Record Retention Policy
Updated March 23, 2022
This policy applies to all records, including all Altair Information and Altair Resources, regardless of format, whether in paper, electronic, microform (e.g., microfilm, microfiche, magnetic tapes, and CD-ROM), or other medium.
The purpose of the Record Management Policy is to (1) establish an efficient Altair-wide record management system for maintaining, identifying, retrieving, preserving and destroying records, (2) ensure that records are adequately protected, (3) preserve Altair history, (4) ensure that records that are no longer needed or of no value are destroyed at the appropriate time, and (5) comply with all applicable local, state, and federal laws and regulations.
The Chief Financial Officer (CFO) is responsible for retention of financial (accounting, tax), statutory and regulatory, and other related records.
The Executive Vice President, TMX Resources and Administration (EVP-TMXR) is responsible for retention of all HR records.
The Vice President, Infrastructure Services (VP-IS) is responsible for storage of electronic data in line with this procedure.
The Chief Technology Officer (CTO) is responsible for ensuring that retained records are included in business continuity and disaster recovery plans.
Definitions
Active Record | See “Altair Record” below. |
Historical Record | See “Altair Record” below. |
Custodian of Record | The designated Department, as identified in the Record Retention Schedule, responsible for retaining and timely destruction of Altair Records in compliance with this Policy. |
Department | Any and all Altair business, financial, human resources offices including any specific divisions or areas of expertise or responsibility. |
Electronically Stored Information | Any and all information created, manipulated, communicated, stored, and best utilized in digital form, requiring the use of computer hardware and software. Electronically Stored Information resides in many places, including:
· Office Equipment – including personal desktop computers, laptops, smart phones, and voicemail systems.
· Networked photocopiers.
· Portable Media – including jump drives, portable hard drives, CDs, DVDs, magnetic tapes, diskettes, memory cards.
· Servers – including email servers, SPAM filter servers, document management systems servers, instant messaging (IM) servers, file servers, print servers, firewall servers, HR database servers, payroll database servers, and internal and external web servers.
· Proprietary applications (software or other programs licensed expressly to Altair); and
· Back-up tapes or other backup systems. |
Inactive Record | See “Altair Record” below. |
IS Office | The Information Services office, and/or, as applicable, any other organizational technology group within Altair (including its subsidiaries and affiliates) that maintains Altair Information or Altair Resources. |
Litigation Hold Notice | A formal directive issued by the Vice President, Legal Services that Altair is under a legal obligation to preserve potentially relevant evidence in connection with a pending or threatened legal action. |
Record Management Administrator | The Department representative responsible for maintaining day-to-day records management practices and procedures. |
Record Retention Period | The length of time for which the Records Custodian is responsible for retaining a specified Altair Record in accordance with the Record Retention Schedule. |
Record Retention Schedule | The table listing the required Record Retention Period and the designated Records Custodian for each identified Altair Record. |
Altair | Altair Global Services, LLC, d/b/a Altair Global including its divisions, subsidiaries, and affiliates (e.g., Altair Global Relocation Ltd., Shanghai, Singapore, EU, etc.) |
Altair Information | All activities and business must be conducted on Altair Resources. All Altair Information must be stored on Altair Resources. Any and all use of Altair Information and Altair Resources must comply with all local, state, and federal laws and regulations as well as company policies and procedures and client contracts.
At Altair’s sole discretion and in accordance with this Policy and procedure, any and all Altair Information and Altair Resources are subject to access by designated Altair representatives, with the approval of the Chief Executive Officer, President or EVP, TMXR for preservation, review, monitoring, and seizure, at any time without notice, in order to:
1. Ensure compliance with local, state, and federal laws and regulations as well as any Altair policy and procedure.
2. Comply with any order by a court, agency, or other governmental entity.
3. Retain information and data.
4. Preserve and produce Evidence in Litigation Discovery.
5. Maintain the integrity and security of Altair Information and Altair Resources.
6. Investigate a suspected violation of law or regulation, or of a suspected infraction of Altair policy; and/or
7. Respond to an emergency of any kind.
Because the primary use of Altair Information and Altair Resources is to further Altair’s mission, goals and objectives, Team members should not have an expectation of privacy in their use of such resources and information. In the event Altair activities and business are conducted on non-Altair Resources, or Altair Information is stored on Non-Altair Resources, such non-Altair Resources are subject to this policy. Any violation of this policy and procedure or failure to timely cooperate in complying with its provisions by any Applicable Member may result in disciplinary action up to and including termination. |
Altair Record | Any recorded information (hard copy or electronic) that is created, received or transmitted by a Team member or Department in the ordinary course of Altair business. All Altair Records regardless of their format are subject to this Policy.
