Educause Security Discussion mailing list archives
Re: archiving email
From: "Walters, Caroline (cw8de)" <cw8de () ESERVICES VIRGINIA EDU>
Date: Fri, 17 Jul 2009 12:23:46 -0400
Hello All, I was told about the "archiving emails" below by my colleagues in IT Security/Policy here at UVA - I am not an IT person and know just enough about computers to get myself into trouble, but I do know Records Management. To answer the question about how long to maintain an email - you really need to know the content of the email. Email in fact is just a transmission method for information and is not what we Records Managers call a Records Series. Saving all email for one set period of time can cause problems - you either destroy some things too soon or you hold on to other things too long. Classifying the email based upon the content is the only way to properly maintain the records in accordance with any records retention and disposition schedule. This is the same for any type of information - the format (email, voicemail, audio tape, video, paper document, microfilm, electronic file or database) makes no difference in how long you should maintain the information - but the format does come into play when you decide how to keep the information for the time period required under your organization's retention policies. Working at a state school, we have records retention and disposition schedules from the state, but every organization should have some retention schedule which guides the record keeper or custodian (as I like to call them) on how long to maintain the records. The custodian is usually the user/creator of the information. They know the content of the records, how they are used, and usually if there is another copy somewhere else. I've heard a lot about automated archiving systems for email and although they are a great idea, they can cause problems - because if you archive everything you retain multiple copies of the same emails sent to everyone in the organization and you retain loads of unnecessary information - like meeting arrangement emails (i.e. "are you available here???"), personal emails, and confidential emails (FERPA, HIPAA related). Again working at a state school, if we retain all emails that come and go through our email system (only for faculty and staff) and someone requests them through a FOIA request we have to spend the time and effort to locate them in the huge archive. Same goes for litigation - if someone subpoenas all the email and we have it all, they get it all!! My answer is set retentions based upon content of the email - and for that matter any type of information regardless of format. Train your users to make classification decisions based upon the records series in the schedules, and have them place emails in an archive with some indexing/classification/metadata - without any metadata (other than a subject line - and I hope you know most people write terrible subject lines on emails) it is extremely difficult to find what it is you are looking for in a general email archive. A metadata field can be linked to the retention schedule and then the system can remove the emails from the archive once they have met retention. It's not the easiest answer - such as throwing it all out or keep it all - but the costs involved in finding or not having information when you need it could be very damaging! If you have a records management manager at your school, get them involved in this discussion and the policy you set. I hope this helped a bit and I'd be happy to answer other questions off the list. Thanks, Caroline Caroline J. Walters, MA, MLS University Records Officer/Records Management Information Security, Policy, and Records Office (ISPRO) Office of the Vice President/CIO University of Virginia, 2400 Old Ivy Rd. Box 400898, Charlottesville, VA 22904-4898 Phone: (434) 243-9162 Fax: (434) 243-9197 Email: cjwalters () virginia edu<mailto:cjwalters () virginia edu> -----Original Message----- From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Zach Jansen Sent: Thursday, July 16, 2009 4:09 PM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: Re: [SECURITY] archiving email I am curious about this as well since I've been looking at this again recently. I looked at several school policies that are available via google: "site:.edu email retention policy" In general what I saw were retention periods ranging from 180 days to 4 years. Public institutions had the longer periods as they sometimes had state public records retention requirements. Seemed like the private institutions favored the shorter retention periods. A few sites broke their email down into classifications such as administrative, fiscal, general, or ephemeral The other part I was interested in was the mechanism for retention. In the cases I saw, the user is expected to manually implement the retention of the documents, usually by archiving documents, printing documents, or sending them to a retention email address. I didn't see any indication that schools were implementing systems to automatically retain all records for a period of time (I saw one or two schools that seemed to be automatically deleting anything not archived after the retention period) or based on other criteria such as keywords. To me it seems like relying on users to archive messages that may be relevant for litigation may be a weak spot in a retention plan. Once notice of legal action is received this seems easier to deal with, and I've seen a few response plans indicate the need to image/copy machines, email, etc when notice is received. Is the manual nature of retention a concern that others have with their email retention policies? The other part I wondered about is, once a document is archived or printed, what is the retention period for those documents? I didn't see any indication of how that's being handled. I know that here, when people archive an email message, it's probably going to stay in the archive forever or until their storage is full. In my mind that would violate a records retention policy that states email should only be kept for X days or years when some of it is archived and kept for longer than the retention period. Anyone have any advice on these issues? Thanks, Zach Jansen -- Zach Jansen Information Security Officer Calvin College Phone: 616.526.6776 Fax: 616.526.8550
On 7/16/2009 at 10:29 AM, in message
<66CA77B6F1A6AE44B6EC941464FFB31C611A481C8E () EXCHCLUSTER scc stchas edu<mailto:66CA77B6F1A6AE44B6EC941464FFB31C611A481C8E () EXCHCLUSTER scc stchas edu>>, Barbara Keim <bkeim () STCHAS EDU<mailto:bkeim () STCHAS EDU>> wrote:
We are developing a policy related to archiving college email
including how long to store the information in case it is needed in
the future for a legal discovery process.
Could you please share samples of your policies including how long you
are saving emails.
Thank you.
Best regards,
Barbara Keim, Ph.D.
VP Technology, Research, and Planning St. Charles Community College
St. Peters, MO 63011
636-922-8573
P Please consider the environment before printing this e-mail.
Current thread:
- archiving email Barbara Keim (Jul 16)
- <Possible follow-ups>
- Re: archiving email Tupker, Mike (Jul 16)
- Re: archiving email Harry E Flowers (flowers) (Jul 16)
- Re: archiving email Zach Jansen (Jul 16)
- Re: archiving email Brian Desmond (Jul 16)
- Re: archiving email Terence Ma (Jul 16)
- Re: archiving email Walters, Caroline (cw8de) (Jul 17)