Resolution: Approval for the Document Retention Policy

From Wikimedia Foundation Governance Wiki
Revision as of 07:59, 17 August 2017 by Nemo bis (II. Overview: typos; interoperability)
This resolution was approved on June 16, 2017.

Resolved, The Board of Trustees approves the Document Retention and Destruction Policy.

Approve
Christophe Henner (Chair), Maria Sefidari (Vice Chair), Dariusz Jemielniak, Kelly Battles, Nataliia Tymkiv, and Alice Wiegand
Not present
Jimmy Wales

I. Purpose

This policy outlines how the Wikimedia Foundation ("Wikimedia" or "Foundation") handles the systematic review, retention, and destruction of Foundation information. In particular, this policy contains guidelines for how long certain information must be kept and when and how records should be destroyed. The purpose of this policy is to ensure that we comply with federal, state, and local statutes and regulations, to eliminate accidental or innocent destruction of records, to ensure that we don't keep certain information longer than needed, and to make sure we always have the right information we need to do our jobs.

II. Overview

The three guiding principles of this policy are summarized below:

A. Wikimedia Foundation MUST KEEP information that is subject to (1) legally-imposed retention periods or (2) business/operational needs

This policy describes specific retention periods targeting particular categories of information, and all employees must retain information in each of those categories for the specified amount of time. The overall policy is described in Section V, and the specific retention periods are defined in Section XI (the “Retention Schedule” or “Schedule”). These periods are based on legal and operational needs – for example, certain finance records must be kept for a specific length of time in case our taxes are audited.

Please alert the Chief of Finance and Administration (“CFA”) (or the Chief Operating Officer if the CFA is not available) whenever you think that a retention period is too long or too short or that a category should be added or removed. If you think an exception is warranted, you must alert the CFA; you may not make an exception yourself without consulting the CFA. When adjustments or exceptions are made, the CFA or the General Counsel (“GC”) will notify staff and update the Schedule on office.wikimedia.org to the most current version.

B. Wikimedia Foundation MUST KEEP all information subject to a “litigation hold”

When we are threatened with legal action, or reasonably believe we will be threatened with legal action, a "litigation hold" is required to preserve any relevant information. Therefore, disposals or deletions of information that do not comply with this policy may result in legal complications for us, ranging from having to legally defend the deletions to criminal or civil liability. Section VI below explains in more detail which policies will apply if we face this situation.

C. Wikimedia Foundation WILL PERMANENTLY DISPOSE of all information not subject to Sections II.A or II.B

Most Foundation information does not require long-term retention. As set out in the Schedule, the routine disposal of information that we’re not explicitly required to retain avoids unnecessary effort, expenses, and storage (both electronic and physical) involved in maintaining, organizing, and backing up old information.

III. Scope

A. What information is covered?

This policy applies to all information – regardless of physical form, format, or characteristics – created or received by the Foundation, including information in electronic or paper form. Also within the scope of this policy is all Foundation information stored, hosted, archived, or otherwise located with any outside vendor to which the Foundation outsources any of its data or hardcopy storage.

Because it may be relevant to litigation holds (Section VI), this policy includes information about users that is collected through the WMF websites. However, as noted in the Retention Schedule, retention periods for information generated by the WMF websites will generally be governed by the relevant privacy[1] and public data retention policies.

B. Which people are covered by this policy?

This policy applies to, and must be complied with by, all Wikimedia Foundation employees, advisors, consultants, contractors, temporary workers, and any others who have access to Wikimedia’s electronically stored information ("ESI") or paper documents (collectively “covered parties”). ESI includes, among other things, emails, instant messages, and voicemails. For clarity, all third parties granted the ability to use any of the Foundation’s information systems are covered under this policy.

IV. Contacts and questions

If, after consulting this policy, you have a question about whether some information should be retained, or you have any other questions or otherwise need help with any related issues, please contact either the CFO or the GC.

