It’s a common mistake in records and information management (RIM) to put all your focus on creating your records retention schedule (RRS) and neglect what comes next: implementation. Lax planning, poor preparation, and a lack of oversight will frustrate even the best efforts in creating an RRS and expose your organization to unnecessary risks. Don’t fall into this trap! Your ‘perfect’ RRS is meaningless if it is not thoughtfully and consistently implemented across your organization.

In Part 1 and Part 2 of this series, we discussed some of the key challenges and best practices for information collection and creating a simplified RRS. In this part three, we’ll discuss implementation—the other half of your RRS battle. This article will introduce you to some of the fundamental steps and useful tips for successfully implementing your RRS.

Take it From the Top Down

Any organization’s culture of compliance starts at the top, with the words, actions, and leadership of higher-level executives. Accordingly, it is imperative to establish a senior-level steering committee to oversee your organization’s RRS implementation efforts. This committee should include executives from all relevant areas, but IT, compliance, and legal are essential. This sends a loud and clear message about the importance of your organization’s records management policy and the RRS, as well as the priorities of company leadership.

In the middle, appointed records coordinators and stakeholders with knowledge of your organization’s records are essential to successfully implementing your RRS and other records program objectives. Records coordinators and stakeholders have a key role in business operations. This makes them ideally positioned to help put your records policy into practice and help resolve issues as they arise. That brings us to our first RRS implementation tip: Leverage those folks you identified and established great working relationships with during the information collection phase!

Position these individuals to be champions for your RRS among their colleagues and ideal records coordinators. Having them as allies and advocates will be tremendously helpful during your next phase of RRS implementation: your rollout.

Plan for Your Rollout

A solid strategy and implementation plan for your rollout must include a communication campaign, training, auditing, and metrics, to name a few. Also, take your time and carefully evaluate what resources you’ll need along the way. Two of the biggest missteps we most often hear about from clients are underestimating the scope of resources and the amount of time required for the rollout effort. So, for our second tip: Slow your Roll!

To help with this, consider rolling out in phases, starting with a pilot targeting a singular business area. This will help to make the process more manageable. It will also allow you to gauge any initial issues and fine-tune the process moving forward. Next in your process, but of no less importance:

Communicate! Communicate with Everyone!

The RRS and the organization’s overall records management policy must clearly state that records management is every employee’s responsibility. Everybody is sending email, creating documents, and utilizing messenger apps to generate records. However, with this comes the responsibility to manage and preserve these records. In your policy and follow-up communications, you must make clarify that the primary sender, recipient, or owner of each record is in the best position to manage and preserve it.

RRS simplicity and communication are the most important aids to successful implementation. Reminders and updates should be sent regularly. And don’t forget: communication isn’t a one-way street! Ensure that individuals throughout the organization know who to contact if they have questions or concerns.

But what are the best methods for communicating RRS obligations? Communication campaigns may be sent through routine channels such as internal employee memos and bulletins, but don’t be afraid to get creative on this! This brings us to your next tip: Find fun and interesting ways to communicate RIM updates and objectives.

Many perceive that RIM is a dry subject. But it doesn’t have to be. Records management communications can be more interesting and engaging through games, quizzes, trivia, etc. I may be biased, but RIM is fun! Your creativity doesn’t have to stop with your communications, either. One great area to use creativity is in our next topic for discussion: training.

Make Training a Thing

Training is truly an indispensable tool for implementing organizational change. It should be part of the employee onboarding process, and all employees should participate in refreshers. Consistency is key to engraving records management processes and RRS into employees’ day-to-day routines. The training materials, policies, procedures, and RRS should be centrally available and always accessible. Also, and for our fourth tip:  Create easy-to-follow slide decks and videos for training purposes.

Further, don’t be afraid to find ways to reward compliance through various incentives, including financial, awards, or other types of special recognition.

