Slide Presentation (ppt)

Record Retention PolicyOr

Document Retention Policy

Richard A. AldridgeCIO

Charles County, MD


Disclaimer: I am not a lawyer, so the materials available in this presentation are for informational purposes only. Nothing I say or present should be construed as legal advice or opinion. If you too are not a lawyer, it is important that you consult an experienced attorney concerning your particular factual situation. Do not rely solely on this information provided. This information is solely my professional opinion and direction given as a Information Technologist with over 46 years of experiences and education. Blaming me for what you eventually do will not be a defensible action on your part.


Do I Need One?


Do I Have One?


What Should It Look Like?


And Why Do I Care?

?

1. Who decides what happens to “information” inside county government?

?

2. Who decides how and where to store that “information?”

?

3. Who decides who gets access to that “information?”

?

4. Who decides when and should that “information” be gotten rid of?

The CIO or County Attorney?

The Big Question – “Who decides?”

The CIO?

Typically, those decisions would fall to the CIO, because they are responsible for the infrastructure that creates and stores that “information.”

They need to assure the Staff and Citizens that the county business processes are accurate and efficient when handling that “information.”

Their job is to protect that “information.”

BUT…

The County Attorney?

The County Attorney is the one who is on the hook in litigation. Given the starring role electronically stored information plays in legal disputes, it’s no surprise the County Attorney want to make sure that emails and office files are handled to their satisfaction.

The CIO or County Attorney?

This doesn’t mean IT has no voice.

In fact, the County Attorney has to rely on IT quite heavily.

CIOs can demonstrate leadership by reaching out to the County Attorney to construct policies and processes that are mutually acceptable.

So, what is this “information” that I keep referring to?

So, what is this “information” that I keep referring to?

Documents

Documentsinclude physical records (i.e. paper copies), as well as e-mail, and other electronic records.

The term "electronic records" means any records that are created, received, maintained or stored. Examples include, but are not limited to:1. electronic mail (e-mail)2. word processing documents and spreadsheets3. Databases

NOTE: The retention requirement associated with any record or document is determined by its “content”, not the method of delivery.


Do I Need One?Like Insurance, most policies are written in hopes that they never have to be tested.

As long as we didn’t see anything wrong there wasn’t a problem. That never lasts.

Sooner or later somebody will always see something wrong.

A policy merely guides actions toward those that are most likely to achieve a desired outcome.

Good policy documents will provide guidance for everyone involved on how the problem will be resolved.


Why Do I Need One?

Legal compliance

Many federal and state laws contain record keeping requirements. In addition to specifying what records must be kept, these requirements may also dictate how the records must be kept and for how long.

A good document retention can help comply with these laws as well as promote efficiency by eliminating unnecessary information.

A County Business Risk

In addition to assisting with compliance with specific legal requirements, a good document retention policy can help reduce general business risk by identifying documents that are important and should be preserved in order to protect the County in the event of litigation, an audit, an employee disputes, and other matters where documents can be used to support or oppose a particular position.


Do I Need One? YES


Do I Have One?


Do I Have One? YES

But, it is probably called a Record Retention Policy, lacking the inclusion of electronic records in its definition of items covered.


What Should It Look Like?


What should I look for when updating the retention policy to

include Electronic Records?

Email

Email is one of the places that inappropriate or damaging information is most often found in disputes or e-discovery.

This may be due to the common, but inaccurate, perception that once deleted, email is gone forever.

It may also be because people are much more casual in their use of email than they are when writing a letter or memorandum.

.

Email

It is important to educate staff and officials that email must be used in the same way as other county business correspondence and inform them that they should assume that any email they send is a permanent record that will be likely discovered in the event of a lawsuit or FOIA/PIA requests.

Email

Establishment of an email policy (usually found in an Use and Security Policy) can help reduce the inappropriate and potentially damaging use of email. (Does this policy need to be in the Retention Policy? Absolutely not, because this would be something to note in your Document Retention Policy.)

