Where does the line fall between IT and the records department when it comes to retention and disposition of data?
The short answer is that the records department decides what happens to information and when, while IT provides the systems and technical capability to carry it out. Retention and disposition are governance decisions; execution is a shared, system-dependent task. Problems usually arise not because the line is hard to draw, but because no one drew it explicitly.
Who owns what
Think of the division along three questions:
- What is this, and how long must it be kept? This is the records and information governance (IG) function. Records staff classify content, apply the retention schedule, identify legal holds, and authorize final disposition. These judgments rest on legal, regulatory, and business value — not on storage convenience.
- How is it stored, secured, and acted upon? This is IT. IT manages the repositories, backups, access controls, encryption, and the tools that actually move, migrate, or delete data when the records authority says so.
- Who is accountable for the information itself? Usually the business unit or data owner that created it, working under the policy the records function sets.
A useful principle: retention rules should be system-agnostic. The same email or contract keeps the same retention period whether it lives in a content system, a shared drive, or a backup. IT implements that rule across platforms; records defines it once.
Where the line blurs
Friction tends to cluster in a few places:
- Backups and “convenience” copies. IT keeps backups for disaster recovery, not as records. Records governs the official copy; backup rotation should not become de facto permanent retention.
- Defensible deletion. When a retention period ends and no hold applies, records authorizes disposition and IT executes it. Both must be able to document that the deletion followed policy.
- Legal holds. Legal or records issues the hold; IT must be able to suspend automated deletion to honor it.
Drawing it cleanly
Document the split in a written policy and a RACI-style matrix so retention decisions, execution, and accountability each have a named owner. ISO 15489 frames recordkeeping as a managed program with defined roles — the discipline that keeps IT and records aligned rather than guessing.
For a fuller picture of how these roles fit together, see the information governance topic hub.
Sources & further reading
Authoritative government and non-profit references.
- Records management (NARA) — National Archives (NARA)
- ISO 15489-1 Records management — ISO
How to cite this page
APA
RM University Editorial. (2026). Where does the line fall between IT and the records department when it comes to retention and disposition of data?. Records Management University. https://www.recordsmgmt.org/questions/line-between-it-and-records-for-retention-and-disposition/
MLA
RM University Editorial. "Where does the line fall between IT and the records department when it comes to retention and disposition of data?." Records Management University, 16 June 2026, www.recordsmgmt.org/questions/line-between-it-and-records-for-retention-and-disposition/.
Related questions
- Big-bucket vs item-level retention schedules: how do I choose between them?
- Can a company be penalized for keeping data too long under privacy laws even if nothing was breached?
- Can a US company store records in the EU, or do data localization and cross-border transfer rules block it?
- Can executives or board members be held personally liable for information governance failures?
- Can information governance help reduce cloud storage costs, and how?