Creating Record Retention Policies: A Practical Guide

By Mark S. McCue, Esq. and Hannah K. Sullivan, Esq.

Every organization is inundated with records, whether in paper, electronic or audio format. The unfettered retention of e-mail and other electronic documents strains server capacities, off-site storage of paper records strains budgets and staff time, and the demands to retrieve certain records from this morass strain nerves and patience. To complicate the situation, organizations and their employees adopt a wide variety of approaches to this problem, from saving everything to destroying almost everything.

While this situation creates a number of business challenges, it also raises legal concerns. Since the Enron and Arthur Andersen financial scandals resulted in federal legislation known as the Sarbanes-Oxley Act, the way in which organizations retain and destroy documents became under intense scrutiny. Although most of Sarbanes-Oxley applies only to publicly-traded companies, the provision imposing criminal penalties upon organizations and their employees for destroying records in connection with a federal investigation is applicable to all organizations. And while these past scandals, plus Sarbanes-Oxley, have increased awareness of document retention practices, similar sanctions already exist under procedural rules pertaining to lawsuits and administrative investigations. In addition, a number of laws impose document retention periods.

Address Critical Needs

An effective record retention policy will address two critical needs of all organizations. First, it will ensure that an organization retains records which are essential to its business and required by law. Second, it will ensure that outdated or unnecessary documents are destroyed in a systematic, thoughtful way so that no one can infer that the organization is acting with bad intentions. By adhering to its legal obligations under the policy, the organization actually will enjoy administrative efficiencies and cost savings—a rare result when lawyers are involved.

Record retention policies should be as unique as the organization which creates them. The first step in the process of creating a good record retention policy is for the organization to identify its various records and their uses. It is important to remember that e-mails, electronic documents, voice mail, videotapes and information stored on other media are all "records" in addition to traditional paper documents. For organizations with multiple functions and departments, this process should be integrated so that all uses for a particular record are identified.

Once the organization has identified the types of records it generates, both legal considerations and business usage will determine the types of records to be retained and length of time to retain them.

Legal Considerations

The legal considerations governing an organization’s record retention policy may arise from a variety of sources. Federal, state and local laws establish retention requirements for a variety of records, including tax records, workers’ compensation claims, settlement records, personnel files and project bids and proposals. A single record may be subject to a variety of laws and regulations. For example, the treatment of certain payroll records is dictated by several federal laws, including the Civil Rights Act of 1964, Title VII (as amended by the Equal Employment Opportunity Act of 1972); the Americans with Disabilities Act of 1990; the Fair Labor Standards Act of 1938, as amended by the Equal Pay Act of 1963; the Age Discrimination in Employment Act of 1967; the Family and Medical Leave Act of 1993; and various regulations promulgated by the U.S. Department of Treasury and the U.S. Department of Labor. New Hampshire municipalities also must comply with New Hampshire RSA Chapter 33-A, which sets forth a schedule for certain types of records and the applicable retention period. Whenever a particular record is subject to various retention requirements, the chosen retention period should be the longest retention period specified by applicable laws to ensure compliance.

Specific contract terms also may establish retention periods. For example, contracts with employee benefit administrators may require that certain contribution or claims records be retained so that the administrator can meet its legal obligations. To limit the number of varying retention periods, an organization should consider adopting uniform retention provisions to be negotiated into every contract.

Statutes of limitations also are critical in determining record retention periods. Statutes of limitations establish the maximum period of time, after certain events, by which legal proceedings based on those events may be commenced. Record retention practices must ensure that an organization is able to defend itself properly against any claims. For example, the minimum record retention period for service contracts should be the life of the contract plus the period of time during which parties may make a legal claim against the other party for a breach of the contract.

Finally, record retention policies and procedures must recognize the special rules that apply when a lawsuit or administrative investigation is threatened or brought against the organization. Although the nature of such proceedings will determine the scope of the records that would be affected, a few general guidelines should be observed. First, federal and state laws of civil procedure and the Sarbanes-Oxley Act may mandate that a "litigation hold" be placed on certain records to prevent their destruction, even if they are scheduled for routine destruction under a record retention policy. Second, legal counsel should be contacted immediately to assist in determining what records should be subject to the litigation hold. It is critical to recognize that the litigation hold applies to threatened as well as actual litigation or administrative investigations. If an organization has a reasonable expectation that an investigation or legal action is forthcoming, it should refrain from its normal course of record destruction pending consultation with legal counsel.

