The Sedona Guidelines for Managing Information and Records in the Electronic Age

1. An organization should have reasonable policies and procedures for managing its information and records.

1. The hallmark of an organization's information and records management policies should be reasonableness.
2. Defensible policies need not be universal, nor do they need to address the retention of all information and documents.
3. No single standard or model can fully meet an organization's unique needs

2. An organization's information and records management policies and procedures should be realistic, practical and tailored to the circumstances of the organization.

1. Information and records management is important in the electronic age.
2. Information and records management requires practical, flexible and scalable solutions that address the differences in an organization's business needs, operations, IT infrastructure and regulatory and legal responsibilities.
3. An organization must assess its legal requirements for retention and destruction in developing an information and records management policy.
4. An organization should assess the operational and strategic value of its information and records in developing an information and records management program.
5. A business continuation or disaster recovery plan has different purposes from those of an information and records management program.

3. An organization need not retain all electronic information ever generated or received.

1. Destruction is an acceptable stage in the information life cycle; an organization may destroy or delete electronic information when there is no continuing value or need to retain it.
2. Systematic deletion of electronic information is not synonymous with evidence spoliation.
3. Absent a legal requirement to the contrary, organizations may adopt programs that routinely delete certain recorded communications, such as electronic mail, instant messaging, text messaging and voice-mail.
4. Absent a legal requirement to the contrary, organizations may recycle or destroy hardware or media that contain data retained for business continuation or disaster recovery purposes.
5. Absent a legal requirement to the contrary, organizations are not required to preserve metadata.

4. An organization adopting an information and records management policy should consider including procedures that address the creation, identification, retention, retrieval and ultimate disposition or destruction of information and records.

1. Information and records management policies must be put into practice.
2. An organization should define roles and responsibilities for program direction and administration within its information and records management policies.
3. An organization should guide employees regarding how to identify and maintain information that has a business purpose or is required to be maintained by law or regulation.
4. An organization may choose to define separately the roles and responsibilities of content and technology custodians for electronic records management.
5. An organization should consider the impact of technology (including potential benefits) on the creation, retention and destruction of information and records.
6. An organization should recognize the importance of employee education concerning its information and records management program, policies and procedures.
7. An organization should consider conducting periodic compliance reviews of its information and records management policies and procedures, and responding to the findings of those reviews as appropriate.
8. Policies and procedures regarding electronic management and retention may be coordinated and/or integrated with the organization's policies regarding the use of property and information, including applicable privacy rights or obligations.
9. Policies and procedures should be revised as necessary in response to changes in workforce or organizational structure, business practices, legal or regulatory requirements and technology.

5. An organization's policies and procedures must mandate the suspension of ordinary destruction practices and procedures as necessary to comply with preservation obligations related to actual or reasonably anticipated litigation, governmental investigation or audit.

1. An organization must recognize that suspending the normal disposition of electronic information and records may be necessary in certain circumstances.
2. An organization's information and records management program should anticipate circumstances that will trigger the suspension of normal destruction procedures.
3. An organization should identify persons with authority to suspend normal destruction procedures and impose a legal hold.
4. An organization's information and records management procedures should recognize and may describe the process for suspending normal records and information destruction and identify the individuals responsible for implementing a legal hold.
5. Legal holds and procedures should be appropriately tailored to the circumstances.
6. Effectively communicating notice of a legal hold should be an essential component of an organization's information and records management program g.
7. Documenting the steps taken to implement a legal hold may be beneficial.
8. If an organization takes reasonable steps to implement a legal hold, it should not be held responsible for the acts of an individual acting outside the scope of authority and/or in a manner inconsistent with the legal hold notice.
9. Legal holds are exceptions to ordinary retention practices and when the exigency underlying the hold no longer exists (i.e., there is no continuing duty to preserve the information), organizations are free to lift the legal hold.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.