The Sedona Conference Working Group 1 recently released for public comment its Principles and Commentary on Defensible Disposition. The idea for the Defensible Disposition Commentary arose from discussion in 2016 among the WG1 Steering Committee and leaders in charge of updating the 2014 Commentary on Information Governance. The leadership recognized that, with the staggering amount of data that is produced daily, a need existed for guidance on the adequate and proper disposition of information that is no longer subject to any legal hold and has exceeded the applicable legal, regulatory, and business retention requirements. While The Sedona Conference included a Principle and limited commentary on data disposition in its 2014 Commentary on Information Governance, the Defensible Disposition Commentary discusses in detail when and how organizations may effectively engage in information disposition in the ordinary course of business.
More specifically, Principle 6 of the Commentary on Information Governance stated: “The effective, timely, and consistent disposal of physical and electronic information that no longer needs to be retained should be a core component of any Information Governance program.” The appropriate disposition of information is increasingly recognized to be critical for an organization to meet its data privacy obligations, engage in defensible and efficient litigation, protect business interests, operate efficiently, and mitigate risks of possible security breaches.
As many organizations recognize the value of information disposition, they often struggle against a culture of tending to retain everything and the fear of deleting information that must be retained for some reason. The Defensible Disposition Commentary discusses:
- the legal defensibility of deleting stale information;
- benefits of disposing of stale information;
- risks of retaining too much data; and
- practical guidelines for implementing data disposition.
The Defensible Disposition Commentary also includes considerations for common challenges to information disposition, such as unstructured data, shared file types, sensitive information, and information held by outside service providers.
Principle 1 of the Defensible Disposition Commentary addresses the defensibility of information disposition and how organizations may dispose of information that they do not need to keep. Defensibility requires organizations to consider legal hold requirements for litigation and investigations, as well as statutory and regulatory obligations related to information retention.
Principle 2 of the Defensible Disposition Commentary discusses how organizations may define and measure risks of over-retention against the benefits of disposition. Organizations should evaluate what business value its information creates and for how long, as well as benefits and risks of retaining the information. For example, reducing an organization’s information footprint often improves productivity and legal compliance, while reducing costs and risks related to discovery, privacy and security.
Principle 3 of the Defensible Disposition Commentary provides guidance on how organizations can implement disposition in the ordinary course of business. At a minimum, the commentary urges that an organization first create an Information Governance program that has identified an information classification system with corresponding retention periods, then develop knowledge of what information it has, where it is, and what value it has, and designate employees responsible for an information disposition program.
Organizations should then define disposition goals in the context of their technological capabilities, so that those goals are realistic and achievable. For example, automated deletion of data may be desired but may not be feasible or practical with an organization’s existing technology, requiring the organization to consider whether to seek outside assistance or invest in new technology. In addition, the commentary notes that, even if some copies of information are deleted, the organization may not meet its disposition goals of additional copies of the same information continue to exist elsewhere.
In summary, the Defensible Disposition Commentary provides support for the defensibility and benefits of information disposition in the ordinary course of business. The Sedona Conference invites the public to submit comments on the Defensible Disposition Commentary to firstname.lastname@example.org. The period for public comment extends until Oct. 10, 2018.