Questions & Answers
1193 of the most common records management questions, answered plainly.
Records Management Fundamentals
- An employee left and had work records saved only on their personal phone or laptop — how do we recover them?
- Are the outputs of generative AI tools like ChatGPT and Copilot considered records that have to be retained?
- Can a company use a single global retention schedule across multiple countries or do different national laws force separate ones?
- Can an employee be personally fined or fired for deleting records they were supposed to keep?
- Can blockchain make records tamper-proof, and does an immutable ledger satisfy recordkeeping and retention requirements?
- Can keeping records longer than required ever actually hurt me legally, or is more retention always safer?
- Do I really need to keep duplicate copies and convenience copies, or can I delete them anytime?
- Do nonprofits have to keep donor records and how long should a 501(c)(3) retain financial documents?
- Do only signed or finalized documents count as records, or do drafts and working files count too?
- Do retention periods start from creation date or fiscal year end?
- Do visitor sign-in logs count as records, and how long do we keep them?
- Does my organization need a written records management policy to be compliant, or is practice enough?
- How accurate is AI auto-classification of records, and can you trust it enough to apply retention and disposition automatically?
- How do I build and roll out a records management training program for staff?
- How do I decide whether an email or document is actually a record or just reference material?
- How do I document records destruction and create a certificate of destruction?
- How do I set cutoff dates and disposition triggers in a retention schedule?
- How do I set up records management for a small remote team with no central office?
- How do I start a records management program?
- How do I write a records retention schedule from scratch?
- How do recordkeeping rules differ between regulated industries like healthcare, banking, and government?
- How do we get the records out of an old system that is being decommissioned before we lose them?
- How do you build a business case to get executive buy-in and funding for a records management program?
- How do you build a RACI matrix for a records management program so everyone knows who is accountable?
- How do you classify and file records to a file plan?
- How do you conduct a records inventory step by step?
- How do you draft a records management policy from scratch?
- How do you keep a records retention schedule and policy current as new technology and apps keep getting added?
- How do you reconcile GDPR storage limitation rules with longer US legal retention requirements when a company operates on both sides of the Atlantic?
- How do you transition records management responsibilities when the records officer leaves or retires?
- How does a SAORM differ from an agency records officer, and can one person hold both roles?
- How does Canada's Access to Information Act (ATIP) compare to the US FOIA for requesting government records?
- How does the EU eIDAS regulation treat the legal validity of electronic signatures and records compared to the US ESIGN Act?
- How does the UK Public Records Act and the 20-year rule differ from how US federal records are transferred to NARA?
- How long do board meeting minutes and resolutions need to be retained?
- How long do law firms have to keep closed client files and can they shred them without permission?
- How long do we have to keep employee expense reports and reimbursement receipts?
- How long do we have to keep payroll records and employee timesheets?
- How long do we need to keep security camera and CCTV footage before deleting it?
- How long does HIPAA require medical practices to keep patient records after the last visit?
- How long must insurance companies retain claim files and policy records after a claim is closed?
- How long should a company keep paid invoices and accounts payable records?
- How long should we keep job applications and resumes from candidates we didn't hire?
- How long should we retain IT system and user access logs?
- How many records management staff and how much budget does an organization actually need for the size of its records program?
- How often should we audit our records retention practices to stay compliant?
- How should I handle duplicate copies of the same record across different systems?
- If I delete a file and empty the recycle bin, is the record actually destroyed?
- Is ISO 15489 used as a global records management standard and do countries like the UK and Australia have their own national versions?
- Is it really safer to just keep everything forever instead of deleting records on a schedule?
- Is shredding documents the same thing as defensible disposition under a retention schedule?
- Isn't records management just the IT department's job, or does our software handle it automatically?
- Once a record's retention period expires, does it stop being a record so I can delete it freely?
- Our contract with a records storage vendor is ending — how do we get our records back safely?
- Should I keep draft versions of a document or only the final approved version?
- We found boxes of records that are years past their retention date — can we just shred them now?
- What are an individual employee's day-to-day records management responsibilities, and what are they personally accountable for?
- What are IT's specific responsibilities for records management versus what the records department handles?
- What are the first things we should do in the first hours after a flood or fire damages our paper records?
- What are the steps to apply and later release a legal hold on records?
- What are the steps to transfer permanent records to the National Archives?
- What do I do if a record that should exist cannot be found when someone requests it?
- What does a records management compliance audit actually check for?
- What evidence do I need to prove our records program is compliant if a regulator shows up?
- What happens if you keep records longer than the retention period?
- What happens when two departments have conflicting retention schedules for the same type of record?
- What is a good file naming convention for organizing business records?
- What is a non-record?
- What is the difference between a big-bucket retention schedule and an itemized granular schedule, and when should you use each?
- What is the difference between a record and a document?
- What is the difference between a records officer and a records liaison or coordinator, and what does each one actually do?
- What is the difference between a transitory record and a record that has to go on a retention schedule?
- What is the difference between active and inactive records?
- What is the difference between an official record copy and a convenience copy of the same document?
- What is the difference between Controlled Unclassified Information (CUI) and classified information?
- What is the difference between destroying a record and just deleting a file?
- What is the difference between filing records and just saving files in folders?
- What is the difference between metadata and the actual data in a record, and why does records management care about both?
- What is the difference between migration and emulation for keeping old electronic records readable?
- What is the difference between records management and document management?
- What is the difference between records management and knowledge management?
- What is the difference between storing records on a shared drive and keeping them in a recordkeeping system?
- What is the records continuum model used in Australia and how is it different from the US records lifecycle?
- What is the records lifecycle?
- What KPIs and metrics should you put on a records management dashboard to report program health to leadership?
- What recordkeeping rules does FINRA impose on broker-dealers for client communications?
- What records are legally required to be kept by a small business?
- What records do construction companies need to keep for completed projects and how long?
- What records retention requirements apply to state and local government agencies under their own schedules?
- What should I do if a record was destroyed before its retention period ended by mistake?
- What should I do with old records I inherited that have no retention schedule?
- What student records does FERPA require schools to keep, and which ones can be destroyed?
- What's the difference between a legal retention requirement and an industry best-practice guideline?
- Where should the records officer report in the org chart, and should records management sit under IT, legal, or compliance?
- Which country's data laws apply when records are stored in the cloud across multiple jurisdictions?
- Which records management maturity model should you use to assess your program, and how do you score where you are today?
- Who is legally liable when a company can't produce records a court asks for?
- Who is responsible for placing and lifting a legal hold, and is it legal, IT, or the records officer?
- Who is responsible for records management in an organization?
- Who is supposed to declare a record day to day, the employee or the records department?
- Who owns business records — the employee or the organization?
- Why is records management important?
Retention & Disposition
- Can a company be fined for keeping records longer than the law requires?
- Can any manager authorize destroying records, or does it have to be someone specific?
- Can deleting emails too soon be considered illegal spoliation of evidence?
- Can different copies of the same document have different retention periods?
- Can GDPR storage limitation requirements force you to delete records you are legally required to keep elsewhere?
- Can I just delete old records whenever I need to free up storage space?
- Can records be destroyed during litigation or an audit?
- Do I have to keep records in their original format to satisfy retention requirements?
- Do I really need a retention schedule if my company never deletes anything?
- Do state and local government agencies have to follow their state archives' retention schedules, and what happens if they don't?
- Does a litigation hold override my company's retention schedule?
- Does ISO 15489 carry legal weight outside the US or is it just a voluntary global baseline?
- Does legal or the records officer decide how long to keep records, and what happens when they disagree?
- Does storing records on blockchain satisfy retention and disposition requirements, and can immutable records ever be deleted?
- How do cross-border data transfer rules affect where you can store and retain electronic records?
- How do I dispose of records securely?
- How do I prove a record was destroyed according to the retention schedule?
- How do I prove my records destruction was defensible if I get sued?
- How do I reduce records storage costs?
- How do we handle records still sitting in a system that is being decommissioned or shut down?
- How do you classify records to a file plan so they map to the right retention category?
- How do you document the destruction of records so the disposal is defensible?
- How do you keep a records retention program current as new technologies and collaboration tools keep emerging?
- How do you plan and run a records digitization project from start to finish?
- How do you set the cutoff and disposition trigger for a record series?
- How do you train employees to follow a records retention schedule?
- How do you transfer permanent records to NARA, and what are the steps?
- How does records retention under the UK Public Records Act differ from the US Federal Records Act?
- How long do I need to keep business records?
- How long do insurance companies have to retain claim files and policy records under state insurance regulations?
- How long do you need to keep job applicant and recruitment records for candidates you didn't hire?
- How long does HIPAA require healthcare providers to keep patient medical records, and is that different from state retention laws?
- How long must a law firm keep closed client files, and when can it destroy them without the client's consent?
- How long should I keep employee records?
- How long should I keep tax records?
- How long should IT keep system access logs and audit logs?
- How long should you keep purchase orders and procurement records after a contract closes?
- How often should a records retention schedule be reviewed and updated?
- How should a multinational company reconcile conflicting records retention laws across the countries it operates in?
- Is a longer retention period always safer than a shorter one?
- Is it true that keeping everything forever is the safest option for records?
- Once a retention period expires, do I have to delete the record immediately?
- We found a batch of records that are years past their retention period during a cleanup, what do we do with them now?
- What are construction firms required to keep for project records, and how long after a building is completed?
- What are IT's responsibilities versus the records officer's when applying retention rules in a system?
- What are the penalties for destroying records before their retention period ends?
- What does eIDAS require for the long-term validity of electronically signed records in the EU?
- What does FERPA say about how long schools must keep student education records and when they can dispose of them?
- What happens if I keep a record past its retention period instead of destroying it on time?
- What happens if you can't produce records during a regulatory audit?
- What happens to retention requirements when one company acquires another?
- What happens when records under a legal hold still exist in our backups after they were supposed to be deleted?
- What is a big bucket retention schedule?
- What is a disposition hold and how is it different from a litigation hold?
- What is a records inventory?
- What is a records retention period and how is it calculated?
- What is an individual employee actually responsible for when it comes to retention and disposition?
- What is defensible disposition?
- What is the Australian records continuum model and how does it differ from the US records lifecycle?
- What is the difference between a records officer and a records liaison officer, and who reports to whom?
- What is the difference between a retention period and a statute of limitations?
- What is the difference between a retention schedule and a records schedule?
- What is the difference between deleting a record and destroying it under a records retention schedule?
- What is the difference between event-based retention and time-based retention, and how do you set up each one?
- What is the difference between purging records and archiving them when storage fills up?
- What is the difference between transferring records to an archive and destroying them at the end of a retention period?
- What is the difference between transitory records and temporary records, and do they have separate retention periods?
