Whether you are dealing with trivial emails or vital corporate policies, if you are collecting and working with data on a day-to-day basis, it is crucial for your organization to understand:
What type of content you are working with?
How long you should retain this content for?
Compliance with rules and regulations regarding document retention is crucial in Records Management. Failure to adhere to these legislations increases the potential for litigation, particularly during audits.
Not only should businesses comply with Records Management Legislation, but they should also consider their own requirements, as retaining content that no longer brings value to the organization can lead to high operational and storage costs. By solely retaining documentation that brings value to the organization, these costs can be reduced as well as the quantity of documents retained all together.
The reduction of unnecessary documents can also have positive impacts on your ability to search and find documentation in the organization and reduce the overhead needed to manage the documents.
Managing records, understanding their contents, and having the right tools in place to protect the information found within said records can be quite the task. However, by having a clearer picture of what type of content the organization holds, one should have the opportunity to fortify the policies in place and improve the compliance and protection of the records.
These policies should focus on record lifecycle; how the record is created, used, and deleted through the organization's business processes is important to understand. As deleting vital business records before their retention period is over, can increase the risk of litigation against the company and can lead to major loss of corporate knowledge and vital information.
With this said, the primary goals of Records Management focus on:
Meeting the organization and legislated requirements.
Reducing operational and storage costs.
Increasing the ability to find and manage documents and records.
Improving the compliance and protection of records.
Decreasing the risk associated with early disposition of records.
Record Management is a broad topic which can often cause confusion on where to get started. Below are some suggestions on how to make your Record Management journey a reality:
*Steps marked by an asterisk are optional.
Break down your Content:
To define records management guidelines, you must understand and define what type of record are found in your organization. This can most commonly be achieved by breaking down the organization in departments/functions, followed by their related activities.
For example: A Human Resources department (Function) may recruit new employees (Activity).
By defining the functions and activities within your organization you can then start defining what type of contents are being generated from each activity found.
Example: By recruiting, the human resource department may, exchange emails with potential candidates, collect resumes, and/or other documentation pertaining to the recruitment process.
Once you have defined what type of content is generated from your organization's activities, you can now define if this content should be considered a record.
Define your Records:
As mentioned above, a Record can be defined as any content which holds value to your organization. The value of the content found can be based on its relation to conduct day-to-day operations.
If the loss or destruction of specific content would prevent and impact users from performing their duties, the content should be defined as a record.
Example: If the Human Resources department accidentally lost all potential candidate recruitment information (including exchanged emails and resumes containing personal, private information) would it have impact on the Human Resources day-to-day operations?
Answer: Yes, the department would be unable to hire any potential candidates, therefore the interview contents could be said to have record potential and should be considered moving forward.
*Define your Records Sensitivity Level:
If content was established to be a Record, it holds some value to the organization and therefore could hold very valuable pieces of information that may not be suitable for everyone in the company to see. Therefore, most companies define a sensitivity level for their Record Types, such as "Public", "Internal", and "Confidential".
"Public"
Sensitivity Level could be defined as any record with information that everyone, in and outside of the organization, could have access to.
"Internal"
Sensitivity Level could be defined as any record with information that anyone working in the organization could have access to.
"Confidential"
Sensitivity Level could be defined as any record contain personal private information which only specific employees in the organization should have access to.
Example: Recruitment Records hold personal private information and therefore only hiring managers within the organization should have access to those documents.
This is fully up to the company's discretion and the use of custom sensitivity and permissions levels can be created based on the company's requirements.
Solutions such as Microsoft 365 with Microsoft Purview can easily achieve sensitivity requirements across emails, documents and records.
Define the Legal Requirements:
Once you have defined all your organization's potential records, you must research if there are any legislative requirements relating to the retention of those record types. q
This process can be completed by a specialized lawyer who can advise you on which laws could be affecting your record management requirements.
Example: In Canada, the Human Rights Legislation states that all Recruitment Documents should be retained for 2 years from the hiring decision date. Therefore, even if a candidate is not hired at your organization, is it the law that your organization should retain the recruitment documents generated from the human resource department for at least 2 years, after making a hiring decision.
Define your Business Requirements:
Once you have identified the Legal Requirements regarding your organization's contents, it is time to refine the retention periods for each record type.
You should evaluate if it would be beneficial for your organization to keep content longer than the legislative requirements.
Keep in mind, there are risks associated with keeping contents longer than the legal requirements. In certain scenarios, it could be more harmful then helpful to keep the content for longer, however the opposite can also be said.
Therefore, a strong risk analysis should be conducted to evaluate the risks and benefits of each record type's retention period, keeping in mind to never implement a retention period shorter than the legislative requirements identified in the section above.
Example: Would it be beneficial to keep recruitment records for longer than 2 years? Human Resources could argue that if they are looking into new candidates and haven't had new submissions, they could look at previous recruitment files and try to find a suitable candidate from over 2 years ago. Although this may make sense to certain companies, you also must consider the impacts of reaching out to those old candidates. Could an old candidate raise concerns towards the company still having their personal private information past those 2 years? And if so, could they have grounds to starts litigation against the company?
These are some questions to consider when conducting your risk analysis for defining your business requirements.
Merge all Previous Steps into a Retention Schedule
After defining the requirements above, you should be left with a list of all the record types in the organization as well as their associated retention periods.