Defensible disposition addresses the problem of over-retention -- organizations have been over-retaining electronic information and failing to dispose of it in a legally defensible manner when business and law will allow. The best way to address this monster problem is to break it into more tractable sub-problems: day-forward information disposition and historical informational disposition. I won’t go into a day-forward information disposition here, because it is an easier problem to solve. Let’s stipulate that it’s taken care of and focus on historical information disposition.
First, note that you may have hundreds of TBs lying around waiting to cause you problems. It may take you years to fully address that pile of information. However, you should start soon and plan to take many smaller steps rather than just a few big steps. Second, here I’m going to focus on just the methodology that’s specific to defensible disposition. I’m going to talk about 4 specific steps in the defensible disposition methodology, but these 4 steps should be embedded in a larger ECM-type program and project methodology.
Here, then, is how to do defensible disposition. It primarily consists of developing and then executing four pieces:
The first step is to develop your Defensible Disposition Policy. This is the design specification that states very clearly the objectives that your methodology will fulfill. You should be able to defend your actions by pointing at your policy for defensible disposition, which shows what you intend to do, and then showing that you are following it. The good news is that you don’t need to be perfect – you don’t have to perfectly satisfy your retention demands. You doneed to use the Principle of Reasonableness and act In Good Faith.
Using technology for the heavy lifting in the file assessing and disposing of processes is absolutely necessary. But there are two sources of complexity in finding and using the right tools that make it a challenge: First, the “analysis, classification, and disposition” market is young and a mess. Second, to efficiently assess a pile of files, you typically have to use a variety of different techniques and thus tools, since the tools have different sweet spots. There is no universal assessment technique and thus, no universal assessment tool.
This means that you need a Technology Plan that fits the right tools to your Assessment Plan and Disposition Plan, both of which are discussed below.
The Assessment Plan specifies which information and systems you’re investigating and the particular processing rules you’re going to use. The first step in developing the Assessment Plan is to do the legwork and get a picture of what repositories the information is in and anything else that will help you create a plan of attack. You then create processing rules based on the different types of file attributes.
The Disposition Plan evaluates your assessment results against your Defensible Disposition Policy and lays out a roadmap for disposing of the various kinds of files you found. Then you start executing the Disposition Plan. This may require one or more FTEs managing the purges and cleanup over months or even years.
And finally, as you go through your first disposition cycle, you’ll probably want to refine your Defensible Disposition Policy – as you’ve now got a much more realistic picture.