- What is the most common mistake people make when applying a retention schedule?
- What is the penalty for destroying records too early?
- What recordkeeping rules does FINRA require broker-dealers to follow for retaining business text messages and chat?
- What records am I legally required to keep for an IRS or tax audit?
- What records does a nonprofit need to keep for IRS Form 990 and donor compliance, and for how long?
- What records management maturity models exist and how do you assess which level your program is at?
- What should I do if a record cannot be located when someone requests it for a FOIA request or audit?
- What should I do if records were destroyed too early by mistake before their retention period ended?
- What should I do with records that have no assigned retention period?
- What should we do if an employee leaves with business records saved on a personal device?
- What triggers a retention period?
- What's the difference between a retention period and a destruction date?
- Who decides how long records should be kept in an organization?
- Who has the authority to approve destroying federal records?
- Who is held accountable if records are destroyed too early or kept past their retention period?
- Who is legally liable when records are destroyed without proper authorization?
- Who should sit on a records retention committee and what decisions does it actually make?
- Who signs off before records are destroyed, and how many approvals does a disposition certificate need?
- Whose job is it to apply a litigation hold and make sure scheduled disposition actually stops?
Federal Records Management
- Are records created by federal contractors considered federal records?
- Big-bucket vs item-level retention schedules: how do I decide which approach to use?
- Can a federal employee be personally fined or jailed for deleting government records?
- Can federal employees conduct official business on personal devices or apps?
- Can I delete old federal records to free up storage space when our shared drive gets full?
- Can you destroy records in one country when GDPR requires deletion but another jurisdiction requires retention?
- Disposition vs destruction: are they the same thing in records management?
- Do backup tapes and system backups have to be preserved when records on them are under a litigation hold?
- Do board meeting minutes and committee records have to be kept permanently in a federal agency?
- Do federal agencies still have to manage paper records after M-23-07?
- Do I really have to destroy records as soon as a NARA-approved schedule says they're eligible, or can the agency keep them longer?
- Does an agency have to report unauthorized destruction of federal records to NARA, and how soon?
- Does an eIDAS qualified electronic signature satisfy US records authenticity requirements?
- Does SEC Rule 17a-4 require broker-dealers to keep electronic communications like texts and chat?
- Does storing records on blockchain actually make them tamper-proof and legally admissible?
- How do I assess my records program's maturity level and figure out what to improve next?
- How do privacy and information security officers share responsibility with records staff for protecting sensitive records?
- How do the records officer, CIO, and SAORM divide responsibility for an agency's records program?
- How do we handle federal records that are discovered years past their approved disposition date and never destroyed?
- How do we recover our records when a cloud vendor or contractor holds them and the contract is ending or terminated?
- How do you build a records management training program for staff, and what should new-employee and annual refresher training cover?
- How do you classify and file federal records to a file plan so they are categorized to the right record series?
- How do you conduct a records inventory at a federal agency, and what information do you collect for each record series?
- How do you lift a legal hold and resume disposition once litigation ends, and what do you document?
- How do you plan and run a records digitization project from pilot to backlog, and what should the project plan cover?
- How do you write a records management policy from scratch, and what sections does a defensible policy need to include?
- How does a federal agency get a new records schedule approved by NARA?
- How does an organization operating in multiple countries reconcile conflicting records retention laws?
- How does Canada's ATIP process for accessing government records compare to a US FOIA request?
- How does NARA enforce records management rules when an agency is found out of compliance?
- How long are agencies required to retain CCTV and security camera footage?
- How long do hospitals have to keep patient medical records under HIPAA and state retention laws?
- How long does a federal agency have to keep contract files after a contract closes out?
- How long does an agency keep an employee's Official Personnel Folder after they leave?
- How long must a school keep student education records under FERPA before it can destroy them?
- How long should an agency keep visitor logs and building access records?
- How long should travel vouchers and employee expense reports be retained?
- If I delete an email from my Outlook inbox, does that actually delete the official federal record under Capstone?
- In a FOIA response, what is the difference between withholding a record and redacting it?
- Is it a myth that work I do on my personal email or phone can't be a federal record because it's not on a government system?
- Is it true that if my IT department backs up our servers, the agency doesn't also need a separate records management system?
- Is it true that once a document is saved in SharePoint or a shared drive it automatically counts as a properly managed federal record?
- Is using auto-deleting messaging apps like Signal a violation of the Federal Records Act?
- Migration vs emulation for preserving digital records: which one keeps a file readable long-term?
- What are an agency's legal obligations when an employee uses personal email for official business?
- What are the specific duties of a Senior Agency Official for Records Management (SAORM) and who do they report to?
- What are the steps to apply records cutoff and trigger disposition under a federal retention schedule?
- What are the steps to physically transfer permanent electronic records to NARA, and what forms and metadata are required?
- What financial and donor records is a 501(c)(3) nonprofit legally required to keep, and for how long?
- What happens if a federal agency misses the NARA deadline to manage all records electronically?
- What happens to a federal employee's records and email when they leave or change agencies?
- What happens when a federal record is accidentally destroyed before its retention period ends, and how do we report it to NARA?
- What is a federal Agency Records Officer and what are they responsible for?
- What is a SAORM?
- What is an SF-115 and how is it used to dispose of federal records?
- What is NARA?
- What is OMB/NARA Memorandum M-23-07?
- What is the Capstone approach to managing federal email?
- What is the correct process for handling federal records when a legacy IT system is being decommissioned or shut down?
- What is the difference between a federal record and personal papers?
- What is the difference between a litigation hold and a records freeze, and do they cover the same documents?
- What is the difference between a vital record and a permanent record, and can a record be both?
- What is the difference between an agency records officer and a records liaison or records custodian?
- What is the difference between classified information and CUI, and can the same document be both?
- What is the difference between FOIA in the US and the UK Freedom of Information Act 2000?
- What is the difference between metadata and the actual record content, and why does metadata count as part of the record?
- What is the difference between temporary and permanent records?
- What is the Federal Records Act?
- What is the General Records Schedule (GRS)?
- What is the most common mistake agencies make by assuming it's always safer to keep every federal record forever?
- What is the NARA Federal Agency Records Management Self-Assessment and is it mandatory?
- What is the penalty for unlawful destruction of federal records?
- What is the Presidential Records Act?
- What is the role of an agency's Office of General Counsel in records management and litigation holds?
- What is the role of the IT department in federal electronic records management?
- What recordkeeping requirements do FERC and NERC impose on electric utilities for compliance evidence?
- What records do federal agencies have to produce during a congressional or inspector general investigation?
- What records does a law firm have to keep after a client matter closes, and who owns the client file?
- What records management responsibilities does a federal employee personally have for their own emails and documents?
- What records retention rules do state and local government agencies follow if they aren't covered by the Federal Records Act?
- What should an agency do if a record responsive to a FOIA request cannot be located or appears to be missing?
- What should we do if a federal employee leaves the agency with official records stored on their personal phone or laptop?
- What training is required for federal records management staff and how often?
- When does a federal agency transfer permanent records to NARA?
- Where do I find the retention period for federal payroll and time-and-attendance records?
- Which records schedule covers IT system and user access logs, and how long are they kept?
- Who audits federal agencies for records management compliance, and what do they look for?
- Who is responsible for managing records created in SaaS apps the records team didn't approve?
- Why can't I just leave records management to the agency records officer since it's their job, not mine?
- Why do international organizations use ISO 15489 instead of country-specific recordkeeping laws?
Electronic Records Management
- Are digital signatures legally valid on records?
- Are spreadsheets and database entries considered records I need to retain?
- Can a company be sanctioned for not preserving electronic records when it should have anticipated litigation?
- Can I just save a file as a PDF and call it a permanent electronic record?
- Can I store official records in the cloud?
- Can my cloud vendor's retention settings be trusted to delete records correctly, or is that still my responsibility?
- Can SharePoint be used as a records management system, or do I need separate software?
- Can you legally store records about EU citizens on servers located in the United States?
- Do backups still under a legal hold have to be preserved even after the records were deleted from the live system?
- Do I have to keep every draft and old version of an electronic document?
- Do I really need to keep electronic records in their original file format, or can I convert everything to PDF?
- Does SEC Rule 17a-4 require electronic records to be stored in a non-rewritable WORM format?
- How do I apply and release a legal hold inside an electronic records system without breaking the retention schedule?
- How do I build a business case to get executives to fund an electronic records management program?
- How do I figure out the retention period for I-9 forms and hiring records of applicants we didn't hire?
- How do I figure out which files on a shared network drive are actually records and which are junk?
- How do I inventory electronic records scattered across shared drives, email, and cloud apps?
- How do I keep electronic records readable as technology changes?
- How do I keep records under control when employees keep spinning up new cloud and SaaS apps?
- How do I migrate records when we replace an old system?
- How do I set up automatic cutoff and disposition triggers in an electronic records management system?
- How do I write an electronic records management policy that staff will actually follow?
- How do state and local governments handle text messages and emails as public records under open records laws?
- How do we handle electronic records when an old system or application is being decommissioned?
- How do you handle records retention when GDPR data minimization conflicts with another country's mandatory retention period?
- How does a regulator decide whether an organization's electronic recordkeeping is compliant during an audit?
- How does eIDAS treat electronic signatures and timestamps on records differently from US e-signature law?
- How long do insurance companies have to retain electronic claims files and policy records, and who sets those rules?
- How long do IT system and access logs need to be kept for compliance?
- How long should we retain workplace incident and accident reports?
- How often should we revisit our records management program to keep up with new technology?
- How should a law firm manage electronic client files and matter records, and how long do you keep them after a case closes?
- How should records management responsibilities be divided between IT, legal, and the privacy office for a new records system?
- How should we handle records stored in cloud apps like Google Drive, OneDrive, and Dropbox?
- If I scanned a paper document, can I delete the electronic copy and keep only the paper, or vice versa?
- Is deleting electronic records to free up server space ever a legitimate reason?
- Is it true that if our IT backups capture everything, we don't need a separate records archive?
- TIFF vs PDF/A: which format is better for long-term electronic record preservation?
- We found electronic records that should have been destroyed years ago, so what do we do now?
- What are SEC and FINRA's electronic records requirements for broker-dealers, and what does WORM storage have to do with Rule 17a-4?
- What are the legal risks of migrating electronic records to a new system without preserving metadata?
- What are the records retention requirements for construction projects, and how long do you keep contracts, drawings, and inspection records after a building is finished?
- What are the SAORM's specific duties for electronic records management under federal requirements?
- What are the steps to build a file plan and map it to retention rules in an electronic records system?
- What are the steps to document a defensible destruction of electronic records so it holds up in an audit?
