We already know that a “Keep everything” approach to managing records is costly, problematic and risky. Once a company no longer needs certain records, any further use of them will be by someone else, most likely an opposing party who obtains them through discovery, and that use can only be detrimental. Even if the legal action against the company does not succeed, the extra volume of records has added expense and disruption that was never necessary. It has always been good business sense to dispose of records once the company has no further use for them.
Today the “Age of Privacy” has arrived, and it represents another risk or, more correctly, another danger in retaining records beyond their required retention. As this “Age of Privacy” develops and matures, companies need to be responsive at the corporate, departmental and personal level. Record keeping policies and procedures must be developed for records access, usage and disposal, and actions must be taken to confirm compliance with those privacy policies and procedures at the personal, departmental and corporate level. This is not an area to be taken lightly. Beyond bad publicity, there are significant and potentially severe penalties, both civil and criminal. Take the Health Insurance Portability and Accountability Act (HIPAA), for example. This law specifies not only retention and disposal requirements but also who may access records and how they may be used. The law has consequences. As originally enacted, each civil violation carries a $100 penalty, up to a maximum of $25,000 for all violations of an identical requirement in a calendar year (the civil penalty tiers have since been raised). It doesn’t end there. Wrongful disclosure of individually identifiable health information is a criminal offense with penalties of $50,000, $100,000 or $250,000, which may be coupled with imprisonment of 1, 5 or 10 years, depending on the intent behind the disclosure. This has forever elevated the significance of managing records.
More recently, the European Union has established the General Data Protection Regulation (GDPR), which imposes stringent requirements on the handling of individuals’ personal data, including the “Right to be Forgotten”, that is, a right to have one’s personal data erased, and the right to restrict processing. Depending on the infraction, the penalties for a company may be as much as 20,000,000 Euros or 4% of the company’s total worldwide annual revenue, whichever is higher. These can be crippling penalties for a company, and they likely exceed the cost of implementing appropriate systems, repositories and controls. And of course, a company found in violation would still have to remediate its practices after paying the fines. It is much better to assure compliance before the law takes effect.
The “Age of Privacy” has required companies to expend significant resources to examine their records access, utilization and disposal processes and make the necessary revisions. With its severe penalties for non-compliance, the “Age of Privacy” has brought the “Keep it Forever” style of records management to extinction; it is simply intolerable for records to which privacy laws apply. As companies retool their records management programs to assure compliance where privacy laws apply, they would do well to extend those same disciplines across the business and establish or strengthen their Information Governance program. A disciplined Information Governance program reduces cost and improves business efficiency to the extent that it pays for itself (see Information Governance is Free). While initially troublesome, the Age of Privacy might be the driving force a company needs to establish a fully functional and comprehensive Information Governance program.