A document retention policy is a set of practices adopted by a company to guide how documents, records and other important information are to be stored, saved and destroyed. Companies adopt document retention policies for any number of reasons, but many do so in order to comply with state and federal laws mandating either specific retention periods for certain types of records or document destruction protocols. A comprehensive policy also plays a critical role in helping to determine the existence and location of certain records in the event of litigation. At a minimum, these policies can help to control document storage costs by eliminating retention of any records whose maintenance may no longer be necessary or required by law.
No two document retention policies will be exactly alike since each policy depends on the specific legal requirements to which a company is subject and tends to reflect a company’s particular priorities. In spite of these variations, the following points should be addressed in any document retention policy:
- The “Who”
Who within the corporate hierarchy will be responsible for managing and maintaining the records subject to the policy? Will it be one person or an entire department? Typically, the tasks of creating and implementing a document retention policy are assigned to the legal and compliance teams; however, in smaller companies without such departments, it is common to create a committee comprised of members from various departments to handle this work.
- The “What”
What records, data, documentation and information must be retained? This list should be explicitly spelled out in the policy, including reference to both specifically-named documents (i.e. a liability insurance policy) and categories or types of documents (i.e. tax-related documentation or HR files). Also, the policy should be clear that it covers both paper and electronic records. A properly written policy leaves no question as to the types of documentation which must be stored and those which are disposable.
- The “When”
When is it acceptable to dispose of documents subject to the policy? A retention policy should specify the retention period for each type of record, which is generally expressed in terms of months and/or years depending upon company preference and, of course, upon any applicable legal requirements. Likewise, the policy should include guidelines for the proper deletion/destruction of records that have passed their required preservation time.
- The “Where”
Where shall such records be maintained? Not only should the policy answer this question, but, more importantly, employees should be made aware of these requirements. For example, if the company uses a cloud-based storage system like Dropbox, the policy should explicitly instruct employees to store certain documents to a designated folder within Dropbox. Otherwise, it is entirely possible – even likely - that some documents may get lost in the “vast tundra” of an employee’s email inbox, or worse, become irretrievable if stored on the laptop of a departed employee. On a related note, employees should be instructed on the proper handling of information considered confidential, including which records should be treated as such and how to maintain confidentiality. Finally, employees must understand that any information stored in company email accounts or on company hardware is not considered private.
- The “How”
More specifically, how can a company ensure compliance with its document retention policy? Besides creating a comprehensive policy, a company should take steps to ensure its employees understand their role(s) as they relate to record creation, storage and disposal, as well as the consequences they may face if found in violation of the policy. Many companies will include document retention training as a component of new employee orientation or on-boarding, and may even ask their employees to sign a written acknowledgement that they have read and understand the policy. Last, but not least, it is good practice to review the policy annually to see if improvements or updates should be made.
While outside the scope of this blog post, it is worth noting that a comprehensive document retention policy will include specific procedures related to issues such as litigation holds, disaster recovery media and data security and privacy. Likewise, companies operating in certain industries may be legally required to address in their policies the proper handling of personally identifiable information or personal health information. Ultimately, the goal is to create a document retention policy that effectively manages your records and information, while furthering larger organizational objectives, requirements and principles.
If you have questions about creating or updating your document retention policy, please contact Kristin Kreuder at firstname.lastname@example.org or 203-803-8714.
Kristin Kreuder is a Member of our NY-area team with over 23 years of legal and business experience in both public and private corporations and in major NYC law firms. Kristin handles a wide range of legal matters, including mergers and acquisitions; commercial transactions; technology, media, licensing and sponsorship; capital markets, venture capital and private equity transactions; and a variety of general corporate and governance matters.