Don't delete that email! Why you must keep biz docs for 6 YEARS

Companies should retain project emails and documents in a central repository for more than six years before considering deleting the information, an expert in resolving IT disputes has said. Ian Birdsey of Pinsent Masons, the law firm behind Out-Law.com, said that organisations should consider retaining the information for …

COMMENTS

This topic is closed for new posts.


  1. Anonymous Coward
    Anonymous Coward

    You think it's gone - but it isn't

    Then there is the opposite situation, where someone deletes embarrassing emails and blithely assumes they are gone where all the old bits go. Years later, those self-same emails are still reposing snugly in the corporate evidence repository, thanks to generations of self-sacrificing sysadmins and their backup procedures.

    1. LarsG
      Meh

      Re: You think it's gone - but it isn't

      All businesses are required to keep documentation for six years, what's new? It's just that when you think about it, how many inane emails from this person and that you will have to store.

      Buy shares in data storage now!

  2. Anonymous IV

    Social media messages?

    How are Facebook information and Tweets to be saved for six years, then? It's not just email and paper documents any more...

    1. Brewster's Angle Grinder Silver badge

      Re: Social media messages?

      Twitter is going to allow you to download your tweets. I'm not sure if Facebook or LinkedIn allow you to export your data. But the point is well made.

      1. David Neil

        Re: Social media messages?

        You can export some data from Facebook, but it's a little vague on how far back they keep it

        https://www.facebook.com/help/326826564067688

  3. Sir Runcible Spoon

    Sir

    You just know someone is going to store all their junk in 'the cloud' and get it lost for them.

    In fact, I run my own business (technically) and all my emails are in the cloud and have been for 12 years. If my email provider loses their data storage I have no idea if my emails are backed up.

    C'est la vie.

    1. auburnman
      Devil

      Re: Sir

      That could actually be a nice little earner for a shady cloud company... get a contract to be the exclusive data storage and backup provider for MegaCorp Incorporated, with some under the table backhanders cementing the understanding that there will be a "catastrophic data loss" if any government agents start sniffing around.

      But no-one would ever do such a dishonest thing, would they?

      1. Anonymous Coward
        Anonymous Coward

        Re: Sir

        I'd market it to politicians first...

      2. Brad Ackerman
        Devil

        Re: Sir

        Depends on the country and the object of the cover-up. In the US, whistleblowers receive a cut of fines for violations of tax and/or securities law. Do you trust Shady Cloud Inc. that much?

  4. johnB
    Facepalm

    Personal folders

    So do I just put everything I'm unsure about into a sub-folder of "Personal" & it's no longer available to investigators?

    1. David Paul Morgan
      FAIL

      Re: Personal folders

      No. If it's on the corporate system, then it's fair game - and you should not be using the corporate system for 'personal' items anyway.

      1. Anonymous Coward
        Anonymous Coward

        Re: Personal folders

        Depends on where you live.

        I distinctly remember a recent case, in France perhaps, where an employer lost a court case brought against him by a disgruntled employee (or maybe ex-employee) because it had accessed documents stored on the company's systems which were in a folder clearly labelled as personal and private.

        1. JDC

          Re: Personal folders

          Same in Spain, despite being corporate email the company cannot just open it.

  5. Ken Hagan Gold badge

    Personal

    If you can just hide stuff by calling it personal, what's the point?

    There have been a number of cases of politicians hiding stuff from civil service (or equivalent) retention regimes. It's illegal, but it happens, so surely there would be a presumption that stuff received at a business email address but labelled "personal" should be inspected. Otherwise the law makes an ass of itself.

    1. JDC

      Re: Personal

      Not really, it just means a court order would be required to open this mail.

  6. Anonymous Coward
    Anonymous Coward

    Why don't they say the sad truth? It's all a farce

    Come on, everyone knows that in six years the Exchange version used to store the mailbox will be unsupported. The Windows server version that runs that Exchange version will be unsupported. You will not be able to buy or repair a server six years old and newer hardware does not run older operating systems.

    On top of that, the Outlook version used to read this message will also be unsupported, same as the Windows desktop version.

    Before you say virtualize everything, bear in mind that some suppliers do not support their software running in virtual environments (other than their own, of course).

    The only solution that can guarantee that you're going to be able to read something in the future should be based on open data and open code. Anything different from that is simply delusional.

