
History of Certification Standards and the Development of RAC

CHAPTER 3: DIGITAL RECORDS PRESERVATION AND TRUSTED DIGITAL REPOSITORIES – A REVIEW OF DEVELOPED WORLD LITERATURE

3.4 Digital Repositories Standards, Certification and Trust


The notion of a ‘trusted system’, or ‘trusted repository’, to manage digital records was proposed quite early in archival scholarship. Hedstrom proposed the use of trusted systems to control the management of digital records, although many of the functionalities she proposed mirror those used by digital recordkeeping systems.260 Her approach is based mainly on system functionalities, which differ from TDR audit and certification criteria in that they seek to assess not just the functionality of digital repository systems but also the finances, personnel capacity and regulatory frameworks surrounding digital records and archives management. Audit and certification criteria were only created after the development of OAIS, beginning with nestor (2003), followed by DRAMBORA (2006), TRAC (2007), DANS (2008) and finally RAC (2012). These initiatives are outlined below.

In 2003, a German initiative called nestor or the Network of Expertise in Long-term Storage of Digital Resources began working on audit and certification criteria for digital repositories. nestor has a two-pronged approach to repository certification: ‘soft’ and ‘hard’. ‘Soft’ certification is achieved by coaching repositories to take up a standard voluntarily, such as using Persistent Identifiers (PI) for their digital materials.261 Persistent Identifiers are permanent references attached to digital records that allow them to be retrieved in perpetuity. The goal of ‘hard’ certification is: ‘[E]nsuring the highest level of trust […] only admitting those [repositories] that follow very strict rules.’

The objective of nestor is first to encourage and lay the groundwork for establishing a trusted digital repository by promoting the use of good practice or standards, in the hopes that this voluntary compliance would lead to the implementation of more rigorous practices and regulatory frameworks. The final outcome would be that through the continued application of voluntary measures for digital repository management the repository could receive ‘hard’ certification as a trusted digital repository as per the nestor requirements.

260 Hedstrom, ‘Building Record-Keeping Systems’, 58.

261 All information from this paragraph comes from: Susanne Dobratz and Astrid Schoger, ‘Nestor Digital Repository Certification: A Report from Germany’, RLG DigiNews on Repository Certification, accessed 11 September 2011, http://edoc.hu-berlin.de/oa/articles/reh7CbxRopdUA/PDF/23yn183UoMBU.pdf.

The Digital Repository Audit Method Based On Risk Assessment (DRAMBORA) was developed jointly by the Digital Curation Centre (DCC) and Digital Preservation Europe in response to the RLG-OCLC white paper Trusted Digital Repositories: Attributes and Responsibilities (2002). Many practitioners and academics felt that although the RLG-OCLC white paper provided a good starting point, it did not give enough actual metrics or quantifiable methods for assessing what constituted a trusted digital repository.262 DRAMBORA is a risk-based assessment method similar to that used by financial or business auditors. Repository auditors collect documentary evidence and conduct interviews to locate risks and to identify mechanisms to mitigate them.263 The auditors rank the risks based on the likelihood of occurrence and their overall impact on the organisation (i.e. reputational damage).

Trusted Repository Audit and Certification (TRAC) (2007)264 was a joint RLG-NARA initiative. The TRAC certification method allows organisations to either self-assess their repository operations (soft certification) or to be externally audited (hard certification).

Following TRAC, organisations assess their digital repository operations based on three criteria: ‘Organizational Infrastructure’, ‘Digital Object Management and Technologies’ and ‘Technical Infrastructure and Security’.

262 Ross and McHugh, ‘The Role of Evidence’, 2.

263 Digital Curation Centre and Digital Preservation Europe, ‘Digital Repository Audit Method Based on Risk Assessment DRAMBORA’ (DRAMBORA, 2007).

264 RLG-NARA, Digital Repository Certification Task Force, ‘Trusted Repositories: Certification and Audit’ (National Archives and Records Administration, 2007), accessed 9 May 2011, http://www.crl.edu/sites/default/files/attachments/pages/trac_0.pdf.

‘Organizational Infrastructure’ requirements seek to measure and assess governance structures, policy frameworks, financial sustainability and legalities (i.e. transfer agreements and copyright) related to digital repository management. ‘Digital Object Management’ focuses on examining whether the repository has the capabilities of managing digital records from ingest to preservation and display. Finally, ‘Technologies, Technical Infrastructure and Security’ assesses the repository’s technical capabilities, including information technology architecture and overall network security.

