The Records Continuum and Technology Assisted Review

With GDPR now fully implemented, there is no shortage of software offerings claiming to help businesses manage the complex regulatory environment presented to businesses outside the EU. However, IG practitioners should remember that software is not a panacea. Despite promises offered by technology, IG practitioners must be proactive in protecting PII across the entire information continuum, a continuum made more challenging by Big Data, the Internet of Things and unstructured information which lacks proper metadata.

More than twenty years ago, as information scientists were grappling with the challenges presented by electronic information, researchers from Australia conceptualized the Records Continuum Model (RCM) to view important records amongst other information. The location of this information in the RCM determined critical aspects of the information’s use (such as disposition). The RCM is presented here as a means of conceptualizing how PII is treated amongst a sea of unstructured data, and how the RCM can be used to understand technology assisted review (TAR) and other forms of predictive coding.

Given that the RCM “facilitates a proactive and holistic view of managing digital information,”[1]  the model positions information along four states of existence, including: create, capture, organize, and pluralize. Frank Upward and colleagues created the RCM to aid in the recognition of electronic records amongst other electronic information (See Figure 1). This holistic view is needed now more than ever as businesses outside the EU begin to understand how GDPR affects them. Fortunately, software technology has advanced enough that file analytics and machine learning help compliance officers and records managers ensure the protection of PII across the entire information continuum. By viewing electronic information in the RCM, IG practitioners have a formidable tool to create, capture, organize, and pluralize PII in any business situation.

The concepts behind automation and machine learning are nothing new. At their core, these concepts involve artificial intelligence (AI), a concept that has piqued the imaginations of science-fiction fans for at least the last century. The RCM’s usefulness as an IG tool for GDPR compliance comes from conceptualizing how PII moves through a business––the information flow. TAR is “a process whereby computers are programmed to search a large amount of data to find quickly and efficiently the data that meet a particular requirement.”[2] With a detailed knowledge of how information is used in the business (aided by the RCM), IG practitioners can use TAR to identify hidden PII that may not be visible in large batches of unstructured information.