Published OnNovember 28, 2018Defensible disposition involves much more than bulk shredding.
Information governance (IG) professionals are frequently asked whether bulk shredding can be used to free up space. Lack of space is a typical lament in every industry, even if your organization has achieved a paperless “nirvana.” Data storage may be cheap, but the costs still add up.
Understanding the data disposal laws that affect your organization is a critical part of any IG program, even if your industry is not heavily regulated. It’s a good business practice to have a plan for handling legal action, which, in my experience, is fairly common. Some organizations take the easy route and periodically hold “shred days” to dispose of everything older than a selected year. I’m not a lawyer, so for all I know, some judges might interpret this practice as acceptable, but I wouldn’t want to bet my livelihood on it.
Regarding disposition, I’m a long-time advocate of “defensible deletion.” Defensible deletion involves more than understanding the data disposal laws, hiring a local shredding organization and receiving a simple letter of destruction. If you ever have to appear before a court, it’s better to be able to demonstrate your adherence to data disposal laws with a thorough, documented disposition process and a chain of custody.
Bulk shredding is highly susceptible to human errors of commission and omission. There is always resistance to discarding “my stuff” because “I might need that someday.” How many times have you heard that or even said it yourself? A standardized process ameliorates this issue.
Though bulk shredding companies certainly have their place, they don’t regularly develop defensible disposition policies and procedures into a sustainable program. This is why it pays to involve IG professionals at the outset. They have the knowledge of the applicable data disposal laws and the expertise to help your organization set up such a program as quickly as possible.
There are several steps for creating a defensible disposition program: You must first identify all of the data within the organization, its storage format (hard copy, electronic, file type, etc.), its quantity and its location. Once you have this information, you need to review it with your legal staff and upper management to develop a records retention schedule as well as a list of information owners to establish a workflow of approvals for destruction. This workflow will become part of the chain of custody documentation for the entire process. This chain of custody document is just as important as the letter of destruction to prove your process is defensible.
If this sounds like a lot of tedious work, that’s because it is. I recommend hiring a records and information management (RIM) organization to get the job done. A defensible deletion program makes it easier to lower storage costs, mitigate legal risk and find relevant information, since it generally runs in the background once it has been instituted. There is one caveat to this process: It has to be followed every single time. You must be able to prove in court that you follow whatever policy you have established. Legitimate exceptions must be accounted for in the program itself — another job for RIM professionals.
A defensible disposition process is important regardless of the size of your organization or your specific regulatory risk. It is simply a good business practice. It is also something that requires the expertise of RIM professionals.