- What compliance obligations apply when employees use chat apps and collaboration tools that the records system does not capture?
- What do we do if a record can't be located when a FOIA or public records request comes in?
- What does 'born-digital' mean?
- What does the law require an electronic records system to log in its audit trail?
- What evidence do you need to defend the destruction of an electronic record in court?
- What file format should I use for long-term electronic records?
- What file naming conventions should we use to keep electronic records organized?
- What happens if we accidentally delete electronic records before their retention period ends?
- What happens if we keep all our electronic records forever instead of deleting them on schedule?
- What happens to an employee's electronic records when they leave the company?
- What happens to our electronic records when a cloud vendor or service contract ends?
- What is a file plan?
- What is auto-classification?
- What is the difference between a backup copy and a recordkeeping copy of an electronic file?
- What is the difference between a big-bucket and a granular retention schedule for electronic records?
- What is the difference between a system owner and a records officer when it comes to electronic recordkeeping?
- What is the difference between ECM and records management?
- What is the difference between filing a US FOIA request and a Canadian ATIP request?
- What is the difference between format migration and normalization when transferring electronic records to an archive?
- What is the difference between in-place records management and moving records into a dedicated repository?
- What is the difference between metadata and the data inside an electronic record, and why does it matter for records management?
- What is the most common mistake organizations make when storing records in SharePoint or a shared drive?
- What KPIs prove to leadership that a records program is reducing risk and cost?
- What makes an electronic record trustworthy?
- What metadata should a record have?
- What metrics should I track to measure whether our electronic records management program is working?
- What records management responsibilities do individual employees have for the electronic records they create?
- What records retention rules apply to nonprofits, and how long must they keep Form 990s, donor records, and grant documentation?
- What role does the information security team play in electronic records management?
- What student records does FERPA let a school destroy, and what has to be kept permanently?
- Who is legally liable when an automated retention rule deletes a record that should have been kept?
- Who is responsible for configuring retention and disposition rules in an electronic records system?
- Who is responsible for managing records inside an electronic records management system, IT or the records officer?
- Who signs off before an agency deploys a new electronic recordkeeping system?
- Why can't I just drag old files into a folder labeled 'Archive' and consider them archived?
- Why do multinational companies use ISO 15489 as a baseline for records management across jurisdictions?
Information Governance
- Big-bucket vs item-level retention schedules: how do I choose between them?
- Can a company be penalized for keeping data too long under privacy laws even if nothing was breached?
- Can a US company store records in the EU, or do data localization and cross-border transfer rules block it?
- Can executives or board members be held personally liable for information governance failures?
- Can information governance help reduce cloud storage costs, and how?
- Can our IT department decide on its own to delete old files to free up server space?
- Can we just keep everything forever to be safe instead of bothering with a retention schedule?
- Can we let an AI model train on or index our records, and what are the records and privacy risks?
- CUI vs classified information: what is the difference and do they get handled differently?
- Do I really need a retention schedule if storage is cheap and we never run out of space?
- Do state and local government agencies have to follow a state-approved records retention schedule before destroying records?
- Does a written information governance policy actually protect a company in court if records were mishandled?
- Does the EU GDPR override a company's retention schedule when keeping personal data across borders?
- How do I assess my organization's information governance maturity and figure out the next level to target?
- How do legal, privacy, and records roles divide responsibility during a litigation hold or e-discovery request?
- How do overlapping regulations like GDPR, HIPAA, and SOX get reconciled in one information governance policy?
- How do we keep our records management program current as new technology and tools keep being adopted?
- How do we recover records from a departing employee's personal device before they leave?
- How do you build an information governance program from scratch in a small company?
- How do you get employees to actually follow information governance rules?
- How do you measure the ROI of an information governance program?
- How do you measure whether an information governance program is working?
- How does Library and Archives Canada decide which government records are kept permanently?
- How is information governance different from records management and data governance?
- How long do you have to keep payroll records and timesheets, and what rules set that period?
- How long does a law firm have to keep client files after a matter closes, and who decides what gets destroyed?
- How long should a business keep accounts payable records like invoices and purchase orders?
- How long should a company keep board meeting minutes and where do you find the right retention period?
- How long should an organization keep IT system and access logs, and what determines the retention?
- How long should you retain job applicant and interview records for candidates you didn't hire?
- How should an information governance committee be structured and which departments need a seat at the table?
- Is it a myth that email isn't really a record, or do work emails actually have to be managed like records?
- Is it true that our nightly backups count as our records archive, or do we still need a separate retention system?
- Metadata vs data: what is the difference and why does metadata matter for records?
- What are the day-to-day responsibilities of a records management officer versus a records liaison in each department?
- What are the fines for failing to produce records during a regulatory investigation or audit?
- What are the IGRM maturity levels and how do you assess them?
- What documentation do regulators expect to see during an information governance audit?
- What does an information governance committee actually do day to day?
- What does FINRA require for retaining broker-dealer communications like emails and text messages?
- What happens if we treat information governance as just an IT project instead of a business-wide responsibility?
- What happens to records when a company closes or is acquired?
- What happens when our backups still contain records that are under a legal hold we tried to lift?
- What is a litigation hold?
- What is e-discovery?
- What is eIDAS and how does it affect the legal validity of electronic records and signatures in the EU?
- What is electronically stored information (ESI)?
- What is information governance?
- What is ROT (redundant, obsolete, trivial) data?
- What is the difference between a chief data officer and a chief information governance officer?
- What is the difference between a DMS and an ECM system, and do I need both?
- What is the difference between data governance and information governance?
- What is the Information Governance Reference Model (IGRM)?
- What is the most common mistake organizations make when starting an information governance program?
- What laws actually require a company to have an information governance program, or is it voluntary?
- What recordkeeping rules does FERC impose on energy and utility companies, and which operational records must they retain?
- What records does a nonprofit need to keep to stay compliant with IRS Form 990 and maintain tax-exempt status?
- What records management duties can a manager delegate to staff and which ones can't be delegated?
- What should be included in an information governance policy document?
- What should we do if a record cannot be located when responding to a request or audit?
- What should we do when a vendor still holds our records and the contract is ending?
- What should we do when we find records sitting past their retention period during an office cleanup?
- Where does the line fall between IT and the records department when it comes to retention and disposition of data?
- Who is legally on the hook when a third-party vendor or cloud provider loses our governed records?
- Who is responsible for declaring and classifying a record at the moment it's created — the employee, IT, or the records team?
- Who owns and can recover our records when a SaaS vendor shuts down or we switch providers?
- Who should own information governance in an organization, IT or legal?
- Who should own the records retention schedule and who has authority to approve changes to it?
- Who should sit on an information governance committee?
- Why can't I just delete data I no longer need whenever I want under our information governance policy?
E-Discovery & Litigation Readiness
- A key custodian left the company—how do we preserve and collect their email and files after they're gone?
- An employee admitted to deleting emails relevant to a lawsuit—what do we do now?
- Are curative measures or monetary fines available when lost data can be replaced through other sources?
- Can a company be sanctioned for spoliation when an employee auto-deleted text messages or ephemeral chats?
- Can a court order cost-shifting or limit search terms when keyword searches return an unmanageable hit count?
- Can a US court compel production of EU employee emails when GDPR and a blocking statute prohibit transferring the data abroad?
- Can employees collect their own documents for discovery, or do we need IT or a vendor to do it?
- Can I collect Slack messages for e-discovery without altering timestamps or read receipts?
- Can routine disposition of records continue while a litigation hold is in place, and how do I scope the hold so it doesn't freeze everything?
- Can the requesting party dictate the form of production, or does the producing party get to choose the format under FRCP 34?
- Do custodians have to acknowledge a legal hold, and how do you track who hasn't responded?
- Do I have to preserve backup tapes once a litigation hold is in place, or are they 'not reasonably accessible'?
- Do I need to suspend auto-delete and snapshot rotation when a legal hold attaches to a system?
- Does a Rule 502(d) clawback order actually protect you from waiving privilege on inadvertently produced documents?
- Does copying files to a new folder change the metadata, and how do I collect documents without spoiling the metadata?
- Does deleting documents under a routine retention schedule count as spoliation if litigation is anticipated?
- Does the French blocking statute (Law No. 68-678) actually prevent me from responding to a US discovery request, and what penalties apply if I comply anyway?
- Does the Hague Evidence Convention provide a workable alternative to the Federal Rules for obtaining documents located in GDPR-covered countries?
- How broad should the scope of a litigation hold be, and can you be sanctioned for over-preserving or under-preserving?
- How can I estimate and document review costs to support a proportionality argument before the meet-and-confer?
- How do courts distinguish negligent loss of evidence from intentional destruction when deciding sanctions?
- How do I build a data map for e-discovery, and what data sources do legal and IT often miss?
- How do I conduct a Sedona Conference proportionality and comity analysis to argue against producing personal data protected under GDPR?
- How do I issue a litigation hold for data stored in cloud and SaaS apps like Google Workspace or Salesforce?
- How do I justify a date range limitation in discovery when opposing counsel demands the full custodial history?
- How do I narrow a list of custodians in e-discovery without risking spoliation claims?
- How do I preserve a Microsoft Teams channel including chats, posts, and shared files for litigation?
- How do I preserve and collect ESI from an employee's personal phone under a BYOD policy?
- How do I reconcile a litigation hold preservation obligation with a data subject's GDPR right to erasure during active litigation?
- How do I safely release a legal hold and resume disposition once a matter closes without risking spoliation?
- How do the identification, preservation, and collection stages hand off to each other without breaking chain of custody?
- How do you build a privilege log during the review stage and what has to be on it under FRCP 26(b)(5)?
- How do you defend a predictive coding protocol when opposing counsel demands the seed set and training documents?
- How do you identify which custodians and data sources to include in a legal hold?
- How do you monitor and audit ongoing compliance with a legal hold to prove you took reasonable steps?
- How do you produce modern files like Slack, Teams chats, and dynamic spreadsheets that don't fit native or image formats?
- How do you redact privileged or PII content from native Excel spreadsheets without breaking formulas or hidden data?
- How do you use statistical sampling to argue that restoring backup tapes or reviewing a data set is not proportional?
- How does a current records retention schedule shrink the volume of data subject to discovery?
- How does Bates numbering work for natively produced files that have no fixed pages?
- How does defensible deletion reduce e-discovery costs, and what do I need to document to prove the deletion was defensible?
- How does email threading reduce review costs and is it safe to review only the inclusive email in a thread?
- How does processing reduce data volume before review in e-discovery (de-NISTing, deduplication, and date filtering)?
- How far back in time and how broadly do we have to preserve documents when we anticipate litigation?
