AIIM — The Enterprise Content Management Association


On the Record with SharePoint: Taking out the E-Trash

Just because you can save everything you create electronically doesn’t mean that you should. As you create your official records, how do you create rules for getting rid of the electronic garbage?

Mar 01, 2010

In our last column, we discussed how organizations categorize enterprise content for retention and retrieval in electronic recordkeeping environments such as SharePoint, Documentum, Open Text, and OmniRIM. By embedding a consistent enterprise content categorization system in retention schedules, retrieval taxonomies, file plans, and in the technical solutions mentioned above, information workers and auto-categorization tools are more likely to categorize content consistently, which ensures better compliance with an organization’s retention and disposition requirements.

In this column, we will discuss how to use information lifecycle states to manage retention and disposition for content that does not have “official record” value. We will highlight what organizations do when destroying content and provide a list of nine best practices that surfaced repeatedly across organizations and industries.

In a previous article, Taking Out the E-Trash, we provided specifics on how to dispose of official records whose retention is prescribed by an organization’s retention schedule. This column addresses all the other content in an organization – drafts, duplicates, convenience copies, etc. – which can be four to five times the volume of the official records. A large volume of unmanaged content puts an organization at risk for non-compliance with privacy and recordkeeping requirements, exponential increases in storage requirements, and increased litigation risk from unnecessary production and review of obsolete content in discovery efforts. This column explains how categorizing content by information lifecycle state enables organizations to manage retention consistently.

Information Lifecycle Model
An enterprise information lifecycle establishes states for all content that is created or received in an enterprise through to its final disposition. The reason that a standard enterprise information lifecycle is so important is that it enables the management of content according to an enterprise retrieval taxonomy (providing classification and naming standards) and consistent rules for retention and disposition.

The information lifecycle defines processes, rules, and repositories that are globally applied to all information across the enterprise. The result is consistent content governance combined with consistent information worker expectations for how they should participate in the management and retention of enterprise content. Below is an example of an enterprise information lifecycle:

graphic illustration

From a content disposition perspective, all states in the lifecycle have a transition to the "disposed" state. Within the information lifecycle, each state has a rule for retention, which is the maximum amount of time that a piece of content can exist in that state. For example, content in the Temporary state may have a retention period of 90 days (from the last modified date). Organizations take different approaches to how disposition is handled for each of these non-record states.

Using Lifecycle States to Categorize Content for Disposition/Destruction in SharePoint
A SharePoint information lifecycle must incorporate the definition of policies for the disposition/destruction of content based on the business rules defined in the information lifecycle. The exact mechanism for the movement of content from the current state to the disposition state varies between organizations.

The consistent practice in the disposition of non-record content is that, as the content moves closer to the Final or Record state of the lifecycle, the action of disposition/destruction is less abrupt and involves more notification or consideration of inadvertent disposition. The following represents a typical enterprise example of disposition/destruction of content in the Temporary state:

Temporary State table

The Temporary state disposition rule is defined for a very short retention period, and the destruction rule is abrupt. Generally, temporary information is handled in this manner because the perceived value of the information to the organization is very low.

The Disposition Rules for Work In Progress (WIP) are provided in the table below:

Disposition Rules (WIP) table

The WIP state disposition rule, while much longer in duration, also includes a two-week buffer provided by the recycle bin component within SharePoint. The buffer gives the owner of the information the ability to retrieve the information if it has been placed into the disposed state inadvertently.

Nagging about Disposition/Destruction
Many implementations of content and records management systems provide the ability to perform a "nag" function. This is the ability to notify content owners that an action is going to be automatically performed on their content.

During system implementation, the tendency of IT teams is to "over communicate" and provide automatic notifications when any and every action is performed by the system. Excessive nagging is not necessary if the organization has a consistent, simple disposition plan that is communicated clearly to information workers.

Before implementing a number of automatic notifications or emails, consider the information worker. Most of these nag emails are overlooked or forgotten. Always remember that these emails place electronic systems and retention policies directly in front of the user, and not necessarily in a positive context.

Risk Management and Governance for the Destruction of Electronic Records
When content reaches the end of its lifecycle, organizations need an electronic content disposition policy and process that facilitates compliance with standards, laws, and regulations, decreases storage requirements, and reduces litigation risk. Coupled with evidence that the policy and process are routinely followed, organizations can better demonstrate when necessary that the destruction of content was in good faith.

Based on Gimmal’s experience with organizations that have developed a policy and process for destruction of electronic content, nine elements surfaced repeatedly across organizations and industries:

  1. Governance Covers All Content — A governance process for consistently managing enterprise content including destruction that covers all formats, physical and electronic.
  2. Information Lifecycle Model — A succession of conditions through which information is processed from creation or receipt to its final disposition. An enterprise information lifecycle establishes states for all content that is created or received in an enterprise through to its final disposition.
  3. Records Retention Schedule — An up-to-date approved records retention schedule covers all jurisdictions, United States and international.
  4. Retention Hold Process — A standardized process for applying and removing retention holds suspends the retention schedule in the event of current or anticipated litigation, governmental proceedings, investigations, or audits.
  5. Automated Destruction Process — A standardized process for electronic content destruction is automated when possible and sustainable. When the destruction of electronically stored content cannot be automated, manual processes are designed so content is deleted at the end of its lifecycle. Whether automated or manual, content destruction includes all preceding versions. The process needs to ensure the content, and the media that support it, are destroyed in a manner that prevents reconstruction. Some organizations require complete, irrevocable destruction of certain types of content (sometimes called forensic deletion), which generally takes longer and costs more.
  6. Destruction Logs — Destruction logs provide evidence and verify completion of electronic record destruction. The system keeps information on the destruction log to a minimum, starting with the unique identification of a record (number, filename, or record title). Additional information to capture on the destruction log includes the significant dates of the content’s lifecycle (e.g., creation and destruction dates) and system-generated information and properties (creation date, destruction date, and the system that destroyed it).
  7. Third Party Destruction — When third parties are contracted to destroy electronic or physical content, certificates of destruction are recommended. Certificates of destruction usually include the date, time, location, method of destruction, and signature of the operator who destroyed the records.
  8. Training — Train content owners on destruction protocols. Training needs to be implemented for new hires and for all information workers as part of regular compliance-training activities.
  9. Compliance Monitoring — Monitor for compliance in ways that are non-disruptive to business activities and transparent to information workers. Where areas of non-compliance are discovered, the organization will take action to address them and bring them into compliance.
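
The per-state retention rule described under Information Lifecycle Model, combined with elements 4 to 6 above (retention holds, automated destruction, destruction logs), as an added example that is not from the article and does not use any SharePoint API. The `Item` class, the `sweep` function, the 365-day WIP period, and the sample items are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Maximum time in each non-record state, counted from last modification.
# 90 days for Temporary is the article's example; the WIP period is an
# assumed placeholder because the article's WIP table is not reproduced.
RETENTION = {"Temporary": timedelta(days=90), "WIP": timedelta(days=365)}
# WIP gets the two-week recycle-bin buffer; Temporary is destroyed abruptly.
RECYCLE_BUFFER = {"WIP": timedelta(days=14)}

@dataclass
class Item:  # hypothetical stand-in for a document-library item
    item_id: str
    state: str
    created: datetime
    modified: datetime
    on_hold: bool = False
    recycled_at: Optional[datetime] = None

def sweep(items, now, system="disposition-job"):
    """Run one disposition pass; return (remaining items, destruction log)."""
    remaining, log = [], []
    for it in items:
        limit = RETENTION.get(it.state)
        buffer = RECYCLE_BUFFER.get(it.state, timedelta(0))
        if it.on_hold or limit is None:
            remaining.append(it)   # a hold suspends retention; other states are skipped
        elif it.recycled_at is None and now - it.modified < limit:
            remaining.append(it)   # still inside its retention period
        elif it.recycled_at is None and it.state in RECYCLE_BUFFER:
            it.recycled_at = now   # expired: recycle first so the owner can restore
            remaining.append(it)
        elif it.recycled_at is not None and now - it.recycled_at < buffer:
            remaining.append(it)   # recycle-bin buffer has not run out yet
        else:
            # Minimal destruction log entry: identity, key dates, destroying system.
            log.append({"id": it.item_id, "created": it.created.isoformat(),
                        "destroyed": now.isoformat(), "system": system})
    return remaining, log

def sample_items():  # constructed sample data
    d = datetime
    return [Item("T-1", "Temporary", d(2009, 9, 1), d(2009, 11, 1)),
            Item("T-2", "Temporary", d(2009, 9, 1), d(2009, 11, 1), on_hold=True),
            Item("T-3", "Temporary", d(2010, 1, 5), d(2010, 2, 1)),
            Item("W-1", "WIP", d(2008, 6, 1), d(2008, 12, 1))]

if __name__ == "__main__":
    items, log1 = sweep(sample_items(), datetime(2010, 3, 1))
    items, log2 = sweep(items, datetime(2010, 3, 16))
    print(log1, log2, [i.item_id for i in items])
```

The item on hold survives both passes even though it is past its retention period, and the WIP item is destroyed only on the second pass, after its recycle-bin buffer has elapsed.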

Conclusion
Nearly all content in all sizes of organizations can be managed using fairly simple enterprise information lifecycle states. At the end of the lifecycle, organizations need a systematic approach to the final disposition of content, including a consistent and scalable process for destruction of all versions, formats, and media. The process must demonstrate the uniform application of records and information management policies and processes, including adherence to confidentiality and security requirements and recognition of records on legal, tax, or audit holds. Going forward, destruction requirements need to be part of an organization’s systems development and implementation methodology.

About the Authors:
Susan Cisco, Ph.D., CRM, FAI, is a director for Gimmal Group focused on enterprise content management and records management (ECM/RM). She has more than 25 years of experience in the records and information management field as a practitioner, educator, and consultant. Cisco has successfully consulted with organizations in multiple industries, including oil and gas, hospitality, insurance, utilities, and government. Her recent groundbreaking work in the application of the “big bucket approach” to the classification and retention of electronic records enhances the usability of ECM/RM and other recordkeeping systems, simplifies deployment strategies, and optimizes user adoption. She earned a master’s degree and a doctorate degree in library and information science from The University of Texas at Austin. Cisco is a Fellow of ARMA International. She can be contacted at susan.cisco@gimmal.com.

Brad Teed is a managing director for Gimmal Group focused on enterprise content management and records management (ECM/RM). He is a subject matter expert in the areas of content and document management systems and has more than 18 years of experience in the information technology field. He has designed and implemented more than 30 production content, document, and record management systems, and he has participated in the implementation of more than 500 pilots and prototypes for strategic technology system implementations. Teed has extensive experience in the areas of application architecture and design, solution architecture, systems integration, and application development. His work includes experience with the strategy, evaluation, architecture, and implementation of numerous industry-leading content and record management systems. In addition to his extensive EMC product experience, Teed has led and participated on projects implementing collaboration and basic content and records management services using Microsoft’s SharePoint suite of products. He can be contacted at brad.teed@gimmal.com.

Mike Alsup is a Sr. Vice President with Gimmal Group, an ECM and RM systems integrator. He blogs at (kqj109.wordpress.com). He welcomes comments or scathing remarks at malsup@gimmal.com.

 
