Document Retention Policy: Know What to Keep and What to Shred
"I think we need to change the fundamental design of the way each and every document is created and managed," commented Bill Anderson of cyber security company OptioLabs, in a cnet.com story about the Panama Papers.
The Panama Papers is the latest mega data breach where millions of confidential documents from a Panamanian law firm were leaked, exposing offshore bank accounts – and possibly tax havens – for wealthy clients.
While there are many aspects to information security, a sound document retention policy is one of the most important. Knowing which confidential documents to keep and which ones to permanently destroy should be of concern to everyone, particularly at tax time when information thieves are in high gear.
Indeed, the Internal Revenue Service (IRS) sent out an alert that personal data scams in the U.S. increased 400% in the first four months of 2016. Criminals create fake tax returns and send scam workplace e-mails pretending to be executives asking for tax-related data.
Here are some document retention policy guidelines to help keep your information secure.
- Information audits: Use audits to identify the types of documents the business produces, and to create an inventory and keep it updated.
- How long to keep tax records? There are two parts to data retention: how long documents will be useful to the business, and how long they must be retained based on government and industry requirements. For example, in the U.S., payroll tax returns must be kept for 4 years. Every business must evaluate the laws that apply to it.
- Fines – either way: While the law requires you to keep certain documents, if you retain a record for too long you might also expose yourself to litigation risks and fines. Like most privacy laws, compliance with the Data Protection Act requires that the record be securely disposed of when the official retention period is over.
- Emails: Records are paper files, digital documents, and correspondence including emails. According to wired.com, the Panama Papers leak included more than 4.8 million emails (as well as 3 million database files and 2.1 million PDFs). If emails serve no important business or legal use and are not subject to regulatory compliance, delete them within the appropriate time frame.
- Easy retrieval: Index all documents for easy retrieval. Store them in a secure, locked location and/or in a password-protected file. Control access so that only those employees who need the information to do their jobs can reach it. Storing unneeded information increases the risk of a security breach, takes up space, and costs money.
- Secure disposal: The only acceptable way to discard paper or digital documents when they are no longer needed is to completely destroy them. Shredding is a legal requirement for many documents, and outsourcing eliminates risk. Partner with a reputable shredding company that has secure chain of custody processes for information destruction. A Certificate of Destruction will document compliance and should be issued after every shred.
Use this document retention factsheet to help create the right retention schedule for your business.