Last Tuesday, I had the privilege to attend an event around the topic of Email Archiving put on by the AIIM New England Chapter. Bill Tolson, Director of Product Marketing for Iron Mountain, and Brett Burney, Lawyer, Burney and Associates talked about the various reasons email archiving is important, best practices around the subject, and as you might expect, the scary realities of eDiscovery requests. There were many interesting and valuable tid-bits offered up during the presentations, but the one statement that stuck in my head was when Bill Tolson said “you have to know what to throw away!”
When we build out SharePoint to support ECM goals, we are usually focused on creating a place to put content. I have heard that there are some enlightened ones among us, who add features like retention policies and destruction dates, but that isn’t the kind of “throwing away” I am talking about today. I am thinking about the content that went into SharePoint – was it moved? Was it copied? Does it still exist? Do you know the answer? Well, if you don’t know the answer, then you need to be prepared to search. Searching leads to finding things, things that you find have to be reviewed and things that aren’t privileged need to be served up when a discover request arrives. I have only been involved in one eDiscovery request, but I learned what Brett Burney meant when he said “the answer to what has to be provided in response to a discovery request is – it depends.” Here’s one example:
Among the places we had to search for instances of three specific text strings, were the folders holding old flat-file database tables. In one folder was a table that included one of the search phrases. In a folder below that, was a collection of 10 sorted versions of that table. The sub-folder was called “TempReport” the sorted files all included ‘temp’ in the file name, and we could show that the files held records identical to those in the table, to be used for reporting. None of that mattered, we were ultimately required to convert each file into a spreadsheet, describe it in detail and provide it in response to the request.
When I migrate files from a shared folder into SharePoint, I copy them. After they arrive in SharePoint, I rename the folder structure to indicate that the files were uploaded to SharePoint, and I make the folders read-only. After a few backup cycles, once I can convince the users that I have everything and I shouldn’t be able to lose it, I delete the files from the shared folder. That process works well, but I am in charge of the whole process. What happens when individual employees move content into SharePoint? When my coworkers move email, or email attachments into SharePoint from Outlook (see previous post), do they also move the email into a folder in Outlook? Do they put the content in SharePoint and then send a link around to others, or do they move it after forwarding the email to others? Do we have these answers? Do we have a policy that will allow us to search only SharePoint for those documents? I think we do, but I know that the answer is “it depends.” It depends on the judge at the time the request is made. The only way you can know that it doesn’t depend on anything, is when you know that you threw it away. (yes, I know there are times you can’t throw things away, but I do impose an 800 word limit on myself, so…)
Those are easy examples to wrap our heads around, but they are far from the only things we need to consider. For example, in our latest SharePoint project, we are managing the production, review and disposition of engineering inspection reports. During the creation and review process, we keep minor versions. During the distribution process, we create a major version, delete the minor versions and move a PDF copy of the final version to a Records Center. That’s not just our policy; it is a process that is executed by SharePoint workflows – it is also the first time we’ve automated that process.
After Bill and Brett were done speaking at the AIIM NE event, I was talking to a few other members of the audience. The conclusion we came to is that many of us are only providing the means to proper content management. Even governance rules and strict policies can only go so far. There is no real way to prevent people from making and keeping copies of company records. Solving that problem requires changing behavior, and changing behavior requires education and communication.