Document and Record Control

Document and Record Control

Any organization must have a way for organizing and controlling its Documented Information. This is called Document Control, or Record Control. When we speak of documented information, we mean any information important enough to be controlled and maintained by the organization in some documented form.  Most commonly, documented information is just referred to as documents and records, or as documentation, period, where documentation includes documents such as manuals, procedures, and work instructions, as well as all kinds of records, such as production records, quality records, and so forth. 

Most commonly, this includes important communications, records, work instructions, procedures, and manuals, but it should include any other information important enough to warrant control and documentation, including, for example, training materials, or external documents used in your operations, such as industry standards or benchmarks.

It means to store information in any retrievable form, such as by paper, magnetic, electronic, photographic, or any other means. Even software code, electronic forms, internet sites, and automated processes can be considered “documented” information.   

To control and maintain documented information generally means that you have a plan for: 

  • the creation, naming, and formatting of documentation
  • the review and approval of documentation
  • access, storage, and protection of documentation
  • protecting the confidentiality of certain information
  • the distribution of documentation
  • the revision of documentation, and finally
  • for the retention and disposition of documentation

An auditor will apply certain loose criteria in assessing your document management system, such as “is it appropriate,” or, “is it adequate,” for your circumstances. 

For example, Are documents appropriately named so as to avoid confusion and to afford quick identification and access? Or, Are the permission controls adequate to prevent malicious tampering or destruction of records?

Let’s go through each one of the control points, and discuss what you should consider, when planning how to control and maintain your documents:

You need to decide who can create new documentation. Can just anybody create a new document, and if so, what kind of document? And can that person then just distribute the document immediately or does the document need to go through a review process before publication and distribution at large? Does collaboration need to be involved in the creation of some or all of the documents? What kind of hierarchal oversight should there by, if any? Should the process be different for some departments, or some types of documents, than others? 

You need to decide the formats you intend to use for the creation, editing, and storage of documented information. You may disapprove of some formats as too easily tampered with, or as too difficult to access, revise, and distribute for review. Format can also imply medium of communication. If the information is on a website portal, that is a format that may or may not be appropriate depending on questions such as: “Who has access to the portal” and “From what locations and at what times is the portal accessible?” and “When is the information needed and by whom?” Online formats are sometimes incompatible with transfer to a more permanent format. 

You need to decide how each document will be quickly identified for what it actually is. This seems to go without saying, but, for example, in large organizations, documents from different departments can end up with the same or similar name, but obviously contain very different information for very different situations. Often a system for identification includes a department designation, a document type, a descriptive title, and perhaps even a document number to keep everything organized. 

You need to decide how documentation becomes official – officially approved, controlled, and maintained by the organization. How does a proposed document, or a revised document, progress toward becoming a fully approved, published, and distributed document? Are different types of documents treated differently? Should different departments follow different procedures? Who are the approving authorities and how do they receive relevant information and provide important feedback during the review and approval process? How do you expedite the process and ensure documents are being reviewed in a timely manner? 

You need to decide how you will store information, where you will store it, and who will have access to stored information. Procedures, forms, and records, for example, will probably have different usage and storage requirements. Make sure your storage of that information matches with the usage and permission requirements. 

You need to decide who should have access at what time, and with what permissions — to ensure timely and effective use of the documented information, as well as its protection. You don’t want someone to be incapable of accessing important information at the point when that information is most critical. 

You need to protect your documents from access or tampering by unauthorized personnel. Ensure that the permissions you grant pair with the authority of the individual at all times. In other words, as a general rule, only someone with authority to modify a document should ever have edit rights.  

You need to protect sensitive information from access by malicious or unauthorized persons. This includes the sensitive information of others, and sensitive information of your organization. Be aware of local and federal regulations concerning how you handle the sensitive information of others. As for internal requirements for confidentiality, you can categorize sensitive documents into a confidentiality ranking system. For example: 

  • Confidential (only senior management have access)
  • Restricted (most employees have access)
  • Internal (all employees have access)
  • Public (everyone has access)

This may even be included in how you identify documents so that it is clear up front the permissible uses of the document and the confidentiality expectations. 

You need to ensure that when a new or modified document is approved, that all relevant parties are notified and that the updated document is officially published or distributed according to procedure. Training may be necessary as a result of the changes. If your documents are printed and used in hard copy form, then you need to control the distribution of hard copies to ensure that when a new version is approved that all outdated hard copies are removed and replaced with updated versions. A checklist can be helpful to ensure that the change is fully implemented at the time of distribution. 

You need to track changes to your documented information. Whenever changes are made, it is good practice to track what the nature of the revision was, who made it, and when. Obsolete copies may be kept for reference, but must be kept separately from official published documents. These practices ensure that only updated copies are used, and that only the latest revisions are distributed and in use, and that changes can traced back and evaluated for effectiveness.  

You need to decide on long term storage requirements and methods, retention periods, and method of disposition of documented information. To avoid clutter, you should consider when older documents should be moved to an archive. Consider your organizations needs, liabilities, and local and federal regulations, when choosing a retention period for your various documents. Who will track these documents, and who will destroy, or dispose of, documents that are beyond the retention period? Are any documents so sensitive that extra effort is required to ensure their destruction? Is there an approval process that must be followed before destruction occurs?

So we have just reviewed about twelve control points.

So, how do you manage all of this? I like to use a Master Document List. This is a list to keep track of it all. Generally, documents are listed on the left, followed by their various control requirements and their current status. You may create a Master Document List, even if you intend to use a software management system, just to help you organize your thoughts about how to control various documents in your organization.