal’ dimensions impact upon the way that we understand and interpret policy. The vertical dimension views policy from a top-down perspective focusing on “instrumental action, rational choice and the force of legitimate authority.” The horizontal dimension is concerned with the way policy structures action. The two dimensions are mutually shaping in that the implementation of the authorised decision requires cooperation from “relevant others outside the line of hierarchical authority”. Further the shared interpretive frames of meaning that arise from the horizontal dimension are given effect via “the instruments of the vertical dimension” such as policy directives. Therefore, participants may have different accounts of the same process, whereby one account is ‘sacred’, drawing on the normative framework (vertical dimension) and the other account ‘profane’ drawing on the empirical framework (horizontal dimension)(ibid p.24).

4.3 The Analytical Framework Bringing these two theoretical perspectives together provides a complementary and integrative view of socio-technical change and policy processes relating to DR arrangements in terms of: how DR is represented in organisations and how these representations are constructed and shaped; how representations of DR are translated into action for policy and practice; and how organisations (if at all) construct and enact document DR and how they are shaped. That is, attention is focused on the heterogeneous actors that constitute (and may be constituted by) representations of DR and the actions, activities and circumstances through which these actor networks come to stabilise sufficiently for policy and practice to be undertaken. Further, policy action itself is examined in terms of why organisations are pursuing DR policy, who sets the priorities, who is involved in the policymaking process and how the ‘relevant’ groups involved are persuaded to support, deliver and implement DR policy. A particular focus is on the interpretive frameworks used in understanding policy questions, who is involved, the locations in which they interact and the institutional arrangements within which meanings are mobilised.

410

Bringing together contextual explanations from the social constructionist policy perspective with ANT may be viewed as incompatible given the latter’s focus on actors’ agency. However, we argue, similar to Avgerou and Madon (2004) that ANT is a useful starting point from which to trace the actors involved but needs to be followed by an analysis of the social contexts in which these lived experiences take place.

5. CONCLUSION AND FUTURE RESEARCH This paper has examined the business and research imperatives for DR and offers an analytical framework that provides a means of reframing how it is viewed and enacted in both scholarly and practitioner fields of practice. Researchers and practitioners need an innovative way to address the uncertainty and complexity surrounding DR. This requires an interdisciplinary perspective so as to provide a fuller conception of the stakeholders, interests, structures, histories and technologies that constitute DR. While various views (explicit or implicit) have emerged from different disciplinary perspectives, there is limited evidence of synergy and convergence. This paper proposes an analytical framework that will advance theory, policy and practice by: Clarifying the grounds upon which particular positions of document retention are based and identify synergies between different domain areas (e.g. Records Management, Information Systems and Law) reflecting intellectual themes and a less fragmented discourse. Offering new theoretical perspectives of Actor Network Theory (ANT) and social constructionism that provide conceptual and methodological tools for exploring the socio-technical constructions of DR and how these different and divergent meanings may affect choices and actions in policy and practice. Developing an empirically relevant integrative framework through a series of interpretive case studies. This will provide a ‘map’ of DR practice, offering a set of guidelines for private and public sector organisations for managing along the continuum of performance and conformance objectives. Further, the framework will assist organisations design, implement and evaluate actionable policies that interface with practice and are attuned to national circumstances and other related areas such as privacy, security, business continuity and intellectual property. Much work remains to be done in this area. However, organisations at an international, national and local level will benefit from this study that will provide an in-depth examination of DR policy and practice in context, identifying tools and techniques that may assist them and areas where improvements are needed.

REFERENCES Akrich, M. and Latour, B., 1992. A summary of a convenient vocabulary for the semiotics of human and nonhuman assemblies. In Bijker, W. & Law, J. (Eds.), Shaping technology, building society: Studies in sociotechnical change, (pp.259-264), The MIT Press, Cambridge, MA. AS/NZS 17799. 2001. Information technology: code of practice for information security management, Joint Technical Committee IT-012, Council of Standards Australia and Council of Standards New Zealand. Avgerou, C. & Madon, S., 2004. Framing IS studies: understanding the social context of IS innovation. In, Avgerou, C., Ciborra, C. & Land, F. (Eds.), The social study of information and communication technology, Innovation, Actors, and Contexts, (pp. 162-182), Oxford University Press, New York. Callon, M., 1986. Some elements of a sociology of translation: Domestication of the scallops of the fisherman. In, J. Law (Ed.), Power, action and belief: a new sociology of knowledge? (pp.196-233), Rutledge & Kegan Paul, London. Cameron, L., 2002. McCabe v Goliath: The case against British American Tobacco Australia Services Ltd, University of Queensland Law Journal Vol 22, No 1, pp. 124 -128. Chapman, S., 2003. Evidence in the Inbox, Information Week (Australian edition), August. Chase, C.R., 2003. To shred or not to shred: Document retention policies and federal obstruction of justice statutes, Fordham Journal of Corporate & Financial Law, Vol 8, No 3, pp. 721-763.

