Records and data retention can be complicated, particularly when balancing competing statutory requirements from around the globe, industry best practices, business needs, and the growing importance of privacy considerations. When faced with these realities, many organizations seek solutions that will make retention easier and more streamlined. While there are several ways to achieve this, organizations need to proceed with caution when choosing which aspects of their retention policies and procedures to simplify.
One aspect organizations often seek to simplify is the “retention event” or “trigger”, particularly when “active”. An active, or event-based, retention event is dependent on the occurrence of a particular event (taking place sometime after a record is created) to trigger the commencement of the retention period (e.g. the termination of employment). Upwards of 55% of large and medium-sized organizations see an opportunity to improve their retention schedules by reducing the number of event-based retention periods.[1] While this might seem like a straightforward approach to simplify the implementation of retention schedules, going about the conversion from active to “flat” retention events can be complicated and require additional levels of oversight to ensure compliance. Organizations looking to “flatten” retention rules must carefully consider the broader impact of these decisions on their information governance (IG) programs.
What Comprises a Retention Rule?
Retention rules are generally made up of several component parts, which work together to create the instruction for managing the duration of retention. The first component is the “retention period”, the length of time a record must be kept. These periods are often based on explicit statutory requirements (including maximum retention periods for personal data under privacy laws). However, they can also be based on limitation periods, especially in areas more likely to attract claims or litigation, industry best practices, or business need.[2] The second component is the retention event, which provides the trigger for beginning the countdown of the established retention period. Retention rules can also include an action to be taken upon completion of the retention period (e.g. delete, retain for an additional period, archive, etc.). These components together result in a retention rule such as: 5 years from date record created, upon completion move to archive for X years then permanently delete.
Further, several different types of retention rules can be employed in retention schedules. As indicated above, a flat retention rule requires the retention countdown to start at the time the record is created. With flat rules, there is no need to wait for a particular event to occur following creation of the record or data in order to start the retention countdown. Active retention events, as discussed above, require a trigger to start the countdown for the retention period (e.g. from close of file or investigation, from date superseded or discontinued, from date agreement terminates or expires, etc.). Sometimes “indefinite” and “permanent” retention rules are provided. Indefinite rules represent an undefined period of time, and are generally used in instances where a specific retention period could not be determined for a particular group of records.[3] This type of retention rule requires the periodic review of the associated records to determine when disposition becomes appropriate. On the other hand, permanent retention rules call for just that, the permanent retention of associated records and information. This will generally occur in relation to records of major ongoing importance, including those with long-term archival value.
The Challenges of Active Retention
The use of active events, while sometimes necessary or unavoidable, can have associated challenges. While some of these challenges affect most organizations, others are dependent on the circumstances of an individual organization: how it is structured; the types of records and data it produces, uses and retains; how it is regulated; and, the internal policies and procedures it has in place.
One of the main challenges associated with active retention results from ambiguity, whether due to unclear wording of retention events, or poorly defined responsibilities. If the text of a retention event is vague and unclear, it can be difficult for an organization to manage when the retention countdown for the records or data needs to begin. When establishing retention events, it is important to work with the relevant stakeholders to ensure the wording of the retention event is meaningful to them and aligns with how they operate. Even with this ambiguity removed, organizations may still struggle with flagging and implementing the retention period across all record and data types, depending on available resources. Global organizations may face additional challenges in establishing these rules where they must contend with varying approaches and terminology across the jurisdictions in which they operate. This will require additional consideration when determining the best approach for each organization, and may result in separate retention rules for jurisdictions where differences cannot be easily reconciled. Similarly, it is important to have clearly defined roles and responsibilities when it comes to the individuals or groups of individuals who are responsible for initiating the retention of active records and data, and ensuring their disposition in line with the organization’s retention policies.
Another perceived challenge with active retention relates to privacy considerations for personal data, and the need to balance the required retention of records with privacy concerns. While it is important for organizations to be aware of the personal data they collect and retain as part of their business records, it is equally important for organizations to understand that there are certain exceptions, and statutory requirements, for the retention of personal data contained in the records that organizations are required to keep. Another complicating factor may occur when customers who have multiple accounts with an organization close a particular account or end a certain aspect of the relationship, especially if certain overarching information is kept together in relation to all accounts. In these instances, organizations may need to determine which records and/or data need to be kept, and when the associated retention countdown should be initiated.[4]
Given these and the other possible challenges associated with active retention, organizations may choose to look for areas where they can more effectively reduce the number of active events in their retention schedules. While there may be some opportunities where this can be done with minimal effort or negative impact, organizations must proceed with caution in order to minimize the associated risks.