    But then again, in six years the manager that approves the archiving initiative will not be around. And the auditors are reviewing this today, no one is asking about the mail from six years ago. So really the lesson here is do not trust the future to anyone that does not have a stake in that future.

    1. Anonymous Coward
      Anonymous Coward

      Re: Why don't they say the sad truth? It's all a farce

      Most companies just print it or store it as plain text. Not totally convenient, but easy to do.

    2. Inertia

      Re: Why don't they say the sad truth? It's all a farce

      Ever hear of perimeter archiving?

      1. Anonymous Coward
        Anonymous Coward

        Re: Why don't they say the sad truth? It's all a farce

        Ever heard of contractual commitments not being satisfied?

    3. David Paul Morgan
      Go

      Re: Why don't they say the sad truth? It's all a farce

      That's why you should use a third-party product to do your vaulting and indexing - it's independent of the mail/calendar system, but compatible with it.

      1. Aaron Em

        Re: Why don't they say the sad truth? It's all a farce

        We've had some pretty good results with a perimeter online live email archiving which cycles our old stuff into slower storage in favor of the incoming new stuff while automatically indexing everything -- it gets rid of the reliance on Exchange for archival storage, and as a sort of fringe benefit, the POLE vaulting scheme allows for quick search and retrieval in the event we find ourselves for the high jump.

    4. Anonymous Coward
      Anonymous Coward

      Re: Why don't they say the sad truth? It's all a farce

      Still using Outlook from Office XP in some installations.

      Can still load old PSTs from various Outlook archives.

      Six years is nothing for the software in small business - remembering what you did with that backup from 3 years ago is.

    5. Peter Jones 2
      Stop

      Oh look another FOSS argument

      But yet again, it's a straw man.

      See, if you knew anything about how Exchange or Outlook worked you wouldn't have said this. And if you had any kind of corporate experience, you definitely wouldn't have said this.

      The version of Exchange that created the mailbox is irrelevant. You can migrate all your old mailboxes up to the latest version with little hassle, and Microsoft will support you for this. There's even provision in the licensing agreements for it. So if you have to stand up a 2000 Exchange and a 2003 to recover an old mailbox from tape, not a problem. I still work migration projects where this is the case. Tapes are stored for a decade or more, since nobody ever throws things away.

      As for Outlook, do you think corporate bosses care that much about support? I'm on site where Office 2003 is still in use. So that's your argument blown out of the water.

      As for "some suppliers don't support their software running in virtual environments (other than their own...)", MS were supporting their stuff in VMware and Citrix for years. So your "subtle" dig here is without merit also.

      If you want to argue against proprietary standards, you are better off aiming at "Document Management" systems, which usually lock customers in for life since there is no easy way to export information for use in another competing system.

      1. This post has been deleted by its author

      2. Chris Parsons

        Re: Oh look another FOSS argument

        Saved me the trouble of saying it, and you did it better. Still, people always like to get a shot in at MS, don't they? Exchange is a hard act to follow.

    6. Great Bu

      Re: Why don't they say the sad truth? It's all a farce

      So what you're saying is that in a few years' time the NHS could be on to a nice little earner - I'm pretty sure our servers and e-mail system can only access stuff that is at least 6 years old.....

  7. Richard Jukes

    heh

    I think I will just stick to storing invoices for 7 years - like HMRC request. I see no legal obligation to store emails or other communication for such a long period, and if it's not here then I simply cannot hand it over, can I?

    Such a shame...

    1. MikeS

      Re: heh

      >I think I will just stick to storing invoices for 7 years - like HMRC request. I see no legal obligation to store emails or other communication for such a long period, and if it's not here then I simply cannot hand it over, can I?

      Upvoted your post as you are correct: aside from a few regulated professions, there is no legal obligation to keep any email or communications. If you are subject to a legal claim or investigation (e.g. OFT) you simply have to hand over the data that you currently have. You don't/can't hand over data that you don't have, like purged or deleted emails.

      The main reason to consider an archiving policy in this case is if the other party has a copy of an email sent from you, or, conversely, if they claim not to have received something from you, this could leave you in a difficult position to defend yourself (or hang yourself depending on the content!) as you have no evidence to support your side of any argument.

    2. frank ly

      Re: heh

      This is not about the existing legal requirement to record business activity for HMRC/Gov/Tax purposes. It is about resolving disputes between companies.

