Myth Busting: A Records Retention Action Plan

Transcription

1 Myth Busting: A Records Retention Action Plan

2 2 Introduction Table of Contents Introduction Electronic Records Can Be Records, Too The Official Version Why the Question Matters Cure the 7-Year Itch Looking Beyond the Default Never Say Never What Sarbox Says The Privacy Element Long-term vs. Permanent Perform Archival Selection A Records Retention Action Plan Records Retention: Worth the Effort An effective records retention program minimizes organizational risk by making clear what requirements apply, where they apply, and how to apply them. It sets standard time periods for how long to keep categories of records based on documented research of legal and operational requirements. Because of this vital role that records retention scheduling plays in an effective RM program, it is one of the most talked-about topics in information management. Unfortunately, it can also be one of the most misunderstood concepts. Without the proper level of due diligence, ad hoc decision making and vague assumptions about retention can threaten an organization s compliance with legal and business requirements. Here are just some examples of misconceptions that can become part of an organization s business culture: m We don t need to worry about recordkeeping rules because we only have electronic files m Any record can be destroyed after seven years m We can t throw away any records because of privacy law and/or Sarbanes-Oxley m That records retention stuff is okay for administrative records, but in our line of work, we have to keep everything forever m These records are really old, so we have to keep them as an historical archive This white paper counters these misconceptions with a discussion of the real-world requirements that apply to records. These requirements can vary greatly from one organization to the next, making the sweeping generalizations listed above all the more inaccurate. Also included in this discussion is an action plan for developing and implementing a records retention program that addresses those same variations. Electronic Records Can Be Records, Too There are many immediate benefits associated with maintaining recorded information in electronic format, such as faster retrieval and cheaper storage. But increased reliance on electronic media in lieu of paper is no shelter from requirements to produce evidence or retain records. In defining the concept of a record, evidence laws and rules of court often use the phrase in any format or medium. Some laws go a step further, defining specific criteria for establishment of an electronic record. As sophisticated as some of these rules can be, a clear, simple theme emerges: assuming your organization s information systems are secure and reliable, any electronic documents created or received on those systems through the ordinary course of business activities is a potential record of those activities.

3 3 The official version Electronic records may even take precedence over paper copies as the official record for legal discovery and retention purposes. For instance, many laws state that records should normally be retained in their original format. The concept of originality is tied to the transactional exchange that led to the record being made or received in the first place. Money is exchanged when a person signs a check or performs an electronic funds transfer. Rights and responsibilities are exchanged when a person signs a paper contract or clicks the accept button on a secure website. In the cases of the electronic funds transfer and the web-based agreement, the transaction occurs in the electronic environment, making the electronic record more original than any paper output. Any electronic documents created or received on those systems through ordinary course of business activities is a potential record of those activities. Why the question matters The identification of official records in either electronic or paper format is more than just an academic question. With all of the legal and administrative requirements that apply to records, it is critical to distinguish official records from duplicate copies, obsolete drafts, outdated reference material, and other non-records. Anecdotal sources estimate that non-record materials account for 50% of most organizations paper and electronic holdings. By applying official record status selectively, your organization can apply records storage and disposal processes more efficiently and cost-effectively. Cure the 7-Year Itch The common default retention period of 7 years has some basis in reality. The accounting profession in particular is subject to a number of well known statutory and regulatory requirements to keep invoices, receipts, and other financial records for that very duration. For instance, Canada s Income Tax Act has very clear, explicit instructions to retain relevant records for six years after the end of the year in which they are created. Factoring in time for an internal audit after the year-end has passed, we see a very convincing mandate to keep the records for 7 years. Looking beyond the default But even within the accounting industry, 7 years is by no means the entire picture. 7 years may suffice for records relevant to certain federal income tax requirements - but organizations are often subject to more than one tax. Companies who collect and remit the Canadian Goods and Services Tax are governed by the Excise Tax Act, which includes assessment periods of up to 10 years. In order to manage the audit risks, affected organizations may need to retain certain accounting records for at least 10 years. Depending on how risk averse your organization is,

