Records management policy was once treated as an administrative function. Now, it sits at the center of governance, compliance, and public trust. 

For secretaries of state, the stakes are *particularly* high. 

Weak or outdated records policy

• Creates legal exposure
• Delays responses to public records requests
• Undermines the transparency commitments that define your office

This article walks through what a modern records management policy must cover, where state agencies often fall short, and how policy design, ownership, and execution directly affect your ability to respond to audits and litigation. 

Why Records Management Policy Matters More than Ever

The volume of records your office manages has increased, but the infrastructure built for “paper workflows” is unable to keep pace. 

Email threads, shared drives, cloud collaboration tools, and interagency platforms generate thousands of records daily. 

Each one falls under the purview of public records law. 

As digital records continue to grow, expectations for transparency have risen alongside them.

Public records requests move quickly, and response timelines have shortened. Journalists, advocacy groups, and residents often expect answers in days rather than weeks. When responses take longer, it can raise questions about process and consistency.

At the same time, records practices face attention from many directions. Auditors look for evidence of compliance. Courts review records decisions during litigation. Legislatures ask detailed questions about transparency and accountability. Advocacy groups publish comparisons and scorecards. Each group applies a different lens, but they share a common expectation: that your office can find records, produce them when required, and clearly explain how decisions were made.

For a secretary of state, this responsibility carries additional weight. You serve as both the custodian of records and a standard-setter for agencies, boards, and commissions. When records policy breaks down, the impact is visible: not just internally, but to the public you serve.

Many Secretaries of State are tackling these challenges head-on. For example, the Montana Secretary of State modernized its Administrative Code management with Esper, creating a single, digital source of truth for all rules and dramatically improving transparency for citizens and agencies alike.

Here’s what matters most: Records failures are rarely caused by bad intent. They are caused by unclear policy and inconsistent execution.

Records Law vs. Records Management Policy

Statutes and retention schedules define what you must do. They establish legal obligations and set minimum retention periods for categories of records. 

They tell you that election records must be kept for 22 months, that meeting minutes require permanent retention, and that certain correspondence can be disposed of after three years.

What they don’t do is explain how staff should manage records day to day. 

They do not assign clear ownership when a record spans multiple divisions. They do not provide guidance when a new collaboration platform launches or when records exist across email, shared drives, and third-party systems. All that is the role of records management policy. 

Policy translates law into operational rules. It defines what counts as a record in your environment, where records must live, who is responsible at each stage of the lifecycle, and how compliance is tracked and proven. 

Common Records Management Policy Gaps in State Government

The policy says “file in the designated folder” but does not address whether that means a physical cabinet, a shared drive, a cloud platform… or all three? 

Staff interpret the same rule differently because the rule was not written for the tools they use.

Multiple systems claim to be the “system of record” with no clear hierarchy. Election data lives in one database, correspondence in email, meeting materials in a shared drive, and policy documents in a content management system. When a public records request arrives, no one knows which system to search first or how to confirm completeness.

Retention schedules exist, but agencies keep them separate from operational guidance. Staff know they must retain records for a set period, but they don’t know how to classify a record, when the retention clock starts, or who authorizes disposal. The schedule never connects to the workflow.

Application of policy is inconsistent across divisions or boards. One division interprets “transitory records” one way; another division interprets it differently. No one confirms staff understanding, tracks acknowledgments, or proves compliance during audits.

These gaps create direct risk for secretaries of state. 

• Public records responses are missed or delayed because no one knows where to look. 
• Litigation holds are incomplete because staff were never trained on the process.
• Over-retention increases exposure because no one feels authorized to dispose of records. 

When auditors ask who approved a policy update, when it was published, or who acknowledged it, the answer is often silence.

Modern Records Management Policy Needs

A modern records management policy must be specific enough to guide daily decisions and flexible enough to adapt to new systems. 

In practice, that looks like:

• Clear scope and definitions
• Ownership and accountability 
• Lifecycle guidance
• Alignment with retention schedules
• Documentation and proof

Clear scope and definitions

Start by defining what qualifies as a record in your environment. Include email, drafts, text messages, data exports, and content created in collaboration platforms. Be explicit about what does not qualify — these could be personal messages, duplicate copies kept for convenience, and transitory scheduling notes. Address hybrid records that exist in multiple formats or systems. Staff need to know whether the authoritative version is the PDF, the database entry, or both.

Ownership and accountability

Assign responsibility at the agency level, division level, and role level. Specify who is accountable for ensuring records are captured, who classifies them, and who authorizes disposition. Provide escalation paths for uncertainty. When a record spans multiple divisions or involves a new system, staff need to know who makes the call.

Lifecycle guidance

Walk through each stage of the records lifecycle. Explain how records are created and captured, how they are classified and stored, how retention periods are applied, and how disposition occurs. Include guidance on legal holds and exceptions. Policy should answer the question: What do I do with this record right now?

Alignment with retention schedules

Show how policy operationalizes the approved retention schedules. If the schedule says “retain for three years,” the policy explains when the clock starts, where the record must live, and who confirms the retention period has been met. Describe how schedule updates are communicated and enforced across divisions.

Documentation and proof

Require acknowledgments from staff who handle records. Maintain version control so you can show which policy was in effect at any given time. Keep audit-ready records of compliance, including who acknowledged the policy, when it was updated, and who approved the changes.