· Active Record: An Altair Record that is currently being used in the ordinary course of Altair business.
· Inactive Record: An Altair Record that is no longer being used in the ordinary course of Altair business that must be retained until the end of its Record Retention Period and is not required to be preserved in accordance with a Litigation Hold Notice.
· Expired Record: An Altair Record:
  · that is no longer being used in the ordinary course of Altair business;
  · that is not listed under the Record Retention Schedule or whose Record Retention Period has ended;
  · that is not subject to a Litigation Hold Notice; and
  · that is not a Historical Record.
|
GDPR | The General Data Protection Regulation[1] is a legal framework that sets guidelines for the collection and processing of personal information of individuals within the European Union (EU). |
[1] The General Data Protection Regulation (EU) 2016/679 (GDPR) is a regulation in EU law on data protection and privacy in the European Union (EU) and the European Economic Area (EEA) that also addresses the transfer of personal data outside the EU and EEA areas.
CCPA | The California Consumer Protection Act[1] is a legal framework that sets guidelines for the collection and processing of personal information of individuals within and/or residents of California. Additional states are contemplating legislation similar to the CCPA and for purposes of this document, will be included under CCPA. |
[1] California Consumer Privacy Act of 2018, Ca Civil Code §1798.185, et. seq. (2020)
4.2.1 Active, Inactive, and Historical Records must be maintained in accordance with the Record Retention Schedule and this Policy. Expired Records must be destroyed in accordance with this Policy. The specific record retention periods can be obtained from our Vice President, Legal Services. The CFO has the authority to extend the records retention period beyond those listed in the specific records retention periods.
4.2.2 The Record Retention Schedule designates the Records Custodian for each identified Altair Record.
4.2.3 If a record is not found under the Record Retention Schedule, it must be destroyed when no longer needed in the ordinary course of Altair business. However, if a team member believes a record not listed on the Record Retention Schedule or an Altair Record should be retained beyond the time period specified on the Record Retention Schedule, the team member should not destroy the record without prior approval of Altair’s Vice President of Legal Services.
4.2.4 Historical records are of long-term value to document past events (e.g., purchase and sale agreement). This may arise from exceptional age and/or connection with some significant historical event or person associated with Altair. Historical Records are not listed in the Record Retention Schedule given the nature of their content and the events associated with the Historical Record (e.g., a letter or e-mail written memorializing an important event). Retaining these types of Historical Records is a responsibility shared by all Altair team members. Any team member who believes an Expired Record should be retained permanently for its historical value should consult Altair Archives. Records transferred to the Altair Archives may be restricted by the office of origin for up to 25 years. Longer restrictions may apply if required by federal, state, or local statute.
4.2.5 If a record fits within two categories, each having a different retention period, the longer period governs. In order to facilitate compliance with this Policy, all Record Retention Periods expiring during a calendar year may be extended to the last day of such calendar year. Thus, all Altair Records expiring during a calendar year should be destroyed as near as practicable to the last day of that calendar year.
4.3 Non-Altair Records
All Non-Altair Records (i.e., any communications not listed in the Record Retention Schedule, informal communications such as instant messaging or social media posts unless they contain an approval, direction to take or refrain from taking action or similar communications) should be immediately destroyed after use.
4.4 Copies of Altair Records
4.4.1 Departments and team members that are not the designated Records Custodian for an identified Altair Record are expected to only retain copies and drafts of such Altair Record to the extent necessary to conduct Altair business. Such Altair Departments and/or team members must destroy such copies/drafts once they are no longer needed to conduct Altair business unless subject to a Litigation Hold Notice.
4.4.2 The designated Records Custodian for an identified Altair Record should only retain originals of Inactive Records and destroy all copies and drafts.
4.5 Records Subject to CCPA, GDPR and other local regulations
Citizens of the EU and certain other countries, and residents of California (and Virginia), have specific rights in their data, including the right to have the records corrected and a corresponding right to be “forgotten” or “deleted.” Customers have the right to review their data and have errors corrected upon request.
