This document discusses record retention and destruction policies (RRDP). It notes that RRDPs are important for complying with statutory and contractual obligations, and preserving useful documents for required periods while appropriately destroying documents. Key issues addressed include minimum and maximum retention periods as dictated by law, ensuring appropriate document destruction to avoid charges of spoliation, and how properly implementing an RRDP can help defend against allegations of improper document destruction.
Records Retention And Destruction PoliciesRichard Austin
This presentation reviews the legal reasons for companies to establish a records retention and destruction policy and identifies the major steps in establishing a policy. It also presents a high level overview of the new Ontario e-Discovery rules.
Records Retention and Destruction Policies 2015Richard Austin
Overview of records retention and destruction policies including why have an RRDP, issues to consider in developing an RRDP and steps in developing an RRDP
Compliance with the Requirements of GDPdUGFI Software
This white paper examines the different methods for deploying and managing an email archive solution in an organization and specifies the key requirements that a full featured email archiving system should include.
Records Retention And Destruction PoliciesRichard Austin
This presentation reviews the legal reasons for companies to establish a records retention and destruction policy and identifies the major steps in establishing a policy. It also presents a high level overview of the new Ontario e-Discovery rules.
Records Retention and Destruction Policies 2015Richard Austin
Overview of records retention and destruction policies including why have an RRDP, issues to consider in developing an RRDP and steps in developing an RRDP
Compliance with the Requirements of GDPdUGFI Software
This white paper examines the different methods for deploying and managing an email archive solution in an organization and specifies the key requirements that a full featured email archiving system should include.
Since the days of California's pioneering data breach notification law, virtually all states have implemented some form of consumer ID theft protection law. In 2008, the focus shifted to the east coast, when Massachusetts took it beyond notification, and issued their regulations for the protection of personal information, viewed by many as the most proscriptive in the US. This presentation will provide a general overview of state law, but focus on how the MA regulations evolved from the version issued in Sept 2008 to what became effective March 2010, how organizations are responding, and some potential implications for the future.
Allison Dolan, Program Director, Protecting Personally Identifiable Information, Massachusetts Institute of Technology
Allison F. Dolan is currently Program Director, Protecting Personally Identifiable Information at the Massachusetts Institute of Technology. This program is co-sponsored by the Institute Auditor and Vice President for Information Services and Technology (IS&T). Previously, Allison spent 10 years in IS&T, including roles as Director of Shared Services - Finance, Administration and HR, and as Director of Telephony Services. Allison’s MIT experience was preceded by 20 years of combined information systems, operational, and leadership experience at Eastman Kodak. Allison holds a BA degree from the University of Delaware, with a double major in Computer Science and Economics.
THE BRAZILIAN LAW ON PERSONAL DATA PROTECTIONIJNSA Journal
Rapid technological change and globalization have created new challenges when it comes to the protection and processing of personal data. In 2018, Brazil presented a new law that has the proposal to inform how personal data should be collected and treated, to guarantee the security and integrity of the data holder. The General Law Data Protection - LGPD, was sanctioned on September 18th, 2020. Now, the citizen is the owner of his personal data, which means that he has rights over this information and can demand transparency from companies regarding its collection, storage, and use. This is a major change and, therefore, extremely important that everyone understands their role within LGPD. The purpose of this paper is to emphasize the principles of the General Law on Personal Data Protection, informing real cases of leakage of personal data and thus obtaining an understanding of the importance of gains that meet the interests of Internet users on the subject and its benefits to the entire Brazilian society.
Knobbe Martens Of Counsel, Arsen Kourinian hosted a webinar regarding data privacy issues surrounding the COVID-19 coronavirus outbreak, and the current state of the evolving regulations governing the California Consumer Privacy Act (CCPA).
Published in the European Official Journal on May 4 2016 and become effective on May 24 2016, at a distance of two years, the legislation that will reform the European legislation on protection of data, matches its direct implementation in Italy.
The General Data Protection Regulation, better known as GDPR, will enter into force on May 25 2018: the legislation is going to make a significant change on how data is managed and protected by – and from - private companies.
