Many Records and Information Management (RIM) professionals hear the question, “Why is RIM necessary?” My short answer is that effective RIM saves your company money, makes it more efficient, and reduces its risk. I want to expand on that answer by listing some of the ways a good RIM program can work for you.

Disposition of Records

So why not just keep everything?  One reason is for certain types of records, disposition is required by law. For example, in some locations, it’s mandatory to dispose of Personally Identifiable Information after a short period. Also, disposition of records reduces the quantity of information to search when looking for records. Less information translates into increased retrieval efficiency for employees. It also reduces the risk that excessive billable hours will be needed to identify relevant information for discovery requests. Both are examples of how managing the growth of information reduces risk and increases efficiency.

Records Retention Schedules

A foundation for a good RIM Program is a Records Retention Schedule (RRS). When properly constructed and implemented, they allow for the reasonable disposition of records. Otherwise, regulators and courts might criticize the intent behind records disposition activities. To be reasonable, disposition should be based on business needs, legal requirements, and common practice.

Legal Requirements

RIM programs promote compliance with legal requirements. How? They research and analyze legal requirements to ensure proper retention, handling, and disposition of records. Proper retention of records prevents sanctions and other penalties for non-compliance. Sanctions for improper RIM can be significant, reaching up to seven-figures for certain offenses.

Legal Holds and RIM Policies

Along with the RRS, it’s necessary to create a legal hold policy. The hold delays normal disposition for records involved in pending or anticipated litigation. Also, rolling-out the RRS requires creating and revising supporting policies and procedures. Once drafted, training is necessary to educate current and future employees about the policies. It’s also necessary to conduct audits to ensure compliance with the policies.

Disposition Days

One way many companies promote compliance is to implement “disposition days.” These are days dedicated to organizing and disposing of records and other information. The RRS guides disposition and policies exclude records that are subject to legal holds.

Email Management

One common source of growth in records and information is email. However, email itself is not a record; it’s a tool used to transmit records. Avoid using it as a storage system, so it doesn’t become a dumping ground. Policies, procedures, and guidelines will help employees properly file records from email. Retain routine email short term unless needed for business reasons.

Business Continuity

RIM programs help reduce risks caused by disasters. They do this by planning to ensure continued operation if disaster strikes. Vital records needed for continued operation should be identified. Then, steps are taken to protect that information against the risks for potential disaster types.

Remember, Zasio is here to help with your RIM needs. Contact our Consulting department today for help kicking off or refreshing you RIM program.

Disclaimer: The purpose of this post is to provide general education on Information Governance topics. The statements are informational only and do not constitute legal advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.

Employees from Peacock Foods recently filed a class action suit against their employer. The group claims the company violated the Illinois Biometric Identifier Privacy Act. The employees say the company collected their fingerprints when they clocked in and out of work. They also claim the company didn’t follow the mandates meant to protect this information.

This Act requires private entities who collect biometric identifiers, such as iris scans, fingerprints, and even photos to create a written retention schedule. This schedule must be available to the public, specify why this data is collected, and include plans to destroy the records as soon as the retention period ends. Before they collect data, the company must have a written release from an individual.

So, how long can the company keep the records? Just long enough to use them for the purpose for which they were collected.

This group of employees said Peacock Foods violated all three areas of this act. The employees claim they didn’t know why the company collected their fingerprints. They also assert that they didn’t permit the company to collect and retain their fingerprint records. To add to that, they weren’t given a written notice of this policy. They also allege that they didn’t know the retention period for those records.

Peacock Foods Lessons for Records and Information Management

Although this lawsuit stems from a specific U.S. state law, the issue of unlawful collection of sensitive personally identifiable information (PII) is an issue that affects every company. This lawsuit and other similar suits should put all companies on notice. Stricter laws that control how companies collect and retain this category of PII are increasing across the U.S. These records are subject to even stricter standards across Europe. The European Union General Data Protection Regulation (GDPR), which goes into effect May, 2018, will increase regulations on these records.

Records and information management professionals should consider the following steps as they deal with PII:

1. Keep a list of the of biometric identifier records the company maintains.
2. Ensure policies, procedures, and retention schedules consider the sensitivity of PII.
3. Identify the need for PII information. Make reasons to collect PII public knowledge.
4. Adopt tailored retention periods so records aren’t kept longer than necessary;
5. Stay up-to-date on relevant privacy laws. Your company is subject to privacy laws in most U.S. and international jurisdictions.

