Save Everything? Effective Data Management Includes “Defensible Disposal”

July 24, 2013


By Tom Fruman
Director, GTA Enterprise Governance and Planning


Today’s information systems make our work and our lives easier in so many ways. But they’re also magnifying existing issues and creating new ones, such as deciding what to do with all the data we’re accumulating.

GTA recently hosted a one-day summit that focused on helping government agencies better manage data and use it more effectively in making business decisions. The summit featured presentations from several companies with expertise in such areas as big data and business intelligence. (You can download the presentations at

But any discussion of data management inevitably leads to the following question: What data can and should we delete and when? In an article for CIO Insight, Lorrie Luellig tackles the question and offers direction to any organization struggling to come up with a sound strategy for data retention and disposition.

Luellig cites a 2012 survey of corporate CIOs that found almost 70 percent of the data kept by most organizations could be deleted without any negative impact. But to achieve what she calls “defensible disposal”, IT must work closely with records and information management, legal counsel and business managers to develop a strategy.

She argues that most of the retention schedules in use today were devised during an era when paper records dominated. The vast majority of information today is stored electronically and under IT’s direct responsibility, she explains, but IT often lacks the insight necessary to link legal and regulatory obligations to the applications, databases and other repositories it manages. She writes about the shared responsibility among legal, records management and IT departments for information management and defensible disposal.

Luellig offers the following steps to a modern governance strategy for data disposal:

  1. Manage all information, not just “records”; consider anything and everything, including e-mails.
  2. Connect legal, privacy and regulatory retention obligations directly to relevant information.
  3. Retention periods must take into account the business value of information in addition to legal and compliance value.
  4. Identify where information is located and create a reliable “data map”.
  5. Ensure that retention and disposal obligations are communicated and publicized in a language that stakeholders can understand; define the responsibilities of “data stewards”.
  6. Allow for flexibility to adapt to local laws, obligations and limitations.
  7. Include a mechanism that allows legal and IT to collaborate in executing and terminating legal holds on specific data.
  8. Identify and eliminate duplicate information; with a clear and transparent retention schedule, there’s no need to save everything “just in case”.
  9. Update your retention schedule in real time to account for changes in laws, to the business and in technology.

It would be well worth your time to read the full article. It offers important insights and adds to our discussions about data management.

