Data Retention Policies - An Emerging Requirement and Various Compliances

Written by: Vibhor Verdhan Verdhan - Practicing Advocate in Delhi & Allahabad Courts
Legal Service India.com
  • Document retention, especially the retention of electronic data, has become a hot topic in the legal industry. In the 21st-century business world, companies are creating and storing electronic documents and information at light speed. Electronic documents are found not only on desktops and laptops but also on phones such as BlackBerry devices. For modern business organizations, storing all this business information can be expensive, not only because of the cost of physical storage of tapes but also because of the potential liability of keeping sometimes seemingly useless information for too long.

    What Are Data Retention Policies?

    A document retention policy provides for the systematic review, retention and destruction of documents received or created in the course of business. A document retention policy will identify documents that need to be maintained and contain guidelines for how long certain documents should be kept and how they should be destroyed.

    What documents must be protected?

    Temporary Records
    Temporary records include all business documents that have not been completed. Such include, but are not limited to written memoranda and dictation to be typed in the future, reminders, to-do lists, report, case study, and calculation drafts, interoffice correspondence regarding a client or business transaction, and running logs.

    Final Records
    Final records include all business documents that are not superseded by modification or addition. Such include, but are not limited to: documents given (or sent via electronic form) to any third party not employed by Organization, or government agency; final memoranda and reports; correspondence; handwritten telephone memoranda not further transcribed; minutes; design/plan specifications; journal entries; cost estimates; etc. All accounting records shall be deemed final.

    Permanent Records
    Permanent records include all business documents that define Organization's scope of work, expressions of professional opinions, research and reference materials. Such include, but are not limited to contracts, proposals, materials referencing expert opinions, annual financial statements, federal tax returns, payroll registers, copyright registrations, patents, etc. Except as provided for in the Document Retention Schedule (Appendix A), all permanent documents are to be retained indefinitely.

    Accounting and Corporate Tax Records
    Accounting and corporate tax records include, but are not limited to: financial statements; ledgers; audit records; invoices and expense records; federal, state, and property tax returns; payroll; accounting procedures; gross receipts; customer records; purchases; etc.

    Workplace Records
    Workplace records include, but are not limited to Articles of Incorporation, bylaws, meeting minutes, deeds and titles, leases, policy statements, contracts and agreements, patents and trademark records, etc.

    Employment, Employee, and Payroll Records

    Employment records include, but are not limited to job announcements and advertisements; employment applications, background investigations, resumes, and letters of recommendation of persons not hired; etc. Unless otherwise specified in the DRS, such records should be retained for the minimum of one (1) year. Employee records include, but are not limited to employment applications, background investigations, resumes, and letters of recommendation of current and past employees, records relating to current and past employee's performance reviews and complaints, etc. Unless otherwise specified in the DRS, such records should be retained for the minimum of three (3) years following unemployment with Organization. Payroll records include, but are not limited to wage rate tables; salary history; current rate of pay; payroll deductions; time cards; W-2 and W-4 forms; bonuses; etc.

    Bank Records
    Bank records include, but are not limited to bank deposits; check copies; stop payment orders; bank statements; check signature authorizations; bank reconciliations; etc.

    Legal Records
    Legal records include, but are not limited to all contracts, legal records, statements, and correspondence, trademark and copyright registrations, patents, personal injury records and statements, press releases, public findings, etc.

    Historical Records
    Historical records are those that are no longer of use to Organization, but by virtue of their age or research value may be of historical interest or significance to Organization.

    How long to retain data?

    Only for so long as the law requires or for as long as you actually have use for them, and not a moment longer. There is no bright-line number. In typical lawyerly fashion, my real answer is that it depends. Any records management program must ensure that legally required documents are kept for at least the minimum prescribed time periods. But are there circumstances under which they should be kept for a longer period of time? In my view there are two answers to that question. First, there may be records you think are critical to preserving historical continuity, for example, minutes of strategic planning meetings or of policy development sessions. Board members come and go, and these records may help their successors understand the intent behind certain policies and standards, hopefully preventing repetitive wheel-inventing exercises. More importantly, they may help prevent inconsistent decision making. These calls are tough to make, but the executive director is the person most likely to have the long-term perspective or corporate memory needed to make that decision. The second reason may be litigation or governmental investigations and enforcement actions. As I will discuss next, these latter circumstances will almost always trump your retention and disposition schedule.

