So much for the paperless office! The massive increase in the use of electronic communications has lead to documents being created on an unprecedented scale. And as the number of documents increases, so does the importance of knowing what to do with them.
Businesses therefore need to develop a clear document retention policy. This article looks at the aims and benefits of such a policy as well as considering some of the key issues in this increasingly important area.
What do we mean by document?
In general terms, a document is simply something used to record information. It does not have to be a physical, paper document, so emails and electronic mediums will normally be considered documents. The law has long regarded function more important than form when considering the impact of new mediums. For example an electronic diary was accepted by a Scottish court as type of document. A decision which was unfortunate for its owner as it contained highly incriminating details of the drug deals which formed the basis of the criminal charges he faced.
So it should never be assumed that because a document is in electronic form it somehow becomes less important, or is less relevant in relation to legal requirements for document retention.
Is keeping everything the answer?
No. From a practical perspective retaining everything would have significant cost implications. And it would also make it very difficult to manage and retrieve such a large amount of documentation. Also, the Data Protection Act requires that personal information should not be retained for longer than necessary. So a policy of retaining all documents is likely to contravene this Act.
What retention periods apply?
Retention periods can broadly be split into three categories:
- where there is a specific statutory time limit;
- where there are recommended retention periods; and
- documents which fall into neither of the previous categories
The first category is a fairly extensive one. There are numerous statutory requirements which impact on retention for types of records, including tax and employment records, company records, medical records and banking records. For example there is a requirement under section 355 of the Companies Act 2006 that records of company resolutions be retained for at least 10 years.
The second category is one where no specific statutory time limits apply but where certain periods are recommended. These recommendations arise either out of good practice or in order to comply with general statutory requirements, such as the Data Protection Act requirement that personal information should not be retained for longer than necessary. Examples in this category include the recommendation that job applications be retained for 3-6 months after notifying unsuccessful candidates and that assessments under Health and Safety Regulations be retained permanently.
This category also includes contracts and other important commercial documents which do not need to be retained by law, but which may be important as evidence in court proceedings. In Scots law, actions arising out of breach of contract can normally be brought within 5 years from the date of the alleged breach. So it would be recommended to retain the principal contract for at least 5 years following expiry or termination of that contract. Under English law the limitation for such actions in normally 6 years.
The normal rule for evidential productions in litigation is the “best evidence” one; which requires the principal contract to be produced if available. If you have destroyed the principal and only kept a scanned copy this does not mean that it is of no evidential value. However it does mean you have to prove to the court that the scanned copy is a true copy of the original agreement. And that might be difficult to do if the copy is of poor quality or if the person responsible for making it has moved away from your business and cannot be contacted.
The third category covers documents such as memos, internal notes and emails. For such types of document there is no statutory or recommended retention period. Whether such documents are retained, and for how long, will largely be within the discretion of each business. Having a clear retention policy will make sure that this discretion is exercised consistently, which can be very important. The random destruction of a document which could otherwise have provided important evidence in a court action is likely to be viewed suspiciously. However if that document had been disposed of in accordance with a clear retention policy then such an adverse inference is unlikely.
Storage and security
Electronic storage is generally cheaper than storing paper copies of files and records. It also makes document retrieval much easier and quicker. Good quality electronic filing systems will also have the advantage of being searchable, and should require little in the way of software upgrades in relation to storing historical data.
Some documents can be scanned in and saved as opposed to keeping the original. A scanned copy is also more easily accessible to other people who may need to refer to it quickly. However, scanned documents come with a health warning that they can become corrupt during the scanning process. And there is also the possibility of human error causing pages to be missed out!
A detailed retention policy should recommend different formats for different documents. In some cases retaining the principal will be most appropriate choice and for others retaining electronic copies will be sufficient.
It should be remembered that any personal information retained will be subject to the Data Protection Act which requires that “appropriate technical and organisational measures” are taken against such information being damaged, accidentally lost or destroyed, or being used without authorisation.
The nature of the data which is to be protected and the harm which may result from a breach of security needs to be weighed up against the cost of implementing security measures. Guidance has been issued by the Information Commissioner on security management, access control, staff security, training, and how to deal with a breach of security. Organisations processing data should also be aware of the British Standards Institute guidance on Information Security management, BS 7799-2:2002, which can help to identify, manage and minimise the security risk to data.
With electronic storage of data it is also important to consider the risk of viruses on the data which is held. Generally, the risk of viruses on a data storage unit is very small. In broad terms, standard firewalls and virus checkers provide robust protection against hackers.
Key aims of a retention policy
The key main aims of a policy should normally include the following:
- to comply with statutory requirements;
- to hold the minimum set of records required;
- to minimise storage costs;
- to improve operational efficiency;
- to maintain an adequate historical archive; and
- to assist staff appreciation of the risk associated with document creation
This last point relates to staff understanding that it might not always be appropriate to create a document in the first place. This is particularly the case in relation to non-contemporaneous documents, i.e. documents created ‘after the event’.
Normally a business can be ordered to produce a document in one of two situations: by a regulatory body, or in the context of court proceedings. Documents which are damaging to a business may have to be produced, but it will be particularly frustrating if the damaging documents are those which need not have been created in the first place. The best known example is the single email sent by an in-house lawyer at Arthur Anderson which advised the partner in charge of the Enron account to make certain changes to a memo, and which led to a US jury conviction for obstructing justice and ultimately to the break up of the global accounting firm.
Creating and Operating a retention policy
The precise content of a retention policy will vary from business to business. However regardless of the nature or size of the business concerned, the following considerations should be of relevance:
- Be aware of the different types of document which your business generates and uses. Normally an audit should be carried out to confirm this.
- Ensure that the policy differentiates between the different types of document which your business generates. It is unlikely to be appropriate to have a policy which treats all documents in exactly the same way.
- As well as considering statutory requirements you will also need to weigh up other considerations in deciding whether to retain a document and in what format. These will include the cost of retention as against disposal, the commercial value of the document to your business and likely demand for that document in the future. And of course you should consider the risks you would incur if the document was not retained.
- As well as different policies for storing documents the sensitivity of some documents may result in different disposal practices being required. It is useful to require an authorisation before certain documents can be destroyed. This should reduce the possibility of a document being destroyed in error.
- Check document security is sufficient for all formats used.
- Ensure that staff are aware of the policy and that is implemented consistently across the business. Having an impressive storage system is rather pointless if staff don’t read or policy the retention policy.
- Carry out regular reviews of the policy to make sure it remains up to date and appropriate for the documents your business is generating and using.
For more detailed information, Tods Murray are hosting a briefing, “Scan, shred or save: document management in the Internet Age”
http://www.todsmurray.com/brieflistings.aspx