Ever wondered how long a company’s balance sheets have to be kept for tax purposes in Switzerland, or whether sharing personal data with third parties is restricted in Brazil? Maybe your first question is, “Where and how would I even look for those requirements?”
In the world of records and information management (RIM), legal research plays a critical role by providing the foundation for a solidly defensible records management program. Legal research ensures that statutory and regulatory recordkeeping obligations have been considered and accounted for, particularly within record retention schedules.
Although legal research can be simply defined—identifying and retrieving the laws applicable to a particular set of facts to inform legal decision-making—in practice, legal research can be a mammoth project to take on. In today’s world of remote work and multi-national corporations, your business can find itself with operations across many jurisdictions, subject to dozens of regulatory bodies, all with different sets of recordkeeping requirements. Locating relevant laws in even just one jurisdiction can be a lengthy process (here’s looking at you, California). Luckily, that’s where the research colleagues at Zasio can help. We specialize in legal research to find, capture, and curate thousands of recordkeeping requirements across many industries and countries, and keep those requirements updated as laws change.
Let’s take a peek at what this process looks like.
Who, What, Where?
As with any research, the project’s scope must be clearly defined to optimize the research process. To that end, the hunt for recordkeeping requirements begins with answering three basic questions:
Who are the regulated entities?
What business products, services, activities, and record types are at issue? And,
Where are the regulated parties, business activities, products, or services located?
The answers to these questions set the parameters of the legal research project, whether it’s narrow and highly specialized, or it covers a broad range of activities and parties.
Once a project’s scope is set, we need to find the sources which contain the applicable laws in each jurisdiction (such as the country or state).
Straight from the Source
The best way to find and capture current and complete recordkeeping requirements is to pull them right from the source. In legal research, “primary authority” means the law itself. Laws can be statutes, regulations, decrees, orders, and other rules issued by a legislative body or regulatory authority.
For Zasio researchers, that means using public-facing official government websites, as well as subscriptions to legal databases, to find laws relevant to a research project. While secondary sources (like university websites or law firm articles) can provide useful information and direction, we primarily review laws from their primary source (where possible). Where the legal text isn’t accessible through the primary source, we turn to trusted and reliable secondary sources that make the text available.
Because we’ve already conducted extensive research in over 140 countries, we have the most relevant primary sources already identified and readily accessible in Zasio’s proprietary research database. This database forms the backbone of Zasio’s Versatile Retention SaaS and on-premise software offerings. When we run into a new jurisdiction, we conduct a thorough and systematic search for authorities to use as sources. We look to the main legislative bodies of a country or state, as well as any regulatory authorities such as ministries, agencies, or government departments that may govern either the relevant activities or parties.
These authorities can be located through resources like the United States Library of Congress website (which has guides for many countries identifying the executive, judicial, and legislative authorities), or by running a native language query using everyone’s favorite search engine.
The Methodology
When examining a source for potential recordkeeping requirements, reading every law a country has implemented wouldn’t be a particularly efficient (or enjoyable) use of time. Instead, we leverage the search features and filters the source makes available to craft keyword and Boolean searches to find relevant laws with language consistent with recordkeeping requirements.
For sources that include the feature, Boolean search operators are used to tailoring queries for laws that contain at least one term that is: (i) related to the regulated activities or parties, (ii) synonymous with retention or preservation, and (iii) associated with records or information (as well as other limiting factors).
Zasio researchers have seen A LOT of recordkeeping requirements, and they all tend to use similar terminology, phrases, and patterns of language. We use this knowledge and experience to run searches covering a wide range of regulated activities and parties in a systematic fashion until we can be certain that we’ve located all relevant laws within a particular source.
Depending on the search filters and sorting capabilities of a source, we can also narrow our search results using date ranges or categories associated with responsible agencies.
For sources with less advanced search features, we turn to other options and find creative solutions. Some sources organize laws by topic or subject, or by the issuing ministry or department. Other sources may only arrange their laws alphabetically, although generally, these jurisdictions have very few laws in force.
Regardless of the source’s search features, the key is to approach each source in a logical and consistent fashion. As laws turn up that meet the parameters of the project’s scope, we review the legal text to identify possible recordkeeping requirements.
So, what types of requirements are Zasio researchers looking for exactly?
Recordkeeping Requirements by Type
Recordkeeping requirements identified by Zasio researchers fall into four basic types:
- Regulation requirements can be summarized as the duration of retention requirements. In other words: regulated party + record + minimum or maximum retention duration.
- Handling requirements deal with how records and information must be handled. These include requirements relating to: format, media, location, movement, cross-border transfers, language, data protection and destruction measures, sanitization and anonymization of protected personal information, and sanctions or penalties for recordkeeping violations.
- Data privacy requirements include requirements relating to notice, privacy breach notification and response, data subject choice and consent for use or processing, purpose limitations, individual data subject rights with regard to their own personal information, retention limits, data transfers, system and security requirements, process type requirements, and fines, penalties, and claims.
- Statutes of limitation requirements are just what they sound like—limitations or prescriptions that define how much time litigants have to bring certain causes of action and legal claims. Duration of intellectual property rights are also included in this type of requirement.
Each requirement is captured as a citation, which is broken down into key information fields that allow for easy location, application, and readability in Zasio’s Versatile Retention software or SaaS offerings. The most crucial of these include:
- Jurisdiction;
- Title of the law;
- A concise record description;
- Regulated party or parties;
- Retention period, handling requirement, or limitation period combined with the triggering event; and
- Relevant portions of text.
Happy Hunting!
Hopefully, your own forays into legal research prove successful; however, we also know that mastering the nuances of RIM legal research is not everyone’s cup of tea. For those who do not consider themselves RIM legal research gurus, and would prefer to capitalize on the collective wisdom and accumulated research of dedicated legal professionals, check out Versatile Retention, Zasio’s retention schedule management and research solution.
Disclaimer: The purpose of this post is to provide general education on Information Governance topics. The statements are informational only and do not constitute legal advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.