Last week we had a great chat with Susan Cisco. She’s a very experienced old hand in the IG business and both John Isaza and I have known her and worked with her for a long time, so it was great to have an opportunity to sit down with her and talk shop. Many of you will know Susan as an early advocate and theorist for the “big bucket” approach to retention scheduling. In light of the many developments in the privacy area these days, retention schedules generally and the big bucket/little bucket debate have become more relevant than ever.
Big Bucket Retention Schedules
Susan and Mr. Isaza – no stranger himself to big bucket theory – gave us a great overview of how privacy interacts with a big bucket retention schedule, and how Access’s Virgo retention scheduling software can help solve this conundrum. It’s a challenge, because so many privacy laws deal with information at a fairly granular content level, but it can be – and must be – done, and besides Virgo, Access has a lot of ways we can help you. Bottom line here – you need a retention schedule more than ever these days, and you need a robust privacy compliance program to go with it.
We also had a terrific discussion about metadata tags, specifically around leaving little stubs there after you have deleted electronic data to prove that it was there and got deleted. All three of us have strong views on this – my own position is that, as an evidentiary matter in legal proceedings, metadata stubs are more trouble than they’re worth:
- They’re not legally required in any jurisdiction I’m aware of. You’re fully justified in standing on your retention schedule – it’s not there, the retention schedule says it isn’t supposed to be, end of story.
- It’s all or nothing – if you haven’t got them for everything, you’re just opening the door for opposing counsel to pick at you and ask a lot of annoying questions about the inconsistency.
- Most information systems don’t have this capability anyway – at least not intentionally – so I don’t see the point in having a proof mechanism that you can apply to only a small percentage of your data.
To me, it’s a version of the old-fashioned destruction certificate. Sounds great, but if you have them, you better have them for absolutely everything. If not, you’ll just have a lawyer beating you over the head about the missing ones, and if you’ve ever been through a good, tough deposition or trial appearance, you appreciate what that’s like. I dare say that Susan, John and I share the same basic feeling about them, for pretty much the same reasons.
An Opposing View
All that said, not everyone agrees with this view. One such person is Ken Withers, one of the movers and shakers of the Sedona Conference, the preeminent legal think tank for a wide assortment of legal issues associated with information issues. He takes a contrary view, and he’s not a man whose views can be lightly dismissed. And I’m pleased to be able to say that he’s our very next guest on Out of the Box on May 27. So don’t miss it, we’re going to get to the bottom of this metadata stub business. He’s also a widely respected expert on an assortment of things related to the law and information governance, so it promises to be a terrific show.
We got some great questions on the last Out of the Box Live! that we never got to, and I want to take a few lines to respond to them. Next show, we’ll address some good questions posed by viewers on metadata stubs that we didn’t get to last time, with the added advantage of having Ken on, so I’m not going to address them below. Tune in next time to continue that discussion.
So here goes. I’m summarizing and combining some questions.
What about when retention timeframes for US law conflict with EU law?
It’s not a problem to choose the longer period, UNLESS there is PII in there. Then you’ve got a conflict between US law and what could be very, very short MAXIMUM privacy requirements. In that case, if the data is commingled, you’ve got a problem that may require some extensive system re-engineering, and/or making some tough retention decisions.
Is a big bucket the same thing as a records series?
Yes, big bucket = big record series.
Is a big bucket similar to retention on a by-department basis?
Big buckets get you completely away from a departmental focus.
Are big buckets common?
Yes, and increasingly so. A lot of information systems have a hard time handling granular retention requirements, so bigger is not only better, often it’s the only choice.
How do they interact with privacy law?
Bottom line is that privacy requirements require a departure from a general big bucket approach – think of it as big buckets with some very little buckets rounding things out.
Can you tie big buckets to content types and systems?
Can do – Virgo has an API to import rules into systems. It’s already active with Office 365 and similar integrations are possible with other systems.
Do regulatory requirements trump the right to be forgotten?
Just make sure it’s really an applicable requirement.
Any value to keeping a record beyond legal requirements?
It depends on business need, any applicable privacy considerations, and other possible uses. There is no hard and fast answer here – it’s always a balancing act. Sometimes, definitely not.
Should you maintain a different retention schedule for electronic and paper?
It’s possible, and I’ve done it. But you need to think it through and document very carefully the hows and whys, otherwise you’ll be in that deposition I mentioned earlier trying to explain it to a lawyer, and you won’t be having fun.
Whew! That’s it, I need to go lie down and catch my breath. If I missed a question or you’ve just thought up a new one, bring it to the next Out of the Box Live! We’ll get to it then.