- How often do you need to send legal hold reminders and re-issue the notice to custodians?
- How should the parties agree on production formats and metadata fields in an ESI protocol or meet-and-confer?
- Is failure to issue a litigation hold by itself enough to support a finding of spoliation?
- Should I pseudonymize, redact, or minimize personal data in EU documents before producing them in US discovery, and which approach satisfies GDPR data minimization?
- The data we need for discovery lives in a system we're about to decommission—how do we handle it?
- The opposing party is demanding we produce literally everything—how do we push back on an overbroad discovery request?
- We accidentally produced a privileged document—can we claw it back, and how?
- We discovered responsive documents after we already produced—how do we do a supplemental production?
- We just got served with a lawsuit—what's the first thing we should preserve in the first 48 hours?
- What are the six proportionality factors under FRCP Rule 26(b)(1) and how do courts actually weigh them?
- What counts as 'not reasonably accessible because of undue burden or cost' under Rule 26(b)(2)(B), and who bears the burden of proof?
- What counts as forensically defensible collection, and when can custodians self-collect their own ESI?
- What does "reasonably anticipated litigation" actually mean, and what events put a company on notice that it must preserve?
- What does litigation readiness look like for an organization, and how do I assess whether ours is ready before we get sued?
- What GDPR lawful basis (Article 6) and transfer mechanism do I use to move personal data from the EU to the US for litigation review?
- What information has to be on a privilege log and can you produce a categorical or metadata privilege log instead?
- What information must a legal hold notice contain to be legally defensible?
- What is a clawback agreement and FRE 502(d) order, and how do they protect inadvertently produced privileged documents?
- What is early case assessment in the EDRM and how does it shape preservation, collection, and review scope?
- What is the best way to produce structured data from a database or SQL system in discovery?
- What is the difference between a litigation hold and a retention schedule, and what happens when they conflict?
- What is the difference between native, near-native, and TIFF-plus-load-file production formats, and how do I decide which to use?
- What is the difference between near-duplicate detection and exact deduplication in document review?
- What is the difference between producing extracted text versus OCR text, and when is each required in a production?
- What is the difference between technology-assisted review (TAR 1.0) and continuous active learning (TAR 2.0)?
- What is the safest workflow for in-country document review in the EU so personal data never crosses the border during US litigation?
- What language should a written objection use to push back on an overbroad document request as disproportionate?
- What level of intent must be proven before a court orders the most severe spoliation sanctions like default judgment or dismissal?
- What metadata fields must be preserved through collection and processing so a production is defensible?
- What metadata fields should a production load file include, and what do DAT, OPT, and LFP files do?
- What must the requesting party show to prove prejudice from lost ESI before sanctions are awarded?
- What recall and precision rates does a court expect from a TAR review to be considered defensible?
- What steps should you take after discovering you inadvertently produced privileged documents to opposing counsel?
- What's the difference between forensic imaging and logical collection, and when do I need a full forensic image?
- When can a court impose an adverse-inference instruction for lost electronically stored information under FRCP 37(e)?
- When can a party shift e-discovery costs to the requesting party, and what is the Zubulake seven-factor test?
- When can a US litigant rely on GDPR Article 49 derogations (necessary for legal claims) to transfer personal data without an adequacy decision or SCCs?
- When does the duty to preserve evidence trigger and how far back does it reach before a lawsuit is filed?
- When does the duty to preserve records for litigation actually begin, and how does anticipated litigation trigger a hold?
- When exactly does the duty to preserve evidence trigger, and does it start before a lawsuit is actually filed?
- When is it safe to release a legal hold, and what should you document before lifting it?
- When is keyword searching better than predictive coding, and can you use both together in the same review?
- When is technology-assisted review (predictive coding) defensible to use instead of linear human document review?
- When should you produce documents in native format versus TIFF or PDF images in e-discovery?
- Who is responsible for collecting ESI from third-party custodians or vendors that hold our data?
- Who is responsible for issuing and tracking a legal hold across legal, IT, and records management?
FOIA & Public Records
- Am I supposed to get an acknowledgement letter after I file a FOIA request, and what should it contain?
- Are emails on a city council member's personal phone subject to state public records law?
- Are police body-camera footage and incident reports public records under state law?
- Are state university student disciplinary records subject to public records requests, or does FERPA block them?
- Can a business stop an agency from releasing its confidential information under FOIA (reverse FOIA)?
- Can a federal employee be personally disciplined for destroying records that are subject to a FOIA request?
- Can a FOIA request be made anonymously?
- Can a freelance journalist or blogger qualify for the news media fee category under FOIA?
- Can a government agency charge for staff time and attorney review when fulfilling a public-records request?
- Can a non-citizen or foreign national file a FOIA request for U.S. government records?
- Can a public hospital withhold patient information from a state open records request under HIPAA?
- Can a state public-records office require me to state my reason or prove residency to get records?
- Can a US company be forced to hand over records stored in the EU during litigation?
- Can an agency be held in contempt for ignoring a court order to release records under FOIA?
- Can an agency charge me FOIA search and review fees if it misses the 20-day response deadline?
- Can an agency just stamp a whole document exempt, or does it have to release the parts that aren't?
- Can an agency set high copying fees to discourage people from filing public records requests?
- Can an agency use FOIA Exemption 5 attorney-client privilege to withhold communications with outside consultants or contractors?
- Can an insurance company's filings with a state insurance department be obtained through a public records request?
- Can I ask an agency to proactively disclose records instead of filing a formal FOIA request?
- Can I ask for a fee waiver on a FOIA request and how do I qualify for one?
- Can I file both a Mandatory Declassification Review and a FOIA request for the same classified document at the same time?
- Can I recover attorney fees and costs if I win my FOIA lawsuit, and what makes me 'eligible' versus 'entitled'?
- Can I request records about myself under FOIA or do I have to use the Privacy Act?
- Can I still appeal or sue if the agency only sent a partial release with redactions instead of a full denial?
- Can the public request inspection reports and safety records from a regulated electric utility?
- Do I have to file an administrative appeal before I can sue an agency in federal court over a FOIA denial?
- Do individual employees have to help respond to a FOIA request for their own emails?
- Do journalists get faster FOIA processing or lower fees than regular requesters?
- Do open-meetings (sunshine) laws require a public body to give advance notice and post an agenda before meeting?
- Does a nonprofit that receives government grants have to disclose its records under FOIA or state open records laws?
- Does a private law firm have to respond to a public records request when it does contract work for a city?
- Does an agency have to give me the first two hours of search time and 100 pages free under FOIA?
- Does an agency have to notify me before charging FOIA fees over a certain dollar amount?
- Does FOIA apply to private companies?
- Does FOIA Exemption 3 require Congress to name a specific statute, and how do I find which statutes qualify?
- Does GDPR override a company's own retention schedule for keeping employee or customer data?
- Does the 'frequently requested records' rule mean an agency has to post documents after they've been requested three times?
- Does using a personal email or text app to conduct government business violate FOIA and public records laws?
- Does using OGIS mediation pause or replace my right to file a FOIA appeal?
- How can I get FOIA fees waived or reduced when an agency demands hundreds of dollars in search and copying costs?
- How can I use an agency's annual FOIA report to estimate how long my request will take?
- How can the FOIA Public Liaison or OGIS mediation help when my request is stuck or denied?
- How do construction firms respond to a public records request for bid documents on a government project?
- How do I appeal a denied state public-records request, and can I recover attorney fees if I win?
- How do I appeal a FOIA response where almost every page came back fully redacted?
- How do I assess my organization's records management maturity level and benchmark it against peers?
- How do I file a FOIA lawsuit and when is suing the agency actually worth it?
- How do I find out if someone else already requested the records I want through FOIA?
- How do I find the right FOIA office or component within a large federal agency to send my request to?
- How do I qualify for expedited processing of a FOIA request and what counts as a compelling need?
- How do I request records from a school district, and does FERPA block release of student information?
- How do I word a FOIA fee waiver request so it actually gets approved?
- How do I write a FOIA request letter so the agency doesn't reject it as too vague?
- How do legal, privacy, and program offices divide the review work on a FOIA request?
- How do we handle a FOIA request for records that a disaster damaged or destroyed?
- How do we handle a FOIA request for records that were already destroyed under an approved retention schedule?
- How do we respond to a FOIA request when the records are held by a vendor and the contract is ending?
- How do you apply FOIA exemptions and redact a document so the release is defensible?
- How do you calculate and document FOIA processing fees and search-time estimates?
- How do you set up a FOIA log to track requests, deadlines, and dispositions?
- How do you set up a proactive disclosure or FOIA reading room so records post automatically?
- How do you write a Vaughn index for documents withheld under FOIA?
- How does a commercial requester get charged differently for a FOIA request?
- How does an agency decide which parts of a record are reasonably segregable and must be released?
- How does FOIA multi-track processing work, and which track will my request be assigned to?
- How does the UK Freedom of Information Act 2000 differ from the US FOIA?
- How does the UK Public Records Act decide when government records go to The National Archives?
- How long do I have to file a FOIA appeal after my request is denied?
- How long do I have to file an administrative appeal after a FOIA denial, and does the agency have to tell me the deadline?
- How long does an agency have to decide on my expedited processing request?
- How long does an agency have to respond to a FOIA request?
- How long does the deliberative process privilege under FOIA Exemption 5 last, and does it expire?
- How long should a company keep board meeting minutes and resolutions?
- How long should a company keep purchase orders and accounts payable invoices after they're paid?
- How many days does a city or county have to respond to a public-records request under state law?
- How much does it cost to file a FOIA request?
- How should a researcher word a FOIA request to qualify for the educational or scientific fee category?
- If I delete an email after someone files a FOIA request for it, does that make the request go away?
- Is ISO 15489 recognized as a records management standard outside the United States?
- Is it better to file a FOIA request by mail, email, or the FOIA.gov online portal?
- Is it true that an agency can refuse a FOIA request just because finding the records would be a lot of work?
- Is it true that draft documents and internal emails are automatically secret and can't be released under FOIA?
- Is it true that records held by a government contractor are out of reach for a public records request?
- Should I request my own records under FOIA or the Privacy Act to get more of my file?
- Should I state a fee limit or request a specific format in my FOIA request, and how do I word it?
- What annual FOIA reports are agencies required to file and who reviews them for compliance?
- What are my options when an agency says no records exist in response to my FOIA request?
- What are the nine FOIA exemptions?
- What are the penalties for a government agency that wrongfully withholds records under FOIA?
- What are the steps to conduct a reasonable records search in response to a FOIA request?
- What are the steps to organize records and file plans so an agency can respond to FOIA requests quickly?
- What are the steps to process a FOIA request that spans multiple agency offices or program areas?
