Organizations are accumulating data at a pace that would cause a hoarder to blush. Just like that old bicycle seat stored in the attic, data is often kept “just in case it may be needed someday.” This practice, however, comes at a cost.
Some organizations think that it is inexpensive to store data, in particular with the steady decline in hard drive prices. The fact is, however, data is expensive to keep. Organizations spend a significant portion of time managing, archiving and securing data. Data is housed on servers, each of which must be maintained. Data is also archived regularly according to the organization’s backup schedule, and it is audited and secured against loss. Each of these activities consumes the time (i.e. increases the cost) for those in information management.
Excessive data retention also exposes an organization to compliance and electronic discovery (e-discovery) risk. Personally Identifiable Information (PII) that is lost or breached can result in significant fines, and the more of it that is kept, the larger the exposure. Old document drafts that provide no organizational value can still damage the organization if disclosed. Data relevant to litigation is costly to locate, organize, and produce, and searching through an organization's legacy data adds further complexity and cost.
For the above-stated reasons, it is important to remove unnecessary data. A structured approach is necessary to avoid the loss of important data and to provide consistency throughout an organization. The structure can be accomplished through a data retention policy. A data retention policy should specify how long certain types of data such as emails, documents, drafts, instant message conversations, or even voice mails should be kept and how the data will be properly disposed of.
At a minimum, a data retention policy should contain a scope section that outlines the types of data covered. Examples would be tax records, personal information, business records and legal documents. Also, the policy will need to spell out how long and in what form each type of document will be retained. Some policies may include guidelines on removal of data – or this may be left to a data destruction policy.
One of the most difficult parts of defining a data retention policy is specifying how long to retain each type of document. Compliance requirements may set a minimum (and sometimes a maximum) retention period, while business requirements may stipulate other terms; both must be considered when defining the duration. The following are some common requirements that can be used as a starting point in forming a data retention policy:
- Audit documentation and associated financial records must be kept for at least seven years where the Sarbanes-Oxley Act (SOX) applies. IRS retention periods vary with the type of record: employment tax records must be kept for at least four years after the tax becomes due or is paid, whichever is later, and records supporting a return generally for at least three years from the filing date, longer in specific situations.
- OSHA's hazard communication requirements cover many substances common in the workplace, so a data retention policy should define how long employee exposure records will be kept. OSHA requires that such exposure records be retained for at least 30 years, and employee medical records for the duration of employment plus 30 years.
- The Health Insurance Portability and Accountability Act (HIPAA) requires that policies, authorizations for disclosure, business associate contracts and other documentation required by its rules be retained for at least six years from the date of creation or the date the document was last in effect, whichever is later. Retention periods for the medical records themselves are set by state law rather than by HIPAA.
- These retention periods are suspended when pending litigation or an audit requires an information freeze or legal hold on specific data. In these instances the organization must be able to show that it made reasonable efforts to prevent the destruction of discoverable information, so the policy should define who can issue a hold and how scheduled disposal is stopped for the data it covers.
Businesses have a definite need for data retention policies. The regulatory requirements mentioned here should be included in business retention requirements for those that fall under such regulations. An effective data retention policy can go a long way in reducing data clutter, improving organizational efficiency and reducing risk. However, defining the policy will not be enough. Employees will need to be aware of the policy and motivated to follow it.