V. Retention and destruction guidelines

A. How long must we keep records?

Wikimedia must keep adequate records about certain types of information for at least the minimum period required by applicable law. Tax, financial, and human resources records are especially important. Retention requirements for these and other record categories are in the Schedule below. As a note, we generally are not required to keep emails, but we are allowed to keep them unless they fall into a record category described in the Schedule below.

Information with an ongoing or current business or operational need (i.e. it’s important to have it for somebody to be able to do their job) must be retained for the duration of that need.

B. How should we dispose of records?

1. Routine, Regular Disposal

All information lacking a legal or operational retention need should be permanently disposed of on a routine basis. Each record, including all copies, should be disposed of once it has reached the end of its defined retention period under the Schedule. The CFO is responsible for the ongoing process of identifying records that have outlasted the required retention period and overseeing their destruction.

2. Notice of Disposal

In order to provide an opportunity to identify documents that remain necessary to ongoing business, Office IT will seek to provide notice of scheduled deletions to a covered party 30 days in advance of planned deletions that would affect that party. Notice will include what documents are planned to be deleted and where they are stored.

3. Disposal and Destruction of Sensitive Information

When disposing of sensitive information – including financial or personnel-related data – the disposal process must include sound destruction processes, such as shredding paper documents or secure deletion of electronic documents.

For documents that contain an individual’s personally identifying information ("PII")[2] – or any compilation of that information – destruction must comply with the Disposal Rule issued by the Federal Trade Commission ("FTC") under the Fair and Accurate Credit Transaction Act ("FACTA"). In practice, this means shredding paper and deleting electronic files such that they can’t be easily recovered or restored. Such records include background checks or consumer reports on prospective employees or contractors, and any compilations of that information.[3] Destruction measures must also be sound whenever ESI or a hardcopy document contains health, medical, insurance, or other sensitive information on any individual.[4]

C. What about wikis?

Wikis are an important part of how we work at the Foundation. Simultaneously, by creating a permanent historical record that is difficult to delete, wikis create an interesting exception to this document retention policy. Due to the relatively permanent nature of wikis, information subject to deletion according to this policy does not need to be removed. However, please ensure sensitive information (e.g. donor, contributor, and personnel-related data) is never uploaded onto a wiki without their explicit written permission or checking with the GC. This section also applies to Phabricator, Gerrit, Git repositories, and similar public facing work areas that are intended to preserve public work history.

VI. Suspension of destruction: “Litigation hold”

A. What is a litigation hold?

A litigation hold is the requirement to preserve relevant documents if we “reasonably anticipate” litigation. If a litigation hold happens, you’ll hear about it from the Foundation's legal team and will need to follow their directions to preserve documents as soon as you’re contacted.

B. Why do litigation holds matter?

Failing to comply with a litigation hold may result in civil or criminal liability for Wikimedia or the individuals involved. At a minimum, it may lead to subsequent allegations of improper, selective destruction – and the need for Wikimedia to expend time and resources defending such allegations. This can happen even if the destruction occurs by mistake.

C. When will a litigation hold occur?

Wikimedia has a legal obligation to preserve relevant information when it knows of or reasonably anticipates:

  • a lawsuit by or against Wikimedia; or
  • an investigation, inquiry, enforcement proceeding, or criminal prosecution regarding Wikimedia by a government agency, regulatory body, or prosecutor.

This obligation may also arise if the Foundation receives a government request (e.g., a subpoena) to produce information in a lawsuit or proceeding in which the Foundation itself is not a party, such as when we receive a subpoena about a reader of one of the Wikimedia project websites.

D. Who should we contact if we know about potential litigation or a subpoena?

You should notify the Foundation's legal team as soon as you have reason to believe one of the listed triggers (a lawsuit or an investigation by some kind of government body by or against Wikimedia) in VI.C has occurred. The GC will assess whether a hold is warranted.

E. What will happen when a litigation hold occurs? How will we be notified?

Each time a triggering event is determined to have occurred, Wikimedia must institute a litigation hold. The litigation hold will entail the Foundation's legal team ordering a suspension of certain typical destruction procedures, perhaps including some regular backup recycling/rotation regimens. To start the litigation hold’s implementation, the legal team will issue a litigation hold notice to all pertinent recipients.

