In my role as an advisor, I speak with information managers across industries and across the world. Although the cultures and technologies are vastly different, the questions are not. In fact, they’re so similar I keep a set of crib sheets for my top three questions:
- Is classification the same as retention?
- How long do you retain video files?
- Is retention of structured data the same as retention of unstructured data, i.e., content? Can structured data in a database be a record?
Records are a subset of content with retention periods set by federal and local laws and by industry regulations such as professional principles or patent laws. It’s a high-stakes collection of data requiring legal and records management expertise, as well as technology support for capabilities like audit trails and automated workflows.
It’s often easier for users to treat everything as a record and keep it forever rather than try to figure out, “This email is a record and needs to be managed for the duration of its lifecycle. This older working copy is a non-record and should be removed as soon as I’m finished with it.” It’s easier in the moment, but highly risky if a document that should have been disposed of comes up in a legal discovery — not to mention, the burgeoning email and chats that are strangers to good housekeeping.
Retention Is Not the Same as Classification
Project teams spend a lot of time classifying their file sets for security handling (e.g., Confidential, Public, Internal) only to then ask, "How do we turn this into a retention policy?"
In their minds:
- We’re classifying documents for retention periods (we’re not).
- Each security classification has its own retention period (they don't).
The term "classification" has a very specific meaning in IT best practices. It means to define and formalize categories of information to outline expected data handling requirements. Without this classification scheme in place, data may be mishandled, leaked or lost, causing significant damage to the organization. The subject matter experts who set these and implement them in information systems are the Security team.
Records retention periods are also a way to profile and categorize information, but for another purpose and another stakeholder. Legal Counsel and/or the Records Management Office set and oversee retention policies to ensure documents are managed for the duration of their lifecycle and then disposed of appropriately. When a critical piece of evidence in a business agreement is thrown away before its retention period runs out, it exposes the company to huge legal risk.
You can have public records with low security classification that still must be kept for seven years, and you can have a high security classified file which contains private data that is not to be retained as part of the records program. Roughly 75% of over-retained records contain personal or sensitive data.
These two concepts intersect when data privacy regulations like the EU’s General Data Protection Regulation (GDPR) establish requirements for information retention and deletion to protect sensitive consumer information. A set of standard retention periods exist, but they require the ability to identify and properly handle sensitive and private information in records.
Related Article: Mancini's Law Says: Information Chaos Has Consequences
Videos Don't Have a Single Retention Period. The Content Matters, Not the Format
It's true how we implement retention practices day to day differs according to the system or file format (e.g., paper, PDFs, voicemail, email, videos, drawings). But the retention policy is all about what’s in the file, not its format or where it lives. There is one retention policy for a type of content no matter what form it’s in.
The more complex the set of records and file formats, the more difficult it is to control and navigate. For example, if employees are using their email accounts to keep records, then the Records Management Officer or information manager may recommend moving that activity out of email and into a system better suited for records management rather than develop elaborate solutions to counteract risky patterns of behavior.
It’s not always reasonable to centralize records in one place (some large banks do this to enable audits and tracking), but it is a problem if the Records Management Officer doesn’t know what employees are doing with records outside their office door. Keep the records close to where users work with them but aim for a simpler and more manageable solution.
Related Article: Is a Single Source of Data the Way Forward for Data Governance
Retention Policies Apply Consistently to All Types of Data
As researchers, we like to use frameworks to package and make sense of a lot of knowledge. But frameworks can also compartmentalize. Records retention is often treated separately for documents (unstructured data) and for structured data (e.g., tabular data, data in relational databases). We’re also seeing requests for records management best practices for semi-structured data, such as HTML code, JSON documents (text files used to transmit data for programs such as web applications), email and electronic data interchange (EDI).
The main questions are:
- What do we attach retention periods to? For example, do we assign retention periods to documents or document categories (e.g., records series)? What is a record in a structured database?
- Does a company’s retention practice apply to all types of data or does each data type have distinct processes?
In these questions, I bring the concepts together side by side to make sure we’re defining the scope clearly. Are we talking about just documents or all records? Applying the retention rules will look different for documents and for structured databases — different personas use these records and apply the policies, and the technology is vastly different. In that respect we can work on the implementation separately for those data types, i.e., to rows of structured data and to records series in document sets.
But the retention practice should apply consistently to all types of records, no matter where they are or whether they are structured or not.
Records management is serious business. We can minimize the complexity and administrative burden of managing records with a few steps: educate users that keeping everything forever is not a legitimate records management strategy, recruit a qualified Records Manager to set up a business practice, and take advantage of technology like automated workflows.