
Ethan,

 

I think you and Kyle are making a very important point that retention policy has to address removal at the appropriate time as well as retention. My feeling is that every institution is going to have to come to grips with this in terms of what makes sense for that particular institution. My previous institution was a State University and we had to comply with the State retention policy for Massachusetts State Agencies. That ignored students but had very strict rules for employees with different retention policies based on the content of the messages. The rule of thumb was 5 years for messages involving decision-making (with lots of exceptions and caveats), but for messages to or from senior staff (VP and higher) the retention period was “permanent”.

 

Thankfully I’m now at a private institution where we can craft simpler policies that are easier to implement. On the other hand my previous institution’s response to the complex requirement was to make individuals responsible for complying with retention policy with regards to their own messaging and that might make some sense. Here at Siena we use Postini for employees (faculty and staff) but accepted the Postini default retention of 10 years. My opinion is that is too long. I know of other institutions that have Postini retention measured in months rather than years. If the point is backup and self service recovery of deleted messages that makes sense. I should also say that there is at least one senior officer here who routinely deletes stuff from email and counts on Postini to find messages needed later. Also not unreasonable, but again there should be an institutional policy decision about the acceptable risks of keeping messaging that long.

 

All of this makes for a very interesting discussion, but doesn’t really address the original question from Anwar; to which I have to add my voice to those saying: why are you worrying about retention of student email? I’ve never heard of a retention policy that covers more than employees. If you do need to retain student email, and Postini is too expensive, you might look at the Barracuda mail archiving solution. It is an appliance based solution and pretty flexible in configuration.

 

- Mark

 

 

From: Ethan Benatan [mailto:ebenatan@MARYLHURST.EDU]
Sent: Tuesday, March 06, 2012 8:12 PM
Subject: Re: E-mail Retention and Gmail

 

Kyle's point is spot on.  I'm not sure what others are doing and would love to hear, but rather than accommodate general records retention policy into email retention policy, I'm trying to separate the two.

 

For one thing, I'm very uncomfortable with mixing up content that is specifically addressed in our records retention policy into the mess of email where users and accounts come and go and things are easy to delete.  Plus, some kinds of information need to be retained for very long periods; that's not a good "floor" on which to build an email retention policy. 

 

I am suggesting (and it's largely accepted at this point) that we revise our records retention policy to state that email can never be used to achieve compliance. Compliance can be achieved by digitally or physically filing things, or by ensuring that data is preserved in the ERP. 

 

This would free us up to set email retention based only on other factors, probably at one year.

 

I'd love to hear others' thoughts on this!

 

Thanks,


Ethan

 

——

Ethan Benatan, Ph.D.

Vice President for IT & 

Chief Information Officer

503.699.6325   

 

MARYLHURST UNIVERSITY

You. Unlimited.

 

Comments

Hi Ethan,

We are in the process of implementing our new email archive/retention policy. We use Gmail for students and Exchange for faculty and staff. We decided not to restrict retention of student emails but just concentrate on handling staff and faculty emails appropriately. After almost a whole year of discussions with the administration, faculty, HR and legal, we finally have a policy. Here is the summary of our policy:

* Faculty and Administrator emails will be retained for 10 years.
* Staff emails will be retained for 5 years.
* We will journal all email activities. The journals will be stored 2 years.
* We will retain all deleted emails for 2 years. If an employee leaves the institution, we wanted to make sure we can provide the last year's complete email activity if the request is within the first year of departure.
* There is a bucket called "Legal Hold". Emails that are viewed in such manner may be retained until such time that they are deemed nonessential. Only a select few can create "Legal Hold" items.

Procedurally: We are anticipating a huge explosion of space requirements. Hence backup and recovery is going to be a problem. We are purchasing two SANs with dedup and replication capabilities to handle the added space. All emails older than one year are placed into an archived email mode. The content of the archived mail is placed into slower secondary storage and a small stub remains in the Exchange database. To the user, they will see very little difference between a non-archived email and an archived email. When the user decides to retrieve the email, it takes about a second more to retrieve it from archive. The one big disadvantage is that offline Outlook will not be able to retrieve those emails.
God bless,
Sam Young
Chief Information Officer
Point Loma Nazarene University
Individualization ~ Achiever ~ Learner ~ Belief ~ Activator

From: "Berman, Mark"
Reply-To: EDUCAUSE Listserv
Date: Wed, 7 Mar 2012 07:51:18 -0800
To: EDUCAUSE Listserv
Subject: [CIO] FW: E-mail Retention and Gmail

All:

 

I think Kyle articulates excellent questions on this issue, and Rich has described what I consider the best approach to the problem of email retention. 

 

First, since Gmail offers each user robust storage, solid reliability, and actually saves “deleted” email for a while where it can be recovered by the user, I would question why anyone would bother retaining email for students.

