elevenM’s Laura McVey and Valerie Ng outline some considerations for organisations that are wondering who should be responsible for the retention and disposal policy, but don’t have a data or information governance team.
Your organisation’s retention and disposal policy, aka the document you never knew you always needed, now comes with a big question: who should own it?
This question is often asked by our clients, and it doesn’t always have a straightforward answer, especially for organisations that don’t have a Data Governance, Information Management or Information Governance team. Owning retention and disposal policies and schedules requires working with a mix of legal, risk, compliance, IT and data governance requirements, as well as with business teams. The right answer will differ between organisations.
Ideally, though, the retention and disposal policy and schedule should be owned by whichever function can give the policy the backing and resources it needs to succeed. This blog explores the different candidate owner areas and the reasoning for placing the retention and disposal schedule in each.
But first, we must understand what ownership typically involves.
Responsibilities of policy ownership
Owning a retention and disposal policy and schedule includes:
- Maintaining a register of disposal activity, including deletion and de-identification. The destruction of information involves input from multiple business areas and can probably be authorised by business unit managers, but oversight for the disposal process should be the responsibility of a single role to ensure accountability.
- Monitoring compliance with the schedule. It’s easy to put disposal off year after year. The owner of the retention and disposal policy must monitor the organisation’s compliance, and make risk-based decisions about which parts of the organisation need extra resources to meet their compliance obligations.
- Advocating for the policy. The owner of the policy must get the message out to the organisation that disposal is important, and why. Customer-facing organisations may be best compelled by focusing on privacy obligations, which require organisations to reduce personal information holdings where they are no longer required. Banking and energy organisations may be better compelled by Consumer Data Right obligations. Disposal also often supports the goals of other functions (which may be useful in finding allies), for example privacy, cyber security and IT.
Responsibilities of schedule ownership
Routine disposal requires cooperation from the whole organisation, regardless of who owns the policy and schedule. But it is important that this responsibility has been formally assigned, as this ensures that disposal is happening in line with the schedule (or, at least, improves the likelihood). The policy owner, as the accountable person, may delegate this responsibility. This means ensuring that:
- the information that is eligible for destruction is aligned with an applicable retention schedule class
- disposal records are being kept that can show that disposal is happening compliantly and transparently — just because information is disposed of does not mean it vanishes without a trace
- the schedule is up to date. A schedule that is based on an organisation’s business functions will likely not require much updating but tweaks may be required now and then
- business teams understand and execute the disposal schedule. This can mean developing or delivering training, getting involved in system design and implementation, system migrations, or managing disposal projects. All these activities often revolve around getting to understand the business’ information requirements.
Ownership of the retention and disposal policy and schedule involves a range of roles and responsibilities, which may be helped and/or hindered by where ownership sits within the organisation. Here are a few considerations when trying to select a business area to own retention and disposal.
Legal — considerations
| Good for: | Heavily regulated industries; maintaining the schedule with new obligations |
| Consider whether: | Natural allies, like Privacy, sit in the same business area |
Retention and disposal schedules often start with legislative and regulatory requirements: what does an organisation legally have to keep records about, and how long do those records need to be retained for? Being able to meet these requirements often impacts an organisation’s licence to operate, so any organisation in a heavily regulated industry will likely already have some awareness of its retention and disposal policy or schedule, or of the need for one. For this reason, it can often make sense for retention and disposal activities to be headed up by Legal.
There are advantages to this approach. A legal team may be best placed to keep a retention schedule in-step with changes in legislative or regulatory recordkeeping requirements, and to speak to the consequences of non-compliance.
There are also procedural practicalities. Legal teams are usually already involved in reviewing lists of information eligible for disposal. When an organisation anticipates litigation, legal dispute or regulatory investigation, the organisation must implement a ‘legal hold’ on all relevant information, which means disposal of that information must stop. This is why legal teams are asked to review lists of eligible information to be destroyed as part of the disposal process, even when they don’t own retention and disposal. The drawback is that legal teams are not always best-placed to understand the business impacts of disposal and may (understandably) feel that it is outside their scope to get acquainted with the ins-and-outs of business processes and their information requirements.
Risk and Compliance — considerations
| Good for: | Heavily regulated industries; monitoring compliance with the policy and schedule |
| Consider whether: | Natural allies, like Privacy, sit in the same business area |
A strong retention and disposal program must be able to monitor and report on compliance with the policy and schedule across the business. As a function, Risk and Compliance are already responsible for ensuring the organisation is adhering to its obligations. By having the policy owner sit in the Risk and Compliance function, the policy owner should be able to leverage existing capabilities to bring attention to non-compliance risks.
Policy owners may also be able to leverage established processes to highlight lack of compliance to the policy and schedule in the organisation, or to initiate an audit.
As with ownership sitting in the Legal team, though, there may be a temptation to take a top-down approach to retention and disposal, which leaves business teams figuring out the details on their own. This is a complicated ask of business teams whose information needs are often entangled with those of many other teams.
Information Technology — considerations
| Good for: | Data-centric organisations with mature data management processes; ensuring the policy and schedule are included in system development/implementation |
| Consider whether: | Natural allies, like cyber security and data governance, sit within the same business area |
Information Technology (IT) is the next major contender for owning the retention and disposal policy and schedule. Unlike Legal or Risk and Compliance, IT can help business teams action their retention and disposal obligations. As system architects, administrators and developers, they can include retention and disposal requirements in early development lifecycles. They may be able to help parts of the disposal process by, for example, identifying system triggers to calculate disposal dates, and using those triggers to automate reports when information reaches its expiry date.
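The expiry reporting described above, together with the disposal register and legal-hold points made earlier, can be sketched in code. The following is an added illustration written for this post, not elevenM’s or any client’s tooling: the schedule class ids, trigger events, retention periods and sample records are all constructed for the example, and a real implementation would read them from the organisation’s own schedule and systems of record.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Constructed retention schedule classes. The class ids, trigger events,
# periods and actions are assumptions for this example only.
SCHEDULE = {
    "CUST-01": {"trigger": "account_closed",   "retain_years": 7, "action": "delete"},
    "HR-03":   {"trigger": "employment_ended", "retain_years": 7, "action": "delete"},
    "MKT-02":  {"trigger": "last_contact",     "retain_years": 2, "action": "de-identify"},
}


@dataclass
class Record:
    record_id: str
    schedule_class: str
    trigger_dates: dict = field(default_factory=dict)  # event name -> date it occurred
    legal_hold: bool = False  # set by Legal when litigation or investigation is anticipated


def add_years(d: date, years: int) -> date:
    """Add whole years, clamping 29 Feb to 28 Feb when the target year is not a leap year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def disposal_due_date(rec: Record) -> Optional[date]:
    """Disposal date = trigger date + retention period; None if the trigger has not fired yet."""
    cls = SCHEDULE[rec.schedule_class]
    triggered = rec.trigger_dates.get(cls["trigger"])
    return None if triggered is None else add_years(triggered, cls["retain_years"])


def classify(rec: Record, as_of: date) -> str:
    """Status of one record on the reporting date; a legal hold overrides 'due'."""
    due = disposal_due_date(rec)
    if due is None:
        return "trigger-pending"
    if as_of < due:
        return "retain"
    return "on-hold" if rec.legal_hold else "due"


def expiry_report(records, as_of: date) -> dict:
    """Group record ids by status so the owner can see what is due, held or still retained."""
    report = {"due": [], "on-hold": [], "retain": [], "trigger-pending": []}
    for rec in records:
        report[classify(rec, as_of)].append(rec.record_id)
    return report


def record_disposal(register: list, rec: Record, as_of: date, authorised_by: str) -> dict:
    """Append a disposal register entry; refuses records that are held or not yet due."""
    status = classify(rec, as_of)
    if status != "due":
        raise ValueError(f"{rec.record_id} is {status}, not eligible for disposal")
    entry = {
        "record_id": rec.record_id,
        "schedule_class": rec.schedule_class,
        "action": SCHEDULE[rec.schedule_class]["action"],
        "due_date": disposal_due_date(rec).isoformat(),
        "disposed_on": as_of.isoformat(),
        "authorised_by": authorised_by,
    }
    register.append(entry)
    return entry


# Constructed sample records and reporting date.
SAMPLE = [
    Record("C-1001", "CUST-01", {"account_closed": date(2016, 3, 1)}),
    Record("C-1002", "CUST-01", {"account_closed": date(2016, 3, 1)}, legal_hold=True),
    Record("C-1003", "CUST-01", {"account_closed": date(2020, 3, 1)}),
    Record("C-1004", "CUST-01", {}),                                  # account still open
    Record("M-2001", "MKT-02", {"last_contact": date(2020, 2, 29)}),  # leap-day trigger
]
AS_OF = date(2023, 6, 30)


def run_sample():
    """Produce the expiry report and dispose of everything that is due and not held."""
    report = expiry_report(SAMPLE, AS_OF)
    register = []
    for rec in SAMPLE:
        if classify(rec, AS_OF) == "due":
            record_disposal(register, rec, AS_OF, authorised_by="business-unit-manager")
    return report, register


if __name__ == "__main__":
    report, register = run_sample()
    print(report)
    print(register)
```

The register entry keeps the schedule class, the action taken (deletion or de-identification), the due date and who authorised it, which is the evidence that disposal happened compliantly and transparently rather than vanishing without a trace. The hold check sits inside the disposal step itself, so a record Legal has flagged cannot be disposed of even if it appears on the expiry report.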
IT may also like to dispose of information for their own reasons — to save space or to avoid having to endlessly migrate outdated information to new systems.
While IT’s strength may be its existing involvement in designing information processes, paper records may be an awkward fit for IT. Many organisations continue to rely on paper records, or may be maintaining large legacy paper stores ‘just in case’, and consider it too complicated to sort through what is still required by the business.
For organisations that have no paper records, though, Information Technology may make a good fit for retention and disposal policies and procedures, especially if there are already staff with responsibilities for information governance to provide further guidance on business information requirements.
What’s the answer?
Ultimately, the right choice is whatever works for your organisational structure. The examples above are some of the factors you should consider, for a few areas where there are natural synergies between disposal and the central goals of that business area. Privacy Officers often sit within legal teams, as well as risk and compliance functions, and can be a natural ally. Cyber security often works closely with IT. And both often need the help of somebody who understands the business requirements of the data the organisation wants to dispose of or retain.
Contact us
If you’re interested in learning more about creating or implementing a retention and disposal policy and schedule in your organisation, please contact us.