Almost any corporate outsourcing program will involve using and moving data and documents. Document centers, research groups, ediscovery, contract writing, accounting services, and many other services exchange MS Word, PowerPoint, Adobe Acrobat (PDF) or other digital documents that contain METADATA. Metadata is information that is stored in your documents, but is not visible under ordinary circumstances. This information can include names, initials, company name, other authors, deleted data, editing history, comments, hidden text, and other information. Some of this metadata may be highly confidential, or may be inappropriate to send out to an outsourced service. There may be legal consequences for metadata discovered by the opposing counsel in a legal case. Metadata may even expose information on proprietary internal processes. If you're going to outsource, you need to understand how to manage metadata.
A few years ago, the office of the Prime Minister of England published a dossier of documents on security organizations in Iraq. This dossier was later quoted by Colin Powell in a session of the United Nations. The dossier gave the impression of being data compiled by UK intelligence agencies; instead, it was plagiarized from two media articles and a paper from a college student. The dossier also altered elements of the original documents, perhaps changing the meaning of the original authors, for example by turning "aiding opposition groups" into "supporting terrorist organizations." How was this discovered? All this data, and more, including a listing of previous editors, was in the metadata of the dossier document, which was sent to the media.
If your outsourcing process involves the creation, reading, or editing of documents, you need to develop policies and processes to control what is kept in metadata. However, before you purge metadata you need to understand each piece of this data. For example, MS Word saves data from previous versions of a document so that you can track changes and undo previous edits. Once you turn off that feature, it's no longer a "safety net" for accidents. There are other methods for having the same protection (frequent saving, automatic saving features, preserving different versions, etc.). Make sure that you understand the impact of each option before you make changes to how your documents are managed. You also need to understand that there are three general methods for preventing metadata from being sent from your firm to an outside vendor:
Change Document Settings: There are a number of settings in each program that control the type of metadata that you save in your documents. These settings vary not just by program, but by version. How you change the settings and the extent of the data that is saved creates too many permutations to go through here. If you go to Microsoft or Adobe's website (or the website for any other application) you will find detailed information on what is saved and how to modify the settings. You need to determine which metadata, if any, should be kept and who is allowed to change these settings. Speak with your IT department about locking down controls on the computers in your group. You may also need to require specific settings on the computers used by your outsourced staff, to purge out metadata from previous versions. All of these settings should be on a master document so that your outsourcer can ensure that they are applying the right controls, not just on day one of your program, but on every day after that. If a new computer is rolled out six months later, you want to be sure that it follows the same rules. Consider how much emphasis you want to place on computer configurations in your annual audit of your outsourced center.
"Scrub" Documents: There are a number of tools available for cleaning metadata out of your documents. Microsoft provides several for its Word and PowerPoint applications. There are also third party applications that make the process a more automated, can work across different versions and document types, and can also scrub data from attachments in email. It can be very useful to add scrubbing of data as an additional last step before sending a document to your outsourced center. These applications can be used in conjunction with a policy of turning off metadata setting, as a final safety net.
Virtual Documents: A different approach is to use a virtual server, such as Citrix. When you use Citrix, it appears that the document you are working on is on your computer. In fact, only an image of the file and your keystrokes are being sent back and forth to the Citrix Server. The document, and the metadata, never go to your computer. Some metadata can still be seen by going to the various screens that control metadata. In this environment, those controls should be locked and unavailable for the average user. By never allowing the document to leave your firm you can limit access to metadata, or you can use this as an additional layer of control, alongside a metadata policy and metadata scrubbing tools.
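As an illustration of the "final safety net" check described under "Scrub" Documents, the following added example (not part of the original article and not taken from any vendor's tool) audits a Word .docx file for the kinds of metadata listed above before it is sent out. It assumes the Office Open XML (.docx) format; the function names audit_docx and build_sample_docx are hypothetical, and the sample document is constructed for the example.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

W = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
NS = {"w": W, "dc": "http://purl.org/dc/elements/1.1/",
      "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
      "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties"}
# (package part, path, report label): properties that name people or the firm
PROPERTIES = [("docProps/core.xml", "dc:creator", "author"),
              ("docProps/core.xml", "cp:lastModifiedBy", "last_editor"),
              ("docProps/app.xml", "ep:Company", "company")]
# markup that keeps edit history, comments and hidden text inside the file
MARKUP = [("word/document.xml", ".//w:ins", "tracked_insertions"),
          ("word/document.xml", ".//w:del", "tracked_deletions"),
          ("word/document.xml", ".//w:rPr/w:vanish", "hidden_text_runs"),
          ("word/comments.xml", ".//w:comment", "comments")]

def audit_docx(data):
    """Return the metadata found in .docx bytes; an empty dict means none found."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        roots = {n: ET.fromstring(zf.read(n)) for n in zf.namelist() if n.endswith(".xml")}
    for part, path, label in PROPERTIES:
        node = roots[part].find(path, NS) if part in roots else None
        if node is not None and node.text:
            found[label] = node.text
    for part, path, label in MARKUP:
        hits = roots[part].findall(path, NS) if part in roots else []
        if hits:
            found[label] = len(hits)
    deleted = [t.text for r in roots.values() for t in r.iter(f"{{{W}}}delText")]
    if deleted:  # text removed on screen but still stored in the file
        found["deleted_text"] = deleted
    return found

def build_sample_docx(scrubbed=False):
    """Constructed sample: only the parts the audit reads, not a complete Word file."""
    names = "" if scrubbed else ("<dc:creator>A. Partner</dc:creator>"
                                 "<cp:lastModifiedBy>J. Associate</cp:lastModifiedBy>")
    edits = "" if scrubbed else ('<w:del w:id="1" w:author="J. Associate"><w:r>'
                                 "<w:delText>$40,000</w:delText></w:r></w:del>"
                                 "<w:r><w:rPr><w:vanish/></w:rPr><w:t>internal</w:t></w:r>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docProps/core.xml", f'<cp:coreProperties xmlns:cp="{NS["cp"]}" '
                    f'xmlns:dc="{NS["dc"]}">{names}</cp:coreProperties>')
        zf.writestr("word/document.xml", f'<w:document xmlns:w="{W}"><w:body><w:p><w:r>'
                    f"<w:t>Fee: $55,000</w:t></w:r>{edits}</w:p></w:body></w:document>")
    return buf.getvalue()
```

A check like this can gate the hand-off step: a document goes to the outsourced center only when the audit returns an empty result, and anything it reports is reviewed or scrubbed first.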
More and more document types store metadata. Any document center outsourcing program needs to take metadata into consideration when work processes are developed. A well-designed process can protect your firm from accidental disclosure of proprietary, confidential and secure information. Once you understand how your documents store metadata, and why this data is (or isn't) needed, you can easily understand how to deal with metadata. Take a look, dig in and start lowering the risks to your operations!