Tick all these boxes, and you’ll be left with a records management policy which is not only comprehensive, but flexible. 

But, Policy Alone Isn’t Enough

We don’t need a crystal ball to predict that operational challenges will follow even the best-written policy.

Certain scenarios are recurring:

• Staff turnover means new employees start without records training, and no one confirms they have read the policy. 
• Decentralized agencies interpret the same policy differently because there is no shared understanding of what compliance looks like. 
• Manual tracking of attestations means someone maintains a spreadsheet that is always six months out of date. 
• Policy updates are published but never reach the field, so half the organization operates under old rules while the other half follows new ones.

This is the reality for secretaries of state. 

You may set statewide standards, but agencies, boards, and commissions execute them. You can write the clearest policy in the country, but if there is no shared infrastructure to distribute it, track acknowledgments, and prove compliance, consistency is impossible.

Execution is where records policy succeeds or fails. 

To Execute Policy Smoothly, Build Consistency Across Agencies and Offices

Consistency starts with governance, not technology, as you might guess. The first step is establishing a single system of record for policies and procedures. Staff need to know where to find the current version of a policy, and they need to trust that what they find is authoritative. 

Some steps you can take today:

Standardize the structure of your policies, the review cycles that keep them current, and the approval workflows that ensure accountability. When every agency follows the same structure, policies become easier to write, easier to read, and easier to enforce. 

Require documented acknowledgment by staff. A policy is only effective if people know it exists and understand their responsibilities under it. Acknowledgments create a record of who has been trained and who needs follow-up.

Use metrics to answer the questions auditors will ask. Who is compliant? Where are the gaps? What needs follow-up before an audit? These are the questions that determine whether your records program can withstand scrutiny.

As secretary of state, you have the authority to set statewide standards. Use that authority to support agencies with shared tools and guidance. 

Preparing for Audits, Public Records Requests, and Litigation

Auditors and courts ask three main questions:

• Show us your current policy.
• Prove that staff were aware of it. 
• Provide evidence that it was applied consistently. 

In the court, intent doesn’t matter as much as documentation does. You cannot defend a records decision by saying staff meant to follow policy. You defend it by showing they did.

Modern records policy shortens response times by eliminating the scramble. Public records requests are easier to handle because staff know where to look, what qualifies as responsive, and who has authority to release information.

Legal holds are not improvised during litigation. The process is already documented, and staff have been trained to follow it. During an audit, approvals are easy to produce because the workflow, authorization, and acknowledgment are already in place.

Documented workflows matter more than intent because workflows create proof. A well-meaning staff member who deletes records too early creates liability. A documented workflow that shows the deletion was authorized, scheduled, and executed according to policy creates defensibility.

Audit readiness is a byproduct of good policy management, not a separate project. When policy is clear, centralized, and supported by documented acknowledgments, you are already prepared. 

The work of compliance and the work of audit readiness are the same work.

A Practical Path to Modernizing Records Management Policy

Modernizing records management policy doesn’t require rewriting statute or overhauling every system at once. Start with what you have and make it clearer, more consistent, and more accountable.

Step 1: Take inventory of existing records-related policies across your office and the agencies you oversee. 

Collect everything: formal policies, procedural memos, training materials, and retention schedules. Identify overlaps where multiple documents address the same topic, gaps where critical guidance is missing, and outdated language that references systems or workflows no longer in use.

Step 2: Clarify ownership and lifecycle rules.

Assign responsibility for each stage of the records lifecycle and state those assignments explicitly in policy. Make sure staff know who decides whether something is a record, where it belongs, and who authorizes its disposition.

Step 3: Centralize policies in one authoritative location. 

Eliminate version confusion by ensuring there is only one place to find the current policy. Track acknowledgments so you know who has read and understood the policy. Track updates so you can prove which version was in effect at any point in time.

Review policies annually or after major statutory changes. Records law evolves; your policy should evolve with it.

You really don’t need to boil the ocean: start with clarity and accountability, and the rest will follow.

Where Systems of Record Fit

Policy modernization requires infrastructure that supports the work: 

• One authoritative source for policies, real-time collaboration across divisions and agencies, and built-in proof of compliance. 
• Manual tracking through spreadsheets and shared drives introduces risk and delays. 
• Purpose-built policy systems reduce that risk by automating acknowledgments, version control, and audit trails.

This becomes especially valuable for secretaries of state coordinating across many agencies, boards, and commissions. When multiple entities need access to the same policies, interpret them consistently, and prove compliance on different timelines, shared infrastructure eliminates duplicative effort and reduces the chance of inconsistent application.

A policy system doesn’t replace clear policy. It provides the infrastructure that delivers policy to the people who need it, keeps it current as circumstances change, and produces the documentation auditors and courts require.

The goal isn’t technology for its own sake. The goal is defensible, auditable, and consistent records management across government.

What to Do Next

If you’re responsible for statewide records standards, start by asking three questions. Can you prove compliance today? Do agencies interpret policy the same way? Would you be comfortable defending your records practices in an audit or court?

If the answer to any of these questions is no, you are not alone. Modern records management policy is achievable without disruption. It doesn’t require new legislation, wholesale system replacement, or years of planning.

If you want to benchmark your current records management approach or identify gaps, a structured policy readiness review is a practical starting point. It gives you clarity on where you stand and a roadmap for what comes next.