August 13, 2014
Documentation Retention Policies and their Potential Ramifications
This discussion on records retention policies is discussed in regards to a legal office environment, and briefly in respect of documentation prepared in the course of health administration.
In “Records Retention – An Essential Part of Corporate Compliance,” published by the American Bar Association in “Records Retention and Destruction Current Best Practices, written by R. Thomas Howell, Jr. and Rae N. Cogar, Howell & Cogar state the following:
It is important for an organization to achieve acceptable legal compliance without an appropriate and functioning records retention program, for two distinct but important reason:
- Records retention is an important substantive component of many of the laws with which most corporations must comply; and,
- Retained records are often the vehicle by which compliance is established.[1]
Howell & Cogar also make reference to other academics/professionals writing on the topic of records retention policies, that good retention policies shall include a pre-determined or industry-specific “minimum and maximum” shelf-life for certain classifications of documentations, as well as a “framework for the administration of the policy.” Basically, a decision needs to be made as to who in your organization will be responsible for overseeing the creation of, the adherence to and the maintenance of retention programs. For example, an Information Security technician, Information Technology technician or Records Management / Knowledge Management Specialist/Co-Ordinator in your firm or organization.
Another component to a comprehensive retention policy is to determine (i.e. classify) what documents are meant to be part of/addressed in your corporate records retention program. To aid your organization in both determining the minimum/maximum retention periods of specific documents, Howell & Cogar suggest referring to “both federal and state requirements, contractual obligations, intellectual property requirements and statutes of limitation.” Industry-specific “business consideration” must also be taken into account, in conjunction with potential industry-specific ‘legal considerations’ such as the “demands of litigation, investigation and [regular or pop quiz] audits.”
During the classification process, one must work with the specialists in their organization charged with effecting a document retention program and determine which among the many categories of documents their firm or organization handles daily, monthly, yearly and quarterly can be classified as a “business document” as well as which documents fall outside of the “record” definition. As Howell & Cogar write, this is important for several reasons:
- Through establishing definitions one therefore establishes classifications and this in turn makes “operational recordkeeping decisions easier”;
- Business documents are normally created in the process of: “complying with government regulatory or statutory reporting requirements, documenting daily business activities (minute books: a corporation’s directors’ and shareholders’ resolutions, directors’ and shareholders’ ledgers and registers, and corporate summaries, etc.; share purchase agreements, amalgamations, dissolutions, etc.), documenting research and development methods for possible patent application, as well as preserving the legal rights of the business.”
- Documents classified as “business records” have a notable and an important shelf-life and should be dealt with differently compared to non-business records with one comprehensive retention program policy dealing with each category of document individual, in the sense of providing guidance regarding their maintenance and disposal.[2]
Electronic Records
There could be an implied inference that the above discussion is merely referring to physical, hard copy documentation created in the process of a business’ normal activities. However, as Howell & Cogar allude to, an organization should also prepare a retention program policy which acknowledges the importance of e-records.
In a paper written by Contoural, Inc.[3] in 2007 entitled, “How Long Should Email be Saved?” the authors state that “as email has become more critical in the business world, many companies are weighing the question of how long [emails] should be retained, what should be done with [the emails], and when [the emails] should be deleted.” The article states the answer to this particular question depends on mandatory and numerous regulations (perhaps state and federal) which stipulate how long emails must be retained.
During the litigation process, there is the advent of e-discovery, which is continuously evolving. E-discovery may include information stored on cellular phones and other electronic devices, computer hard drives, and electronic mail. According to the paper’s author, organizations must balance the following two aspects inherent in email retention: “long-term retention and preservation of email, and many business circumstance demand recovery of historic messages”[4] (Emphasis added). Your organization will have to decide whether email retention (choosing which emails to keep and which to destroy) is done manually by users via record retention policy manuals or via technicians who can create a system which automatically determines which emails to keep and where, and which emails to delete or destroy and when; however, a computer may have difficulty effecting such a feat due to technological limitations – a combination of both ventures would be ideal. [5]
Legal Risk Management and a Lack Thereof
In “Document Retention & Destruction Policies for Digital Data: What You Don’t Known Can Hurt You,” published by a popular international legal practice management software company, LexisNexis, also writing on the topic electronic document discovery, the contributor notes two (2) very important things:
“Even the most the proactive company with a comprehensive retention policy that includes electronic data may not be enforcing policy to the extent necessary to avoid legal risk……An ABA [American Bar Association]survey conducted in May 2000 asked litigators whether their clients had an established protocol for handling electronic discovery requests.”