4 4 retention periods for tax returns and other tax relevant records may be even longer. Various sections of the United States Code allow for investigation of alleged tax fraud without time limitation, allowing for a possible argument that certain records should be retained indefinitely. The complications associated with retention periods do not end with the number of years. Exactly how long a particular record is retained also depends on when the official retention period actually begins. Event-based retention refers to retention periods which do not even begin until a predefined event triggers closure of the file. Common examples of retention events include: 7 years may suffice for records relevant to certain federal income tax requirements - but organizations are often subject to more than one tax. m End of the fiscal year in which records were created and subsequent completion of internal audit requirements for that year m Termination of an employment relationship m Termination or expiry of an agreement m Completion and close-out of a project, such as facility construction or information technology deployment m Decommissioning of a plant or facility m Dissolution and winding up of the corporation Some of these events occur less routinely than others. When years elapse before the event occurs, the total time for retaining records is directly impacted. Consider the following fictional example: A collection of employee files have a records retention period of Termination of Employment + 10 Years. The file of an employee who quit during his or her first week would be kept for ten years. Meanwhile, the file of an employee who enjoyed a 30 year career at the company would have to be retained no less than 40 years. Never Say Never Long-term retention requirements are one of the realities for records management, but to say that a particular collection of records can never be destroyed is more often than not an exaggeration. This reality becomes evidence when we zero in on some of the common arguments that organizational personnel may make for keeping records forever. What Sarbox Says The Sarbanes-Oxley Act of the United States establishes records retention practices as a source of corporate accountability, but contrary to some popular assumptions, it does not outlaw all records destruction activity. Sarbanes-Oxley does make it an offence to destroy, mutilate, obscure or alter a record with the intent to obstruct justice. In other words, it is still perfectly legal to destroy records as long as the destruction is not intended to obstruct justice. Regular,

5 5 ongoing records destructions can still occur, as long as they are performed in accordance with an approved retention schedule and a review and authorization process that can capture any records responsive to audits, litigation or other proceedings even after their retention periods have lapsed. Retention schedules and disposal authorization forms work together as documented evidence that records were disposed of in the ordinary course of business, as opposed to attempts to obstruct justice by destroying evidence of illegal activity. The Privacy Element It is still perfectly legal to destroy records as long as the destruction is not intended to obstruct justice. Privacy requirements are an even less effective rationale for keeping records forever. Laws such as Canada s Personal Information Protection and Electronic Documents Act, Australia s Privacy Act, and sections of the U.S. Gramm-Leach-Bliley Act apply only to personal information, which is typically defined as potentially sensitive information about employees, customers, health care patients, and other identifiable individuals. Privacy laws help ensure certain individual rights, such as the right to access one s own personal information (subject to exceptions) or request corrections of any inaccuracies in personal information. Records retention policies can help ensure that personal information is retained long enough for individuals to exercise these rights, but that does not mean retaining the information indefinitely. Most privacy laws actually make it an offence to retain personal information longer than necessary to fulfil the purposes for which the information was collected and meet legally mandated retention requirements. For every year that an organization retains personal records in excess of actual requirements, it is breaching the privacy rights of the persons whom those records are about. Compliance with privacy laws may therefore lead an organization to decrease rather than increase some records retention periods. Long-Term vs. Permanent Finally, there is a tendency in some organizations to equate very long-term records retention requirements with permanent retention requirements. While there are indeed sections of legislation that explicitly require keeping specified records permanently or indefinitely, they are rare relative to the event-based retention periods discussed under Section 3. Retention events such as facility decommissioning and corporate dissolution may not occur for any number of years. Even once the event has occurred, there may be direct retention periods and legal liability periods which dictate keeping the records for a further number of years. The total retention period in each case is quite long, but an end is possible. Keeping all such records forever often misses an opportunity to dispose of large volumes of older records that really have no remaining retention requirements.

