In a previous post, "The Two Minute Commute", I talked about moving to a situation where I will find myself working at home with regularity. In that post, I walked through a number of issues that I wanted to address. Since then, I've been exposed to some additional information about how some organizations are going to handle the increasing need for lower real estate costs -- and the increasing need for lower IT costs.
I tend to be conservative in my approach to records management. I think that is a trait shared by many of us in this profession. We look for risk around every corner. We look to mitigate that risk, protect records, and ensure that we have a consistent records management program. The sea changes of the past 20 years in computer technology and the last ten years in email and Internet technology have messed with our nice neat world of color codes and file folders. On the one hand, we now have the ability to better track files and boxes through bar codes, RFID, and computer databases; on the other hand, we have an incredible proliferation of electronic records that we struggle to manage.
Twenty years ago, offices were just beginning to use personal computers. There were limited networks, but a desktop computer on every employee's desk was still not the norm. The tidal wave of personal computing was coming, however. If an employee had a computer, it tended to be a "green screen", or mainframe terminal. Desktop computers tended to be used as word processors, with the output printed, put into an envelope, and mailed. Some files were retained on floppy disks, but the record copy was a paper copy for most folks. In essence, the computer user rarely was responsible for retaining electronic records. The green screen user relied upon the mainframe to retain information; the PC user relied on paper copies. There were many users who, when faced with a corporate bureaucracy that wouldn't buy personal computers, would bring in their own PC from home -- or buy a PC on an expense account. These pioneers found great utility in the home PC and made them work in the office. It wasn't long before corporate IT departments found themselves buying PCs for every employee -- and upgrading those PCs every two to three years.
Flash forward 20 short years. Today, we have utter and total anarchy when it comes to electronic records. Very few companies have their act together. The end user has a variety of managed and unmanaged repositories for information. The volume of information being retained is growing exponentially. And now we want to drive those end users out of the office and into locations where we can't see what they are doing? Yep. And we want them to bring their own computer to work, too. WHAT?!!! Yes, you read that correctly. As corporate IT departments are faced with escalating costs for storage and management of information, they are also faced with the costs of PC and laptop replacement -- and support. Users are complaining to IT that they have a PC at home "that is better than what is at work". The upgrade cycle continues and that is a serious drain on an organization's resources. Add in the cost of support and you have a serious cost issue.
At the same time, many employees are working from home on home PCs that are powerful and use the same software as the employee has at work. The employee wants to use his or her home PC when working from home. The employee typically has some sort of broadband access. For many companies, the company-issued laptop sits idle when the employee is at home. This makes for an interesting financial calculation. The employer has a tremendous investment in computer hardware that often sits idle much of the day. The employee fully owns the "personal" in "personal computer" and hates the IT department for preventing the installation of unsupported software or the customization of desktops.
Many companies are now seriously looking at providing employees with an annual allowance to purchase and support their own computers. These companies are also investing in technology that will protect the computing environment from viruses and spyware (and ill-configured computers), while allowing employees access to company information and resources. These initiatives are sold as "win-win". The employee gets the computer of their choice and the company (in theory) saves the cost of purchase and support of hundreds or thousands of computers.
And we records managers lose more hair and start examining the Grecian Formula with intent.
So let's recap... what am I talking about here? There is a near future scenario where a company;s IT department will no longer automatically supply a PC or laptop to every employee in the company. If an employee will primarily be mobile or working from home, the company will provide an allowance to the employee to purchase his or her own computing device(s). The employee will also need to provide a means of remote access (typically some flavor of broadband). The company will provide a secure portal via the Internet and typically provide applications to the employee in a "Software as a Service" or SaaS model. In many cases, this will mean that the company is using a third party to host email and the various business applications that employees use. In addition, this access will often be facilitated using Application Delivery / Desktop Virtualization models such as Citrix or VMWare. (Neither company is being endorsed here, just used as examples of leading technology in this space.) In effect, the user accesses his or her "business" desktop through a secure Internet connection. The data is typically hosted remotely on a company server and the user's local computer retains no business data. (Back to the future, eh?) The user may also be restricted in what can be copied locally or copied to USB devices.
The drawback here is that the user must have an Internet connection to be functional. That doesn't help the mobile user who is sitting on an airplane and wants to work on email or a presentation. With some of these models, however, the latest releases also allow the end user to retain a copy of their virtual desktop on their local machine or a portable media device like a thumb drive. So that, in theory, could mean that the employee would have the capability of retaining a complete copy of their business information on a device that they have purchased personally -- and that gets us into the issues discussed by John Montana in his AIEF paper. That is mitigated (to some extent) by encryption. The local copy is encrypted and the decryption key is controlled by the employer. The minute that the employee is terminated, the encrypted data is rendered useless. The employer retains access to the data that has been replicated to its servers and normal retention periods can be applied. Of course, the challenge here remains that the employee (or former employee) is still in possession of corporate data (albeit encrypted) and may be subject to seizure or subpoena of his or her personal computer.
So what I've described actually takes us back 20 years or so to some extent. The upside is that the data is generally going to be retained primarily on the company's (or the company's agent's) servers. Controls may be put in place to prevent local retention of records of the company. The information is maintained and transmitted securely. Backups are automatic.
So what's to worry about? I suppose there are a few things. Companies like Google and Microsoft are moving headlong into this space. They will be hosting data in huge data centers. In theory, they may have the ability to see at least some of the data, so that is a potential problem, although most data will likely be heavily encrypted. The legal aspects of access to an employee's personal computer still need to be worked out. What expense will the employee bear when he or she is subject to subpoena of their personal property? Security of the information is a major concern. And lastly, but certainly not of least importance to us, the ability of these applications to integrate with records management software and processes remains to be seen.