In critically analyzing the document’s discussion on the importance of establishing document retention policies for electronic data communication such as email, there is an implied inference – though the article is quite clear through its author, that the article is not giving legal advice – that one’s organization should establish (1) a policy that monitors email communication of its users or, more ideally, (2) a system in which employees are educated and instructed on how to vigilantly monitor both internal and external information divulged during electronic correspondence. Not in the sense that you will want to suppress or curtail or censor your employees and/or fellow colleagues, but more along the lines of instilling in or making your employees/fellow colleagues aware that conversation deemed casual if sent, or kept too long, or deleted to early, could result in hefty legal costs for their employer/organization, the case of anticipated or present litigation.
Also discussed is another very important of the destruction of electronic documentation, in the sense that much of what we think is ‘deleted’ in actuality has not been be deleted and still resides somewhere on one’s computer’s hard drive or has already been backed up on a server, or even worse, stored somewhere out there on the World Wide Web.
While the article gives examples of what can happen when documents were not destroyed when they should have been destroyed, causing issues in the face of litigation. Or, examples of when documents were destroyed in tandem with an organization’s records retention policies in the midst or just before litigation, in the face of opposing counsel requesting particulars/evidence – the court ruled that an adverse inference had been established in that the destruction of the said documentation looked as if one side was purposely attempting to withhold information from the other side which could have made it look bad – the article does not give any specific suggestions, unlike the paper by Howell & Cogar, as to how long documentation should be kept before destruction in the case of the legal field and their clients to avoid spoliation[6], or in the case of health administration such as hospitals, rehabilitation facilities and other health clinics and health facilities when documents should be destroyed to avoid potential infringement of privacy rights.[7]
In conclusion, ultimately Howell & Cogar are right: one will have to consult with state and federal laws, rules and regulations, as well as professional associations/organization, industry-specific rules codes of conduct with regards to document retention schedules policy programs.
What Should I Do?
Below, we have taken select portions of sources cited to provide you with some guidance:
Laws Requiring Document Retention
- Retirement Plans
- Consumer Products
- Imported Goods
- Employee Records
- Environmental Records
- Health and Safety Records
- HIPAA (Health Insurance Portability and Accountability Act)
- HITECH (Health Information Technology for Economic and Clinical Health Act – Part of the American Recovery and Reinvestment Act of 2009 (ARRA))[8]
“Ten Tips for Avoiding Documentation Retention Disasters”[9]
- Practice competent pre-litigation planning—develop a policy and enforce it.
- Involve and consult your organization’s IS and IT technicians/departments in the development of a comprehensive retention policy.
- Establish clear accountability for the enforcement of the policy.
- “Educate all of the company’s computer users about the pitfalls of electronic communications.
- Teach employees how to manage their e-data.
- Be sure the policy is consistently followed – whether the record is electronic or physical.
- Consider segregating business email from personal email by adapting differing standards for each type of document.
- Immediately reconsider and be prepared to suspend regular retention and destruction procedures when litigation or a legal document request is pending or imminent. Have a backup plan to ensure that all staff are notified to that spoliation does not occur accidentally or maliciously.
- Not only do you notify employees such as in tip No. 8 above, you should also notify the IS and IT departments of your organization. Work with these departments to decide whether retention policies in place should be reorganized in the face of litigation.
- Periodically complete an objective internal audit (perhaps using secure outside resources) of one’s company records management policies. [10]
[3] www.contoural.com. Contoural, Inc. is an organization made up of consultants specializing in strategic information governance. Specifically, Assessment and Strategic Roadmaps; Policy and Schedule Development; Email & Unstructured Data Management; Sensitive Information Protection; Legal Hold & Discovery Programs; Technology Requirements & Adoption; Enterprise Behaviour Change Management; Legacy Data & Paper Disposition; RIM Organization Development & Governance; and, Records Management Programs.
[4] Ibid, page 3.
[5] Ibid, page 3.
[6] “Document Retention & Destruction Policies for Digital Data: What You Don’t Know Can Hurt You,” by LexisNexis.
[9] “Document Retention & Destruction Policies for Digital Data: What You Don’t Know Can Hurt You,” by LexisNexis, p. 3.
[10] Ibid, 3-4