- What are the three FOIA exclusions under (c)(1)-(c)(3), and how do they differ from exemptions?
- What can I do if a city or county ignores or stonewalls my open-records request?
- What can I do if a government agency never responded to my FOIA request after the 20-day deadline?
- What can I do if my FOIA request is denied?
- What counts as 'constructive exhaustion' if an agency misses the FOIA response deadline and never answers my request?
- What counts as confidential commercial information under FOIA Exemption 4 after Argus Leader?
- What does 'release to one, release to all' mean, and will documents I requested be posted publicly?
- What does a FOIA officer actually do day to day?
- What does de novo review mean in a FOIA lawsuit, and why does the agency carry the burden of proof?
- What does it mean when a FOIA response says 'no records found' and can I challenge it?
- What does it mean when an agency sends me a 'still interested' letter on my FOIA request?
- What does the FOIA Improvement Act of 2016 require agencies to do differently?
- What does the foreseeable harm standard require an agency to show before withholding records under a FOIA exemption?
- What does the public interest balancing test for FOIA privacy exemptions 6 and 7(C) actually weigh?
- What FOIA fees can a commercial requester be charged that other requesters cannot?
- What happens if I sent my FOIA request to the wrong agency and how do I get it redirected?
- What happens to pending FOIA obligations when the system holding the requested records is being decommissioned?
- What happens when an employee leaves the agency with records on a personal device that are needed for a FOIA request?
- What information must I include in a FOIA request letter for it to be considered properly submitted?
- What is a Chief FOIA Officer report and how is it different from the annual FOIA report?
- What is a FOIA reading room or electronic FOIA library, and how do I search it before filing a request?
- What is a FOIA tracking number and how do I use it to check the status of my request?
- What is a Glomar response and how do I challenge an agency that will neither confirm nor deny records exist?
- What is a perfecting or clarification request, and what happens to my FOIA clock while I respond to it?
- What is a Vaughn index and when does an agency have to produce one?
- What is a Vaughn index and when does the court make the agency produce one in FOIA litigation?
- What is an agency legally required to include in a FOIA denial letter?
- What is Canada's Access to Information and Privacy (ATIP) process and who can use it?
- What is OGIS and how can it help if my FOIA request stalls?
- What is submitter notice and when must an agency tell a company before releasing its records under FOIA?
- What is the difference between a CUI marking and a FOIA exemption when deciding what to release?
- What is the difference between a FOIA exemption and a FOIA exclusion?
- What is the difference between a FOIA fee waiver and a reduced-fee category, and can I ask for both?
- What is the difference between a FOIA Public Liaison and a Chief FOIA Officer?
- What is the difference between a Glomar response and a regular FOIA denial?
- What is the difference between a partial denial and a full denial of a FOIA request?
- What is the difference between a referral and a consultation when an agency finds another agency's records in my FOIA request?
- What is the difference between expedited processing and a fee waiver in a FOIA request?
- What is the difference between FOIA and state public records laws?
- What is the difference between FOIA and the Privacy Act?
- What is the difference between FOIA Exemption 6 and Exemption 7(C) for protecting personal privacy?
- What is the difference between getting records through FOIA and getting them through discovery in a lawsuit?
- What is the difference between proactive disclosure in a FOIA reading room and a regular FOIA request?
- What is the most common mistake agencies make that turns a routine FOIA request into a lawsuit?
- What is the records officer's role in making FOIA responses defensible?
- What is the two-part public interest test an agency uses to grant a FOIA fee waiver?
- What KPIs should I report to leadership to show a records management program is improving?
- What qualifies someone as a representative of the news media for FOIA fee purposes?
- What should a FOIA administrative appeal letter include to give me the best chance of winning?
- What should I do if an agency ignores my FOIA request and never responds?
- What should I do if my FOIA request has been pending for months with no documents and only a tracking number?
- What should we do if records under a litigation hold still exist only on backup tapes when a FOIA request comes in?
- What should we do if two offices give conflicting answers about whether responsive FOIA records exist?
- When can a city council or school board legally go into closed-session executive session?
- When can a court award attorney fees against an agency in a FOIA lawsuit?
- When can a federal agency withhold trade secrets and confidential business information under FOIA Exemption 4 after the Argus Leader decision?
- When can an agency give a Glomar response and how do I challenge it?
- When does the 20-business-day FOIA clock actually start counting?
- Which federal agency do I send my FOIA request to if I don't know who has the records?
- Which federal district court can I file a FOIA lawsuit in, and what do I have to prove in the complaint?
- Which FOIA requester category do I fall into, and how do commercial, news media, educational, and 'all other' fees actually differ?
- Who can file a FOIA request?
- Who decides whether a record can be withheld or must be released in a FOIA request?
- Who is accountable when an agency misses a FOIA deadline or loses responsive records?
- Whose job is it to search for records when a FOIA request comes in?
- Why are FOIA backlogs so long, and how can I find out an agency's current backlog and average response time?
- Why can't I just get government records by asking the official directly instead of filing a formal FOIA request?
- Why does my FOIA request take longer when records are referred to another agency?
Declassification & Classified Records
- Can a hospital or research university hold classified records, and how do FCL and HIPAA rules interact?
- Can a law firm representing a government client retain classified discovery, and who declassifies it after the case?
- Can a multinational company use ISO 15489 as a single recordkeeping standard across all of its countries?
- Can a private citizen request that a specific classified record be declassified?
- Can AI and machine learning reliably assist with declassification review of classified records?
- Can an agency be penalized for over-classifying records to avoid disclosure?
- Can declassified documents be reclassified later?
- Can I destroy a declassified record to save storage space once it's no longer secret?
- Can I just email or store a declassified-but-not-yet-released record on my regular network like any other file?
- Do I really need declassification markings if the document is already old and obviously outdated?
- Does a declassified record still have to be retained, and for how long, under records law?
- Does a state or local government emergency management office have to follow federal declassification rules for classified records it receives?
- Does an eIDAS-compliant electronic signature or seal count as a valid record signature outside the EU?
- Does blockchain or immutable storage actually help with managing classified records and audit trails?
- Does declassification mean a record is automatically released to the public?
- How do energy and utility companies handle Protected Critical Infrastructure Information and classified threat briefings as records?
- How do I appeal an agency's denial of my mandatory declassification review request?
- How do I assess the maturity of my agency's classified records management program?
- How do I build a business case to get executive buy-in for investing in declassification technology?
- How do I conduct a line-by-line declassification review and redact a classified document for release?
- How do I find out if a classified document has already been declassified?
- How do I inventory and prioritize a backlog of aging classified records for automatic declassification?
- How do I properly mark a newly classified document with classification level and declassification instructions?
- How do I refer a classified record to another agency for equity review during declassification?
- How do we handle classified or CUI records held by a cloud provider or contractor when the contract is ending?
- How do we handle classified records that are still sitting on system backups and disaster-recovery tapes after the live copies were processed?
- How do we handle two offices holding the same classified record with conflicting declassification dates or downgrade instructions?
- How do you reconcile conflicting retention rules when the same record must comply with US, UK, and EU laws at the same time?
- How does a defense contractor handle declassification of CUI and classified records when a contract ends?
- How does declassification in the UK work compared to the US, and what role does the 30-year rule and The National Archives play?
- How does GDPR data minimization conflict with legal hold and litigation obligations in other countries?
- How does ISOO audit and enforce agency compliance with classification rules?
- How is a mandatory declassification review request different from a FOIA request for classified records?
- How is automatic declassification different from systematic declassification review?
- How long do you have to keep security clearance and personnel security investigation files after an employee leaves?
- How long do you keep visitor logs and access control records for a facility that handles classified information?
- How long does a mandatory declassification review request usually take to get an answer?
- How long does an agency legally have to respond to a mandatory declassification review request?
- How long does classified information stay classified before it must be declassified?
- How long should an agency retain classified document destruction certificates and SF-702 security container check sheets?
- How long should we retain CCTV and security camera footage from a secure or restricted-access area?
- How many staff and what budget does a declassification review program typically need to clear its backlog?
- How should classified records be handled when an agency moves workloads to a cloud or SaaS environment?
- Is it a myth that once a document is declassified it can never be classified or pulled back again?
- Is it true that a classified record automatically becomes unclassified after 25 years, so I can just shred it?
- Redaction vs sanitization: what's the difference when releasing a classified document?
- What are a university's obligations under DCSA when faculty research produces classified or export-controlled records?
- What are an employee's legal obligations when they discover a classified records spill?
- What are an individual employee's responsibilities for safeguarding classified records they handle?
- What are the duties of an agency's Original Classification Authority versus a derivative classifier?
- What are the levels of security classification?
- What are the penalties for mishandling classified information under federal law?
- What are the records and classification risks of using generative AI tools with sensitive or classified information?
- What are the steps to file a mandatory declassification review request with a federal agency?
- What are the steps to set up an agency systematic declassification review program?
- What are the steps to transfer permanently valuable classified records to the National Archives?
- What does the Senior Agency Official for declassification actually do day to day?
- What happens if a disaster damages classified records and recovery requires sending them to an outside vendor?
- What happens if classified records are accidentally destroyed before their declassification review was completed, and how do we prevent it?
- What happens if classified records are accidentally destroyed or mishandled?
- What happens if I redact a classified document myself and release it instead of waiting for declassification review?
- What happens if you fail to properly mark a document with declassification instructions?
- What happens to a financial firm's classified records when it gets a Suspicious Activity Report tied to national security?
- What happens to classified records after 25 years if no one reviews them?
- What is automatic declassification?
- What is Controlled Unclassified Information (CUI)?
- What is mandatory declassification review (MDR)?
- What is the difference between a declassification exemption and a FOIA exemption for national security records?
- What is the difference between a FOIA request in the US and an Access to Information request under Canada's ATIP?
- What is the difference between Confidential, Secret, and Top Secret?
- What is the difference between original classification and derivative classification?
- What is the most common mistake people make when they assume declassified means publicly releasable?
- What KPIs should I track to measure the effectiveness of a declassification program?
- What role does an agency's records officer play in transferring classified records to NARA?
- What should I do if I find a classified marking on an old record in our files?
- What should we do if a classified system or repository is being decommissioned but the records inside still have years left on their classification?
- What should we do if a record responsive to a FOIA or MDR request cannot be located but we know it was classified?
- What should we do if an employee leaves and we discover classified or CUI records on their personal laptop or home network?
- What's the difference between a security classification and a dissemination control marking like NOFORN or ORCON?
- What's the difference between declassification and downgrading a classified record?
- What's the difference between declassification and redaction?
- Who decides which records get referred to other agencies during declassification review?
- Who has the authority to classify information in the first place?
