Don't ask IT workers to determine what gets kept and for how long; their job is to make sure data is safe in case disaster strikes. If you've been to as many compliance meetings as I have, you've likely heard managers refer to the IT department's backup strategy as their department's solution for meeting the company's record retention policy.
Backup might appear to be an easy way out with regards to records retention, but is it the right answer?
If backups are the universal solution to records retention, that means an awful lot of responsibility gets shifted to IT. Not the responsibility to actually do the backup—that's a given. Or, at least, it should be. Rather, you're now asking IT to take on the burden of knowing the content of every file and every e-mail message on a backup tape, determining how long content like that should be kept and taking appropriate action when the retention period is up.
But given that it would be impossible for IT to make these determinations, the "safest" (and simplest) thing for IT to do is to save backups forever. Obviously this isn't workable, nor is it something your legal department would stand for. (You can almost sense the collective panic as the implication of "save forever" sets in.)
An important part of this discussion is in how you define the purpose of backup. Is it a retention mechanism or a recovery mechanism? Generally, backup has always been a data safety net meant to protect against hardware failure, accidental deletion or other mishaps.
But over time, that function has kind of overlapped the need for retention. Take it back a step and the question becomes, What is IT's role regarding the data?
HP rolled out a lower-cost version of its best-selling Fibre Channel SAN (storage area network) disk array that it says can be installed and run by IT-savvy employees who aren't storage experts. Click here for the story.
In my view, IT is the custodian of the data, responsible for keeping it safe; hence the need for proper backups. But it is the users who are the owners of the data. In a way, it's like your bank's relationship with your money: You decide what to do with it, and the bank pledges to keep it safe for you.
So if IT has the responsibility for the recovery, who has responsibility for the retention? It's not IT, it's the users. If there are files, e-mails or database records that have to be kept for a certain length of time, who better than the user to identify them? If it's time to remove data, users should be the ones to make that call (not too different from the periodic purges done of paper-based file cabinets). Does it really matter if the backup tapes are kept for six months or six years if antiquated data is online forever?
NetApp's new StoreVault S550 storage appliance has increased storage and supports drives hefty enough to allow for server virtualization support. Click here to read more.
So, where do you start? As a general rule, your legal department is a good place to begin. They know the regulatory requirements and the issues. Next, meet with users and explain to them the distinction between recovery and retention and what role the IT department is playing. You need a simple written policy that you can give to users and to the auditors when they make their rounds.
Data is the most valuable asset that IT is responsible for, but it is a responsibility that can't be borne by IT alone.
Brian D. Jaffe is an IT director in New York and co-author of The IT Manager's Handbook: Getting Your New Job Done. He can be reached at brian@red55.com.
/ 16 
