The ABCs of record management: archive, back up and covert operations

Covert operations. Spies. White House cover-ups. Who ever said email backup was boring?

In 2003, an American journalist published the classified identity of CIA covert operative Valerie Plame. The ensuing investigation into how anyone outside the US government had that kind of information revealed a staggering flaw in the White House's backup policies: the IT department had been overwriting the same backup tapes again and again, meaning important records were being destroyed on a regular basis.

When the White House's CIO was called to a secret grand jury, they were unable to attest to the existence or non-existence of emails that allegedly related to the disclosure of Plame's identity.

Granted, most Australian businesses aren't the Bush Administration, or even an intelligence agency specialising in the uncovering of international intrigue. But like the White House, their employees can be called as witnesses in court, and their email records subpoenaed.

'Til death do you part ... from your company and its email policy

But according to David Thompson, the Asia-Pacific vice-president of archive management company AXS-One, many Australian companies simply don't take email seriously yet.

"For most Australian corporations, email is still not seen as a record," Thompson says.

But emails are business records, and therefore need to be kept in case of legal proceedings. This has even been legislated, though not in so many words: if a document - whatever the medium - has any relevance to business, then it is affected by any legislation referring to that type of business document.

So if you receive a purchase order via email, you must keep it for however long the law demands purchase orders be kept, even though it is in the form of a simple email.

Many Australian businesses are unaware of this. In fact, Thompson says most people either keep records forever, or delete them after 60 days.

Funnily enough, both of these scenarios can land you in hot water. The White House got into trouble because it wasn't keeping an archive at all, but keeping records for too long can also be harmful to your business. As Thompson says, "You shouldn't keep anything longer than required by law or policy. You want to make sure it gets deleted."

The reasons why this is the case vary. A good example is privacy: if you keep an email with a client's personal information for an 'unreasonable' amount of time, and this email is seen by the wrong person, you may arrive at work one morning to find a writ under the door.

In an effort to complicate your life even further, the laws regarding document retention stipulate wildly different time periods for different types of document. This can be anywhere from six months to 150 years. But while you and the last of your bloodline may be long dead by then, someone will be held accountable.

However, you can't just delete emails at your own leisure: the law says that any deletion of a business document must be in line with your company's internal policy, or legislation for that type of document. Thompson says that if you just delete something willy-nilly, you could be in trouble.

And that brings us back to the CIA: in backing up over the top of its existing backups, the White House neglected to keep archival copies of business documents that could be - and in fact were - related to a court case later down the track.

Worst practices

So what should the White House have done, and what should you do in the future? The answer is messy, and that's part of the reason why we don't yet have any industry guidelines detailing best practices for backup recycling, or email management.

"People are all over the place. Lawyers disagree on this. Your major managing and consulting companies - a lot of them don't understand it," says Thompson.

Best practice basically boils down to a tension between security and economy.

Firstly, you need to know what legislation applies to your business and how long you must keep different records for, and you need a way to take those records outside of your backup cycle.

Also, reusing backup tapes will leave traces of data on the tapes. This means the only way to be certain that old records are gone from your backup is to only operate with new, blank tapes, destroying a backup tape once it becomes redundant.

Before you have a heart attack, this isn't Thompson's final conclusion. He says you must ask yourself: is the risk in re-using the same backup tapes - and leaving trace amounts of data on the tapes - acceptable? He believes that yes, in most cases the risk is acceptable. A constant stream of new tapes is simply too costly.

Of course, the best thing you can really do is talk to a lawyer.

And what of the future? Will there soon be industry guidelines?

"Well there has to be at some point. Because we can't go on the way we are. It's just not manageable."

NEXT MONTH: Mitigating litigation in the muddy minefield of messaging malpractice
