When writing a data retention policy, you need to determine how to:
- Organize information so it can be searched and accessed at a later date
- Dispose of information that is no longer needed
Some organizations find it helpful to use a data retention policy template that provides a framework to follow when crafting the policy.
A data retention policy must consider the value of data over time and the data retention laws an organization may be subject to. In 2006, the U.S. Supreme Court recognized that it is not financially possible to retain all information indefinitely. However, organizations must demonstrate that they only delete data that is not subject to specific regulatory requirements and use a repeatable and predictable process to do so. This means various types of information are held for different lengths of time. For example, a hospital's retention period for employee email would be different from that of its patient records.
While it is common for an organization to establish its own data retention requirements, there are certain data retention laws that must be adhered to. This is especially true for organizations operating within regulated industries. For example, publicly traded companies within the U.S. must establish a Sarbanes-Oxley Act (SOX) data retention policy. Similarly, healthcare organizations are subject to Health Insurance Portability and Accountability Act (HIPAA) data retention requirements, and organizations that accept credit cards must adhere to a Payment Card Industry Data Security Standard (PCI DSS) data retention and disposal policy.
Simply retaining data is not enough. Federal laws commonly require organizations in regulated industries to create a documented data
Proper data disposal
When a protected record's age exceeds that of the applicable data retention policy, the record needs to be disposed of properly. Organizations are not required by law to dispose of old data, but it is often in their best interest to do so since old email messages, documents and database records could be subpoenaed in the event of litigation.
Many organizations use an automated system, typically a dedicated archive software product, to securely delete data that no longer falls within the required data retention period. Automation ensures data will be disposed of in the proper time frame without manual intervention. Some organizations may use their backup software's archiving functionality to automate data disposal.
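The repeatable, predictable disposal process described above can be expressed as a small retention engine: each record carries a category, a creation date and a legal-hold flag; a per-category schedule gives the retention period; and every evaluation produces a disposition log entry so the decision is auditable. The following is an added example, not code from any archive product or from the original article. The categories, retention periods and sample records are constructed for illustration only; real periods come from the organization's policy and the laws it is subject to. Two safety properties worth noting: a record under legal hold is never disposed of regardless of age, and a record whose category has no defined retention period is retained and flagged for review rather than deleted.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Callable, Dict, List, Optional

# Hypothetical retention schedule: category -> retention period in days.
# Constructed for this example; an organization derives these from its policy and
# the regulations it is subject to (e.g. SOX, HIPAA, PCI DSS).
RETENTION_DAYS: Dict[str, int] = {
    "employee_email": 365,
    "patient_record": 6 * 365,
    "cardholder_data": 90,
}


@dataclass(frozen=True)
class Record:
    record_id: str
    category: str
    created: date
    legal_hold: bool = False  # True while the record is subject to litigation hold


def expiry_date(record: Record) -> Optional[date]:
    """Date on which the record's retention period ends, or None if its category
    has no defined period (treated as 'do not dispose' by disposition())."""
    days = RETENTION_DAYS.get(record.category)
    if days is None:
        return None
    return record.created + timedelta(days=days)


def disposition(record: Record, today: date):
    """Decide what to do with one record. Returns (action, reason)."""
    # Legal hold overrides the schedule: never dispose of held records.
    if record.legal_hold:
        return "hold", "legal hold exempts record from disposal"
    expiry = expiry_date(record)
    if expiry is None:
        # Unknown classification: fail safe by retaining and flagging for review.
        return "retain", f"no retention period defined for category {record.category!r}; retaining pending review"
    if today >= expiry:
        return "dispose", f"retention period expired on {expiry.isoformat()}"
    return "retain", f"retention period ends {expiry.isoformat()}"


def run_disposal(records: List[Record], today: date,
                 delete: Callable[[Record], None]) -> List[dict]:
    """Evaluate every record, call `delete` for those eligible for disposal, and
    return a disposition log with one entry per record (the audit trail)."""
    log = []
    for record in records:
        action, reason = disposition(record, today)
        if action == "dispose":
            delete(record)  # the caller supplies the actual secure-deletion routine
        log.append({
            "record_id": record.record_id,
            "category": record.category,
            "action": action,
            "reason": reason,
            "evaluated_on": today.isoformat(),
        })
    return log


# Constructed sample records for a run dated 2024-06-01.
SAMPLE_RECORDS = [
    Record("m1", "employee_email", date(2023, 1, 15)),               # expired -> dispose
    Record("m2", "employee_email", date(2024, 3, 1)),                # still within period
    Record("p1", "patient_record", date(2017, 1, 1), legal_hold=True),  # expired but held
    Record("c1", "cardholder_data", date(2024, 4, 1)),               # expires 2024-06-30
    Record("x1", "unknown_category", date(2010, 1, 1)),              # no schedule -> retain
]


def actions_by_id(records: List[Record], today: date) -> Dict[str, str]:
    """Convenience view of a run: record_id -> action (no deletion performed)."""
    return {e["record_id"]: e["action"] for e in run_disposal(records, today, lambda r: None)}


if __name__ == "__main__":
    for entry in run_disposal(SAMPLE_RECORDS, date(2024, 6, 1), lambda r: print(f"securely deleting {r.record_id}")):
        print(entry)
```

In a real deployment the `delete` callback would invoke the archive or backup product's secure-deletion routine, and the returned log would be written to tamper-evident storage so the organization can later show that deletion followed the documented schedule.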