March 27, 2023

CS Professional: Secretarial Audit, Compliance Management and Due Diligence [Ch-3 Documentation and Record Maintenance]

CS's primary responsibility:

  1. prepare & maintain secretarial, critical corporate and other records -- what and how?
  2. ensure confidentiality, and check whether any further action is required or whether there are conflicts/violations.
  3. storing/maintaining/retrieving/certifying/retaining/overseeing/advising and explaining.

DOCUMENTATION PURPOSES


Guiding Principles for Good Documentation (docs): Clear; Concise; Complete; Contemporary; Consecutive; Correct; Comprehensive; Collaborative; Client-Centric; Confidential.
  • records completed when activity completed
  • superseded documents retained for longer
  • concise, legible, accurate and traceable
  • picture is worth 1000 words
  • clear examples
  • no assumptions

ELECTRONIC REPOSITORY

  1. doc mgmt.=storing/managing and tracking through an electronic/physical source of docs of paper based info captured by a scanner.
  2. Doc Mgmt System (DMS) works by using a computer software
  3. ADVANTAGES
    • tracking
    • locking/unlocking
    • editing
    • version control
    • rollback/retrieve options
    • easy audit trail
    • annotation/stamps
    • cost/labor effective
    • searchability
    • portability
  4. DISADVANTAGES
    • software risk
    • format risk
    • reliability/access
    • misplacement/deletion

Section 120 of the Companies Act, 2013 read with Rule 27 & 28 of Companies (Management and Administration) Rules, 2014

  • provides for inspection/maintenance in electronic form
  • Rule 27 provides that every listed co. having 1000 or more shareholders, debenture holders and other security holders may maintain records in electronic form.
  • Section 2(36) defines "document"
  • records maintained in electronic form as the Board thinks fit and:
    1. provided in act & rules
    2. adequately recorded
    3. readable, retrievable & reproducible
    4. capable of being dated & signed digitally
    5. not capable of being edited or altered once finalized
    6. capable of recording every update
  • Rule 28 -- Security
    • MD/CS/other person as appointed by the Board is responsible for:
      • adequate protection/validation/reproduction
      • ensure against loss
      • the signatory doesn't repudiate the signed records
      • systems can discern invalid & altered records
      • accurate, accessible, authentic, complete & reproducible
      • non-writable & non-erasable
      • ensure at least 1 backup with authentication & dates
      • limit access
      • arrange & index permitting easy location, access and retrieval
      • ensure security, integrity & confidentiality

PHYSICAL REPOSITORY

central place where data is stored & maintained and location which is directly accessible to the user without having to travel across a network.

CODING & NOMENCLATURE

  1. naming: adopt a good file naming convention and ensure that files work with different operating systems.
  2. DESCRIPTIVE FILE NAMES: small, well-defined project with existing identification schemes with less index and sorting errors.
  3. NON-DESCRIPTIVE FILE NAMES: system-generated/system-based, sequential, numerical string & for large scale digitization projects and may employ digital ID number with less chance of repeated/non-unique file names within a data structure.
  4. BASIC RULES
    • avoiding extra long/complex folder names and instead use info-rich filename
    • put sufficient elements for easy retrieval
    • use ( _ /-) as delimiter instead of spaces/special symbols
    • capitalize the first letter of each element
    • ordered from general to specific
    • order of importance rule
    • family names first
    • abbreviate whenever possible
    • version control=v followed by 2 digits placed at last to distinguish between versions
    • prefix name of pertinent sub-folders to shared files
  5. imp. case law=14.07.2020//Arjun Panditrao Khotkar vs. Kailash Kushanrao Gorantayal and Ors.//Supreme Court of India

DOCUMENTS CIRCULATION

control issuance such as instructions, procedures and drawings including changes thereto affecting quality. reviewed for adequacy and approved for release and used @ prescribed activity's location. reviewed by the same authority as the original.

