Chapter 15. Record Retention and Destruction

Executive summary

Legislation, regulation, business contracts and prudence mandate the retention of specific records. These records are largely electronic (including e-mail) and their confidentiality and integrity need to be protected throughout the period of retention; they also need to remain accessible, in spite of intervening technology upgrades and system changes.

Records

An increasingly wide range of organizational and individual records (including e-mail, voice mail and Instant Message communications) must be retained to meet statutory or regulatory requirements, while others may be needed to provide an adequate defence against potential civil or criminal action, to prove the (current and historic) financial status of the organization to a range of interested parties (including shareholders, tax authorities and auditors), or to meet contractual liabilities. Records should be kept in a format that can prove they have not been tampered with, and in a way that allows them to be found many years later. This implies that organizations need an effective archive management policy and, inevitably, appropriate technology. Records should not be kept for ever: indefinite retention makes it harder to find what is required when it is required, and the cost of storage grows with the volume retained.

Therefore, time limits should be set for the retention of each individual category of information, based in each instance on the longest retention period identified in any of a statute of limitations, relevant legislation (including tax and company legislation) or specific regulatory requirements. Information lifecycle management automates the process of moving information from primary (expensive) to secondary (much less expensive) storage devices as it ages. After the defined time period, records should be destroyed in line with the procedure adopted by the organization, so that any confidential information within those records is not inadvertently made public.
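The three mechanical parts of that policy, namely choosing the longest of several candidate retention periods per category, recording a tamper-evident fingerprint when a record is archived, and deciding whether a record stays on primary storage, moves to secondary storage or is due for destruction, can be written down as a small schedule engine. The following is an added illustration, not code from the book or from any particular product; the categories, the retention periods and the one-year tiering threshold are constructed values and must be replaced by the organization's own legal review, and the HMAC key would in practice live in an HSM or key management service rather than in a variable.

```python
"""Retention schedule with an integrity manifest (added illustrative example)."""
import hashlib
import hmac
from datetime import date, timedelta

# Constructed example values: years of retention demanded by each applicable
# source. Zero means the source imposes no requirement on that category.
RETENTION_SOURCES = {
    "tax_records":   {"statute_of_limitations": 6, "tax_legislation": 7, "regulator": 0},
    "contracts":     {"statute_of_limitations": 6, "company_legislation": 0, "regulator": 10},
    "general_email": {"statute_of_limitations": 0, "legislation": 0, "internal_policy": 2},
}

# Hypothetical ILM threshold: records older than this move to secondary storage.
SECONDARY_AFTER = timedelta(days=365)


def retention_years(category):
    """The retention period is the longest that any applicable source requires."""
    return max(RETENTION_SOURCES[category].values())


def destroy_on(created, category):
    """Earliest date on which a record may be destroyed (365-day years assumed)."""
    return created + timedelta(days=365 * retention_years(category))


def seal(record_id, payload, key):
    """Manifest entry binding the record identity to a SHA-256 of its content.

    The HMAC over id:digest lets a later reviewer prove the manifest itself was
    not rewritten to match an altered record, provided the key stayed secret.
    """
    digest = hashlib.sha256(payload).hexdigest()
    tag = hmac.new(key, f"{record_id}:{digest}".encode(), hashlib.sha256).hexdigest()
    return {"id": record_id, "sha256": digest, "hmac": tag}


def verify(entry, payload, key):
    """True only if both the content hash and the keyed tag still match."""
    digest = hashlib.sha256(payload).hexdigest()
    tag = hmac.new(key, f"{entry['id']}:{digest}".encode(), hashlib.sha256).hexdigest()
    return entry["sha256"] == digest and hmac.compare_digest(tag, entry["hmac"])


def classify(created, category, today):
    """Lifecycle decision for one record: 'primary', 'secondary' or 'destroy'."""
    if today >= destroy_on(created, category):
        return "destroy"
    if today - created > SECONDARY_AFTER:
        return "secondary"
    return "primary"


def schedule(records, today):
    """Group a batch of (id, created, category) tuples by lifecycle action."""
    out = {"primary": [], "secondary": [], "destroy": []}
    for record_id, created, category in records:
        out[classify(created, category, today)].append(record_id)
    return out


if __name__ == "__main__":
    key = b"constructed-demo-key-not-for-production"
    entry = seal("INV-0001", b"invoice body", key)
    print(verify(entry, b"invoice body", key), verify(entry, b"invoice body (edited)", key))
    print(schedule([("INV-0001", date(2015, 1, 1), "tax_records"),
                    ("CON-0042", date(2022, 1, 1), "contracts"),
                    ("MSG-9", date(2023, 1, 1), "general_email")], date(2023, 6, 1)))
```

Two points worth noting in practice: the destruction step should re-run verify() before the record is shredded, so that a record whose integrity is already in doubt is quarantined rather than silently destroyed, and a record under legal hold must be exempted from the "destroy" branch regardless of its category.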

Failure to retain key records in an accessible format (which might mean keeping versions of old software and hardware after upgrades, so that archived data can still be read) can have a significant impact on an organization, not just in terms of fines and reputational damage, but also possibly in civil damages.

ISO 27001

Application of appropriate controls, developed in line with the guidelines of the standard, ensures both that data is retained and protected, and that the controls applied to protect retained information are consistent with those deployed for current information.
