Much attention has been focused in the past few years on e-discovery. Less discussed, but the equal companion to e-discovery, are competent policies setting forth standards for record retention and record destruction.
Several business needs drive the record retention policy. First, there is an operational need for records. A record may be created for current or future business use. Records created for current use may be needed in the future.
Second are legal needs for records. Litigation may arise out of transactions or events which are based upon or memorialized in written or electronic records. Governmental agencies, federal, state or local, may require the retention of records for later audits. Proof of ownership or title may necessitate the maintenance of records over a long period of time, e.g., deeds, loan documents, etc.
Offsetting these two needs, however, is a third need. Maintenance costs and efficiency encourage the destruction of records at the earliest possible time. Whether maintained in paper or electronic form, records are generated at a rapid rate. Without sensible destruction policies, the expense of record preservation can be significant and the sheer volume of records may make ease of access to data difficult.
However, despite efficiency concerns, businesses must be alert to potential claims of spoliation. Case law, particularly in the last decade, penalizes parties in litigation which have destroyed records pertinent to the litigation where the destruction occurred either in the absence of an established record retention policy or in violation of the standards established in such a policy.
The three business needs - operational needs, legal needs and cost/access efficiencies - taken together with the legal risks of spoliation - warrant the development, implementation and maintenance of a sensible record retention policy.
The goal of a record retention policy is to identify and keep those records that are necessary to the conduct of the organization's business, to protect those records which are required to be kept by statute or regulation or which are relevant to pending or foreseeable investigations or litigation, to establish reasonable retention periods for such records, and to provide for the destruction of unneeded records in a documentable and systematic manner.
A record retention policy:
- Should be written;
- Should state the goals/philosophy of the policy;
- Should be provided (not just available) to all employees;
- Should stress the importance of compliance and note possible discipline;
- Should identify to whom questions can be directed;
- Should clarify that e-mail in-boxes are not record retention systems;
- Should describe how and when to preserve e-mail;
- Should set forth easy to understand document categories;
- Should set forth clear retention periods;
- Should not allow for employee judgment on the retention period;
- Should address off-site records (such as records "maintained" at home on home computers);
- Should set forth a destruction protocol; and
- Should identify responsible parties.
Writing and implementing a record retention policy presents several challenges. Records must be categorized to develop appropriate retention periods, legal standards applying to those records must be assessed, administrative responsibilities must be assigned, and an education and compliance program for employees must be established.
Let's look at some of these issues in greater detail:
1. Cataloging Existing Records:
In order to develop an effective record retention system, an organization must determine what records it has and how the records are best cataloged for purposes of a retention system. "Records," as defined for a record retention policy, include all documents or things which require preservation from a business or legal standpoint. "Records" are not limited, obviously, to tangible items since digital data is typically the primary form of record keeping today. "Records" likewise does not consist solely of documents, either in written or digital form, since "objects" may also require retention for a variety of business purposes.
Organizations should also consider the retention protocol for items which have legal significance but might not typically be thought of as "records." This would include, for example, any advertising material (regardless of where it appeared or on how many occasions it was utilized), as well as superseded web pages and internet publications or representations concerning the organization or its products.
2. Categorizing Records:
Records should be categorized in a fashion which allows for efficient and reliable access and, ultimately, destruction. Categorizing records as "letters", "memos", "e-mails", "drawings", "formulas" or the like is not helpful. Categorizing the record by form rather than topic defeats easy access or a useful method of insuring record destruction at an appropriate time.
Records should instead be categorized by subject matter. Subject matters might include: corporate organizational records; financial records; product development records; sales records; litigation files; and the like. Subject matters should be divided into subcategories. For example, corporate organizational records can be broken down into articles of incorporation and amendments, by-laws and by-law amendments, board minutes (with supplemental materials), board committee minutes (with supplemental materials), etc. Financial data can be broken into accounts payable, accounts receivable, payroll, expense reports, etc. The correct subcategorization will depend upon the nature of the business, the category itself, the numbers of records involved (the more records, the more subcategorization is required), and the frequency of need to access the records (again, the more records, the more subcategorizing is generally required).
3. Determining Retention Periods:
Once records are categorized, there should be an analysis of the appropriate retention period for each category of record. The retention periods will be guided by several factors. First, the organization must determine how long it has a business need to keep each record. In some circumstances, it may be desirable to keep the record longer than there is an immediate business need. The organization must further consider the legal need to retain records. This will be driven by federal, state and local laws and the potential for criminal or civil litigation. There will also be a need to keep certain records that reflect title issues so long as the property is owned by the organization (e.g., a deed, etc.).
In conducting this analysis, the organization must keep in mind that the different countries and even domestic states in which it operates may have different rules affecting retention periods. Identification of retention periods should ideally be a group project, with managerial, legal and accounting input.
Retention periods do not have to be a set period of years, but the time period should be easily calculable. Use of "current plus _____ years," or "expiration plus ____ years" or a similar notation is acceptable. What is not acceptable are ambiguous retention periods or employees being allowed unfettered discretion in setting retention periods.
Essential to the success of every program is compliance. This requires advance thought as to how current employees and future employees will be trained on the retention policies of the organization. It further requires consideration of disciplinary action which might be taken for violations of the policy by an employee. This may require amendment of other corporate documents or HR policies which address issues of employee discipline. It also advisable to have employees sign-off on the retention policy to verify that they have read and understand the requirements.
Each department of the organization should have at least one designee who knows the retention policy, who understands the nomenclature, who understands the philosophy of the policy, who knows how to categorize files consistent with the policy, and who marks or codes the box with appropriate retention criteria.
5. Assigning Administrative Responsibility:
Unsurprisingly, assigning responsibility for managing the record retention program is essential. The record retention policy should set forth who is responsible for administering each aspect of the policy. This includes consideration of who will have local and overall responsibility for:
- the policy,
- on-going education,
- compliance and discipline issues,
- outside storage vendor oversight, and
- record destruction issues.
- Businesses with multiple office locations must address administrative responsibility for the policy at each office.
The record retention policy should clearly identify the job position which will be held responsible for each of these functions.
Each organization should have one person or department which has ultimate responsibility for overall administration of the policy. This is typically determined by the department which has the staff, budget and ability to administer this function.
6. Outside Vendors:
It is not unusual for records no longer in active use to be stored with outside vendors. In selecting an outside vendor, reliability in protecting and retrieving documents is essential. It is also advisable that the record owner be able to access the vendor database relating to the record owner's records. The allocation of responsibility and protocol for record destruction should be clearly specified with the outside vendor and always be in writing. The outside vendor must also be able to provide appropriate guarantees of privacy.
7. Review and Spot Check:
At appropriate intervals, there should be a review and spot check of records to ensure that those records which are in storage have been maintained and have not been destroyed and that those records which were to be destroyed have in fact been destroyed.
8. Destruction of Records:
Upon the destruction of records, a log should be completed indicating that a check was made to ensure that the retention period had expired for the record and that the record was then destroyed. These logs should be retained for a reasonable period after the destruction.
In sum, a record retention program is essential for every organization. The program should be well thought out and provide for ease of access to appropriate records, for protection of records while needed, and establish an appropriate time for destruction. The record retention program should be written, provide for appropriate categorizing and cataloging of records, identify understandable periods for retention and destruction, provide for the education of employees, allocate responsibilities within the organization, establish disciplinary consequences for violations of the policy, and be routinely enforced by the organization.