Data Retention and Archiving

[klawd]

We have been reviewing policy and procedure in the school, and something which has cropped up as a potentially serious issue, is the one of data retention.

I'm told that currently all data about children must be held in our establishment for 5 years. This lead to questions regarding email retention.

We host our own email using exchange 2003, and have "limited" measures in place for email archiving. I was wondering how other schools handle long term data archiving (software and hardware), especially email archiving, and what systems they have in place to process requests under the FOI act.

[maniac]

The only system which we are required to retain the information in is SIMS and the finance system as far as I know, both of which deal with their own archiving inside the program, so as long as you have up-to-date backups should the worst happen, as far as retaining data is concerned you're covered (as far as I'm aware.)

All the rest is merely a service that is provided to the student or staff member while they are in attendance at the school so we don't retain anything network wise for that long. We keep Students work on the network for 6 months after they leave, and it will be available on backup tapes for a further 12 months until the last monthly backup with it on gets over written. Same for staff home folders and e-mail accounts.

Please someone correct me if I'm wrong.

Mike.

[enjay]

We run a similar system to Maniac, although leavers' work is kept for longer as we archive it to our NAS (don't think I've ever been asked for anything more than about 6 months old, though).

My understanding is that the FOI does not require us to provide any and all information which we have ever held about someone, merely to provide what information is still held at the time of the enquiry.

Remember also that there is a "get out clause" in the FOI which pretty much means that an organisation can refuse a request if it is too difficult to provide the information.

[notalot]

We hold data on Sims backups as maniac does, also when checking with the major exam boards they say that they won’t ask for information relating to any course work (electronic or otherwise) past 6 months after the results date (for the longest).

We currently keep user areas for 1 year for students and staff. Emails are kept on a 1 year rolling backup as part of our monthly backups. These are all backed up to tapes and stored off site.

[klawd]

Thanks for the responses. Very interesting.

How do people handle email retention and archiving?

There has been an incident here, which has referred to correspondence via email between staff and parent, which took place some time ago (over 6 months), for evidence purposes.

Just wondering how others deal with this.

[Ketlane]

It's all horribly complicated and I think we all worry that we'll get it wrong - applies to paper files as well as e-files (and as some establishments already scan all paper documents and then retain the e-file, it gets even more complex)

Need to retain evidence of correspondence and internal documents so that an audit trail and evidence that things that should have been done, have been done. This might be for a long time: consider the student who comes back with a legal challenge that he/she hadn't been looked after properly, perhaps years later when the trigger for the action is dropping out of uni. This needs to be balanced with the Data Protection principle that we should not keep data that is not held for the benefit of the data subject. In that context we get requests for verification of old exam results - some as far back as the 1960s - so that sort of e-data needs pretty permanent storage.

The big load on any school that is brave enough to do things by the book must be the cost of weeding the files, whether electronic or paper.

My guess - not our policy, my guess - is that 6 months or a year might not be long enough in some cases. Storage space is cheap so I would tend to go for longer storage.

[pete]

Thanks for the responses. Very interesting.

How do people handle email retention and archiving?

There has been an incident here, which has referred to correspondence via email between staff and parent, which took place some time ago (over 6 months), for evidence purposes.

Just wondering how others deal with this.

There are 3 main approaches:

1) Favoured by companies who get sued a lot (or rather, favoured by their legal dept):

"We don't keep anything older than 3 months". That's their policy and it's legal to do so. They also usually make impromptu per-user archiving (say .pst to a network homedir) impossible (automated regular sweeps of fileservers) and grounds for dismissal* or disciplinary action.

2) Favoured by hoarders, packrats and people who panic.

"Let's keep everything!!!!" "On sata disks, yay - terabytes are cheap". These people are hated by their legal depts, their sysadmins and loved by professional evidence audit teams (per-day rate + terabytes = happy bonus time for auditors) and Ontrack (same reason - "we don't need no stinking enterprise rated sata, use the pc world special").

3) The balanced approach

"How long, assuming our backups are good and regularly tested, do we need to retain email for the purpose of school business?"

Decide that and then set your time. You are under _no_ obligation to save email correspondance to "prove" one way or another whether something did or didn't happen beyond then. Saving it can later bite you in the arse and so can not saving it, so it's a wash overall. Retention should be "reasonable", not kept out of fear you'll get spanked if you don't.

If you have $requested_data, and the requestee has a legal claim to see it, hand it over. But "sorry, that's outside our data retention periods" is also a perfectly valid response. Provided you have a set policy that states "we keep X for $time".

*if you're the sysadmin who kept a "just-in-case" backup of the mailserver before carrying out some work and the evidence search team finds it, you will not be popular.