Record management legislation has been behind the times for years, due to the continued expectation that digital records are similar to paper records. Since the two have numerous differences and governments are beginning to understand these differences, you will soon be dealing with increasingly-complex legislation in this vein.
H.R. 5709
The US's Federal Records Modernization Act of 2016, which is currently being modified in their Congress, is going to affect your business because of Canada's trade relationship with the States. While this record management legislation applies primarily to government entities, it is a likely precursor to American businesses adopting similar measures as a matter of law instead of mere best practice.
The Act focuses on data retrieval and general handling. Namely, any falsification of records or documents will result in no less than suspension and removal of anyone at any level of government. Additionally, documents must be immediately reported to a central body if there is any falsehood or inaccuracy within them. Further, only officially approved transmission methods may be used for the distribution of documents.
FRMA may initially complicate matters, but should ultimately provide a framework that allows both government and business in the US to become more organized. Further, the introduction of prompt punishment of internal violators is a valuable precedent. Particularly if you have or may acquire government contracts, this record management legislation will have a significant impact on your business.
Personal Information Protection and Electronic Documents Act
This communications and storage-related act, which has been in its current form since June of 2015 and is similar to many provincial acts that have come before it, covers both a failure to establish your organization's safeguards and to any breaches of those safeguards. This record management legislation is not directly concerned with general consumer information, but does contain a clause relevant to any business transaction or commercial activity in general. As well, the Act contains a clause concerning information about and relevant to an employee's employment.
One particularly interesting part of the PIPED Act is that information disclosure is only allowed under very tightly-controlled circumstances. Namely, private information needs to be protected for either 100 years after its creation or 20 years after the death of the individual it directly concerns. This is not merely a legal statute, but a requirement that when your current hardware and software become obsolete, effective migration must take place and effective protection of your data must be ensured across legacy, current and future technologies.
Ontario Evidence Act
Ontario's Evidence Act, R.S.O. 1990, is still pertinent despite being in force since 2011. This Act states that when evidence comes from an electronic record, verification this data's authenticity is necessary for the evidence to be admissible in court. While this record management legislation is not national as of this writing and applies primarily to the courtroom, it is forward-thinking and provides a double burden of proof on evidence, as well as highlighting the importance of data efficacy in daily life. When data can be shown conclusively to be authentic, it is more reasonable to trust it.
Your data needs to be consistent and reliable, in addition to being secure and accurate. Having inconsistent data across your organization can lead to a state of double ignorance, where the phrase "one foot does not know what the other is doing" applies. Developing a consistent "hub" or central data can be a useful endeavor, both for accommodating the record management legislation and for working with its underlying intention of having a solid data framework that protects relevant information from initial entry through long-term storage and ultimate deletion.