
Don't delete that email! Why you must keep biz docs for 6 YEARS

Companies should retain project emails and documents in a central repository for more than six years before considering deleting the information, an expert in resolving IT disputes has said. Ian Birdsey of Pinsent Masons, the law firm behind Out-Law.com, said that organisations should consider retaining the information for …

COMMENTS

This topic is closed for new posts.


Silver badge

You think it's gone - but it isn't

Then there is the opposite situation, where someone deletes embarrassing emails and blithely assumes they are gone where all the old bits go. Years later, those self-same emails are still reposing snugly in the corporate evidence repository, thanks to generations of self-sacrificing sysadmins and their backup procedures.

2
0
Silver badge
Meh

Re: You think it's gone - but it isn't

All businesses are required to keep documentation for six years, what's new? It's just that when you think about it, how many inane emails from this person and that you will have to store.

Buy shares in data storage now!

2
0
Bronze badge

Social media messages?

How are Facebook information and Tweets to be saved for six years, then? It's not just email and paper documents any more...

2
0
Bronze badge

Re: Social media messages?

Twitter is going to allow you to download your tweets. I'm not sure if Facebook or LinkedIn allow you to export your data. But the point is well made.

0
0

Re: Social media messages?

You can export some data from Facebook, but it's a little vague on how far back they keep it.

https://www.facebook.com/help/326826564067688

0
0
Silver badge

Sir

You just know someone is going to store all their junk in 'the cloud' and get it lost for them.

In fact, I run my own business (technically) and all my emails are in the cloud and have been for 12 years. If my email provider loses their data storage I have no idea if my emails are backed up.

C'est la vie.

0
0
Silver badge
Devil

Re: Sir

That could actually be a nice little earner for a shady cloud company... get a contract to be the exclusive data storage and backup provider for MegaCorp Incorporated, with some under the table backhanders cementing the understanding that there will be a "catastrophic data loss" if any government agents start sniffing around.

But no-one would ever do such a dishonest thing, would they?

2
0
Silver badge

Re: Sir

I'd market it to politicians first...

2
0
Devil

Re: Sir

Depends on the country and the object of the cover-up. In the US, whistleblowers receive a cut of fines for violations of tax and/or securities law. Do you trust Shady Cloud Inc. that much?

0
0
Facepalm

Personal folders

So do I just put everything I'm unsure about into a sub-folder of "Personal" & it's no longer available to investigators?

0
0
FAIL

Re: Personal folders

No. If it's on the corporate system, then it's fair game - and you should not be using the corporate system for 'personal' items anyway.

0
0
Anonymous Coward

Re: Personal folders

Depends on where you live.

I distinctly remember a recent case, in France perhaps, where an employer lost a court case brought against him by a disgruntled employee (or maybe ex-employee) because it had accessed documents stored on the company's systems which were in a folder clearly labelled as personal and private.

0
0
JDC

Re: Personal folders

Same in Spain, despite being corporate email the company cannot just open it.

0
0
Gold badge

Personal

If you can just hide stuff by calling it personal, what's the point?

There have been a number of cases of politicians hiding stuff from civil service (or equivalent) retention regimes. It's illegal, but it happens, so surely there would be a presumption that stuff received at a business email address but labelled "personal" should be inspected. Otherwise the law makes an ass of itself.

0
0
JDC

Re: Personal

Not really, it just means a court order would be required to open this mail.

0
0
Anonymous Coward

Why don't they say the sad truth? It's all a farce

Come on, everyone knows that in six years the Exchange version used to store the mailbox will be unsupported. The Windows server version that runs that Exchange version will be unsupported. You will not be able to buy or repair a server six years old and newer hardware does not run older operating systems.

On top of that, the Outlook version used to read this message will also be unsupported, same as the Windows desktop version.

Before you say virtualize everything, bear in mind that some suppliers do not support their software running in virtual environments (other than their own, of course).

The only solution that can guarantee that you're going to be able to read something in the future should be based on open data and open code. Anything different from that is simply delusional.