 

Second, the same options are available for faculty and staff if the institution uses Gmail;  they should be able to manage their own as well as the students.  Our students and our faculty staff are on email under Google Apps for Education, and we take no special steps to save or backup email beyond what Google offers in the base service.

 

Third, for both students and faculty/staff a retention cycle adds to the institution’s and the users’ risk in cases involving litigation. If you save all email (for whatever period) you are saving all sorts of business-irrelevant and personal content that becomes available for discovery to anyone named in or peripheral to a lawsuit. I think one does a disservice to faculty, staff, and (particularly) students to save all this stuff and make it a potential target for litigants who won’t have their best interests at heart. Moreover, once a person becomes the subject of litigation, the law expects the institution to save all electronic documentation related to that person; if there’s a year of retained email, that becomes part of what the institution must set aside and protect for potential discovery, and this “saving” can go on for a long time regardless of its effect on IT’s resources. If you don’t save it as a matter of policy, the courts don’t make you produce it; if you do save it, then you may have to save it for a very long time.

 

So I think the ideal approach is as Rich describes:  only save email (if at all) for backup purposes (a week or so?) and then write over it, or just mirror the system so it can be restored from a system loss,  but with no ability to go back in time.  We used to do this with our Mirapoint system, then moved to Gmail where we let users handle their own retention.

 

We are a state institution, though, and the state requires that certain types of documents (even in electronic form) have to be retained as “state records” for defined periods.  Typically, they are defined as state documents if they are personnel actions or work directives to subordinates.  We take the attitude that it is up to the sender and receiver to retain those documents themselves, either in electronic or paper form.  For example:  the post office delivers mail but is not responsible for knowing or preserving the content of the documents it handles in transition.  We take the attitude that we are the same.  I think this is a logical and clean approach that minimizes the ability of others to access our users’ content, and minimizes the work that central IT takes on.  

 

Hope this helps!

-Mark Reed

Binghamton – State University of New York (SUNY)  

 

 

From: The EDUCAUSE CIO Constituent Group Listserv [mailto:CIO@LISTSERV.EDUCAUSE.EDU] On Behalf Of Rich Pickett
Sent: Wednesday, March 07, 2012 1:17 AM
To: CIO@LISTSERV.EDUCAUSE.EDU
Subject: Re: [CIO] E-mail Retention and Gmail

 

Ethan,

 

We took the opposite approach and don't believe that email data should be considered any differently than other information that is covered by existing data retention policies.  We believe that the content, rather than the medium, dictates the appropriate procedures. This appears to be borne out in several E-discovery requests that I've received.  As a public university we are subject to additional requirements that aren't levied on private institutions. 

 

As soon as email no longer meets an operational need, in digital or paper format, we don't want it kept. We took the position that we will not archive any deleted email beyond a basic backup period.  In our 'legacy' email system (Mirapoint) it was 14 days for tape rotation.  Now that we moved to Google for employees it is 30 days, a period that is controlled by Google until it is irretrievably lost.  If we had control over the deletion period it would be 14 days, or less. 

 

Our Guidelines (we prefer 'guidelines' to 'policy' whenever possible) are at: http://bfa.sdsu.edu/policies/pdf/emailretnpolc.pdf


Chief Information Officer
San Diego State University
San Diego CA 92182-1604
Rich.Pickett@SDSU.edu
ETS.SDSU.edu
619-594-8370

 

 




At Idaho State University we take the exact same approach Mark just described...for the same reasons.
I based my arguments on an excellent presentation on the topic a number of years ago at Educause.
Randy

Mark has very clearly stated exactly our views here, too.
Theresa

Dear Colleagues,

 

I appreciate all the thoughtful responses and dialogues that my e-mail has generated. I gathered that the general consensus on the topic is to take the position not to archive any emails beyond a basic backup period. For those in the administration who still see a need for an e-mail retention policy – we can summarize that as 14 days or whatever backup rotation is used.

 

I also understand that if a retention policy must be supported in Gmail, there are alternatives to Postini for the purpose.

 

Cheers,

 

Anwar

 

 

Saving vs. not saving information is a two-edged sword. It can cut against you but it can also cut for you. I have had cases where a note or record in a litigation makes all the difference to save the university. On the other hand, it can also be a huge disadvantage if the university is in the wrong. The question becomes - do you expect your employees to be in the wrong more or in the right more? Are they acting in a fair and just manner or are they allowing their prejudices and other biases to surface in the workplace? We, of course, know that we have both types of employees and both types of lawsuits. Question is - which is more likely and which is going to cost more?

God bless,
Sam Young
Sent from my iPhone

On Mar 7, 2012, at 12:04 PM, "Theresa Rowe" wrote:

Mark has very clearly stated exactly our views here, too.
Theresa