For information governance professionals, last week the hottest spot north of Havana was ARMA’s 60th Annual Conference and Expo in Washington, DC. Over 1,700 gathered to network, explore cutting-edge technology, and learn information governance best practices from industry thought leaders.
Huron Legal’s Eugenia Brumm and Tom Corey facilitated an educational session on “Managing Global Information Risks and Compliance.” The entertaining session was illustrated by a case study based on a fictional global company that manufactures and sells merchandise to fans of a performer whose songs make the whole world sing. The company decided to use its existing U.S. Records Retention Schedule and Policy as the standard policy applicable to all company locations, including those in other countries.
The case study examined these common problems that can arise if a company takes a U.S.-centric approach to records retention:
- Use of U.S.-based terminology. Many U.S. retention forms reference specific documents such as I-9 forms, ERISA forms, OSHA forms, Workers’ Compensation records, and others. All of these refer to specific U.S.-based forms or records categories. A more global approach would be to use general descriptors (for example, “employee citizenship or immigration documents”), identifying specific form names as examples only.
- Different legal retention times. Some countries require that certain types of records be kept much longer than is required in the U.S. Others require that they be kept for much shorter periods because of privacy requirements or other reasons. Particular attention should be paid to the differences in data privacy laws, especially between the U.S. and the E.U. European rules apply to businesses located outside the E.U. if they process the personal data of E.U. residents or offer E.U. residents goods and services. It is therefore important to ensure that the retention schedule considers minimum and maximum retention times, by delineating specific exceptions to the general retention rule or by other means.
- Different format or location requirements. Some countries require that certain types of records, such as personnel files, be kept in “hard” form rather than electronic. Sometimes they require that the employee or others maintain possession of the original record. Again, a solution may be to set out specific exceptions for records located in countries with more rigid requirements.
- Categories of records not applicable to all jurisdictions. Some categories of records may not apply to all offices, and there may be risks involved in including them in a blanket retention schedule. For example, medical records documenting onsite drug and alcohol testing might exist in a manufacturing facility but not in a sales office, and such testing might not be permitted in some countries. Clarification of the retention schedule language, such as specifying “where permitted” or specifically excepting some jurisdictions, may be warranted.
Given the differences in retention requirements around the world, some may think it’s a miracle if an organization can develop a global retention schedule. Even now, however, it can be done with research into the requirements, consideration of the common issues listed above, and careful crafting of the retention schedule’s language.