As a records and information management expert, you can prepare by staying on top of evolving privacy laws. A proactive approach is the best way to adapt to new changes. Preparation ensures that your company remains compliant and reduces risks.

Disclaimer: The purpose of this post is to provide general education on Information Governance topics. The statements are informational only and do not constitute legal advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.

Countries are continuing to escalate restrictions on storage location and transfers of data, with China being the most recent to follow suit. China broadened its cybersecurity initiatives significantly in 2016 with the release of the Cybersecurity Law (Law). Scheduled to come into effect June 1, 2017, the Law introduced many new requirements concerning the handling of personally identifiable information (PII). Among the most controversial is the data localization mandate requiring “operators of key information structure” (CIIOs) to retain critical data and PII generated within the course of business in China. Specifically, the Law requires “personal information and other important data gathered or produced” during CIIO operations to be kept within the “mainland territory of the People’s Republic of China.” [1]

The definition of a CIIO in the Law is ambiguous and described as public-facing entities that maintain “critical information infrastructure that if destroyed, losing function or leaking data might seriously endanger national security, national welfare and the people’s livelihood…” Examples of the sectors subject to this definition include businesses operating in public communications and information services, power, traffic, water, etc., which may very well implicate multinational corporations (Multinationals).

On April 11, 2017, the Cyberspace Administration of China released the draft Measures for Security Assessment of Outbound Transmission of Personal Information and Important Data (Draft Measures). Designed to implement the Law, the Draft Measures take a more expansive approach and extend the data localization requirements to Network Operators, in addition to CIIOs.

The definition of Network Operators includes, “those who own or administer a network, and to network service providers.”[2]  Based on this definition, the reach of the law now extends to not only network service providers, but also those who own or administer a network, which is conceivably any private company, including Multinationals.

Although the Draft Measures are not final, they do offer a strong indication of things to come. The language of the Law and Draft Measures appear crafted ambiguously and broadly to impose sweeping measures on a range of entities, including Multinationals. For this reason, it is important for Multinationals to stay abreast of these changes and prepare for compliance once the Law and Draft Measures are effective.

Contact Zasio today to see how our consulting services can help you stay complaint and ahead of the laws evolving around the world.

 

Disclaimer: The purpose of this post is to provide general education on Information Governance topics. The statements are informational only and do not constitute legal advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.

 

[1] http://www.chinalawtranslate.com/cybersecuritylaw/?lang=en

[2] https://www.huntonprivacyblog.com/wp-content/uploads/sites/18/2017/04/Draft-of-Measures-on-Security-Assessments-for-Public-Comment-English-translation-c.pdf

As companies of all sizes begin to store data in the cloud, privacy issues have become big news. Apple co-founder Steve Wozniak commented on the cloud, saying that “the more we transfer everything onto the web, onto the cloud, the less we’re going to have control over it.”[1] A major problem for companies is a lack of control over data. Companies often depend on service providers to secure, protect, and maintain access to critical company information. The issues companies face as they try to keep data compliant in the cloud don’t end there. Privacy laws are more common and carry stricter requirements and penalties. This means it’s vital to comply with personally identifiable information (PII) mandates, including jurisdiction-specific requirements, no matter where your information is stored.

In response to jurisdictional issues and confusion over inconsistent Data Privacy Security and Transfer Requirements, a group of 44 lawyers from 32 countries took action. They created an initiative titled “The Data Privacy Compliance Cloud Privacy Check” (CPC/DPC) to provide straightforward guidance.[2]  By providing a “Cloud Privacy Check process,” the CPC/DPC helps cloud users navigate data protection obligations. The questions include:

1. Does the transaction include any personally identifiable information?
2. Does a third party involved in the setup of the cloud process have access to personal data?
3. Does the data leave the jurisdiction of the customer?
4. Is the cloud provider using subcontractors in the setup?

Questions 1 and 2 guide whether PII obligations exist. Questions 3 and 4 define the obligations to manage PII in the cloud. In addition to this handy checklist, the CPC/DPC provides comparisons of privacy requirements across 32 countries. Country-specific reports help companies understand and plan for the complexities of maintaining information across borders.

