Building and Refreshing Retention Schedules John Montaña 1.

1

Building and Refreshing Retention

SchedulesJohn Montaña

2

What’s a Retention Schedule?

Conceptually, it’s nothing more than:A list of records or record typesA retention period for each item on the list

In reality, it’s:An index and finding aidA policy and work instructionsA legal compliance document

3

The Overall Plan for Building a Schedule

1. Identify your records

2. Organize them into a meaningful structure

3. Determine retention periods

4. Vet the result

5. Repeat the above until satisfied

4

Change Management Over Time

What changes? Potentially anythingLawsJurisdictionsSystemsRecord and data typesRisk toleranceOrganizational culture

5

Revising a Retention Schedule

How often? As often as need be – but emerging standard is

every year or two

What to review?Bucket structureLegal authorityRetention periodsExample records

A very old schedule may bear little resemblance to what’s actually there

6

Outcomes of Review

Old schedules may need extensive revision, or scrapping entirely

Brand new schedules likely to undergo some revision the first couple of cycles

Mature, regularly updated schedules usually need only small revisions, absent significant organizational changes

7

Issues

High StakesProduct liabilityRegulatory actionsLawsuitsAdverse publicityUndesirable political attention

8

Regulatory Landscape

Possible Issues: Heavily regulated organizationMultiple jurisdictionsRequirements that:

OverlapConflict

9

Jurisdictional and Preemption Issues:

Potential concurrent state and federal jurisdiction and foreign jurisdiction

Potential concurrent jurisdiction by different agencies

Different regulatory regimes for different business processes

Cross-border issues of regulation

10

Regulatory Compliance

Regulators:International, state, federal, local, industryThe list will depend on your industry:

PharmaBankingUtilitiesEtc.

Everybody will have some:Wage and hourOSHTax

11

Utilities

FERC

State Utilities Commission

NARUC

NERC

12

Insurance

State Insurance Commissions

State Securities agencies

SEC

Frank-Dodd agencies

13

Pharmaceuticals

FDA

EU Medicines agencies

European national pharma agenciesGermanyFranceBelgiumSwitzerland

Other national pharma agencies – Asia, South America, etc.

Mercosur, PIC scheme, WHO, ASEAN

14

Banking

FDIC

Treasury

State Banking Commissions

SEC

Farm Credit Administration, etc., etc., etc. etc., etc.

15

Issues with Statutory and Regulatory Language

Vague or outdated statutory language

Poor match between records contemplated by law and those actually found

No or few implementing regulations when the statute calls for them

Unreasonable retention requirements

Verbatim state adoption of federal requirements What if federal requirements change?

16

A Common Problem

Laws require the keeping of “records” but:“Record” as used in most laws is outdated –

it assumes discrete, permanent objects such as paper records

Many modern records are reports from databases or other electronic repositories

The “record” often used for business purposes is often an nth generation version of the data originally collected.

Still More Problems

U.S.-centric solutions may not comply with requirements in foreign jurisdictions

Foreign requirements may be burdensome in the U.S.

Changing legal landscapes – i.e., Frank Dodd

Failures and uncertainties mean increased costs and risks

17

And More Problems

Conflicting and burdensome legal requirements

No data map

No full organizational knowledge of system

Personnel shifts and changes

Data migration

Legacy systems

Orphan systems and repositories18

And More Problems

Distributed systems

Virtual addresses for data

The “Cloud”

Bad management practicesno standard data structuresNo standard indexing, etc.

19

20

Particular Requirements

Controlling laws may require:Specific information in a recordSpecific formats or mediaSpecific records or kinds of recordsRetention in specific locations or systems

21

So, What do We Do?