    Why Have Data Retention Policies? (Purpose)

    In today's business world, information is created and stored electronically on the computer. Creating and implementing a document retention policy has therefore become more complicated, but it is extremely important in order to protect against future litigation. A document retention policy provides for the systematic review, retention and destruction of documents received or created in the course of business. A document retention policy will identify documents that need to be maintained and contain guidelines for how long certain documents should be kept and how they should be destroyed.

    The policy is also helpful to:
    • provide a system for complying with document retention laws;
    • ensure that valuable documents are available when needed;
    • save money, space and time;
    • protect against allegations of selective document destruction; and
    • provide for the routine destruction of non-business, superfluous and outdated documents.

    The six most important reasons why an organization should implement a document retention policy are:
    1) To comply with legal duties and requirements, either statutory or regulatory;
    2) To avoid liability through spoliation, the improper destruction or alteration of documents in a litigation situation;
    3) To support or oppose a position in an investigation or litigation;
    4) To protect from unnecessary expense and time during discovery;
    5) To maintain control over discovery and e-discovery, and
    6) To keep documents confidential and avoid leakage to attackers or competitors.

    A document retention policy is important in various respects. First, adhering to the policy may limit liability in the long run. Many a case has been damaged by unfavorable emails or documents that were kept too long and taken out of context. In many of those cases, if document retention policies had been in place and enforced, that information would no longer have been available.

    Second, if a document retention policy limits how long the information is kept, companies will have less information to search and review if served with a document request.

    Finally, under the Federal Rules of Civil Procedure (FRCP), only electronic information that is reasonably accessible, that is, obtainable without undue burden or cost, is discoverable. Thus a good document retention policy puts the company in control of what is available and discoverable under the Federal Rules.

    Laws Related to Data Retention Policy:

    In India:
    In India there is no Central Act that lays down provisions on data retention. However, various agencies have adopted, maintain and follow their own policies. For example, the Government of India's Central Vigilance Commission, vide notification No.17/09/2006-Admn., gives the provisions related to the retention period/destruction schedule of recorded files, available at http://cvc.nic.in/retention.pdf; similarly, the Ministry of Finance's Financial Intelligence Unit has its own policy: Notification No. 9/2005 gives the rules for record keeping and reporting.

    {"Rule 6. Retention of records - The records referred to in rule 3 shall be maintained for a period of ten years from the date of cessation of the transactions between the client and the banking company, financial institution or intermediary, as the case may be."}

    Thus, it may be noted that each organization has its own data retention policies and certain rules for the retention of such records. However, there is no established law that makes it binding on organizations to prepare such policies.

    Laws in Different Countries:
    Currently, Article 15(1) of the Privacy Directive provides EU member states with a national security and crime prevention exception to EU data protection requirements. However, at least nine EU member countries (Belgium, Denmark, Finland, France, Ireland, Italy, Spain, Switzerland and the United Kingdom) have adopted various national laws mandating data retention. The EU Commission's draft Directive on Data Retention would require communications companies to retain all fixed and mobile telephony data and location data for one year, and IP-based communications data for six months. This draft was introduced by the Justice Ministries of France, Ireland, Sweden and the United Kingdom on 28 April 2004 and seeks to harmonize the rules on communications data retention among member states in order to facilitate judicial cooperation in the criminal area. The storing of location data of mobile phones includes lists of websites visited, all details of phone calls made (including the identity, at least by number, of the caller and recipient), and details of any e-mails and text messages sent. In addition, companies that temporarily retain individual customer information for billing and related business purposes would be required to keep it in a form accessible to law enforcement and other government agencies for one to three years.

    United States of America:
    The United States government has a number of requirements for retaining various types of records. In the state of Texas for example, disability and sick benefit records must be retained for 6 years and claims of employee inventions must be retained for 25 years. Depending on the nature of your business, there may be other agencies that have their own special requirements. For instance, OSHA requires that certain industrial hygiene records and medical records be retained for 30 years. Information pertaining to the Department of Defense has additional rules that must be strictly followed. Remember that you must examine requirements at the local, state, federal and possibly the international level. The Internet knows no boundaries.

