Does your organisation have a data retention policy which ensures compliance with the various laws and regulations, and meets your businesses requirements? E RADAR's Will Roebuck discusses how to write a data retention policy
Imagine the scenario. During a staff meeting a colleague from the legal department alerts your IT team to the fact that one employee has recently filed a sexual harassment case against another.
An exchange of emails between the two employees and others may be crucial to the case.
What do you do? Since both plaintiff and defendant use electronic systems that you are administering, your assistance is required to produce the necessary evidence.
Making sure that you can disclose all relevant electronic documents to evidential standards is crucial to the case.
This is called ediscovery.
The challenge of retaining records
Both employees will need all the electronic documents owned or edited by staff regardless of where that data may be stored. This includes all forms of electronic information including email messages sent and received. Backup tapes must be checked as well.
Since this is an active case, you can no longer delete any electronic information that could potentially be relevant to this case since it may be requested for evidence as well. You may no longer be able to recycle backup tapes or clean up disk space until the case is over. Failure to preserve potential evidence could result in sanctions.
Does this sound impossible in your environment? Even an honest effort could take days, possibly weeks, wreaking havoc on your daily routine and workload. The organisation should consider a data retention policy, and it should include the following points...
How to write a Data retention policy
A data retention policy is a useful document that deals with maintaining information in your possession for a pre-determined length of time. Different types of data require different lengths of retention. The policy describes the procedures for archiving the information, guidelines for destroying the information when the time limit has been exceeded and special mechanisms for handling the information when under litigation.
1. Subject of policy
The policy is concerned with 3 elements:
- Legal - governments have specific legal requirements for data retention based around economic well-being (e.g. collecting tax revenues), detection and prevention of crime and terrorism, and national security.
- Business - organisations may have their own data retention requirements that can range from contractual obligations with customers or suppliers to administrative or operational information such as policies and procedures that define daily functions. Each business must set their own data retention requirements to sufficiently maintain their business operations.
- Personal - personal data covers all the other information that does not have business specific retention periods nor retention periods dictated by law.
You will need to strike the right balance between each of these pressures on your data retention strategy. Remember that data protection laws prevent you from retaining data for longer than is necessary.
2. Data types and digital systems
The fundamental reasons and overall purpose of having a data retention policy have not changed over the years but the electronic age has brought new twists to this old problem. Computer systems and applications have added increased complexity to the issue. Most notably, electronic email messaging has had a large impact on those who develop and enforce data retention procedures.
All information pertinent to a lawsuit must be retrieved and turned over to the authorities during litigation cases regardless of the medium such as paper, hard disk or tape. In fact, it will be shown that litigation and criminal investigations are critical forces that shape any data retention policy.
3. Key definitions
You need to be clear about the terms you set out in the data retention policy. Check out the Glossary of Terms for help.
4. Detailed requirements description
You will need to undertake a data audit across the whole of your organisation in which to define the data retention categories. This includes all data you are processing, including legal, business and personal.
5. Retention procedures
Computer systems can store tremendous amounts of data. Storage media continues to decrease in cost while increasing in density. Users no longer have to deal with the mounds of hard copies or overflowing file cabinets. In many cases, the data is stored on huge, remote file servers so the local hard drive size is not a limiting factor.
It is all too easy to instinctively click "save" to store electronic documents. The diversity of applications in use promotes the storing of the same information in different formats in multiple locations. The same Word document stored in a user's home directory on their laptop could be found in a folder as a message attachment on a mail server. It could be posted on a group web server in html format and replicated on a mirrored partition in the data center. Another may have it in hard copy format to present at a meeting.
Finally, data is likely to be saved on a nightly backup tape, which could be stored at an offsite facility. Do not forget about the hidden or often overlooked data. Users may not even be aware of some of the data stored on their computers such as cookies or cached data.
6. Data destruction procedures
You need to be clear on your procedures for destroying data. If the litigation is a civil case, a company could be accused of destruction if potential evidence has been destroyed either intentionally or through negligence.
7. Clear documentation
You should provide clear documentation on your organisation's procedure for disclosing information? How long will it take? What electronic records can't you disclose and for what reasons?
Management accountability is essential. Make sure that your data retention strategy has the buy-in of the Board and you list the relevant responsibilities of directors, with delegated authority where appropriate.
9. Create a table
Consider creating a table showing the information type and corresponding data retention period. You'll need to set out both statutory and nonstatutory data retention periods in every country in which your organisation is operating.
10. Specific team duties
What specific role and duties does the central corporate data retention team play during the request for disclosure. For example, will the data retention team attend court to give evidence?
11. Use an appendix
Since the information that must be retained typically involves data of a sensitive or proprietary nature, caution must be exercised in securing that data at all times. Make sure you provide an appendix to your data retention policy for additional referencing information.
Data retention is a complicated balancing act. On one extreme is the philosophy that promotes aggressive destruction of electronic data after a short time period. On the other extreme is the philosophy that promotes the saving of everything indefinitely.
There is no absolute right or wrong answer when establishing a data retention policy. On the one hand you need to save information required by law and vital to your business. On the other hand, you should delete irrelevant, outdated and non productive data as quickly as possible. Finally, you need to plan ahead for potential discovery requests in connection with litigation cases.