CHAPTER 16:
SAFEGUARDING OF ORGANIZATIONAL RECORDS

Every organization must protect its important records from loss, destruction or falsification.

It is important to define ‘record’. According to the Federal Records Act of 1950,[8] a record is:

‘recorded information, regardless of medium or characteristics, made or received by an organization that is evidence of its operations and has value requiring its retention for a specific period of time’.

According to the National Archives and Records Administration (NARA) records include:

‘all books, papers, maps, photographs, machine-readable materials, or other documentary materials, regardless of physical form or characteristics, made or received […] or in connection with the transaction of public business and preserved or appropriate for preservation by that agency or its legitimate successor as evidence of the organization, functions, policies, decisions, procedures, operations, or other activities […] or because of the informational value of the data in them’.

Emails that meet this definition are corporate records, and retention policies must cover them.

Some records must be retained to meet statutory or regulatory requirements, while others may be needed to provide an adequate defence against potential civil or criminal action, to prove the financial status of the organization to the range of potentially interested parties (including shareholders, tax authorities and auditors), or to meet contractual liabilities. Records need not (and should not) be kept for ever, since this makes it difficult to find what is required when it is required. Time limits should therefore be set for the retention of each category of information. After this time, records should be destroyed, in line with the procedure adopted by the organization to ensure that any confidential information within those records is not inadvertently disclosed.

Some time limits will be set by statute or regulation, and the organization should establish, with its legal advisers, what the current categories of documents and their retention requirements are. The requirements of the IRS and of all federal and state statutes on corporate document retention should be identified and met.

For instance:

• The SEC enforces, under various regulations including the Sarbanes-Oxley Act, retention periods of two, three, four or seven years, depending on the company and the type of record.

• The SEC’s Rule 17a-4 requires broker-dealers to preserve certain trading records for six years (the first two in an easily accessible place), and business communications, which include emails, for not less than three years.

• The US Department of Labor’s Occupational Safety and Health Administration requires that some health-related records be kept for either 30 years or the duration of a person’s employment plus 30 years.

• Employment law enforced by the US Equal Employment Opportunity Commission stipulates that documents about job applicants and personnel records be kept for one to three years.

• For companies in the health-care industry, the Department of Health and Human Services requires under the Health Insurance Portability and Accountability Act’s Privacy Rule that certain records be held for six years.

• The Federal Energy Regulatory Commission has its own set of requirements, including one that requires companies to keep certain types of pricing information for five years.

Due consideration should be given to the possible degradation of media over time, and any manufacturer’s recommendations for storage should be followed. Change programs may have implications for data stored on, or only accessible through, media that are being replaced: adequate resources may need to be retained to access this information throughout its designated retention period, and the need for this should be assessed at the outset of any IT change plan.

These same principles (retention schedule, data inventory, appropriate protective controls and clear allocation of responsibility) should be applied to information stored digitally or on microfiche. Where an organization uses more than one storage medium, there should be a master index and guidelines for how each type of data is to be treated. Where digital data storage vaults are to be deployed, the organization will need to ensure that the technology enables it to meet its data storage responsibilities cost-effectively.

ISO 15489 is the international standard for records management, including the retention and disposition of records.[9]