Data Protection Bill 2019 Participative Role of General Publicijtsrd
Protection of data privacy is a very crutial aspect considering the advent of technology in every Sphere of human life. It directly depends of how privacy is understood and the legal framework present behind that to protect ones privacy in the way it is meant to be understood. Data protection bill would let us understand the variety of rights and obligation when the question is about protection of ones privacy. At the same time, non invasion into the privacy of others is also quintessential. The research article would elucidate in detail the matter crux of Data protection bill considering the practical implications of the rules therein mentioned. The author would also deal with the suggestions would help, safeguarding the privacy at the very ground level. N Parmesh ""Data Protection Bill 2019: Participative Role of General Public"" Published in International Journal of Trend in Scientific Research and Development (ijtsrd), ISSN: 2456-6470, Volume-4 | Issue-2 , February 2020,
URL: https://www.ijtsrd.com/papers/ijtsrd30250.pdf
Paper Url : https://www.ijtsrd.com/other-scientific-research-area/public-relations/30250/data-protection-bill-2019-participative-role-of-general-public/n-parmesh
All product and company names mentioned herein are for identification and educational purposes only and are the property of, and may be trademarks of, their respective owners.
U.S. INTELLECTUAL PROPERTY
ENFORCEMENT COORDINATOR
ANNUAL REPORT ON
INTELLECTUAL PROPERTY
ENFORCEMENT
COVER TITLE HERE
FEBRUARY 2 01 2
CONSUMER DATA PRIVACY
IN A NETWORKED WORLD:
A FRAMEWORK FOR PROTECTING
PRIVACY AND PROMOTING INNOVATION
IN THE GLOBAL DIGITAL ECONOMY
U.S. INTELLECTUAL PROPERTY
ENFORCEMENT COORDINATOR
ANNUAL REPORT ON
INTELLECTUAL PROPERTY
ENFORCEMENT
COVER TITLE HERE
FEBRUARY 2 01 2
CONSUMER DATA PRIVACY
IN A NETWORKED WORLD:
A FRAMEWORK FOR PROTECTING
PRIVACY AND PROMOTING INNOVATION
IN THE GLOBAL DIGITAL ECONOMY
Warrants. Wiretaps. PRTTs. Subpoenas. Section 702. 2703(d) order. National Security Letters. All Writs Act. Many in the infosec community are aware that the government has an array of legal authorities to use in investigating crimes which allow them access to user content and metadata, but few people could articulate the differences among these types of orders. This talk will review each type of legal process used by state and federal agencies to request access to various types of user data and content.
Since the days of California's pioneering data breach notification law, virtually all states have implemented some form of consumer ID theft protection law. In 2008, the focus shifted to the east coast, when Massachusetts took it beyond notification, and issued their regulations for the protection of personal information, viewed by many as the most proscriptive in the US. This presentation will provide a general overview of state law, but focus on how the MA regulations evolved from the version issued in Sept 2008 to what became effective March 2010, how organizations are responding, and some potential implications for the future.
Allison Dolan, Program Director, Protecting Personally Identifiable Information, Massachusetts Institute of Technology
Allison F. Dolan is currently Program Director, Protecting Personally Identifiable Information at the Massachusetts Institute of Technology. This program is co-sponsored by the Institute Auditor and Vice President for Information Services and Technology (IS&T). Previously, Allison spent 10 years in IS&T, including roles as Director of Shared Services - Finance, Administration and HR, and as Director of Telephony Services. Allison’s MIT experience was preceded by 20 years of combined information systems, operational, and leadership experience at Eastman Kodak. Allison holds a BA degree from the University of Delaware, with a double major in Computer Science and Economics.
THE BRAZILIAN LAW ON PERSONAL DATA PROTECTIONIJNSA Journal
Rapid technological change and globalization have created new challenges when it comes to the protection and processing of personal data. In 2018, Brazil presented a new law that has the proposal to inform how personal data should be collected and treated, to guarantee the security and integrity of the data holder. The General Law Data Protection - LGPD, was sanctioned on September 18th, 2020. Now, the citizen is the owner of his personal data, which means that he has rights over this information and can demand transparency from companies regarding its collection, storage, and use. This is a major change and, therefore, extremely important that everyone understands their role within LGPD. The purpose of this paper is to emphasize the principles of the General Law on Personal Data Protection, informing real cases of leakage of personal data and thus obtaining an understanding of the importance of gains that meet the interests of Internet users on the subject and its benefits to the entire Brazilian society.
Knobbe Martens Of Counsel, Arsen Kourinian hosted a webinar regarding data privacy issues surrounding the COVID-19 coronavirus outbreak, and the current state of the evolving regulations governing the California Consumer Privacy Act (CCPA).
Published in the European Official Journal on May 4 2016 and become effective on May 24 2016, at a distance of two years, the legislation that will reform the European legislation on protection of data, matches its direct implementation in Italy.