Email

A good email policy should prohibit the sending of email that would violate the county’s ethics, discrimination or harassment policies, such as sending sexually explicit or racially derogatory email, prohibit reading or accessing email directed to others, establish the county’s right to review and retrieve email, and place limits on the use of county email for limited personal purposes.

EmailEmail addresses are given to staff and officials for work purposes only.

A work-related email is an official record, and must be treated as such. Email users must take responsibility for sorting out personal messages from work-related messages and retaining official records as directed in a Document Retention and Disposition Schedules as pre-determined by the county.

Email

Email that does not meet the definition of a public record, e.g., personal email, or junk email, should be deleted immediately from the system.

Most if not all county email servers are NOT intended for long-term electronic record retention.

EmailGood continuity and disaster recovery practices perform backups on a regular schedule of the email and electronic records stored on central servers.

These backups are to be used for system restoration purposes only, not for e-discovery processing. These backups are kept for a specified period of time and then the backups are erased.

The legal custodian of documents or emails, are responsible for ensuring any email or electronic records, e.g. attachments which are properly or legally requested are presented to requesting parties.

EmailEmail messages and any associated attachment(s) with retention periods greater than three (3) years are to be printed and filed in similar fashion to paper Documents.

It is important to note that the email message should be kept with the attachment(s). The printed copy of the email should contain the following header information: who sent message; who message was sent to; date and time message was sent; and the subject.

Document Imaging would require no less.

Litigation

When litigation against the county or its staff is filed. Or a threat against the county or staff is perceived, the law imposes a duty upon the County to preserve all documents, emails and electronic records that pertain to the issues.

As soon as the County Attorney is made aware of pending or threatened litigation, a litigation hold directive should be issued to the legal custodian(s).

Litigation

The term "legal custodian" shall mean the originator of an email message or the creator of an electronic record(s) if that person is a county staff or official; otherwise it is the county staff or official to whom the message is addressed or to whom the electronic record(s) is/are sent. If the electronic record(s) is/are transferred, by agreement or policy, to another person for archival purposes, then that person becomes the legal custodian.

Litigation

The litigation hold directive overrides any records retention schedule that may have otherwise called for the transfer, disposal or destruction of the relevant documents, until the hold has been cleared by the County Attorney.

A Litigation Hold

Email and computer accounts of separated staff personnel that have been placed on a litigation hold by County Attorney should be maintained by IT until the hold is released.

This litigation hold should/would also prevent staff personnel who has been notified, to not alter or delete an electronic record that falls within the scope of that hold.

Violation could subject an individual to disciplinary action, up to and including dismissal, as well as personal liability for civil and/or criminal sanctions by the courts or law enforcement.

Crafting a Document Retention Policy

The 2002 Sarbanes-Oxley regulations initially served as a wake-up call for formalize document retention policies to meet compliance requirements. Butregulatory demands and the number of documents produced daily continue to grow. So a solid document management process is a necessity.

This is the time to look at document imaging.

Most of you will struggle at first with creating the policies, then getting buy-in from the end users (staff and officials) and then allowing the CIO to manage the technology. But, in the end it is the best way to meet the objective.

The first step is making sure a clear IT Use and Security Policy is in place, then make sure that the right items are covered/referenced in your document retention (management) policy.


Properly define "document" to include information of all types—electronic or paper, historical or transient county record(s). Your current Retention Policy should at least identify a majority of the types.

Clearly state who and what function is the relevant retention authority for the most widely used categories of documents.

Indicate the specific duration of retaining different types of documents.


Identify specific staff or functions that have appropriate read, write and edit access.

Clearly state the reasons that retention is necessary (e.g. MD PIA, Sarbanes-Oxley rules, HIPAA regulations). As those requirements change, the rationale for retention should be reviewed, and any changes to the retention period should be made.



State in the policy that if a file or folder contains multiple types of documents necessary for a coherent record, then the whole file or folder must be retained for the duration of the longest-held item. (document imaging handles)

Except when absolutely necessary, do not allow (or at least strongly discourage) the mixing of digital documents in storage.


