The Importance of a Document Retention Policy
The Sarbanes-Oxley Act prohibits the destruction of documents that are subject to review in litigation. The U.S. Securities and Exchange Commission is quite clear about its final rule on retention of records relevant to audits and reviews.
Section 802 of the Act makes it a crime to knowingly alter, destroy, mutilate, conceal, cover up, falsify, or make a false entry in any record, document, or tangible object with the intent to impede, obstruct, or influence the investigation or proper administration of any matter within the jurisdiction of any federal department or agency or any case filed under the federal bankruptcy code.
Adopting a document retention policy is not only sensible — it is also sound risk management. You will be creating a regular business practice of systematically destroying documents in accordance with an approved schedule. Having a written policy and a regular practice of document destruction according to a formal schedule lets employees know what documents to retain, and for how long. And it can help you avoid pitfalls in the future.
Strive for consistency
The most important part of a document retention policy is to aim for consistency in every aspect of managing your company’s records. Start by identifying what types of paper and electronic files your organization generates, determine the appropriate (and legal) length of time to retain them, and then record those retention times on a formal schedule.
In addition:
- Appoint a records-retention team. Ideally, this team should include a senior executive (such as a CEO or COO), legal counsel, a high-level professional from your company IT department, and a high-ranking individual from operations. This task force from different areas of the company can brainstorm, troubleshoot, and manage an effective policy.
- Select an electronic records management system, if you don’t already have one. The head of your IT department and your CIO should be the ones to make the final decision on which solution best fits your company’s needs.
- Implement a universal retention schedule. After obtaining senior management support, implement a universal retention schedule for all business units. The schedule should be organized and classified by business function that categorizes similar records into broader groupings to ensure consistency and manageability.
- Clearly state the reasons why retention is necessary. For example, do the documents need to be retained for Sarbanes-Oxley or HIPAA requirements? As requirements change, the reasons for retention should be reviewed, and any changes (if necessary) to the retention period should be made.
- Establish document retention periods. Make sure the retention periods within the retention schedule reflect the longer of the legal and operational requirements of the records. For example, if a law or regulation states they must be held for five to seven years, retain them for seven. Document the justification (both legal and operational) for the retention periods.
- Schedule records to be destroyed. A good electronic records management system should be able to calculate actual retention dates. This calculation will include a combination of the retention schedule within the system and the records’ creation date.
- Review the schedule periodically. It should be viewed as dynamic, not static. The retention schedule should be reviewed periodically (approximately every 12 to 18 months) to determine the impact of legal changes upon retention periods. Also consider updating records classification to keep pace with changes in your company’s business.
- Communicate the policy clearly and openly. The document retention policy and schedule should become part of your company’s way of life. Along with the records management program, it should be communicated clearly and frequently to employees throughout the organization.
For a sample document retention and destruction policy to use as a guideline, click here.