Internews Document Retention and Destruction Policy

Internews Document Retention and Destruction Policy

1. Policy and Purposes

This Policy represents the policy of INTERNEWS (the “organization”) with respect to the retention and destruction of documents and other electronic records, both in hard copy and electronic media (which may merely be referred to as “documents” in this Policy).  Purposes of the Policy includes (a) retention and maintenance of documents necessary for the proper functioning of the organization as well as to comply with applicable legal requirements; (b) destruction of documents which no longer need to be retained; and (c) guidance for the Board of Directors, officers, staff, any third-party representatives or sub-contractors, volunteers, interns and other constituencies with respect to their responsibilities concerning document retention and destruction. Adherence to this policy is mandatory and non-compliance could lead to disciplinary action. Notwithstanding the foregoing, the organization reserves the right to revise or revoke this Policy at any time.

1.1 Personal Information and Data Protection: Internews needs to collect personal information about the people we employ, work with or have a business relationship with, to effectively and compliantly carry out our everyday business functions and activities, and to provide our products and services. This information can include (but is not limited to), name, address, email address, data of birth, IP address, private and confidential information, sensitive information and bank details.

In addition, the organization may occasionally be required to collect and use certain types of personal information to comply with the requirements of the law and/or regulations, however we are committed to collecting, processing, storing and destroying all information in accordance with the General Data Protection Regulation, UK data protection law and any other associated legal or regulatory body rules or codes of conduct that apply to our business and/or the information we process and store.

Internews’ Data Retention Policy and processes comply fully with the GDPR’s fifth Article 5 principle: - Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organizational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’).

1.2 Objectives and Principles:

  • Ensure that Internews conducts itself in an orderly, efficient and accountable manner
  • Support core business functions and providing evidence of compliant retention, erasure and destruction
  • Develop and maintain an effective and adequate records management program to ensure effective archiving, review and destruction of information
  • Only retain personal information for as long as is necessary
  • Comply with the relevant data protection regulation, legislation and any contractual obligations
  • Ensure the safe and secure disposal of confidential data and information assets
  • Ensure that records and documents are retained for the legal, contractual and regulatory period stated in accordance with each bodies rules or terms
  • Ensure that no document is retained for longer than is legally or contractually allowed
  • Mitigate against risks or breaches in relation to confidential information

1.3 Destruction and Disposal of Records and Data: All information of a confidential or sensitive nature on paper or electronic media must be securely destroyed when it is no longer required. This ensures compliance with the Data Protection laws and the duty of confidentiality we owe to our employees, clients and customers. Internews is committed to the secure and safe disposal of any confidential waste and information assets in accordance with our contractual and legal obligations and that we do so in an ethical and compliant manner. We confirm that our approach and procedures comply with the laws and provisions made in the General Data Protection Regulation (GDPR) and that staff are trained and advised accordingly on the procedures and controls in place.

1.4 Paper Records: Due to the nature of our business, Internews retains paper based personal information and as such, has a duty to ensure that it is disposed of in a secure, confidential and compliant manner. Employee shredding machines are made available in Internews HQ offices.

1.5 Electronic and IT Records and Systems: Internews uses numerous systems, computers and technology equipment in the running of our business. From time to time, such assets must be disposed of and due to the information held on these whilst they are active, this disposal is handled in an ethical and secure manner.

The deletion of electronic records must be organized in conjunction with the information technology department who will ensure the removal of all data from the systems so that it cannot be reconstructed. When records or data files are identified for disposal, their details must be provided to the designated department head to maintain an effective and up to date log of destroyed records.

Only the IT department can authorize the disposal of any technology device that holds data.  This includes: laptop and desktop computers, tablets, mobile phones, servers, and external data storage devices.  Equipment disposition shall be handled in coordination with the Accounting Department.  Prior to disposition, information is wiped from the equipment through use of standard software and re-formatting procedures.

In all disposal instances the IT Department must confirm successful deletion and destruction of each asset. Once disposal has occurred, the IT Department is responsible for updating the IT asset inventory lists for the asset that has been removed.  The Accounting Department shall also be informed for updating of the official ERP based asset tracking system.