Evaluating Opportunities and Mitigating Associated Risks
When evaluating the opportunities to convert event-based retention rules to flat rules, organizations should undertake a risk analysis, carefully considering the record and/or data categories from which active retention events may be removed. This can be a difficult task, especially because some statutory requirements specify active retention requirements, and certain high-risk categories really should maintain an active retention event from a risk and compliance perspective.
Common Areas of Risk
One such risk associated with converting active retention rules is the over or under retention of records and data. In order to flatten a retention rule, certain assumptions must be made regarding the “life” of a particular record or set of data and how long they are generally active. This is easier in some cases than others. For example, if an organization has a record category relating to project management and knows that no project it undertakes typically lasts longer than 2 years, then instead of having an active retention rule of 3 years from date project completed, it may be feasible to implement a rule of 5 years from date record created. Although a similar approach may be taken for a number of other categories, some categories attract higher levels of risk, making the exercise more difficult, such as those relating to customer accounts or employee personnel files. A customer or employee relationship might last 6 months or upwards of 30 years. Organizations need to be careful when making assumptions about categories that can involve such drastic differences in the time period during which records can remain active, and which attract numerous statutory retention requirements. Organizations in heavily regulated areas, such as financial services and pharmaceuticals also need to approach these decisions with greater caution in order to ensure they remain compliant.
Organizations should also consider instances where the records or associated data are repurposed and given a second life for use in data analytics. This may require longer retention following the end of the record’s original purpose. Of course, organizations need to exercise care from a privacy perspective in how they approach analytics using repurposed personal data, a topic outside the scope of this discussion. Organizations should also be careful when attempting to flatten the retention rules for records that involve a heightened risk of litigation.
Risk Mitigation Measures
There are a number of approaches that organizations can take to reduce the risks associated with converting event-based retention rules to flat rules. One such approach is to undertake a retention schedule review to ensure the record categories are appropriately organized. Having effectively organized the categories, grouping record examples with similar lifecycles can help avoid unnecessarily applying active retention events more broadly to entire categories. In doing so, it is important for organizations to understand their retention schedules at a high level. For example, if an organization has chosen to implement a “big bucket” approach to organizing its retention schedule, it may be more difficult to identify areas where retention events can be flattened, because the range of examples covered by any given category is likely to be more complex. Once a review is completed, organizations might identify categories where it is easier to make the assumptions described above, or to rearrange some of the categories, moving record examples to create categories more conducive to flat retention. In doing so, organizations must ensure the schedule still aligns appropriately with the different business functions and stakeholder needs. Organizations can also consider what is driving a particular retention rule. Where it is based on a business decision there is likely to be less risk involved in converting the active rule to a flat rule. Where active retention rules are based on specific statutory requirements there may be more risk in their conversion.
The ability of organizations to effectively determine opportunities for and implement these conversions will also depend on their internal processes and procedures. If an organization has a procedure in place to update certain policies on a consistent basis, then it may be easier to flatten the retention rule related to these policies. For example, if policies relating to occupational health and safety are consistently updated every 2 years, then it is conceivable to set a flat rule of 2 years plus the required period to retain the particular policies. If organizations are currently lacking these consistent approaches to updating and reviewing particular record and data types, they may want to consider evaluating and implementing internal processes and procedures to help facilitate the conversion of event-based rules. It is important to note that policy records represent only one type of active record; it may be much harder to take this approach with other active record types (e.g. records relating to internal investigations).
Where organizations decide to convert event-based retention rules, it is advisable to implement a review process to ensure that the assumptions made at the time of conversion remain true. This will help ensure records and data are not scheduled for disposition prematurely or much later than necessary. It will be a balancing act, especially when flat retention rules are initially adopted, to ensure that the relevant records are not being over or under retained. It may be necessary to conduct these reviews more frequently at first, reducing the frequency as confidence grows in relying on the established rules. However, it would be prudent from a compliance perspective to continue these reviews over time. Ensuring that appropriate metadata is applied will be an essential tool in supporting this process.
Converting event-based retention rules while ensuring both compliance and business needs are being met can be arduous if done properly and methodically, something organizations need to understand before undertaking this process. Far from a quick fix, it requires careful consideration, discussions with relevant stakeholders, and continuing follow-up and review. It can be a lengthy and resource intensive undertaking, with no guarantee of the desired outcome. However, this is not to imply it cannot be done, or that all improvements to the retention schedule are necessarily complex. It is certainly worthwhile for organizations to periodically review and consider opportunities to simplify their retention schedules for ease of implementation. This should include an evaluation of opportunities to remove barriers to successful implementation through the adoption of simplified rules including flat retention periods.
[1] Cohasset Associates and ARMA. (2019, September). 2019 Information Governance Benchmarking Survey
[2] Norwich, F. and Douglas, L. (2021, April 6). Applying Limitation Periods in Information Governance Programs
[3] Iron Mountain. (2016). Event-Based Retention Guide
[4] Ibid.