Check-Ins & Measurable Results

As they say, the proof is in the pudding! Put your program to the test by conducting periodic audits. Perform these annually, at least. Gather measurable data points and metrics to confirm compliance. Leverage the results to focus on and recalibrate areas not meeting standards. So, for our final tip: Develop Key Performance Indicators (KPIs) for your program. This helps you measure progress towards your organization’s goals.

Also, make sure your KPIs are discrete, concrete, and demonstrate positive benefits and risk mitigation.

Conclusion

An RRS that exists on paper or in name only leads to fictional compliance and a false sense of security. Don’t let your organization fall victim to the adverse risks, costs, and other consequences of a poorly implemented RRS. Through efforts like a detailed implementation plan, careful rollout, consistent enforcement, and regular reinforcement, your organization can avoid the most common pitfalls surrounding RRS non-compliance. Follow these tips and your implementation efforts are more likely to foster a culture where RRS adherence is second nature. To learn how our retention schedule management solution can help you develop and maintain your records retention schedule, contact Zasio.

 

Disclaimer: The purpose of this post is to provide general education on Information Governance topics. The statements are informational only and do not constitute legal advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.

Long gone are the days of intricate departmental records retention schedules—often very long, with duplicative record categories scattered across multiple business areas. Today, a simplified functional (or Big Bucket) records retention schedule (RRS) is the way to go and is now considered industry best practice. A 2018 multi-sectoral survey of practitioners confirmed that a simplified Big Bucket RRS significantly reduces the size of retention schedules and is easier to implement and maintain. [1]

After completing the Information Collection phase described in Part 1 of this series, you will ideally have information surrounding all of your organization’s operational processes and good representative record examples from each business area. The trick now is to organize this information in a way that is comprehensive yet easy to follow. This should be a piece of cake, right?!

Organize by Processes

In a functional RRS, functions represent the highest-level processes performed by the organization. For example, “Accounting,” “Product Development,” “Marketing,” “Sales,” etc., are key functions present in most organizations. The information is further organized into more granular processes, called Record Series, that house related output Record Types. The goal is to group closely interrelated record types, particularly when they have a similar business or operational recordkeeping value and a similar retention lifecycle.

How Big?

Be strategic about grouping processes and records together: bigger buckets aren’t always better, particularly where they introduce an unacceptable amount of risk from over-retention. Often, a problem arises when buckets contain record types for which long-term retention is problematic. For example, privacy considerations often drive decisions to create strategic record series breakouts and smaller buckets for certain high-risk record types. Biometric information, CCTV video surveillance footage, and unsuccessful job applications are all record types commonly subject to restrictive recordkeeping laws mandating swift disposition. These are unsuitable for grouping into Big Buckets with other records. Be mindful of any records containing sensitive personal information, and avoid grouping these records into buckets with retention periods longer than legal recordkeeping requirements or your operational business needs.

Ultimately, your organization’s risk profile will help guide how aggressively you rely on big bucket record series. The key is to ensure that the benefit of a simplified RRS—enhanced administrative ease and increased compliance—outweighs any additional risks associated with longer retention periods or increased storage costs.

Set a Baseline Retention Period

Once you have finalized the simplified structure of your RRS, the next step is to set initial baseline retention periods for each record series. When an RRS covers many jurisdictions, having a baseline retention period instead of a unique retention period for each jurisdiction significantly eases administration. The baseline period should reflect the valuable information on business and operational retention needs previously gathered during the information collection process, and any known legal or regulatory recordkeeping requirements.

A full retention period is composed of an event trigger plus a period of time, such as “Duration of Employment + 5 Years.” The event trigger defines the event that will initiate the period of retention for disposition. Intricate event triggers can potentially overcomplicate the calculation of retention periods and become a barrier to successful RRS implementation, so strive to simplify event triggers whenever possible while being mindful of the underlying lifecycle of the records captured within your record series.

Research & Application

Once an initial baseline retention period is set, consider the relevant legal research to determine whether it is compliant with the recordkeeping requirements relevant to your newly devised record series.