6 6 Perform Archival Selection Equating age with historical value is a fast track to disappointment. Many people have discovered this first hand when they submit old coins or family heirlooms to a professional appraiser. These items may be more than a hundred years old and hold great sentimental value, but unless they are very rare or contributed to well known history, they will not fetch a high price. Rather than retain every record for historical purpose, an archivist identifies those more unique records which document the company s organizational development, operational mandate and relationships. The same principle applies to archival records. As a professional discipline, archival science emphasizes the techniques of archival selection and appraisal. Rather than retain every record for historical purpose, an archivist identifies those more unique records which document the company s organizational development, operational mandate, and relationships. Many routine transactional records may not meet this grander vision. Even when transactional records do provide evidence of operations, various sampling techniques can identify a representative snapshot of otherwise huge collections. In short, many older records do hold great archival value for your organization and the communities in which it operates. But for every old record which meets this criteria, there are many records just as old which simply do not. A Records Retention Action Plan The different requirements discussed above may appear contradictory in places. It is not unusual for requirements to vary from one statute or regulation to the next, and when we apply all those requirements to the same records, things get complicated. That complication can be addressed through careful research, documentation and application of different requirements in the form of a records retention program. In developing and implementing a records retention program, be sure to address the following tasks: m Establish criteria for a document to be identified as an official record. Such criteria should provide concrete, specific guidelines to support daily decision-making, yet remain flexible enough to provide for the exceptions that can occur in an active business environment m Develop and implement a policy directive authorizing secure destruction of non-record materials that are no longer immediately useful. In order to facilitate regular, timely purging of such materials, non-records should require little more than the policy itself to authorize their destruction

7 7 m Research and tabulate records retention requirements from all applicable statutes and regulations. Records retention requirements may appear as either a direct, explicit requirement to keep a given record for a specified time period, or indirectly in the form of legal limitation periods The creators and users of records should play a role in identifying how long records will be needed as sources of recorded information to inform administrative processes & operational activities. m Investigate operational needs. The creators and users of records should play a role in identifying how long records will be needed as sources of recorded information to inform administrative processes and operational activities, possibly in excess of any legally mandated retention requirements m Apply archival appraisal, selection and sampling techniques where appropriate. These processes can be integrated into retention schedule development, identifying upfront which categories of records have potential archival value m Establish the retention schedule. Apply relevant legal, operational and archival requirements to categories of records. Industry-recognized standards in records management, such as ISO 15489, recommend that records categories be based on the business activities that give rise to records creation or receipt. Those same activities will also help indicate applicable legal, operational and archival requirements. Records retention periods for each category should be long enough to meet all identified requirements, yet not so long as to introduce privacy non-compliance, undue storage costs, and other risks m Implement disposal processes whereby records are reviewed regularly against retention schedules to identify their eligibility for destruction. The review should include input from stakeholders who can identify any possible legal or operational needs to retain the records in excess of their scheduled retention periods. Actual records destruction should be signed off on by those same stakeholders, performed in a secure manner, and certified as having been performed in accordance with organizational retention policies

8 8 Records Retention: Worth the Effort Decisions about how long to retain records should never be based on vague assumptions or informal office culture. If your organization ever finds itself in a lawsuit or an audit, it will need to account for all records retention practices and provide a consistent, objective rationale for any disposals which have been performed. A formal records retention schedule supports this objectivity, provided it is developed based on due diligence and legal research well before any proceedings come to light. Contact one of our representatives today. UNITED STATES CANADA AUSTRALIA EUROPE Developing such a program is a significant undertaking, but organizations should not be daunted. While developing a records retention program or overhauling an existing program is hard work to say the least, the investment of time and other resources will more than pay for itself in improved legal compliance, risk management, and business efficiency.