Information Governance

Corporate Regulation and Email Retention

 
I was reading a document (http://www.umiacs.umd.edu/~oard/teaching/708x/spring09/t1.pdf) that can really assist in our infinite quest for knowledge about “How long should email be saved?” This document was written in 2007, so some of these retention periods may have changed since then, but most of the ones I checked are still the same as they were in 2007.
 
Here is a really good passage from this document that can help all of us in the IM space with email archiving.
 
(Page 6)

Regulatory Compliance Requirements
 
A wide variety of regulations and standards apply to record retention, and email can be a vehicle for these records. Different regulations will apply to different departments within every business – human resources may concern themselves with HIPAA, facilities may be concerned with OSHA, and finance may focus on Sarbanes-Oxley. Therefore, it makes sense to target the email archiving solution by department or area of responsibility in order to align it with record retention regulations. The table below shows many of the regulations that might affect record retention and security requirements. Some affect certain market sectors or corporate constituencies, while others are region-specific or focus on public companies or manufacturers.
 
[Table: regulations that might affect record retention and security requirements]
 
Note that most regulations do not specify the mechanism or schedule of record retention. Instead, they detail the desired outcome, whether that is protecting confidential information or producing critical records on demand. However, some regulations do specify retention periods for certain record types, as illustrated below.
 
[Table: regulations that specify retention periods for certain record types]
 
Note that retentions vary relative to different areas of focus: some concern the lifespan of individual people, others refer to the beginning or end of a product’s development, and others are specific to a document or other record. When they take effect also varies – some start counting at creation while others are “term plus”, adding years after an event. Another consideration is whether the regulation calls for a positive end or not – some demand an action at a certain time, while others are minimums. This can get quite confusing. HIPAA, for example, calls for retaining adult medical records only for two years after a patient’s death but retaining pediatric records until the patient reaches the age of 21. This means that a retention scheduler would have to have access to birth dates and death records, which would likely have to be injected from an outside source. Automating this type of retention schedule can test the flexibility of both the archiving product and the programmer assigned to implement it.
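As an added example (not part of the original post or of the cited paper), here is a small Python retention scheduler that models the three ways the quoted passage says a period can be anchored: counted from record creation, "term plus" counted from an external event such as a death date, and keep-until-an-age counted from a birth date. It also carries the minimum-versus-positive-end distinction and refuses to compute an end date when the triggering event is unknown (a patient who is still alive), which is the case that breaks naive "created + N years" scheduling. The two HIPAA figures (two years after death, until age 21) are taken from the passage above; the `finance_7yr` rule, the record identifiers, the dates and the "as of" date are all constructed for the illustration and are not a reading of any statute.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, Optional

# Hypothetical rule model for this example. Year counts other than the two
# quoted in the passage above are invented and are not legal advice.


@dataclass(frozen=True)
class RetentionRule:
    name: str
    basis: str                    # "creation": count from the record's creation date
                                  # "event":    count from an external event ("term plus")
                                  # "age":      keep until the subject reaches an age
    years: int                    # years to add, or the target age for basis == "age"
    event: Optional[str] = None   # event key required by "event"/"age" rules
    positive_end: bool = False    # True: must act at the end date; False: end is a minimum


@dataclass
class Record:
    record_id: str
    rule: str
    created: date
    # Facts injected from outside the archive (birth/death dates), keyed by name.
    events: Dict[str, date] = field(default_factory=dict)


def add_years(d: date, years: int) -> date:
    """Add whole years, clamping 29 Feb to 28 Feb when the target year is not a leap year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def retention_end(record: Record, rule: RetentionRule) -> Optional[date]:
    """Date the retention period ends, or None when the triggering event is unknown
    (e.g. an adult patient who is still alive). Returning None forces a hold instead
    of silently scheduling disposal from a guessed date."""
    if rule.basis == "creation":
        return add_years(record.created, rule.years)
    if rule.basis in ("event", "age"):
        anchor = record.events.get(rule.event) if rule.event else None
        if anchor is None:
            return None
        return add_years(anchor, rule.years)
    raise ValueError(f"unknown basis {rule.basis!r}")


def disposition(record: Record, rule: RetentionRule, today: date) -> str:
    """Classify a record as hold / retain / eligible / dispose as of `today`."""
    end = retention_end(record, rule)
    if end is None:
        return "hold: trigger event unknown"
    if today < end:
        return f"retain until {end.isoformat()}"
    if rule.positive_end:
        return f"dispose: required end {end.isoformat()} reached"
    return f"eligible: minimum met on {end.isoformat()}"


RULES: Dict[str, RetentionRule] = {
    # From the passage above: adult medical records two years after death ("term plus").
    "adult_medical": RetentionRule("adult_medical", "event", 2, "death"),
    # From the passage above: pediatric records until the patient reaches age 21.
    "pediatric_medical": RetentionRule("pediatric_medical", "age", 21, "birth"),
    # Invented: a creation-based rule with a mandatory disposal date.
    "finance_7yr": RetentionRule("finance_7yr", "creation", 7, positive_end=True),
}

# Constructed sample records (not real data) and a constructed "today".
SAMPLE_RECORDS: Dict[str, Record] = {
    "HR-1": Record("HR-1", "pediatric_medical", date(2012, 1, 10),
                   {"birth": date(2010, 3, 15)}),
    "HR-2": Record("HR-2", "adult_medical", date(2001, 7, 1),
                   {"birth": date(1950, 9, 9), "death": date(2021, 5, 2)}),
    "HR-3": Record("HR-3", "adult_medical", date(2001, 7, 1),
                   {"birth": date(1960, 4, 4)}),            # still alive: no end date yet
    "FIN-1": Record("FIN-1", "finance_7yr", date(2016, 2, 29)),  # leap-day creation
}
AS_OF = date(2024, 6, 1)


def schedule(records: Dict[str, Record], today: date) -> Dict[str, str]:
    """Run every record against its rule and return record_id -> disposition text."""
    return {rid: disposition(r, RULES[r.rule], today) for rid, r in records.items()}


if __name__ == "__main__":
    for rid, action in schedule(SAMPLE_RECORDS, AS_OF).items():
        print(f"{rid}: {action}")
```

The point to take from the "hold" branch is that the scheduler's correctness depends on data the archive does not own: if the feed of death records lapses, adult records are held indefinitely (safe) rather than purged early, which is the failure direction a compliance programme can live with.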

 

Comments

Cool, it is nice to know that some standards like SEC 17a-4 require data to be kept forever.

Good article