When conducting research, cast a wide net that comprehensively covers research broadly applicable to your organization’s core general business processes as well as your specific industry. Focusing on the “Regulated Party” is the best way to decipher whether a recordkeeping requirement is relevant to your organization. A regulated party is a legal entity, organization, or enterprise regulated by a recordkeeping citation.  “Employers,” “Taxpayers,” “Companies,” etc., are regulated parties relating to core business functions that are almost always relevant. “Manufacturers,” “Financial Services Providers,” and “Insurers” are industry-specific regulated parties that only apply narrowly. Carefully read any definitions in the law to help determine whether your business fits the criteria to be considered the regulated party.

Research should consider both “minimum” and “maximum” legal recordkeeping requirements. Minimum requirements dictate the minimum length of time for retention. Maximum requirements, often privacy-based, set the longest amount of time a certain record or personal information may be retained.

When aligning identified relevant citations to your RRS,  seek to identify the record series that represents the best fit. Consider each citation’s regulated party, the scope of the regulated records, and other context gathered from the citation’s heading. The body of directly applicable research mapped to each record series will often help confirm the initial baseline retention period. If any requirements violate the baseline, adjustments to the baseline retention period or country exceptions may be necessary to bring the RRS into compliance. Several identified country exceptions longer than the initial global baseline indicate a possible global harmonization candidate and involve harmonizing the retention period to cover the exceptions. Trends across jurisdictions for maximum retention periods shorter than the baseline may also be helpful in assessing record series break-outs for privacy to account for mandated shorter retention periods. The finalization of the RRS should keep the overall goal of simplicity for increased adherence in mind.

Conclusion

The simplified “Big Bucket” RRS remains the best practice due to its process-based design and ease of implementation. Developing your organization’s simplified RRS is a significant undertaking best guided by professionals with expertise surrounding best practices and familiarity with relevant legal recordkeeping requirements. Ultimately, the level of effort, customization, and strategy dedicated to your RRS development will pay dividends in its risk mitigation, administrative ease, and compliance. Once successfully implemented, an RRS tailored to your organization’s unique records and regulatory profile that brings together information and input drawn from a wide cross-section of personnel and stakeholders will provide a solid foundation for legally defensible disposition. Successful RRS implementation is easier said than done; we plan to discuss this in the final part of this series.

Continue to Part 3.

[1] https://magazine.arma.org/2018/12/big-bucket-retention-objectives-issues-outcomes/

 

Disclaimer: The purpose of this post is to provide general education on Information Governance topics. The statements are informational only and do not constitute legal advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.

A records retention schedule (RRS) is truly the linchpin of a sound and legally defensible records management program. Each RRS must be designed to provide a balance between robust coverage of business operations on the one hand, and simplicity of use and administration on the other. A bottom-up approach that incorporates input from businesses and stakeholders at all levels in achieving this balance can further encourage adoption and foster a culture of adherence within the organization.

This three-part series will walk readers through several best practices surrounding RRS development and maintenance. Part 1 is an overview of best practices for information collection in support of designing and developing a customized retention schedule. Parts 2 & 3 will explore detailed practical approaches for building a simplified RRS and regularly maintaining that RRS to keep it current and relevant.

Information Collection – Overview & Objectives

The key objective of RRS development is to create a customized RRS that is tailored to the organization and reflective of its processes and operational information requirements. A template retention schedule may be suitable for some organizations in the early stages of their RIM program, but it is unlikely to fully address the complexities of each organization’s unique processes and culture. A customized RRS that includes all of the organization’s general business and industry-specific processes helps ensure that end-users can quickly and accurately identify their processes and records in the retention schedule, significantly enhancing ease of use and compliance outcomes. It is vital that the RRS be transparent and intuitive so that personnel can understand where their records fall within the RRS. This is important because end-user adherence increases compliance.