The General Data Protection Regulation, better known as GDPR, will enter into force on May 25 2018: the legislation is going to make a significant change on how data is managed and protected by – and from - private companies.
Data Protection Bill 2019 Participative Role of General Publicijtsrd
Protection of data privacy is a very crutial aspect considering the advent of technology in every Sphere of human life. It directly depends of how privacy is understood and the legal framework present behind that to protect ones privacy in the way it is meant to be understood. Data protection bill would let us understand the variety of rights and obligation when the question is about protection of ones privacy. At the same time, non invasion into the privacy of others is also quintessential. The research article would elucidate in detail the matter crux of Data protection bill considering the practical implications of the rules therein mentioned. The author would also deal with the suggestions would help, safeguarding the privacy at the very ground level. N Parmesh ""Data Protection Bill 2019: Participative Role of General Public"" Published in International Journal of Trend in Scientific Research and Development (ijtsrd), ISSN: 2456-6470, Volume-4 | Issue-2 , February 2020,
URL: https://www.ijtsrd.com/papers/ijtsrd30250.pdf
Paper Url : https://www.ijtsrd.com/other-scientific-research-area/public-relations/30250/data-protection-bill-2019-participative-role-of-general-public/n-parmesh
All product and company names mentioned herein are for identification and educational purposes only and are the property of, and may be trademarks of, their respective owners.
U.S. INTELLECTUAL PROPERTY
ENFORCEMENT COORDINATOR
ANNUAL REPORT ON
INTELLECTUAL PROPERTY
ENFORCEMENT
COVER TITLE HERE
FEBRUARY 2 01 2
CONSUMER DATA PRIVACY
IN A NETWORKED WORLD:
A FRAMEWORK FOR PROTECTING
PRIVACY AND PROMOTING INNOVATION
IN THE GLOBAL DIGITAL ECONOMY
U.S. INTELLECTUAL PROPERTY
ENFORCEMENT COORDINATOR
ANNUAL REPORT ON
INTELLECTUAL PROPERTY
ENFORCEMENT
COVER TITLE HERE
FEBRUARY 2 01 2
CONSUMER DATA PRIVACY
IN A NETWORKED WORLD:
A FRAMEWORK FOR PROTECTING
PRIVACY AND PROMOTING INNOVATION
IN THE GLOBAL DIGITAL ECONOMY
Warrants. Wiretaps. PRTTs. Subpoenas. Section 702. 2703(d) order. National Security Letters. All Writs Act. Many in the infosec community are aware that the government has an array of legal authorities to use in investigating crimes which allow them access to user content and metadata, but few people could articulate the differences among these types of orders. This talk will review each type of legal process used by state and federal agencies to request access to various types of user data and content.
Data Privacy: What you should know, what you should do!
CSMFO Data Privacy in the Governmental Sector, Local Government. Data Privacy Laws, PCI, Breaches, AICPA – Generally Accepted Privacy Principles
As banks prepare themselves for the open banking journey and being able to share high-quality and accurate data with third parties, they face two immediate needs - a strong data governance and a robust data management framework that offers adequate data privacy and security measures.
The Artificial Intelligence World: Responding to Legal and Ethical IssuesRichard Austin
The presentation examines the legal and ethical issues that Facial Recognition Systems and Autonomous and Self-driving Vehicles present then looks at organizational, regulatory and individual tools available to respond to these issues.
An examination of the legal and ethical issues that the use of Artificial Intelligence products and services presents to lawyers including by reference to the American Bar Association's Model Rules of Professional Conduct.
Intermediary Accountability in the Digital AgeRichard Austin
Examination of the accountability of Internet Intermediaries with a focus on Online Reputation, Cambridge Analytica and Facebook and Competition issues
Ai on the case legal and ethical issues (may 17 2019)Richard Austin
Presentation on the legal and ethical issues that the use of Artificial Intelligence products and systems presents for lawyers including discussion of ABA Model Rules of Professional Conduct
Knowing and managing what's been agreed the case for contract managementRichard Austin
This presentation, by Richard Austin and Eric Notkin, looks at: (i) the context of Contract Management - why it is becoming more important; (ii) the reasons for expectations' and performance gaps in contracts; and (iii) ideas and initiatives to improve Contract Management.
Use of audit clauses in information technology and outsourcing agreements including implications for the Cloud, OSFI Memorandum of February 29, 2012, control audits and CSAE 3416 Audits (Richard Austin and Ken Silverman)
This presentation reviews key provisions of source code escrow agreements including (i) how to define escrow deposits; (ii) the importance of verfication services; and (iii) definitions of release events. The presentation also considers other uses of escrow such as SaaS escrow. It concludes by looking at IP licenses under s. 365(n) of the U.S. Bankruptcy Code and under s. 65.11 of the recently amended Canadian Bankruptcy and Insolvency Act.
