I previously talked about record keeping clauses in outsourcing contracts. These clauses are really record retention and destruction policies (RRDPs) writ in the context of outsourcing transactions. However, the parties to an outsourcing deal often do not devote the attention to record keeping clauses that a customer would to developing its own RRDPs. I want to discuss today some of the RRDP issues that are inherent in record keeping clauses, as a way of getting a quick fix on the issues that may be being ignored in these clauses.
1. Scope/Inventory: The starting point in any analysis is to understand the potential scope of the obligation – how big is the possible universe of records, how many of them are there and just what do they look like?
These can be hard questions – for both the customer and the service provider. At the time that the outsourcing agreement is being negotiated, the customer may lack detailed knowledge about how the service provider’s systems or processes operate and what records they produce. Similarly, before the agreement is signed and the service provider has assumed responsibility for the customer’s operations, the service provider may not have good insight into how the customer’s applications or processes operate and what records they use or produce. It isn’t a solution to this potential lack of knowledge however for the customer and service provider to sweep a litany of nearly-synonymous terms into the definition of “Records” and then feel confident that, whatever may be out there, it has likely been caught. This can only lead to retaining records that should be destroyed and destroying records that should be retained. In these circumstances, the customer and the service provider should work together to inventory the records related to the outsourcing, in a manner similar to what the customer would do in developing its own RRDP.
(i) Service Provider Records: what are records, documents and information of the service provider relating to the services that the customer needs access to? Certainly, the answer to this question will include operational data, financial information such as invoices and invoicing detail, security information such as security logs and video tapes and perhaps personnel information. In design, build operate transaction, it may include test data and results. The customer and service provider need to consider individually the services that are being provided and inventory, by service, the records, documents and information produced.
(ii) Customer Data: what are the records relating to the customer’s business that are produced in the course of the services and that are under the control of the service provider? This may not be a very big set of records for IT infrastructure outsourcing transactions where the application systems and their output are under the customer’s control. The answer is likely different though for business process outsourcing transactions, where often the services being provided are closely intertwined with the customer’s operations. Here, information created by the service provider’s employees may well constitute customer business records that should be identified as part of the records inventory.
In inventorying these records, the customer and the service provider will also need to think about related questions such as the form in which the records are produced, whether temporary records are relevant, what the volume of records is and how this volume will grow over the term of the outsourcing agreement.
2. Purpose: The customer and the service provider should identify the reasons for which the records are to be retained. Is it to support the customer’s audit rights under the outsourcing agreement?, e.g. to allow the customer to verify that the service provider has processed the records correctly and has not overcharged the customer? Or are the records being retained for purposes related to the customer’s business?, e.g. to allow regulatory authorities auditing the customer to verify that the customer has appropriate security procedures in place or to satisfy regulatory requirements that the customer retain various types of records for specific periods of time. If the customer and the service provider are able to agree on the purposes for which the records are to be retained, then they may also be able to agree that other types of information need not be retained or can be destroyed once the purpose is satisfied.
3. Legal Requirements and Retention Period: What do the applicable laws and regulations require be retained and for how long? This is not the same thing as requiring the service provider to “maintain Records in accordance with applicable laws”. It is about understanding the laws applicable to the customer’s business, what records these laws require to be retained and for how long. The only way this can be done is through a thorough review of the laws and regulations applicable to the components of the customer’s business that are being outsourced by counsel who understands the outsourcing. For example, if the services being outsourced involve the processing of customer financial records, then these may need to be retained for six years under the Income Tax Act (R.S.C. 1985, c.1 (5TH Supp.), s-s 230(4)). Conversely, for human resources outsourcing transactions for banks or insurance companies, the customer will need to consider its obligations to limit the use, disclosure and retention of the records under Principle 5 of Schedule 1 of the Personal Information Protection and Electronic Documents Act (2000, c. 5).
4. Customer Record Retention and Destruction Policies: The customer should ensure that the record keeping clause in its outsourcing agreement and its record retention and destruction policies are consistent – the same retention periods for the same records. If there are special circumstances that require records produced as part of the outsourcing transaction to be retained for different periods of time, then the RRDP probably needs to be amended to incorporate those unique circumstances and retention periods. Further, if the RRDP establishes procedures for the destruction of records at set intervals or after the passage of specified time periods, the record keeping solution developed under the outsourcing agreement should incorporate the same destruction procedures.
If the customer and service provider have: (i) developed an inventory of the outsourcing records; (ii) determined why the records are to be retained; (iii) identified the applicable legal requirements and retention periods; and (iv) resolved any inconsistencies with the customer’s existing RRDP, they have a good picture of what the record keeping obligations for the outsourcing ought to be. There are still a few other issues to think about however.
5. Other Agreement Provisions: The outsourcing agreement likely contains other provisions relating to retention or destruction of information. Frequently, for example, the confidentiality provisions of the Agreement will include a section requiring the service provider, at the customer’s request, to return or destroy all customer confidential information. Similarly the termination transition provisions of the agreement may require the service provider to return to the customer all information and data and not to retain any copies. These provisions should cross-reference the record keeping provisions to avoid any inconsistencies.
6. Format/Technology Change: The customer and service provider should discuss in what form the records will be retained and whether the customer will be able to access the information during, as well as after, the term of the agreement. This should not be an issue for recently-created records that can be maintained by the service provider as part of the operations of its existing systems. However, as the outsourcing relationship evolves, the technology is refreshed and the systems are upgraded, the IT environment necessary to read records that have been archived may no longer exist. The records have not been destroyed – it is just that they are no longer accessible by the service provider’s existing systems. This is a problem can only get worse after the outsourcing relationship ends and the technology that was once state-of-the-art dissolves into end of life.
7. Cost: The customer and the service provider should discuss the (estimated) cost of retaining the records for the required periods and who is responsible for these costs. Frequently this does not happen, perhaps because of an assumption that records retention is an integral part for the service provider’s base service offerings, and therefore, there are no separately identifiable costs. This may not be the case or the service provider’s base fees may only cover basic, standardized record keeping which may not be what the customer requires.
8. Monitoring: Record keeping clauses do not normally deal with what rights, if any, the customer has to monitor the service provider’s compliance with the provisions. To the extent that the outsourcing agreement provides the customer with such rights, they are usually found in other provisions such as those dealing with the customer’s audit rights. This is something that the customer should ensure is addressed in the agreement. Moreover the customer should include reviews of the service provider’s compliance as part of its audit plans early in the outsourcing relationship, before the effects of any non-compliance have had the opportunity to accumulate.
These issues will take time to address. In a digital age however, where electronic records are the norm and e-discovery and spoliation are on everyone’s lips, the issues are unlikely to go away. The parties to an outsourcing transaction should take the time to deal with these issues carefully, thoughtfully and at the right level of detail, not take a broad brush approach that ignores the issues in favour of unlimited or unfiltered retention.