The morality of document / e-mail retention policies

I work for a multinational corporation. Among the training courses everybody is obligated to take, there’s the Ethics course, and there’s the Document Retention course.

The Ethics course dictates that we deal with our customers and suppliers fairly, we follow the laws, etc. (*)

The Document Retention course says that every document can be subject to a retention policy, and that some people in the Legal team can request/order that specific documents be remitted to them and/or that they be destroyed.

Similarly, there’s an e-mail retention policy that essentially says that all e-mails must be destroyed after 1 year, and that exceptions can be made to allow for a few years more, but “forever” is not an option. This is justified by saying it saves storage space, it decreases “privacy risk” and it decreases “risk of litigation”.

I find it really odd that, as an “ethical” company, we’re supposed (obligated, even) to destroy evidence of anything. Is this common in large corporations?

(* I understand that the Ethics thing is partly CYA: if an employee commits fraud, corruption, etc., the company can point to the policy and put the responsibility on the employee.)

It’s pretty much universal. The problem is that if you keep records for a long time, they can be subpoenaed in a lawsuit, and the legal team doesn’t even have a handle on what’s out there. It can get really expensive and complicated to search through them to figure out what is relevant to a particular discovery request. And if they ever get anything wrong about whether particular documents are relevant, they can land in a lot of trouble, even if it was an innocent mistake.

It’s vastly cheaper and safer for the company to say ‘everything in email goes after 1 year, 3 years if it’s marked keep’ than to try to search multiple decades of email every time there’s a lawsuit.

Speaking as a former IT guy: email can consume vast amounts of valuable storage space, all of which has to be backed up and maintained. And that costs money.

Pretty standard in my experience. And I wouldn’t call email evidence unless there is the possibility of litigation, in which case it would be saved.
My company (a big one) had automatic deletion at some point > 1 year - unless the email was archived specially. Is this common? I’d think so - who has time to go through and delete emails from two years ago.

It’s wise to keep emails you sent.

Export them to an Outlook Data File (.pst file) on a usb drive.

That’s your documentation if it’s ever needed.

Yep, if you have it, it can get turned over…saving it and storing it is expensive. Discovery on it is expensive. The worst is when you have it - on old backups - but you’ve switched backup software and now need to reinstall a whole system to get things back.

There are retention requirements outside of email which will leave a trail - you can’t get rid of R&D documents, documents related to tax, strategic plans, etc. immediately (depending on the document, it’s usually between five and ten years - R&D might be longer; it’s been a while since I’ve worked on records retention policy). But even there, everything has a life.

You should check your company’s policies when doing this.
Otherwise you may get thanked - by the lawyers of the entity suing your company who get a nice juicy pile of possibly incriminating evidence.

I agree; don’t listen to aceplace57’s advice. It could be a career-limiting move.

My understanding is that if you shred or destroy documents or electronic records after being informed of a potential lawsuit, you could be held in contempt. But if you have a regular policy of deleting documents after a certain period, you’re not liable, as you weren’t trying to hide anything.

When I worked for a hospital network, HIPAA required emails to be archived for seven years. And heaven help the hospital that was caught deleting archives too soon.

OTOH, I don’t think we ever had an archive that made it to seven and a half years.

Everything to Know About Email Retention Laws

Industry                                        Regulatory Organization     # of Years Required for Retention
----------------------------------------------  --------------------------  ---------------------------------
Credit Card and Related Processing Companies    PCI DSS                     One year
Telecommunication                               FCC (Title 47, Part 2)      Two years
All Federal, State and Local Agencies           FOIA (Federal and State)    Three years
DOD Contractors                                 DOD 5015.2                  Three years
Banking                                         FDIC                        Five years
Pharmaceuticals, Biological Products                                        Seven years
  and Food Manufacturers
All Companies                                   IRS                         Seven years
All Public Companies                            Sarbanes Oxley (SOX)        Seven years
Banks                                           Gramm-Leach-Bliley Act      Seven years
Healthcare                                      HIPAA                       Seven years
Investment Advisers                             SEC 204-2                   Seven years to lifetime
Securities Firms, Investment Bankers,           SEC 17a(3) and 17a(4)       Seven years to lifetime
  Brokers and Dealers and Insurance Agents

I can’t say how well other industries are enforced and I’m pretty sure the IRS isn’t going to care unless they decide to subpoena you for records.

Thanks for the responses so far.

I forgot to mention in the OP that, as part of my IT duties, I might find myself having to explain / justify this policy to my colleagues, who are just as beleaguered as I am. My personal instinct is to keep everything forever. At home, I have personal e-mails from 1996, personal documents I wrote in 1993, etc. And my job involves maintaining systems that were developed over the past 10 years and still have ongoing maintenance contracts. In software development, we keep source code forever. So it feels odd to have to justify deleting stuff.

In short, there are conflicting forces at play.


