The Record Management and Retention Review Process

Written By Stephen D. Burns

Until recently, most organizations in Canada only had to ensure that they kept their records for the minimum time frames required by the legislation or professional standards applicable to such records. Many organizations kept their records indefinitely.

With the adoption of private sector privacy legislation in Canada, most organizations are now required to ensure that they do not retain personal information (namely, information about an identifiable individual) for longer than such information is reasonably required to fulfill the purposes for which it was collected. As a result, record keeping practices in respect of personal information need to change.

In addition to the new privacy requirements, significant media attention has focused on improper record destruction. From the allegations of intentional shredding of documents by government officials, corporate officers and professional advisors to the inadvertent disposal of thousands of confidential police records in a landfill, the issues of record retention and record management are now the subject of the evening news.

Not surprisingly, with all of the attention on record retention and record management, these issues are now being reviewed by directors and senior management. Many organizations are now focusing their attention on the issue of how best to manage their record retention and record management practices.

Striking A Balance

Generally, the objective of an organization in undertaking a review of their record retention and record management practices is to develop an understanding of how best to balance:

A) the organization's need to retain full and accurate records to:

• facilitate action by its personnel, at any level, and by their successors, in support of the organization's business activities;
• make possible a proper scrutiny of the organization's conduct by anyone authorized to undertake such scrutiny; and
• protect the financial, legal and other rights of the organization; with

B) the organization's need to:

• avoid perpetually retaining an ever-increasing number of records, including records in multiple formats (paper, electronic, etc.); and
• comply with applicable legislation, such as privacy laws.

This understanding is generally developed through a careful review of the organization's record management and retention practices.

The Review

Without a fundamental understanding of the records that are typically generated or received in the conduct of an organization's activities and the environments in which it operates, it is difficult to develop an appropriate set of policies and practices to guide the organization in its record retention and record management activities. Accordingly, the first step towards the development of a record retention and record management practice is to conduct a review of the organization's records and its activities in respect of those records.

Although a relatively straightforward exercise, the review process will invariably be as complex as the activities undertaken by the organization. That being said, the record management/retention review process normally consists of a series of inter-related steps, including the:

• determination of the business activities conducted by the organization, the records that are typically generated or received in the conduct of those business activities, and the use of such information within the organization (often referred to as an "information flow");
• assessment of the organization's legislative and regulatory environment, including a determination of the legislative and regulatory bodies overseeing its business activities, and the applicable legislation and regulation governing such activities;
• assessment of the organization's contractual environment, including a determination of the contractual and equitable obligations impacting its business activities, the applicable agreements governing such activities (such as confidentiality, arbitration, and operating covenants), and the parties with whom the organization exchanges information;
• assessment of the organization's operational parameters impacted by record management and retention, including its communication and other information systems; and
• analysis of the organization's current business activities in respect of the legislative, regulatory, contractual and operational environment and the identification of the "gaps" between the organization's practices and the obligations existing in such environments.

Having completed the review process, the organization then faces the task of converting the findings of their assessment into action. This can be done through the development and implementation of record management (creation, access, storage) and record retention (time periods and form of destruction) guidelines, practices and policies.

The Record Management Policy

The organization will wish to ensure that the policy adequately addresses the creation, use, access, disclosure and storage of records and manages the risks associated with:

• the ability of the organization to identify and discharge its obligations to third parties with respect to the treatment of confidential information or personal information (as mandated by the various private sector privacy legislation);
• the creation of partial communication records that may result in the creation of adverse inferences, if and when, litigation, investigation or audit arises (i.e. the risk that a series of e-mails between two employees (who are no longer active in the organization) discussing the non-compliance of the organization with certain legislation is produced during litigation, and the organization is not able to produce a record of the meeting where the employees determine, not withstanding their e-mails, that the organization is compliant with such legislation); and
• the security of the information systems and the records contained therein.

The Record Retention Policy

The organization will wish to ensure that the record retention policy adequately addresses the risks associated with the destruction of records, such as:

• the inadvertent destruction of a record by personnel prior to the expiry of the relevant retention period;
• the drawing of adverse inferences from the destruction of a record, if and when, litigation, investigation or audit arises (and exposure to related sanctions); and
• the destruction of a record (even after the expiry of the applicable retention period) that is later required to assist your organization in supporting or defending its interests.

While none of these risks can be eliminated completely, they can be mitigated though appropriate personnel training, and through the consistent application and enforcement of the guidelines, practice and policies adopted by the organization.

The Challenge

Reliance solely on "legislative/regulatory retention charts" may expose the organization to significant risk should information not also be managed in the context of the contractual environment of the organization, and significant costs should the guidelines, practices and policies that are developed not take into account the operational parameters and limitations that exist within the organization.

For that reason, when the organization develops its guidelines, practices and policies, it is important to consider the risks associated with the future availability or non-availability of a given record or class of records and to weigh such risks in light of the organization's broader record management costs and objectives.

The challenge is how best to balance the competing desire to keep all records with the need to destroy such records