Protecting Third Party Information under FOI LegislationRichard Austin
Examination of the protection available for vendor confidential information in public sector procurements in light of client concerns for public accountability and disclosure (including under FOI legislation).
2. Table of Contents
I. Introduction
II. Why have an RRDP?
II.A Compliance with Statutory Obligations
II.B Compliance with Contractual Obligations
III. Issues:
III.A Minimum Retention Periods
III.B Maximum Retention Periods
III.C Appropriate Document Destruction
III.D Document Destruction
IV. Developing and Managing an RRDP
3. I. The Information Age
4.1 billion email accounts in 2014
2.5 billion email users worldwide in 2014
353,860,000 Internet users in North America, up from
252,908,000 in 2009
108.7 billion emails per day in 2014
IDC states 2.8 zettabytes (2.8 trillion GBs) of information
created 2012, forecasts 40 zettabytes by 2020
Sources:
Email Statistics Report, 2014-2018 , http://www.radicati.com/wp/wp-content/uploads/2014/01/Email-Statistics-
Report-2014-2018-Executive-Summary.pdf
Internet Worldwide Stats, http://www.internetworldstats.com/stats.htm
How much data is out there, http://www.webopedia.com/quick_ref/just-how-much-data-is-out-there.html
4. Electronic documents differ from paper documents:
Volume and
Duplicability
Environment
Dependence
Persistence Obsolescence
Metadata Dispersion
Dynamic, changeable
content
Searchability
5. Record Retention and Destruction Policies (RRDP):
preserve useful documents
for the period of time for which retention is useful
or required by law
while managing the expense and
implementing appropriate document destruction
6. Exclusions:
This presentation does not address:
Litigation, e-discovery and litigation holds
Legal file management responsibilities:
Practice Management Guidelines, Section 3
(http://www.lsuc.on.ca/with.aspx?id=2147490535)
Guide to Retention and Destruction of Closed Client Files for
Lawyers (http://lsuc.on.ca/with.aspx?id=2147499150)
7. II. Why have an RRDP?
A. Compliance with Statutory Obligations
1. General corporate obligations:
Canada Business Corporations Act, R.S.C. 1985, c. C-44, s. 20
Business Corporations Act, R.S.O. 1990, c. B.16, s. 140
2.Taxing statutes, e.g.:
Income Tax Act, R.S.C. 1985,c.1 (5TH Supp.), s. 230
Excise Tax Act, R.S.C. 1985, C. E-15, s. 286
Retail Sales Tax Act, R.S.O. 1990, c. R.31, s. 16
8. Compliance with Statutory Obligations:
3. Employment Related Statutes, e.g.:
Canada Labour Code, R.S.C. 1985, c. L-2, s. 252(2)
Canada Pension Plan, R.S. 1985, c. C-8, s. 24
Employment Insurance Act, S.C. 1996, c.23, s. 87
Employment Standards Act, 2000, S.O. 2000, c. 41, Part VI
Occupational Health and Safety Act, R.S.O. 1990, c. O-1, s. 26
4. Industry specific obligations, e.g.:
Bank Act, S.C.1991, c. 46, ss. 238-239
Insurance Companies Act, S.C. 1991, c. 47, ss. 261-262
Trust and Loan Companies Act, S.C. 1991, c. 45, ss. 243-244
Law Society Act, R.S.O. 1990, c. L-8, By-law 9, Part V
Securities Act, R.S.O. 1990, c. S-5, s. 19
9. Compliance with Statutory Obligations:
5. Privacy Obligations, e.g.:
Personal Information Protection and Electronic Documents Act, S.C.
2000, c. 5
“5.(1) ... every organization shall comply with the obligations set out
in Schedule 1.”
Schedule 1:
1. Accountability 2. Identifying Purpose
3. Consent 4. Limiting Collection
5. Limiting Use, Disclosure and Retention 6. Accuracy
7. Safeguards 8. Openness
9. Individual Access 10. Challenging Compliance
10. Privacy Obligations cont’d
PIPEDA Case Summary # 2007 - 380 - Bank’s record keeping practices
considered inadequate safeguard:
“... On balance, the Assistant Commissioner believed that this account was the
complainant’s only, and therefore the bank disclosed his personal information without
the complainant’s knowledge or consent. She noted that it was not enough for the
bank to argue that it was a joint account because both of the names appeared on the
statements. It needed to produce evidence and it could not.