This audit mechanism developed by the TRAC committee would serve as the foundation for the Repository Audit and Certification (RAC) standard (2012), which is discussed further below.

Before considering RAC, another certification tool must be mentioned. The Data Seal of Approval (DANS) was established by two Dutch science organisations: the Royal Netherlands Academy of the Arts and Sciences (KNAW) and the Netherlands Organisation for Scientific Research (NWO). This certification and audit criteria tool was specifically designed for use in the assessment of research data repositories.

Organisations that wish to certify through DANS must first self-certify their operations against 16 guidelines that consider the following questions, among others: can the data be found on the internet; is the data in a useable format; and is the data reliable?265 Once repositories have completed their self-assessment they can then submit their audit for peer review. If they pass the peer review the repository is awarded a data seal of approval.266

265 Royal Netherlands Academy of the Arts and Sciences and Netherlands Organisation for Scientific Research, ‘Assessment | Data Seal of Approval’, accessed 24 January 2015, http://www.datasealofapproval.org/en/information/assessment.

Finally, leading on from the work done by OAIS, as well as other certification initiatives, the CCSDS began developing the Repository Audit and Certification (RAC) standard or ISO 16363 (2012). The development of RAC began in 2007 with the approval of the CCSDS management committee, and an ad hoc committee was formed, which consisted of former OAIS and TRAC committee members.267 Once RAC was finalised it was presented to ISO TC20/SC13 and it became an ISO standard in 2012.268 As mentioned in Chapter 1, RAC relies heavily on the work of TRAC, and the assessment criteria in RAC differ very little from that earlier document.269 RAC, however, does incorporate elements from other repository certification standards such as nestor, DRAMBORA and DANS.

RAC is divided into three sections: ‘Organizational Infrastructure’, ‘Digital Object Management’ and ‘Infrastructure and Security Risk Management’. ‘Organizational Infrastructure’ addresses requirements related to regulatory framework (i.e. policies and procedures), staffing expertise and development, repository financing and preservation frameworks.270 ‘Digital Object Management’ details the processes needed to ensure the efficient management of digital records from the point at which they are transferred by the records creator, to their preservation and then to end-user access. ‘Infrastructure and Security Risk Management’ provides requirements to help organisations manage risks related to technical infrastructure and security.

266 Royal Netherlands Academy of the Arts and Sciences et al., ‘Assessment’.

267 Interview 23, 1 June 2012.

268 Interview 23, 1 June 2012.

269 McGovern, et al., ‘TRAC_RAC Comparison Document’.

270 All information from this paragraph comes from: TC20/SC 13 International Standards Organisation, ‘Space Data and Information Transfer Systems -- Audit and Certification of Trustworthy Digital Repositories’ (International Standards Organisation, 2012).

Ultimately the purpose of each of these audit and certification standards was to provide the evidence necessary to demonstrate that digital repository systems are capable of maintaining authentic and reliable records. Certification, in the end, allows the creators, custodians and users of records to prove that the contents of TDRs are managed with integrity.

3.5 Conclusion

This chapter sought to provide an overview of developed world research and scholarship on digital records preservation, leading to the development of TDR standards. Topics such as access and preservation, authenticity and reliability were explored to provide some context about developments in the library and archival communities that led to the decision to develop TDRs. These discussions within the different professions contributed to the creation of reports such as Preserving Digital Information, which would in turn inform TDR standards like OAIS.

Ultimately, an explanation of the history of OAIS and RAC shows that TDRs are a convergence of views from different communities of professional practice, each of which was concerned with digital records preservation. Space data scientists, librarians and archivists all sought frameworks to guarantee the integrity of records once they were transferred from records creators to digital repositories.

The question of the nature of trust and how it was measured began to pervade discussions of digital records preservation. This in turn influenced how the information studies community understood their relationship to TDRs. O’Neill’s analysis of trust provides a valuable perspective on the use of audit and certification criteria in today’s Westernised societies. The question of whether audit and certification standards like RAC actually generate more trust in digital repository operations remains to be seen. By O’Neill’s estimation such metrics are artificial measures; they are attempts by an increasingly suspicious society to measure trust.

The next chapter turns its attention to Africa and examines the impact of foreign donor technology transference policies on the implementation of Information Communication Technologies (ICTs). The analysis includes a review of literature related to technology transference, as well as an examination of African research on digital records preservation. The goal is to determine the state of digital records understanding in Africa and to assess how prepared the African recordkeeping community is to develop systems and processes for the preservation of digital records.
