Thoughts on minimum and maximum retention
I've been considering some of the processes of defensible deletion. Basically, we have a few considerations for establishing a retention requirement:
Note that OMB basically limits retention to three years from creation unless there is an otherwise stated reason for doing so. So one could make the argument that three years is long enough. There are, however, some interesting challenges here.
Dan Michaluk of Hicks Morley wrote an interesting piece on retention and destruction. He notes that privacy legislation often puts a limit on maximum retention. The Ontario Privacy Commissioner, for example, has endorsed a 20-year retention period for credit records. In other situations, the OPC has struck down lengthy retention when there was no business critical reason for doing so (e.g., retaining personal information of departed employees on the off-chance they are rehired). The British Columbia OIPC challenged a retailer that permanently held on to the contact information of people who made merchanise returns. The OIPC found that the business purpose was valid but that it did not warrant permanent retention.
There's also the issue of retaining a document or record for too little time. In _Lewy v. Remington Arms_, a suit was brought against the arms company after a gun misfired. The suit claimed that the three year retention for complaints and gun examination reports was too short (i.e., limitations of action). The court noted that three years might be "sufficient for documents such as appointment books or telephone messages, but inadequate for documents such as customer complaints."
Another example is _Broccoli v. Echostar_ involving a company that purged email within 21 days. The challenge was that there was no effective holds process in place. The court noted that "under normal circumstances, such as policy may be a risky but arguably defensible business practice undeserving of sanctions."
- stated retention requirement. Basically, you have to keep it due to some regulation.
- limitations of action. A period during which an organization may face legal action so it might want records on hand for defense. It is about litigation strategy.
- no stated retention. Many requirements tell you to retain stuff but then don't state how long.
Note that OMB basically limits retention to three years from creation unless there is an otherwise stated reason for doing so. So one could make the argument that three years is long enough. There are, however, some interesting challenges here.
Dan Michaluk of Hicks Morley wrote an interesting piece on retention and destruction. He notes that privacy legislation often puts a limit on maximum retention. The Ontario Privacy Commissioner, for example, has endorsed a 20-year retention period for credit records. In other situations, the OPC has struck down lengthy retention when there was no business critical reason for doing so (e.g., retaining personal information of departed employees on the off-chance they are rehired). The British Columbia OIPC challenged a retailer that permanently held on to the contact information of people who made merchanise returns. The OIPC found that the business purpose was valid but that it did not warrant permanent retention.
There's also the issue of retaining a document or record for too little time. In _Lewy v. Remington Arms_, a suit was brought against the arms company after a gun misfired. The suit claimed that the three year retention for complaints and gun examination reports was too short (i.e., limitations of action). The court noted that three years might be "sufficient for documents such as appointment books or telephone messages, but inadequate for documents such as customer complaints."
Another example is _Broccoli v. Echostar_ involving a company that purged email within 21 days. The challenge was that there was no effective holds process in place. The court noted that "under normal circumstances, such as policy may be a risky but arguably defensible business practice undeserving of sanctions."
0 Comments:
Post a Comment
Subscribe to Post Comments [Atom]
<< Home