How should records management responsibilities be divided between IT, legal, and the privacy office for a new records system?
Standing up a new electronic records system works best when each office owns the part of the problem it is built to handle, and a records or information governance (IG) function coordinates across all of them. The goal is shared accountability without gaps or duplication, anchored to an approved records schedule and retention policy.
A simple way to divide the work
Records/IG (the coordinator). Owns the retention schedule, file plan, classification taxonomy, and disposition rules. Defines what a record is, how long it must be kept, and when it may be destroyed or transferred. IG should set the requirements that the other offices implement, rather than reacting to a system built without them.
IT (build and operate). Implements those requirements technically: storage, access controls, audit logging, backups, integrity and encryption, automated retention and disposition triggers, and reliable export or migration paths. IT keeps the system available and secure but should not unilaterally decide what is kept or for how long.
Legal (obligations and risk). Identifies legal and regulatory retention requirements, manages litigation holds and legal-hold suspension of disposition, and advises on e-discovery, admissibility, and recordkeeping mandates. Legal confirms the schedule reflects current obligations and signs off before any destruction.
Privacy office (data subjects and sensitive data). Identifies personal and otherwise sensitive information, sets minimization and access limits, and ensures the system supports lawful collection, use, and individual rights. Privacy interests can pull toward shorter retention, so it must be reconciled with legal and records requirements, not treated as an afterthought.
Making it stick
- One authoritative policy. A single retention and disposition policy that all offices endorse prevents conflicting instructions to IT.
- Build requirements in early. Engage all four roles during design, not after go-live, so retention, holds, and privacy controls are native features.
- Resolve conflicts deliberately. When privacy favors deletion but legal requires retention, document the decision and let the longer obligation govern until it lapses.
- Audit and review. Periodically verify the system enforces the schedule and that holds actually suspend disposition.
For broader context on managing digital records, see the electronic records topic hub. Clear, written roles and a shared schedule are what turn three separate offices into one functioning records program.
Sources & further reading
Authoritative government and non-profit references.
- Records management policy and guidance — National Archives (NARA)
- ISO 15489-1 Records management — ISO
How to cite this page
APA
RM University Editorial. (2026). How should records management responsibilities be divided between IT, legal, and the privacy office for a new records system?. Records Management University. https://www.recordsmgmt.org/questions/how-to-divide-records-responsibilities-between-it-legal-and-privacy/
MLA
RM University Editorial. "How should records management responsibilities be divided between IT, legal, and the privacy office for a new records system?." Records Management University, 16 June 2026, www.recordsmgmt.org/questions/how-to-divide-records-responsibilities-between-it-legal-and-privacy/.
Related questions
- Are digital signatures legally valid on records?
- Are spreadsheets and database entries considered records I need to retain?
- Can a company be sanctioned for not preserving electronic records when it should have anticipated litigation?
- Can I just save a file as a PDF and call it a permanent electronic record?
- Can I store official records in the cloud?