RECORDS SAFETY/RETRIEVAL

  1. Operating Logs: names of people working on the document
  2. Reviews Results: record suggested changes and rejection basis
  3. Inspections: individuals having access/inspection rights
  4. easy Monitoring Work Performance to whom files are shared.
  5. ease in Info Analytics and File Tracking
    • consistent with applicable regulatory requirements
    • protection for both administration and evidential
    • professional approach for record caring
      • keeping together according to original order
      • ensure life cycles so long as they have continuing value as archives
        • current phase
        • semi-current phase
        • non-current phase
    • record preservation: enhance/prolong/storage/handle usable life
      • Regulation 9 for SEBI (LODR) 2015 depending upon
        • permanent
        • not less than 8 years after transaction completes
      • Regulation 30 (8)
        • website disclosures for minimum 5 years
        • policy statement relating to preservation and archival considering factors such as:
          • analysis/restructure existing systems
          • organize/control records
          • providing physical protection
          • manage in records centre
          • managing archives
          • supporting/sustaining program
      • litigation docs where co. is a party preserved/destroyed as per court/tribunal/judicial orders or else preserved for 8/more years of conclusion.

MODEL POLICY [Regulations 9 and 30(8)]

  1. employee's responsibility
  2. periodical review
  3. no disposal in case of litigation/claims
  4. as per any other statutory requirements
  5. web archival policy

SETTING UP A RECORD ROOM: at a convenient location and separate from other admin. units and large enough. accommodation must be secure & well-maintained. considering the following factors: humidity, temperature and light.

RECORD CONTROL/PRIVACY: personal/confidential info needs to be protected with protocols, firewalls and passwords and other security measures.

IDENTIFICATION/DESTRUCTION OF CONFIDENTIAL INFO
  • Customer/Employee info
  • office plans, IDs, and Internal Procedure Manuals
  • contracts/commercial documents and trade secrets

STEPS FOR PROTECTING CONFIDENTIAL INFO

Every organization should describe information and procedures to handle confidential info such as:
  1. All confidential documents should be stored in locked file cabinets or rooms accessible only to those authorized.
  2. All electronic confidential information should be protected via firewalls, encryption and passwords.
  3. Employees should clear their desks of any confidential information before going home.
  4. Employees should refrain from leaving confidential information visible on their computer monitors when they leave.
  5. All confidential information, whether contained on written documents or electronically, should be marked as “confidential.” All confidential information should be disposed of properly.
  6. Employees should refrain from discussing confidential information in public places.
  7. Employees should avoid using e-mail to transmit certain sensitive or controversial information.
  8. Limit the acquisition of confidential client data and restrict access on a “need-to-know” basis.
  9. Before disposing of an old computer, use software programs to wipe out the data.

PERSONAL DATA PROTECTION BILL, 2019

introduced in Lok Sabha by the Minister of Electronics & Info Tech, Mr. Ravi Shankar Prasad, on 11/12/2019 and established a data protection authority.
  • applied to personal data processed by
    • Govt.
    • co. incorporated in India
    • foreign co.
  • data fiduciary decides the means/purpose of processing personal data subject to a certain specific/lawful purpose, collection and storage limitations.
    • implementing security safeguards
    • grievance redressal mechanisms
    • age verification/parental consent for minors
  • individual rights
  • processing happens only if consent is provided and used if:
    • required by state
    • legal proceedings
    • respond to medical emergency
    • social intermediaries
  • data transfer outside India must be specifically consented to while being stored in India except for critical personal data.
  • CG can exempt agencies if satisfied of necessity or direct to provide info
  • OFFENCES
    • bill violation=fined with 15 crores/4% annual turnover; whichever is HIGHER.
    • failure to conduct data audit=5 crores/2% annual turnover; whichever HIGHER
    • without consent punishable with 3 years imprisonment/fine OR both
  • bill seeks to amend IT Act, 2000 to delete compensation provision that directs co. to pay for protection failure.
  • Expert Committee chaired by Mr. Kris Gopalakrishnan constituted by the Ministry of Electronics and Information Technology had published a draft report for public consultation. The Committee observed that non-personal data should be regulated to: (i) enable a data-sharing framework to tap the economic, social, and public value of such data, and (ii) address concerns of harm arising from the use of such data. Based on the feedback received from this consultation, the Committee released a revised version of the draft for public consultation in December 2020. A Draft Report by the Committee of Experts on Non-Personal Data Governance Framework was also published on 16.12.2020. 
    • Reference. https://static.mygov.in/rest/s3fs-public/mygov_160975438978977151.pdf https://prsindia.org/policy/report-summaries/revised-draft-non-personal-data-governance-framework 