This last point led the Assistant Commissioner to comment that the bank’s record
keeping with respect to this account was so careless as to amount to an inadequate
safeguard. It could not provide documentary evidence to support its position vis-à-vis
the account holder(s). It could not provide documentary evidence that it had or had not
disclosed material. She commented that while there might be retention periods in place
for certain documentation, these were not consistently applied, as shown by the fact that
the bank could provide signature cards for an account that was older than the one under
investigation.” (emphasis added)
11. II.B Compliance with Contractual Obligations
Obligations relating to records retention and destruction
Where found: What Obligations:
Non-disclosure agreements Retention Period
Letters of Intent Accuracy and completeness
Memoranda of Understanding Format and storage media
Software license, maintenance and
support agreements
Locations / obligation not to relocate
Teaming Agreements Remote access
Master Service Agreements and
Statements of Work
Delivery obligation
Subcontracts, supply agreements and
purchase orders
Destruction obligation
Shipping documents Costs
12. Compliance with contractual obligations:
Touches all aspects of the business
Requires education and training of company personnel
Dynamic and changing
Raises business, confidentiality and security issues
Not susceptible to standardized approaches
Costly
Sometimes isn’t possible
13. III. Issues:
A. Minimum Retention Periods
By contract
By statute:
Defined retention periods, e.g. Employment Standards Act, 2000,
s.15
General obligations, e.g. PIPEDA, Principle 4.5.2:
“Personal information that has been used to make a decision about an individual
shall be retained long enough to allow the individual access to the information
after the decision has been made.”
14. Minimum Retention Periods:
Limitations Act, 2002, S.O. 2002, c.24, Sched. B
Securities Act, R.S.O. 1990, c. S-5, 129.1
Ontario v. Johnson Controls Ltd., [2002] O.J. No. 4725
“50. … A policy with a short retention period might offer some justification to dispose
of "smoking guns" and other prejudicial evidence. Any such policy that permits
destruction within much less than ten years after an event probably fails to
take reasonable account of the standard six year limitation period under the
Limitations Act for actions in tort or contract, plus some period to allow for a
discoverability period, which allows for discovery of the damage and those
responsible prior to the commencement of the limitation period. A
short retention period would also ignore the extended period under s. 8 of the Act.”
See also:
Alvi v. YM Inc. (Sales)(cob Stitches), [2003] O.J. No. 3467(Ont. Sup. Ct.) at para. 48
336332 B.C. Ltd. v. Imperial Oil Ltd., 2002 BCSC 587 at para. 46
15. III.B Maximum Retention Periods
PIPEDA, Principle 4.5.3:
“Personal information that is no longer required to fulfil the identified
purposes should be destroyed, erased, or made anonymous.”
PIPEDA Case Summary #2013-001 - concerns relating to the
retention of non-user numbers found to be well founded:
“44 Although personal information collected by WhatsApp during the
contact discovery process is appropriately limited to that necessary for
legitimate purposes, as specified by WhatsApp in its Terms of Service,
the company's retention of out-of-network numbers remains, in our
view, unnecessary and may create the potential for inappropriate or
unintended uses of non-user mobile numbers.”
See also:
Personal Information Protection Act, S.B.C 2003, c.63, s. 35
16. III.C Appropriate Document Destruction: Context
The “Smoking Gun”:
“ATHM is a piece of crap!”
Email from Merrill Lynch analyst who published high ratings of ATHM,
disclosed during an SEC investigation of Merrill Lynch, resulting in $100
million fine
Spoliation:
“The intentional destruction, mutilation, alteration or concealment of
evidence.”
Black’s Law Dictionary, 9th ed.
17. Appropriate Document Destruction cont’d
“Justice Brooke stated his understanding of the law of spoliation based on four
case authorities to which he was referred by counsel for the respondents. The
following is a summary of what was stated: 1. A rebuttable evidentiary
presumption arises where evidence of spoliation exists; the doctrine of spoliation
is an evidentiary rule raising a presumption and not an independent tort giving rise
to a cause of action. 2. In an appropriate case, destruction of documents carries a
procedural but not substantive remedy, an action for damages cannot be sustained
solely on the ground that documents have been destroyed. 3. Spoliation requires
four elements in evidence: a) the evidence has been destroyed; b) the evidence
destroyed was relevant to an issue in the lawsuit; c) legal proceedings were
pending; and d) the destruction of documents was an intentional act indicative of
fraud, or an intention to suppress the truth. 4. There is no common law duty of
care to preserve property which may possibly be required for evidentiary
purposes; such an obligation can only be imposed by court order granted
pursuant to the Rules of Court … .” (emphasis added)
Holland v. Marshall, 2008 BCCA 468 (CanLII) (citations omitted)
18. Records Retention and Destruction Policies:
A properly adopted and implemented RRDP may help defend
against charges of improper document destruction or failure
to preserve:
“Compliance with a reasonable records management policy ... should
not, in the ordinary course, constitute sanctionable conduct.