4.5.1 Correction of simple errors (e.g., data entry errors including misspellings or incorrect initials, addresses, phone numbers, etc.) should be corrected immediately upon the customer’s request.
4.5.2 For errors in government records (e.g., a passport or driving license, court decree, etc.), request a copy of the supporting document and make the corresponding correction immediately on receipt.
4.5.3 A customer requesting to be “forgotten” or submitting a request to have their records deleted should be advised that the employer will be notified (per contract requirements) and the data may still be retained for a period to facilitate audits and potential legal and other issues. Once the need to retain the data has passed, Altair will automatically and irretrievably destroy all data; however, during the retention period, the data will remain confidential and protected.
4.6 Litigation Hold Notices
All Altair Records are subject to the litigation discovery policy. If there is any reason to believe that a claim may be asserted against Altair for which any Altair Records may be relevant, the records must not be destroyed without the prior approval of the Vice President, Legal Services.
4.7 Security – Confidential Information
Many Altair Records contain confidential information which is protected by Altair policies and procedures as well as state and federal laws and regulations, including but not limited to the Health Insurance Portability and Accountability Act (“HIPAA”), the Gramm-Leach-Bliley Act, and the Fair and Accurate Credit Transactions Act of 2003. This Policy shall be implemented in a manner consistent with all such policies, procedures, laws, and regulations, as those may be amended from time to time.
4.8 Records Management Responsibilities
Records management is the responsibility of all team members of Altair.
4.9 Altair Department Head.
The head of each Altair Department is responsible for:
4.9.1 Developing and maintaining practices and procedures that meet the specific requirements under this Section V and Section VI below.
4.9.2 Ensuring team members of the Department comply with this Policy.
4.9.3 Reporting any potential or actual non-compliance with this Policy to the Chief Executive Officer, President & Chief Operating Officer, Executive Vice President TMX Resources and Administration, Senior Vice President, Global Reporting and Compliance or Vice President, Legal Services.
4.9.4 Designating one or more Record Management Administrators (depending on organizational structure). Where a Department is small or has minimum records management obligations, the head of the Department may consider serving as the “Records Management Administrator[1];” where a Department is large or has complex records management obligations, the Department Head should consider designating more than one Record Management Administrator; and,
4.9.5 Designating an alternate Record Management Administrator in the event the current Records Management Administrator separates from Altair, changes departments or business units or is otherwise unavailable.
4.9.6 Where a Department serves as Records Custodian regarding an Altair Record, the Department is responsible for maintaining their designated Altair Record in compliance with the Record Retention Schedule.
4.10 Responsibilities of Records Management Administrator.
The Record Management Administrator must implement the Department’s established record management practices and procedures on a day-to-day basis. Specifically, the Records Management Administrator is responsible for coordinating retention, preservation, and destruction of Altair Records in accordance with this Policy and the Department’s records management practices and procedures, and for coordinating the Department’s efforts to comply with and respond to any issued Litigation Hold Notice, internal or external investigations, court orders, or other requests for records in a timely fashion.
[1] An individual designated as having primary responsibility for ensuring compliance with this Policy for that group, department or business unit.
4.11 Responsibilities of Team members.
4.11.1 All team members are responsible for the Altair Records in their possession. Team members are responsible for reviewing the content of the records they use in conducting Altair business and complying with this policy.
4.11.2 The CTO Office is not responsible for determining whether an electronic record must be retained or destroyed in accordance with this policy.
4.11.3 Every team member is responsible for complying with this policy as well as the record management practices and procedures established by their Department. Failure to comply with this policy may result in disciplinary action (up to and including termination) and/or legal action. If a team member believes another Altair Member is violating this policy (e.g., destroying Altair Records required to be retained), such Altair team member should immediately contact the EVP, TMXR or report such incidents through the Altair team member’s supervisor.
4.12 Requirements for Department Record Management Practices and Procedures
A Department’s practices and procedures must cover all aspects of records management including maintaining, identifying, retrieving, preserving, and destroying Altair Records. Such practices must take into account business needs as well as legal and security requirements. In addition, such practices should allow for efficient access and retrieval of Altair Records.