411

Colebatch, H.K., 2002. Policy (2nd Edition), Open University Press, Maidenhead. Coultan, M. 2005. Andersen wins in Supreme Court, The Sydney Morning Herald, 2 June. Eloff, J.H.P., Holbein, R. and Teufel, S., 1996. Security classification for documents, Computers & Security, Vol 15, No 1, pp. 55-71. Fedders, J.M. and Guttenplan, L.H., 1980. Document retention and destruction: Practical, legal and ethical considerations, Notre Dame Lawyer, 56, pp.5-64. Freeman, E.H. 2005. Retention of corporate e-documents under Sarbanes-Oxley, Information Systems Security, September/October, pp. 5-9. Gillespie, J, Fair, P, Lawrence, A and Vaile, D., 2004. Coping when everything is digital? Digital Documents and Issues in Document Retention. White Paper. Baker and McKenzie Cyberspace Law and Policy Centre, UNSW. HB 221. 2004. Business Continuity Management, Joint Standards Australia/Standards New Zealand Committee OB-007. Herbane, B., Elliott, D. and Swartz, E., 2004. Business Continuity Management: time for a strategic role? Long Range Planning, Vol 37, No 5, pp.435-457. IT Governance Institute. 2005. Information Risks: Whose Business Are They? ITGI, Rolling Meadows, IL. Retrieved from: http://www.itgi.org/template_ITGI.cfm?Section=Best_Practices&Template=/TaggedPage/TaggedPageDisplay.cfm& TPLID=44&ContentID=6574 (downloaded 9 March 2006). Ingram, T., 2004. Help your clients deal with document retention and deletion, Journal of Internet Law, Vol 7, No 10, pp. 3-12. Jameson, B.E., 2004. Document retention and electronic discovery. The Practical Litigator. Vol 15, No 5, pp.59 Jarret, J., 2005. When disaster strikes, will your vital records be safe? Cadence Group. Retrieved from http://www.cadence-group.com/articles/recmgmt/disasterRecords.htm (downloaded 9 March 2006). Kahn, R.A. and Blair, B.T., 2004. Information Nation: Seven Keys to Information Management Compliance. AIIM, Silver Spring, MA. Latour, B., 1999. Pandora’s hope, essays on the reality of science studies, Essays on the reality of science studies, Harvard University Press, Cambridge, MA. Law, J. 1992. Notes on the theory of the actor-network: Ordering, strategy and heterogeneity, Systems Practice, Vol 5, No 4, pp. 379-393. Lyman, P. and Varian H.R., 2003. "How Much Information". Retrieved from http://www.sims.berkeley.edu/how-muchinfo-2003 on 28/10/2005. McLean, C. & Hassard, J. 2004. Symmetrical absence/symmetrical absurdity: Critical notes on the production of actornetwork accounts, Journal of Management Studies, 41(3), pp. 493-519. Montana, J.C., 1999. Managing the law of technology, Information Management Journal, Vol 33, No. 3, pp. 54- 57. Munir, K.A. and Jones, M., 2004. Discontinuity and after: The social dynamics of technology evolution and dominance, Organization Studies. Vol 25, No 4, pp. 561-581. Muthukrishnan, R. 2005. The Auditor’s Role in Reviewing Business Continuity Planning, Information Systems Control Journal, Vol. 4. O’Neill, R., 2005. Justice Owen keeps it on the record, The Age, 14 June. Peltier, T.R. 2004. Developing an enterprisewide policy structure, Information Systems Security, Vol 13, No.1, pp. 44-50. Priebe, D. and Frankle, D.H., 2004. Securities Litigation: Five tenets of a written document retention policy. Insights: the Corporate and Securities Law Advisor. Vol 18, No 7, pp.2-9. Schoenfeld, S.R. and Rasalingam, R.P., 2002. Document retention policies have long-term benefits, New York Law Journal, 18 November. Ung, C. K. 2005 Representations of document retention: an interdisciplinary perspective. Unpublished Honours thesis. University of Sydney. Williams, R.F. and Ashley, L.J. 2005. Electronic Records Management Survey: A call to action. White Paper. Chicago: Cohasset Associates, Inc. Zawada, B. and Schwartz, J. 2003. Business continuity management standards – a side-by-side comparison, Information Systems Control Journal, Vol. 2.

412