Dr. Stephen Covey reminded us that “important” is not the same thing as “urgent.” Records retention reminds us that important is not the same thing as exciting. I get it – records retention schedules are boring. But the fact remains that literally thousands of records retention requirements apply to your organization’s information. I know, because my firm finds and tracks these laws as part of our decades of retention schedule work for clients across industries. And your regulators expect you to know them too.
Records retention requirements generally apply to information’s content, regardless of the information’s medium – electronic data, paper, you name it. The requirements are scattered across the federal and 50 states’ statutory and regulatory codes, often with unusual retention mandates. Here are just a few:
- New York requires that workers' compensation injury reports be retained for at least 18 years, far beyond the time period for other states.
- Records of determinations that a PII data security breach will not cause harm, thereby excusing notice under state breach notification statutes, must be retained for three years under Maryland and South Dakota law and five years under Alabama, Alaska, Florida, Iowa, Louisiana, Missouri, New Jersey, and Oregon law.
- While OSHA regulations generally require that hazardous substance medical records be retained for 30 years after employee separation, inexplicably, for five specific substances (inorganic arsenic, lead, coke oven emissions, DBCP, and acrylonitrile), the OSHA retention period is instead the later of 40 years or the duration of employment plus 20 years.
- Payroll records retention may be only three years under federal law, but the states are all over the map, such as the eight-year California requirement for exempt employment, the seven-year Tennessee requirement, and the New Hampshire rule of calendar year plus six years (the Minnesota requirement of calendar year plus eight years changed to calendar year plus four years back in July 2014).
- Contractors subject to the Federal Acquisition Regulations must, after scanning documents for official recordkeeping, nevertheless retain the original paper records for a full year.
Sometimes the codes themselves aren’t right. The Code of Federal Regulations in 41 C.F.R. Section 60-1.12(a) is simply, and bizarrely, missing two entire sentences from the effective regulation as published in the Federal Register at 65 Fed. Reg. 68022, 68042 (November 13, 2000), thereby rendering invisible the following trifecta of important recordkeeping requirements:
In the case of involuntary termination of an employee, the personnel records of the individual terminated shall be kept for a period of not less than two years from the date of the termination, except that contractors that have fewer than 150 employees or that do not have a Government contract of at least $150,000 shall keep such records for a period of not less than one year from the date of the termination. Where the contractor has received notice that a complaint of discrimination has been filed, that a compliance evaluation has been initiated, or that an enforcement action has been commenced, the contractor shall preserve all personnel records relevant to the complaint, compliance evaluation or enforcement action until final disposition of the complaint, compliance evaluation or enforcement action.
And yes, though the header of the Federal Register’s PDF of this regulation indeed says “Vol. 165,” it’s actually Volume 65. Grrrrrrr.
Finding, analyzing, and applying tens of thousands of retention requirements is geeky, not glamorous – believe me, I know. The head of compliance at a large manufacturer client once told me “If I had to do what you do, I’d shoot myself in the head.” I took that jest as a compliment, because while building and validating records retention schedules is not exciting, it’s nonetheless vitally important to do, and do well.
Why? Because a well-crafted retention schedule is the structural foundation for information governance. It’s the framework for all important information of the organization, coupled with the right-sized rules for managing that information. And without this cornerstone, any information governance initiative will be on shaky ground:
- You can’t manage electronic documents and other unstructured data without effective file plans and directory structures, or ECM system rules, that dovetail with a retention schedule’s record series and retention periods.
- You can’t control email volume without a strategy for retaining record-worthy email content in sync with a retention schedule’s rules.
- You can’t comply with privacy laws, such as the Illinois Biometric Information Protection Act (BIPA), without ensuring that subject information is compliantly disposed of per statutory and policy requirements.
- You can’t reduce data security exposures caused by unnecessarily retaining protected information without a retention schedule’s clarity on how long such protected information must be kept.
- You can’t clean up legacy paper and data troves without having a retention schedule’s rules to support defensible disposal.
- You can’t control ediscovery costs without using a retention schedule to combat unnecessary retention of documents and data, before the preservation duty arises.
So yes, ensuring your organization has an up-to-date and legally validated retention schedule is not exciting, but it is indeed important. By the way, given the costs, risks, and exposures of not having one … it’s also urgent.