I think David makes some excellent points. Bottom line is the retention is
only part of the broader 'records management' process, which includes
identification, categorization and classification of records. Legal and
functional reps should all be involved in the process. Once in place, these
things will help drive how long records are kept. In my opinion (which is
reinforced by the opinion of our legal department), an e-mail copy of something
should never be kept longer than you'd keep a paper copy of a document. Just
because you can save a digital copy of something in a small space and tuck it
away doesn't mean you should. Any information you do keep could be
discoverable in a legal matter and may cost your company not only the legal
penalties, but the time and effort it takes to retrieve the information.
John Kuisle
IS Supervisor - Security and Business Recovery
Federated Mutual Insurance
507-455-5477
-----Original Message-----
From: levenick@sympatico.ca [mailto:levenick@sympatico.ca]
Sent: Friday, November 12, 2004 1:04 PM
To: security-management@securityfocus.com
Cc: Robert.Mezzone@PJSolomon.Com
Subject: Email Retention Policy
Before one can really decide how long records must be kept one should look at
defining the different type of documents there are. In my realm (Govt) we
define documents to include but not just limited to email as:
a. Transitory Records - is a record that is required only for a limited
time to ensure the completion of a routine action or the preparation of a
subsequent record. A transitory record is not a corporate record.
Examples of transitory records include:
· Information in a form used for casual communication;
· Copies used for convenience only; and
· Working drafts of letters, reports, and memos used for personal
reference (i.e., not communicated beyond the individual who created them); and
b. Corporate Record - is recorded information, regardless of physical
form, that is created, collected or received in the initiation, conduct,
control or completion of a business or operational activity. A corporate record
includes sufficient content, context and structure to provide evidence of a
business or operational activity. Corporate records are used to commit the
resources of an organization, give direction or declare the position or opinion
of an organization on any business subject or issue.
Examples of corporate records would include:
· Records used in decision-making;
· Developing or implementing a policy, directive, or procedure; or
· Carrying out government activities.
If you would agree to the above then there would be no real requirement to keep
transitory records for any longer than personal requirements. I would suggest
that "Corporate documents" should be retained locally for at least a min of two
years then further archived (central headquarters or archive dept) for at least
5 to ten years.
With regard to "Corporate Record" I would suggest that retention alone is not
sufficient. The "Corporate Record" should if in digital/electronic format, be
digitally signed using an approved method. My environment uses the PKI/Entrust
technologies to meet the mandate of digitally signing all corporate documents.
David Levenick
Information Systems Security Officer
levenick@sympatico.ca
From: "Handy, Mark (IT)" <Mark.Handy@morganstanley.com>
Date: 2004/11/12 Fri PM 01:03:14 EST
To: <Robert.Mezzone@PJSolomon.Com>,
<security-management@securityfocus.com>
Subject: Re: Email Retention Policy
David Levenick
This e-mail and its attachments are intended only for the use of the
addressee(s) and may contain privileged, confidential or proprietary
information. If you are not the intended recipient, or the employee or agent
responsible for delivering the message to the intended recipient, you are
hereby notified that any dissemination, distribution, displaying, copying, or
use of this information is strictly prohibited. If you have received this
communication in error, please inform the sender immediately and delete and
destroy any record of this message. Thank you.
