elevenM’s Laura McVey and Valerie Ng outline why your organisation needs a retention and disposal schedule, how to create one, and some pitfalls to avoid.
There are a broad range of reasons why an organisation might want to minimise its personal information holdings. Everything from data breach, risk management, general compliance, even environmental impact might call for data minimisation. One of the big ones that is front of mind at the moment is privacy law reform. Organisations across Australia are starting to look at ways that they will have to uplift their processes to meet new laws. Data governance, including minimisation and deletion, is something that is at the centre of that uplift.
But how does an organisation agree on what personal information and data can be destroyed or disposed of? How does an organisation agree to dispose of information when each business unit has a different perspective on what needs to be kept and why? In our experience, organisations often try to address their data holdings and minimisation at a business-unit or function level rather than holistically, at a whole-of-organisation level. This causes considerable difficulty, both on a technical level and from a policy perspective. But there is a better way — enter the retention and disposal schedule.
A retention and disposal schedule describes the business that is done by an organisation and identifies types of information (classes) created, received and used in pursuit of that business (records). For each class, rules are described, often involving a trigger such as a date or event to begin the retention count-down, and a disposal action — usually deletion, de-identification or archiving.
A retention and disposal schedule is not a new concept, dating back to the Second World War, when organisations began to see that the explosion in the volumes of paper records being made and kept was not sustainable. Since records are evidence of business, and an important source of organisational accountability, it was also recognised that decisions about deleting them needed to be documented, authorised and properly monitored and recorded.
The retention and disposal schedule will be familiar to information and records management professionals, but with the data-rich environments that almost all businesses now operate in, there is a strong argument for bringing it out of being purely a records-management tool and using it to support a more holistic approach to organisational governance and compliance. And there are some tweaks to the approach that can better support its implementation for this purpose.
A retention and disposal schedule is not in itself a complicated artefact, but creating one, especially in an organisation that has never taken a systematic approach to deletion, can be a complex process, involving a lot of information collection and consultation.
Here’s what we’ve seen works, and what doesn’t.
What doesn’t work
A retention and disposal schedule based solely on legal compliance
In many industries, there are legal reasons why information needs to be retained for a certain period of time. Prematurely deleting information which regulators require can put organisations into hot water, so this is an understandable approach. However, what regulators or legislation requires may not align with what business teams need and doesn’t present a complete picture of the organisation.
Letting business units define their own disposal periods
Business units are necessarily close to the information they create and use. They know which systems are their ‘source of truth’, they know how or why information is created and used, and how long they need their information to carry out their function. At first glance, it might seem to make sense to leave disposal to them. However, business units tend to retain information ‘just in case’, disposal is often fairly low down on their priority list, and they may not have a good understanding of the compliance or regulatory requirements outside of their business area.
What works
Centrally-owned disposal schedule
The ideal scenario is a retention and disposal schedule which takes the whole-of-organisation view into account. A centrally-owned retention and disposal schedule which accounts for both legal and business requirements can start the process of disentangling the conflicting information needs of various stakeholders, and help an organisation steer clear of any undesirable knock-on effects of disposing of certain classes of information too soon (or holding it too long). The schedule can then be used to direct disposal activities in a way that meets everyone’s requirements.
Developing a retention and disposal schedule
There are several steps involved in developing a comprehensive retention and disposal schedule, and it will involve a lot of consultation.
Getting started
The initial steps involve understanding your organisation and the processes, policies, and current habits of all business units. This can be achieved through:
- Locate a business classification scheme. If your organisation does not have one of these, then it is advisable to complete one first. A business classification scheme is defined by ISO 15489-1:2016 Information and documentation as a “tool for linking records to the context of their creation”, by mapping business functions, activities and processes and linking these to classes of records. It provides the bones for creating a retention and disposal schedule.
- Assess current documentation. This could include governance documents (e.g. policies, procedures, standards), previous project documentation and any previously documented retention periods.
- Review all legislation that applies to your organisation’s information handling and note relevant retention periods. This will cover general legislation, such as the Privacy Act and the Archives Act but may also include industry-specific legislation. Legal can also be engaged at this time to assist in reviewing the relevant legislation.
- Speak to the business to understand their needs. Often business teams will be able to tell you how far they go back when reviewing information, what they refer to, and how they use it, all of which can assist in building out retention periods.
Building the schedule
Once these steps have been worked through, you can start creating the retention and disposal schedule. Using the business classification scheme and the information about legislative requirements and business needs, add retention periods to each activity within the business. An example of the categories could include function, activity, definition, retention period, trigger and date authorised.
If you have identified any retention periods that are likely to be contentious, make sure you consult stakeholders at an appropriate level of seniority for review and approval. The schedule can then be sent for endorsement and approval. Remember that you are going to want support for the implementation and ongoing use from C-suite level, both for ensuring action takes place, as well as leading cultural change, so approval will probably be required at a similar level.
Implementing the schedule
The fun begins once the schedule has been approved. It is now time to apply the schedule. If this is the first time your organisation has taken a systematic approach to deletion, you will need to prioritise. This can be approached in a range of ways:
- Use a data processing inventory to target high risk processes and data collections.
- Identify which systems have retention controls and target those systems first.
- Target systems with high volume personal information holdings.
- Target third-party service providers holding information that is due for destruction.
Some handy tips for applying the retention and disposal schedule include:
- Automate: Automation can be your friend. Automating retention periods will save you and your organisation time and effort. Try defining your triggers with an eye to something that can be automated, such as an event which your systems can act upon.
- Don’t lose sight of your third-party service providers: Use the retention schedule to build retention periods into the contract and request data deletion when applicable.
- Make it routine: The schedule should support routine processes of disposal, not just one-offs.
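To make the trigger-plus-period rule from “Building the schedule” and the automation tip above concrete, here is an added Python example (not elevenM’s code or tooling) that encodes a schedule using the suggested columns and works out which records have fallen due for their disposal action; the functions, record classes, retention periods and dates are constructed placeholders, not legal requirements.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import Enum

class Disposal(Enum):
    DELETE = "delete"
    DE_IDENTIFY = "de-identify"
    ARCHIVE = "archive"

@dataclass(frozen=True)
class RetentionRule:
    """One schedule row, using the columns the article suggests."""
    function: str
    activity: str
    trigger: str            # event that starts the retention count-down
    retention_days: int
    action: Disposal
    date_authorised: date

@dataclass(frozen=True)
class Record:
    record_id: str
    activity: str
    events: dict = field(default_factory=dict)  # trigger name -> date it occurred

# Constructed schedule: the periods are placeholders, not legal requirements.
SCHEDULE = {
    "Complaint handling": RetentionRule("Customer service", "Complaint handling",
        "complaint closed", 7 * 365, Disposal.DELETE, date(2024, 1, 15)),
    "Recruitment": RetentionRule("Human resources", "Recruitment",
        "outcome notified", 365, Disposal.DE_IDENTIFY, date(2024, 1, 15)),
}
SAMPLE_RECORDS = [  # constructed records, with the trigger events logged so far
    Record("C-1", "Complaint handling", {"complaint closed": date(2017, 3, 1)}),
    Record("C-2", "Complaint handling"),                  # still open: clock not started
    Record("R-1", "Recruitment", {"outcome notified": date(2024, 1, 10)}),
    Record("X-9", "Event sponsorship"),                   # activity has no rule yet
]
TODAY = date(2024, 6, 30)  # constructed review date

def disposal_due_date(record, schedule):
    """Date the action falls due; None if the activity is unscheduled or untriggered."""
    rule = schedule.get(record.activity)
    triggered = record.events.get(rule.trigger) if rule else None
    return None if triggered is None else triggered + timedelta(days=rule.retention_days)

def actions_due(records, schedule, today):
    """(record_id, action) for each record whose retention period has elapsed."""
    return [(r.record_id, schedule[r.activity].action) for r in records
            if (due := disposal_due_date(r, schedule)) is not None and due <= today]
```

A record whose activity has no rule, or whose trigger event has not yet been logged, is never reported as due; those are the gaps to take back to the business rather than something to automate around.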
The old days of keeping everything have passed. Organisations have a responsibility to retain personal information only for the required period and, where appropriate, promptly delete or de-identify it. Additionally, law reform changes mean that organisations are going to have to start telling customers how long information will be held for at the time of collection, which means you need to know, too.
Contact us
If you’re interested in learning more about how to implement retention and disposal and other data controls, contact us at hello@elevenM.com.au or on 1300 003 922.