    United Kingdom:
    The Data Retention (EC) Regulations were approved by the House of Lords on Tuesday and signed into law by Home Secretary Jacqui Smith on Wednesday. The Regulations transpose into UK law most of the European Union's Data Retention Directive.

    The new law is intended to ensure that security services have a reliable log of mobile and fixed-line phone calls to be used in investigations, and relates not to the content of calls but only to records of their occurrence.

    Though all telecoms firms keep data for a period, the Regulations are designed to ensure a uniform approach across the industry.

    "Communications data, such as mobile phone billing data, have a proven track record in supporting law enforcement and intelligence agency investigations and are a vital investigative tool," said Lord Bassam of Brighton, who proposed the adoption of the Regulations this week in the House of Lords. "They provide evidence of associations between individuals and can place them in a particular location. They also provide evidence of innocence."

    "Without this data, the ability of the police and the Security Service painstakingly to investigate the associations between those involved in terrorist attacks and those who may have directed or financed their activity would be limited," said Bassam. "The police and the Security Service's ability to investigate terrorist plots and serious crime must not be allowed to depend on the business practice that happens to be employed by the public communications provider that a particular suspect, victim or witness used. These draft regulations will ensure that, regardless of which public communication provider supplies the service, the communications data will be available."

    The Regulations will come into force on 1st October, two weeks after the deadline set by the EU, but they will not apply to internet traffic data.
    The Home Office conducted a consultation on the Regulations with the public and industry and said that the telecoms industry told it that the collection of internet data was too complicated to be included in the current rules.

    In fact the Internet Service Providers' Association (ISPA) told the Home Office that it believed the current Regulations could never be used for ordering the retention of internet data.

    Romania Government:

    http://www.mcti.ro/index.php?id=16&lege=383; http://www.mcti.ro/index.php?id=16&lege=412
    A first draft law for the implementation of the data retention directive was presented at the end of April 2007 by the Romanian Ministry of Communications and Information Technology for public consultation. The ministry also organized on 26 April a public debate on the draft law.
    The first draft was achieved in cooperation with a number of public bodies including the Ministry of Justice, Ministry of Internal Affairs or the Romanian Data Protection Authority.

    The text proposing a 12-month period of traffic data retention, without any explanatory reports, has received criticism from ISPs and other telecom operators that believe it puts a high financial burden on them. The draft clearly specifies that the content of the communications cannot be retained by the operators, considering the retention of the content as well as any retained data transfer without a proper judicial authorization as crimes. The retained data should be deleted at the end of the 12 month period.

    Only the electronic communication providers that have notified the Regulatory Authority are subject to data retention obligations and there are no provisions for the hosting or other online service providers.

    The retained data can be accessed by prosecutors only in penal cases related to organized crime and terrorism crimes, and with a proper, specific, judge-approved access authorization. The prosecutor can ask, through a specific ordinance, for access to the data as a provisional measure, if this is necessary due to specific circumstances that could otherwise endanger the penal investigation. But in this case, the prosecutor's decision together with the data needs to be confirmed by a judge in 48 hours. If a judge does not confirm the prosecutor's ordinance, all the accessed data will be destroyed.

    The very detailed procedure regarding access by prosecutors to the retained data is in opposition with Article 16 of the draft text that allows, "in case of a threat to the national security", the request of the retained data by "the specific bodies, as explained in the laws on national security". The vagueness of this article was criticized in the public debate, the participants considering that this could leave room for discriminatory access by the Romanian secret services.
    As regards the type of data retained, the Romanian draft is only a translation of the European Directive on data retention. The public consultation will end on 10 May 2007 and the text could be approved by the Government and then sent to the Parliament for consideration.

    Laws in Italy

    http://www.edri.org/edrigram/number3.16/Italy
    In Italy, the government passed the Decree Law on Anti-terror Measures on July 27, 2005, which mandates a data retention period for telephone data of a minimum of two years and five months, and for Internet traffic data of at least six months. Article 6 of the Decree Law orders the suspension until 31 December 2007 of the implementation of any measures that order or allow the deletion of telephone or Internet based communication traffic data that allows for tracing access and services. Traffic data will include data concerning telephone calls that were not answered. In addition, before issuing a SIM card, it will be compulsory for telecommunications service providers to acquire personal data contained in an official identification document presented by a customer. In addition, when Italy adopted the EU Privacy Directive in 2002, it immediately created an exception to the obligation to erase traffic data, and under Article 132 of the Data Protection Code, telecommunications service providers are already required to retain telephone traffic data for the purpose of detecting and preventing crime for four years (albeit without the location data).

