Earlier this year, I wrote about proposed new legal requirements with respect to the destruction of records. Those amendments (An act to amend the Personal Information Protection and Electronic Documents Act (Bill C-29)) died with the 40th Parliament, but organizations should still make sure they understand their obligations with respect to destroying documents.
Now the other side of the coin—retaining documents—which is equally important and perhaps equally difficult to navigate.
There are a number of potentially troublesome issues associated with retaining records. For example: there are storage and privacy concerns; organizations must ensure they keep records secure in accordance with relevant privacy laws. At the same time, organizations might not have considered the self-incriminating information that records might hold, and they will want to ensure they don’t keep potentially incriminating records any longer than the law requires.
Not that I think our readers are up to no good! But when it comes to audits, organizations are likely better off providing the least amount of information they are legally required to, rather than all of the information they have in their possession covering the audit period. That means implementing a records management policy—and making sure to follow the policy.
A policy will help you understand which documents and information you need to keep and for how long, and which you can destroy. A policy will also force you to manage your electronic documents: Can you account for every copy of a document? Do you erase files securely, so that no trace of them remains, even to special data recovery software? Are your documents stored securely, so that no unauthorized persons can access them?
Find a detailed outline of the issues and obligations in policy 3.06 – Records management and retention of Finance and Accounting PolicyPro, Volume II — Corporate Governance. Policy 1.11 – Confidentiality and privacy is relevant. Information Technology PolicyPro also offers commentary and sample policies on data security.
Adam Gorley
First Reference Internal Controls, Human Resources and Compliance Editor
A new age of records retention: good policy more than worth the effort
Latest posts by Adam Gorley (see all)