Information governance is a relatively new term in the complex world of records and information management (RIM). It centers around maximizing the use and efficiency of information while simultaneously mitigating risks. This requires the ability to secure information from creation to storage to disposition.
Principles of Information Governance
- Record: All information collected by an organization has the potential to be considered a record. This would include reports, emails, memos, jotted notes, forms, and more. Records can be stored on paper, computer, email, removable drives, tape, etc., but regardless of how the information is stored, it must still be protected.
- Controlled Records: These are records that must be kept for a set period of time before disposal due to legal requirements or value to the organization.
- Incidental Records: Records that have no lifespan beyond their immediate usefulness. Examples are memos, drafts of communication, flawed copies, etc. These records can still contain protected information, but they have no required retention period and can be securely disposed of as soon as they have no immediate use.
- Duplicate Records: These are copies of controlled records or records which contain the same information as controlled records. Duplicate records have no required retention period and, like incidental records, can be destroyed when they no longer have an immediate use. It is important to dispose of duplicate records by the time the original records have been destroyed.
- Classification: All records should be classified based on their sensitivity and protection status. This makes it easy for employees to understand when items should be disposed of and also enables the organization to develop protocols to protect the information during the time prior to disposition.
- Retention Schedule: Retention refers to how long a controlled record must be kept prior to disposition. A retention schedule assigns expiration dates to records based on the types of information they contain. For instance, if an organization retains financial transactions for seven years, a financial record created today will expire exactly seven years from now. Using classifications in conjunction with a retention schedule makes it easy to know which items need to be destroyed on an ongoing basis.
- Disposition: This refers to the secure destruction of a record when it has reached the end of its retention period. Proper disposition protects the organization from the cost of storing obsolete records, future legal discovery, and increased risk of unauthorized access.
- Certificate of Destruction (CoD): This is a transactional document issued in paper or electronically that documents which records were destroyed and the time, date and location of their destruction.
Key Steps for Information Governance
Every organization needs clear policies and protocols for the retention and disposition of both incidental and controlled records. We recommend having a qualified legal professional create or at least review any retention policy prior to its adoption.
Controlled records should be classified and indexed, preferably with clear retention codes or expiration dates.
While records are still in their retention period, it is important they have adequate security to prevent damage and unauthorized access.
When records reach the end of their retention period, they should be regularly and securely destroyed. Regularly means disposing of expired records on a regular schedule such as monthly or quarterly. Securely means that the information contained in the records is rendered unreadable by the destruction process.
Risks of Retaining Unnecessary Records
- Legal Discovery: Legal discovery can only apply to records that exist at that time. Regular disposition of unneeded records means fewer records can be called for evidence and also makes it easier to find and produce relevant records because there are fewer unnecessary records to search through.
- Adverse Inference: Eventually records will have to be disposed of; however, disposing of records sporadically could be interpreted as deceptive in the event of an audit, civil suit or criminal prosecution. On the other hand, evidence of a regular retention schedule mitigates suspicions about why records were destroyed.
- Unauthorized Access: The longer records are kept past their retention period, the more records will pile up and collect dust in your storage space. This means an ever-growing number of records you must store and protect, which means an ever-growing risk of a breach.