The Complete Compliance and Ethics Manual

The Life Cycle of Recorded Information

First and foremost, an organization must identify the scope of the data and information governance program. Generally, a program needs to address the entire life cycle of all recorded information generated by, at, or on behalf of the organization from the moment of creation or receipt through use and management, storage/archiving and, ultimately, destruction. A program should address both official business data and information, as well as that data and information that are personal or for convenience of the organization’s workers.

Creating an Effective Data and Information Governance Program Infrastructure

The goals of any data and information governance program should be to: 1) ensure all business data is identified and has an appropriate life cycle, 2) ensure that all workers know when they are acting as a custodian for data and know how they are expected to manage that data, including where to store it, who and how to grant access to the data, and when and how to delete it, and 3) ensure that as data and information types and forms change, the program evolves and is appropriately updated. In order to accomplish these goals, there are several components for consideration, including:

• An effective team working collaboratively in departments, groups and functions such as IT, Privacy and Legal;

• A clear and appropriate policy or set of policies;

• A clear and well-defined retention schedule;

• Custodian assignment and identification;

• Effective tools and systems and processes to monitor and manage changes;

• Effective training and awareness for all workers at the right level about the program; and

• A well-defined process for issuing and managing records holds (and discovery for U.S. litigation).

Each will be discussed in turn.

Data and Information Governance Program Components

• Data and information governance team

• Data retention policy

• Data retention schedule

• Data custodian identification

• Tools and systems

• Education and training

• Hold management process for audits, investigations and litigation

Data and Information Governance Team

A key to the success of any program is the team. It is important to ensure that there are sufficient resources dedicated to the data and information governance program for the size and complexity of the organization. One size will not fit all. An organization of 1,000 employees located across three sites in the United States with six business areas will have different resource needs than an organization with 20,000 employees located across 10 sites in four countries and three business areas. Likewise, a business that deals in generating and selling data will have different needs than a business that makes and sells food products. At a minimum, it is recommended that every organization have a lead person who is responsible (whether full-time or otherwise) for data and information governance.

The following records and information management roles and responsibilities may be necessary:

• Assessment of current state of data and information governance.

  This should include the nature of business, types of data and information, forms of data and information, and current practices for data storage, retention and destruction. This assessment will require interaction with every business group and a close working relationship with information technology experts and, in many cases, with the legal department and privacy subject matter experts.

• Data policy and retention schedule development.

  This task can be assigned to a project team, committee, or single person (consultant or employee) as appropriate. Development of the appropriate retention periods may require consultation with in-house or outside legal counsel regarding local, state, federal, and country regulations.

• Business Area data coordinators/subject matter experts.

  These people can liaise with the program office or personnel and assist with ensuring personnel in their specific business area understand the applicable portions of the data retention policy, follow the policy and retention schedule, and see that all new developments are fed back for program updates.

• Hold management and coordination.

  Audits, investigations, and litigation (actual and potential) bring a host of specific retention requirements that may conflict with the general data and information management process. It is therefore important to have personnel in the program office, legal department, and IT groups who understand these issues and are prepared to mitigate the risks with appropriate issuance of data hold notices, systems holds, and review and collection of information potentially relevant to litigation.

Data and Information Management Policy

Development of the data and information management policy and a retention schedule is at the heart of most programs. The policy is where an organization should clearly articulate expectations with regard to the creation, management, storage and destruction of data and information. At a minimum a policy should:

• Identify and distinguish business records from convenience records;

• Provide compliance expectations and the potential consequences for failure to comply;

• Identify where employees can find the appropriate retention periods;

• Direct employees on how to manage electronic data and information;

• Direct employees on how to manage physical records onsite;

• Direct employees on how to store records and information offsite (if applicable);

• Provide details on any process required prior to destruction of official business records;

• Educate employees about the potential for litigation or other holds and the process for managing those holds; and

• Notify people where they can seek guidance or additional information.

Refer to the sample policy in the appendices at the end of this article.

Data Retention Schedule

In addition to the policy, or as a component of it, organizations should also create and adopt a data retention schedule identifying the length of time each category of information should be retained. Retention requirements are a mix of legal, regulatory, business and best practices rules applied to different categories of records and information. There are some clear legal/regulatory mandates for how long certain types of records/ information must be kept (e.g. The Occupational Safety and Health Administration, or OSHA, requires copies of records and information related to employee hospitalizations related to work-related injuries or illnesses be maintained for 30 years). The statute of limitations for certain types of legal claims can also drive some retention dates (i.e. contract claims generally have no more than a three-year statute of limitations, so records related to contracts are often kept three or more years from the termination date to ensure availability in the event of a dispute that arises during the statute of limitations). Further, contractual agreements of an organization generally have a term and/or termination date and possibly some continuing obligations which may drive retention periods. The business area(s) may also have their own vision and desires for retention periods based on the way the business runs. Regardless of the driver of the retention period(s), it is important to supplement the data management policy with a data retention schedule. This schedule should advise how long different types of data and information must be retained and the trigger date for the running of the retention period and provide concrete examples of records that fall into each record class. A sample retention schedule excerpt is included in the appendices at the end of this article.

In creating the data retention schedule, organizations must consider how many different retention codes and periods they want to create and enforce. Some businesses may opt to retain all records for only the minimum period required for legal, regulatory, or business reasons, which may result in hundreds of different retention categories and periods. Other businesses may opt to adopt fewer retention categories with retention periods that might be longer than specifically required, in favor of simplicity of the program. Such considerations are important decisions for each organization to make based on the risk profile of their records and their risk appetite.

Identifying Data Custodians

Another critical component in a data and information governance program is identifying data custodians; that is, those persons who are responsible for maintaining the single official business copy or information. For example, a human resources manager may be tasked as the company custodian for all official company personnel files, while an IT manager may be tasked as custodian for all electronic systems, servers and backups. Given the electronic tools and mobile devices in abundance today, as well as copiers, scanners, email and other technology, there are almost inevitably multiple copies of any single piece of information. Identifying and publicizing single data custodians can therefore help create efficiencies and reduce costs and ensure that duplicates are retained only as convenience records so long as needed, but do not become part of the business records and information archive. In addition to official custodians, litigation will also involve specific witness custodians who may have relevant information (official business or convenience records) by virtue of their role in the company or interactions on a specific matter.