After completing the Information Collection phase described in Part 1 of this series, you will ideally have information surrounding all of your organization’s operational processes and good representative record examples from each business area. The trick now is to organize this information in a way that is comprehensive yet easy to follow. This should be a piece of cake, right?!
Organize by Processes
In a functional RRS, functions represent the highest-level processes performed by the organization. For example, “Accounting,” “Product Development,” “Marketing,” “Sales,” etc., are key functions present in most organizations. The information is further organized into more granular processes, called Record Series, that house related output Record Types. The goal is to group closely interrelated record types, particularly when they have a similar business or operational recordkeeping value and a similar retention lifecycle.
How Big?
Be strategic about grouping processes and records together: bigger buckets aren’t always better, particularly where they introduce an unacceptable amount of risk from over-retention. Often, a problem arises when buckets contain record types for which long-term retention is problematic. For example, privacy considerations often drive decisions to create strategic record series breakouts and smaller buckets for certain high-risk record types. Biometric information, CCTV video surveillance footage, and unsuccessful job applications are all record types commonly subject to restrictive recordkeeping laws mandating swift disposition. These are unsuitable for grouping into Big Buckets with other records. Be mindful of any records containing sensitive personal information, and avoid grouping these records into buckets with retention periods longer than legal recordkeeping requirements or your operational business needs.
Ultimately, your organization’s risk profile will help guide how aggressively you rely on big bucket record series. The key is to ensure that the benefit of a simplified RRS—enhanced administrative ease and increased compliance—outweighs any additional risks associated with longer retention periods or increased storage costs.
Set a Baseline Retention Period
Once you have finalized the simplified structure of your RRS, the next step is to set initial baseline retention periods for each record series. When an RRS covers many jurisdictions, having a baseline retention period instead of a unique retention period for each jurisdiction significantly eases administration. The baseline period should reflect the valuable information on business and operational retention needs previously gathered during the information collection process, and any known legal or regulatory recordkeeping requirements.
A full retention period is composed of an event trigger plus a period of time, such as “Duration of Employment + 5 Years.” The event trigger defines the event that will initiate the period of retention for disposition. Intricate event triggers can potentially overcomplicate the calculation of retention periods and become a barrier to successful RRS implementation, so strive to simplify event triggers whenever possible while being mindful of the underlying lifecycle of the records captured within your record series.
Research & Application
Once an initial baseline retention period is set, consider the relevant legal research to determine whether it is compliant with the recordkeeping requirements relevant to your newly devised record series.
When conducting research, cast a wide net that comprehensively covers research broadly applicable to your organization’s core general business processes as well as your specific industry. Focusing on the “Regulated Party” is the best way to decipher whether a recordkeeping requirement is relevant to your organization. A regulated party is a legal entity, organization, or enterprise regulated by a recordkeeping citation. “Employers,” “Taxpayers,” “Companies,” etc., are regulated parties relating to core business functions that are almost always relevant. “Manufacturers,” “Financial Services Providers,” and “Insurers” are industry-specific regulated parties that only apply narrowly. Carefully read any definitions in the law to help determine whether your business fits the criteria to be considered the regulated party.
Research should consider both “minimum” and “maximum” legal recordkeeping requirements. Minimum requirements dictate the minimum length of time for retention. Maximum requirements, often privacy-based, set the longest amount of time a certain record or personal information may be retained.
When aligning identified relevant citations to your RRS, seek to identify the record series that represents the best fit. Consider each citation’s regulated party, the scope of the regulated records, and other context gathered from the citation’s heading. The body of directly applicable research mapped to each record series will often help confirm the initial baseline retention period. If any requirements violate the baseline, adjustments to the baseline retention period or country exceptions may be necessary to bring the RRS into compliance. Several identified country exceptions longer than the initial global baseline indicate a possible global harmonization candidate and involve harmonizing the retention period to cover the exceptions. Trends across jurisdictions for maximum retention periods shorter than the baseline may also be helpful in assessing record series break-outs for privacy to account for mandated shorter retention periods. The finalization of the RRS should keep the overall goal of simplicity for increased adherence in mind.
Conclusion
The simplified “Big Bucket” RRS remains the best practice due to its process-based design and ease of implementation. Developing your organization’s simplified RRS is a significant undertaking best guided by professionals with expertise surrounding best practices and familiarity with relevant legal recordkeeping requirements. Ultimately, the level of effort, customization, and strategy dedicated to your RRS development will pay dividends in its risk mitigation, administrative ease, and compliance. Once successfully implemented, an RRS tailored to your organization’s unique records and regulatory profile that brings together information and input drawn from a wide cross-section of personnel and stakeholders will provide a solid foundation for legally defensible disposition. Successful RRS implementation is easier said than done; we plan to discuss this in the final part of this series.
[1] https://magazine.arma.org/2018/12/big-bucket-retention-objectives-issues-outcomes/
Disclaimer: The purpose of this post is to provide general education on Information Governance topics. The statements are informational only and do not constitute legal advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.
Author: Jennifer Chadband, IGP, CRM, ECMp
Senior Analyst / Licensed Attorney