All enterprises, whether commercial, governmental, charitable, or of any other structure, are required in some way to follow information management regulations; there are even laws regulating the President of the United States.[9] This article discusses several regulatory requirements that impact enterprises during the information creation, custodianship, archival and disposition cycles. Good practice requires identifying the information types that constitute official records and creating a Records Retention Schedule (RRS) to manage them. An RRS specifies (among other things) how long to retain records and what steps are necessary in retaining and disposing of them to comply with regulations.[10] The following briefly discusses requirements that affect the duration of records retention, including privacy laws and, even though they do not mandate a definitive retention period, statutes of limitations (SOLs). Finally, this article introduces and describes several handling and ancillary requirements related to records retention.

Duration of Retention Background Explanation: Retention Laws and Regulations

Records retention requirements mandate the retention of records by regulated parties. Tens of thousands of international and domestic records retention laws exist that either generally require the retention of records or set defined periods of time for which records must be kept. These have been passed by legislatures, agencies, self-regulatory organizations and other regulatory bodies, and cover both records common to all companies, like employment and accounting records, and records unique to specific industries, like records of nonconforming products for manufacturers. Retention requirements are often accompanied by a number of handling and ancillary requirements that need to be considered and followed to comply with the law.

Duration of Retention Background Explanation: Privacy / Personally Identifiable Information

A unique category of records retention requirements is those regulating the retention of Personally Identifiable Information (PII). These requirements deal with the retention of records, but instead of setting a minimum amount of time to keep records they set a maximum retention period, compelling destruction after that period of time.

  • Broad vs. Specific PII Requirements: Some have a broad and generic retention period, a common example being to retain PII for no longer than is necessary for the purpose for which the information was initially collected, while others are more rigid, defining types of PII and setting an exact retention time frame. Similarly, some privacy requirements use broad and generic language about the regulated records (a common example covers any record containing PII), while others specifically identify the exact types of records governed. Where the regulations are broad and generic and not tied to a particular record type/code, it is helpful to create a methodology to assure consistency in application. One method is to review an impacted RRS ahead of applying the regulations, to identify the records that are believed to be impacted by, or to contain information within the scope of, the broad mandates. The broad requirements are then applied to the items identified by the methodology.
  • Conflicts with Compelled Destruction Requirements: The majority of PII requirements have exceptions where the compelled destruction requirement conflicts with another law in that jurisdiction that requires longer retention. For example, France’s National Commission on Informatics and Liberty (CNIL) regulations generally require employers that file under the CNIL simplified standards to remove payroll data and time slips containing personal information after 5 years. However, France’s Commercial Code broadly requires retention of accounting-related records, including supporting records, for a period of 10 years, which arguably may include PII associated with payroll data. Because this particular CNIL requirement includes a provision that excludes information required to be retained by another law, retaining PII for payroll accounting purposes in accordance with the Commercial Code’s 10-year requirement may not contravene the cited privacy requirement. Even without the ambiguity presented in the previous example, compelled destruction requirements present a major pain point for companies, limiting or complicating the retention of records based on business needs, common practice, or strategic needs like global harmonization efforts.

Duration of Retention Background Explanation: Statutes of Limitation

Statutes of limitation in and of themselves do not mandate the retention of records, but rather provide context for consideration in identifying appropriate retention periods. For example, a common US statute of limitations for contracts is 5-6 years, which generally requires that an action based in contract be brought before the expiration of 5-6 years from the date the contract was signed. The problem with statutes of limitation is that it is easy to get caught in the “every possible contingency” mindset, because there are hundreds of claims that could be relevant if extremely rare circumstances arise, but that will rarely be relevant to the business world.

  • SOL Strategy: For this reason, domestically and wherever a particular jurisdiction has an abundance of laws governing the retention of records, a common strategy is to rely upon SOLs only where there are few retention laws on point, and where doing so is reasonable from a cost / risk perspective. It is also a good idea to analyze and then limit the application of statutes of limitation to those deemed most relevant to a particular company’s records, which usually consist of those related to written contracts, personal injury, products liability, discrimination, real estate, wage claims and tax. Otherwise, it is easy to get sidetracked in an analysis of every conceivable contingency.
  • Spain SOL Example: There are recognized instances in which a statute of limitation creates a duty to retain records, similar to a definitive retention period. For example, Spain’s Supreme Court found that even though there was a record-keeping provision directly on point, requiring banks to keep accounting records (interpreted to extend to deposit accounts) for six years, that requirement provided only the minimum period. The court went on to explain that the retention requirement did not relieve the bank of the burden of preserving records based on its own interest in defending against or bringing a suit. For this case the ruling meant that the bank could not rely on the absence of records to show that it had followed its own procedures, both as to its deposit accounts and as to disposing of its records; the holding was narrow to the issue of banks and deposit accounts. However, given how broadly the court speaks about obligations created by statutes of limitations in general, the trend has been to apply statutes of limitations more cautiously in Spain and in surrounding countries. The Spain case helps explain the utility of retaining records based on statutes of limitations: those records provide a defense to, or otherwise help defend, an action where the statute of limitation has not expired. If the bank had kept records showing that it had properly dealt with its deposit accounts, it could have used them as a defense in that case.
  • Lilly Ledbetter Example: The Lilly Ledbetter Act provides another example of a statute of limitation that directly impacts record-keeping, by expanding the 3 year statute of limitations from the Equal Pay Act to start over every time a violating paycheck is issued. Again, this is a statute of limitation, not a records retention requirement, so it does not legally require that records be retained. However, the prudent approach is to retain records of compliance with the Equal Pay Act, including pay slips, to defend against claims should they arise, which is why common practice is to keep these records for the duration of employment plus 3 years.
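As an added example (not code from this article, nor from Zasio’s products), the following Python resolver encodes the retention rules discussed in the PII and SOL sections above: minimum periods from retention laws or SOL-based practice, compelled-destruction ceilings with or without an other-law exception clause, and a trigger date such as the employee’s last day. Rule names and dates are constructed from the article’s France and Lilly Ledbetter examples; the "rigid ceiling" case is a constructed counterpart with no exception clause.

```python
from dataclasses import dataclass, field
from datetime import date

@dataclass(frozen=True)
class MinRetention:
    """Keep at least `years` after the trigger (retention law, or SOL-based practice)."""
    source: str
    years: int

@dataclass(frozen=True)
class MaxRetention:
    """Compelled destruction: keep no longer than `years` after the trigger.
    `yields_to_longer_law` models the exception clause many PII rules carry."""
    source: str
    years: int
    yields_to_longer_law: bool

@dataclass
class Disposition:
    dispose_on: date
    basis: str                # the rule that fixed the date
    conflict: bool = False    # a rigid ceiling undercuts a longer minimum: escalate
    notes: list = field(default_factory=list)

def add_years(d: date, n: int) -> date:
    """Anniversary arithmetic; Feb 29 rolls back to Feb 28 in a non-leap year."""
    try:
        return d.replace(year=d.year + n)
    except ValueError:
        return d.replace(year=d.year + n, day=28)

def resolve(trigger: date, mins: list, maxes: list) -> Disposition:
    """`trigger` is the event the periods run from (contract signature, last day of
    employment, ...). The longest minimum governs unless a rigid maximum is shorter."""
    floor = max(mins, key=lambda r: r.years, default=None)
    if floor is None:                       # nothing requires retention: honour any ceiling
        m = min(maxes, key=lambda r: r.years, default=None)
        return Disposition(add_years(trigger, m.years if m else 0),
                           m.source if m else "no rule on point: business need")
    short = [m for m in maxes if m.years < floor.years]
    notes = [f"{m.source}: {m.years}y ceiling excepted by {floor.source}"
             for m in short if m.yields_to_longer_law]
    rigid = [m for m in short if not m.yields_to_longer_law]
    if rigid:
        m = min(rigid, key=lambda r: r.years)
        notes.append(f"{m.source} compels destruction before the {floor.years}y minimum")
        return Disposition(add_years(trigger, m.years), m.source, True, notes)
    return Disposition(add_years(trigger, floor.years), floor.source, False, notes)

# Article's France example: the CNIL 5-year ceiling on payroll PII carries an
# other-law exception, so the Commercial Code's 10-year accounting retention governs.
FR_PAYROLL = resolve(date(2016, 12, 31),
    [MinRetention("FR Commercial Code: accounting support records", 10)],
    [MaxRetention("CNIL simplified standard: payroll data / time slips", 5, True)])

# Same facts under a constructed ceiling with no exception clause: flagged conflict.
FR_PAYROLL_RIGID = resolve(date(2016, 12, 31),
    [MinRetention("FR Commercial Code: accounting support records", 10)],
    [MaxRetention("constructed rigid PII ceiling", 5, False)])

# Lilly Ledbetter practice: pay slips kept for employment + 3 years, so the trigger
# is the employee's last day (constructed date).
PAY_SLIPS = resolve(date(2016, 6, 30),
    [MinRetention("Equal Pay Act SOL as restarted by the Lilly Ledbetter Act", 3)], [])
```

The `conflict` flag is the point of the design: a rigid ceiling shorter than a statutory minimum is never silently resolved by the code, it is surfaced for counsel.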

Handling Requirements

Handling requirements deal with aspects of record-keeping beyond the period of time records need to be retained. The sub-categories that are helpful for information management include, for example, media and format restrictions or allowances, location and records movement restrictions or allowances, protection and access restrictions, and requirements to destroy records in a certain way. Requirements that are ancillary to handling and retention requirements also include sanctions for non-compliance with retention and handling requirements. A well-informed information management strategy will take all of these into account when drafting records retention schedules (RRS) and policies.

  • Destruction Requirements: These generally mandate the destruction of records after the legally specified retention period has expired or mandate a specific destruction method. Shredding is the most common, and some requirements get particular, for example some specify the shred size or require cross shredding. Other destruction requirements include burning, using chemicals to destroy records and different methods to wipe or destroy electronic data.  An example of a destruction requirement is the Business & Commercial Code of Texas which requires “businesses collecting sensitive personal information shall destroy or arrange for the destruction of customer records containing sensitive personal information … by: shredding; erasing; or otherwise modifying the sensitive personal information in the records to make the information unreadable or indecipherable through any means.”[1] To follow the letter of the law in these instances records that have destruction requirements must be flagged so that when their destruction is due they can be disposed of properly.
  • Records Location and Movement: These requirements impose restrictions or prohibitions on location and movement of certain records (e.g., must be retained in a certain location). These provisions tend to be associated with specific types of records and impose limitations such as to maintain records at the “head office,” “principal place of business,” or broadly within the jurisdiction in question and so forth.
    • Cross Border/Localization Distinction: A sub-type of the records Location and Movement category is Cross Border restrictions, which are typically associated with PII and prohibit moving data containing PII out of a particular country. More often than not there are conditions that can be met to move the data, however, sometimes the laws are rigid and do not allow PII to be transferred out under any condition.
    • EU Cross Border Example: A timely example of a conditional cross border / localization requirement is the European Union data protection requirements, which only allow transfer of PII out of EU countries if certain conditions are met. It is timely because one method relied upon historically for satisfying the standards for PII transfer, Safe Harbor, was recently overruled by the EU’s Data Protection Agency and has been replaced by the Privacy Shield framework. To summarize, Privacy Shield is an agreement between the EU, the non-EU government and participating companies allowing for transfer of PII across borders if certain requirements are met. These include transparency about the PII being transmitted, compliance oversight by the EU and non-EU governments, sanctions for non-compliance, onward transfer restrictions and redress options for individual complaints.[2] Another option for transferring data out of the EU is Binding Corporate Rules, which are internal rules adopted by participating enterprises that ensure “adequate safeguards for the protection of the privacy and fundamental rights and freedoms of individuals within the meaning of article 26 (2) of the Directive 95/46/CE for all transfers of personal data protected under a European law.”[3] The final option is to utilize model contract clauses, which are standard contractual clauses issued by the EU Commission that can be used by enterprises to “offer sufficient safeguards as required by Article 26 (2).”[4] While the information presented above about the EU cross border options is brief and likely to change in the future, it provides a good example and introduction to the robust requirements surrounding cross border transfer in the EU.
    • Russia Localization Example: An example of a more rigid localization requirement is a new law in Russia which requires that personal data on Russian citizens be kept on servers located within the territory of the Russian Federation. While it allows for a few exceptions, they all relate to circumstances necessary to achieve government goals, necessary for justice, or necessary for political, scientific, literary or creative activities. Russia’s Ministry of Telecom and Mass Communications has provided some additional exceptions for activities like making decisions based on the data and depersonalizing data, as well as for personal data obtained without solicitation or based on a transaction between legal entities. These clarifications are still being interpreted, but the consensus thus far is that so long as the data exists on a server in Russia, copies or equivalents of the data can be transferred outside the country. Though there is a workaround for transferring the data across borders, the requirement to keep the server with the original data within Russia still presents a pain point for many enterprises doing business in Russia.
  • Records Media / Format: These requirements impose legal obligations or allowances to retain records in a particular format. The most common are permissive provisions allowing an electronic format so long as certain conditions are met, though there are some requirements to keep records in a specific format, usually hard copy or paper. An example of a hard copy requirement is the Illinois Administrative Code, which requires that originals of pollution filings, including original pen and ink signatures, be retained.[5] Like the PII requirements, there are common laws that generally regulate these topics, such as Electronic Transactions Acts, Model Requirements for the Management of Electronic Records, Write Once Read Many (“WORM”) requirements, etc., which need to be followed.
    • Electronic Transactions Acts Example: An example of a permissive media / format requirement is the Uniform Electronic Transactions Act, which has been passed by 47 states and allows for electronic retention of records so long as the record “(1) accurately reflects the information set forth in the record after it was first generated in its final form as an electronic record or otherwise; and (2) remains accessible for later reference.”[6] Regulations related to “electronic transactions” are broadly stated to govern any record that could fall within the scope of that term. Because the regulation is not tied to a particular record type/series, this is another scenario where a methodology is helpful to assure consistency in application. For this purpose, a good plan is to review the schedule ahead of time to identify those records that are believed to be impacted by, or to contain information within the scope of, the broad mandates, so that the mandates can be applied consistently.
    • Protection: Another handling category requires that certain records have various protections. These include higher security and access restrictions, that they be duplicated and backed up for disaster recovery purposes, or even that they be stored in a controlled environment, meaning that temperature, humidity and isolation from pollution or water are taken into account. An example is found in a Canadian circular dealing with electronic income tax record-keeping which requires that data stored electronically on media that is re-writable be kept clear from hazards that could deteriorate or affect the media like temperatures outside of a moderate range, moisture, sunlight and even magnetic fields.
    • Sanctions: Sanctions are an ancillary aspect of retention requirements that impose penalties for non-compliance with record-keeping requirements, including handling requirements. Punishments can vary from the most common, monetary fines, to the most extreme, criminal sanctions including jail time. For example, Cal Gov Code 12976 (a) specifies that an employer that “willfully violates Section 12946 concerning record-keeping is guilty of a misdemeanor, punishable by imprisonment in a county jail, not exceeding six months, or by a fine not exceeding one thousand dollars ($1,000), or both.”[7] Some fines can be significant; for example, EU data protection laws have situations where fines are in the millions of dollars or are calculated as a percentage of the infracting company’s revenue.[8] Knowing the sanctions is not strictly necessary so long as all requirements are complied with, although they can be considered in weighing the risks involved in making information management decisions and used as leverage in enforcing compliance. This is not to say that it is ever advisable to disobey a legal requirement, but sanctions can help not only to prioritize items with higher penalties but also to provide backing and support for information management initiatives and projects.

Conclusion

In a typical client records retention schedule (RRS), approximately one-third to one-half of the schedule titles will be regulated in some way by a records retention requirement or impacted by best practice and potentially SOLs. While these numbers amount to a fraction of the RRS, these are the records that are requested by regulators, requested during audits, or that may be needed to defend against or bring suit. Proper maintenance should consider not only retention periods but also handling requirements. If these records are not accounted for, the consequences may involve a wide range of sanctions, ranging from minor monetary fines to substantial monetary and criminal penalties. Fully considering and implementing the wide range of regulations pertinent to an enterprise’s RRS is crucial to minimizing risk.

Zasio is here to help, with several options based on client needs. Our Versatile Retention software provides the relevant citations in an easy to use and apply format so that companies can create schedules and link laws themselves. For clients who want more help, Zasio Consulting offers RRS creation and consolidation services, and custom research, application, and recommendations services.

Disclaimer: The purpose of this post is to provide general education on Information Governance topics. The statements are informational only and do not constitute legal advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.

[1] Texas Business & Commercial Code 521.052 (b) (Supp. L. 2009).

[2] EU-US Privacy Shield Fact Sheet (July 2016) from the European Commission website (accessed October 4, 2016, 12:56 PM) http://ec.europa.eu/justice/data-protection/files/factsheets/factsheet_eu-us_privacy_shield_en.pdf.

[3] Overview on Binding Corporate rules from the European Commission website (accessed October 4, 2016, 12:58 PM) http://ec.europa.eu/justice/data-protection/international-transfers/binding-corporate-rules/index_en.htm.

[4] Model Contracts for the transfer of personal data to third countries from the European Commission website (accessed October 4, 2016, 12:59 PM) http://ec.europa.eu/justice/data-protection/international-transfers/transfer/index_en.htm.

[5] 35 Ill. Adm. Code 101.1010 (c)(4)(s1b) (effective January 27, 2015).

[6] As an example of the UETA, I pulled language from the version published in Idaho code which uses the same language as the versions passed by other states.  Idaho Code 28-50-112 (a) (I.C., § 28-50-112, as added by 2000, ch. 286, § 1, p. 959).

[7] Cal Gov Code 12976 (a) (operative January 1, 1984).

[8] “European Commission – Fact Sheet – Questions and Answers – Data protection reform,” from the European Commission website (accessed October 4, 2016, 3:11 PM) http://europa.eu/rapid/press-release_MEMO-15-6385_en.htm.

[9] For example, 3 CFR 102.110 requires the Executive Office of the President to retain self-evaluations of its programs concerning enforcement of nondiscrimination on the basis of handicap for 3 years after completion. https://www.gpo.gov/fdsys/granule/CFR-2011-title3-vol1/CFR-2011-title3-vol1-sec102-110/content-detail.html.

[10] RRSs also include business and operational needs, and common practice. However, this article is limited to legal requirements.

Author: Rick Surber, CRM, IGP

Senior Analyst / Licensed Attorney