2. Administration

2.1 Responsibilities of the Administrator.  The organization’s Vice President for Information Security and Technology shall be the administrator (“Administrator”) in charge of the administration of this Policy.  The Administrator’s responsibilities shall include supervising and coordinating the retention and destruction of documents pursuant to this Policy and particularly the Document Retention Schedule included below.  The Administrator shall also be responsible for documenting the actions taken to maintain and/or destroy organization documents and retaining such documentation.  The Administrator may also modify the Document Retention Schedule from time to time as necessary to comply with law and/or to include additional or revised document categories as may be appropriate to reflect organizational policies and procedures.  The Administrator is also authorized to periodically review this Policy and Policy compliance with legal counsel and to report to the Executive Committee as to compliance.  The Administrator may also appoint one or more assistants to assist in carrying out the Administrator’s responsibilities, with the Administrator, however, retaining ultimate responsibility for administration of this Policy. 

2.2 Responsibilities of Constituencies.  This Policy also relates to the responsibilities of board members, staff, consultants, volunteers (“Internews Representatives”) with respect to maintaining and documenting the storage and destruction of the organization’s documents.  The Administrator shall report to the Board of Directors (the board members acting as a body), which maintains the ultimate direction of management.  The organization’s staff shall be familiar with this Policy, shall act in accordance therewith, and shall assist the Administrator, as requested, in implementing it.  The responsibility of Internews Representatives with respect to this Policy shall be to produce specifically identified documents upon request of management, if the staff still retains such documents.  In that regard, after each project in which an Internews Representative has been involved, or each term which the Internews Representative has served, it shall be the responsibility of the Administrator to confirm whatever types of documents the Internews Representative retained and to request any such documents which the Administrator feels will be necessary for retention by the organization (not by the Internews Representative). 

3.  Suspension of Document Destruction; Compliance.  The organization becomes subject to a duty to preserve (or halt the destruction of) documents once litigation, an audit or a government investigation is reasonably anticipated.  Further, federal law imposes criminal liability (with fines and/or imprisonment for not more than 20 years) upon whomever “knowingly alters, destroys, mutilates, conceals, covers up, falsifies, or makes a false entry in any record, document, or tangible object with the intent to impede, obstruct, or influence the investigation or proper administration of any matter within the jurisdiction of any department or agency of the United States …  or in relation to or contemplation of any such matter or case.”  Therefore, if the Administrator becomes aware that litigation, a governmental audit or a government investigation has been instituted, or is reasonably anticipated or contemplated, the Administrator shall immediately order a halt to all document destruction under this Policy, communicating the order to all affected constituencies in writing.  The Administrator may thereafter amend or rescind the order only after conferring with legal counsel.  If any board member or staff member becomes aware that litigation, a governmental audit or a government investigation has been instituted, or is reasonably anticipated or contemplated, with respect to the organization, and they are not sure whether the Administrator is aware of it, they shall make the Administrator aware of it.  Failure to comply with this Policy, including, particularly, disobeying any destruction halt order, could result in possible civil or criminal sanctions.  In addition, for staff, it could lead to disciplinary action including possible termination.  

4. Electronic Documents; Document Integrity.  Documents in electronic format shall be maintained just as hard copy or paper documents are, in accordance with the Document Retention Schedule.  Due to the fact that the integrity of electronic documents, whether with respect to the ease of alteration or deletion, or otherwise, may come into question, the Administrator shall attempt to establish standards for document integrity, including guidelines for handling electronic files, backup procedures, archiving of documents, and regular checkups of the reliability of the system; provided, that such standards shall only be implemented to the extent that they are reasonably attainable considering the resources and other priorities of the organization.

5. Privacy.  It shall be the responsibility of the Administrator, after consultation with counsel, to determine how privacy laws will apply to the organization’s documents from and with respect to employees and other constituencies; to establish reasonable procedures for compliance with such privacy laws; and to allow for their audit and review on a regular basis.  Internews Privacy Policy

6. Emergency Planning.  Documents shall be stored in a safe and accessible manner.  Documents which are necessary for the continued operation of the organization in the case of an emergency shall be regularly duplicated or backed up and maintained in an off-site location.  The Administrator has developed reasonable procedures for document retention in the case of an emergency.