4.12.1 Indexing System: Management of Active, Inactive and Archival Records
Departments shall implement and maintain a Department-wide centralized and/or uniform indexing system with which all team members of the Department must comply. The indexing system should be based on the nature of the Department’s business need. This will ensure efficient and streamlined accessibility, retrieval, and destruction. Thus, the same indexing system used for maintaining Active Records in the ordinary course of business should be followed for the centralized storage of Inactive Records.
4.12.2 Protection and Security of Confidential Information
Departments must implement practices that protect confidential information contained in Altair Records in accordance with relevant laws and Altair policies. Such protections must be applied in maintaining Active Records, the storage of Inactive and Archival Records, and the destruction of Expired Records. Thus, the level of security that applies to an Active Record must be maintained when such a record becomes an Inactive or Archival Record. See Section F below for further requirements for destroying such records.
4.12.3 Responding to Records Requests
Departments must implement practices that allow for efficient compliance and response to any Litigation Hold Notice, internal or external investigation, court order, or other requests for Altair Records in a timely fashion.
4.12.4 Physical Storage Facilities Practices
A Department’s storage facility practices must ensure the preservation of all Altair Records in their original condition while also ensuring efficient retrieval of such records. Departments should secure any physical storage facility to avoid unauthorized access (e.g., lock file cabinets in which customer files are kept). In addition, such facility and set up should protect such records from possible physical damage such as:
- Pest infestation
- Fire, smoke, or sprinkler damage
- Water damage (e.g., humidity, leaky pipes)
- Damage from magnets (e.g., digital data on magnetic storage media)
A comprehensive list of off-site storage facility requirements may be obtained from the Vice President, Legal Services. For off-site storage, Departments may only use an Altair-designated storage facility. For more information, contact Altair Procurement.
4.13 Retention Practices
Altair Records must be retained by the Records Custodian in the following manner:
4.13.1 Hardcopies must be retained in hardcopy form unless they are converted to electronic format in an Altair centrally managed system (e.g., AREV, GROW, etc.).
4.13.2 Electronic records, such as e-mails, pdfs, and other electronic documents that are not retained in an Altair centrally managed system (e.g., AREV, GROW, etc.) should be printed in hard copy form in a manner that preserves their original content and form.
4.13.3 Electronic records stored within an Altair centrally managed system (e.g., AREV, GROW, etc.) must comply with the requirements under Section VI.B and C above and other applicable Altair policies. The Records Custodian is responsible for contacting and consulting with the Vice President of Legal Services to ensure such compliance.
4.14 Destruction of Expired Records
If the Records Custodian believes that an Expired Record has historical value and should be retained permanently as a Historical Record, the Vice President of Legal Services should be consulted. Otherwise, the Records Custodian must destroy all other Expired Records in the following manner:
4.14.1 Hardcopy Destruction.
Expired Records in hardcopy form that do not contain confidential information should be recycled. Expired Records in hardcopy form that do contain confidential information should be shredded in a manner that renders them unreadable and that would prevent them from being reconstructed. Security of the Expired Records should be maintained until proper destruction is actually performed.
4.14.2 Electronic Records.
E-mails and other electronic documents (e.g., Word Documents, Excel, and PDFs) should be deleted.
4.14.2.1 The VP, Legal Services is responsible for contacting and consulting with the CTO Office to ensure that Expired Records contained in an Altair centrally managed system (e.g., AREV, GROW, etc.) are properly destroyed.
4.14.2.2 Devices or other media that store electronic records (e.g., jump drives, CDs, etc.) should be destroyed in a manner consistent with the Data Retention and Disposal Policy. The CTO Office and Altair’s designated off-site storage facility currently provide such services. Consult the CTO Office to arrange for such destruction.
4.15 Each data item that is stored is marked per data classification policy with the name of the record, the record type, the original owner of the data, the information classification, the date of storage, the required retention period, the planned date of destruction, and any special information (e.g., in relation to cryptographic keys).
4.16 Cryptographic keys, which are required for certain types of electronic messaging, are retained as set out in our Information Security Policy.
4.17 For all electronic storage media, Altair Global retains the means to access that data.
4.18 For all electronic storage media, Altair Global does not exceed 90% of the manufacturer’s recommended life.
4.19 The Vice President, Infrastructure Services is responsible for destroying data once it has reached the end of the retention period. Destruction must be completed within the calendar year but no more than 90 days of the planned retention period. Destruction is handled as follows:
4.20 Physical records are to be incinerated.
4.21 Electronic records are to be irretrievably erased based on current technology.
4.22 When records are scheduled to be destroyed, a Destruction Log must be completed. Once records are current, destruction may be done on an annual basis (e.g., year-end, fiscal year end, etc.).