- Who has the authority to declassify a document before its scheduled date?
- Who is accountable when classified records are over-classified or never declassified on schedule?
- Who is legally authorized to classify or declassify national security information?
- Who is responsible for declassifying and disposing of classified records at a federally funded research and development center?
- Who is responsible for marking declassification instructions when a document is first created?
- Who sits on an agency's declassification review panel and what do they decide?
- Why can't I just declassify a document I created myself when I'm the one who classified it?
- Why is part of a released document blacked out even after it was declassified?
Compliance & Standards
- Can a commercial off-the-shelf system meet the NARA Universal ERM Requirements without being DoD 5015.2 certified?
- Can a company be fined or sanctioned for not following ISO 15489 in a lawsuit?
- Can a US company store its records on servers in another country, and what cross-border data rules apply?
- Can following ISO 15489 actually help us pass an audit or hold up in court?
- Can I just adopt ISO 15489 word-for-word as our records policy, or does it not work that way?
- Can I just pick whichever records standard is easiest, since DoD 5015.2, ISO 15489, and ISO 16175 all basically do the same thing?
- Do I have to pay to read the official ISO 15489 standard or is it available for free?
- Do I really need to follow the NARA Universal ERM Requirements if my agency already passed an inspection a few years ago?
- Does a company in the private sector need to follow DoD 5015.2 or is it only for government agencies?
- Does buying DoD 5015.2 certified software make my organization automatically compliant?
- Does FINRA require broker-dealers to capture text messages and WhatsApp chats as business records?
- Does my agency have to meet the NARA Universal ERM Requirements by a deadline?
- How do I get a records management system certified to DoD 5015.2?
- How do I know if my records management software is actually compliant with the standards it claims to meet?
- How do regulators prove a record was altered or backdated after the fact?
- How do we handle a record that still exists but is in a file format no current system can open?
- How do you conduct a gap analysis of your current records program against the NARA Universal ERM Requirements?
- How do you configure cutoff and disposition rules in an electronic records system so they satisfy DoD 5015.2 requirements?
- How do you document records destruction so it holds up against a DoD 5015.2 audit trail review?
- How do you map your existing file plan to the metadata fields required by DoD 5015.2?
- How do you prepare the documentation NARA expects to prove your agency meets the Universal ERM Requirements?
- How do you write a records management policy that aligns with both ISO 15489 and DoD 5015.2 without contradicting either?
- How does Australia's records management framework under the Archives Act and state archives differ from the federal-only US system?
- How does Canada's Access to Information Act (ATIP) compare to the US Freedom of Information Act?
- How long can a business keep security camera and CCTV footage before it has to be deleted?
- How long does HIPAA require a hospital to keep patient medical records, and is it different for minors?
- How long must a construction company keep project records, drawings, and inspection reports after a building is completed?
- How long should a law firm keep a closed client file, and who decides what to do with it?
- How long should an employer keep job applications and resumes from candidates who were not hired?
- How often are records management standards like DoD 5015.2 and ISO 15489 updated or revised?
- How should an agency split records management compliance duties between the CIO, the records officer, and the privacy and security offices?
- Is DoD 5015.2 required by law?
- Is ISO 15489 certification a thing, or can only organizations be certified?
- Is ISO 15489 legally required anywhere, or is it just a best-practice baseline countries adopt voluntarily?
- Is it true that buying DoD 5015.2-certified software automatically makes my whole organization compliant, or do we still have to do something?
- Is it true that once a records system is certified to a standard it stays compliant no matter how we configure or use it later?
- What are a Senior Agency Official for Records Management's specific duties under the NARA Universal ERM Requirements versus the agency records officer's?
- What are an individual employee's responsibilities for declaring and capturing records so the organization stays compliant with DoD 5015.2 or ISO 15489?
- What are the legal consequences of missing the NARA fully electronic records deadline?
- What are the steps to build a records classification scheme that conforms to ISO 15489?
- What are the steps to run a system migration that meets the ISO 16175 functional requirements for records?
- What are the Universal ERM Requirements?
- What does a NARA records management inspection actually check, and what happens if an agency fails it?
- What evidence do you need to defend records destruction if you are audited or sued?
- What governance committee or oversight body should own ongoing conformance with ISO 16175 functional requirements in an organization?
- What happens if a vendor claims their product is 'NARA compliant' but it was never actually tested against the ERM requirements?
- What happens if an auditor finds our DoD 5015.2 certified system was reconfigured in a way that broke compliance?
- What happens when GDPR's right to erasure conflicts with a legal hold or statutory retention requirement in another country?
- What happens when someone challenges our claim that our recordkeeping is ISO 15489 compliant during a dispute or contract bid?
- What happens when we decommission a legacy system that was never DoD 5015.2 or NARA-compliant and still holds active records?
- What is ISO 15489?
- What is ISO 16175 and how is it different from ISO 15489?
- What is the difference between a 'must' and a 'should' requirement in the NARA Universal ERM Requirements?
- What is the difference between a standard like ISO 15489 and a regulation like 36 CFR 1236?
- What is the difference between being DoD 5015.2 certified and being compliant with records management law?
- What is the difference between conformance and certification when a vendor claims to meet a records standard?
- What is the difference between DoD 5015.2 and ISO 15489?
- What is the difference between functional requirements and conformance testing in records management standards?
- What is the difference between ISO 15489 and ISO 30300 for managing records?
- What is the difference between meeting the NARA Universal ERM Requirements and being DoD 5015.2 certified?
- What is the difference between MoReq and DoD 5015.2 for evaluating records software?
- What is the difference between the DoD 5015.2 baseline requirements and the classified records marking module?
- What is the most common mistake organizations make when they say they are 'ISO 15489 compliant'?
- What is the retention period for payroll records and employee timesheets?
- What records do auditors ask to see to prove a records management program is compliant?
- What records does FERPA require a school to keep, and when can a student's education records be destroyed?
- What records retention obligations do energy utilities have under NERC and FERC for grid and reliability data?
- What retention period applies to employee expense reports and reimbursement receipts?
- What retention rules apply to insurance claim files and policy records after a claim is closed?
- What role does the legal department play in approving a records retention schedule before it is certified as compliant with ISO 15489?
- What should we do if a new version of ISO 15489 or the NARA Universal ERM Requirements is released after we already built our program to the old one?
- What should we do if our agency blew past the NARA electronic records deadline and our system still is not compliant?
- What should we do if our backup tapes still contain records under a legal hold even though our retention schedule already authorized destroying the live copies?
- Which records management standard should a small organization start with if it has never followed one before?
- Who in an organization is responsible for making sure records management standards are actually followed day to day?
- Who is accountable when a DoD 5015.2 certified system is deployed but staff never apply the file plan or retention rules?
- Who is personally liable if a federal agency illegally destroys records, the employee or the agency?
- Who is responsible for configuring and maintaining the DoD 5015.2 access controls and audit settings after the software is installed, IT or the records officer?
- Who signs the annual SAORM and records officer reports certifying an agency meets NARA's electronic records requirements?
- Why can't I just self-certify that our system meets DoD 5015.2 instead of using the official testing program?
Email & Messaging Records
- Are emails between teachers and parents considered education records under FERPA?
- Are emails in my Sent folder and Inbox both records, or just one copy?
- Are emails on my personal phone discoverable in a lawsuit?
- Are ephemeral or disappearing messages legal to use for work, or do they violate recordkeeping rules?
- Are text messages and chat business records?
- Can a company be sanctioned for failing to preserve employee text messages during litigation?
- Can an EU employee's GDPR right-to-erasure request force deletion of a work email that US litigation or FOIA rules require us to keep?
- Can blockchain or immutable ledgers prove our email and chat records have not been altered?
- Can I delete an email after I forward it to a coworker or our records system, assuming they now have the official copy?
- Can I delete spam and newsletters from my work inbox without breaking records rules?
- Can I just rely on my company's email backup tapes as our official email archive, or do backups not count as records retention?
- Can I use personal email for work?
- Do disappearing or auto-delete messages violate records laws?
- Do HIPAA rules require a hospital to keep emails and texts that contain patient health information?
- Do I have to keep email attachments separately from the email itself?
- Do I have to keep every email?
- Do I really need to keep work text messages and chats, or is it true that only formal emails are considered records?
- Do managers have a responsibility to manage their team's chat and instant messages as records?
- Does a litigation hold require us to stop auto-deleting Slack and Teams messages?
- Does a small nonprofit need an email retention policy for donor and grant communications?
- Does Canada's ATIP regime require government departments to capture text and instant messages the same way the US Capstone approach does?
- Does ISO 15489 give a multinational company a common baseline for email and messaging recordkeeping across countries?
- Does turning on auto-delete or inbox cleanup rules in Outlook get me in trouble?
- How do auditors check whether an agency is actually capturing email records under the Capstone approach?
- How do I assess the maturity of our email and instant messaging recordkeeping program against a recognized model?
- How do I build a business case to get executive funding for a Microsoft 365 email and Teams records capture project?
- How do I capture WhatsApp messages as business records?
- How do I manage Microsoft Teams and Slack messages as records?
- How do we handle it when a FOIA or e-discovery request asks for an email we cannot locate in any mailbox or archive?
- How do we keep our email and messaging records program current as employees adopt new collaboration apps faster than IT can approve them?
- How do we preserve Teams and Slack messages when we are decommissioning the platform and migrating to a new one?
- How do we resolve it when two offices have conflicting retention rules for the same email thread?
- How do you apply and release a legal hold on email and messaging without breaking normal disposition?
- How do you conduct a records inventory of email and chat across an organization?
- How do you document the destruction of email records so it holds up in an audit?
- How do you reconcile GDPR's storage-limitation rule with longer email retention obligations when a company operates in both the EU and the US?
- How do you set cutoff and disposition triggers for email records under the Capstone approach?
- How do you transfer permanent email records to the National Archives in an accepted format?
- How does the Australian records continuum model change the way email and chat records are managed compared to the US lifecycle approach?
- How does the UK Freedom of Information Act 2000 treat work emails sent from an official's personal account?
- How long do I have to keep emails?
- How long do we have to keep rejected job applicant and recruitment records?
- How long should employee training and certification records be kept?
- How many records staff and what budget do we need to manage email and messaging records as our message volume grows?
- How should a global company set an email retention schedule when UK, Canadian, Australian, and EU rules all set different periods for the same message?
- How should an insurance company retain claims-related emails and adjuster text messages?
- How should I handle a single email thread that mixes business and personal content?
- Is it a mistake to keep every email forever just to be safe, or does keeping everything actually create legal risk?
- Is IT or the records office responsible for configuring email archiving and journaling?