Legal requirements usually require interpretation

Theoretical legal requirements may conflict with reality

Risk management is always an issue

Your job is to balance these against cost of compliance

22

Development of Record Series

Two sources:Information collection

What we know we have

Legal researchWhat the law requires us to have

Iterative process:Research suggests new record seriesRecord series suggest additional researchRepeat as needed

23

Some Issues to Resolve

Big versus small buckets

Resolving conflicts

Consistent implementation

Updating and staying current

24

Big Buckets v. Little Buckets

No hard and fast rule, but:Bigger buckets means:

longer retention periodsLess detailMore potential conflicts

Smaller buckets means:Longer, more complex scheduleMore administrative overhead

25

Databases and Electronic Systems

Often cross geographic boundaries

Often co-mingle data types

May have limited purge/disposition capabilities

May force purge categories on you

Dynamic Databases may make legal comliance very problematic

26

Differences Between Paper and Electronic Data Sets

Data structures and separability

Granularity of management

Ease of disposition

Organization or lack thereof

27

Data Structures and Separability

Paper system example -- accounting:Many record series

PayablesReceivablesLedgerEtc.

Electronic systemOne big database

“Record series” are merely reports out of the dbThe reports are duplicates

28

What This Means

As a practical matter, there’s only one record series, or at most a few

You probably cannot meaningfully assign different record series and different retention periods to different parts of the database

You’re going to go big bucket, like it or not

29

Extreme Cases

Enterprise content systems (SAP, Peoplesoft, etc.)Buckets are very, very bigMay encompass many record series that would

not be traditionally relatedMay be virtually impossible to reconfigure once

installedMake sure you know what you’re getting into before you

go live

30

Granularity of Management

Could go either way:Great big buckets, orExtremely detailed granular management on a

document-by-document basis

It depends on:The particular software and systemHow it’s configured

31

An Example of Granular Management

Personnel filesMany individual items within a personnel file are

legally regulatedIt’s possible to assign different retention period to

these individual itemsNo one ever doesWhy? No one will go through them to cull

individual pieces of paper

32

Privacy and Maximum Retention Periods

Common in Europe, increasingly seen in the U.S. – e.g., HIPAA

Very challenging to implementOften very granularMay only implcate part of a larger recordCreates serious issues in ERP systems (e.g.,

SAP, Peoplesoft)The more jurisdictions you add into the

equaton, the worse it gets

33

Conflicts

Record series with conflicting legal requirementsYour bucket’s too big – break it out

Legal conflict between jurisdictionsBreak out jurisdictions or go so smaller buckets

34

Legal Research and Analysis

Preliminary assessment of scope of research Jurisdictions Industries and topics

Research

AnalysisWhat do requirements mean in aggregate?How do we deal with

Ambiguous requirements? Statues of limitation? Absence of requirements? Conflicting requirements? Concurrent jurisdiction?

35

Resolution of Legal Issues and Conflicts

Do the research – define the boundariesWe must do X to be minimally compliant

with everythingMap the research to the scheduleIdentify the conflictsRe-work the schedule to eliminate conflictsExceptions:

JurisdictionsUnmanageable repositories and systems

36

Regulators

Know thy regulators’ behavior:Do they audit?

How often are they supposed to audit?How often do they REALLY audit?

Do they ask for records older than the legal requirement?Are you prepared to refuse them if they do?

Do they ask for other things they aren’t really entitled to?Are you prepared to refuse them?

37

Risk Management

Know thy legal and risk environment!What kinds of lawsuits, regulatory actions and

other disputes do we get into?What kind of money are we talking about?What kinds of records are involved in them?How far back into time do these records go?What’s our comfort level? Do we like to have lots

of records in these cases?

38

Common Mistakes

Poorly chosen buckets result in very long retention periods – e.g., “environmental records”

Record series don’t correspond to any real world data objects

When in doubt – PERMANENT!

Excessive complexity

39

Bottom Line

Know the legal boundaries

Make sure you understand how legal requirements map to your records

Make sure you understand the high-risk.high-value repositories and systems

Make sure you understand the high-risk/high-value issues

Make sure that record series or categories corrsspond to data objects you can actually manage

The final retention schedule must accommodate all of these

Remember --- a retention schedule is not a static document. It lives and changes, just like your organization

40

Questions?

John Montaña Montaña & Associates

4340 South Pennsylvania St.Englewood CO 80113

610-255-1588484-653-8422 mobile

[email protected]

twitter: @johncmontana