Records Management and Retention

APPENDIX 5-O: Sample Data and Information Management Policy

Purpose: This policy is intended to provide guidance regarding the creation, receipt, retention, and destruction of data and information produced in the course of Company business.

Roles/Responsibilities: All employees must be familiar with this policy and act in compliance with it when creating, receiving, managing, storing, and destroying Company data and information.

  • Employees must identify whether the data and information that are created are official business records and, if so, the applicable retention period according to the data retention schedule.

  • Employees must know which official business records/information they are the custodian for.

  • Employees must be aware of litigation, tax and/or audit hold that may apply to the data and information which are being created, received, or maintained, and act in accordance with the guidance provided by such a hold.

  • Employees should regularly review all files, including electronic files and emails, and maintain them in an orderly manner in accordance with this policy and the applicable retention schedule.

  • Employees are responsible for protecting the confidentiality of the Company’s data and information and preventing unauthorized disclosure to a third party (i.e., persons both inside and outside the Company without a need to know).

Policy: In general, the Company desires to retain only official business records (according to the data retention schedule), unless there is a specific Company hold in place which requires other retention.

Definitions

What Is a Record/Information? A record/information isany form of recorded information created, maintained or received by the Company in conducting its business, including but not limited to any paper, email, electronic, microfilm, microfiche, photograph, map, computer disk or tape, software, video, or other recorded information. The policy and procedures, as well as the data retention schedule, apply equally to records/information that whether paper, electronic, or stored on other media.

What Is an Official Business Record? Official business records/information are records/information that record business activities which the Company has determined are necessary to be kept for business purposes or other legal reasons. Official business records may exist in any media format including paper, electronic, audio/video or microfiche. Usually, official business records/information are originals rather than copies. Only one copy of an official business record, either paper or electronic, should be normally retained in accordance with the data retention schedule. Normally, the creator/custodian of this document will make this determination.

Official business records are required to be retained according to the time periods set forth in the data retention schedule and any applicable policy or procedure.

Examples of official business record include signed contracts, invoices, archive data, personnel and payroll records, research reports and laboratory notebooks.

What Is a Convenience Record? Convenience records are records or information that are not official business records. Convenience records/information will not further Company business needs if they are maintained and should be kept only for the period of time in which they are active and useful.

Examples of convenience records include: duplicates or copies (electronic or otherwise) of official business records, reference materials, catalogs and trade journals, casual correspondence, working papers or drafts, emails, instant messages, and personal records and correspondence.

Keeping Official Business Records/Convenience Records. Official business records/information should be maintained pursuant to the applicable retention schedule (unless subject to a litigation, tax or audit hold), and destroyed once the retention period expires.

Convenience records/information should be maintained only so long as reasonably necessary (unless subject to a litigation, tax or audit hold), and be discarded once they are no longer required.

Litigation Holds, Tax Holds, or Audit Holds. A litigation, tax and/or audit hold will stop the destruction of certain designated data and information, even if the data retention schedule mandates destruction, or if the data and information are convenience records.

All data and information, whether official records/information or convenience records/information, and copies of such (whether paper or electronic), falling within the scope of a litigation hold, tax hold and/or audit hold must be kept until the hold is lifted, even if, under the applicable data retention schedule, the record/information would or could otherwise be destroyed.

Questions about any hold, including whether the data and information falls within the scope of a litigation hold, tax hold and/or audit hold, should be directed to the party that issued the hold.

Conformance to Data Retention Schedule Requirements. All official business records must be kept as long as is stated on the data retention schedule and any applicable policy or procedure. Compliance with the data retention schedule and these policies and procedures is required regardless of the media in which the record/information is maintained. If an official business record is retained in electronic format (image, database, etc.), then the document shall be retained in an electronic format, or it may be printed out, and handled in accordance with these policies and procedures, the data retention schedule and any departmental policy or procedure. Early destruction of Company data and information is expressly prohibited by the Company and may violate federal and/or state laws and regulations.

Destruction Approval. When a retention period ends, the official business record should be destroyed unless there is legitimate reason to postpone the discarding (i.e., litigation hold, tax or audit hold or request for exemption that has been approved).

