Need for a Modern, Compliant and Executable Records Retention Schedule
Records retention schedules are important. They define and organize an organization's legal and regulatory retention obligations. More important, their implementation drives larger downstream compliance, privacy, discovery, disposition and employee productivity efforts.
Traditionally, records retention schedules were designed for the retention and disposition of paper records. Much of record retention schedule implementation consisted of sorting the paper documents into offsite storage boxes. Yet during the past few decades the world of information management has changed as organizations and employees have transitioned from paper to email, files and other types of electronic communications. Companies are realizing that these traditional, paper-centric approaches do not work with electronic information. This has created a significant gap between what is called for in policies and what information is actually being retained and disposed.
These traditional approaches fall short in many ways:
- They are outdated, with an emphasis on paper records management, to the exclusion of the majority of records that are created or received in electronic media.
- They focus only on records with legal or regulatory requirements, with little attention given to records with business need or business value.
- Historically the emphasis has been on creating longer and complex schedules. Some schedules have thousands of lines encompassing every single record in the organization. The misconception was that a longer schedule was more compliant. These detailed schedules are difficult and time consuming for employees to follow.
- Often there has been a heavy emphasis on creating a detailed policy itself, with little consideration of how the policy will be executed.
The result of the above approaches is that companies do not follow their own records retention policy. Both paper and electronic storage requirements and costs spiral out of control, employee productivity declines, collaboration is harder, and the cost of discovery soars. It has often been assumed that merely having a records retention policy and schedule will automatically place an organization in compliance with its records management obligations. However, as many organizations are learning, a more modern and effective approach is needed.
Ten Attributes of a Modern, Compliant and Executable Records Retention Schedule
At the highest level, a good records retention schedule provides the foundation for an effective records management and Information Governance program. But what makes a records retention schedule good? Through our creation, refresh and execution of hundreds of records retention schedules over the years we have identified common attributes:
1. The Basics: Address Current Legal and Regulatory Requirements
Does your retention policy and schedule follow all the rules? An immature retention schedule does not consider the rules, may be outdated, does not provide the legal basis for retention periods and/or does not mandate disposition of expired information. A compliant schedule should address current legal and regulatory requirements as well as any industry-specific regulations. For global companies, the most mature schedules include country-specific retention requirements.
2. Covering All Types of Records
Does your schedule cover all of the records in the organization? Companies often try to take short-cuts by copying from industry templates or sample schedules that purport to include all records a company in that industry should have. These types of schedules really do your organization a disservice because even though you may be in a similar industry, your organization has unique qualities that other companies in your industry may not share. A good schedule identifies all record types within the organization - from the common, such as payroll records, to the atypical or unique, such as the running shoes one sportswear company retained as records.
3. Span Records Across All Media
Records exist across all types of media. While records programs have historically focused on paper-based records, today more than 90% of all records are created or sourced in electronic or digital format, including files, email, databases, instant messages and even tweets. Many records, for example, exist exclusively in email. Records should be classified on their content, not on their medium. Schedules should avoid declaring, for example, that email should be retained for two years, as email may contain many record types with varying retention periods. Effective programs take a media-agnostic approach and look for records across all types of media.
4. Good Schedules Are Clear and Prescriptive
Policies and Schedules are developed to be followed by employees. It makes sense that they should be written to be understandable and avoid esoteric legal descriptions or hard-to-understand acronyms. Good schedules should be clear and prescriptive, and it is ok to include a listing of a number of examples. They should clearly define "What is a Record?" and "What is not a Record?" Legal jargon does not make a schedule more compliant. Having employees understand and follow it does.
5. Include both Big "R" and Little "r" record types
Many records are determined based on regulatory or legal requirements. These can be referred to as "Records" - with a capital "R." Another category is "records" - with a lower-case "r" - information that has business value but for which there is no external mandate to keep. Effective schedules focus both on "big R" and "little r" records.
6. Build a consensus with business units
A schedule should not be a policy club to be wielded against the business units to demand they delete non-records. Rather, an effective schedule represents a consensus across multiple stakeholders and groups on what data and documents need to be retained for legal and regulatory requirements, while also addressing business value. Development of the policy and schedule is in some respects a consensus-building process, finding the balance between retaining the minimum necessary to satisfy legal requirements and employees' nature to want to save everything. Time spent achieving this consensus early, in the policy development phase, saves tremendous time and effort on the downstream classification and disposition work.
7. Make it usable for any given employee
The most practical schedules use a format that is easy to read and organized in a way that all employees can follow. Often a usable schedule follows a "Big Bucket" approach, with a small number of record categories, rather than a "Small Bucket" approach, with hundreds or even thousands of record line items. The key is finding a balance: being somewhat prescriptive while, perhaps more important, developing an approach employees will follow. This approach typically produces a more concise schedule that may list records in groups instead of expounding each type in great detail.
8. Make sure it plays well with Privacy, eDiscovery and other compliance frameworks
A mature retention policy and schedule should be integrated into an overall Information Governance program, which includes data classification, privacy, collaboration and litigation readiness. A well-designed schedule should be a useful input into all these functions. The data classification and privacy components of your Information Governance program should leverage the schedule to identify what types of records exist and whether they contain confidential information, personally identifiable information and/or intellectual property that needs to be protected.
9. Train, Implement, Audit, Adjust. Repeat.
Both a retention policy and schedule must be defensible should they be challenged in court or by regulators. Once a schedule is developed and implemented, employees' adherence to it should be audited across the organization. This may reveal weaknesses in the implementation. Don't fear this type of audit result. Rather, document that these weaknesses were identified and subsequently rectified. Continue the process. The courts and regulators do not expect perfection. Rather they understand that records management is an inherently imperfect process, and compliance is not just a policy, but an ongoing process.
10. Keep it a Living Policy
A schedule is a living, breathing document that must be periodically reviewed and updated. New record types are created, old record types become obsolete, legal retention periods are added or changed, and companies grow (or shrink) through acquisition (or divestiture). Sometimes retention periods that seemed reasonable during policy creation are found to be either too short or too long. Schedules need to be updated to reflect these changes and should be refreshed every twelve to eighteen months. Even if regulations change monthly, unless you are willing to change your implementation process every month as well (and be ready to demonstrate that you have done so), keep track of changes, but update and republish on this twelve to eighteen-month timeframe. Very few regulatory changes require implementation more quickly than that. Conversely, do not let the schedule go unrefreshed for three or four years or longer. After that length of time it is likely to be fairly out of date, both in terms of what types of records you have and in some of the regulatory retention periods.
Additional content on this topic is available in the InfoPAKs "Creating a Modern, Compliant and Easier-to-execute Records Retention Schedules" and "Information Governance Primer for In-house Counsel" and at www.contoural.com.
Contoural is the largest independent provider of strategic Information Governance consulting services. We work with more than 30% of the Fortune 500, and numerous mid-sized and small companies, and provide services across the globe. We are subject matter experts in Information Governance, including traditional records and information management, litigation preparedness/regulatory inquiry, information privacy and the control of sensitive information, combining the understanding of business, legal and compliance objectives, along with operational and infrastructure thresholds, to develop and execute programs that are appropriately sized, practical and "real-world". Contoural is a sponsor of ACC's Information Governance Committee and also a sponsor of ACC's Legal Operations Committee Records Management toolkit. More information is available at www.contoural.com.