Will Retention Policies Go Away?
|
If you listen to lawyers talk about it, corporations have every right to establish document retention policies, including policies that mandate the destruction of documents, in the normal course of business. In my interview with Judge John Facciola of the D.C. Circuit he was clear about this, while pointing out that a document hold due to pending litigation changes matters, of course. But such policies may be more trouble than they're worth. As David Ferris of Ferris Research argues, the very small and diminishing cost of storage makes it a tough choice to try to enforce such policies. It's easier and maybe even cheaper to have a policy of retaining everything than to get your own retention policies right and to implement them consistently. He actually predicts that most organizations will abandon retention policies. (The blog then inexplicably ends with three bulleted reasons not to abandon them.) |
Comments (2)
In fact, to ensure consumer privacy, document retention policy and practice need to be very clear about when data should no longer be held. Under PIPEDA (Canada's primary privacy legislation), organizations are in fact obliged to destroy or delete sensitive personal information when it is no longer required. Quoting from the Commissioner's website at http://www.privcom.gc.ca/information/guide_e.asp , an organization should:
- Use or disclose personal information only for the purpose for which it was collected, unless the individual consents, or the use or disclosure is authorized by the Act.
- Keep personal information only as long as necessary to satisfy the purposes.
- Put guidelines and procedures in place for retaining and destroying personal information.
- Keep personal information used to make a decision about a person for a reasonable time period. This should allow the person to obtain the information after the decision and pursue redress.
- Destroy, erase or render anonymous information that is no longer required for an identified purpose or a legal requirement.
I think this is reasonable and (after all) companies can't lose information they no longer have...
Posted by Tony H | May 21, 2008 6:09 PM
Thanks Tony.
I guess I missed out on the compliance angle. I'll pass this on to Ferris.
Still, implementing policies like this consistantly is hard. I'm sure mistakes get made all the time and in good faith.
Posted by Larry Seltzer | May 21, 2008 6:13 PM