- Is it true that an email isn't really a record until I file it somewhere, so anything sitting in my inbox doesn't count?
- Should I print important emails to file, or is the electronic version enough?
- What are an individual employee's duties when they forward a business email to personal accounts?
- What are the SEC recordkeeping fines for off-channel business communications on personal phones?
- What are the steps to classify Teams and Slack messages to a file plan?
- What are the steps to write an email and instant messaging records policy employees will actually follow?
- What are the steps to write an email retention schedule that maps mailboxes to records series?
- What do we do if a chat channel or shared mailbox was auto-deleted before its retention period was up?
- What email retention rules apply to law firms for client communications and privileged correspondence?
- What happens if I delete old emails just to clear space in my mailbox when it hits the storage quota?
- What happens when a backup tape still contains emails that are under a litigation hold but the schedule says to delete them?
- What is the difference between a record email and a transitory email, and how do I tell them apart in my inbox?
- What is the difference between an ephemeral messaging app and an auto-deleting retention policy on a normal chat tool?
- What is the difference between email archiving and email journaling, and do I need both for records compliance?
- What is the difference between holding email under a litigation hold and retaining it under a records schedule?
- What is the difference between in-place message capture and journaling for Teams and Slack records?
- What is the difference between role-based and content-based email retention, and which one should my organization use?
- What is the difference between text messages and instant-messaging chat when deciding how to retain them as records?
- What is the difference between the Capstone approach and printing-and-filing emails for federal recordkeeping?
- What is the most common mistake people make when treating a Teams or Slack message as if it can never be a record?
- What is the SAORM's specific responsibility for managing electronic messaging records?
- What KPIs and metrics should I track to prove our email and messaging records capture is actually working?
- What messaging records do energy and utility companies have to keep for FERC compliance?
- What must employers do to stay compliant when employees text about work on their own cell phones?
- What penalties do federal employees face for using encrypted messaging apps like Signal for official business?
- What should I do if an employee left and their work text messages only exist on a personal phone we no longer have access to?
- What should we do if a server crash or disaster wiped out email records before they were captured into our archive?
- What should we do if our email archiving vendor's contract is ending and they are holding years of our records?
- When does a text message on a city employee's personal phone become a public record under state law?
- When does deleting work emails or messages cross the line into obstruction of justice or spoliation?
- Which country's law governs an email record when the sender, recipient, and mail server are in three different jurisdictions?
- Who decides which positions go on the Capstone official list, and who has to approve it?
- Who is responsible for applying a litigation hold to email and chat, and who actually enforces it?
- Who is supposed to approve a new messaging app like Signal or WhatsApp before employees use it for work?
- Who is the official recordkeeper when an email goes to multiple people in the same office?
- Whose job is it to capture a departing employee's email mailbox before the account is deleted?
- Why can't I just set Outlook or Gmail to auto-delete everything older than a certain age to stay compliant?
Privacy, PII & Data Protection
- Can a multinational use ISO 15489 to build one global records policy, or does it still need separate schedules per country?
- Can blockchain or immutable storage be used for records when privacy laws require you to delete personal data on request?
- Can I keep customer data longer than my retention schedule says if I might need it later?
- Can I keep customer personal data indefinitely if they agreed to my privacy policy when they signed up?
- Can you be fined for failing to honor a data subject's deletion request if you can't find their records?
- Data breach vs privacy incident: what's the difference and does each one trigger notification?
- Data retention vs data residency: what's the difference and why do both matter for personal data?
- Do eIDAS electronic signatures and timestamps make a record legally valid across all EU member states?
- Do privacy and data-protection laws really apply to my small business, or only to big tech companies?
- Do state and local government agencies have to keep PII in public records that residents ask to have deleted?
- Does deleting records on schedule protect you from data breach liability?
- Does FERPA require schools to destroy student education records, or just restrict who can see them?
- Does masking or redacting PII count as deleting it for retention and privacy purposes?
- How do I find and inventory all the PII my company stores across different systems?
- How do I respond to a data subject access request (DSAR)?
- How do I respond when a customer asks me to delete all their personal information?
- How do I safely dispose of paper documents that contain personal information?
- How do records management, IT, legal, and the privacy office divide responsibility for protecting PII without gaps or overlap?
- How do we handle decommissioning an old system that still holds personal data subject to different retention rules?
- How do we handle PII left behind in shared drives and email when someone changes roles or transfers offices?
- How do you apply and later release a legal hold on records containing PII without violating a pending deletion request?
- How do you assess the maturity of a privacy and PII data-protection program, and what does each maturity level look like?
- How do you build a business case to get executive funding for a privacy and data-protection program before a breach forces the issue?
- How do you build a retention schedule for records containing PII so it satisfies both the records schedule and privacy storage-limitation rules?
- How do you de-identify or anonymize a dataset so you can keep it past its retention period without breaking privacy rules?
- How do you keep a privacy and data-protection program current as new AI features get added to the SaaS tools you already use?
- How do you set cutoff and disposition triggers for personal data tied to a purpose or consent rather than a fixed retention period?
- How do you train staff to recognize, label, and properly handle PII in everyday records work?
- How does a litigation hold override privacy law requirements to delete personal data?
- How does Australia's Archives Act split responsibility between the National Archives and state and territory archives?
- How does the GDPR right to be forgotten conflict with records retention requirements?
- How does the UK Public Records Act work with the Freedom of Information Act 2000, and who decides what The National Archives keeps?
- How long does an insurance company need to keep claims files containing health and financial PII after a policy ends?
- How long must federal agencies keep Privacy Act records and what happens if they over-retain?
- How long should board meeting minutes and board packets be kept?
- How long should I keep records containing personal data?
- How many staff and what budget does it take to run a privacy and PII data-protection program in a mid-sized organization?
- How should a law firm handle client files and PII when a matter closes or a client requests their file back?
- If I delete personal data from my main system, is it really gone, or does it still exist in backups?
- Is internal employee data like HR files and email exempt from privacy rules because it never leaves the company?
- Is it true that if I encrypt personal data I don't have to delete it when the retention period ends?
- Is it true that once I anonymize a dataset, privacy rules no longer apply and I can keep it forever?
- Privacy Act system of records vs records retention schedule: how are they different and do I need both?
- Right to erasure vs right to restriction of processing: how do they differ and how does each affect my records?
- Should employee personnel records have a different retention period than customer records?
- What are an individual employee's day-to-day duties for handling personal data, and what counts as mishandling it?
- What are the breach notification deadlines and penalties under state privacy laws?
- What are the penalties for keeping PII longer than your retention schedule allows under GDPR?
- What are the Senior Agency Official for Privacy's responsibilities, and how do they differ from the records officer's?
- What are the steps to map and classify PII fields to a file plan so privacy controls follow the records wherever they live?
- What are the steps to run a privacy impact assessment before a new system starts collecting personal data?
- What customer records must a bank or broker retain under GLBA and FINRA, and how does that conflict with deletion requests?
- What documentation do auditors look for to prove you destroyed PII when required?
- What does a Data Protection Officer actually do, and is my organization legally required to appoint one?
- What donor and volunteer records can a nonprofit keep, and what privacy rules apply when it shares them with fundraisers?
- What happens if a disaster damages physical records containing PII and we cannot tell what was exposed?
- What happens if we accidentally destroy records containing personal data before a pending data subject deletion request was completed?
- What happens when a cloud vendor's contract ends and they still hold copies of our records with personal data?
- What is data minimization?
- What is personally identifiable information (PII)?
- What is the difference between a data controller and a data processor when it comes to keeping records?
- What is the difference between a privacy impact assessment and a data protection impact assessment, and when do I need each?
- What is the difference between anonymization and pseudonymization?
- What is the difference between data anonymization and de-identification, and which one satisfies privacy laws?
- What is the difference between PII and sensitive personal information, and does it change how long I keep the records?
- What is the difference between PII, PHI, and personal data?
- What is the most common mistake organizations make when responding to a request to delete someone's personal data?
- What metrics prove that AI-driven auto-classification is improving PII handling rather than creating new risk?
- What metrics should you track to measure whether a privacy and PII-retention program is actually working?
- What patient data can a hospital keep in research records after a HIPAA authorization is revoked?
- What should I do if I find an old spreadsheet full of customer Social Security numbers we no longer need?
- What should I do with records after a data breach?
- What should we do if an employee leaves and we discover they have customer PII stored on a personal laptop or phone?
- What should we do if we find personal data kept years past its retention period during an inventory?
- What should we do when two departments have conflicting retention schedules for the same personal data?
- When a data breach involving PII happens, who inside the organization must be notified first and who decides whether to report it?
- When EU data protection law and a foreign government's records request conflict, which law wins for cross-border records?
- Who fulfills a data subject access or deletion request, and which department is accountable if the deadline is missed?
- Who in my organization is responsible for deciding how long we keep personal data?
- Who is legally liable when a records vendor mishandles PII you outsourced to them?
- Who is responsible for deciding how long PII can be kept — the records officer, the privacy office, or the business unit that owns the data?
- Whose job is it to run a privacy impact assessment before a new system that collects personal data goes live?
- Why can't I just black out personal information in a PDF with a highlight or box before sharing it?
Digitization & Imaging
- Are Microsoft Copilot and ChatGPT outputs considered records, and how do you capture them?
- Are scanned copies legally admissible in the UK under the BS 10008 standard the same way they are in the US?
- Are scanned copies of documents admissible to the SEC and FINRA, and do broker-dealers still need WORM storage after digitizing?
- Are scanned documents legally admissible in court?
- Are there industries where scanning and shredding originals is prohibited by law?
- Can a company be penalized if scanned records turn out to be illegible during an audit?
- Can a law firm shred client files after scanning them, and what does the duty to preserve client property require?
- Can a multinational company run one global scanning and digitisation program when EU, UK, and US rules on destroying originals differ?
- Can anyone in the office authorize destroying the paper originals after they're scanned?
- Can construction firms scan signed contracts, change orders, and as-built drawings and rely on the digital copies in a dispute?
- Can I just shred the originals the same day I scan them, or do I have to wait?
- Can I throw away paper records after scanning them?
- Can insurance companies destroy paper claim files after imaging them, and which states require originals to be kept?
- Can scanned medical records replace the paper originals under HIPAA, and how long do hospitals have to keep the images?
- Do I need OCR on scanned documents?
- Do I need to keep the original paper if I scanned it years ago without following standards?
- Do I really need OCR and metadata, or is a picture of the page good enough?
- Does a digitization project need executive or SAORM approval before it can start in a federal agency?
- Does a digitized record have to be a certified or notarized copy to satisfy regulators?
- Does Australia's records continuum model change how I should plan a digitisation project compared with the US lifecycle approach?