If document A needs to be retained for five years and document B needs to be retained for 20 years, keep them separate.

You will reduce the cost of long-term storage and will avoid legal risks inherent in a failure to follow retention policies.

A good document retention policy can do more than avoid legal fines.


And Why Do I Care?

Lack of a Document Retention Policy can spell trouble

Not all retention is good. So many permutations, so little time.

Without a policy its a fact that more than 80 percent of typical County documents (Word, Excel, etc.) reside on staffs‘ desktops and laptops. That's a problem.

1. Despite the good efforts of most enterprise-class backup software that reaches down into client computers, it's reasonable to assume the success rate -- for a variety of reasons -- is going to be something less than perfect.

2. Files are created and changed while laptops are not connected, files get saved to and read from CDs, thumb drives, and email attachments. And,

3. Laptops get lost or stolen. Different discussion.


Some electronic files, most notably email, almost always reside on a server in an enterprise environment.

Even when someone "deletes" email messages and believes it's really gone, we, well at least I know better. Nothing is really gone.

Other communication, like instant messaging really may be gone foreverunless explicitly saved by one of the party or a subpoena is served upon the IM provider. But, let's ignore that less-than-perfect backup success rate of IMs for the moment. That’s a different discussion for a different time.

The larger question is what does your IT do with these files once they are backed up? The problem is not as simple as one might think. Sure, it's a feather in thecap of IT to recover a file accidentally deleted by some poor slob with a triggerfinger. That's a common everyday work day issue.


But what happens when litigation leads a court to an order that documents generated years earlier be produced at trial or during discovery? It's not so easy. And the liabilities are enormous as most of you well know.

We've all heard about the case of the Wall St. brokerage firm fined millionsbecause it could not produce email messages.

One issue is whether a County has powerful enough search capabilities to find what it's looking for. The other, and perhaps more important aspect is whether IT knew for an absolute fact if the emails do indeed exist or not.

It's one thing to say they exist and we can't find them. It's quite another to admit you don't know whether there's anything to be found in the first place.


That makes everyone, including IT who provided the systems in questions look rather foolish and incompetent -- certainly not a good thing in the eyes of any court.

There is yet another scenario, and that's to say "the emails in question no longer exist and we can prove that for a fact.“

But that's tantamount to proving a negative, isn't it? And we all know that proving a negative is an impossibility -- not unlike, a baseball player attempting to prove that he never took steroids. Just ask a certain Mr. Roger Clemens.

Well, sure, perhaps mathematically you can't prove it, but there is a next best thing. And that is a “Document Retention Policy”, known to all, agreed to by staff when they sign for their copy of a staff orientation handbook, and -- here's the key -- enforced by powerful document-retention management software.


Now when the court order documents are produced, you now have an additional possible answer:

1) It exists, here it is (which could produce a smoking gun, not a good thing)

2) It exists, we can't find it (not exactly the stuff Einstein was made of)

3) It may or may not exist, we're just not sure (see comment above)

4) It no longer exists, that tape was recycled at some point (not easy to prove)

5) It no longer exists, here is the date and time it was destroyed in accordancewith our published Document Retention Policy.

I'll take option five every time.

A Document Retention Policy Summary

It's essential that every county (including yours) establish a Document Retention Policy that includes email and electronic record(s).

If the policy says all email communication is destroyed after one year, fine. But stick to it.

Retention length can vary for a variety of reasons, local and state laws, and the effects of Sarbanes-Oxley key among them. Once these obligations are met, it's entirely up to a county to keep documents and communications for five years or fifty.

Very few counties have a clear Document Retention Policy. Of those, even fewer county staff can cite the policy particulars (if they know it exists at all).

In the modern world, keeping more and more information longer and longer is just what we do.

Richard A. AldridgeChief Information Officer

DFAS -Information Technology Charles County Government

P.O. Box 2150200 Baltimore StreetLa Plata, MD 20646

(301) 645-0545(301) 645-0723 fax

[email protected]

"Making A Difference with IT"

mailto:[email protected]