A. Storage of Physical Records
- Physical Records may be stored on-site or must be stored at an off-site storage facility managed by a vendor that has been approved and has executed a contract with Altair to provide off-site storage (Approved Vendor). An off-site storage facility managed by an Approved Vendor is referred to in this Standard as an “Off-site Storage Facility.”
- Physical Records must be stored to ensure their protection, usability, and integrity for the required retention period.
- Filing cabinets or other types of stationary storage must not damage the Physical Records during storage.
- Boxes, containers, or other packaging must be packed to withstand the handling and pressure exerted by the contents during storage or transfer between locations.
- Physical Records must be stored in a location that:
  - Provides adequate fire protection and suppression
  - Protects against risk of theft
  - Is protected against possible damage as a result of being located:
    - In a flood zone
    - Under a fire sprinkler
    - In a damp or moist location or subject to mold
    - In an area exposed to rodent or insect infestation
    - Exposed to temperatures above 70° F (21.11° C)
    - In a humidity level below 30% and greater than 50%
- Physical Records stored in an on-site location that does not meet the requirements in 4 (containerized) and 5 (physically secure) above, must be relocated at the earliest opportunity to a location that meets the requirements.
- Physical Records must be reviewed annually to determine whether the applicable Trigger Event has occurred. If the Trigger Event has occurred, the retention period begins, and the physical records enter the Inactive Phase of the records lifecycle. If the Trigger Event has not occurred, the physical records are in the Active Phase.
- Records in the ACTIVE PHASE may be transferred to an Off-site Storage Facility if there is a lack of adequate space to store the records in On-site locations that meet the requirements listed above.
- Records in the INACTIVE PHASE:
  - Must be moved to an Approved Vendor Off-site Storage Facility.
  - Must be destroyed at the end of the retention period specified, provided the records are not subject to a legal hold.
C. Restricted Records
Physical Records classified as Restricted Records must be stored in a manner that permits immediate access before, during and after an emergency, crisis, or abnormal condition.
D. Transferring Physical Records to and from an Off-Site Storage Facility
All Personnel must comply with the following:
- Physical Records containing internal, confidential, restricted, or privileged information must be labelled and clearly identified on the Records Transmittal form.
- Only Physical Records may be sent to an Off-site Storage Facility. Duplicate and non-records must be stored On-site and should be retained for a maximum of three years if necessary to perform and complete a valid business function and must not be retained longer than the original record, unless subject to a legal hold.
- Requests to transfer Physical Records to an Off-site Storage Facility must be made in compliance with GOV-7104P-01, “Sending Physical Records to Off-Site Storage Procedure”.
- The transfer of Physical Records must be prepared in compliance with GOV-7104P-01-JA01, “Preparing a Box of Records for Transfer.”
- Requests to retrieve Physical Records from an Off-site Storage Facility must be made in compliance with GOV-7104P-01-JA02, “Box Retrieval Request.”
- Retrieval records must be approved by the supervisor of the requestor.
- Physical Records may only be released and transferred to the Off-site Storage Facility by Approved Vendor personnel showing proper identification.
- Personnel who have received retrieved records must:
  - Acknowledge receipt of the records by sending an email to [Records Custodian].
  - Notify the [Records Custodian] when the records they requested are transferred to another person, location or Department within Altair-owned or -leased premises.
- Physical Records that have been retrieved from an Off-site Storage Facility must be returned to the Approved Vendor.
E. Physical Records Disposition
Personnel must follow the procedures for destruction of records if the retention period has expired.
- Physical Records not subject to a legal hold must be destroyed at the end of the applicable retention period.
- Physical Records that have been retrieved from an Off-site Storage Facility must be returned to the Approved Vendor for destruction.
- Before Physical Records can be destroyed, personnel must notify the respective client contact via email.
- Physical Records stored On-site that can be destroyed must be placed in secure shred-bins, not in trash or recycle bins.
- Prepare a certificate of destruction sufficient to identify the particulars (client, relocating customer, dates of service, file number, etc.).