Strict HIPAA regulations govern patient medical information security in healthcare organizations. To create policies consistent with those rules, Michael Gaskin, director of information services at Sequoia Community Health Centers, purchased a HIPAA security toolkit. "The toolkit made it easy for me to review documents and know what I must include in my plan, " says Gaskin. The kit's workflow examples continue to inform Gaskin about compliance needs and how to refine his document retention policies.

Balance Stakeholder Interests

For ArcelorMittal Americas CIO Leon Schumacher, the challenge is making sure the interests of different stakeholders—users, legal, IT—are considered when developing a retention policy. "Each has specific issues that they want to address. Good communication before and during such definition phases is critical for success," he says.

The delicate balance between users' storage needs and retention guidelines is hard to strike. For example, Schumacher's team created management policies for personal storage limits, including how much e-mail people can maintain. But the team heard complaints that users weren't getting enough space. Schumacher responded by introducing policies at two levels: one for management, which gets 500MB of storage, and one for general users, which get 250MB. The team is working on newer archiving solutions to further ease these constraints.

Plan for the Long Term

Policies must cover document retention over a long period. For a university, this is a huge issue given the length of time it must keep student loan data, transcripts and other federally mandated data. "One of the issues is to make sure that the documents in their electronic form can be upgraded and transitioned from one technology to the next over decades," says GWU's Bonig. So his team watches the storage landscape to stay abreast of any technology that would necessitate a business decision about whether to transfer retained documents.

Make It Pay

A good document retention policy can do more than avoid legal fines. At American Greetings Interactive, Senior VP and CTO Rajiv Jain has policies to archive everything on the desktop and retain all executive e-mails indefinitely. "Our e-mail retention policy has definitely come in handy. There was a disagreement over the fees associated with vendor negotiation. We were able to find the original archived e-mail from the vendor, which proved that we were right and did not owe the amount of money they claimed," says Jain.

The effort to build and enforce good document polices can provide a strategic advantage.

Most of GWU's back-office staff work at its Virginia campus 30 miles away. Only representatives for financial aid, undergrad admissions and other student offices sit in the D.C.-based Student Union. If a student has a difficult question, the rep may consult a staff expert in Virginia. Now they can look at the same document simultaneously, since Bonig and his team are digitizing documents for retention. "We improved our business process dramatically and can confidently say that we offer student services from anywhere," says Bonig.