But then again, in six years the manager that approves the archiving initiative will not be around. And the auditors are reviewing this today; no one is asking about the mail from six years ago. So really the lesson here is do not trust the future to anyone that does not have a stake in that future.

6
4
Anonymous Coward

Re: Why don't they say the sad truth? It's all a farce

Most companies just print it or store it as plain text. Not totally convenient, but easy to do.

0
0

Re: Why don't they say the sad truth? It's all a farce

Ever hear of perimeter archiving?

0
0
Go

Re: Why don't they say the sad truth? It's all a farce

That's why you should use a third-party product to do your vaulting and indexing - it's independent of the mail/calendar system, but compatible with it.

0
0
Anonymous Coward

Re: Why don't they say the sad truth? It's all a farce

Still using Outlook from Office XP in some installations.

Can still load old PSTs from various Outlook archives.

Six years is nothing for the software in small business - remembering what you did with that backup from 3 years ago is.

0
0

Re: Why don't they say the sad truth? It's all a farce

We've had some pretty good results with a perimeter online live email archiving which cycles our old stuff into slower storage in favor of the incoming new stuff while automatically indexing everything -- it gets rid of the reliance on Exchange for archival storage, and as a sort of fringe benefit, the POLE vaulting scheme allows for quick search and retrieval in the event we find ourselves for the high jump.

0
1
Stop

Oh look another FOSS argument

But yet again, it's a straw man.

See, if you knew anything about how Exchange or Outlook worked you wouldn't have said this. And if you had any kind of corporate experience, you definitely wouldn't have said this.

The version of Exchange that created the mailbox is irrelevant. You can migrate all your old mailboxes up to the latest version with little hassle, and Microsoft will support you for this. There's even provision in the licensing agreements for it. So if you have to stand up a 2000 Exchange and a 2003 to recover an old mailbox from tape, not a problem. I still work migration projects where this is the case. Tapes are stored for a decade or more, since nobody ever throws things away.

As for Outlook, do you think corporate bosses care that much about support? I'm on site where Office 2003 is still in use. So that's your argument blown out of the water.

As for "some suppliers don't support their software running in virtual environments (other than their own...)" MS were supporting their stuff in VMWare and Citrix for years. So your "subtle" dig here is without merit also.

If you want to argue against proprietary standards, you are better off aiming at "Document Management" systems, which usually lock customers in for life since there is no easy way to export information for use in another competing system.

4
0
Anonymous Coward

Re: Why don't they say the sad truth? It's all a farce

Ever heard of contractual commitments not being satisfied?

0
0

This post has been deleted by its author

Bronze badge

Re: Why don't they say the sad truth? It's all a farce

So what you're saying is that in a few years' time the NHS could be on to a nice little earner - I'm pretty sure our servers and e-mail system can only access stuff that is at least 6 years old.....

0
0

Re: Oh look another FOSS argument

Saved me the trouble of saying it, and you did it better. Still, people always like to get a shot in at MS, don't they? Exchange is a hard act to follow.

0
0

heh

I think I will just stick to storing invoices for 7 years - like HMRC request. I see no legal obligation to store emails or other communication for such a long period, and if it's not here then I simply cannot hand it over, can I?

Such a shame...

3
0

Re: heh

>I think I will just stick to storing invoices for 7 years - like HMRC request. I see no legal obligation to store emails or other communication for such a long period, and if it's not here then I simply cannot hand it over, can I?

Upvoted your post as you are correct: aside from a few regulated professions, there is no legal obligation to keep any email or communications. If you are subject to a legal claim or investigation (e.g. OFT) you simply have to hand over the data that you currently have. You don't/can't hand over data that you don't have, like purged or deleted emails.

The main reason to consider an archiving policy in this case is if the other party has a copy of an email sent from you, or, conversely, if they claim not to have received something from you, this could leave you in a difficult position to defend yourself (or hang yourself depending on the content!) as you have no evidence to support your side of any argument.

2
1
Silver badge

Re: heh

This is not about the existing legal requirement to record business activity for HMRC/Gov/Tax purposes. It is about resolving disputes between companies.

