Conquering information retention and disposition

To achieve systematic and consistently successful data minimization, the bottom line is that you need buy-in and cooperation from across the firm. This requires cross-departmental engagement from key stakeholders - hence the need to convene a representative data steering committee.

To get the appropriate coverage this should include heads of departments or practice groups, the CIO, CISO, General Counsel, DPO and, of course, the Director of Information Governance. The committee is the reference point for all subsequent activity. Moreover, when commit­ tee members understand the issues and are on-board, they will take those messages to the wider firm and articulate and advocate for the actions that need to be taken to effect lasting change.

Step 2 is understanding the data held and where it is. This means making an inventory of all the systems in which data is held. This isn't straightforward. We've already alluded to the old IT systems that have been superseded or replaced. There are also back-up systems to think about.

Another potential complication is shadow IT. This can be understood as what happens when individual lawyers do work beyond the boundaries of the firm's sanctioned and provisioned IT infrastructure and systems or where such usage is not fully communicated to the information governance team. It's a problem because any advice given to the client should be part of the matter record, but if the activity was done, say, on the client's system instead of on the firm's, the firm has lost control of that record.

Understandably, the pandemic caused a huge increase in shadow IT. As clients scrambled to get advice from their lawyers and their lawyers scrambled to give it, work was done on personally owned devices, emails were exchanged using personal email addresses and files were saved on a range of personal systems. Shadow IT holds records that need to be brought into the light.

You must also remember that work product isn't the only data you need to worry about. The firm will also hold administrative records including HR files and financial information that needs to be part of your retention and disposition planning.

Once you know what systems or content repositories exist, you must refine your knowledge further by conducting a data mapping exercise. This will catego­ rize and classify data in terms of the different types of documents and file types, as well as the type of infor­ mation: is it personally identifiable information (PII), is it confidential, is it commercially sensitive? In addition, the data will need to be classified in terms of practice group, department, office or jurisdiction, where these have a bearing on retention and disposition; and in terms of client engagement requirements, taking those OCGs into account that impact on retention and disposition.

One approach to data mapping is to create a process diagram that will help you see the different datasets and systems you have. By mapping data, you can really begin to tame a seemingly unruly mass of records.

Each category of data can be tackled one by one, in an order that makes sense, to bring them into an informa­ tion retention and disposition framework that reflects your policy objectives.

When data is mapped, or even before mapping is fully completed, it's time for Step 3, which is to draw up a retention and disposition policy. This document will be the reference point for all subsequent activities, and it articulates the commitments the firm is making. The ideal situation is that everyone signs off on this early in the process. This creates understanding, agreement and momentum as well as an early opportunity for an aware­ ness campaign within your firm.

Procedures and controls will also need to be drawn up to ensure the policy is enforced conscientiously and consist­ ently. On that note, it will expose the firm to potential in­ vestigation and liability if an agreed policy isn't enforced, or is selectively enforced: e.g. some documents man­ dated for destruction are destroyed, while others aren't.
Procedures, such as the destruction process for electron­ ic records, should be documented and agreed, as should the controls, e.g. that destruction details are logged.

A critical component of the overarching records reten­ tion and disposition policy is the retention review date calculation and the "event" from which such dates are calculated. Retention review dates may be determined by jurisdiction, practice group, client, matter, even document type. The retention period for matter material may be seven, ten, twenty or a hundred years even. Whilst this should be pinned down, so must the dates from which these retention periods commence. Is it 10 years after the matter closes, or 10 years from when the firm no longer
 
worked with the client, or 10 years after billing activity ceased even if the matter remains open? You need to make a clear decision on this so that policy has clarity and ensure all content can sit within the policy.

Care needs to be taken over exceptions to the standard rules on destruction. Some documents, like wills, trust deeds, etc. clearly need to be kept in perpetuity. Alter­ nately some records may need to be destroyed sooner because of some overriding OCG requirement, or because of something stipulated in the original terms of engagement. There may be especially confidential documents which need to be managed differently, including documents that require additional levels of approval before destruction. Consideration needs to
be given to the records that may need to be kept as evidence for longer than standard because there's the possibility of some future action or litigation.

Step 4 is execution of the policy mandated processes, procedures and controls, which is straightforward - in as much as you just do what's mandated in your policy.
Yet it can feel overwhelming, especially at the beginning, when you're dealing with the largest volume of data. It's about taking it one step at a time.

In the US the task of offering to return matter materials to the client can be complicated by not being able to find the client anymore. If it's verified that they're no longer around it becomes a matter of tracking down their beneficiaries. Likewise, if the lawyers who handled a matter have left the firm, it's also harder to assess if any litigation might arise. It's also difficult to get senior law­ yers to take on the unrewarding task of reviewing long lists of material to ensure the right decisions are being made. That's why it's necessary to pay attention to Step 5 which is getting data destruction decisions over the line.

This can be tough because some lawyers are instinctively conservative and would rather keep all data than destroy any. Notwithstanding the firm has to keep its eyes on the prize. The whole exercise is aimed at minimizing data and all your effort will be in vain if the final step isn't taken.

It follows that firms should do everything possible to help lawyers with appropriate guidance (hence the importance of an information governance committee and an aware­ ness campaign) and also ensure all the information the lawyer needs at the point of decision making is available and easy to follow. Software can help here by arranging everything in a simple interface so the deciding lawyer can see, for example, that no fees are outstanding, and the date on which all the firm's criteria for a closed matter have been met.

The final act is to follow the preordained destruction procedure, which ensures that destruction means destruction: so paper needs to be shredded or pulverized, and electronic files are deleted beyond retrieval
or reconstruction.