When you receive a hold notice, you must preserve any information discussed in the notice. Please take extra care to keep the information separate and maintain it over time. If the information is lost, there could be disciplinary action.

The legal team will oversee the administration of the litigation hold process, including contacting and working with all affected personnel, as well as the Foundation's IT team, to ensure the Foundation’s legal obligations are met as effectively and efficiently as possible.

F. Does this apply to outsourced information storage?

When a hold notice is issued, it applies to every outside vendor to which the Foundation outsources the management or storage of any applicable Foundation information in the same way it would apply to Foundation-hosted storage. The Foundation's legal and IT teams, and any other responsible teams will coordinate with such vendor(s) to ensure they comply with the litigation hold obligations.

G. How long must I retain information and refrain from destroying it?

The Foundation's legal team will determine the scope and duration of each litigation hold, and include that information in the hold notice. Once a hold is issued, the legal team will work with affected people and teams to ensure that the covered information is retained for the duration of the hold period. Until the legal team issues a notice that the period has expired, do not resume normal destruction activities for any covered information.

VII. Separating/departing employees

Consistent with Wikimedia’s Staff Handbook and other human resources ("HR") and IT policies and procedures, Wikimedia handles information maintained by terminated/departing covered parties as follows:

A. Notice

When a covered party separates from Wikimedia, the IT team will provide an opportunity according to IT policies for the individual's manager, the legal team, and the HR team to determine whether any ESI (electronically stored information) or hard copy information created by or pertaining to that person will be retained.

B. Retention of information

During the review period, Wikimedia will retain any ESI or hard copy information according to IT policies. After the review period, the information will be deleted if not required to be retained or if there is not an extension granted according to procedures in the Staff Handbook.

C. Application only to individual information

This section applies to an individual's laptop and the ESI that individual maintained, which will be wiped after 15 days if not required to be retained. It does not apply to staff-wide system backups (such as email accounts, mailing lists, and Google Docs), which may be retained for a longer period of time, up to 10 years, per the appendix below.

VIII. Emergency planning and backups

The Foundation’s records must be stored in a safe, secure, and accessible manner. Information and financial files that are essential to keeping the Foundation operating in an emergency will be duplicated or backed up regularly and maintained off-site.

Wikimedia’s IT team has established procedures for frequent and systemized backups of information stored in central locations and repositories. As the details of the Foundation’s backup procedures change over time, the IT team with the legal team’s review and approval will revise this policy accordingly.

All personnel must comply with IT procedures requested of them and take reasonable precautions to ensure vital data is not lost due to equipment failure, to natural disaster, and/or to only being stored in a non-backed-up location on a local machine or device. All personnel are responsible for paying attention to backup changes announced by the IT team.

Backups of individual laptops will be retained for no longer than one year. These backups of centrally stored information are maintained for disaster recovery and business continuity and not for information-management or retrieval. Therefore, to further this policy’s guiding principles, the Foundation will retain backups only for the respective periods in IT team protocols, subject to any suspension of recycling/rotation required by a litigation hold, law, or a business interest.

IX. Compliance

This policy will remain in effect unless revoked or modified by the CFO or the GC in writing. The CFO and the Audit Committee Chair will periodically review this policy’s procedures and the schedule’s categories with the Legal Team or certified public accountant to see if updates are warranted.

At least once a year, the CFO will remind WMF accessors and third parties covered by the policy about this policy and its contents. Periodically, to ensure that best efforts are being made to follow this policy as consistently as possible, the CFO will commission an assessment that analyzes the degree of compliance by WMF accessors, third parties, and outside storage vendors.

Reasonable variances as to the scheduling of retention-related activities, including such reminders and assessments, may be permitted based on business needs – such as involvement in time-sensitive transactions at the time of a scheduled reminder or assessment. To the extent possible, records memorializing adherence to this policy, including periodic reminders, will be retained by the CFO following the timing rules of this policy.

