Taking Out the E-Trash
Is your organization storing electronic records and information with expired retention periods indefinitely because it lacks a sustainable policy and process for getting rid of it? If “yes,” this article can assist in your efforts to develop a sustainable policy and process by shining a light on what other organizations are doing to comply with recordkeeping requirements, decrease storage requirements, and reduce litigation risk when destroying records whose business and legal requirements for retention have been satisfied.
Susan Cisco, Ph.D., CRM, FAI, and Brad Teed
Most organizations have an established process for destroying expired physical records, but they keep electronic records indefinitely because stakeholders cannot agree on how to extend the process to expired electronic records. A 600-employee county government agency has been stalemated for months on a destruction policy, “… our IT administrators, particularly for SharePoint, want to build automatic deletion into the system, according to our approved retention schedule. Our Attorneys say, ‘NO!’ We still have to print destruction lists, get signatures, and maintain as a permanent file, just as we do with hard copy records.” Respondents to the “2009 Cohasset ARMA International Electronic Records Management Survey” confirmed that with regard to electronic records destruction, there is considerable divergence. Approximately one-third (36%) of respondents reported having formal procedures for destruction of electronic records, half of which routinely issue and retain certificates of destruction. The remainder of the respondents (64%) did not have formal procedures or did not know if/how electronic record destruction is managed.
The purpose of this article is to analyze pertinent legal and regulatory requirements and industry standards for guidance on what constitutes legal destruction of electronic records (this article is limited to a discussion of the records that an organization legally recognizes as establishing some fact or decision or as evidence of a business transaction). Then the article will identify elements of an electronic records destruction policy and process that organizations can leverage to improve compliance with standards, laws, and regulations and reduce litigation risk when they destroy outdated and useless records.
Legal and Regulatory Requirements for the Destruction of Electronic Records
The National Archives and Records Administration (NARA) requires that all U.S. federal agency electronic records, including e-mail messages, be destroyed in accordance with an approved records disposition schedule (2 CFR Part 2600, Subchapter B, Part 1234.34). Additionally, electronic records scheduled for destruction must be disposed of in a manner that ensures protection of any sensitive, proprietary, or national security information. NARA does not require certificates of destruction for federal agency electronic records.
For organizations in the private sector, destruction practices for protected information about an identifiable individual employee, customer, or supplier are regulated. Examples of protected information include Social Insurance/Security number; account number, credit, or debit card, in combination with any required security code, access code, or password that would permit access to an individual’s financial account; driver’s license or state identification card number; consumer credit reports; and personal medical information. In the United States, federal legislation such as the Health Insurance Portability and Accountability Act (HIPAA) and the Fair and Accurate Credit Transactions Act (FACTA) requires destruction or deletion of electronic files or media so the information cannot be read or reconstructed. Organizations must implement reasonable safeguards in connection with the disposal of protected information; however, neither HIPAA nor FACTA mandates specific disposal methods.
At the U.S. state level, more than 40 state governments have adopted privacy protection legislation that potentially impacts private sector organizations. Colorado, for example, has a law requiring the establishment of policies for safe destruction of documents containing Social Security numbers.
Rule 37 of the Federal Rules of Civil Procedure (FRCP) states that, “Absent exceptional circumstances, a court may not impose sanctions under these rules on a party for failing to provide electronically stored information lost as a result of the routine, good-faith operation of an electronic information system.” This safe harbor is a compelling reason for organizations to include a well-documented policy for electronic record destruction in their records and information management (RIM) programs.
International requirements such as Canada’s Federal Personal Information Protection and Electronic Documents Act (PIPEDA) and the European Union (EU) Data Protection Directive 95/46 EC also address destruction of personal information. The EU directive, for example, requires personal information be rendered anonymous and retained in a form in which identification of the data subject is no longer possible when the data's purpose has been served. For organizations that must comply with EU requirements and countries with similar privacy legislation, the indefinite retention of personal information is considered excessive in terms of data protection requirements.
Industry Standards and the Destruction of Electronic Records
Compliance with the legal and regulatory requirements above can be achieved by establishing a consistent process with reasonable safeguards and destruction governance appropriate to the information’s level of sensitivity and/or security classification. Industry standards provide guidance on developing such a process. The international standard ISO 15489-1:2001, Information and Documentation – Records Management – Part 1: General, was developed by an international committee of records management professionals and launched by ARMA International. It states that records systems should be capable of facilitating and implementing decisions on the disposition, including destruction, of records and, where appropriate, for disposition to be activated automatically. All copies of records in all media and formats that are authorized for destruction should be destroyed and an auditable record of disposition action maintained. Records pertaining to pending or actual litigation or investigation should not be destroyed. Certificates of destruction are recommended for destruction undertaken by third parties. (In physical records management, certificates of destruction usually include the date, time, location, method of destruction, and signature of the operator.)
The Model Requirements for the Management of Electronic Records (MoReq) specification was developed by a UK-based team based entirely on international standards and best practices. The most recent version, MoReq2, defines a standard specification of requirements for electronic records management offerings. It states that in some environments, retention schedules are used to govern disposition without a review. In others, schedules trigger a review of the specified disposition action, including destruction, on a group of records that has reached the date or event specified in the schedule. In some environments it is desirable to retain information about records which have been destroyed, and MoReq2 requires that the electronic records management system has the ability to retain a “metadata stub” for this purpose. MoReq defines “metadata stub” as, “The subset of the metadata for an item that is retained after the item has been disposed of, to act as evidence that the item used to be held and has been properly disposed of.”
Establishing Governance for the Destruction of Electronic Records
Next, this article will identify elements of an electronic records destruction policy and process that are helping organizations improve compliance with standards, laws, and regulations, decrease storage requirements, and reduce litigation risk when they destroy outdated and useless records. Coupled with evidence that the policy and process are routinely followed, an organization can better demonstrate when necessary that the destruction of records was in good faith. Although not necessarily protected by laws and regulations, destruction of an organization’s proprietary records, such as intellectual property and confidential financial information, also needs to be managed consistently. Based on the authors’ experience with organizations that are establishing/have established a policy and process for electronic records destruction, eight elements surfaced repeatedly across organizations and industries:
- Governance Covers All Records and Record Formats — The governance process, including destruction, covers all records and record formats, physical and electronic. Although not addressed in this article, the process for physical records destruction needs to be consistent with the approach for electronic records.
- Records Retention Schedule — An up-to-date approved records retention schedule covers all jurisdictions, United States and international. A records retention schedule is a formal business policy that lists the types of records an organization creates and acquires and how long they should be retained. Experts recommend updating the schedule every 18 to 24 months, especially in highly regulated industries.
- Retention Hold Process — A standardized process for applying and removing retention holds suspends the records retention schedule in the event of current or anticipated litigation, governmental proceedings, investigations, or audits.
- Automated Records Destruction Process — A standardized process for electronic records destruction is automated when possible and sustainable. When an electronic record satisfies its retention period per the organization’s approved records retention schedule, it is expected to be destroyed immediately. When the destruction of electronically stored records cannot be automated, manual processes are designed so records are deleted at the end of their retention periods. Whether automated or manual, record destruction includes all preceding versions of records. The process needs to ensure the records, and the media that support them, are destroyed in a manner that prevents their reconstruction. Some organizations require complete, irrevocable destruction of certain types of records (sometimes called forensic deletion), which generally takes longer and costs more.
- Destruction Logs — To reduce litigation risk, legal departments need a defensible position to support the automatic deletion of electronic records based on standardized processes for record destruction and retention holds. Destruction logs provide evidence and verify completion of electronic record destruction. Keep information on the destruction log to a minimum, starting with the unique identification of a record (number, filename, or record title). Additional information to capture on the destruction log includes the significant dates of the record’s lifecycle, e.g., creation and destruction dates and system-generated information and properties (creation date, destruction date, and the system that destroyed it). The importance of the destruction log is to prove a specific record was destroyed and provide evidence in the case of an investigation. Destruction logs are considered to have record value to be managed in the records retention schedule.
- Third Party Destruction — When third parties are contracted to destroy electronic or physical records, certificates of destruction are recommended and usually include the date, time, location, method of destruction, and signature of the operator who destroyed the records. Certificates of destruction in physical records management are the equivalents of destruction logs in electronic records management.
- Training — Train users and information owners on destruction protocols. Training needs to be implemented for new hires and for all employees as part of regular compliance-training activities.
- Compliance — Monitor for compliance in ways that are non-disruptive to business activities and transparent to users. One example is, “Key electronic records repositories will be sampled throughout the year. The objective of the sample is to confirm the complete and accurate destruction of electronic records through secure overwriting or actual media destruction. In addition, the records due for destruction per the records retention schedule and the current listing of retention holds will be audited against the records actually destroyed. The audit task will be performed annually within 30 days of the scheduled destruction date. Where areas of non-compliance are discovered, the organization will take action to address them and bring them into compliance.”
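The following sketch is an added example, not part of the original article. It shows how the retention schedule, retention holds, the minimal destruction log, and the annual audit reconciliation described in the elements above fit together. The record types, retention periods, record IDs, system name, and function names are constructed for illustration, and the `del` statement stands in for whatever secure deletion the repository actually performs.

```python
from dataclasses import dataclass
from datetime import date

# Constructed schedule: record type -> retention in years (assumed values).
SCHEDULE = {"invoice": 7, "timesheet": 3}

@dataclass
class Record:
    record_id: str
    record_type: str
    created: date
    on_hold: bool = False  # set/cleared by the retention hold process

def expiry(rec):
    """Date on which the retention period is satisfied."""
    year = rec.created.year + SCHEDULE[rec.record_type]
    try:
        return rec.created.replace(year=year)
    except ValueError:  # created on Feb 29, target year is not a leap year
        return rec.created.replace(year=year, day=28)

def run_disposition(repo, today, system="records-repo-01"):
    """Destroy expired records not on hold; return (destruction_log, held_ids)."""
    log, held = [], []
    for rec_id, rec in list(repo.items()):
        if expiry(rec) > today:
            continue  # retention period not yet satisfied
        if rec.on_hold:
            held.append(rec_id)  # hold suspends the schedule
            continue
        del repo[rec_id]  # stand-in for the repository's secure deletion
        # Minimal log entry: identity plus lifecycle dates and destroying system.
        log.append({"record_id": rec_id, "created": rec.created.isoformat(),
                    "destroyed": today.isoformat(), "system": system})
    return log, held

def audit(due_ids, hold_ids, log):
    """Reconcile records due and current holds against records destroyed."""
    due, holds = set(due_ids), set(hold_ids)
    destroyed = {e["record_id"] for e in log}
    return {"missed": sorted(due - holds - destroyed),
            "destroyed_on_hold": sorted(destroyed & holds),
            "destroyed_not_due": sorted(destroyed - due)}

def sample_repo():
    """Constructed sample records."""
    recs = [Record("INV-001", "invoice", date(2001, 3, 1)),
            Record("INV-002", "invoice", date(2001, 5, 9), on_hold=True),
            Record("TS-010", "timesheet", date(2008, 1, 15))]
    return {r.record_id: r for r in recs}
```

Any non-empty list returned by `audit` is an area of non-compliance: a record that should have been destroyed and was not, or one that was destroyed while on hold or before its retention period ended.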
What About Non-Records?
Although not discussed in this article, recorded information that does not have record value, such as convenience copies of official records, most drafts, and vendor catalogs, needs to be managed for retention purposes as well. Using information lifecycle states, organizations can consistently apply retention to information depending on its lifecycle stage. A common information lifecycle model for electronic records has three lifecycle stages: 1) temporary, 2) work-in-progress, and 3) record. Information in the temporary and work-in-progress lifecycle stages might be managed in SharePoint (for example), and the records would be maintained in an electronic record repository, which might be in SharePoint or might be another repository of record.
Organizations need to establish a systematic approach to the management of all records and information, including a consistent and scalable process for destroying records in all formats and media in accordance with an approved records retention schedule. The process must demonstrate the uniform application of RIM policies and processes, including adherence to confidentiality and security requirements and recognition of records on legal, tax, or audit holds. Going forward, destruction requirements need to be part of an organization’s systems development and implementation methodology.
Susan Cisco, Ph.D., CRM, FAI, can be contacted at email@example.com.
Brad Teed can be contacted at firstname.lastname@example.org.
Web Exclusive September 2009