- Does eIDAS require a qualified electronic signature or seal to keep a scanned document trustworthy across EU member states?
- Does legal or compliance need to be involved before destroying source documents after scanning?
- How do auditors verify that a digitized record is a complete and authentic copy of the original?
- How do I capture index metadata during a scanning project so the images are actually findable later?
- How do I decide which paper records are worth digitizing and which to leave alone?
- How do I handle fragile, oversized, or bound documents when digitizing a collection?
- How do I keep digitised records compliant when GDPR forces deletion but another country's law requires me to retain the same scan?
- How do I plan and run a records digitization pilot project before scaling to the full backlog?
- How do utilities and energy companies digitize inspection and maintenance records to satisfy FERC and NERC requirements?
- How do we handle it when scanned images and their index metadata get separated or mismatched during a system migration?
- How do we handle scanned records that are under a legal hold when the imaging system they live in is being decommissioned?
- How do we reconcile it when the scan count does not match the paper document count after a digitization batch?
- How do you build the reconciliation and audit trail needed to authorize destroying paper after scanning?
- How do you set up FADGI color targets and scanner calibration before a digitization run?
- How does Library and Archives Canada decide whether a digitised government record can replace its paper original?
- How long do you have to keep accounts payable invoices, and is a scanned copy enough for an IRS or financial audit?
- How long do you have to keep board meeting minutes, and can you keep them as scanned PDFs instead of the signed originals?
- How long do you have to retain IT system and access logs, and do they count as records you can't just delete?
- How long do you keep visitor sign-in logs and building access records, and can you scan and shred the paper sheets?
- How long does it take to digitize a large backlog of paper files?
- How long should a company retain intellectual property records like patents, trademarks, and invention disclosures?
- How long should a company retain payroll records and employee timesheets, and where do you find the rule?
- How long should you keep employee training and certification records after someone leaves the company?
- How should I prepare paper documents before feeding them into a scanner?
- How should responsibilities be split when digitization is outsourced to a third-party scanning vendor?
- How should schools digitize student education records while staying compliant with FERPA?
- Image-only PDF vs searchable PDF: what is the difference and which one counts as a usable record?
- Is a scanned PDF automatically a legal record I can rely on in court?
- Is it true that digitizing my paper records makes the retention period reset or go away?
- Is it worth digitizing records that are close to the end of their retention period?
- Should I digitize old microfilm and microfiche?
- Should I scan records in-house or hire a digitization service bureau?
- TIFF vs PDF/A: which format should I use for digitized records and how do they differ?
- What are an individual employee's responsibilities when scanning their own records to a shared drive?
- What are the steps to ingest scanned images into a records or content management system after digitizing?
- What are the steps to maintain chain of custody for paper records during a digitization project?
- What are the steps to write an imaging specification or scanning SOP for a digitization vendor?
- What does NARA's digitization rule (36 CFR 1236) require before federal agencies can dispose of source records?
- What does quality control look like after a scanning project, and how much should I check?
- What file format should I use for scanned records?
- What happens if my scanner skips a page or cuts off the edges and I already destroyed the paper?
- What happens in litigation if you destroyed the paper original and the scanned image is challenged as inaccurate?
- What happens when an auditor finds we destroyed paper originals before quality control was completed on the scans?
- What happens when our scanning vendor goes out of business before delivering the images and metadata they were holding?
- What is the difference between a preservation master copy and an access copy when you scan records?
- What is the difference between backfile conversion and day-forward scanning?
- What is the difference between bitonal, grayscale, and color scanning and when should you use each?
- What is the difference between digitization and digital transformation in a records program?
- What is the difference between lossy and lossless compression for scanned records?
- What is the difference between migration and emulation for keeping digitized records readable over time?
- What is the difference between OCR and ICR when digitizing handwritten and typed documents?
- What is the most common mistake people make when they save scans as JPEGs for long-term keeping?
- What is the records officer's role in a digitization project versus the IT department's?
- What KPIs and metrics should a records manager report to leadership each quarter?
- What legal requirements must a digitization program meet before destroying the paper originals?
- What naming convention and folder structure should I use for scanned files?
- What resolution should I scan records at?
- What rules does The National Archives in the UK set for digitising public records before the paper originals can be destroyed?
- What should I do if an employee scanned records to a personal device or personal cloud account and then left the organization?
- What should I do if I discover a batch of scanned records is corrupted or unreadable years after we shredded the paper originals?
- What should I do if we find scanned PII in a digitization project that should have been redacted before public release?
- What standards must county and municipal governments meet to scan land deeds and court records and destroy the paper?
- Which ISO standard should I cite for scanning image quality when I operate in countries that each follow different national digitisation rules?
- Who is legally liable if an outsourced scanning vendor loses or mishandles records during digitization?
- Who is responsible for applying retention to records that live only inside a SaaS application like Salesforce or Workday?
- Who is responsible for approving the disposal of paper records after they have been digitized?
- Who owns quality control checks in a digitization program and how is accountability assigned?
- Who signs off that a scanned image is an acceptable substitute for the original record?
- Why can't I just scan everything at the lowest setting to save storage space?
Vital Records, Archives & Preservation
- Are vital records the same as permanent or archival records, or are they different?
- Can a company store records subject to one country's laws on cloud servers located in another country?
- Can an organization be held liable if permanent records are lost to digital obsolescence?
- Can blockchain be used to prove records are authentic and tamper-proof, and is it accepted for legal recordkeeping?
- Can I just keep everything forever instead of identifying which records are vital or permanent?
- Do I really need to migrate old digital files, or will they still open in 20 years if I leave them alone?
- Does an electronic signature recognized under the EU eIDAS regulation hold up as a valid record in the United States?
- Does destroying a record scheduled as permanent count as unlawful destruction under the law?
- Does scanning old documents count as preservation or do I still need the originals?
- How do archivists decide which records are worth preserving forever?
- How do I conduct a preservation needs assessment of an archival collection?
- How do I create a vital records program from scratch, step by step?
- How do I identify which of my records count as vital records?
- How do I plan and run a periodic test of my vital records recovery plan?
- How do I protect vital records from fire, flood, and disaster?
- How do we handle backups that still contain records under a legal hold after the live copies were deleted?
- How do we handle records found in an old system that is being decommissioned and were never put on a retention schedule?
- How do we recover and preserve vital records after a fire or flood when we never had a disaster plan in place?
- How do you appraise records to decide what gets permanently archived versus destroyed?
- How do you assess the maturity level of a records management program and what model should you use?
- How do you manage records retention and disposition in SaaS applications you do not control?
- How do you prepare permanent records for transfer to an archives or NARA?
- How do you recover water-damaged records after a flood?
- How does an organization operating in both the US and EU reconcile FOIA-style transparency requirements with GDPR data-protection and erasure rules?
- How does Canada's Access to Information and Privacy (ATIP) regime differ from the US FOIA process?
- How is disaster recovery different from continuity of operations (COOP) when it comes to protecting records?
- How long do public records have to be kept before they transfer to The National Archives under the UK Public Records Act?
- How long does a law firm have to preserve closed client case files and original wills after a matter ends?
- How long does microfilm last compared to digital storage?
- How long must an electric utility retain pipeline and grid inspection and maintenance records for regulators?
- How long should a business keep expense reports and travel receipts?
- How long should a construction firm keep as-built drawings, RFIs, and project records after a building is completed?
- How many staff and what budget do you need to run a records management program for a mid-sized organization?
- How often does NARA require agencies to review and test their vital records plan?
- How often should I refresh or migrate digital archives to prevent data loss?
- How often should vital records copies be updated and rotated?
- How should a county clerk's office preserve permanent land deeds and vital records like birth and death certificates?
- Is a federal agency legally required to have a vital records program?
- Is it a myth that vital records and permanent records are the same thing?
- Is it true that having backups means I don't need a separate vital records program?
- Is it true that once records go to the archives they're safe and don't need any further management?
- What are an agency head's and SAORM's responsibilities for the vital records and continuity program?
- What are individual employees responsible for when it comes to protecting vital records and continuity?
- What are the penalties for failing to protect vital records before a disaster?
- What are the steps to build a disaster recovery plan for paper and electronic records?
- What are the steps to digitize fragile or deteriorating archival documents safely?
- What are the steps to set up off-site storage and rotation for vital records?
- What are vital records?
- What do we do if we discover mold or pest damage on archived records in long-term storage?
- What does a digital preservation archivist actually do day to day?
- What does a NARA records management inspection check for in an archives or preservation program?
- What file formats are best for long-term digital preservation?
- What financial and donor records must a nonprofit preserve long-term to keep its 501(c)(3) tax-exempt status?
- What happens if I never run a fixity check on my preserved digital records?
- What is continuity of operations (COOP), and how do records fit in?
- What is the best way to store old paper documents so they do not deteriorate?
- What is the difference between a dark archive and an active archive, and when would an organization use one?
- What is the difference between a fixity check and a backup for keeping archived files safe?
- What is the difference between a preservation master copy and an access copy, and why do archives keep both?
- What is the difference between a vital records program and an IT backup, and why isn't a backup enough?
- What is the difference between an archivist and a records manager?
- What is the difference between backup and archiving?
- What is the difference between deaccessioning records from an archive and destroying them on a retention schedule?
- What is the difference between migration and emulation in digital preservation, and when should you use each?
- What is the difference between records management and archives?
- What is the difference between retention and preservation?
- What is the most common mistake organizations make when storing vital records off-site?
- What is the OAIS model?
- What is the role of IT versus the records officer in protecting and backing up vital electronic records?
- What records does an insurance company need to keep as vital records to pay claims after a catastrophe?
- What regulations govern the environmental storage conditions required for archival records?
- What should we do if an employee leaves and we discover official records only exist on their personal phone or laptop?
- What should we do if we find boxes of records that are years past their retention period and were supposed to be destroyed?
- What should we do when a cloud or storage vendor holds our records and the contract is ending or the vendor goes out of business?
- What student records must a school district keep permanently versus destroy under FERPA retention rules?
- Where should I store vital records copies to keep them safe in a disaster?
- Which patient records must a hospital protect as vital records for continuity after a disaster under HIPAA?
- Which retention period applies when a multinational company has records subject to conflicting retention laws in different countries?
- Who decides whether a permanent record gets transferred to an archives or kept in the agency?
- Who is accountable when vital records are lost or unrecoverable after a disaster?
- Who is legally accountable when an agency fails to transfer permanent records to the archives on schedule?
- Who is responsible for designating and maintaining the vital records list in an organization?
- Who signs off on long-term preservation formats and migration decisions for archival records?
- Why can't I just save important records as PDFs on a shared drive and call it long-term preservation?