Records Management Policy & Procedures: Essential Guidance

According to the content management experts at TechTarget, records management is the “supervision and administration of digital or paper records, regardless of format,” and includes such activities as “the creation, receipt, maintenance, use and disposal of records.” TechTarget also notes that in this context, a “record” refers to any content that documents a business transaction.

One of the most important aspects of records management — and indeed, any records management program — are data retention policies, also known as records retention policies. A data retention policy is a business’ established protocol for maintaining information and typically defines:

• What data needs to be retained
• The format in which it should be kept
• How long it should be stored for
• Whether it should eventually be archived or deleted
• Who has the authority to dispose of it, and
• What procedure to follow in the event of a policy violation

Data retention policies are designed to ensure proper records management in accordance with relevant legal statutes and regulations, but come with the added bonus of enhancing organizational efficiency.

A well-defined, clearly communicated and routinely enforced records management program can help organizations both large and small:

• Retain Business-Critical Records
  Organizations send, receive and generate massive quantities of data on a daily basis, often in the form of electronic records. Records management helps ensure that all business transactions, activities and decisions are carefully documented and filed away for future reference.
• Preserve Records Using a Standardized Format
  From how your employees name individual files to specifying what file formats they use, adopting records management policies can help ensure that every member of your team is on the same page about records retention and follows a consistent approach.
• Enhance Operational Efficiency
  With all employees following the same file naming and storage conventions, business leaders can more efficiently categorize electronic records, ensuring that they end up in the proper location. The more organized a company’s record keeping, the easier it is to search for important documents and data at a later date; this efficient approach to records retrieval is absolutely essential for eDiscovery purposes.
• Ensure Regulatory Compliance
  As you’ll see momentarily, many regulations — both industry-specific and general — include language around records management and, in some cases, specific records retention requirements. Depending on the industry in which your organization operates or the type of data it handles, you may be subject to certain regulations. Having a records management program in place can go a long way toward ensuring compliance — and avoiding the unpleasant consequences of non-compliance.
• Avoid Holding on to Outdated Records
  Most records retention policies include specific instructions on how long data is meant to be stored, and how data is meant to be disposed of once that retention period is over. By defining specific retention periods and disposal instructions, your organization can avoid storing outdated and unnecessary records — which, in turn, reduces requisite storage volumes and costs.
• Reduce Operational Costs
  As noted, by defining records retention periods and safely disposing of data once those periods end, you can reduce the amount of storage volume dedicated to housing outdated and unnecessary records, lowering your organization’s operational costs in the long run.

There are a vast number of industry-specific regulations with stated requirements in regards to records management, retention and storage; here are just a few:

• The Health Information Portability and Accountability Act (HIPAA)
  Designed to protect patients’ individually identifiable health information from fraud and theft and to dictate how that information can be distributed, HIPAA requires healthcare organizations to restrict access to certain records.

  HIPAA also includes specific requirements about how records containing patients’ health information must be disposed of and destroyed to further ensure confidentiality. Consequences for HIPAA non-compliance include both civil and criminal penalties.

• The Sarbanes-Oxley (SOX) Act
  SOX, which was signed into law in 2002, introduced financial record keeping and reporting requirements for corporations. From a records management standpoint, SOX defines which records are considered “relevant work papers,” prohibits the destruction and falsification of those records and enforces a five-year retention period for publicly traded companies. Consequences for SOX non-compliance include both civil and criminal penalties.
• SEC 17a-4
  Enforced by the Financial Industry Regulatory Authority, or FINRA, SEC 17a-4 establishes record keeping requirements for broker-dealers, including the retention and furnishing of copies of records relevant to public interest.

  At a basic level, SEC 17a-4 requires broker-dealers to retain all business records for a six-year period on non-rewritable and non-erasable media. SEC 17a-4 also requires firms that store records electronically to maintain a relationship with the third-party provider responsible for storing their data. Firms that fail to comply with SEC 17a-4 face severe financial penalties for each individual infraction.

• The Family Educational Rights and Privacy Act (FERPA)
  FERPA is a federal law designed to protect the privacy of student education records and applies to all educational institutions and agencies funded by the U.S. Department of Education.

  Under FERPA, educational institutions and agencies are required to reproduce requested education records to a parent, legal guardian or student within a 45-day window and amend those records as requested. FERPA also prohibits schools from sharing education records without the written consent of a parent, legal guardian or student. Institutions and agencies that fail to comply with FERPA risk financial penalties, lawsuits, prosecution and loss of federal funding.

