This article is cross-posted from the engine room blog.
Keeping data after projects end often involves spending time and effort to comply with legal requirements and archiving rules. Why does it matter? Imagine this scenario:
A human rights organization was collecting information about human rights abuses by the local government. The government heard about their work and wanted to stop it. Rather than attack the organization physically, which they knew would draw international attention, they decided to disrupt its work by tying it up in a nefarious legal case that included a subpoena for information on contracts from seven years ago. While the cases were all eventually thrown out, this caused harmful disruptions to the organization’s work and forced it to spend its limited resources on lawyers’ fees. (This scenario is adapted from the case study shared in the Responsible Development Data book.)
This is just one way in which opponents can hamper organizations’ activities using data retention legislation. While you may not be able to prevent your adversaries from using these kinds of tactics, you can prepare for them. By understanding the data retention laws that apply to your organization and managing your information accordingly, you can mitigate the risk that a legal request for information will harm your work. This blog post dives into the process of developing a data retention plan to ensure that your organization is holding onto (and organizing) the information it is required to keep, and destroying the information it doesn’t need.
This post is meant to prepare an organization for the process of developing a data retention plan or policy – also known as a Retention, Archiving and Destruction (RAD) plan. It outlines the purpose of this plan; the steps to create it; a few ideas for systems that an organization might find useful; and lots of useful resources to further explore.
Why would your organization need a RAD plan?
Holding onto information for too long can be harmful to advocacy organizations:
- There is an increased risk that the information is leaked, maliciously deleted, or accessed by those you do not want to have access (adversaries). There are many examples of leaked info; here’s the Sony one.
- As time passes it becomes more difficult to ensure that information is accurate.
- Even though you may no longer need the information, you must still make sure it is held securely.
- You must be willing and able to respond to access requests for any personal data (or potentially other data) you hold. This may be more difficult if you are holding more data than you need.
However, discarding data too soon can also be harmful:
- A nefarious legal case can severely disrupt the organization’s work because of the amount of resources needed to respond appropriately to a request for information (subpoena).
- An organization could be forced to close because it is unable to provide the adequate and accurate information required by law.
This makes it important that organizations create a RAD plan so that there is a well-considered balance between these two extremes (destroying data too soon, or holding on to it for too long). It is equally important to create an information management system to ensure that the RAD plan is implemented efficiently.
What is a RAD plan?
(Note: I am using the phrase “RAD plan” to denote everything included in a plan, policy and procedures that relate to how an organization retains, archives and destroys its information. I also use the terms “data” and “information” interchangeably.)
A RAD plan should describe:
- the types of data the organization must retain (and why)
- the length of time the data should be stored (and why)
- the format in which such data should be stored (and why)
- how the data will be retained, archived and destroyed
- who is authorized to delete data (also known as a RAD officer in this document), and who is responsible for confirming all organization data is properly destroyed before the organization’s equipment is disposed of
- who the policy covers
- the procedures that are to be followed in the event of a breach
- the penalties that result from violations. The policy should also require all covered parties to sign documentation attesting that they understand the policy and pledge to uphold its tenets. Policies must also state clearly that no organization officer, employee or other representative is to modify, delete or destroy any data in violation of local, state, federal, international or industry regulation.
How does an organization develop a RAD plan?
Step 1: Develop a Retention Schedule
You may find it useful to create a “Records Retention Schedule” for the entire organization to map out exactly what information you have and the retention requirements for each type of information. That process includes the following steps:
- Identify major information groups: Perform an information inventory, a complete and accurate listing of the locations and contents of your organization’s records. Categorize these records into groups.
- Create a universal classification scheme: This is a grouping of records by business function, record class, and record type as a way of dealing more practically with high volumes of records. Many companies can establish ten (or fewer) broad record functions, such as Operations, Accounting, Financial, Tax, and Legal. More info on page 13 of this guide.
- Perform legal research: The organization must understand the data retention laws that apply to its information. Legal research will help determine what the retention period should be for each record class. This work often requires the assistance of legal counsel, consultants or external records management experts. Legal considerations may include the following (more info on page 14 of this guide):
  - The locations of your offices
  - The location of your staff
  - The type of information you are collecting, using, creating and storing (e.g. taxes, financial records, email conversations, contracts).
- Overlay operational retention requirements: Determine how long your organization needs to retain information to meet departmental, operational or user group needs. The final retention period will be the longer of the two (operational and legal requirements).
Your retention schedule template might look something like this:
Step 2: Develop a system to manage retention
Put a system into place (procedures, etc.) for how your organization will carry out the RAD plan. Identify tools that will help you implement your RAD plan efficiently: find a home for long-term archival information; find a tool for secure information destruction; and find a file management platform that allows you to include metadata like “record type” or destruction date.
Ideally, an organization would be able to identify an efficient system to archive and organize files so that it’s clear to the RAD officer when a file should be destroyed. Here are a few ideas:
- TAGS: In many file storage platforms, it’s possible to tag files. Consider creating a system of tags to flag when files should be destroyed. For example, the tag “destroyJan2016” could be used for any file that was created in January of 2015 and has a 1 year retention requirement.
- FOLDERS: Once a file is ready to be archived, the organization could use a shared folder structure to identify how long a file should be retained, or when the file should be destroyed.
- EMAILS: You may find that in order to archive emails that can be used for legal discovery, you will need to migrate your email backups to a digital archive that is designed for low-cost, long term archiving (with tools for easy searching, discovery and retention management).
- SEARCH: Wherever you store and archive your information, you’ll want to ensure that it’s searchable so that if an information request comes your way, you’ll be able to find what is required. This should include a combination of a smart information architecture and a platform that has a powerful search functionality.
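The tag idea above can be combined with Step 1's rule that the final retention period is the longer of the legal and operational requirements. The following is an added example, not part of the original post: the record classes, retention periods, file names and function names are all constructed for illustration and are not legal guidance.

```python
from datetime import date

MONTHS = "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split()

# Constructed retention schedule, in months (illustrative values only).
SCHEDULE = {
    "contracts": {"legal": 84, "operational": 24},
    "email":     {"legal": 12, "operational": 36},
    "drafts":    {"legal": 0,  "operational": 12},
}

def retention_months(record_class):
    """Final retention period: the longer of legal and operational needs."""
    entry = SCHEDULE[record_class]
    return max(entry["legal"], entry["operational"])

def destroy_month(created, record_class):
    """First day of the month in which the record becomes due for destruction."""
    total = created.year * 12 + (created.month - 1) + retention_months(record_class)
    return date(total // 12, total % 12 + 1, 1)

def destroy_tag(created, record_class):
    """Tag in the style used above, e.g. destroyJan2016."""
    due = destroy_month(created, record_class)
    return f"destroy{MONTHS[due.month - 1]}{due.year}"

def due_for_destruction(records, today):
    """Return (due, needs_review). Records with an unknown class are never
    flagged automatically; the RAD officer has to classify them first."""
    due, review = [], []
    for name, created, record_class in records:
        if record_class not in SCHEDULE:
            review.append(name)
        elif destroy_month(created, record_class) <= today:
            due.append((name, destroy_tag(created, record_class)))
    return due, review

# Constructed sample inventory: (file name, creation date, record class).
RECORDS = [
    ("grant-draft.odt", date(2015, 1, 20), "drafts"),
    ("vendor-contract.pdf", date(2015, 1, 5), "contracts"),
    ("board-thread.mbox", date(2013, 11, 2), "email"),
    ("scan0042.pdf", date(2012, 6, 1), "unknown"),
]

if __name__ == "__main__":
    print(due_for_destruction(RECORDS, date(2016, 2, 1)))
```

The output is a review list for the RAD officer rather than an automatic deletion step, so an unclassified or misfiled record is not destroyed before its retention requirement is known.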
You’ll also need to determine the appropriate method of destroying information, for both physical and digital data. You can organize the method by record class or media type. More information on page 24 of this guide.
Step 3: Implement Plan and Train Staff
Figure out how you’ll share this information with your team and how you’ll train all necessary staff on how to implement the RAD plan.
Sheffield Health and Social Care shares their implementation plan in their retention and disposal policy. It looks something like this:
- Records Management Best Practices Guide by Iron Mountain – I found this guide particularly useful. The “General Principles” sections are helpful in thinking through many concrete aspects of these theoretical concepts.
- The importance of data retention policies, by TechRepublic (July 2006)
- Retaining Personal Data – Principle 5 of the Data Protection principles via the UK Information Commissioner’s Office (ICO): “you to retain personal data no longer than is necessary for the purpose you obtained it for.” This is part of a useful data protection guide for organizations, but focuses on personal data.
- Deleting Personal Data by the UK Information Commissioner’s Office (ICO) – An explanation of what is meant by “archiving”, “deleting”, “destruction”, and “beyond use”.
- How to destroy sensitive information in Security in a Box by Tactical Technology Collective
- Training curriculum on data retention and backup with a focus on digital security, via LevelUp
- Creating the records retention schedule you need via TAB (December 2012)
- 10 things you should know about long-term data archiving, TechRepublic (July 2010)
- Legal considerations related to managing your data, via the Responsible Data Forum (October 2014), but not a lot of information here about data retention
Examples of policies
- The UK National Offender Management Service’s archiving, retention and disposal policy
- Central Kentucky Riding for Hope, INC record retention and destruction policy (only 10 pages!)
- Sheffield Health and Social Care retention and disposal policy (includes an implementation plan!)