Where’s Your Data?
Establish a plan for managing, retaining and retrieving information.
Suppose your fitness facility is served with a document request. This could come in a variety of contexts, ranging from a government audit to a sexual harassment investigation. It may be a subpoena seeking records related to another lawsuit. If the lawsuit involves your business directly, you are obligated to preserve related data and you may be required to produce it.
Under any of these circumstances, it’s strongly recommended that you retain counsel licensed in your jurisdiction to help you navigate the process and ensure that the scope of the request is appropriate. You also need guidance on providing the sought-after data while protecting your (or your clients’) confidential or proprietary information.
The responsibility for the day-to-day management of facility information, however, is yours. Legal counsel will need to know your procedures for identification, storage, retrieval and destruction of your facility’s data, and the attorney will work with whatever you have. A lawyer can’t go back in time and help you recreate documents that were inadvertently destroyed. Also, ethically your legal counsel cannot hide or dispose of harmful data that a well-drafted data management policy could have prevented or eliminated.
Storage and Organization
It’s essential for you to know where, how and for how long various types of your fitness facility’s data are stored, so that you can preserve and produce the data as required or assert a legally based objection. And this is not just for lawsuits and investigations. Your data is the lifeblood of your business. Know how it is backed up and stored—in case of theft, security breach or other technological failure.
For any business with even a few employees, this is no easy task. Technology has advanced to the point where data is created and captured virtually everywhere. You should assume that data about your facility is being generated every minute.
A well-drafted data retention and destruction policy governs how you manage this abundance of electronic (and, to some extent, hard-copy) data. A good policy is specifically tailored to your business, the nature of the records the business produces, the people who have access to the data and the technology you use to capture it. Generally speaking, a policy ensures that
- necessary records are adequately preserved and maintained;
- records that are no longer needed or that are of no value are destroyed at the appropriate time and in a consistent manner;
- employees and contractors understand their obligations with regard to retaining and destroying data; and
- an individual employee (or department) within your business is responsible for administering and enforcing the policy and can serve as the point person if your business is served with a document request.
Suppose you operate a franchise fitness facility with approximately 500 members. The facility, which has been in business for 10 years, has 15 employees: you, two front-desk workers, a membership director, a bookkeeper and 10 personal trainers/group exercise instructors. Your massage therapist, nutritionist and cleaning/maintenance staff are independent contractors.
Various types of data might be generated in the day-to-day operation of this relatively simple business scenario, and that data could be managed in a number of ways. Consider these examples:
Membership data. You might store this information on a network or server within your facility. Who has access to this? All of your employees, or just the membership director? Maybe you allow different employees to access different fields. Can your employees enter or delete data, or simply view it? Can members view and/or alter their own data? Has the data storage method changed within the past 10 years? Where and how is the archived data stored?
Financial, accounting and payroll data. You may keep hard-copy files or you may maintain everything electronically. Just as with the membership data, access may be restricted to certain individuals, and older material may be stored in a different manner. Perhaps duplicate electronic copies are housed with your accountant or your payroll service.
Emails, text messages and voicemails. These include communications between the facility and its employees and contractors, among employees and contractors, between the facility and clients, between the facility and corporate headquarters and among individual trainers and contractors and the facility’s clients. If you provide employee email accounts, do you know if your employees use them, or do the employees use personal email accounts or text messages to communicate with clients?
Social media. Your employees and contractors likely interact with clients or each other on Facebook, Twitter™, LinkedIn or other forms of social media. Given the nature of your business, consider whether you, or a designated employee, will need to set guidelines and review or monitor the interactions.
Some or all of your electronic data may also be housed off-site—for example, on a server maintained by your IT contractor, or in the cloud. If it’s stored in the cloud, know the cloud vendor’s terms and conditions for storage and retrieval. The data is still yours, and you are responsible for maintaining, preserving and producing it as may be required by law.
Your data, if not maintained in an organized fashion and if not periodically pared down, could become overwhelming. The key is to determine whether, how and for how long the data needs to be maintained.
Data Preservation Obligations
The law requires businesses to maintain certain types of records, usually for a specified period of time. These time periods are generally driven by the limitation periods that apply in lawsuits about a particular subject area, and they vary by jurisdiction. Failure to maintain records for the applicable time period could subject your facility to penalties and fines, or it could deprive your business of the ability to assert legal rights, claims and defenses. You and your lawyer may find it prudent to establish a policy to destroy data after the expiration of the applicable minimum retention period. If no minimum retention period applies, you could destroy the data on a more routine basis, such as every 6 months or every year.
There are two important exceptions to routine data destruction:
- Legal matters. As stated above, you may be required to provide data in a legal proceeding. At a minimum, you will be required to preserve the data—in other words, keep it from being automatically purged. This is commonly referred to as a “litigation hold.” Whenever litigation is reasonably anticipated, threatened or pending against your business, you have a duty to preserve relevant information. This duty arises regardless of whether your business is initiating the litigation or defending against it (The Sedona Conference® 2007).
- Vital records. You need vital records to help reconstruct your basic business functions in the event of a disaster or loss. Obviously, vital records should be excluded from any routine data destruction process. Such vital data may include, but not be limited to, business formation documents, data needed to restart your computer system and website and contact information for third-party vendors (such as payroll companies, customers, contractors, suppliers and business partners).
Conduct a technology inventory. Identify the hardware, software and storage media that you currently use, and determine if you need to change or upgrade any of it in order to manage your data more effectively. Determine what devices and accounts your employees and contractors are using to conduct their day-to-day work tasks. Depending on the size and complexity of your business, you can develop your own data management policy, or you might choose to have a legal professional or experienced IT professional develop one for you. Review it once a year to ensure that it is accurate and complete. Give your employees copies so they can read, understand and comply with the policy and provide input on it. If you are ever presented with a request for data, or you need to retrieve data after a technological breach or failure, these proactive steps will pay off.