Peer to Peer: ILTA's Quarterly Magazine
Issue link: https://epubs.iltanet.org/i/1502513
52 P E E R T O P E E R : I L T A ' S Q U A R T E R L Y M A G A Z I N E | S U M M E R 2 0 2 3 board, they will take those messages to the wider firm and articulate and advocate for the actions that need to be taken to effect lasting change. Understanding data Step 2 is understanding the data held and where it is. This means making an inventory of all the systems in which data is held. This isn't straightforward. We've already alluded to the old IT systems that have been superseded or replaced. There are also back-up systems to think about. Another potential complication is shadow IT. This can be understood as what happens when individual lawyers do work beyond the boundaries of the firm's sanctioned and provisioned IT infrastructure and systems or where such usage is not fully communicated to the information governance team. It's a problem because any advice given to the client should be part of the matter record, but if the activity was done, say, on the client's system instead of on the firm's, the firm has lost control of that record. Understandably, the pandemic caused a huge increase in shadow IT. As clients scrambled to get advice from their lawyers and their lawyers scrambled to give it, work was done on personally owned devices, emails were exchanged using personal email addresses and files were saved on a range of personal systems. Shadow IT holds records that need to be brought into the light. You must also remember that work product isn't the only data you need to worry about. The firm will also hold administrative records including HR files and financial information that needs to be part of your retention and disposition planning. Mapping data Once you know what systems or content repositories exist, you must refine your knowledge further by conducting a data mapping exercise. This will categorize and classify data in terms of the different types of documents and file types, as well as the type of information: is it personally identifiable information (PII), is it confidential, is it commercially sensitive? In addition, the data will need to be classified in terms of practice group, department, office or jurisdiction, where these have a bearing on retention and disposition; and in terms of client engagement requirements, taking those OCGs into account that impact on retention and disposition. One approach to data mapping is to create a process diagram that will help you see the different datasets and systems you have. By mapping data, you can really begin to tame a seemingly unruly mass of records. Each category of data can be tackled one by one, in an order that makes sense, to bring them into an information retention and disposition framework that reflects your policy objectives. The commitments When data is mapped, or even before mapping is fully completed, it's time for Step 3, which is to draw up a retention and disposition policy. This document will be the reference point for all subsequent activities, and it articulates the commitments the firm is making. The ideal situation is that everyone signs off on this early in the process. This creates understanding, agreement and momentum as well as an early opportunity for an awareness campaign within your firm. Procedures and controls will also need to be drawn up to ensure the policy is enforced conscientiously and consistently. On that note, it will expose the firm to potential investigation and liability if an agreed policy isn't enforced, or is selectively enforced: e.g. some documents mandated for destruction are destroyed, while others aren't. Procedures, such as the destruction process for electronic records, should be documented and agreed, as should the controls, e.g. that destruction details are logged. Q 2 W H I T E P A P E R S