Email retention policies - regulatory considerations

["Hearn, David L." <DHearn () ADMIN FSU EDU>]

Good morning all,

I am in the beginning stages of researching and generating Email
retention guidelines for my group (and for possible dissemination within
the University). I am quite comfortable with the technical
considerations and disaster recovery(DR) best practices, but am finding
I am out of my area of expertise when attempting to integrate Legal and
Regulatory considerations into these guidelines. 

As a public institution, we operate under fairly overarching sunshine
laws and are subject to Public Records Requests where we must provide
electronic correspondence upon request within a reasonable period.

Is there anyone out there who has a formal policy the specifically
spells out IT (SysAdmin) responsibilities regarding retention with these
regulatory considerations in mind? 

I've done some research and some organizations completely punt and state
that responding to Public Records Requests is the responsibility of the
user or department and that IT bears no responsibility for responding to
these requests, regardless of DR capabilities. Having seen the other
side in action, however, I know a good plaintiff lawyer will cut that
assertion to shreds if comprehensive DR backups do indeed exist. 

I also know some government and financial sectors have addressed this
issue by implementing complete indexed\searchable journaling of all
Email correspondence. As a University, where personal freedom of
expression is highly valued (and the costs of a journaling system are
prohibitive), this is not a politically viable solution. 

I'd love to hear how this is being addressed. Thank you for your time
and consideration. 


David Hearn
FSU - OTI Windows System Admin
david.hearn () fsu edu
w -(850)644-2591
m -(850)528-4309
f - (850)644-8722
 


**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/groups/.