Record Management, Retention, and Destruction Policy
Record Management Policy Template 62 pages - 12 easy to use forms - Citations for Laws - Retention Periods Defined
Detail I-9 Requirements - Citations for latest federal rules including Lilly Ledbetter Fair Pay Act
All companies create records in the regular course of business. These records may be created to meet business needs, comply with existing legal requirements or to protect the organization in case of litigation. Some are physical, most are electronic.
A fundamental best practice for minimizing business risk is to implement a legally-defensible records management program. The first requirement of such a program is to determine the legal requirements for records retention and destruction. These requirements are the foundation for producing a defensible records retention schedule.
Next steps include:
- Creating policies and procedures like the Records Management, Retention, and Disposition Policy that conform to a retention schedule framework similiar to the one defined in Janco's policy template
- Consistently execute and enforce the retention and disposal rules defined in the policy,
- Integrate the policy to entire operational infrastructure.
Which records can be saved and which can be disposed off?
There are numerous business records that should be held on to for a minimum of seven years, which can include employee agreements, business loan documentation, litigation records, as well as general expense reports and records including overhead expenses and professional consultation fees.
Other documents may be kept for shorter, longer or an indefinite period of time and it's important to know what legal requirements are enforced for your industry to not only stay compliant, but to also dispose of documents you may no longer need. Regularly maintaining filing cabinets and securely disposing of old documents can help minimize risk of sensitive information falling into the wrong hands. The risks of keeping old documents containing sensitive data can be high – resulting in identity theft, fraud and potential financial loss or reputation damage.
There are many common myths about tape, disk, data protection and archiving including that archiving and long-term data retention are only for regulatory compliance purposes. The reality is that while regulatory compliance data, including Sarbanes-Oxley, ISO, financial or HIPAA medical, require long-term retention, other records and data, including those that do not fall under regulatory requirements, can benefit from - if not require - long–term data retention.
Record Management Policy Template Includes Citations for Federal and Selected State Record Retention Requirements
A record is essentially any material that contains information about your company’s plans, results, policies or performance. In other words, anything about your company that can be represented with words or numbers can be considered a business record – and you are now expected to retain and manage every one of those records, for several years or even permanently depending on the nature of the information. The need to manage potentially millions of records each year creates many new challenges for your business, and especially for your IT managers who must come up with rock-solid solutions to securely store and manage all this data.
The Record Management, Retention, and Destruction policy is a detail template which can be utilized on day one to create a records management process. Included with the policy are forms for establishing the record management retention and destruction schedule and a full job description with responsibilities for the Manager Records Administration.
United States Employers have a number of record retention requirements that are mandated by the federal government. Download Federal Record Retention Requirements here.
The areas included with this Record Management Policy Template are:
- Record retention requirements for SOX sections 103a, 302, 404, 409, 801a and 802.
- Record Management Policy
- Compliance and Enforcement
- E-mail Retention and Compliance
- Job Description Manager Record Administrator
- 12 forms for Record Retention and Disposition Schedule
- Record Management Best Practices
- Employee Record Retention Federal Requirements
Records Retention and Disposition Schedule Forms
- Personnel Records
- Administrative Records
- Facility Records
- Financial Records
- Sales Records
- Computer and Information Security Records
- Computer Operations and Technical Support
- Data Administration
- General Systems and Application Development
- Network and Communication Services
- User and Office Automation Support
- Safety Records
All of these forms are contained within the Records Management Policy Template.
Managing backup and recovery in today's environment is a multi-dimensional challenge with both near and long term business requirements. Recent technological developments in disk backup have had a positive impact on short term data retention requirements. But these improvements do not replace the need to execute and deliver on a long term data retention strategy which includes:
- Business and Regulatory Requirements Demand a Long-term Plan
- Manage and Contain Your Total Cost of Ownership (TCO)
- Encrypt Your Data for Secure Long-term Retention
- Weigh the Environmental Impacts and Minimize Power and Cooling Costs
- Simplify Management of the Entire Solution
All of the policies that are provided here are contained within one or more of the templates that are on this site. These policies have been added as individual documents in WORD format (WORD 2003 and WORD 2007) for those clients who just need this particular policy. All policies are Sarbanes-Oxley, HIPAA, PCI-DSS, and ISO compliant.The policies have just been updated to comply with all mandated requirements and include electronic forms that can be Emailed, filled out completely on the computer, routed and stored electronically -- a total solution.
- CIO IT Infrastructure Policy Bundle (All of the policies below are included as individual MS Word files and a single PDF file. Electronic forms are all individual documents that are easily modifiable)
- Backup and Backup Retention Policy
- Blog and Personal Web Site Policy (Includes electronic Blog Compliance Agreement Form)
- BYOD Policy Template (Includes electronic BYOD Access and Use Agreement Form)
- Incident Communication Plan Policy (Updated to include social networks as a communication path)
- Internet, e-Mail, Social Networking, Mobile Device, Electronic Communications, and Record Retention Policy (Includes 5 electronic forms to aid in the quick deployment of this policy)
- Mobile Device Access and Use Policy
- Patch Management Policy
- Outsourcing Policy
- Record Management, Retention, and Destruction Policy
- Sensitive Information Policy (HIPAA Compliant and includes electronic Sensitive Information Policy Compliance Agreement Form)
- Service Level Agreement (SLA) Policy Template with Metrics
- Social Networking Policy (includes electronic form)
- Telecommuting Policy (includes 3 electronic forms to help to effectively manage work at home staff)
- Travel and Off-Site Meeting Policy
- IT Infrastructure Electronic Forms