Third party records services: two cautionary tales

In recent months, two worst-case scenarios got me thinking about outsourcing duties associated with records management. The first was the settlement of a Qui Tam complaint in the Pennsylvania area. In it, Iron Mountain and Shred-It agreed to damages payable to the federal government for failing to shred documents to the specification required by their contracts. For me, the crux of the scenario does not pertain to the particulars–the General Services Administration (GSA) has more stringent destruction requirements than do most other organizations–rather, that the breach of contract wouldn’t have been discovered if not for the complainant. The complainant owns a smaller document shredding company and, familiar with the shredding equipment and procedures employed by the larger vendors, surmised they were unable to dispose of records to the specifications required by the GSA.*

The other scenario was the discovery, via internal audit by the Office of Inspector General of the Environmental Protection Agency (EPA), that an off-site storage facility managed by a third party fell victim to a startling lack of agency oversight. The most salacious discovery is that the contractor’s employees had set up (and hidden from cameras with boxes) television sets, refrigerators, and exercise equipment. The employees had even used EPA paper stock to document exercise routines. Apart from the headline-grabbing recreation centers, the other serious issue at the facility was the existence of “old archived files located in the warehouse dated back to 1992” (p.4). As expected the EPA reacted responsibly: they conducted an inventory of the records to identify any instances where personally identifiable information (PII) had been disclosed, developed security plans, and cut off ties with the contractor.

Both events are directly related to the work we do with records management, regardless of our institutional context. Most obviously, the scenarios reinforce the necessity for close examination of potential contractors. In the first scenario, the GSA awarded contracts to companies that used equipment that did not meet the GSA’s own requirement. Second, it reinforces the need for records managers to either have the authority (or have a close relationship with authorized personnel) to negotiate contracts with third parties. Finally, it highlights the need for records managers to have clear lines of communication with any internal audit unit within their organization. In the first scenario, there is little to indicate that internal measures would have discovered the inadequate shredding. In the latter instance, an internal audit office of the EPA discovered the contractor’s practices, as well as highlighted the EPA’s own problems with respect to retention and storage of records with PII at the facility. Many records professionals have a relationship with their organization’s audit office, but I would hazard a guess that many do not. In any event, both instances make for good cautionary tales, and would make good campfire stories for your next records management-themed Halloween party.

* Caveat: the articles and blog posts I’ve read about the event are apparently based on the same press release, which was written by the law firm bringing the complaint. Understandably,

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s