All businesses must manage records, but the cost and difficulty of storing documents can eventually outlive their usefulness. Although you may not have a use for them anymore, knowing what confidential records to keep and which ones to destroy is essential to ensuring compliance and the protection of private data.
What is a Business Record?
Your document retention policy should be tailored to your business. The policy should include a definition of what is considered a “business record” and differentiate it from documents that have no retention requirements.
Document Retention Policy
A document retention policy identifies confidential information and categorizes it by how and where documents and other records are stored (electronically or on paper) and the required retention period based on federal, provincially, and other regulatory requirements.
Below are seven reasons why every workplace should have a document retention policy:
- Compliance: Failure to comply with provincial and federal privacy laws and destroying records before the end of a required retention period can result in penalties. You may also need records to defend against claims. Use your legal department or counsel and trusted third parties to help ensure company policies comply with applicable regulations.
- Efficiency: Some organizations still store and destroy documents haphazardly. But saving records for too long or destroying records too soon can also be problematic. A document retention policy, as part of a comprehensive document management process, will detail how to organize documents for storage, retrieval, and recordkeeping. The policy will make locating and retrieving records more efficient. Plus, it will flag when the retention period ends and instruct regarding how to properly destroy each document.
- Culture of Security: A comprehensive document retention policy includes measures to ensure the security of records, whether they are stored as hard copy or digital. Embedding these regulations so they are part of employee training and a standard workplace process will help strengthen a culture of security throughout the organization.
- Access Control: Several laws contain specific provisions regarding who may access information and how it may be used. Certain information should be made available only on a need-to-know basis.
- De-cluttering: Too much clutter in the workplace can increase employee stress and reduce productivity. A data retention policy, in effect, gives permission to delete digital content and dispose of paper records when appropriate. With electronic records, many businesses choose to purchase additional storage instead of deleting unnecessary files. While digital file deletion will help clean up hard drives, bad actors may still restore and obtain deleted data using special software. When hard drives are obsolete or broken down, they should be physically destroyed to guarantee that all data is deleted.
- Destruction of Records: Any records containing confidential, personal, or financial information should be securely shredded when they are no longer needed or when the retention period ends. Using a trustworthy document destruction service, like Shred-it®, will provide a Proof of Service Certificate after every material pick up to acknowledge that your documents have been collected for secure destruction. A professional document destruction service will provide tamper-proof consoles for paper documents that are no longer needed and scheduled service for secure shredding by security-trained personnel. Hard drive and e-media destruction services should also be provided.
- Cost Savings: There are costs related to maintaining unnecessary records. Employees waste time and money looking for documents, and there are storage costs for office space, filing cabinets, hard drives, and cloud storage. There could also be fines, penalties, and other legal fees for non-compliance with applicable document retention or destruction requirements.
Document Retention Policy Development
Here are a few tips to consider when developing a document retention policy to help keep your information secure.
- Information Audits: Use audits to identify the types of records the business manages and use that information to create an inventory which is updated regularly.
- Easy Retrieval: Index all documents for easy retrieval. Store in a secure, locked location or a protected digital file. Control access so only those employees who need the information to do their jobs can do so. Storing unneeded information increases the risk of a security breach, takes up space, and costs money.
- How Long to Keep Documents: There are two parts to data retention: how long documents will be useful to the business and how long they must be retained based on government and industry requirements.
- Remember Emails: Records are paper files, digital documents, and correspondence, including emails. If emails aren’t part of an important business or legal use or are not subject to regulatory compliance, delete them within the appropriate time frame.
- Fines – Either Way: While it is the law to keep certain documents, if you retain a record for too long you might also expose yourself to litigation risks and fines. Like most privacy laws, Personal Information Protection and Electronic Documents Act (PIPEDA) compliance requires that records be securely disposed of when the official retention period is over.
Use a Professional Shredding Service
Learn more about Shred-it®'s secure shredding and hard drive destruction services and how we can help be an important part of your document retention policy.