By Chris Godinich, President/CEO
We often get this question surrounding retention of records, especially from organizations that do not have formal retention policies in place.
The basic answer is when they are no longer required (required being the key word) and when they no longer provide the organization value. These are the two tenets of a good retention policy.
Owning, managing, or operating a business poses the constant challenge of remaining fully compliant with a well-established Records Retention and Records Destruction Program.
- The unnecessary retention and accumulation of records increases risk and liability and leads to inefficient use of resources (i.e., costs money).
- Even solutions that incorporate digitization of records must ensure that information is well secured and managed, to avoid unauthorized access to sensitive data.
Retention best practices must also ensure that records necessary for auditing or other evidence-based activity are not destroyed and are readily accessible.
This leads back to the original question of when and how business records should be destroyed.
1. When Required Retention Periods Have Been Met
Following and reviewing applicable federal and state document retention rules should be the norm within your organization.
Some of the most relevant laws, acts, and agencies that require records retention are listed below:
- Americans with Disabilities Act (ADA)
- Age Discrimination in Employment Act (ADEA)
- Civil Rights Act of 1964
- Employee Retirement Income Security Act (ERISA)
- Equal Employment Opportunity Commission (EEOC)
- Family and Medical Leave Act (FMLA)
- Fair Labor Standards Act (FLSA)
- Federal Insurance Contributions Act (FICA)
- Federal Unemployment Tax Act (FUTA)
- Gramm-Leach-Bliley Act
- Health Insurance Portability and Accountability Act (HIPAA)
- Internal Revenue Service (IRS)
- Occupational Safety and Health Act (OSHA)
- Sarbanes-Oxley Act
And even for record types that may not be clearly defined within retention statutes, the Uniform Preservation of Private Business Records Act (UPPBRA) may offer a helpful guideline.
Certain states, such as Texas and Illinois, have adopted this type of standard, under which organizations keep records not covered under statute-specific retention periods for at least three years.
There are also additional considerations for businesses and agencies that process credit card payments and that may require additional retention guidelines under PCI Compliance.
2. When the Data Has Served Its Purpose
Data that does not serve a purpose beyond legal or long-term use can and should be shredded periodically. Examples of these documents are financial paperwork such as bank statements and deposit slips. So long as these documents are reconciled with your bank prior to destruction and the bank has provided you with an end-of-year statement, they are no longer of use to your organization and can be shredded.
3. When Data Imaging Has Backed Up the Data
Recently, there has been a larger shift towards storing data electronically, rendering hard copies obsolete. Digital copies of most forms are sufficient, and the hard copies can be shredded. Bear in mind that some documentation needs to be stored physically, in its original state, and with wet signatures; therefore, a sound retention and destruction program must be in place to avoid compliance issues down the road.
4. When the Information Is Confidential
Information of a sensitive nature, such as access records and identifiable data that may be maliciously used for identity theft and/or hacking, must be destroyed in a timely and secure manner. Any information that is found in a physical or electronic trash can may be accessed and used by the wrong person and expose you and your organization to unnecessary risk and liability.
While following best practices and retention schedules, by industry and data type, is important, there are also times when destruction of data may be completely restricted, either for a period or indefinitely. Some of these scenarios include:
- If a particular record or records must remain available for litigation purposes.
- If legal notice is received expressly prohibiting the destruction of a particular document or information.
- If an audit is to be conducted. In this case, the destruction of the record must be postponed until the audit process is complete.
- If there are records with a specific business purpose or historic value that does not interfere with any records retention regulation at the industry, federal, and state levels.
In conclusion, this topic of records retention is loaded with details and detailed exceptions that this post can’t jump into. Common-sense practices make good frameworks when paired with the adoption of proper policies and procedures. But inaction and procrastination (both in adopting processes and procedures and in timely destruction) are really the only firmly bad answers here.