Every organization is liable for the information it keeps. In a data-driven world, company records and information are everywhere … in servers, in storage, on backup tapes, on individual PCs and stored offsite in a warehouse. These documents are archived in both digital and hard copy formats. Without a formal data retention policy that states how long to retain critical records, your company may be at risk of being penalized for failing to properly produce and preserve its data. If litigation arises against your organization, you will be required to produce all the relevant, requested data.
- If you have a data retention policy with documented retention periods for each type of record and information, collecting the requested data will be easier. You are unlikely to be held liable for records that were destroyed in the normal course of business after their retention period expired, provided no legal hold (for pending or reasonably anticipated litigation) was in place when they were destroyed.
- If you don’t have a data retention policy, it will be too late to create one once a request arrives. You will likely be held liable for being unable to produce the information the litigation request covers.
No organization wants to be caught off-guard. Here are some basics on how to build a data retention policy for your specific organization.
Know what information is important to keep … and what not to keep.
A record is defined as information capturing your organization’s business activities, functions, decisions and policies based on legal, regulatory, fiscal or operational requirements. These records should be retained based on an organization’s data retention schedule. Examples of records include:
- Policy records
- Contracts and selling agreements
- Financial and accounting transactions
- Project documents
- Business correspondence
- Policy and procedure manuals
- Product-related information, research and patents
Transitory information has only short-term value and is not required to meet operational or regulatory obligations. It should be retained only for the life of the project or business activity that produced it. Examples of transitory information include:
- Working drafts
- Copies or duplicates
- Reference materials (supporting documents, agendas and meeting minutes, personal notes)
- Outdated templates (forms, letters, checklists, etc.)
- Information pulled from a public source
- Routine correspondence
Develop a Data Retention Schedule
A data retention schedule shows the length of time your organization needs to retain specific records based on legal, regulatory or operational need. Some retention periods are predefined by regulation: Sarbanes-Oxley (SOX), privacy laws governing personally identifiable information (PII), the Personal Information Protection and Electronic Documents Act (PIPEDA), the Personal Health Information Protection Act (PHIPA) and the Health Insurance Portability and Accountability Act (HIPAA), to name a few. For example, many schedules keep employee records for at least 7 years. Hospital medical records must be kept for at least 5 years (Medicare Conditions of Participation), and OSHA requires employee exposure and medical records to be kept for the duration of employment plus 30 years. HIPAA requires the documentation it mandates (policies, procedures and related records) to be retained for 6 years from the date it was created or the date it was last in effect, whichever is later. State and federal laws will vary, so confirm each period against the rules that apply to you. As you build your retention schedule chart, you may discover it becomes quite lengthy, outlining critical records and retention periods for each department. Every employee will be required to adhere to the recordkeeping timeline for the entire lifecycle of the records. Records should never be destroyed before the stated retention period ends, and never while a legal hold applies, even if the period has expired.
Regularly Track and Destroy Old Records
Storing records is costly, especially for those stored offsite in warehouses or archived on backup media in data centers. Data retention policies can greatly reduce storage and infrastructure costs by restricting the amount of data retained. It’s important to know what records are being stored, how to find them and when they expire under your retention schedule. Thousands of dollars can be saved annually by regularly identifying and purging expired records in storage. Guidelines on how to properly destroy expired records (paper and digital), and how to log each destruction so it can be shown to have happened in the normal course of business, should be well documented.
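The following Python script is an added example, not code from the original article or any records-management product. It shows how a retention schedule can be applied mechanically at review time: each record is classified as destroy, retain, hold or review, records under legal hold are never destroyed even after their period expires, records whose category is missing from the schedule are flagged for review rather than guessed at, and every destruction produces a log entry. The schedule values, category names and sample records are constructed for illustration only; a real run would load your organization’s own schedule and inventory.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# Constructed, illustrative retention schedule in years per record category.
# These are NOT authoritative periods; substitute the values from your own schedule.
RETENTION_SCHEDULE: Dict[str, int] = {
    "financial": 7,
    "employee": 7,
    "hospital_medical": 5,
    "hipaa_documentation": 6,
}


@dataclass
class Record:
    record_id: str
    category: str
    created: date
    last_in_effect: Optional[date] = None  # for policies/procedures with an effective period
    legal_hold: bool = False               # set while litigation or an audit is pending


def add_years(d: date, years: int) -> date:
    """Advance a date by whole years, clamping 29 Feb to 28 Feb in non-leap years."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def retention_end(record: Record, schedule: Dict[str, int]) -> Optional[date]:
    """Date on which the record becomes eligible for destruction, or None if
    the schedule has no period for its category (never guess a period)."""
    years = schedule.get(record.category)
    if years is None:
        return None
    # Clock starts at the later of creation and last-in-effect date, the
    # same rule HIPAA uses for its required documentation.
    start = record.created
    if record.last_in_effect and record.last_in_effect > start:
        start = record.last_in_effect
    return add_years(start, years)


def classify(records: List[Record], schedule: Dict[str, int], today: date
             ) -> Tuple[Dict[str, List[str]], List[Dict[str, str]]]:
    """Sort records into destroy/retain/hold/review and build a destruction log."""
    result: Dict[str, List[str]] = {"destroy": [], "retain": [], "hold": [], "review": []}
    log: List[Dict[str, str]] = []
    for r in records:
        end = retention_end(r, schedule)
        if end is None:
            result["review"].append(r.record_id)      # unknown category: a human decides
        elif r.legal_hold:
            result["hold"].append(r.record_id)        # expired or not, a hold blocks destruction
        elif today >= end:
            result["destroy"].append(r.record_id)
            log.append({"record_id": r.record_id, "category": r.category,
                        "created": r.created.isoformat(),
                        "retention_end": end.isoformat(),
                        "destroyed_on": today.isoformat()})
        else:
            result["retain"].append(r.record_id)      # period still running
    return result, log


# Constructed sample inventory; the dates and IDs are made up for the example.
TODAY = date(2024, 1, 15)
SAMPLE_RECORDS = [
    Record("FIN-001", "financial", date(2015, 3, 1)),                      # expired
    Record("FIN-002", "financial", date(2019, 6, 30)),                     # still running
    Record("EMP-007", "employee", date(2014, 1, 1), legal_hold=True),      # expired but held
    Record("HIPAA-1", "hipaa_documentation", date(2010, 1, 1),
           last_in_effect=date(2019, 12, 31)),                             # clock restarts
    Record("HOSP-3", "hospital_medical", date(2018, 5, 20)),               # expired
    Record("MISC-9", "unknown_category", date(2012, 9, 9)),                # no period defined
]


def audit_sample() -> Tuple[Dict[str, List[str]], List[Dict[str, str]]]:
    return classify(SAMPLE_RECORDS, RETENTION_SCHEDULE, TODAY)


if __name__ == "__main__":
    outcome, destruction_log = audit_sample()
    for bucket, ids in outcome.items():
        print(f"{bucket:8s}: {', '.join(ids) or '-'}")
    for entry in destruction_log:
        print("destroyed:", entry)
```

Two design points matter here. The legal-hold check comes before the expiry check, so a hold always wins; and a category absent from the schedule is routed to review instead of being assigned a default period, because a record destroyed under a guessed period is exactly the case the article warns about. The destruction log is the evidence that a missing record was purged on schedule rather than hidden.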
Other Considerations …
Your data retention policy might also cover common situational circumstances.
- Do you have requirements covering retention for information moving to new systems, such as the cloud?
- Are there different requirements for information stored in a public cloud versus private cloud? Onsite versus offsite with a managed service provider?
- How is data retained during business transformation, such as mergers, acquisitions or divestitures?
- What happens during layoffs when there is no longer a repository owner? Are there tasks for terminated employees to complete before they leave?
- Do you have trained personnel assigned in each department to manage and enforce data retention? Users should not be left to decide on their own what records or emails should be deleted at random without direction or data retention policy guidelines.
A good data retention policy shows readiness on your part to practice sound records management so that you can comply with regulatory requirements and avoid litigation risks. As stated in The Seven Deadly Sins of Records Retention, the last thing you want is to give the impression that you are hiding something if a record cannot be retrieved. Guidelines are critical in instructing employees how to retain and destroy records. But just as vital is leveraging innovative technology to make your job easier. Many organizations today are turning to managed IT services to obtain cloud storage, data backup and disaster recovery solutions. These services feature archive, search and discover capabilities that can simplify retrieving information when and where you need it.