Not addressing data retention is playing with fire
Upon being asked by the Bushfires Royal Commission to produce the map he had used to predict the path of fires on Black Saturday, Victorian Country Fire Authority (CFA) chief Russell Rees looked ashen-faced.
The map, which was considered a key piece of evidence at the Commission, had gone missing. On an earlier occasion Mr Rees had suggested that it might have been thrown out by the cleaners!
Commissioner Ron McLeod, clearly not impressed, observed that “the culture of the CFA should be such that no documents were destroyed”.
The missing map is a salient lesson for all organisations. While many now understand the importance of having a document retention policy in place, effectively following such a policy and ensuring the culture of the organisation encourage and support it remain a challenge.
The importance of having an up-to-date document retention policy which is properly followed cannot be stressed enough. As well as assisting organisations to meet necessary corporate governance and legislative obligations, adherence to an effective policy is an essential risk management tool.
It assists organisations to manage litigation effectively, and it ensures the smooth running of internal business processes including HR, audit, risk and legal. So what approach should you be taking to document retention?
Your document retention policy needs to strike a balance between the Arthur Anderson and Enron approach – the “shred everything you can and deny approach” with the “let’s hold on to everything just in case approach”.
Retaining documentation indefinitely or longer than required can be just as problematical for organisations. One need only look at the US Bank Morgan Stanley whose failed document retention policy and subsequent inability to produce electronic documents required by the judge led to an order of $US604 million in damages being made against them.
If that is not incentive enough to get your house in order I am not sure what is!
So, now that we’ve established the importance of an effective document retention policy, what should you include in your policy? A good place to start is in identifying the documents to which the policy will apply.
Is retention required for current operational use, by contract, by law or regulation, for litigation, or for some other special circumstance? Is the limitation period for retention still required?
Answering these questions will allow you to not only identify relevant documents within your organisation but will give you a step by step process for archiving or destroying the relevant documents. Only when you can answer NO to all these questions may a document be destroyed.
So what else do you need to include in a policy? An effective policy will specify time periods during which documents must be retained, reasons for undertaking a decision to retain or destroy certain documents, and who is responsible for ensuring procedures are followed.
It will include procedures to ensure the authenticity and integrity of the documents and ensure the maintenance and backup of documents. That’s a lot to take on board.
Staff needs to be aware of the policy obligations to ensure compliance across the organisation. It is all well and good having a dedicated individual responsible for managing the policy but if your staff are not following it or don’t understand how to comply you leave yourself wide open.
So you have a policy in place and a process which allows you to confirm when retention is not required. But what about those documents you are required to retain? What are your specific document retention obligations?
Under common law, once litigation has commenced there is an obligation upon all participants to retain all records relevant to the litigation. Prior to the commencement of litigation, all records that may be relevant should be retained if litigation is anticipated.
In 2004, the Queensland Supreme Court upheld an earlier Court decision which convicted a person for attempting to pervert the course of justice where that person had shredded papers knowing they ‘might’ be required in judicial proceedings.
New legislation followed the well-known McCabe case at both Commonwealth and State level and in step with the case law. Legislation now imposes numerous document retention obligations.
In 2006, Victoria amended the Crimes Act 1958 (Vic) (Crimes Act) to create a new criminal offence in relation to the destruction of documents likely to be required in legal proceedings. Both individuals and companies can be prosecuted, potentially facing large fines and imprisonment.
A company may be vicariously liable for an officer who breaches the document destruction provisions of the Crimes Act. Other key pieces of legislation that require document retention or availability are the Corporations Act 2001 (Cth) Evidence (Document Unavailability Act) 2006, Income Tax Assessment Act 1997 and Trade Practices Act 1974 (Cth).
Depending on what industry you are in you may also have specific retention requirements affecting your organisation. The penalties for breaching legislation which govern document retention should be enough to make even the most reluctant director sit up and take notice.
Prosecution under the Crimes Act can attract penalties of up to 5 years imprisonment and $330,000 fines. Further, breaches of the financial record retention requirements under the Corporations Act can also attract fines of up to $1,000,000 for corporations and $200,000 for any individual involved in the breach.
It is clear that organisations need to ensure they have an effective document retention policy in place but how do you embed good preservation practices within your organisation?
A good first step is to establish a document retention committee comprising representatives from legal, IT and the business. Such a committee would be responsible for formulating and implementing the document retention policy.
Appoint a champion from within the business to spread the word and ensure regular training and updates. The board would obviously need to keep itself reasonably informed as to the policy itself and would need to regularly monitor and review developments. If leading by example is not incentive enough then the usual liability risks may focus the attention of the board further.
Dudley Kneller, a partner in the Middletons Technology group, practises in the areas of technology, privacy and data security, and outsourcing and advises a range of Australian and international customer and supplier clients on their technology, data and outsourcing requirements