Business Usage

Once an organization has determined how legal requirements affect its record retention practices, the next step is to consider the length of time a particular type of record should be retained for business purposes. If the practical use of a record is shorter than the legally required retention period, the requirement imposed by law should apply. The useful life of certain records, however, sometimes exceeds the legally required retention period. For example, a municipality may want to retain unsuccessful bids if it anticipates issuing a request for proposal (RFP) for similar services in the future. The prior bids can be used to generate a list of RFP recipients and evaluate any changes in responses from repeat bidders.

The analysis of business usefulness also should include a determination of which departments within an organization have a need for the same record. In municipalities and other multi-function organizations, several copies of a record often are maintained in different departments. For example, the finance, legal and human resources departments all may want access to payroll records. In these instances, each department should evaluate its unique business needs for particular records and coordinate efforts with other departments so that those records are stored in a single location (whether in hard copy or electronic form). To simplify the record retention procedure, the organization may determine that the department with the longest business use for a particular type of record will be responsible for its storage and destruction.

Given the various legal and business considerations, should an organization simply save every document? There are several reasons why the "save every record indefinitely" approach is inadvisable. First, storage is costly whether records are retained in electronic or hard copy form. Second, significant administrative time may be expended looking for a particular record among an abundance of stored documentation. Third, certain records may subject an organization to unnecessary or unanticipated exposure in the face of Right to Know Law requests and litigation discovery demands. To the extent that legal or business considerations do not require retention of those records, they should be destroyed systematically in accordance with procedure. As noted previously, a uniform and procedural approach to document destruction will avoid the implication of bad intentions that accompanies more selective destruction of only those records which the organization perceives as damaging. Finally, retaining records other than as legally or operationally necessary could make it difficult to respond—and respond accurately—to Right to Know Law requests or other litigation discovery requests.

Implement and Evaluate

Even the most wonderfully crafted record retention policy will be valueless if it is not followed by the organization and its employees. In fact, a policy that is not followed may cause as much harm as the absence of any policy. It is critically important to draft, implement and evaluate a record retention policy so that it is used effectively by the appropriate people in an organization.

The unique needs of the organization, not a legal template, should determine the format of the record retention policy, which should focus on clarity and ease of administration. Some organizations may choose to use a chart or spreadsheet, while others will use descriptive prose or a combination of the two. Again, depending on each organization’s particular structure, one or more persons should be assigned the task of overseeing the implementation of the record retention policy. In an organization with numerous departments, one person in each department may be charged with overseeing record storage and destruction. As suggested previously, the various department representatives should work together to establish a single protocol for use, storage and destruction of particular records.

To achieve set goals, a record retention policy must not only be easy to use but also be used as uniformly as possible. The organization should train all of its personnel on the purposes and uses of the record retention policy, and the training should be updated and repeated as necessary. A good record retention policy also matches the organization’s ability to implement and enforce it. Because an organization’s records increasingly are maintained in electronic form, management should work closely with information technology personnel to determine the capabilities of its computer system to store and destroy records on a timely and uniform basis in accordance with the policy. Finally, because organizations and their policies are organic and evolving, the governing body should regularly review and evaluate the effectiveness of its record retention policy in light of industry trends, new laws or administrative burdens and make any necessary changes.

Effective Policy Criteria

As previously noted, it is very important that each organization creates a policy which reflects its unique business operations and needs. Although record retention policies should be different for each organization, all effective record retention policies accomplish the following:

Ensure that only essential records are created, records of continuing value are preserved and records of temporary value are promptly and systematically disposed of after serving their purpose.

Encompass records in all formats.

Conform to all applicable legal requirements.

Create an effective method for identifying and implementing "litigation holds."

Encourage regular and compliant policy use through accessibility (including understandable language), uniformity and training.

Provide for regular policy review and assessment.

Establish accountability by identifying responsible persons and imposing sanctions for failing to observe the policy.

Provide guidelines for the disclosure and disposal of records.

Mark S. McCue and Hannah K. Sullivan are attorneys at the regional law firm of Hinckley, Allen & Snyder LLP, which maintains offices in Concord, New Hampshire.