One of the responsibilities of the Document Control team is to ensure the integrity of “Controlled Documents” (see a definition of controlled documents).
Maintaining the integrity of controlled documents means that we work to avoid any uncontrolled modifications, and any unauthorized access.
Integrity of controlled documents
When we provide consultancy to companies on Document Control, it is not rare to see that important files are not necessarily protected against uncontrolled modifications.
- Cases where the whole team (including authors, reviewers, engineers, users, etc.) has a direct access to important files, with the right to modify, update, revise without going through a controlled gate. These cases are causing harm to basic control of documentation, revision control, traceability, auditability, accountability and of course ultimately safety.
- Cases where the comments are archived but where the author of those comments can come back on it months or years later and modify what he/she said at the time. These cases are causing harm to traceability and eventually liability of the company.
- Or cases where documents are sent outside the company without going through Document Control first, causing harm to traceability and to the liability of the company.
These cases are not rare but more often than not they are the result of ‘not thinking’ about the access rights more than the result of an actual desire for documents to be in danger of uncontrolled modifications or unauthorized access.
And it is true that talking about access rights can seem a bit “dry” to most people and, we have seen that, at the beginning of a project for example, management feels at first that it is a secondary issue that can be dealt with at a later stage.
A discussion that needs to happen as early as possible
Unfortunately it is not a subject that should be pushed to a later discussion. First because, very often, that discussion actually never happens. But most importantly because the lack of anticipation and definition of access rights can have very severe consequences that can harm the whole project.
This striking story was given to us by a Document Controller who had to face that situation: The project just started and everyone was just fire-fighting with a lot of problems and issues. The Project Manager had given the go ahead to create the folder structure in the EDMS for this new project, but did not want to spend time on access rights right now (having so much to do already). So when the DC asked about access rights, the manager just said “let’s give them the same as for the previous phase of the project”. Unfortunately, the previous phase was an internal phase, involving only internal users. The new phase was a phase involving several contractors and suppliers. In the heat of the start of the project, nobody really thought about the impact that this would have on access rights and filing structure.
The surprise was huge when after a couple of weeks the Project Manager received a letter for unlawful disclosure of information from a supplier who was not happy to see that other suppliers had access to sensitive and contractual information through the EDMS. Indeed, everybody had been given an access to everything, even external companies.
So what should we do to tackle this access right subject?
The first step is to sit down with management and to define:
- Typical roles and what they need to be able to do in the EDMS (for example, a simple user will just need to read documents, but an engineer may need to create, review, etc)
- Groups of users who should have the same access rights
- Sensitive information, where it should be stored in the filing system and who should (and should not) have access to it.
- Access right levels for each group of users against each folder / node in the filing structure
- Clear definition of what is considered a controlled document in the company, with definition of the process to manage them and guarantee their integrity.
The earliest this process is started, the better, and it is actually recommended to do it even before EDMS access is given to users.
You might also be interested by our "User Access Form" available in the Document Control Toolbox
Other blog articles that might interest you:
Allocating User Access: Step by Step
How to improve recognition of the Document Control profession
Document Controller: A Career Roadmap