The nature of and increasing reliance on cloud storage presents unique challenges for information and records management. Information governance holds data—local- and cloud-based—to the same standards. It is important to maintain cloud-based information in line with company policies and all governing laws and regulations. As the CPC/DPC Checklist shows, an assessment can go a long way to ensure your business manages all information appropriately.

Contact Zasio today for a privacy impact assessment to help you navigate challenges proactively. Whether your data is stored locally or in the cloud, we can help you stay compliant.

 

Disclaimer: The purpose of this post is to provide general education on Information Governance topics. The statements are informational only and do not constitute legal advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.

 

[1] http://www.forbes.com/sites/joemckendrick/2012/08/06/apple-co-founder-steve-wozniak-distrusts-the-cloud-is-he-right/#50c5c7b47ef8

[2] https://cloudprivacycheck.eu/

Data breaches are an everyday occurrence that demonstrate no enterprise or individual is impervious to vulnerabilities. In 2015, there were 781 known data breaches in the U.S., the second highest year since the Identity Theft Resource Center began tracking them in 2005.[1] Between this influx of breaches and rapidly evolving and emerging privacy laws, it is no wonder enterprises are struggling to protect and effectively manage personally identifiable information (PII).

The sources of PII maintained by enterprises range from internal employee information to customers and vendors, and are pervasive because PII likely impacts a significant part of the enterprise’s records retention schedule (RRS). Identifying what records are subject to PII laws is fundamental to any strategy for effectively managing PII. While this task seems simple enough, making such a determination is ultimately dependent upon the jurisdiction(s) that are relevant to the PII. For enterprises that operate in various U.S. states and/or internationally, it becomes increasingly complex to reconcile requirements across different jurisdictions.

To provide initial guidance on identification and management of PII through an RRS, I’ve provided a few examples of U.S. privacy laws that may impact a company, followed by a checklist to help with this process.

U.S. State Laws

Within the U.S., there is no uniform definition for PII, but rather it is defined by various federal and state laws and agencies. On one end of the spectrum, California takes the lead with an aggressive privacy approach. In California, personal information includes an individual’s first name or initial combined with one or more other elements “when the name or data elements are not encrypted”, including social security number, driver’s license number, medical or health insurance information, along with an extensive list of other companion elements.[2] Several other states adopt a similar multi-factor approach but limit the definitional scope to fewer components that constitute PII when combined, thus imposing less restrictive standards.

U.S. Federal Laws

In contrast to the state approach, U.S. Federal laws take a broader approach in defining personal information. An example of this can be found in the Gramm-Leach-Bliley Act of 1999, which defines personally identifiable personal information as “nonpublic personal information.”[3] The General Services Administration, in its privacy policy applicable to contractors, defines PII at a minimum to include “information which can be used to distinguish or trace an individual’s identity, such as their name, social security number, biometric records, etc.”[4]

Initial Checklist

By first understanding and identifying the various types of PII mandated per jurisdiction, records and information management professionals can confidently devise an RRS strategy during their efforts to initiate and maintain a program that effectively manages this information. An initial checklist to help with this process may include some of the following:

• Identify the relevant jurisdictions and regulators. For purposes of PII, this should consider not only the enterprise’s places of operation, but also the jurisdictions from which the PII is collected.

• Identify privacy laws which may be applicable to the enterprise. These should include those that are broadly applicable to the enterprise’s business as well as those that are specific to its industry.

• Survey and summarize the privacy laws applicable to the enterprise.

• Where multiple jurisdictions are involved, consider focusing on the most stringent PII standards you identified when evaluating the RRS to facilitate a strategy that can be uniformly implemented and followed.

• Identify examples and record series within the RRS that meet the criteria required by the identified PII laws. Identifying the particular records and business processes that involve PII and mapping those requirements to the schedule will be helpful for the initial and ongoing efforts.

Disclaimer: The purpose of this post is to provide general education on Information Governance topics. The statements are informational only and do not constitute legal advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.

 

[1] http://www.idtheftcenter.org/ITRC-Surveys-Studies/2015databreaches.html

[2] CAL. CIV. CODE § 1798.82(h)

[3] 15 U.S.C. § 6809(4)(A) (2006)

[4] http://www.gsa.gov/portal/content/104256