    New Zealand:
    In New Zealand, the Telecommunications Information Privacy Code 2003 was enacted under the Privacy Act 1993 in order to amend the information privacy principles in the Act with regard to telecommunications agencies. The Code affects all telecommunications agencies (including telephone companies, publishers of telephone directories, Internet service providers, mobile telephone retailers and call centers) in their handling of personal customer information. The Code provides for the following:
    (a) ensures that subscribers need not pay to keep their details from being published in the telephone directory,
    (b) requires blocking options to be available free of charge when caller ID is offered,
    (c) prohibits the use of traffic data gained from interconnection for unauthorized direct marketing,
    (d) prohibits reverse search directories without individual consent,
    (e) allows telecommunications agencies discretion in processing personal information, such as allowing disclosure for purposes of preventing or investigating a threat to the telecommunications network or service security or integrity, and
    (f) prohibits the retention of telecommunications information for longer than is required for the purposes for which the information may be lawfully used.

    In addition, the Telecommunications Interception Capability Act 2004 requires public telecommunications networks to be interception-capable so as to achieve greater effectiveness in law enforcement and security.

    Denmark, France, Spain, Switzerland

    Based on this directive, countries such as Belgium, Denmark, France, Spain, Switzerland and the United Kingdom have established data retention schemes. Based on the provisions of the directive, Italy passed a law that made data retention compulsory for 2 years and five months in the case of telephone data and for at least 6 months in the case of Internet traffic data. In Denmark, Internet service providers must retain data that contains the sender's Internet Protocol address as well as the port number. Even in Finland, data retention has been made mandatory for 3 weeks in the case of telephone and mobile data. However, there is no data retention requirement in the case of Internet traffic data. Data retention policies are basically introduced in order to protect national security, to conduct criminal investigations and to fight terrorism.

    However, many believe that such a directive of mandatory data retention is a serious invasion of privacy. Compulsory recording of telephone calls or online behavior impinges upon freedom of expression. In fact, many believe such data retention is a method of killing privacy, as personal lives are becoming more and more transparent. Thus many are of the opinion that data retention interferes with the right to respect for private life, and many times harmless people are made the target. Besides this, data retention is believed to erode civil rights as well.

    Australia - Commonwealth Government's Information Exchange Steering Committee (IESE); The Evidence Act 1995; (more than 80 Acts, regulations and rules specifying document retention requirements applicable to companies under Australian law).
    Brazil - Electronic Government (e-gov) Programme; EU GMP Directive 1/356/EEC-9
    China - Very little: ISO 15489
    France - Model Requirements for the Management of Electronic Records (MoREQ); EU Directive 95/46/EC;
    Germany - Federal Data Protection Act; Model Requirements for the Management of Electronic Records (MoREQ); EU Directive 95/46/EC; § 62(2) Implementing Regulation of the Turnover Tax Law (UstDV);
    Israel - Archives Law; Civil Service Code;
    Japan - Personal Data Protection Bill;
    Norway - The Accounting Act 1998; Registry of Business Enterprises Act 1985;
    Russia - Very little: Russian Electronic Digital Signature Law;
    Switzerland - Swiss Code of Obligations articles 957 and 962.

    Implementation & Flexibility:
    A document retention policy is only as good as its implementation. A policy needs to be rigorously enforced from top management down. Companies must make sure to educate their employees about not only the policy, but also the implications of not following it. It must be easy to follow, periodically renewed, and it must clearly lay out how often it will be audited. The policy should also address the fact that employees may store and save information in different ways (i.e., some employees may save documents to a hard drive, others to a network) and on different hardware (some emails are only saved on BlackBerry® devices and not in desktop or laptop inboxes). In addition, the policy must be flexible enough to be suspended if a litigation hold is necessary. The policy should address the litigation hold and how it is to be implemented, including any policy on email backup tapes.