      E.g. if a previous client claimed that your business had defrauded them by misrepresenting equipment capabilities and/or falsifying system acceptance test results, and they had a few 'key' emails from five years ago, for evidence in court; then you'd look a bit silly if you couldn't find some e-mails which your chief engineer remembered sending that would prove you to be innocent.

      In court, the jury would be faced with a situation where the defendant appeared to have deliberately destroyed e-mails from the relevant time, contrary to 'accepted industry practice'. It wouldn't look good for you.

  8. Matthew 3

    Deliberate decision not to archive

    A former employer of mine - a FTSE 100 company - had a deliberate policy of NOT retaining old email. Users could delete anything they wanted to from their mailbox, including from its archives.

    If an incriminating email wasn't there when someone looked for it, and it was older than the backup retention period, the answer would always be 'sorry, pal, nothing we can do'.

    Far less onerous than keeping everything 'just in case' and cheaper on storage too.

    1. Nigel 11

      Re: Deliberate decision not to archive

      However, if I were in business I'd worry that a dishonest customer might present a very biassed selection of e-mails that I sent to him in support of some dispute. Or even edit such e-mails. Would you want to be unable to prove bias - or fraud?

  9. jake Silver badge

    But, but, but ...

    I routinely get called in to try to recover shit that was generated last week and lost yesterday! The reality is that virtually nobody understands how these infernal contraptions work ... much less how "the server" manages to dole out miscellaneous bits of binary nonsense on queue.

    Speaking as a dude in the trenches, the premise of the article is nonsensical.

    1. Aaron Em

      Re: But, but, but ...

      Don't worry, "dude". It'll make more sense when you grow up a bit and graduate off the helpdesk into a real job, hopefully along the way finding a clue about "queue" vs. "cue".

      1. Chris Parsons

        Re: But, but, but ...

        True, but no need to be nasty.

      2. jake Silver badge

        @Aaron Em: (was: Re: But, but, but ...)

        I left the hell desk before it was called the hell desk. I've been retired from the 9-5 IT thing for over two decades. If you don't know what an "on queue" job is, I suggest you look it up. Think "on tour" or "on duty" for the variation of "on"; you seem to have a handle on queue.

  10. SCHargo

    Questions

    1. What constitutes a business email?

    2. Medical information has to be held for ten years. So as email is unstructured...how can business information and medical be separated to comply with retention periods? If the business information is to be deleted and the medical part retained...the document is no longer the original and therefore cannot be used as evidence in court.

    3. In order to produce electronic mail in court you must be able to prove that the emails are the originals and have not been tampered with as per (2). In today's climate who will be collecting every email including spam to make sure human error does not interfere?!

    Happy to be emailed - stuart.hargreaves@bii-compliance.com

    1. Brad Ackerman
      Black Helicopters

      Re: Questions

      Wouldn't medical information be better off kept out of email entirely? I'd think just a link to an ERM/EHR system would work, and do a much better job of restricting access to those with a need-to-know.

      Black helicopters, because presumably they're the DPA Police's vehicle of choice.

      1. Anonymous Coward
        Anonymous Coward

        Re: Questions

        Medical information is just an example, email is also not just SMTP and Internet, there are huge amounts of secure private internal company email systems, all of which need archiving.

  11. Anonymous Coward
    Anonymous Coward

    Not far enough....

    .....All communication within an office environment should be recorded in some manner now we have the technology to do so cheaply and easily. I'm a business owner, and we'll soon be rolling out the placement of recording devices on the desks of each employee that will be set up to start recording when any conversation takes place. This will allow us to have a complete record of who said what, and when, which will help our audit process immeasurably. As personal mobiles present a problem in recording the other side of the conversation, we've prohibited their use in business hours.

    As for company emails, phone calls and internet browsing - done and done already. I have to say, the improvements in traceability of problems have more than offset the cost.

    1. Anonymous Coward
      Anonymous Coward

      Re: Not far enough....

      Glad I don't work for you and I'm glad my boss doesn't have a record of what I say about him.

    2. Destroy All Monsters Silver badge
      Trollface

      Re: Not far enough....

      Excellent. I have a proposal to set up a lobby to make that idea mandatory across the board. After all, what CAN be done, SHOULD be done. It will also help save children.