The information collection process gathers the details necessary for customization from knowledgeable individuals and record owners across the organization. At a minimum, this includes information detailing typical example record types and the business processes they support, an assessment of the short-term and long-term ongoing business and operational value or each record type, and any specific retention requirements of the business. Additional details can be captured during this time as well, including information on paper or electronic format requirements, storage locations, the presence of personal data, and any other information supporting classification. In the interest of efficiency and even bolstered backing and buy-in, an information collection exercise can also often align and achieve synergies with other parallel organizational projects and objectives including a data mapping project, a data privacy assessment, a full records inventory, or a records classification project.

The preferred method of information collection is to first distribute a survey that clearly lays out the information desired to be captured and allows participants ample time to provide responsive information. Once the surveys have been returned and analyzed, schedule a follow-up interview with each survey respondent to obtain additional details and clarifications. An additional important objective behind these interactions is building rapport with the record owners and other knowledgeable individuals within your organization – they will be critical to later implementation, so baking in their concerns and priorities from the outset can help prevent friction and significantly streamline the roll-out of the RRS. They will also be more likely to act as champions and proponents for compliance when they feel that they have “skin in the game” on the RRS. You may even be able to identify certain individuals well situated to act as records coordinators or to liaison with existing records coordinators. Information collection is the ideal opportunity to build partnerships to reinforce the RRS’s importance and lay the groundwork and support for additional RIM processes and initiatives as you continue to develop your program.

Conclusion

Ultimately, a robust information collection process will yield a comprehensive picture of an organization’s records and the processes they support. It is an essential step in the process of creating a bespoke RRS that is organic, intuitive, searchable, and end-user friendly. Equally important, it builds consensus and recruits champions for your RRS. In summary, thorough and comprehensive information collection lays the solid foundation needed to support the ultimate end goal: adherence and successful implementation of your RRS!

Continue to Part 2.

Disclaimer: The purpose of this post is to provide general education on Information Governance topics. The statements are informational only and do not constitute legal advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.

It’s no surprise that a global pandemic has created a lot of records, along with many questions surrounding these records. As organizations adapt to the new and constantly changing COVID-19 landscape, new processes and record outputs abound. We often get questions from our clients asking “is this a COVID-19 record?” and if yes, “how long should we be keeping this record?” Explicit authorities on company recordkeeping obligations have been slow to trickle down and are a bit of a patchwork with federal and state guidance provided only here and there.

This blog surveys a few of the common recordkeeping questions we’ve received and provides guidance on addressing COVID-19 records within your records retention schedule.

Is a confirmed COVID-19 case recordable?

Answer:  Maybe.

For U.S. Organizations:

The U.S. Occupational Safety and Health Administration (OSHA) has clarified that COVID-19 may be a recordable illness for covered employers if a worker is infected as a result of performing their work-related duties. This seems straightforward enough, but there are various criteria to determine whether the illness is recordable. For COVID-19 to be a recordable illness, the following must be met:

1. The case must be a confirmed case of COVID-19. Per the Centers for Disease Control (CDC), a confirmed COVID-19 case means laboratory confirmation of an individual’s test, with at least one respiratory specimen that has tested positive for SARSCoV-2, the virus that causes COVID-19.[1]
2. The case must be work-related as determined by a work-related analysis which includes a number of questions designed to determine whether the case is likely work-related;[2] This analysis is important since only work-related illnesses must be recorded and reported to OSHA.[3]
3. The instance involves one or more of the general recording criteria including medical treatment beyond first aid or considering the employee’s number of days away from work. OSHA’s definition of a recordable illness includes “both acute and chronic illnesses, such as, but not limited to, a skin disease, respiratory disorder or poisoning.” This definition is limited to abnormal conditions or disorders that exclude the common cold and the seasonal flu.[4]

By OSHA’s own admission, arriving at a work-related determination can be difficult given the ubiquity of community spread.[5] Nonetheless, any recordable COVID-19 illnesses must be retained for a period of 5 years consistent with the OSHA 300 log recordkeeping requirement. Similarly, it would be prudent to keep the work-related analysis for the same period of time in case of an audit.[6]

But what about organizations with international operations?

