Monday, May 26, 2008

Re: email retention policy - and data retention (UNCLASSIFIED)

Hello,

Thank you for your summary of the article. I'm trying to get a copy of
the full article. Our little K-8 school does not have it, but I'm
checking at the nearest public library and if that doesn't work I'll try
the University.

Your information was indeed helpful and greatly needed.

Thank you,
Sister Elizabeth
Powhatan School


>>> "Johnson, Jason P Mr WRAMC_Wash DC" <Jason.Johnson3@amedd.army.mil> 5/21/2008 9:01 AM >>>
Classification: UNCLASSIFIED
Caveats: NONE

Recently I wrote an article for the AASL magazine Knowledge Quest
(Nov/Dec 2007) on this subject titled "Know When to Hold 'em". It is
not available on-line but your school librarian probably has a copy and
you may find it helpful since there was very little in the way of school
specific information available when I researched it.

Basically:
1. Not all email is created equal. Every school will have unique data
retention requirements. For example: If you have financed new
construction through a bond, you may have document retention
requirements (including email) specifically related to certain financial
requirements. Some states have passed laws that require retention of
emails by administrators but not by teachers. Any service your school
nurse or doctor charges for has HIPAA retention requirements. Your
retention policy for these documents may simply be to print them out.
It does not have to be a purely technical solution. In any case, they
tend to be a small number of emails and should not set the bar for your
entire system.
2. Lawyers will generally tell you to delete as much as you can, as
quickly as possible. Most of us want to hang on for historical
purposes, to compile historical trends, and archives can be a great
source of school information in the future. Your school has to find the
balance. Deleting everything as quickly as possible reduces the chance
of lawsuits based on a "culture" (typically discriminatory or sexual
harassment). However, if you don't have a large endowment or other
assets that can be targeted by legal action, it is less likely that you will
face that kind of legal action.
3. Keep your policy simple and automate as much as possible so you can
be sure it is followed. When you receive a warrant or are sued, any
deviation from your policy can look bad and potentially cause other
legal issues. I recommend reading this before the police arrive and
keeping a copy of it with your retention policy.
http://www.ala.org/ala/oif/ifissues/confidentiality.cfm
4. Make sure your policy considers all infrastructure. If you require
email to be retained 6 months or less, but you keep your email systems
backups for a year, then your backups are violating your retention
policy. Also make sure the policy accounts for the firewall logs, spam
filter cache, and the other infrastructure that retains copies of
messages and behavior on the network.

Obviously there is a lot more to it than this but hopefully it helps and
I believe NAIS now has some helpful resources for this as well including
a sample policy, but it is behind the pay-wall so I do not have access.

_J

___________________________________

Jason Johnson - Program Director
Web Services Branch - Walter Reed Army Medical Center Ingenium (ISO
9001:2000 certified)
Office: 202-782-1047
Cell: 202-262-0516
jason.johnson@ingenium.net
jason.p.johnson2@us.army.mil


Classification: UNCLASSIFIED
Caveats: NONE

[ For info on ISED-L see http://www.gds.org/ISED-L ]
Submissions to ISED-L are released under a creative commons, attribution, non-commercial, share-alike license.
RSS Feed, http://listserv.syr.edu/scripts/wa.exe?RSS&L=ISED-L