Enterprise Users Should Not Be Records Managers

I found J. Timothy Sprehe's FCW article Seeking the records decider interesting. The whole article is worth reading, and it's short, but I'll post some excerpts to get the point across:

Like everyone else — including NARA — GAO assumes and accepts that employees will decide whether e-mail messages are federal records. It is fundamentally wrong to lodge decision-making for records management at the desktop PC level. It means the agency has as many records managers as it has e-mail users — a patent absurdity.

Managing e-mail at the desktop level is failing everywhere...

Records management works best when it happens in the background in a way that is transparent to employees...

Conventional wisdom says the technology for making e-mail management decisions at the software or server level is not yet mature. In my judgment, that mindset demonstrates a lack of imagination and an unwillingness to tackle old questions in new ways...

The Air Force is moving even further with the implementation of its enterprise information management strategy. Using proven commercial products, the Air Force is investing heavily in automated metadata extraction for all information objects, including e-mail messages, and populating an enterprisewide metadata registry. Air Force officials believe they can construct a rules engine that will use the detailed metadata to automate records management decisions, including retention and disposition schedules. Desktop PC users will see none of that.

Another beauty of the Air Force strategy is that it holds the promise of supplying an enterprisewide solution for e-discovery, which involves providing electronic documents for evidence in legal cases...

Agencies will never train their senior officials — let alone every rank-and-file user — to make well-informed decisions about e-mail records management. Why not accept that fact and experiment with new approaches that really work?

I agree with that sentiment. What's better, an automated system whose rules can be explained, tested, and agreed upon, or a policy that relies on interpretation and implementation by users?

This article reinforces one of the great recent security insights of our time, by Nitesh Dhanjani:

The job of information security is to make it harder for people to do wrong things.

Automatic background patch installation, automatic background backups and archiving, and related unobtrusive yet effective measures are the way forward. Users neither care nor are equipped to defend themselves, and they really shouldn't have to worry about being security experts.

Can anyone comment on the Air Force's approach?