7. Document Creation and Generation.  The Administrator shall provide training to staff the ways in which documents are created or generated.  With respect to each employee or organizational function, the Administrator shall attempt to determine whether documents are created which can be easily segregated from others, so that, when it comes time to destroy (or retain) those documents, they can be easily culled from the others for disposition. 

8. Document Retention Schedule. 

* Retention Period Definition:  Retention Period is defined as the additional retention period beyond 1 year after the final funder report date of the most recent end data of the award(s) to which the document is relevant. If the document is related to an expense not tied to an award (i.e. an overhead expense), then the Retention Period is defined as the additional retention period beyond the NICRA certification date for the year of the relevant documents.  Documents are eligible for destruction after these retention periods.  Documents are not automatically destroyed when they reach the data destruction eligibility date.

Document Type   * Retention Period

Accounting and Finance

Accounts Payable  7 years
Accounts Receivable  7 years
Annual Financial Statements and Audit Reports Permanent
Bank Statements, Reconciliations & Deposit Slips 7 years
Canceled Checks – routine 7 years
Canceled Checks – special, such as loan repayment  Permanent
Credit Card Receipts 7 years
Employee/Business Expense Reports/Documents 7 years
General Ledger  Permanent
Interim Financial Statements 7 years

Contributions/Gifts/Grants

Contribution Records Permanent
Documents Evidencing Terms of Gifts  Permanent
Grant Records Permanent

Corporate and Exemption

Articles of Incorporation and Amendments Permanent
Bylaws and Amendments  Permanent
Minute Books, including Board & Committee Minutes  Permanent
Other Corporate Filings Permanent
IRS Exemption Application (Form 1023 or 1024)  Permanent
IRS Exemption Determination Letter Permanent
State Exemption Application (if applicable)  Permanent
State Exemption Determination Letter (if applicable) Permanent
Licenses and Permits  Permanent
Employer Identification (EIN) Designation Permanent

Correspondence and Internal Memoranda

Hard copy correspondence and internal memoranda relating to a particular document otherwise addressed in this Schedule should be retained for the same period as the document to which they relate.

Electronic copy correspondence and internal memoranda relating to routine matters with no lasting significance  3 Years
Correspondence and internal memoranda important to
the organization or having lasting significance
Permanent

Electronic Mail (E-mail) to or from the organization

Electronic mail (e-mails) relating to a particular document otherwise addressed in this Schedule should be retained for the same period as the document to which they relate but may be retained in hard copy form with the document to which they relate.

E-mails considered important to the organization or of lasting significance should be stored in a central repository. Permanent
E-mails not included in either of the above categories  3 Years beyond employment end date of the email account holder.

Electronically Stored Documents

Electronically stored documents (e.g., in pdf, text or other electronic format) comprising or relating to a particular document otherwise addressed in this Schedule should be retained for the same period as the document which they comprise or to which they relate but may be retained in hard copy form (unless the electronic aspect is of significance).

Electronically stored documents considered important to the organization or of lasting significance should stored in a central repository Permanent
Electronically stored documents not included in either of the above categories  Two years

Employment, Personnel and Pension

This category applies to employees, consultants, volunteers and board members.

Personnel Records 10 years after employment ends
Employee contracts   10 years after termination
Retirement and pension records 50 years
 

Insurance

Property, D&O, Workers’ Compensation and General Liability Insurance Policies Permanent
Insurance Claims Records  Permanent

Legal and Contracts

Contracts, related correspondence and other supporting documentation 10 years after termination
Legal correspondence  Permanent

Management and Miscellaneous

Strategic Plans  7 years after expiration
Disaster Recovery Plan 7 years after replacement
Policies and Procedures Manual  Current version with revision history

Property – Real, Personal and Intellectual

Property deeds and purchase/sale agreements  Permanent
Property Tax Permanent
Real Property Leases Permanent
Personal Property Leases 10 years after termination
Trademarks, Copyrights and Patents  Permanent

Tax

Tax exemption documents & correspondence Permanent
IRS Rulings Permanent
Annual information returns – federal & state  Permanent
Tax returns Permanent