Stay out of the spotlight: retention and disposition according to GARP®.

Author: Colgan, Julie J.
Position: GARP® SERIES


The time is now to address information governance. "The onus should not be on consumers to wipe their devices clean," said Canada Privacy Commissioner Jennifer Stoddart in a June Globe and Mail article after her office concluded its year-long investigation of Staples Business Depot practices for wiping information from returned devices, such as memory sticks and hard drives, before re-selling them.

Stoddart's office had launched the investigation in response to a "series of complaints" and found that one-third of the 149 devices it purchased from 17 Staples stores still held personal information; Staples has been given until June 2012 to comply with Stoddart's recommendations to correct this issue, as verified by a third party.

This is a perfect example of the need for organizations to be prepared to deal with all information they create, receive, and maintain.

Solving a Conundrum: Whose Job Is it?

The Staples story is of particular interest because it clearly demonstrates one of the common pitfalls inherent in determining proper retention and disposition of records and information: Whose job is it?

Some may find it ironic that Stoddart is relieving consumers of responsibility to ensure their own personal information has been removed from devices they return to a retailer. They may wonder if a retailer truly should have an obligation to double-check devices just to be sure no information remains on them--especially considering that retailers are not knowingly collecting the data, and the data are not official records of the retailers.

Specific obligation or not, Staples has found itself the subject of a news story and facing potential investigation for its information retention and disposition practices. And this kind of news item can be found in media outlets around the globe nearly every day of the year: some organization either has not kept information it should have, or it has disposed of information in an improper way or at an improper time. The public is watching. All organizations should take note and step carefully.

Getting it Right

Terabytes and even petabytes of information are no longer foreign concepts. Massive amounts of information are everywhere, and organizations are finding that ignoring its retention and disposition is a bad idea; it is costly to store and manage, and it is even more costly to deal with it in the face of litigation or investigation.

The questions that need to be answered are who owns the information, how long it should be retained, where and how it should be retained, and who is responsible for disposing of it and in what way.

But it's hard to get these answers right because the volume of information being created or received, the speed at which it is created, the silos in which it is stored, a demanding economy, exceedingly granular regulations for dealing with the information, and a litigious culture that won't quit all create an environment rich with opportunities to get it wrong. And when an organization gets it wrong and the failure is picked up in the news--no matter how minor the failure--it runs a risk not only of financial and legal damage, but of serious and often irreversible reputational damage.

Getting it Wrong...