Organizations with international operations should consult jurisdiction-specific requirements. Research specific to the jurisdictions of your company’s operations is prudent to ensure appropriate retention periods are consulted as well as restrictions on the collection and retention of this class of employee health information. For example, the French CNIL prohibits employers from storing files related to information collected during automated processing of temperature screening of employees. However, CNIL states that the “data protection law does not apply to manual verification of temperatures where no information is retained.”[7]

How long do we need to keep temperature checks of employees taken for building entry purposes?

Answer: Possibly as long as the duration of employment plus 30 years if it meets the definition of a medical record, but a much shorter duration if not.

Employee temperature checks are not usually permitted, but exceptions have been made during the pandemic. Per Equal Employment Opportunity Commission (EEOC) guidelines, employee temperature checks are permitted to determine whether an employee should be excluded from the workplace in the interest of public health.[8] Temperature checks may constitute a medical record,[9] and thus be subject to a 30-year retention period.[10] The definition of an employee medical record under OSHA is very particular:

[A] record concerning the health status of an employee that is made or maintained by a physician, nurse or other healthcare personnel, or technician, including medical and employment questionnaires or histories, the results of medical exams, lab test results, medical opinions/doctor’s recommendations, first aid records, employee medical complaints, and descriptions of treatment or prescriptions.[11]

If this information is collected by an individual that doesn’t meet the above criteria, then it is unclear whether it constitutes a medical record subject to a 30-year retention period.[12]

Privacy Considerations

Determining the appropriate retention period for any COVID-19 related record is important for a number of reasons, including privacy considerations. Given the sensitive nature of health information, employers often minimize the amount of health information they collect. For example, when collecting employee health questionnaires, rather than record an employee’s temperature, employers may record a “yes” or “no” response to the question of whether the temperature meets the threshold for a fever.

Zasio recommends minimizing or even eliminating the amount of personal information an employer collects in proportion to the purpose for which it is collected. If collecting information constituting an employee’s medical record is unnecessary, then collecting a minimal amount of information may be considered more transitory in nature.

Conclusion

The advent of COVID-19 records presents an opportunity for us in the records and information management industry to put our skills to the test. Determining how to categorize these records and assessing the appropriate retention period requires an analysis of a number of factors; it is important to consider the business process(es) associated with the records, the purpose for which the record was created or is needed, business and operational considerations, along with an understanding of the relevant laws and regulations, including privacy. To top it off, organizations grapple with the potential of long-term risks and this certainly plays a part in how COVID-19 related records are being maintained.

For guidance and assistance navigating the complexities of your organization’s COVID-19 related records, please contact Zasio for assistance.

[1] https://www.cdc.gov/coronavirus/2019-ncov/hcp/testing-overview.html

[2] https://www.osha.gov/memos/2020-05-19/revised-enforcement-guidance-recording-cases-coronavirus-disease-2019-covid-19#_ftn4

[3] 29 CFR 1904.4

[4] 29 CFR 1904.7

[5] See Occupational Safety and Health Administration, May 19, 2020 Memorandum for Regional Administrators State Plan Designees, accessed at: https://www.osha.gov/memos/2020-05-19/revised-enforcement-guidance-recording-cases-coronavirus-disease-2019-covid-19

[6] 29 CFR 1904.30

[7] https://www.dataguidance.com/opinion/france-cnil-issues-guidance-employers-personal-data-collection-during-coronavirus-lockdown

[8] https://www.eeoc.gov/laws/guidance/pandemic-preparedness-workplace-and-americans-disabilities-act#q7

[9] 1910.1020(c)(6)

[10] 1910.1020(d)(1)(i)

[11] https://www.osha.gov/sites/default/files/publications/OSHA4045.pdf

[12] Id.

Disclaimer: The purpose of this post is to provide general education on Information Governance topics. The statements are informational only and do not constitute legal advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.

