A fundamental element of any information governance program is for organizations to have a defensible records retention schedule (RRS). Essentially, organizations must retain and dispose of their business records in accordance with their local, regional, or global RRS and accompanying policies. Through an effective RRS, organizations can account for and organize their records in a systematic and legally compliant manner. Organizations can also reduce unnecessary storage costs by destroying records on a periodic basis and mitigate litigation and privacy risks associated with under-retaining or over-retaining records.
In developing, implementing, and maintaining a RRS, an organization must establish “retention rules” for its business records, which defines the period of time for which such records must be retained. There is a myriad of retention, privacy, and business requirements for organizations to navigate when setting retention rules. Organizations may become overwhelmed and challenged by these varying requirements and seemingly competing retention priorities. Furthermore, organizations must also address any outliers to the retention rules that they set in their RRS. These retention outliers will require specific records to be retained either for a longer duration or to be destroyed earlier than the standard retention rule. In the event that such outliers are identified, organizations should either specify these as “retention exceptions” in their RRS or reassess their RRS classification scheme to accommodate these types of exceptions (i.e., reassign records to other applicable record categories, develop a new record category, redefine a record category, etc.).
The primary sources to consider when setting retention rules, defining retention priorities, and identifying retention exceptions are as follows: statutory and regulatory requirements; privacy-driven retention maximums (“privacy maximums”); limitation periods; and local customs and best practices.
Statutory and Regulatory Requirements
Statutes, regulations, and regulatory guidance provide mandatory obligations for organizations to retain certain business records for defined periods of time. In assigning retention rules, organizations must prioritize compliance with minimum statutory retention requirements based on the jurisdictions in which they operate and conduct business including the provision of online goods and services. As discussed below, there are limited risk-based circumstances in which an organization in setting a retention rule would give priority to a limitation period or local custom over a statutory retention requirement.
In setting retention rules, organizations must also consider their industry of operation and ensure that they are complying with both general requirements and industry-specific statutory and regulatory requirements. General retention requirements are applicable to any type of organization and include records generated in the “usual course of business and operations”. Industry-specific retention requirements relate to regulated activities (i.e., financial services, pharmaceuticals, manufacturing, etc.) and in some jurisdictions may also apply to general record categories. For example, financial services legislation may require financial institutions to retain accounting and financial records. Similarly, pharma legislation may require pharmaceutical companies to retain shipping and customs records.
Organizations must also manage statutory retention requirements which prescribe longer-term retention periods applicable to a specific record and not an entire record category in their RRS. From a cost and privacy perspective, organizations should avoid setting a retention rule based on this type of longer-term requirement and instead consider managing these as retention exceptions.
The recent surge of stringent privacy requirements across the globe, mainly brought on by the EU General Data Protection Regulation (GDPR), requires organizations to re-examine their retention practices with regards to records containing personal data. The “retention limitation” principle requires organizations to retain personal data only as long as necessary for the purpose for which it was collected or processed. In certain jurisdictions, there are also laws which require personal data to be destroyed after a specific period of time (i.e., privacy maximums). Typically, these privacy maximums relate to records containing the personal data of customers, employees, and job candidates.
Organizations must ensure that they are diligent in their retention and destruction practices when dealing with these types of records. In terms of the RRS, organizations may elect to set a retention rule based on a privacy maximum or assign the privacy maximum as a retention exception. This will depend on whether the privacy maximum applies to all of the records in the record category or to a limited subset of records. In either scenario, organizations must clearly indicate that the retention rule or retention exception is based on a privacy maximum (i.e., maximum 5 years, maximum 2 months, etc.).
In terms of retention priorities, privacy maximums are always subject to and may be overridden by applicable statutory retention requirements which prescribe a longer retention period. Organizations must always exercise caution and be diligent if such a circumstance arises, ensuring that all avenues to address the privacy maximum were considered. It is not recommended for an organization to override privacy maximum requirements based on limitation periods or local customs as these are not mandatory retention requirements.
As discussed in our pervious article “Applying Limitation Periods in Information Governance Programs” limitation periods are not mandatory retention requirements. In setting retention rules based on limitation periods, an organization must conduct a risk-based analysis and consider whether there is a material risk of a dispute or legal proceeding. In such scenarios, applicable limitation periods may be prioritized over statutory retention requirements in setting retention rules or providing a retention exception for specific records. In the absence of a statutory retention requirement, organizations should still exercise caution and conduct a risk analysis before applying limitation periods as retention rules.
Organizations must ensure that the limitation period being applied as a retention rule to a record category in their RRS is appropriate and applicable to the records. There are various types of general and ultimate limitation periods (i.e., contract, tort, personal injury, etc.) for organizations to consider when setting retention rules. Organizations should only apply ultimate limitation periods (i.e., maximum time to bring a claim and applicable in limited circumstances) as retention rules where there is a real risk of latent actions or claims (i.e., environmental, hazardous exposure, etc.).
Local Customs and Best Practices
In setting retention rules and identifying retention exceptions, organizations should also consider local customs and best practices. Local customs may indicate that certain records be retained for a lengthier duration then the prescribed statutory retention requirement based on risk of litigation, government audit, regulatory investigation, or an industry standard. Local customs may also be used to set retention rules where there is no defined statutory retention requirement in a jurisdiction and applying limitation periods is not an option based on the absence of material risk of litigation or claims.
There are also best practices that organizations may apply in setting retention rules based on business needs and the value that the business record holds for an organization. For example, it is considered best practice for an organization to retain constating records (i.e., articles of incorporation, charter, by-laws etc.) permanently as evidence of its legal status and existence. In the absence of statutory retention requirements, an organization may decide to apply an “indefinite” retention rule to specific records which are then reviewed at periodic intervals and disposed of after their underlying purpose is completed of they are no longer of material ongoing value for an organization.
Documenting Retention Strategies and Decisions
Organizations should document in their retention and destruction policies any retention strategies and decisions made and implemented in determining retention rules and setting retention exceptions. By documenting and communicating these policies internally to employees, organizations can mitigate potential risk and be in a defensible position in case any legal dispute or claim arises.