Re: archiving email

["Walters, Caroline (cw8de)" <cw8de () ESERVICES VIRGINIA EDU>]

Hello All,

I was told about the "archiving emails" below by my colleagues in IT Security/Policy here at UVA - I am not an IT 
person and know just enough about computers to get myself into trouble, but I do know Records Management.

To answer the question about how long to maintain an email - you really need to know the content of the email.  Email 
in fact is just a transmission method for information and is not what we Records Managers call a Records Series.  
Saving all email for one set period of time can cause problems - you either destroy some things too soon or you hold on 
to other things too long.  Classifying the email based upon the content is the only way to properly maintain the 
records in accordance with any records retention and disposition schedule.  This is the same for any type of 
information - the format (email, voicemail, audio tape, video, paper document, microfilm, electronic file or database) 
makes no difference in how long you should maintain the information - but the format does come into play when you 
decide how to keep the information for the time period required under your organization's retention policies.

Working at a state school, we have records retention and disposition schedules from the state, but every organization 
should have some retention schedule which guides the record keeper or custodian (as I like to call them) on how long to 
maintain the records.  The custodian is usually the user/creator of the information.  They know the content of the 
records, how they are used, and usually if there is another copy somewhere else.

I've heard a lot about automated archiving systems for email and although they are a great idea, they can cause 
problems - because if you archive everything you retain multiple copies of the same emails sent to everyone in the 
organization and you retain loads of unnecessary information - like meeting arrangement emails (i.e. "are you available 
here???"), personal emails, and confidential emails (FERPA, HIPAA related).  Again working at a state school, if we 
retain all emails that come and go through our email system (only for faculty and staff) and someone requests them 
through a FOIA request we have to spend the time and effort to locate them in the huge archive.  Same goes for 
litigation - if someone subpoenas all the email and we have it all, they get it all!!

My answer is set retentions based upon content of the email - and for that matter any type of information regardless of 
format.  Train your users to make classification decisions based upon the records series in the schedules, and have 
them place emails in an archive with some indexing/classification/metadata - without any metadata (other than a subject 
line - and I hope you know most people write terrible subject lines on emails) it is extremely difficult to find what 
it is you are looking for in a general email archive.  A metadata field can be linked to the retention schedule and 
then the system can remove the emails from the archive once they have met retention.

It's not the easiest answer - such as throwing it all out or keep it all - but the costs involved in finding or not 
having information when  you need it could be very damaging!

If you have a records management manager at your school, get them involved in this discussion and the policy you set.

I hope this helped a bit and I'd be happy to answer other questions off the list.
Thanks,
Caroline

Caroline J. Walters, MA, MLS
University Records Officer/Records Management
Information Security, Policy, and Records Office (ISPRO)
Office of the Vice President/CIO
University of Virginia, 2400 Old Ivy Rd.
Box 400898, Charlottesville, VA 22904-4898
Phone: (434) 243-9162
Fax: (434) 243-9197
Email: cjwalters () virginia edu<mailto:cjwalters () virginia edu>


-----Original Message-----

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Zach 
Jansen

Sent: Thursday, July 16, 2009 4:09 PM

To: SECURITY () LISTSERV EDUCAUSE EDU

Subject: Re: [SECURITY] archiving email



I am curious about this as well since I've been looking at this again recently. I looked at several school policies 
that are available via google: "site:.edu email retention policy"



In general what I saw were retention periods ranging from 180 days to 4 years. Public institutions had the longer 
periods as they sometimes had state public records retention requirements. Seemed like the private institutions favored 
the shorter retention periods. A few sites broke their email down into classifications such as administrative, fiscal, 
general, or ephemeral



The other part I was interested in was the mechanism for retention. In the cases I saw, the user is expected to 
manually implement the retention of the documents, usually by archiving documents, printing documents, or sending them 
to a retention email address. I didn't see any indication that schools were implementing systems to automatically 
retain all records for a period of time (I saw one or two schools that seemed to be automatically deleting anything not 
archived after the retention period) or based on other criteria such as keywords. To me it seems like relying on users 
to archive messages that may be relevant for litigation may be a weak spot in a retention plan. Once notice of legal 
action is received this seems easier to deal with, and I've seen a few response plans indicate the need to image/copy 
machines, email, etc when notice is received. Is the manual nature of retention a concern that others have with their 
email retention policies?



The other part I wondered about is, once a document is archived or printed, what is the retention period for those 
documents? I didn't see any indication of how that's being handled. I know that here, when people archive an email 
message, it's probably going to stay in the archive forever or until their storage is full. In my mind that would 
violate a records retention policy that states email should only be kept for X days or years when some of it is 
archived and kept for longer than the retention period.







Anyone have any advice on these issues?



Thanks,



Zach Jansen





--



Zach Jansen

Information Security Officer

Calvin College

Phone: 616.526.6776

Fax: 616.526.8550



> > > On 7/16/2009 at 10:29 AM, in message

<66CA77B6F1A6AE44B6EC941464FFB31C611A481C8E () EXCHCLUSTER scc stchas 
edu<mailto:66CA77B6F1A6AE44B6EC941464FFB31C611A481C8E () EXCHCLUSTER scc stchas edu>>,

Barbara Keim <bkeim () STCHAS EDU<mailto:bkeim () STCHAS EDU>> wrote:

> We are developing a policy related to archiving college email

> including how long to store the information in case it is needed in

> the future for a legal discovery process.

>

> Could you please share samples of your policies including how long you

> are saving emails.

>

> Thank you.

>

> Best regards,

>

>

> Barbara Keim, Ph.D.

> VP  Technology, Research, and Planning St. Charles Community College

> St. Peters, MO  63011

> 636-922-8573

>

>

> P Please consider the environment before printing this e-mail.