    Following the rulings in Zubulake, email backup tapes created for disaster recovery only are not subject to a litigation hold unless they are accessible. The Zubulake case did not define accessibility, but under FRCP 26(b)(2)(B), a party need not provide discovery of electronic information from sources that the party identifies as not reasonably accessible because of undue burden or cost. On the other hand, according to the court in Zubulake IV, if the company can locate the information of the key players (employees likely to have relevant information to the litigation), that information should be preserved even if it exists in the form of disaster recovery backup tapes. Thus, a document retention policy should specifically address how email backup tapes are handled. In the wake of Zubulake, one could argue that backup tapes should always be used for disaster recovery only and not as an archival system. In fact, backup tapes are not adequate for storage and search of large volumes of email information. The policy should also attempt to identify who the key players in the business may be and where their information is stored.

    Precedents:
    Zubulake v. UBS Warburg (thrills and chills)
    In July of 2004, a federal judge in New York sent thrills throughout the plaintiffs' attorney community, and chills throughout the defense lawyer ranks, when she wrote a blistering opinion criticizing UBS Warburg and its in-house counsel for failing to personally prevent the destruction of employee e-mails. In that case, Judge Shira A. Scheindlin found that UBS Warburg had notice that the plaintiff, Laura Zubulake, was contemplating legal action for gender discrimination as early as April 2001 because of comments she made about filing a charge with the Equal Employment Opportunity Commission. Judge Scheindlin held that the duty to preserve relevant evidence attached at that time because litigation was (or should have been) reasonably anticipated.

    Even though UBS Warburg's in-house attorneys issued a missive in August of 2001 instructing employees not to destroy electronic and hard copy records, nothing was said about backup tapes. When Zubulake's lawyers later asked for e-mails stored on backup tapes, it was discovered that the tapes had been routinely recycled. When the matter was brought to the judge's attention, her Honor faulted the company, and its lawyers, for having failed both to locate and monitor compliance with the litigation hold throughout the pendency of the lawsuit. Judge Scheindlin went on to find that UBS Warburg employees also continued to destroy e-mails in the face of their own lawyer's directives. Based on the joint failures of UBS Warburg and its counsel, her Honor imposed sanctions ranging from monetary fines to the dreaded adverse inference jury instruction, where the jury is told they may infer that UBS Warburg was intentionally destroying evidence that would have helped Ms. Zubulake prove her case.

    New York Times, Inc. v. Tasini
    The United States Supreme Court held that the newspaper violated freelance authors' copyright when it reproduced their articles in an electronic database. The Court found that such a use had not been contemplated or agreed to by the authors and exceeded the paper's license, whether express or implied.

    Rowe Entertainment, Inc. v. William Morris Agency, Inc., 205 F.R.D. 421, 423 (S.D.N.Y. 2002).

    Information is retained not because it is expected to be used, but because there is no compelling reason to discard it.

    Wachtel v. Health Net, Inc., 2006 U.S. Dist. LEXIS 88563 (D. N.J. Dec. 6, 2006)(not for publication) and Krumwiede v. Brighton Associates, LLC, 2006 U.S. Dist. LEXIS 31669 (N.D. Ill. May 6, 2006).

    Preventing Sanctions
    In the end, when it comes down to litigation or a government information request, the most important reason for a company to have a workable and active document retention policy is that it can persuade a court that documents that no longer exist were purged pursuant to a policy and not willfully destroyed and spoliated. Courts do not have a lot of patience for companies that mismanage or delete documents on an inconsistent basis. See, e.g., Wachtel v. Health Net, Inc., 2006 U.S. Dist. LEXIS 88563 (D. N.J. Dec. 6, 2006)(not for publication) and Krumwiede v. Brighton Associates, LLC, 2006 U.S. Dist. LEXIS 31669 (N.D. Ill. May 6, 2006). The Federal Rules even contain a safe harbor for companies who fail to provide electronically stored information lost as a result of routine, good faith operation of an electronic information system. If a company's policy is comprehensive and routinely audited, it can provide the court with assurance that a company has all of the information it is required to keep, and knows how to find it, which can go a long way to protecting a corporation in the long run. We haven't heard the last word on this issue. As technology continues to change, so will the law. Lawyers who want to stay competitive will make sure they keep up-to-date on both.

    The author can be reached at: [email protected] / Ph No: +91 9711961483
