Column: Creating a records management policy and enforcing it
At its most basic level, information governance (IG) is the management of data across the information lifecycle. Although traditionally thought to focus squarely on records management, IG includes data security, privacy, knowledge management and e-discovery, along with related compliance and risk management issues.
However, a significant factor in IG risk does relate directly to records management, specifically the failure to appropriately manage records while allowing a “keep everything” culture to exist. Promoting data minimization and disposition requires much more than merely adopting a records management policy and retention schedule. Employees must be provided the means to comply to avoid a “rules without tools” environment.
To achieve policy compliance, organizations must address the four key aspects of records management: people, process, technology and controls.
INFORMATION GOVERNANCE RISK
Poor records management gives rise to substantial risk. This includes adverse litigation consequences from preservation failures, regulatory fines deriving from compliance breaches, negative impact on business needs, loss of sensitive business information, and, in the event of a data breach, business continuity concerns and violation of privacy laws with related reputational damage. By some measures and as found in a recent study by the Ponemon Institute, the cost per lost or stolen record containing sensitive and confidential information exceeds $150. While there is no question that organizations should take steps to enhance their information security practices, the surefire method of avoiding unauthorized access to data and minimizing many of the above-mentioned risks is to avoid storing data in the first place.
RECORDS MANAGEMENT AND RETENTION POLICIES
In the absence of a records management policy, or rather an enforced records management policy, a “keep everything” practice will naturally evolve. In the absence of a litigation or investigation-related duty to preserve, organizations should consider their business needs and regulatory requirements when crafting retention schedules. Although this appears simple on the surface, many organizations implement unnecessarily lengthy and detailed retention schedules with hundreds of record classes falling under numerous retention periods. Compliance for employees can be difficult even when schedules are pared down, but without appropriate tools to facilitate compliance, there’s virtually no chance the policy will be followed. When compliance is onerous and burdensome, employees will violate the policy and often resort to a “keep everything” approach, thereby defeating the policy’s entire purpose. To achieve employee compliance, a path of least resistance must be provided.
ACHIEVING RECORDS MANAGEMENT COMPLIANCE
There are four key components to achieving compliance with records management policies: people, process, technology and controls.
PROGRAM GOVERNANCE: PEOPLE
Records management begins with program governance. Depending on an organization’s size and structure, the following components may be implemented:
RECORDS MANAGEMENT STEERING COMMITTEE: This committee consists of key stakeholders, including from the legal, compliance and information technology (IT) departments. The steering committee has authority over retention schedules and is responsible for high-level program management and oversight.
RECORDS MANAGEMENT TEAM: A records management team comprises program administrators, including a records coordinator. This group administers the program, coordinates policy implementation and oversees records management training sessions.
DEPARTMENTAL RECORDS COORDINATORS: These individuals coordinate records inventorying and destruction within their respective departments, conduct training of department employees and serve as liaisons to the records management team.
EXECUTIVE SPONSOR: An executive sponsor provides direct support to the steering committee and serves as a “champion” for the program. Without an effective executive sponsor, a records management program will fail to gain organizational acceptance.
POLICIES AND PROCEDURES: PROCESS
A set of records management policies and procedures addresses responsibilities of employees, processes for managing records, destruction procedures, legal obligations, employee training and compliance monitoring. The policy also incorporates a retention schedule. Organizations must tailor their procedures to fit their business processes, needs and structure.
TECHNICAL SOLUTIONS: TECHNOLOGY
Compliance in records management requires providing employees with tools that promote desired records management practices, i.e., data minimization. This may include a content management system that permits assignment of record classes to automate data disposition upon expiration of assigned retention periods. Compliance will not be achieved in a “rules without tools” environment.
PROGRAM MANAGEMENT: CONTROLS
Program management, specifically employee training and compliance monitoring, must be tailored to fit the organization. This may include development of a training program with quarterly sessions, annual departmental assessments, an online repository of training materials and distribution of periodic reminders. Training as to “official” versus “unofficial” records may decrease retention of “unofficial” documents.
POTENTIAL ACTION ITEMS
When developing a records management program or assessing an existing one, organizations should ask a host of questions, such as:
What level of support is needed from an executive sponsor?
Is the steering committee vested with sufficient authority?
Will existing IT systems and repositories promote desired retention practices?
Are the records management team and the IT department positioned to cooperate and collaborate in purchasing and configuring tools?
Is additional records management training needed?
Are employees motivated to comply with the policy?
How are records maintained by third parties handled?
Is an overly complicated retention schedule impacting the feasibility of compliance?
Is an appropriate legal-hold procedure in place?
FINAL THOUGHTS
The primary focus in achieving compliance with records management policies and document retention schedules is creating a path of least resistance. Adopting a policy and retention schedule is merely the first step. Organizations must focus on implementing an appropriate program structure and avoiding a “rules without tools” environment.
Daniel M. Braude is a partner in Wilson Elser’s New York Metro offices and is co-chair of the firm’s national e-Discovery practice. In addition, he serves as an adjunct professor at Pace University School of Law. He can be reached at daniel.braude@wilsonelser.com.