Your comprehensive records management policy should be broad but specific - and brief. More than one to two pages become incomprehensible for most people (and thus won’t be followed). The policy should spell out the expectations in an executable way – employees should know their responsibilities and be able to do what is expected. If tools or processes for compliance are not available yet, create a compliance plan that outlines which parts of the policy guidelines are expected to be followed at which point in time. This compliance plan will break the policy implementation into workable and practical phases.
The policy should cover the full lifecycle of a document – from creation to disposition, and anything in between. Remember that record keeping is a process that includes creation, storage and retrieval, retention, expiration, and disposition. To ensure that documents are properly managed, the policy needs to support protection, access control, auditing, reporting, etc. Note that the policy should treat documents in any format in the same way – for retention it is usually not relevant whether the information is recorded on paper or electronically. In very few cases do the physical characteristics of a document make a difference, and usually it is not for retention length, as much as for storage medium and authenticity (your legal assessments should help with this differentiation). The policy should reference the retention schedule, a separate document listing common types of documents, their retention periods, and the retention period trigger. Retention schedules are usually lengthier, so leave them as separate documents to keep the policy short. However, the retention schedule should be authorized by your policy as a tool and extension of the policy, so don’t forget to include the necessary language in your policy somewhere. Otherwise you’ll easily find yourself in a position to justify “who said that these docs should be kept for X years???”.
In your policy, you should have a statement regarding litigation holds. These holds exist to satisfy the company’s document preservation obligations during litigation and should supersede the standard disposition requirements. The same should be considered for audits or investigations, if that applies to your business. Your policy should include general guidelines for each of these concepts.
The policy should also state explicitly management’s responsibility for making sure that employees follow the rules, and may also include consequences for failing to keep adequate records. You will need to think about controls for your policy – how will you know whether it is being followed? Who can change the policy? How will the company audit record keeping – through periodic spot tests, random sampling, full formal audits, or self-audits, just to name a few?
While each of these elements needs to be included in the policy, the details will be quite specific to each organization. For instance the period that records will be kept will vary between organizations, as will the consequences for non-compliance, depending on the organizational requirements and culture. Policy statements should always be specific to the way work is done (process-specific) rather than focus on the technology mechanisms for applying the policy. this allows a policy to be applied even when technology changes or when new technologies arise.
Tina Torres, Corporate Records Manager