April 25, 2016

Document Retention Policy: Know What to Keep and What to Shred

"I think we need to change the fundamental design of the way each and every document is created and managed," commented Bill Anderson of US cyber security company OptioLabs, in a cnet.com story about the Panama Papers.

The Panama Papers is the latest mega data breach: millions of confidential documents from a Panamanian law firm were leaked, exposing offshore bank accounts, and possibly tax havens, belonging to wealthy clients.

Knowing how long to keep documents, and which ones to permanently destroy, should concern everyone, particularly at the end of the financial year, when information thieves are in high gear. Indeed, the Telegraph reports that last year there were 17,000 fraudulent or incorrect repayment claims to HM Revenue and Customs, potentially worth up to £100 million in total.

Criminals file fake tax returns and send phishing emails asking for client details.

While there are many aspects to information security, a sound document retention policy is one of the most important.

Here are some guidelines:
  • Information audits: Use audits to identify the types of documents the business produces, create an inventory of them, and keep that inventory updated.
  • Retention periods: There are two parts to data retention: how long a document will be useful to the business, and how long it must be retained to meet government and industry requirements. For example, in the UK, Value Added Tax (VAT) records have a minimum retention period of 6 years. Every business must evaluate the laws that apply to it.
  • Fines – either way: While the law requires you to keep certain documents, keeping a record for too long can also expose you to legal action and fines. Like most privacy laws, the Data Protection Act requires that a record be securely disposed of once its official retention period is over.
  • Emails: Records include paper files, digital documents, and correspondence, including emails. According to wired.com, the Panama Papers leak included more than 4.8 million emails (as well as 3 million database files and 2.1 million PDFs). If an email serves no important business or legal purpose and is not subject to regulatory compliance, delete it within the appropriate time frame.
  • Easy retrieval: Index all documents for easy retrieval. Store them in a secure, locked location and/or in an encrypted, password-protected file. Control access so that only those employees who need the information to do their jobs have it. Storing unneeded information increases the risk of a security breach, takes up space, and costs money.
  • Secure disposal: The only acceptable way to discard paper or digital documents when they are no longer needed is to completely destroy them. For digital records, that means overwriting or physically destroying the storage media, not simply deleting the file, since a deleted file can often be recovered. Shredding is a legal requirement for many documents, and outsourcing it to a specialist reduces risk. Partner with a reputable shredding company that has secure chain-of-custody processes for information destruction. A Certificate of Destruction documents compliance and should be issued after every shred.

Use this Document Retention Guide to help create the right retention schedule for your business.