Data Privacy Requirements Launched Records Management 3.0 – Privacy Protection

In the last 20 years, two seismic events have disrupted the discipline of records management:

  • 2006: The amendment of the Federal Rules of Civil Procedure put the electronic management of records at the forefront.

  • 2011: The realization of the need to manage more than narrowly defined business records led to the addition of “and information” to records management, now called records and information management (RIM). However, beyond how records managers spoke and thought about our work, little or nothing has changed.

RIM is in the midst of the third seismic event: data privacy. The impact that data privacy has had on RIM is likely to be the factor that fundamentally changes RIM for the better: records managers will emerge from this change in a few years with functional, supported and resourced records management programs. Here’s why: With the advent of mandatory representation of retention periods for personal information (PI) or sensitive personal information (SPI) under the California Privacy Rights Act (CPRA), RIM programs at Fortune 1000 organizations that handle a significant portion of consumer data will need to mature.

And for these Fortune 1000 organizations, program maturity means: Purging corporate records past their retention period in a systematic and consistent manner across unstructured and structured systems on a regular basis, with documentation of what has been done and how.

So what does this RIM 3.0, post-records-as-we-know-it world look like?

It’s all within reach

Records management can no longer be only about what would traditionally be considered company records; it must expand to cover all company information. This will include:

  • Business information that must be retained for a certain period of time (i.e., traditional records)

  • Company information that must be retained for a certain period (i.e., privacy data), and

  • Everything else, primarily operational data, but also non-business data, such as employee tax returns, children’s football schedules, family photos, and all other personal information that employees manage on company systems.

Get rid of adjectives

Good prose and good policy are good in inverse proportion to the number of adjectives they contain. Official records, transient records, vital records, company records, etc., are distinctions which, in the world of privacy, are of little value at best; more often than not, these distinctions prevent true compliance with retention representation requirements such as those outlined in the CPRA.

If the records manager layers the typical complexity of records management policies on top of the mandatory complexity of representing retention periods for PI/SPI, the result becomes overwhelming and nearly impossible to operationalize.

Given this, an organization’s records management policy needs to be streamlined, at the highest level, to align with three broad categories:

  • Information that we have a legal, regulatory or other obligation to retain for a certain period of time

  • Information that we have a legal, regulatory or other obligation not to retain for more than a certain period of time

  • All other information

Link records to PI/SPI

Records management, as generally practiced today, focuses on the legal requirements to retain certain categories of records for a set period of time, regardless of their specific content. But in terms of privacy, the sensitivity of the data managed is critical, which means that RIM will need to consider not only the record type of a document or dataset, but also the nature of its content with respect to PI/SPI.

To accomplish this, the traditional best practice approach to records retention schedules will evolve. Today, most retention schedules are organized by function/sub-function, each containing:

  • A set of record series

  • Examples of documents and data that correspond to each series

  • Time periods and triggers that must be used to ensure records are retained long enough to meet obligations

  • The legal or regulatory citations that impose the retention periods indicated

To support privacy, however, this traditional approach to retention schedules will need to be expanded to include an indication of the PI/SPI likely to be found in each record series. This will allow your privacy function to demonstrate to regulators, courts, and others, when stating in the public privacy notice that “we only retain PI/SPI for as long as we are legally obligated and no more”, that employees know what the obligations are with respect to the PI/SPI that appears in the records.

For example, on a records retention schedule, the “Invoice” record series would show that first name, last name, address, phone, and email are present, but not biometrics, IP address or location data. The privacy team can then use this information to create an inverted matrix that displays, for each type of PI/SPI, (1) all record series in which it occurs, (2) the retention periods for which you keep it before purging it, and (3) the legal and regulatory obligations that you consider relevant to determining these retention periods.
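The inverted matrix described above can be generated directly from a series-oriented schedule. The following sketch is an added example, not part of the original article; the field names, every series other than “Invoice”, the retention periods and the citation strings are constructed placeholders. It also flags any series that holds PI/SPI without a documented period or citation, since those entries cannot back the privacy-notice statement.

```python
from collections import defaultdict

# Constructed sample schedule. Only the "Invoice" PI list comes from the
# article; periods, triggers and citations are placeholders, not legal guidance.
SCHEDULE = [
    {"series": "Invoice", "retention_years": 7, "trigger": "end of fiscal year",
     "citations": ["CITATION-PLACEHOLDER-A"],
     "pi": ["first name", "last name", "address", "phone", "email"]},
    {"series": "Access Log", "retention_years": 1, "trigger": "log creation",
     "citations": ["CITATION-PLACEHOLDER-B"], "pi": ["email", "IP address"]},
    {"series": "Badge Enrollment", "retention_years": 3, "trigger": "employment end",
     "citations": ["CITATION-PLACEHOLDER-C"],
     "pi": ["first name", "last name", "biometrics"]},
    # Deliberate gap: PI present, but no period and no citation recorded.
    {"series": "Marketing Contact", "retention_years": None, "trigger": None,
     "citations": [], "pi": ["email", "phone"]},
]

def invert_schedule(schedule):
    """Turn series-oriented rows into {pi_type: series, periods, citations, gaps}."""
    matrix = defaultdict(lambda: {"series": [], "citations": set(), "gaps": []})
    for row in schedule:
        for pi_type in row["pi"]:
            entry = matrix[pi_type]
            # (1) every record series in which this PI/SPI type occurs,
            # (2) with the period and trigger that govern its purge
            entry["series"].append(
                (row["series"], row["retention_years"], row["trigger"]))
            # (3) the obligations relied on to set those periods
            entry["citations"].update(row["citations"])
            if row["retention_years"] is None or not row["citations"]:
                entry["gaps"].append(row["series"])
    result = {}
    for pi_type, entry in matrix.items():
        periods = [y for _, y, _ in entry["series"] if y is not None]
        result[pi_type] = {
            "series": entry["series"],
            "longest_years": max(periods) if periods else None,
            "citations": sorted(entry["citations"]),
            "gaps": entry["gaps"],
        }
    return result

if __name__ == "__main__":
    for pi_type, info in sorted(invert_schedule(SCHEDULE).items()):
        names = ", ".join(name for name, _, _ in info["series"])
        print(f"{pi_type}: {names} | longest={info['longest_years']}y "
              f"| gaps={info['gaps']}")
```

The `longest_years` value is the figure a privacy notice has to be able to justify for that PI/SPI type, and a non-empty `gaps` list marks series the records and privacy teams still need to document.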

Records managers can also partner with their privacy team to go further and indicate the purpose of use for which the record series information is collected (for example, billing data is collected for billing purposes). For members of the privacy team, the purpose of use for which the PI/SPI is collected is critical to defining a defensible period of time for data retention to comply with privacy regulations like CPRA or the GDPR.

The benefit of adding this dimension to the retention schedule is that it provides stronger support for corporate retention practices. For example, if the time period dictated by the purpose of use is longer than the retention period indicated on the retention schedule, from a privacy perspective, an organization may be able to retain this information longer. Similarly, if the duration dictated by the purpose of use is shorter than the retention period indicated on the retention schedule, an organization can now have a basis for retaining it longer, because the organization can link the duration of retention to a legal or regulatory obligation to do so.

The first leg of a journey

The change we’ve looked at here is significant, but it’s only the first step in the journey RIM will need to take to evolve to support privacy compliance. From there, organizations will need to operationalize this new approach to RIM so that the organization meets the retention schedule. In the next article, we’ll cover some steps you can take to help your organization start following your records retention schedule and have a functioning records management program.

Originally published May 26, 2022
