Customer Misconception: It’s Okay to Store Records Indefinitely – Selling Information Disposition by the Book (vol. 10)
June 26, 2017
By Bob Johnson
At its worst, the conversation unfolds something like this:
Service Provider: “I would like to discuss your records destruction needs.”
Data Controller: “That’s not necessary. We keep everything forever.”
And even though the data controller may not say it so blatantly, it is common knowledge that many, if not most, companies don’t destroy retained records when they have reached their retention period. Of course, this is bad news – for them, because it puts them at risk, and for secure destruction services, because they are robbed of the opportunity to properly protect their customers.
This risky misconception is confronted directly on page 56 of Chapter 3: Records and Information Management Principles, in the section titled Liability of Retaining Unnecessary Records.
The risks delineated within this section include Legal Discovery, Adverse Inference, and Increasing Risk of Unauthorized Access. In all, almost two pages of text describe in detail why the data controller should not retain records longer than legally required.
It should be noted that the short conversation above characterizing this misconception also signals that the data controller does not consider the daily flow of media as something that requires destruction. Readers will remember that this was covered in Customer Misconception #3. So, when you hear a data controller say they don’t need a records destruction service because they keep everything, you probably have two misconceptions to overcome – and a good use for the new textbook.