Keep It or Toss It - How Many Years is Long Enough?: Document Retention and Destruction Best Practices [Higher-Ed/College Athletics Best Practices Alert (Third Quarter 2014)]
Author: Lori A. Williams, Esquire (Senior Counsel)
For most institutions, August marks the beginning of the upcoming academic year. As a part of the transition into fall, institutions should take this period, during the quiet before the storm, to implement the RED process for its policies, procedures and other departmental documents.
What is the RED process?
It is the deliberate process during which your institution will Review, Evaluate and Destroy documents according to the established document retention and destruction policy. If your institution does not have a formal document retention policy, it is vulnerable to disastrous consequences. You should seek legal assistance to develop a policy that meets all applicable laws and regulations.
Generally speaking, an institution only needs to keep documents as long as there is a business purpose. The document retention and destruction policy should identify the various types of electronic and hard copy records used in the course of business and how long each document should be retained. The policy must comply with the laws and regulations of the federal, state and regulatory agencies that govern the business activities that occur within your institution. [Note: If you receive notice of an ongoing “litigation hold,” the institution is required to keep documents that are reasonably discoverable in anticipated litigation. See Zubulake v. UBS Warburg LLC, 2003 U.S. Dist. LEXIS 18771 (S.D.N.Y., Oct. 22, 2003).] You should immediately consult a legal professional if you have any questions regarding the scope of an ongoing litigation hold.
Let’s explore each step of the RED process in more detail.
Review – The institution’s policies, procedures, forms and statements should be reviewed for edits that reflect legal or philosophical changes. For example, in Division I, the NCAA Student-Athlete Statement has been amended to remove language waiving the rights of a student-athlete regarding the use of a student-athlete’s name, image or likeness. As a result, any departmental documents referencing that provision should undergo revision as well.
Evaluate – Those individuals responsible for the content of departmental documents should conduct annual evaluations to determine whether the documents should be retained (and properly stored) or destroyed in accordance with the institution’s document retention policy. Further, if the document contains sensitive information, the administrator charged with safeguarding the document should ensure it is maintained in a secure location. For physical documents, administrators should use locked cabinets or cabinets within a locked office. With respect to electronic information, administrators should avoid storing sensitive data on the desktop of their computers/laptops. Sensitive data should be maintained on the institution’s server where it is properly protected and backed up for security purposes.
Destroy – Whenever a document containing sensitive information is no longer needed, it should be properly destroyed in a secure manner. Options for proper document destruction include using a cross-cut or micro cut shredder or hiring a company that specializes in the secure disposal of sensitive data. Sensitive data includes, but is not limited to, all forms of personally-identifiable information (PII); donation statements; financial information; employment, academic or medical records; legal documents; purchase card/credit card information, etc. Specific examples of PII include: Social Security Numbers; student/employee identification numbers; dates of birth; and mailing addresses when used in combination with any of the other identified PIIs.
To tie it all together, the best practices supporting participation in the RED process prior to the start of the next sports season is three fold: (1) there is an increased ability to provide focused attention on the document review aspect when there are fewer students on campus and no in-season sports; (2) there is more time available to revise or replace documents that are outdated; and (3) the RED process operates in tandem with relocating existing retained files to permanent storage locations and clearing off shelf space for the to-be-created files that will soon be filled with documents collected over the course of the next year.
By developing and actively implementing a RED process for document retention and destruction, you will limit the scope and likelihood that a request for information will uncover a negative email or memorandum that presents your institution in an unflattering light.
Contact Lori A. Williams (954-941-1844; firstname.lastname@example.org) for additional information on risk management best practices.