What laws actually require a company to have an information governance program, or is it voluntary?
The short answer: no single law says “you must have an information governance (IG) program.” But many laws require specific recordkeeping outcomes, and a formal IG program is the practical way most organizations meet them. So IG is rarely fully voluntary in effect, even when it is not named in statute.
What the law actually requires
Rather than mandating a “program,” most legal requirements target specific records, retention periods, and protections. Common examples for private organizations include:
- Tax records that substantiate income and deductions (the IRS sets how long to keep them).
- Employment and payroll records under wage-and-hour and equal-employment rules (the U.S. Department of Labor and the EEOC each impose recordkeeping duties).
- Industry-specific rules in sectors such as healthcare, finance, and energy, where regulators require records to be created, retained, secured, and produced on demand.
Government agencies face a higher bar: federal records laws require agencies to make and preserve records and manage them under approved schedules.
Why “voluntary” is misleading
Even where no statute names IG, two forces make it effectively mandatory:
-
Litigation and discovery. Courts expect organizations to preserve relevant information once litigation is reasonably anticipated. Failing to do so can lead to sanctions. A defensible, consistently applied program is your evidence that retention and disposition were done in good faith, not to hide evidence.
-
Privacy and security obligations. Privacy and data-protection laws require you to know what information you hold, limit how long you keep it, and safeguard it. You cannot meet those duties without governance over the information itself.
The bottom line
The program is the means; the compliance outcomes are the legal requirement. Adopting recognized practices (for example, the international records management standard ISO 15489) is voluntary, but it gives you a structured, auditable way to satisfy the many non-voluntary obligations scattered across tax, employment, privacy, sector, and litigation rules.
Because requirements vary by jurisdiction and industry, confirm which specific rules apply to your organization with qualified counsel.
For a broader overview of how these pieces fit together, see the information governance topic hub.
Sources & further reading
Authoritative government and non-profit references.
- Records management laws — National Archives (NARA)
- ISO 15489-1 Records management — ISO
How to cite this page
APA
RM University Editorial. (2026). What laws actually require a company to have an information governance program, or is it voluntary?. Records Management University. https://www.recordsmgmt.org/questions/what-laws-require-an-information-governance-program/
MLA
RM University Editorial. "What laws actually require a company to have an information governance program, or is it voluntary?." Records Management University, 16 June 2026, www.recordsmgmt.org/questions/what-laws-require-an-information-governance-program/.
Related questions
- Big-bucket vs item-level retention schedules: how do I choose between them?
- Can a company be penalized for keeping data too long under privacy laws even if nothing was breached?
- Can a US company store records in the EU, or do data localization and cross-border transfer rules block it?
- Can executives or board members be held personally liable for information governance failures?
- Can information governance help reduce cloud storage costs, and how?