    3. Anonymous Coward
      Anonymous Coward

      Re: Not far enough....

      Sorry but you may be soon breaking the law, make sure you are compliant, so many employers know F** all about call recording, you could easily break laws on Human Rights, DPA and / or Ofcom rules.

      Excerpts

      "....The most fundamental requirement of this condition has been that every reasonable effort is made to inform all parties to a telephone conversation that it may or will be recorded. Annex 1 provides an extract of the relevant section of the SPL/TSL."

      "This means that there has to be some way in which employees at work can make or receive personal calls that will not be recorded or monitored. ....The key issue is that there are some lines at work which members of staff can use for private calls secure in the confidence that calls made from them will not be recorded or monitored."

      1. Anonymous Coward
        Anonymous Coward

        Re: Not far enough....

        Human Rights? Ofcom? Bureaucratic nonsense. Anyone working for me will not be making personal calls - not on my dime Sonny.

      2. Jay Holmes
        Happy

        Re: Not far enough....

        @ AC 11:07

        Why should a company provide a phone that staff can use for personal calls??

        Surely they are there for work and if any emergencies do arise needing them to be contacted it won't cause a problem that the calls are recorded. Unless it is an emergency killing session and they are being activated by their handlers???

        I get really annoyed by people who expect their employers to provide things (other than mandated things such as breaks/wages). They are there to do a job and that is what they should be doing, if they do not like the fact that all their calls/emails work correspondence is monitored maybe they should look for another job!

        Sent from my highly monitored IT system sat next to my monitored phone which I will use to call my wife in a minute!

        1. Nigel 11

          Re: Not far enough....

          As with many such things a modicum of commonsense is needed. In the case of archiving e-mails that may in part also be personal, people need to have confidence that the archive is automatic, that reading its contents will never be a matter of routine, and that if personal information is uncovered in the context of a retrieval for proper business or legal purposes, then it will remain private. Some of this is already mandated by law, more of it ought to be, and a good business won't routinely be spying on its staff because that's very bad for morale once it becomes known or even suspected.

          After all that is said, the bottom line is that if you are using your employer's hardware, you can't expect the same degree of privacy you'd have if you used your own. So don't post stuff that would cause anything worse than moderate embarrassment were it to become public.

          Most of us aren't BOFHs. I've more than once found embarrassing user content while doing a sysadmin's job. I've never revealed information that was not intended for my eyes.

        2. Brad Ackerman
          Childcatcher

          Re: Not far enough....

          Ensuring that employees have access to a payphone meets the requirement for access to an unmonitored telephone.

          Source: http://www.ofcom.org.uk/static/archive/oftel/publications/1999/consumer/reco0899.html

          1. Roland6 Silver badge

            Re: Not far enough....

            >employees have access to a payphone meets the requirement for access to an unmonitored telephone

            Fun how we forget about things. The first company I worked with in the late 70's had pay phones for personal use and all external calls from office phones were dialed via the switch board (switchboard hours only), it was a sign of status that the departmental manager's office phone allowed the direct dialing of outside calls.

    4. Roland6 Silver badge

      Re: Not far enough....

      I knew sign language would come in handy one day!

    5. Anonymous Coward
      Anonymous Coward

      Re: Not far enough....

      Dear Anonymous, I had to upvote you as this was clearly sarcasm (or at least SHOULD be considered sarcasm)!

  12. umacf24

    Policy

    This is an odd article as it misses a number of important points:

    -- There's no obligation to store email for seven years or any other time. There ARE obligations for different times for different things -- payroll, contracts...

    -- There's no magic cutoff at seven years. If you're holding information that's ten years old, and it's relevant, the court can order you to discover it

    -- Filing system documents are just as vulnerable as email to being produced in 'discovery'

    The proper approach is

    -- A clear policy which is appropriate for your business (so it covers stuff you keep indefinitely, and a cut-off date for things you don't want) and isn't just wriggling to avoid legal obligations

    -- Implementation of your policy -- IE you actually DO delete stuff older than eighteen months. Crucial.

    -- Implementation of a 'legal hold' so stuff which is being discovered at month 17 won't be deleted before it can be produced.

    Unless you can actually delete (from archive and tapes) and retain for legal holds, I would say that you're better off keeping everything, and cataloguing your tapes REALLY carefully.
