Last week we had a great chat with Susan Cisco. She’s a very experienced old hand in the IG business and both John Isaza and I have known her and worked with her for a long time, so it was great to have an opportunity to sit down with her and talk shop. Many of you will know Susan as an early advocate and theorist for the “big bucket” approach to retention scheduling. In light of the many developments in the privacy area these days, retention schedules generally and the big bucket/little bucket debate have become more relevant than ever.
Susan and Mr. Isaza – no stranger himself to big bucket theory – gave us a great overview of how privacy interacts with a big bucket retention schedule, and how Access’s Virgo retention scheduling software can help solve this conundrum. It’s a challenge, because so many privacy laws deal with information at a fairly granular content level, but it can be – and must be – done, and besides Virgo, Access has a lot of ways we can help you. Bottom line here – you need a retention schedule more than ever these days, and you need a robust privacy compliance program to go with it.
We also had a terrific discussion about metadata tags, specifically around leaving little stubs there after you have deleted electronic data to prove that it was there and got deleted. All three of us have strong views on this – my own position is that, as an evidentiary matter in legal proceedings, metadata stubs are more trouble than they’re worth:
To me, it’s a version of the old fashioned destruction certificate. Sounds great, but if you have them, you better have them for absolutely everything. If not, you’ll just have a lawyer beating you over the head about the missing ones, and if you’ve ever been through a good, tough deposition or trial appearance, you appreciate what that’s like. I dare say that Susan and John I share the same basic feeling about them, for pretty much the same reasons.
All that said, not everyone agrees with this view. One such person Is Ken Withers, one of the movers and shakers of the Sedona Conference, the preeminent legal think tank for a wide assortment of legal issues associated with information issues. He takes a contrary view, and he’s not a man whose views can be lightly dismissed. And I’m pleased to be able to say that he’s our very next guest on Out of the Box on May 27. So don’t miss it, we’re going to get to the bottom of this metadata stub business. He’s also a widely respected expert on an assortment of things related to the law and information governance, so it promises to be a terrific show.
We got some great questions on the last Out of the Box Live! that we never got to, and I want to take a few lines to respond to them. Next show, we’ll address some good questions posed by viewers on metadata stubs that we didn’t get to last time, with the added advantage of having Ken on, so I’m not going to address them below. Tune in next time to continue that discussion.
So here goes. I’m summarizing and combining some questions.
It’s not a problem to choose the longer period, UNLESS there is PII in there. Then you’ve got a conflict between US law and what could be very, very short MAXIMUM privacy requirements. In that case, if the data is commingled, you’ve got a problem that may require some extensive system re-engineering, and/or making some tough retention decisions.
Yes, big bucket = big record series.
Big buckets gets you completely away from a departmental focus.
Yes, and increasingly so. A lot of information systems have a hard time handling granular retention requirements, so bigger is not only better, often it’s the only choice.
Bottom line is that privacy requirements require a departure from a general big bucket approach – think of it as big buckets with some very little buckets rounding things out.
Can do – Virgo has an API to import rules into systems. It’s already active with Office 365 and similar integrations are possible with other systems.
Just make sure it’s really an applicable requirement.
It depends on business need, any applicable privacy considerations, and other possible uses. There is no hard and fast answer here – it’s always a balancing act. Some times, definitely not.
It’s possible, and I’ve done it. But you need to think it through and document very carefully the hows and whys, otherwise you’ll be in that deposition I mentioned earlier trying to explain it to a lawyer, and you won’t be having fun.
Whew! That’s it, I need to go lay down and catch my breath. If I missed a question or you’ve just thought up a new one, bring it to the next Out Of The Box Live! We’ll get to it then.