X. Enforcement

Failure on the part of employees to follow this policy can result in possible civil and criminal sanctions against the Wikimedia Foundation and its employees and contractors as well as possible disciplinary action against responsible individuals.

Any Wikimedia covered party found to have violated this policy may be subject to disciplinary action, up to and including termination of employment or services.

XI. Schedule of retention periods

By default, the above three guiding principles of this policy apply to all Wikimedia information. This list is non-exhaustive and subject to change over time with approval of the legal and IT teams. Records that are not listed, but are substantially similar to those listed in the Schedule, will be retained for the same amount of time as those records. Unless paper storage is specifically noted as required, electronic storage is acceptable and highly encouraged. In the event that a document falls into multiple categories below, it should be retained for the longest period of time required.

Part A - Finance & Administration Departments

Record Category Retention Period

Financial Statements
General Ledgers
Audit Reports

Permanently

Appraisals
Deeds and Bills of Sale
Depreciation Schedules
Fixed Asset Records

Permanently

Construction Documents

Permanently

Correspondence, if (i) essential to one or more of the “permanently” categories in this Part A; or (ii) if deemed to warrant permanent retention by the CFA or the legal team

Permanently

Annual Reports to Secretary of State/Attorney General

Permanently

IRS Annual Return (Form 990 or 990-EZ) and Worksheets
IRS Application for Tax-Exempt Status (Form 1023)
IRS Determination Letters

Permanently

All books of account or records as are sufficient to show specifically the items of gross income, receipts, and disbursements, and to substantiate the information reported on the annual Form 990 tax return.

Such records include, without limitation, those that reflect information concerning expenses, proof of deductions, business costs, accounting procedures, and other information concerning Wikimedia Foundation's revenues.

Permanently

State Sales Tax Exemption Letter
State Tax Returns and Worksheets

Permanently

Stock and Bond Records

Permanently

Bank Deposit Slips
Bank Statements and Reconciliation
Accounts Payable Ledgers and Schedules
Expense Reports
Invoices (to customers, from vendors)
Inventories of merchandise
IRS 1099s
Journal Entries
Sales Records (merchandise sales)
Sales & Use Tax Filing Records

7 years

Leases

7 years after expiration, unless longer period:

  • specified by terms of lease; and/or
  • indicated by breach-of-contract statute-of-limitations period in force in state (e.g., 15 years for Ohio), country, or province whose law would control any contractual dispute

Correspondence with Vendors

2 years after expiration of contract or agreement

Part B - Fundraising Department

Record Category Retention Period

Fundraiser Records
A fundraiser for charitable purposes must maintain records reflecting the following:

  1. The date and amount of each contribution received as a result of the solicitation campaign and, for non-cash contributions, the name and mailing address of each contributor.
  2. The name and residence address of each employee, agent, or other person involved in the solicitation campaign.
  3. Records of all revenue received and expenses incurred in the course of the solicitation campaign.
  4. For each account into which the commercial fundraiser deposited revenue from the solicitation campaign, the account number and the name and location of the bank or other financial institution in which the account was maintained.
  5. If a commercial fundraiser sells tickets to an event and represents that they will be donated for use by another, he or she must keep the number of tickets purchased and donated by each contributor, and the name and address of all organizations receiving donated tickets.

During each solicitation campaign, and 10 years following its completion, the Wikimedia Foundation must maintain a copy of its contract with the commercial fundraiser and records of solicitations and donations according to the list of items (a) through (e) in the left column for this category

Solicitations for Contributions

See “Commercial Fundraiser Records” above

Donor Records (typically maintained in CiviCRM)

10 years

Correspondence, if (i) essential to one or more of the 10 years categories in this Part B; or (ii) if deemed to warrant permanent retention by the CFA or the GC

10 years

Endowment gift agreements between donors and Tides, as well as other documents pertaining to Wikimedia Endowment fund gifts

10 years

Part C - Human Resources Department

Record Category Retention Period

Benefits Plans

Permanently

Benefits Data & Records:

Benefits Claims
Benefits Insurance Policies (medical, dental, vision, LTD/STD/life, EAP, FSA, HSA, etc.)
Retirement Plan Data & Documents
COBRA

Overall Payroll Records:

Payroll Tax Returns
Payroll Summaries & Registers
State Unemployment Tax Records
W-2 Statements

6 years

OSHA Documents

Accident Reports

5 years

Reduction In Force records

5 years from date of reduction

Workers’ Compensation Records - Claim Files

Latest of these dates:

(1) 5 years from date of injury;

(2) 5 years from date compensation last provided;

(3) 2 years after claim is closed; or

(4) if a governmental audit is conducted within the time specified under applicable law, then until the audit has become final

Workers’ Compensation Records - Injury Claims

5 years

Individual Employee Wage Records:

Deduction & Garnishment Records
Timesheets
Compensation Increases & Approvals

4 years after termination

Employee Personnel File:

General Records (contracts, agreements, reviews, etc.)
Private-Information Records
Leave-Related Documents (FMLA, CRFA, PDL, etc.)
Promotion, Demotion, or Discharge Records

5 years after termination

Employment applications or any other form of employment inquiry submitted to Wikimedia in response to an ad or other notice of job openings, including:

Records Pertaining to the Failure or Refusal to Hire
Employment Referral Records
Applicant Identification Records

Successful candidates – 3 years after termination
Unsuccessful candidates – 2 years from the date the position is filled

Legal Disputes:

Claims, Investigations & Legal Proceedings
Personnel & Payroll Records About Complaining Parties
Personnel & Payroll Records of Others in Similar Jobs

Through disposition of dispute or case and appeal plus any additional period that the GC might, in his/her discretion, determine to be appropriate

I-9 Forms

The later of 3 years from hire or 1 year after termination

Child Labor Certificates

3 years after termination

Affirmative Action Records

3 years

Injury & Illness Prevention Program:

Inspections:

Records documenting scheduled and periodic inspections as required to identify unsafe conditions and work practices, including:

Name of person(s) conducting the inspection;
Unsafe conditions and work practices identified; and
Action taken to correct the unsafe conditions and work practices.

Illness Prevention Training

Records documenting required safety and health training for each employee, specifically including:

Employee name or other identifier;
Training dates;
Type(s) of training; and
Name of training provider.

1 year


Note: likely kept in respective individual personnel "files" (except that training records of employees who have worked for less than one year for the employer need not be retained beyond the term of employment if provided to the employee upon termination).

Part D - Legal Team

Record Category Retention Period

Articles of Incorporation

Permanently

Board Charters, Policies, Resolutions, Notices, Waivers of Notices, & Written Consents
Board Meetings’ and Board Committees’ Meetings’ Minutes
Bylaws and Amendments

Permanently

Press Releases and Publicly Filed Documents

  • Purpose: Wikimedia should have its own copy to test the accuracy of any document a member of the public can theoretically produce against Wikimedia.

Permanently

Records Designated for Retention by the Bylaws (if any)

Specified Period

Legal Matters Records – The GC will decide the disposition date for each (sub)set of records covered by the following categories: Subject to a litigation hold issued as to a situation or claim that does not ripen into a lawsuit or into an actual proceeding;

  1. Records from open and closed lawsuits and governmental proceedings, including but not limited to correspondence, pleadings, written discovery requests, and responses and information produced and received in discovery;
  2. Records produced by Wikimedia in response to non-party subpoenas; and
  3. Due diligence files.