  • Some laws require that some documents and e-mails be kept for a minimum period (without specifying a maximum).
  • Operational needs dictate that information about an ongoing project be kept while the project is ongoing (duh). Documents can supplement/replace people’s memory, especially when people leave the company.
  • As part of a lawsuit, the company can be required to turn over all documents and e-mails it has concerning a particular subject.


  • Some laws (such as GDPR) require that some information be discarded.
  • Keeping documents and e-mails has a cost, and keeping them searchable costs more.
  • The legal team can’t know about all documents and e-mails throughout the company, yet must be able to ascertain legal risks when the company is sued.
  • Arm’s length (aka CYA): If the company doesn’t have the documents because it has a policy of destroying documents, then the company can’t be blamed for destroying them. In the absence of such a policy, it could be blamed.

Can anybody add anything, especially on the pro-destruction side?

Do not do this without knowing your company policy. FERPA (higher ed privacy laws) would block me from doing this to an unsecured or personal drive, like he’s describing.

This is not an argument for retention beyond minimum period plus one day.

Again, not really an argument for retaining records. Especially if somehow some of them are missing, or appear to be missing, and, inevitably, it will be assumed that was the critical document confessing guilt or something.

There’s one point I want to emphasize about that cost. Most of those documents and emails are WORTHLESS.
The email reminding people to turn in their timesheets early because of Thanksgiving has no value a week from now, let alone a year from now. And your email is full of MUCH, MUCH more of that than enduring, relevant information.
Same for documentation. It’s not often that it matters that 3 years ago the procedure was to sweep the parking lot at 7:15 am.
You’re basically saving the owner’s manual for the car you got rid of two years ago. And paying to do it.

Back when we had tape backups that went back years and years, we had a request for emails from there that were 6-10 years old. Lot of work to retrieve them.

After that, we changed policy.

It would be a lot easier today though. Storage is practically free.

Storage is cheap. Backup not so much.

I never delete anything, and I prefer it that way – searching through old emails due to poor documentation of our processes is a pastime of mine. A mandatory 1 year deletion policy would cripple me. Storage is cheap, so I don’t buy the space issue. I’d even accept local storage so they wouldn’t need to worry about backups (I’d accept the risk involved there). There’s no way I could fill up my standard issue 1TB hard drive with emails in my lifetime.

I guess I don’t really have an opinion on the ethical side. My instinct says that it would be more ethical to keep everything for transparency purposes, but I guess I see that if someone accidentally sent me something containing personal information, they might prefer to know that it wouldn’t sit in my deleted items folder for a decade.

This is something I actually used to get paid a lot of money to pretend to know something about.

You aren’t really destroying “evidence”. Unless there is some regulatory requirement to maintain those emails or they are under a litigation hold, there generally is no requirement to keep old emails. Although 1 year does seem short to me. I often find myself referring to old emails from longer ago than that.

What having a retention policy does is protect the company or individuals in the company from being accused of destroying evidence. I.e., it looks very suspicious if everyone has every email since the dawn of time and there is a 3 month gap during the same period of time that an investigation is focusing on.

Yeah, I remember back when we used to collect email and had to revert to backup tapes. It was always a problem because even if you had the tapes, you still had to find the hardware and set up the environment to retrieve the data.

Right- a company can’t get accused of spoliation if they routinely wipe out everything older than some period. It’s a broad CYA policy that also pays dividends in terms of disk space, system performance, etc…

But one year? That seems drastically short to me. At my last job, we didn’t have any specific retention policies, but I routinely found myself digging into emails that were two years old for support purposes, and sometimes 3 for original project notes and documentation-type emails. Rarely past that, but on occasion it was helpful when some VP sent something like “Didn’t we discuss these proposed mods a while back?” and, after some digging, I found out that it was discussed and rejected 4 years prior.

Where I work, there’s no date-based retention policy. Instead users are given email quotas, from 150MB at the bottom (which is my quota) up to multiple terabytes or even unlimited storage for those identified as evidence custodians. I’m annoyed that my employer gives me only 150MB while for my free GMail account, Google gives me 15GB or a hundred times as much.

It sounds crazy to have such limited retention periods, but I’ve seen the negative results of failing to have such a policy at first-hand.

I used to work for a pharma company and they were engaged in a patent challenge involving a specific drug. In order to respond to the discovery request from the opposing counsel, the company had to lease an entire building for two years and staff it with 50+ temps (plus phones, copy machines, break areas, etc.) Their sole responsibility was to put together the response to the subsequent discovery requests. We also had to spend a significant amount of money to upfit the building with access control, intrusion detection, and video surveillance systems to ensure security and confidentiality. We even installed a brand-new building fire alarm system.

Much of this was mandated based upon the accidental admission that there “may” be “some other” materials that were not destroyed in accordance with the current document retention policies.

Will GMail restore an important email if you lose it? Will Gmail restore an email you deleted 5 years ago? If GMail accidentally wipes all your email, will Gmail restore it all?

Data space is cheap; data resilience is expensive.