They key for me in my discussions was that it was clear that probing the issues of standards, the qualifiations, education and training of the Records Manager, and the RIM Program’s training program for employees were all subject to a high degree of scrutiny.

I agree with your premise in terms of litigation issues relative to spoliation or inability to produce evidence at trial.

In my organization, I’ve become part of the Information Security function, but I don’t carry responsibility for privacy. I do have litigation support responsibilities as well as the core records responsibilities.

Now if someone got hold of records that they shouldn’t have that were ostensibly under my control, that might be an issue. But if someone snags information from some other source, it is a lesson learned for me, but arguably not my accountability.

some may suggest that I am passing the buck, but in my organization, we’re able to staff a variety of infosec positions which have focus on those other areas. I support them and do my part, but I would be shocked to find that I am accountable for privacy breaches.

In an overall information security program, there is certainly room to capture both security classification and records classification. Those classifications can be related directly — and certainly captured and acted upon at the same time.