To be determined by General Counsel or designated representative within the legal team

Contracts – ALL, subject to three exceptions listed below

7 years after expiration, unless longer period:

  • specified by terms of contract; and/or
  • indicated by breach-of-contract statute-of-limitations period in force in state (e.g., 15 years for Ohio), country, or province whose law would control any contractual dispute

Contracts – exception # 1 – FUNDRAISING contracts

See “Fundraising Records” under “Fundraising” category (Part B above)

Contracts – exception # 2 – FEDERAL GOVERNMENT (sub-)contracts and leases, as well as records directly pertaining to and involving transactions relating to the agreement – including, without limitation, all information required to be retained by the Federal Acquisition Regulation (FAR), including: civilian or military contracts, and every contract as to a public or private university, college, laboratory, or the like, whenever some or all of the funding is coming from a federal agency

Longer of:

  • Period stated in contract; or
  • Period stated in FAR regulations; or
  • Period stated in any superseding agency-specific federal regulations [e.g., D.O.E., per FAR 4.702(b)]; or
  • If no period stated, then permanently. See 41 U.S.C. § 254d (civilian) and 10 U.S.C. § 2313 (military)

Contracts – exception # 3 – STATE OR LOCAL GOVERNMENT (sub-)contract and lease, as well as records directly pertaining to the agreement

Longer of:

  • Period stated in contract; or
  • Period provided in state and/or local statutes, regulations, guidelines, ordinances, specifications, and/or bid/RFP materials
  • 7 years after expiration

Filings with the Registry of Charitable Trusts

10 years

Grant Agreements Applications and Contracts

7 years after expiration

Licenses involving the intellectual property rights of Wikimedia or any other affiliated person or entity

7 years after expiration, unless longer period:

  • specified by terms of license; and/or
  • indicated by breach-of-contract statute-of-limitations period in force in state (e.g., 15 years for Ohio), country, or province whose law would control any contractual dispute

Intellectual Property other than Copyright, Patent, or Trademark:

  • Royalties and Assignments Records; and
  • Trade Secrets Records:
    • all records containing trade secrets; and
    • related documentation, including records evidencing measures taken by Wikimedia to protect its trade secrets and avoid the unauthorized use of trade secrets of others (including under all trade secret licenses)

Expiration of protected status plus 7 years

Patents granted by USPTO and all significant related records, including applications, invention/engineering notebooks, workpapers, correspondence, memos, and any speeches, recordings, and any other information demonstrating what was made available to the public and on what date(s)

Expiration of patent plus 7 years

Trademark Registrations

Expiration of protected status plus 7 years

Trademark – all significant related records, including applications and work papers

Expiration of protected status plus 7 years

Copyright Registrations

Expiration of copyright plus 7 years

Copyright – all significant related records, including applications and work papers

Expiration of copyright plus 7 years

Correspondence with parties who have contracted to receive services from WMF

2 years after expiration of contract or agreement

Part E: Third-Party Information Collected via the WMF Websites

Information collected from third parties through the Foundation's public-facing websites, like en.wikipedia.org, must be retained as described in the public Data Retention Guidelines. Note that the retention guidelines commit to keeping such information for the shortest time consistent with the maintenance, understanding, and improvement of the Wikimedia sites and our obligations under applicable U.S. law. As a result, litigation holds still apply to data collected under the Privacy Policy and Data Retention Guidelines.

Part F: Other Information Not Mentioned

Information not covered by any of the above categories will be deleted after 10 years of nonuse.

Notes

  1. Most WMF sites are governed by the main privacy policy, which can be found at https://wikimediafoundation.org/wiki/Privacy_policy. Our donor policy is at https://wikimediafoundation.org/wiki/Donor_policy/en, and the privacy policy for the blog is at https://wikimediafoundation.org/wiki/Wikimedia_blog_privacy_policy. We may also update other specific sites with their own privacy policy.
  2. Types of personally identifiable information can include a real name, Social Security Number, driver’s license number, phone number, physical address, or perhaps even e-mail address. See WMF’s privacy policy for a full definition of such information.
  3. Other examples include employment background, check writing history, insurance claims, residential or tenant history, or medical history.
  4. Although the Foundation is only subject to U.S. law, adverse parties may argue that we should, in some instances, comply with applicable international laws when it relates to our international contractors. If you are dealing with international citizens, see the GC to determine what your retention and destruction obligations are. For many international contractors, data such as racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, sex life, or criminal convictions may be subject to special rules.