1. Policy
The Records Retention and Management Policy of the IETF Trust (the “Policy”), is adopted by the IETF Trust and the IETF Intellectual Property Management Corporation (IPMC) (individually and collectively, as the context requires, the “Organization”), and is set forth below and includes the attached IETF Trust Document Retention Matrix. This policy replaces all previous retention policies of the IETF Trust including the IETF Trust retention policy dated 6/16/2016.
2. Objective
The Organization adopts this Policy for the purposes of:
a. Ensuring compliance with legal and regulatory obligations;
b. Reducing storage costs and increasing efficiency;
c. Easily and reliably retrieving current information or important archives;
d. Minimizing litigation costs; and
e. Providing an accurate and reliable record of the IETF Trust’s actions and decisions.
3. Scope
For purposes of this Policy, a “Record” is any document or record in any form (whether paper or electronic), to the extent (a) produced or received by the Organization or on behalf of the Organization by any of its trustees, employees, representatives, agents, governing board members, committee members or group members (collectively, “Representatives”), and (b) maintained in the possession, custody or control of the Organization or of any of its Representatives on behalf of the Organization. Records may include corporate, business, tax and other materials, and may be as obvious as a memorandum, contract or case study. Records may also include less obvious information, such as electronic files and memos, computerized desk calendar items, electronic mail (“email”), appointment book entries or expense records, tax software files, general ledger files, presentation materials (including “.ppt” files), “.pdf” files, and any other form of information that is created and/or stored electronically and satisfies the conditions specified in the first sentence of this paragraph.
Records may also include online documents (for example on google documents), web pages, wikis, chat records (such as Slack), and log files, but only to the extent their storage is under the control of the Organization. For avoidance of doubt, when Records are stored at a provider that is not subject to this policy (“Third Party Provider”), the Third Party Provider’s retention policy applies. For those Records stored at a Third Party Provider that may be destroyed under the Third Party Provider’s retention policy, the Organization’s personnel will, from time to time, use reasonable efforts to convert such third-party-stored Records into Records under the Organization’s control before they are destroyed.
Documents and materials maintained exclusively in the possession, custody and control of one or more third parties are not considered Records for purposes of this Policy.
4. General Policy
It is the policy of the Organization that, unless an Exception applies (addressed further below), Records will be (i) retained for the applicable retention period set forth in the attached “IETF Trust Document Retention Matrix”. Thereafter, physical documents will be (ii) Destroyed within a reasonable time. After the retention period has expired, electronic documents may be retained or Destroyed at any time under the Organization’s direction and discretion.
If the person tasked with destruction of a Record believes or is informed by the Organization or legal counsel that the Record is relevant to any pending litigation, any pending tax, regulatory or other governmental proceeding, or any pending dispute or matter that could result in such litigation or other such proceeding (the “Litigation Exception”), then the Record shall be preserved until the Organization in consultation with legal counsel, determines such preservation is no longer required.
The Organization shall generally retain permanent copies of all Records that have been made publicly available, including but not limited to, press releases and publicly filed or recorded documents, but excluding publicly available documents that are routinely updated (such as, but not limited to, web pages, wikis, online documents) (the “Public Document Exception”). The IETF Trustees or the IPMC board of directors (individually and collectively, as the context requires, the “BoD”) may from time to time approve destruction of such Records in order to make compliance with this Policy both affordable and manageable.
The preceding exceptions supersede any previously or subsequently established retention or destruction schedules for the Record in question, and to the extent of any conflict between the General Exceptions, the Public Document Exception and/or the Litigation Exception shall control.
This Policy refers to three categories of Records:
a. Indefinite: Integral records (e.g., Board minutes) that have no scheduled expiration/destruction date.
b. 7 Years: Such Records have a seven-year retention period that commences at their creation.
c. 3 Years: Such Records have a three-year retention period that commences at their creation. Exhibit A to this policy is a table that designates, by document type, which category a given type of Record falls under.
Note that with respect to contracts or other Records without time dimension (e.g., a receipt), the time periods noted above begin running on the termination date of the agreement in question.
5. Storage of physical Records
Physical Records in current use should be accessible in labeled file cabinets on site. Historical physical Records should be securely boxed and clearly labeled and may be stored in secure offsite storage. A current inventory sheet will be maintained on a best-effort basis and should contain a description of the item, why it is being retained, the category under this Policy that it falls under for purposes of preservation and destruction, where it can be found, and how long it should be retained. File cabinets containing confidential records should be locked at the end of each business day.
6. Storage of electronic Records
Electronic Records in current use and historical electronic Records are stored and made accessible on systems maintained by the IETF Secretariat or by the IETF LLC. For avoidance of doubt, the IETF Secretariat and the IETF LLC are not Third Party Providers in the sense of Section 3.
7. Records Destruction
At the time of Destruction as set forth above, physical Records should be shredded. Electronic Records should be erased or destroyed in such a way that they can no longer be reconstructed without a significant investment in forensic services.
8. Review
The BoD shall review this Policy periodically and make such changes as it deems necessary.
9. Adopted
This Policy is adopted on 2023-12-11 by the Trustees of the IETF Trust and on 2023-12-11 by the Board of Directors of the IETF Intellectual Property Management Corporation.
Document Retention Matrix
[1] Special Correspondence is correspondence regarding matters whose documents are otherwise being retained indefinitely