E.g. if a previous client claimed that your business had defrauded them by misrepresenting equipment capabilities and/or falsifying system acceptance test results, and they had a few 'key' emails from five years ago, for evidence in court; then you'd look a bit silly if you couldn't find some e-mails which your chief engineer remembered sending that would prove you to be innocent.

In court, the jury would be faced with a situation where the defendant appeared to have deliberately destroyed e-mails from the relevant time, contrary to 'accepted industry practice'. It wouldn't look good for you.

1
0

Deliberate decision not to archive

A former employer of mine - a FTSE 100 company - had a deliberate policy of NOT retaining old email. Users could delete anything they wanted to from their mailbox, including from its archives.

If an incriminating email wasn't there when someone looked for it, and it was older than the backup retention period, the answer would always be 'sorry, pal, nothing we can do'.

Far less onerous than keeping everything 'just in case' and cheaper on storage too.

2
0
Silver badge

Re: Deliberate decision not to archive

However, if I were in business I'd worry that a dishonest customer might present a very biassed selection of e-mails that I sent to him in support of some dispute. Or even edit such e-mails. Would you want to be unable to prove bias - or fraud?

0
0
Silver badge

But, but, but ...

I routinely get called in to try to recover shit that was generated last week and lost yesterday! The reality is that virtually nobody understands how these infernal contraptions work ... much less how "the server" manages to dole out miscellaneous bits of binary nonsense on queue.

Speaking as a dude in the trenches, the premise of the article is nonsensical.

0
3

Re: But, but, but ...

Don't worry, "dude". It'll make more sense when you grow up a bit and graduate off the helpdesk into a real job, hopefully along the way finding a clue about "queue" vs. "cue".

3
2

Re: But, but, but ...

True, but no need to be nasty.

0
0
Silver badge

@Aaron Em: (was: Re: But, but, but ...)

I left the hell desk before it was called the hell desk. I've been retired from the 9-5 IT thing for over two decades. If you don't know what an "on queue" job is, I suggest you look it up. Think "on tour" or "on duty" for the variation of "on"; you seem to have a handle on queue.

0
2

Questions

1. What constitutes a business email?

2. Medical information has to be held for ten years. So as email is unstructured...how can business information and medical be separated to comply with retention periods? If the business information is to be deleted and the medical part retained...the document is no longer the original and therefore cannot be used as evidence in court.

3. In order to produce electronic mail in court you must be able to prove that the emails are the originals and have not been tampered with as per (2). In today's climate who will be collecting every email including spam to make sure human error does not interfere?!

Happy to be emailed - stuart.hargreaves@bii-compliance.com

0
0
Black Helicopters

Re: Questions

Wouldn't medical information be better off kept out of email entirely? I'd think just a link to an ERM/EHR system would work, and do a much better job of restricting access to those with a need-to-know.

Black helicopters, because presumably they're the DPA Police's vehicle of choice.

0
0
Anonymous Coward

Re: Questions

Medical information is just an example, email is also not just SMTP and Internet, there are huge amounts of secure private internal company email systems, all of which need archiving.

0
0
Anonymous Coward

Not far enough....

.....All communication within an office environment should be recorded in some manner now we have the technology to do so cheaply and easily. I'm a business owner, and we'll soon be rolling out the placement of recording devices on the desks of each employee that will be set up to start recording when any conversation takes place. This will allow us to have a complete record of who said what, and when, which will help our audit process immeasurably. As personal mobiles present a problem in recording the other side of the conversation, we've prohibited their use in business hours.

As for company emails, phone calls and internet browsing - done and done already. I have to say, the improvements in traceability of problems have more than offset the cost.

1
3
Anonymous Coward

Re: Not far enough....

Glad I don't work for you and I'm glad my boss doesn't have a record of what I say about him.

1
0
Silver badge
Trollface

Re: Not far enough....

Excellent. I have a proposal to set up a lobby to make that idea mandatory across the board. After all, what CAN be done, SHOULD be done. It will also help save children.

1
0
Anonymous Coward

Re: Not far enough....

