The 2002 Sarbanes-Oxley regulations served as a wake-up call for CIOs to formalize document retention policies to meet compliance requirements. But regulatory demands—and the number of documents produced daily—continue to grow. So a solid document management process is a necessity. CIOs struggle with creating the policies, getting buy-in from the end users and managing the technology. Members of the CIO Executive Council, who meet regularly to discuss compliance approaches, share techniques that have made document retention policies work for them.
Get the Policy Right
The first step is making sure that the right items are covered in your document management policies. For this, CIOs can rely on business peers, outside counsel and special regulatory tool kits.
Tips for Crafting A Policy That Works
Offered by Ron Bonig of George Washington University, and Rajiv Jain of American Greetings Interactive
Properly define “document” to include information of all types—electronic or paper, historical or transient business record.
Clearly state who and what function is the relevant retention authority for the most widely used categories of documents.
Indicate the specific duration of retaining different types of documents.
Identify specific staff or functions that have appropriate read, write and edit access.
Clearly state the reasons that retention is necessary (e.g. Sarbanes-Oxley rules, HIPAA regulations). As those requirements change, the rationale for retention should be reviewed, and any changes to the retention period should be made.
State that if a file or folder contains multiple types of documents necessary for a coherent record, then the whole file or folder must be retained for the duration of the longest-held item.
Except when absolutely necessary, do not allow (or at least strongly discourage) the mixing of digital documents in storage. If document A needs to be retained for five years and document B needs to be retained for 20 years, keep them separate. You will reduce the cost of long-term storage and will avoid legal risks inherent in a failure to follow retention policies.
Give individual divisions or offices the authority to set retention policies for their own operational documents if approved by or coordinated with the General Counsel or Compliance Office.
“Initiating a high-level review of our document retention policies had to be a joint effort between myself and the general counsel. If we weren’t both involved, I don’t know how the effort could succeed,” says George Washington University CIO Ron Bonig. For instance, GWU receives subpoenas and e-discovery requests around contracting and personnel questions. To ensure colleagues’ participation and buy-in, Bonig stresses the fiscal importance of good policies and compliance. “The cost to the university in a federal lawsuit could be huge if we don’t properly address retention,” he says. “I put it in dollars, which really woke people up.”
Strict HIPAA regulations govern patient medical information security in healthcare organizations. To create policies consistent with those rules, Michael Gaskin, director of information services at Sequoia Community Health Centers, purchased a HIPAA security toolkit. “The toolkit made it easy for me to review documents and know what I must include in my plan, ” says Gaskin. The kit’s workflow examples continue to inform Gaskin about compliance needs and how to refine his document retention policies.
Balance Stakeholder Interests
For ArcelorMittal Americas CIO Leon Schumacher, the challenge is making sure the interests of different stakeholders—users, legal, IT—are considered when developing a retention policy. “Each has specific issues that they want to address. Good communication before and during such definition phases is critical for success,” he says.
The delicate balance between users’ storage needs and retention guidelines is hard to strike. For example, Schumacher’s team created management policies for personal storage limits, including how much e-mail people can maintain. But the team heard complaints that users weren’t getting enough space. Schumacher responded by introducing policies at two levels: one for management, which gets 500MB of storage, and one for general users, which get 250MB. The team is working on newer archiving solutions to further ease these constraints.
Plan for the Long Term
Policies must cover document retention over a long period. For a university, this is a huge issue given the length of time it must keep student loan data, transcripts and other federally mandated data. “One of the issues is to make sure that the documents in their electronic form can be upgraded and transitioned from one technology to the next over decades,” says GWU’s Bonig. So his team watches the storage landscape to stay abreast of any technology that would necessitate a business decision about whether to transfer retained documents.
Make It Pay
A good document retention policy can do more than avoid legal fines. At American Greetings Interactive, Senior VP and CTO Rajiv Jain has policies to archive everything on the desktop and retain all executive e-mails indefinitely. “Our e-mail retention policy has definitely come in handy. There was a disagreement over the fees associated with vendor negotiation. We were able to find the original archived e-mail from the vendor, which proved that we were right and did not owe the amount of money they claimed,” says Jain.
The effort to build and enforce good document polices can provide a strategic advantage.
Most of GWU’s back-office staff work at its Virginia campus 30 miles away. Only representatives for financial aid, undergrad admissions and other student offices sit in the D.C.-based Student Union. If a student has a difficult question, the rep may consult a staff expert in Virginia. Now they can look at the same document simultaneously, since Bonig and his team are digitizing documents for retention. “We improved our business process dramatically and can confidently say that we offer student services from anywhere,” says Bonig.