There are a number of factors to be considered in determining if
destruction was intentional or reckless. Adherence to a document
management policy in the face of reasonably contemplated or actual
litigation is not appropriate.”
Comment 11.e (Reasonable records management policies), Sedona
Conference Working Group 7, The Sedona Canada Principles, Public
Comment Draft, February 2007
19. The Ontario Public Sector:
Ontario Bill 179, Public Sector and MPP Accountability and
Transparency Act, 2014, Schedule B:
Adds section 10.1 to the Freedom of Information and Protection of
Privacy Act:
“Every head of an institution shall ensure that reasonable measures respecting the
records in the custody or under the control of the institution are developed,
documented and put into place to preserve the records in accordance with any
recordkeeping or records retention requirements, rules or policies, whether established
under an Act or otherwise, that apply to the institution.”
Adds to the list of offences in Section 61(1) of the Act:
“(c.1) alter, conceal or destroy a record or cause any other person to do so, with the
intention of denying a right under this Act to access the record or the information
contained in the record.”
Corresponding amendments to the Municipal Freedom of Information
and Protection of Privacy Act
20. III.D Document Destruction
Implement appropriate document destruction policies:
Office of the Information and Privacy commission of Canada,
Personal Information Retention and Disposal: Principles and Best
Practices at
https://www.priv.gc.ca/information/pub/gd_rd_201406_e.asp
Office of the Information and Privacy Commissioner of Ontario,
Secure Destruction of Personal Information at
https://www.ipc.on.ca/images/resources/up-fact_10_e.pdf
Office of the Information and Privacy Commissioner of Ontario, Best
Practices for the Secure Destruction of Personal Health Information at
https://www.ipc.on.ca/images/Resources/naid.pdf
21. IV. Developing and Managing an RRDP
A. Internal Approvals:
Identify RRDP issues to the board/senior management:
• The necessity for a comprehensive and dynamic RRDP
Establish RRDP Committee:
• Cross-functional representation
• With sufficient budget and authority
• Reporting regularly to the board/senior management
22. IV.B Getting Started: Assessing the Situation:
Examine any current Records Retention and Destruction
Policies
Evaluate current records retention and destruction
practices:
• What information does the company keep, how and
where?
• What information does the company destroy, where
and how?
• Are these practices in compliance with law and
existing policies?
23. IV.C Defining the Scope of the RRDP
Records Management:
“The planning, controlling, directing, organizing, training, promoting, and
other managerial activities involving the life cycle of information, including
creation, maintenance (use, storage, retrieval), and disposal, regardless of
media. Record management procedures are used to achieve adequate and
proper documentation of corporate policies and transactions and effective and
economical management of business and organizational operations”
Records:
“anything that is recorded within an organization, including email, drawings,
documents/reports created by users, and information received from the
outside”
http://www.rimtech.ca/page7.html
All devices and locations:
servers, personal computers, laptops, Blackberries, PDAs, cell phones, iPods,
hard drives, disks, sticks, social media sites, etc.
24. IV.D Regulatory and Contractual Requirements
For each of:
Statutory requirements (*)
Industry specific standards
Contractual requirements
Understand and document:
What records must be kept?
For how long?
In what form?
What records must/can be destroyed?
When?
How?
(*) If the company operates outside Canada, it will be necessary to ensure
compliance with international obligations
25. IV.E Establishing the Standards:
Format of Records
Destruction Periods
Classification of Information
• Preserving Privilege
Integration with other policies and practices, e.g. Policies relating to:
• Confidential information
• Intellectual Property Protection
• Use of corporate assets
• Internet Usage
• Security
Suspension for Litigation Holds:
• When: as soon as litigation is reasonably anticipated
• Who can suspend
26. IV.F Implementation
Communication
Monitoring Compliance:
• Test effectiveness of:
o Retention practices
o Destruction practices
o Litigation Holds
• Audit compliance with the policy
• Part of individual performance evaluations
Update as required