Regulation and Email Retention
I was reading a document (http://www.umiacs.umd.edu/~oard/teaching/708x/spring09/t1.pdf)
that can really assist in our infinite quest for knowledge about "How Long
Should Email Be Saved?" This document was written in 2007, so
some modifications may have been made to some of these times, but most that I
checked are still the same as they were in 2007.
Here is a really good paragraph from this document that can
help all of us in the IM space regarding email archiving.
(Page 6)
Regulatory Compliance Requirements
A wide variety of regulations
and standards apply to record retention, and email can be a vehicle for these
records. Different regulations will apply to different departments within every
business – human resources may concern themselves with HIPAA, facilities may be
concerned with OSHA, and finance may focus on Sarbanes-Oxley. Therefore, it
makes sense to target the email archiving solution by department or area of
responsibility in order to align it with record retention regulations. The
table below shows many of the regulations that might affect record retention
and security requirements. Some affect certain market sectors or corporate
constituencies, while others are region-specific or focus on public companies
or manufacturers.
Note that most regulations do
not specify the mechanism or schedule of record retention. Instead, they detail
the desired outcome, whether that is protecting confidential information or
producing critical records on demand. However, some regulations do specify
retention periods for certain record types, as illustrated below.
Note that retentions vary relative
to different areas of focus: Some concern the lifespan of individual people,
others refer to the beginning or end of a product's development, and others are
specific to a document or other record. When they take effect also varies:
some start counting at creation while others are "term plus", adding years
after an event. Another consideration is whether the regulation calls for a
positive end or not; some demand an action at a certain time, while others are
minimums. This can get quite confusing. HIPAA, for example, calls for retaining
adult medical records only for two years after a patient's death but retaining
pediatric records until the patient reaches the age of 21. This means that a
retention scheduler would have to have access to birth dates and death records,
which would likely come from an outside source. Automating this
type of retention schedule can test the flexibility of both the archiving
product and the programmer assigned to implement it.
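As an added illustration (not from the quoted document or from this blog's author), here is how a retention scheduler might encode the distinctions the paragraph draws: counting from creation versus "term plus" counting from an external event, minimums versus positive ends, and a hold state for records whose anchoring event is not yet known (a birth date never imported, a death not yet recorded). The two medical periods are the ones stated in the quoted paragraph and are used only to show the mechanics, not as a statement of current law; the "project_file" rule and its five-year positive end are hypothetical, and all sample records are constructed.

```python
"""Retention scheduler sketch: creation-based vs. "term plus" rules,
minimums vs. positive ends, and holds when the anchor event is unknown."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, Optional


@dataclass(frozen=True)
class Rule:
    """Count `years` from an anchor event recorded on (or joined to) the record."""
    anchor: str   # "created" (on the record), or "birth"/"death" (from an outside system)
    years: int
    kind: str     # "minimum": may destroy on/after the date; "positive_end": must act on it


# Medical periods as stated in the quoted paragraph (illustrative only).
# "project_file" is a hypothetical creation-based rule added for contrast.
RULES: Dict[str, Rule] = {
    "adult_medical": Rule(anchor="death", years=2, kind="minimum"),
    "pediatric_medical": Rule(anchor="birth", years=21, kind="minimum"),
    "project_file": Rule(anchor="created", years=5, kind="positive_end"),
}


@dataclass
class Record:
    record_id: str
    record_type: str
    created: date
    birth: Optional[date] = None   # supplied by an external patient/HR system
    death: Optional[date] = None   # same; None means no death has been recorded


def add_years(d: date, years: int) -> date:
    """Calendar-year addition; Feb 29 rolls back to Feb 28 in a non-leap target year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def retention_end(rec: Record) -> Optional[date]:
    """Date the retention clock runs out, or None when the anchor event is unknown
    (patient still living, or birth date never imported), so the clock cannot start."""
    rule = RULES[rec.record_type]
    anchor = {"created": rec.created, "birth": rec.birth, "death": rec.death}[rule.anchor]
    if anchor is None:
        return None
    return add_years(anchor, rule.years)


def disposition(rec: Record, today: date) -> str:
    """'hold' while the clock cannot start, 'retain' while it runs, then
    'eligible' (minimum rule) or 'destroy_due' (positive-end rule)."""
    end = retention_end(rec)
    if end is None:
        return "hold"
    if today < end:
        return "retain"
    return "eligible" if RULES[rec.record_type].kind == "minimum" else "destroy_due"


# Constructed sample records (not real data).
ADULT_DECEASED = Record("adult-1", "adult_medical", date(2010, 1, 15), death=date(2020, 3, 10))
ADULT_LIVING = Record("adult-2", "adult_medical", date(2010, 1, 15))            # no death recorded
PEDIATRIC_LEAP = Record("peds-1", "pediatric_medical", date(2005, 1, 1), birth=date(2004, 2, 29))
PROJECT = Record("proj-1", "project_file", date(2019, 5, 1))
AS_OF = date(2024, 5, 1)


def run_samples(today: date = AS_OF) -> Dict[str, str]:
    """Disposition of every sample record as of `today`."""
    return {r.record_id: disposition(r, today)
            for r in (ADULT_DECEASED, ADULT_LIVING, PEDIATRIC_LEAP, PROJECT)}


if __name__ == "__main__":
    for rid, status in run_samples().items():
        print(f"{rid}: {status}")
```

The "hold" result is the point a naive scheduler misses: an adult record with no death on file has no computable end date at all, so the job must keep it and re-evaluate when the external feed supplies the event, rather than defaulting to the creation date. Positive-end rules additionally need an alert or action when `today` reaches the end date, not just a quiet flip to "eligible".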