Trustworthy Repositories Audit & Certification

Trustworthy Repositories Audit & Certification (TRAC) is a document describing the metrics of an OAIS-compliant digital repository that developed from work done by the OCLC/RLG Programs and National Archives and Records Administration (NARA) task force initiative.

The TRAC checklist is an Auditing tool to assess the reliability, commitment and readiness of institutions to assume long-term preservation responsibilities. Currently the repository is under the care of the CRL who are utilizing it in several independent projects. The TRAC checklist was superseded in 2012 by the ISO 16363, known as the Trusted Digital Repository (TDR) Checklist.

History
In 1996 the Consultative Committee for Space Data Systems established a task force that developed OAIS, a high-level model for the operation of archives. OAIS was accepted as ISO 14721 in 2002. The original task force stated that an independent auditing method was necessary to certify OAIS-compliance and thus engender trust. However, despite the lack of certified auditors and auditing metrics, repositories were already implementing OAIS concepts and labeling themselves OAIS-compliant.

Development of OAIS auditing metrics began in 2003. A joint task force of OCLC/RLG and NARA built upon a previous OCLC/RLG project, Trusted Digital Repositories: Attributes and Responsibilities, and wrote the metrics collectively known as Trustworthy Repositories Audit & Certification (TRAC). After the publication of TRAC in 2007, CRL was given the responsibility to carry out test audits using the metrics.

TRAC is the basis of the Trusted Digital Repository (TDR) document that was accepted as ISO 16363 in 2012.

Process
The TRAC metrics are split into three subject groups:
 * Organizational Infrastructure - the repository's administrative, staffing, financial, and legal functions
 * Digital Object Management - the handling of digital objects from ingest to access
 * Technology, Technical Infrastructure, and Security - the technology used to handle ingested objects

A TRAC audit consists of a repository completing the TRAC checklist by citing they fulfill each metric. Metrics can be fulfilled by citing relevant documentation, typical practice, or a combination of both. The TRAC auditors then examine this self-audit. After an on-site visit to discuss any concerns with the provided evidence, the auditors grade the repository on a scale of 1 to 5 for each of the three subject groups.

To retain certification, repositories meet with the auditors within 18 to 24 months for a consultation. After 4 years, the certification expires and the repository must begin a new audit.

Trustworthiness as concept
The concept of trust underpins the relationship between repositories and their users. The development of the OAIS model (Open Archival Information System) was accompanied by a demand for assurance that repositories claiming to use OAIS actually adhere to those standards; that is, a demand for trustworthiness. The team behind TRAC, led by Robin Dale and Bruce Ambacher, conceived of the trustworthiness of the TRAC-certified repositories as not only providing for well-sourced and well-formatted records and metadata, but transparent managerial procedures and sustainable, long-term structural support. The TRAC creators conceived of four core principles that underpin the checklist's criteria for a trusted digital repository (TDR): documentation (evidence), transparency, adequacy and measurability.

TRAC expanded upon the previous definition of a TDR that had been developed from the seminal 1996 PDI report that first called for audit and certification of digital repositories. It selectively drew upon models such as Germany's nestor, RLG and OCLC's original TDR description and the Cornell model for Trusted Digital Repository Attributes. According to Elizabeth Yakel, Ixchel Faniel, Adam Kriesberg and Ayoung Yoon, it still overlooked key factors in perceived trustworthiness. They demonstrated that understandings of trustworthiness vary across disciplines, and the 2007 TRAC checklist did not address or fully weigh the impact of differences within designated communities in perceptions of trust. Another key conclusion of their study was there is a difference between users' trust in data and their trust in repositories. Further research by Yoon identified a strong correlation between TRAC's first two metrics (organizational infrastructure and digital object management) and user trust of repositories, but little user interest in the third metric (technical infrastructure and security). Drawing on previous work on TRAC, Yoon identified a "lack of deception" as the key feature in establishing trust in both sources and repositories. In 2012, ISO 16363 expanded upon and superseded the 2007 TRAC checklist by adding more detailed criteria, as well as providing a new standard for bodies seeking to be certified to perform certification.

Alternatives
TRAC is not the only certification system to assess the trustworthiness of a digital information system. Other systems include:
 * DSA (Data Seal of Approval) (Netherlands)
 * nestorSEAL (Germany)
 * ISO 16363 (CRL, CCSDS and PTAB) (note that this is the successor to TRAC)

Because of the time and resources required by the certification process, information professionals have also developed other models for trustworthiness assessment of digital repositories. These include:
 * DRAMBORA (DPE)
 * DPCMM (Digital Preservation Capability Maturity Model) by Dollar and Ashley
 * Levels of Preservation (National Digital Stewardship Alliance—NDSA)
 * Scoremodel

Implementation and impact
The CRL lays out and oversees the TRAC metrics. To date, CRL has certified six repositories according to criteria set out in the TRAC checklist. However, its influence has spread far beyond CRL-certified repositories since TRAC is commonly used as a self-auditing tool, such as at the University of North Texas and Cornell University. TRAC's successor, ISO 16363, also provides the basis of the services provided by the Primary Trustworthy Digital Repository Authorization Body (PTAB), a private sector agency providing outside auditing services. The first certification of a repository by PTAB was for the Indira Gandhi National Centre for the Arts, completed in January 2018. Beyond these direct successors, TRAC remains among the most influential resource for independent systems of self-audit and assessment.