There are few phrases more daunting than ‘regulatory compliance’ when it comes to protecting the safety and legality of your records. It is, however, increasingly important to understand your responsibilities to best safeguard your business against any risk of fines, prosecution or civil actions. By understanding the essential elements of regulatory compliance, you can give yourself peace of mind knowing you’ve protected your business from loss or legal vulnerabilities.

Legislative Retention Requirements

There is no one-size-fits-all when it comes to legislative retention requirements. Different regulations are applied to different types of information and vary between industries. It’s critical that you familiarise yourself with the regulations and specifics that apply directly to your documents. For example, contracts and agreements relating to the maintenance of IT infrastructure should be kept for at least seven years. Contracts and agreements in the real estate industry, however, need to be kept for a minimum of fifteen years. Certain documents need to be kept for much longer periods of time; for example, copyright information should be kept for at least seventy years. Documents pertaining to insurance, policies or claims should be kept indefinitely.

Typically, however, documents need to be retained for a period between five and seven years. It is imperative that you are familiar with the regulations pertinent to your industry.

ISO 54189

In considering the evidentiary value of your organisation’s information, the AS ISO 54189 standard is the primary guidance standard when it comes to maintaining your information management system.

The standard is comprehensive, to say the least, but you can save yourself from drowning in compliance legalese by understanding the following key elements:

  • Information systems and retention processes should be designed to protect information against unauthorised access, loss or destruction.
  • Organisations need to maintain a policy and set up appropriate guidelines for moving information from one archiving system to another.
  • Systems for the electronic retention of information should be designed to ensure the information remains accessible, auditable, authentic, reliable and usable during the retention period, regardless of any system changes.
  • Organisations need to be able to prove that the content of a particular electronic record or data file has not been altered since its creation at the date of storage.

There are three main “risk-areas” in managing your information:

  • Unauthorised Access
    • Whether accidental or deliberate, unauthorised access can result in theft or leakage of intellectual property, violation of privacy principles or the alteration or destruction of information that needs to be retained.
  • Inability to Locate Information
    • If your information is not stored in a structured manner, time, money and resources can be lost to search and recovery.
  • Inappropriate Protection of Information
    • Inappropriate protection could result in loss or damage to information either from degradation due to the storage environment – paper mould, mildew or atrophy of magnetic media – or damage due to external events such as flood or fire.

The Legal Considerations of Information Management

There are a number of legal issues pertaining to the requirements that you need to consider in establishing and maintaining your organisation’s information management.

The primary concerns include:

  • The legal requirement that certain contracts must be in writing.
  • Whether or not legal obligations exist in your industry sector to retain certain types of information in hard copy paper format.
  • The legal requirements with regard to the conversion of written documentation stored in an electronic format.

It’s critical to know your legal obligations and regulatory compliance. Minimum and maximum retention periods should be known and adhered to, and the evidentiary value of stored information should be understood, as should the legislation around the retention and accessibility of electronically stored information. By familiarising yourself with the basics at your earliest opportunity, you can arm yourself against any legal vulnerability.