In a previous blog post, I talked about the need for an effective policy and process for electronic records management. This is an undertaking that requires serious assessment – there is no cut-and-paste approach to doing this. While many struggle to find the time to do this, it is required.
There are a number of good resources that can serve as starting points in developing a policy. The American Records Management Association has its “Generally Accepted Recordkeeping Principles” model. The International Organization for Standardization has ISO 15489-1 guidance. However, these are just the beginnings and are only a framework, which must then be tailored to your organization.
When developing a policy and process for electronic records management, at a minimum, policies should cover:
Your process should comply with all relevant laws and regulations and with court discovery rules. Various laws require keeping records in different ways, so educate yourself on what’s required for your company and the type of data you’re storing.
There are various laws addressing requirements about how information can be stored and with what level of security. Medical information, I-9s, personal identity information, customer financial data and much more must be kept with security and confidentiality. Other records require no security.
Some records are "public" and must be kept open for all to access. The organization may have its own internal concern for trade secrets versus its "public" communication. It is important to know which are which and have coordinated protocols to assure each is generated and stored properly.
There are different statutes of limitations regarding how long different types of records must be retained, and requirements can vary from state to state. Labor records must be kept for at least two years; however, Worker's Compensation cases can have a 12-year statute of limitations. A contract can have a six-year statute of limitations. Hazardous chemical records may have to be kept forever.
Whatever your company’s situation, it is crucial to know the requirements that apply.
Develop (and keep updated) the specific protocols for destruction for each category of records. There is a "safe harbor" in the discovery rules that eliminates penalties or sanctions if records are disposed of according to a written plan, which is followed consistently. The plan must be under the control of trained professionals and must allow sufficient time for anticipated claims to be filed before any destruction. Again, this should, at a minimum, track the basic statutes of limitation for various types of records and potential cases.
The records policy should specify who is responsible for retention and who has specific, and sole, authority to destroy each type of record. There should then be double checks before actual destruction.
Finally, records policies should not only address network storage, but should also account for data stored on individual personal computers and other devices.
You’re required to stop any deletion of records when you are "on notice" that there may be litigation. The obligation arises when there is any practical reason to believe future litigation might occur over an issue, not when there is an official summons or complaint.
The "may be" can be triggered by any dispute with a vendor or customer that goes beyond a casual disagreement (i.e., letters start to be exchanged over the issue); any letter from an attorney; any time an employee is fired during economic times where the next job is hard to find; or any accident causing personal injury or property damage.
These and more events should prompt one to freeze the system and inform all involved to not delete anything without authorization. Once "on notice," the hold should stop destruction of any relevant records for the duration of the litigation.
Technology changes and current decisions expand, or limit, the scope of records management requirements. Outdated management programs result in liability. Stay up to date!