Hardly a day goes by without some email, text message or document, found or lost, hitting the front pages and rocking the foundations of some of our largest institutions, government and the media.
Knowing what to keep is critical for an organisation’s compliance, business continuity and reputation, but do you sometimes wonder what is lurking on your backups?
What follows is a rough guide to one of these potentially unmapped territories in your information landscape – the backups created and maintained for business continuity and disaster and crisis management.
In a recent survey of IT security staff, 82% were reviewing their processes and systems for controlling information risks because of recent headlines, including WikiLeaks. However, only 18% of respondents said that they knew the exact number of sensitive files they had, and just 39% could say for sure where those files were located on their servers. Even more surprising, 65% of those polled said that they were unsure who has access to these sensitive files. How does this affect records managers? Linking the organisation’s information asset register to the configuration management database can provide better control for both IT and records management staff.
As an information and records manager, are you already involved in identifying and evaluating the risks for your organisation’s backup systems? If not, approach your IT Security Officer (ITSO) or Information Assurance colleagues and offer your expertise in the area of knowing what to keep, where the organisation’s valuable records are stored, how long they need to be retained for and whether they are destroyed or transferred when no longer needed by the business. The National Archives’ ‘What to Keep’ guidance can help with this.
Know the language
There can be some confusion between backups and IT archives. Before discussing the backups with your IT colleagues, be sure that everyone is talking the same language.
- Backups (sometimes referred to as storage backups or backup storage) are duplicate copies of information, applications, operating systems that are used to restore entire systems or parts of business processes where there has been a business continuity type of failure. Backups can be to tape or disk – and sometimes to both!
Not to be confused with….
- Archives (in this context) are IT systems where old data or data not used for everyday business processes are kept, most likely for record-keeping purposes, but essentially to reduce the cost of storage. Email archiving systems are a typical of this type of system. Not to be confused with records management archives.
Sometimes these backups and archives use the same software and media (but different business processes to manage them) and may even hold the same data. Ask your IT team how it works in your organisation.
Although it is clear that backups are copies of records, and therefore shouldn’t be listed on records management retention schedules, legally, the copies held on them have been used in courts and tribunals. The Information Commissioner provides advice on if data held on backups are considered ‘information held’ in their Awareness Guidance Number 8.
There are some things you can do now to contribute to the protection of your organisation and its records
- Restoration – find out if there is a policy (or it may be a service desk procedure) for restoring data that is accidentally destroyed by business users or IT staff working with systems. Keep in mind that not all restore activities are from backups. If it doesn’t already, suggest that the restore policy or procedure is auditable and robust – owned and reviewed by either Information Asset Owners or, if appropriate, the SIRO – and identified as a record. Try to include a metadata section in the policy making it clear that metadata is not to be changed during the restoration of any lost data or documents
- Destruction – get involved in the business continuity and disaster recovery planning for the organisation and find out from your IT infrastructure team or manager how the backup storage routines currently in practice support those business continuity needs. Ask what their backup retention policy is and how destruction is being carried out. Where is the evidence of this destruction kept? The cycle of backups and destruction should be mapped against record retention and disposition to help identify the likelihood of records being found on backups that have been destroyed by the business.
- Manage risk – update the risk register with the risks of being directed to search backup storage media for corporate records as a result of e-discovery or Freedom of Information Act and Subject Access requests. Include the costs and resource implications and assess the likelihood of data being available on the backups. Although some Information Tribunals (e.g. Keillery v IC & University of East Anglia) have insisted that organisations search their backups to find documents that have been deleted from enterprise record-keeping systems, knowing the costs that will be incurred and the likelihood of discovery can save the business time and money. Keep the risk entries updated when new backup routines and destruction policies are adopted or changed. Another consideration is machinery of government changes and the risk of holding records in backups if part of the organisation is moved onto another IT system. Although this won’t make any change to business continuity that backups support, it may determine the way they are indexed or created in the first place
- Advice and guidance – keep in touch with new or changing advice provided by the Information Commissioner about the status of backups as information ‘considered held’. And please, share any ideas you might have!