• The Gramm-Leach Bliley Act (GLBA)
  GLBA is a U.S. federal regulation that aims to protect consumers’ financial privacy by requiring financial institutions to explain their information-sharing practices with their customers. More specifically, GLBA requires financial institutions to:
  • Issue a written notice to customers explaining their privacy policies and practices — and remind them of those policies and practices on an annual basis
  • Implement a written information security program — one that extends to an institution’s third-party service providers — in the interest of safeguarding customers’ information
  • Implement additional security measures to detect and mitigate unauthorized access to customer information and financial records

Consequences for GLBA non-compliance include both civil and criminal penalties.

• The Freedom of Information Act (FOIA)
  FOIA is a U.S. federal law that grants members of the public the right to request access to federal agency records (barring certain exceptions). FOIA’s federal records retention requirements stipulate that agencies must respond to all requests within 20 business days, which can be challenging given the volume of physical and digital records agencies possess and must sort through. Any agency that fails to reply to an FOIA request could be subject to litigation. Fortunately,  well-defined records management policies allow for better organization, making it easier for agencies to quickly retrieve necessary records and respond to requests.

In addition to industry-specific regulations, there are also general regulations that impact all industries and sectors — perhaps the most famous being the General Data Protection Regulation or GDPR.

GDPR is a regulation that was created by the European Union (EU) to protect the personal and private data of citizens of the EU and within the European Economic Area and to establish a standard for data security laws across Europe. Although GDPR was created by the EU, it applies to any organization — including those in the U.S. — that processes the data of EU citizens.

At a high level, GDPR includes specific requirements about how data should be processed, how long data can be stored and how data must be disposed of. Organizations that fail to comply with GDPR face substantial fines, with the maximum fine to date coming in at €50 million.

Given the wide variety of regulations with specific records management stipulations — and the consequences of non-compliance — it’s easy to see why a strong records management program is so essential.

When developing a records management program for your organization, be sure to do the following:

• Complete a Full Inventory of All Current Records
  Before you can define records management policies, you first need an idea of what records you currently have on hand and are responsible for maintaining. You can achieve this by conducting a full inventory of your existing records and classifying and categorizing them based on what format they’re stored in, where they’re stored, what they’re used for, whether they contain sensitive information and so on.
• Determine Who Will Be Responsible for Managing Your Program
  This person will be responsible not only for enforcing your various records management policies, but also for setting access controls and closely monitoring which employees access which records (and why) to ensure data security.
• Establish a Records Retention Schedule
  How long your organization needs to hold on to records will depend on a number of factors, including what your business needs are, what regulations or legal obligations your organization is subject to, the different types of data you intend to retain and so on. When defining a data retention policy (or policies, as may be the cast), be sure to communicate to your customers, subscribers and users what type of information you intend to hold on to, how it will be stored and how it will be used.
• Identify the Best Method for Storing & Managing Records
  Some organizations prefer to store and manage all of their electronic records in-house using on-premise servers, while others prefer to work with third-party providers and store their data in the cloud. Some organizations choose to use a different system for each type of file format, whereas others prefer an all-in-one platform. Ultimately, how you actually plan on storing and managing your records depends entirely on your organization’s unique needs.
• Develop a Disaster Recovery Plan
  One of the challenges with storing and maintaining electronic records is that if systems — be they in-house or belonging to your third-party providers — unexpectedly go down, you risk substantial data loss. To prevent that from happening, it’s important to have a disaster recovery plan in place and to use backup software.
• Develop a Plan for Disposing of Records
  Unlike paper records, which can be easily disposed of through shredding or incineration, electronic records are more challenging to destroy, as deletion alone does not guarantee total erasure. Overwriting, degaussing and the physical destruction of storage media (CDs, DVDs, hard drives and so on) are more effective methods of disposal.

  When developing a disposal plan, be sure to check whether your organization is subject to any industry-specific requirements, which may include utilizing only approved disposal methods.

• Document All Records Management Policies
  Once your records management policies are defined, it’s imperative that you create clear documentation to support them and share them with your employees
• Train Your Employees
  Sharing documented records management policies with your employees isn’t enough — in order for your records management program to be truly effective, your employees need to know and understand all related policies, processes and procedures to promote organization-wide adherence. Conducting regular training sessions for current employees and new hires can be an effective means of ensuring complete understanding.
• Reevaluate Your Records Management Program as Needed
  Regulatory and business requirements change over time, so it’s important to reassess your records management program on a regular basis — ideally once a year — to ensure that it continues to meet your organization’s needs.

A clearly defined data retention policy is an integral component of any effective records management program. Take the first step toward building your records management program with our free data retention policy plan template.

Download the Template