The records and information management world has experienced a gradual yet seismic ideological shift in recent years. Long gone are the days of thinking solely in terms of HOW LONG MUST WE KEEP this information. Today, companies also think strategically, practically, and with privacy legal compliance in mind when it comes to managing their records and information. In this day and age, special considerations such as big data and privacy increasingly drive initiatives. Companies are now asking an equally important question of HOW SOON SHOULD WE DELETE this information, as well as HOW MUST WE DISPOSE OF IT?

Why does privacy data deserve its own deletion policy?

Organizations replete with privacy data increasingly recognize that the traditional records retention schedule alone is not sufficient to address privacy data for several reasons.

• Data typically resides within systems and can easily get lost in the mix; this also makes it difficult to locate and recover this data!
• Data is not considered a “record” per se; but, rather it is the outputs from the data’s system that typically qualify as records subject to the traditional records retention schedule;
• With the exception of privacy data, data is not typically subject to legal retention or mandatory deletion requirements, and are primarily governed by business and operational requirements;
• Pressing “Delete” is not good enough! The deletion or anonymization treatment of privacy data must meet specific criteria to satisfy the legal requirements and guidelines;
• Privacy data may now be subject to deletion requests, requiring companies to track down the location of any piece of data related to an employee, consumer, patient, etc., wherever it may reside whether internally or with third parties.

Important Components and Where to Start

1. Personal Data Information Collection
If you are going to set up privacy data governance, it is important to get a handle on your organization’s privacy data. An important first step is to create an inventory of all personal data maintained by the company. Include descriptions and definitions of the data, its location, method of storage including types of systems and applications, and other information related to the processes surrounding the data and its flow through the organization. This is also an opportune time to glean details surrounding the business and operational value of the information and how long the record owners legitimately need to hold on to the data. This fundamental information collection is important in the proper governance of privacy data: the data cannot be properly managed unless the company knows the what, where, and how of its privacy data.

Asking questions about record outputs and business processes that utilize and rely on the privacy data is vital knowledge. Understanding the records that relate to the privacy data is helpful in building a bridge between the data and the records retention schedule categorization and determining the appropriate retention period for these data and records.

2. Personal Data Categorization
Once you have a good handle on your organization’s privacy data and its output record, this information will facilitate an alignment or mapping of the privacy data to the records retention schedule for purposes of determining the appropriate retention period and ongoing maintenance. Your organization’s retention schedule can be leveraged to manage retention periods for privacy data!

3. Retention Period Determination
Determining the appropriate retention periods for privacy data is an important part of the equation. Privacy laws, and principles in general, limit the amount of time that PII may be kept to the amount of time necessary to satisfy the purpose for which it was collected. Seemingly straightforward, the lines may be blurred where privacy data is collected to serve multiple purposes. For instance, privacy data related to an employee’s social security number will likely need to be retained for the duration of employee’s employment and is a fundamental component of a personnel record to be retained for the Duration of Employment + x Years. But this data may also support the payment of pension benefits which may extend many years beyond the employee’s employment and until that last benefit payment. In this case, the privacy data would need to be considered within both categories. The longest retention period of the two would ultimately support the appropriate retention period for the ongoing processing of that data. Ultimately, the appropriate retention period satisfies the minimum applicable legal requirements as well as supporting business, operational, or other legitimate basis for maintaining such information.

4. Deletion
Finally, that good old “Delete” key may suffice for erasure of certain data, but for privacy information, this is simply not good enough. With regards to methods of deletion, the standard age-old approach for end-user deletion includes deleting the file and emptying the recycling bin. Taking this a step further involves deleting and reformatting the computer drive that keeps the data files. Unfortunately, neither approach is necessarily sufficient for privacy data according to privacy laws including the GDPR. Although deleted, these files have not been erased completely and are still recoverable from the hard drive, and potentially vulnerable in the case of a malware or other type of cyber-attack. Further steps must be taken to ensure the information is truly deleted and not recoverable.

In summary, if your organization is concerned about their privacy data, including where it is, how long it is being maintained, etc., a privacy data deletion policy should be considered. The foregoing includes several components to get you well on your way. Please reach out to Zasio’s professionals and we can assist you and your organization with your privacy initiatives.