Data Disposition: What is it and why should it be part of your data retention policy?

By: Anthony Paille on September 2nd, 2021

Print/Save as PDF

Data Disposition: What is it and why should it be part of your data retention policy?

Retention  |  Electronic Records Management (ERM)

What happens when information comes to the end of its lifecycle and no longer remains relevant, useful, or valuable? Or, what about when a record’s retention schedule comes to an end? If we keep everything forever, we’ll quickly run into issues like storage costs and other negatives like findability and increased risks. There’s a better way - read on as we explore the importance of Disposition.


Get Your Free Guide: How to Achieve Records Management Best Practices

What is Disposition?

AIIM training provides us with the following definition:

Disposition is the disposal of information that has come to the end of the information lifecycle. Most often, this means destruction, though it can also mean transfer to another organization in some cases – for example, to a corporate archive if it has historical value.

Information is disposed of for a variety of reasons: to save storage space or costs; to make it easier to find information (the smaller the set of information to sift through, the more likely it is that users will find what they are looking for); and to reduce risks associated with keeping information too long.

Software solutions can facilitate and automate the Disposition of content, records and non-records alike, at the end of the information lifecycle.

In summary, Disposition means those actions that are taken regarding information and records after they are no longer needed in office space to conduct current operations.

Why is Disposition Important?

We’ve talked a bit already about how Disposition provides the benefits of reducing storage costs, mitigating risks, and reducing clutter to provide better findability. Let’s take a deeper look at the importance of Disposition.

This graphic from the Compliance, Governance, and Oversight Council (CGOC) shows the breakdown of the information held in a typical organization.

Breakdown of Information Held in a Typical Organization

The goal here is to reduce costs and risks. We want to ensure we identify and retain records that have business or legal value, but also comply with any legal hold. Everything else – get rid of it.

How much of your information is “data debris”? You won’t know this until you analyze it, but you can expect it to be from 20 to 40%. One organization storing 2.5TB found that they could get rid of 20% of this, which was $2,500,000 per year in storage expense.

Key Considerations for Disposition

Lorrie Luellig summarizes quite well in CIO Insights what this means for organizations.

  1. Manage all information, not just “records.” The retention schedule must apply to all the data in an organization’s possession, not just information officially classified as “records.” Consider anything and everything—including both structured and unstructured data sources—as either having legal, regulatory, or business value or as debris, whether it’s a human resource record, patent filing, financial statement, email message, or tweet.

  2. Connect legal, privacy, and regulatory retention obligations directly to relevant information. The retention schedule must clearly define how legal, privacy, and regulatory obligations apply to all types of information and business users, including what is covered, who is obliged to comply, and how retention obligations, privacy directives, and disposal mandates are triggered. Technology solutions may be deployed to help organizations automate the connection of information to retention and disposal requirements.

  3. Retention periods must take into account the business value of information in addition to legal and compliance value. This value should be explicitly defined by business stakeholders and made transparent to legal, RIM, and IT. Again, technology solutions can help by allowing users to associate information types, such as purchase orders or employee agreements, with specific data sources, such as enterprise cost management and human resources systems, or records repositories, and to include details on why and for how long the information is and will be of business value.

  4. Identify where information is located. Information inventories are a must, describing where data is stored, what record classes apply, who was or is responsible for the content and who manages it. With the help of a reliable “data map,” data stewards can more easily identify information and understand the value and obligations related to that information according to lines of business, departments, and so on.

  5. Ensure that retention and disposal obligations are communicated and publicized in a language that stakeholders can understand. This involves two key elements: defining what is required of data users when creating and identifying information and defining the responsibilities of data stewards related to the Disposition of information. For example, IT won’t be able to make sense of a disposition directive that states, “Comply with record class HUM100.” Translated more clearly, this directive might state, “Job applications created by HR users and stored in the HR shared drive must be permanently deleted ten years after the termination of the employee.” Clarity invites compliance.

  6. Allow for flexibility to adapt to local laws, obligations, and limitations.

  7. Include a mechanism that allows legal and IT to collaborate in executing and terminating legal holds – and to comply with legal, regulatory, and audit requests. No retention schedule can achieve the goal of defensible disposal without clear communication between legal and IT stakeholders regarding what specific information is on legal hold and when holds can be released. Legal departments should be able to easily collaborate with IT to identify relevant corporate data and both set in motion and terminate legal holds.

  8. Identify and eliminate duplicate information. Confusion about what exactly needs to be retained and for how long can encourage a tendency to “save everything,” which is a bad information management habit, especially as some privacy laws require the deletion of certain types of information after a period of time. With a clear and transparent retention schedule, there’s no need to keep duplicate information “just in case.”

  9. Update in real-time to account for changes in laws, to the business, and in technology. With global regulatory, legal, and privacy requirements constantly evolving, it’s vitally important to stay ahead of changes and incorporate new requirements into the retention schedule. Technology can assist with alerts and automation that communicates to systems and data stewards when adjustments are needed.

Conclusion

Ready to get started? A good place to begin is to provide employees with explicit guidance for the acceptable use of available tools for dynamic content and their associated retention periods.

Make sure your policies identify disposition as an effective and necessary step in the records lifecycle - and the broader information lifecycle. The policy should identify that disposition or transfer is expected and automatic at the end of the lifecycle, subject only to legal or other requirements to suspend those activities.

Also, establish procedures that lay out how records and information will be dispositioned according to their type, location, record status, etc.

Ultimately, AIIM recommends working to automate these processes to provide the most effective management as a part of your Intelligent Information Management (IIM) Strategy.

Free Guide: How to Achieve Records Management Best Practices