Data and information of any kind in any format or medium subject to a litigation, tax or audit hold notice may not be discarded until written notice from the department that issued the hold, regardless of the retention period set forth in the data retention schedule.

Regular Review of On-site Departmental Records. In order to manage office and electronic space, departments should regularly schedule a review of their data and information. Employees should review all data and information and decide if any are convenience records/information that no longer serves a business purpose and should be discarded or if they are official business records/information that should be sent to the appropriate facility with sufficient documentation to identify the contents and applicable retention schedule and destruction date.

Employee and Company Rights to Access Data and Information. Each employee’s access to data and information is limited to data and information owned by their business department and is otherwise limited to approved access to any other data and information. The legal department, ethics & compliance office, and audit department shall have access to all data and information. The tax department shall have access to all accounting and financial data and information.

The Company respects the individual right of privacy of its employees. However, this right does not extend to work-related conduct or the use of equipment which is provided by the Company. Thus, while employees have individual access codes to Company voicemail, email, and computer systems, the Company may access these systems at any time without the employee’s prior authorization or knowledge. Any data and information, whether created in the course of Company business or sent to and/or received from Company property, is the property of the Company and is not the property of the author, recipient, or custodian of such data and information.

Additionally, employees may be subject to periodic unannounced inspections and/or monitoring and/or surveillance of work areas, (including computers and voicemail) by the Company for business or legal reasons. Employees are responsible for regularly reviewing and discarding all convenience records, including emails, which may be stored on the hard drive, folders, or in other business areas.

Email: Email is not a file storage system. Therefore, email messages must not be retained indefinitely. If the email message is an official business record/information, then it must be stored on file servers, in folders or archived appropriately in accordance with the company data and information management policies and procedures and the data retention schedule. As part of good email practice, employees should regularly review and empty their deleted items and sent items.

The size of the user’s mailbox is currently limited to XXX MB per the IT department policy. Warning messages will be displayed when the mailbox size exceeds a certain amount. When this limit is exceeded, the user will no longer be able to send email until the mailbox size is reduced below the limit.

Training and Education:The office of data and information management is responsible for ensuring that all employees are provided appropriate training and education on records and information management.

Questions: Any questions about this policy, including whether a record is an official business or convience record, the retention schedule, disclosure of information, or anything else related to this policy, can be directed to Jane Doe at jane.doe@companyx.com or .xxxx.

Responsibilities: The responsibilities each party has in connection with this policy are:

Data and information management office—content owner

Approved by: Jane Doe Effective Date: January 1, 2022 Date of Last Revision: July 2022

Other Relevant Policies:

  • Records retention schedule

  • Litigation/tax/audit holds lists

This document is only available to subscribers. Please log in or purchase access
Purchase Login

About SCCE

The Society of Corporate Compliance and Ethics (SCCE) is a non-profit, member-based professional association. SCCE supports our members' work with education, news, and discussion forums. We are a community of leaders, defining and shaping the corporate compliance environment across a wide range of industries and geographic regions. In developing and maintaining effective ethics and compliance programs, our members strengthen and protect their companies.

952.933.4977

About HCCA

The Health Care Compliance Association (HCCA), is a 501(c)6 non-profit, member-based professional association. HCCA was established in 1996 and is headquartered in Minneapolis, MN. We provide training, certification, and other resources to over 10,000 members. Our members include compliance officers and staff from a wide range of organizations, including hospitals, research facilities, clinics and technology service providers.

952.988.0141

Facebook Twitter LinkedIn
Copyright © 2024 by Society of Corporate Compliance and Ethics (SCCE) & Health Care Compliance Association (HCCA). No claim to original US Government works. All rights reserved. All information provided through this site, including without limitation all information such as the “look and feel” of the site, data files, graphics, text, photographs, drawings, logos, images, sounds, music, video or audio files on this site, is owned and/or licensed by SCCE & HCCA or its suppliers and is subject to United States and international copyright, trademark and other intellectual property laws. Any third party logos and/or content provided herein is owned by such third parties and is used by permission herein. Your use of this site to is subject to our Terms Of Use and Privacy Statement.
Cookie settings