When setting the retention rules for their information governance programs, organizations may find that for certain categories of information, there is no applicable law or regulation that mandates retention. A common default in such cases is to set the retention rule based on the related limitation period, tying retention to the window of time to initiate a legal action. However, this glosses over the basis for applying limitation periods in the information governance context, which is to address potential risk resulting from claims or litigation.
Replace Rote Application of Limitation Periods with a Risk-based Analysis
Sometimes forgotten is the fact that limitation periods do not provide a mandatory legal retention requirement. Assuming no other legal or regulatory obligation exists (such as a “legal hold” scenario due to pending or asserted litigation, audit or investigation), organizations are not compelled to keep information that is not required to be retained by law or regulation. Otherwise, where there is no material risk of a dispute or legal proceedings, there is no reason to apply a limitation period as a default retention period. Limitation periods should be applied as a result of a risk-based analysis conducted by each organization. When conducting this analysis, organizations will want to consider:
- Is there a significant risk of disputes in this area? Limitation periods should be applied where there is a logical link between the type of information and the potential claim. Collaboration with the organization’s legal department to identify high-risk record class categories in the enterprise retention schedule can be a good starting point for homing in on areas of over-retention. Common high-risk categories include contracts, tax, insurance and employment.
- Are there privacy and other compliance issues? Limitation periods are often much longer than privacy maximums, which require destruction of personal data after a set period of time. Even where there is no express privacy maximum, data protection authorities generally expect a reasonable basis for keeping personal information. For example, the Privacy Commissioner of Canada found in one case that a 7-year retention period for personal data collected by an insurance provider, supported partly by associated statutes of limitation, was not a compelling reason to retain for that period.
The application of limitation periods based on a risk analysis can be a double-edged sword. After weighing relevant factors including potential disputes, claims, costs, and other business goals, organizations may not necessarily wish to apply a limitation period in every area involving potential disputes. On balance, however, the best practice is to apply limitation periods to record categories where there is a significant risk of claims.
Incorporating Limitation Periods into Information Governance Policies and Protocols
When applying limitation periods, organizations should:
- Ensure the retention rules effectively cover applicable limitation periods. This includes setting retention periods and events to appropriately reflect the different circumstances that can be expected to trigger the running of relevant limitation periods. Depending on the context, particularly where a claim may be latent (e.g., environmental and product liability), using a long-stop limitation period—the ultimate length of time for initiating a claim based on “discoverability”—may be appropriate.
- Establish an efficient legal hold process. The information governance program should refer to and reflect the legal hold process established by the organization as part of its litigation preparedness and response. The retention schedule needs to work in tandem with the legal hold process in order to effectively address litigation risks. Keep in mind that implementation of a legal hold effectively suspends further operation of the retention schedule for any records subject to the legal hold, for the duration of the hold.
- Document the approach to limitation periods in the organization’s retention policy. Once it is determined how limitation periods should be applied, it is important to document the approach taken in the organization’s retention policy. This serves to demonstrate and justify retention and destruction of records in accordance with the organization’s established policies and procedures, which may be important in cases where a dispute arises after a business has already destroyed relevant records in accordance with its retention program.