PART TWO

Step 1: Survey and Determine Legal and Regulatory Applicability and Requirements

There are federal, provincial, state, and even municipal laws and regulations that may apply to the retention of information (data, documents, and records). Organizations operating in multiple jurisdictions must maintain compliance with laws and regula- tions that may cross national, state, or provincial boundaries. Legally required pri- vacy requirements and retention periods must be researched for each jurisdiction (e.g.

county, state, country) in which the business operates, so that it complies with all ap- plicable laws.

IG, compliance, and records managers must conduct their own legislative research to apprise themselves of mandatory information retention requirements, as well as privacy considerations and requirements, especially in regard to personally identifi - able information (PII). This information must be analyzed and structured and pre- sented to legal staff for discussion. Then further legal and regulatory research must be conducted, and fi rm legal opinions must be rendered by legal counsel regarding information retention, privacy, and security requirements in accordance with laws and regulations. This is an absolute requirement. In order to arrive at a consensus on records that have legal value to the organization and to construct an appropriate retention

schedule, your legal staff or outside legal counsel should explain the legal hold process, provide opinions and interpretations of law that apply to your organization, and ex- plain the value of formal records.

Legal requirements trump all others. The retention period for a particular type of document or PII data or records series must meet minimum retention, privacy, and security requirements as mandated by law. Business needs and other considerations are secondary. So, legal research is required before determining and implementing reten- tion periods, privacy policies, and security measures.

In order to locate the regulations and citations relating to retention of records, there are two basic approaches. The fi rst approach is to use a records retention citation service, which publishes in electronic form all of the retention-related citations. These services usually are purchased on a subscription basis, as the cita- tions are updated on an annual or more frequent basis as legislation and regula- tions change.

Figure 4.1 is an excerpt from a Canadian records retention database product called FILELAW®. ¹ In this case, the act, citation, and retention periods are clearly identifi ed.

Another approach is to search the laws and regulations directly using online or print resources. Records retention requirements for corporations operating in the United States may be found in the Code of Federal Regulations (CFR).

In identifying information requirements and risks, legal requirements trump all others.

Figure 4.1 Excerpt from Canadian Records Retention Database

Source: Ontario, Electricity Act, FILELAW database, Thomson Publishers, May 2012.

The Code of Federal Regulations (CFR) annual edition is the codifi cation of the general and permanent rules published in the Federal Register by the de- partments and agencies of the federal government. It is divided into 50 titles that represent broad areas subject to federal regulation. The 50 subject matter titles contain one or more individual volumes, which are updated once each calendar year, on a staggered basis. The annual update cycle is as follows: titles 1 to 16 are revised as of January 1; titles 17 to 27 are revised as of April 1; titles 28 to 41 are revised as of July 1; and titles 42 to 50 are revised as of October 1.

Each title is divided into chapters, which usually bear the name of the issu- ing agency. Each chapter is further subdivided into parts that cover specifi c regulatory areas. Large parts may be subdivided into subparts. All parts are organized in sections, and most citations to the CFR refer to material at the section level. ²

There is an up-to-date version that is not yet a part of the offi cial CFR but is updated daily, the Electronic Code of Federal Regulations (e-CFR) . “It is not an offi cial legal edition of the CFR. The e-CFR is an editorial compilation of CFR ma- terial and Federal Register amendments produced by the National Archives and Re- cords Administration’s Offi ce of the Federal Register . . . and the Government Printing Offi ce.”³ According to the gpoaccess.gov Web site:

The Administrative Committee of the Federal Register (ACFR) has autho- rized the National Archives and Records Administration’s (NARA) Offi ce of the Federal Register (OFR) and the Government Printing Offi ce (GPO) to develop and maintain the e-CFR as an informational resource pending ACFR action to grant the e-CFR offi cial legal status. The OFR/GPO partnership is committed to presenting accurate and reliable regulatory information in the e-CFR editorial compilation with the objective of establishing it as an ACFR sanctioned publication in the future. While every effort has been made to en- sure that the e-CFR on GPO Access is accurate, those relying on it for legal research should verify their results against the offi cial editions of the CFR, Federal Register and List of CFR Sections Affected (LSA), all available online at www.gpoaccess.gov . Until the ACFR grants it offi cial status, the e-CFR editorial compilation does not provide legal notice to the public or judicial notice to the courts.

The OFR updates the material in the e-CFR on a daily basis. Generally, the e-CFR is current within two business days. The current update status is displayed at the top of all e-CFR web pages.

For governmental agencies, a key consideration is complying with requests for information as a result of freedom of information laws like the U.S. Freedom of

In the United States the Code of Federal Regulations lists retention require- ments for businesses, divided into 50 subject matter areas.

Information Act, Freedom of Information Act 2000 (in the United Kingdom), and similar legislation in other countries. So the process of governing information is criti- cal to meeting these requests by the public for governmental records.