With the advent of the Protection of Personal Information Bill/Act, compliance with retention requirements embodied in legislation will soon mean that some information will have to be destroyed after a set time. Companies will only be able to keep information about clients for as long as it is needed and for the purpose intended. Clearly this does not mean forever or just in case.
Additionally, good corporate governance means managing risk.
Should it stay or should it go
To decide what needs to stay and what needs to go, companies should first identify the legislative universe that applies to their industry and understand the retention requirements embodied in those laws. Then they need to ensure they understand the evidential reasons to keep specific information, as well as the business reasons. Only once this research is complete should they consider putting this knowledge into action.
Simply stated, if it is of no legal, evidential or business value to the organisation, why keep it?
A good rule of thumb says that one third of the information currently being managed is junk (duplicates or non-records). Another third needs to be kept, but should be on cheap real estate (either off-site in the case of physical records or on secondary media in the case of electronic records). Only 30% of the data stored has real current value for the business and should be stored so that it is immediately available.
To classify data effectively to support the business and not hinder it, one starts by defining the functions of the business. By understanding what functions the organisation performs, you can quickly see what information is required to support them.
The functional information is then broken down further into activities performed within those functions, then finally down to the transaction level. Records will be generated by transactions and they are the evidence of the activities of the organisation. Now you know what data the company needs and generates every day.
This will also tell you what data needs to be immediately available and what can be stored on secondary systems. Not only will this save money, but by only storing relevant information instead of junk, the data users require will be available faster.
Retain or delete?
As a part of the process of classifying the information and storing it in the appropriate location, retention rules should also be set. If these rules are defined properly and are supported by sound policies and procedures, records can be destroyed when appropriate. Of course, this assumes the company’s retention policy has been designed according to good governance requirements and legislation.
In developing the policy, input needs to be gathered from a multi-disciplinary team made up of people from records management, IT, legal, risk, compliance and senior representatives from the business. Together, they make the rules and the records manager(s) and IT implement them. Destruction is never at the discretion of the user.
It is also imperative to remember that this process applies, with few exceptions, to both electronic and physical records. A record is a record based on its content, not the medium it is stored on. Therefore, while a records management software system can automatically deal with digital records, a formal process will have to be defined to help staff find and delete the appropriate physical records.
The crux of the matter is a proper records management process defined by clear rules and procedures for the retention, storage and destruction of all types of records. Most importantly, the management process must take charge of the records as soon as they exist, allocate those that need to be stored to the appropriate locations and only allow them to leave the system when they need to be destroyed.