Questions concerning automated data centers, Part 2
4. "When was everything last backed up?"
This is another area of concern. Naturally, backups should be performed in a manner to ensure that data is not lost. But, because data on backup storage (SANs, disks, tapes, etc.) is discoverable in a legal action, the backups should be made NOT BASED ON APPLICATIONS but based on retention periods for the data to ensure only "like retention period data" is on each backup device. This will allow for the appropriate destruction of data in accordance with assigned retention periods and prevent the retention of other data beyond these periods. These are what are generally referred to as "ticking time bombs" by the legal counsel of organizations...the e-mails that were kept because it was easier to store them all than apply appropriate rules based decisions for destroying non-record material.
5. "Do I need to actually back everything up or can I get rid of a lot of stale data?"
The first part of this question is a valid one. The second part is dangerous. To simply make the decision based on "stale data" is not what fits into a "best practice" in the RIM environment. Records are identified by a series that is assigned a retention period based on a number of issues: regulatory or legal requirements, business or fiscal needs, historic or enduring value being the primary issues. Each record series is assigned a retention period and prior to destruction of the data, which is periodically reviewed to ensure there are no new requirements (or legal reasons) to extend the retention and is ALWAYS reviewed prior to destruction of the data. The decision for destruction should be ultimately made by the "owning organization" as they will bear the greatest impact if data is no longer available.
6. "Which data is mandated to be kept by regulatory requirements?"
Hopefully, your list wasn't in any specific order. If so, this item should have been at the top of the list. ALL decisions related to storage of data should be based upon the regulatory requirements facing an organization ahead of the other considerations.
7. "The hard work (which is policy definition and creation) needs to be done by you. So start defining your policies today."
And this is definitely true but I wish you would have defined better who the "you" in this statement is. The IT personnel are the ones given the functional responsibility for providing access to the data but the decisions on policy should involve the records and information management organization, the compliance and legal counsel organization, and DEFINITELY the client or owning organization. These policies should not be developed in a vacuum by IT based on operational considerations.
Click here for Part 1.
4. I think you are mixing up backups with data retention here. If the data in question has already been archived with a retention period based on a business process that created a policy for that data, then it should already be assumed to have been backed up.
Most policy requirements (say for SEC 17a-4) would also include the need for an off-site copy of that data. The intelligent management software would need to determine normal backup
policy for online data, and that of the retention policy based on data that has been archived for regulatory requirements. ANY data that was archived due to policy MUST be available for recovery during the entire retention period
. BUT, once that period is over, the data should be destroyed immediately to mitigate risk. Once destroyed, the storage that was occupied by that data could then be recovered and reused.
5. I'm almost positive though that some companies have tons of "garbage" data being stored and are backing it up nightly. Wouldn't it be nice to be able to weed all that data expenses? In other words, unless your selling iPODS, all the MP3 files should go. The rest of your comments I agree with. The owner of the data should always be notified prior to destruction of data so it can be reviewed.
6. EVERY organization is not bound by regulatory requirements therefore, decisions related to storage of data needs to be taken in context to what the business does for a living. A company that manufactures paint does not need to follow the same rules as a brokerage firm.
7. Yup, I agree. That's why it's the HARD part.
Editor's note: Do you agree with this expert's response? If you have more to share, post it in one of our
This was first published in February 2004