revisiting email retention

I have an archive copy of just about every email I’ve sent or received since about 1996, and certainly haven’t deleted an email since 1998 – not even the spam.  Many people know this – and many colleagues do something similar.

I suppose I have two reasons for doing this:

  • trawling the archives is occasionally useful (for finding information, or confirming what someone said, or being reminded what I said); because just about all of my work is eventually mediated (in and out) by email, the mailbox archive plays the role of a professional journal.
  • the process of filing and deciding what to retain and what to delete is insanely time-consuming, and easily costs more than the now insanely cheap cost of disc storage and associated backups.
This approach actually extends beyond email – I haven’t really deleted a file in a decade or so.

But two recent conversations/talks have made me want to revisit this.  One was explaining this policy to a barrister (who had been complaining of the time-consuming nature of email filing): he was horrified and suggested that he couldn’t possibly retain his clients’ confidential messages longer than necessary.  Another was a talk from the Deputy Information Commissioner – who said that their office was increasingly concerned with issues of retention, since the Data Protection Act places a requirement on relevant parties to retain information no longer than is necessary.

Much of the email I handle is only marginally/arguably within scope of the DPA – it has email addresses on it, but is in no sense personal.  Some, however, is of a much more sensitive nature – whether formally covered by the DPA or not.  Such ambiguity is a non-trivial matter: some have argued that committee minutes listing me as in attendance are themselves personal information, for example.  But if I filed a subject access request against the University, I wouldn’t really expect it to disclose to me every email with my name in, from every system managed by the University.  This is, then, a grey area.

An earlier blog post considered this point from a corporate liability perspective.  The risks and costs associated with retention are – independently of the Data Protection Act – much higher than they appear in my second bullet point above.  The issue of compliance remains a complex one – I think that have a contractual duty to comply with the University’s Data Protection Policy, but the way that this pertains to email (or other miscellaneous items of filing) is not really well-explored.  A detailed policy would be useful to have – but I wonder how it would be enforced (and whether it would necessarily move all emails into the scope of lawful disclosures on demand).

So, legal grey areas notwithstanding, I’m reluctantly starting to conclude that I should in fact adopt an aggressive policy of purging email daily. Or perhaps to install my own purging script, for, say, all unflagged email of more than six months old.  My 15-year-old archive may be a different matter, but at least I can turn over a new leaf now.  The implications of this switch for my every-day work, however, would truly scare me, however.

Does anyone else feel my pain?

Comments are closed.