Document Retention Policy

November 21, 2008

Document Retention - understanding what documents to keep, for how long, and how to destroy what you no longer need. This is an area Michael Overly recently explored, providing a series of tips about basic elements to be considered in a document retention program. Using those tips as a jumping off point, and supplementing with other research, I came up with this list.

10 basic elements of a good document retention policy

  1. Understand what documents to keep, looking first to type of record (employment, accounting / tax, legal, electronic). Understand legal requirements, as well as business requirements, as to how long to keep documents. In the master policy, list the rationale to any decisions made for each type of information. The retention period for each type of document should be listed.
  2. Electronic documentation retention should be clearly defined on its own, particularly as it pertains to email and IM. List the location where electronic information will be stored and policies as pertain to backup tapes.
  3. Define how data is disposed - for both physical and electronic information. This includes how information is shredded and disposed of, how old electronic devices are purged and/or resold, how electronic information is purged from the network, etc.
  4. Choose a storage / backup method that matches with the continued demand for information. Accessing backup tapes is not cost effective, so retain information in a way that makes sense with its use
  5. Restrict the copying of data so that it cannot be duplicated to local machines (if desired) and/or restricted devices such as USB keys or mobile devices
  6. Detail actions associated with the policy - for example, if email >X days old is to be deleted, list that the network will automatically perform this function.
  7. Define disposable documents - those documents that don't need to be retained. For example, duplicates or "trivial" documents.
  8. Assign a process to keep documents, if a legal claim arises to exempt them from regular disposal
  9. Assign a person or group to maintain the program and answer questions
  10. Audit the program regularly to ensure the program has been implemented correctly and that it stays up-to-date with changes in the business or legal environment

Also in security news:

Supplemental research sources: nfib, it world, uofaweb, microsoft, abanet Image: ppdigital @morguefile

Share this article

Financial Services