Sorry, but you may soon be breaking the law. Make sure you are compliant; so many employers know F** all about call recording, you could easily break laws on Human Rights, DPA and/or Ofcom rules.

Excerpts

"....The most fundamental requirement of this condition has been that every reasonable effort is made to inform all parties to a telephone conversation that it may or will be recorded. Annex 1 provides an extract of the relevant section of the SPL/TSL."

"This means that there has to be some way in which employees at work can make or receive personal calls that will not be recorded or monitored. ....The key issue is that there are some lines at work which members of staff can use for private calls secure in the confidence that calls made from them will not be recorded or monitored."

1
0
Anonymous Coward

Re: Not far enough....

Human Rights? Ofcom? Bureaucratic nonsense. Anyone working for me will not be making personal calls - not on my dime Sonny.

1
2
Happy

Re: Not far enough....

@ AC 11:07

Why should a company provide a phone that staff can use for personal calls??

Surely they are there for work, and if any emergencies do arise needing them to be contacted it won't cause a problem that the calls are recorded. Unless it is an emergency killing session and they are being activated by their handlers???

I get really annoyed by people who expect their employers to provide things (other than mandated things such as breaks/wages). They are there to do a job and that is what they should be doing; if they do not like the fact that all their calls/emails/work correspondence is monitored, maybe they should look for another job!

Sent from my highly monitored IT system sat next to my monitored phone which I will use to call my wife in a minute!

0
1
Silver badge

Re: Not far enough....

As with many such things a modicum of common sense is needed. In the case of archiving e-mails that may in part also be personal, people need to have confidence that the archive is automatic, that reading its contents will never be a matter of routine, and that if personal information is uncovered in the context of a retrieval for proper business or legal purposes, then it will remain private. Some of this is already mandated by law, more of it ought to be, and a good business won't routinely be spying on its staff because that's very bad for morale once it becomes known or even suspected.

After all that is said, the bottom line is that if you are using your employer's hardware, you can't expect the same degree of privacy you'd have if you used your own. So don't post stuff that would cause anything worse than moderate embarrassment were it to become public.

Most of us aren't BOFH's. I've more than once found embarrassing user content while doing a sysadmin's job. I've never revealed information that was not intended for my eyes.

1
0
Bronze badge

Re: Not far enough....

I knew sign language would come in handy one day!

0
0
Childcatcher

Re: Not far enough....

Ensuring that employees have access to a payphone meets the requirement for access to an unmonitored telephone.

Source: http://www.ofcom.org.uk/static/archive/oftel/publications/1999/consumer/reco0899.html

0
0
Anonymous Coward

Re: Not far enough....

Dear Anonymous, I had to upvote you as this was clearly sarcasm (or at least SHOULD be considered sarcasm)!

0
0
Bronze badge

Re: Not far enough....

>employees have access to a payphone meets the requirement for access to an unmonitored telephone

Fun how we forget about things. The first company I worked with in the late 70's had pay phones for personal use and all external calls from office phones were dialed via the switch board (switchboard hours only), it was a sign of status that the departmental manager's office phone allowed the direct dialing of outside calls.

0
0

Policy

This is an odd article as it misses a number of important points:

-- There's no obligation to store email for seven years or any other time. There ARE obligations for different times for different things -- payroll, contracts...

-- There's no magic cutoff at seven years. If you're holding information that's ten years old, and it's relevant, the court can order you to discover it

-- Filing system documents are just as vulnerable as email to being produced in 'discovery'

The proper approach is

-- A clear policy which is appropriate for your business (so it covers stuff you keep indefinitely, and a cut-off date for things you don't want) and isn't just wriggling to avoid legal obligations

-- Implementation of your policy -- IE you actually DO delete stuff older than eighteen months. Crucial.

-- Implementation of a 'legal hold' so stuff which is being discovered at month 17 won't be deleted before it can be produced.

Unless you can actually delete (from archive and tapes) and retain for legal holds, I would say that you're better off keeping everything, and cataloguing your tapes REALLY carefully.

5
1
