Jul 10 2023
Digital Workspace

3 Areas to Make Your Agency’s Record Retention Practices More Efficient

Even information stored on employee-owned devices and remote communications tools must be sent to NARA when a worker leaves.

The National Archives and Records Administration (NARA) requires that all official federal documents and communications be turned over to the agency for preservation at the end of a presidential term or when an employee leaves government.

But with the increasing use of employees’ own devices, text messaging, and remote work tools such as Zoom and Webex, collecting federal documents for historical preservation has become a complicated process.

Given the numerous channels of communication these days, and the ephemeral nature of much of the resulting data — pixels and bytes are far less stable than paper — federal agencies need to take care to ensure they retain important data and can turn it over to NARA when required.

Agencies must consider three important components when planning how to collect this data, especially from employees’ own devices: policies, people and technology.

Click the banner below to learn about the benefits of hybrid cloud environments.

Using Policies to Set the Foundation of Data Retention

A data retention policy is key to preventing critical data from being accidentally or intentionally deleted. A well-written policy spells out what data must be protected, how it should be archived and for how long it must be kept.

Comprehensive policies address data on employees’ personal devices as well as content that is accessed via external sites. The policy is implemented through document lifecycle management processes that cover not only data retention but also e-discovery, compliance, data destruction or archiving, and access controls and monitoring.

In the past, it often fell to administrators or individual users to determine what should be retained. They would have to go through each email, instant message or chat message and decide on its relevance.

With NARA’s role-based approach to managing data retention, known as Capstone, federal agencies can now schedule emails and messages as permanent for transfer to the National Archives based on certain roles or positions (generally those at the top of the organizational chart). This makes managing records more efficient.

READ MORE: Why data is key to agencies’ zero-trust implementations.

The Importance of Employee Training in Agency Culture

People are, as always, a vital factor in retaining data and handing it over when they leave. Each agency must instill a culture of compliance from the very start of a person’s employment, include the retention policy in new hire onboarding and request acknowledgment that the employee understands the policy.

Periodic refresher training will keep retention top of mind. Posting the data retention schedule online and promoting it adds to employees’ ease of use, as can clear guidelines on what steps users should take to manage content.

The right tools can automatically determine what needs to be kept or help people make informed decisions. For example, the Rubrik Security Cloud, built on zero-trust architectural principles, can perform automatic data discovery based on rules to secure enterprise, cloud and Software as a Service–based data.

This tool’s Service-Level Agreement Retention Lock capability helps ensure that unauthorized people cannot change retention policies or delete archival data. Archived data is encrypted and immutable.

Source: National Archives and Records Administration, 2022-2026 Strategic Plan, March 2022

The Value of New Technology in Agency Data Retention

Technology can be invaluable to both the agency and users for protecting and retaining data from employee devices, instant messages and texts, call recordings and other relevant content.

Many agencies require employees to use government collaboration and communication tools, which can discover and archive relevant data. However, there are many occasions when users need to interact with external entities via invitations sent from commercial applications. Common collaboration tools can be configured to capture and archive relevant data.

Zoom Meeting Archiving, for example, can automatically capture meeting and breakout room data — voice, video, captions, transcripts and in-meeting chat messages — to a third-party platform. It can even capture sent, edited and deleted messages and files sent via Zoom Team Chat.

Webex for Government is an another advanced FedRAMP platform for audio- and videoconferencing that enforces data loss prevention policies along with end-to-end encryption.

DISCOVER: How the modern data platform fuels success.

Why IMs Matter When Considering Agency Data

When it comes to instant messages, many employees mistakenly think that IMs and similar forms of communication do not constitute a federal record. According to NARA, however, text messages and chat communications that are created or received in the course of agency business are likely federal records.

Department of Defense standard 5015.2-certified applications such as Cisco Unified Communications Manager Cloud can capture and manage records in any electronic format. For other IM applications, the client or server should be configured to capture messages without user intervention.

Finally, with regard to employees’ own devices, data retention policies need to spell out the rights and duties of employee and employer to preserve mobile device data. Where possible, agencies can automatically suspend auto-deletion of texts and messages. Tools such as Druva Insync provide data protection and governance across laptops, mobile devices, cloud applications and servers.

The words “trust but verify” are never more apt than when dealing with the requirement to turn over all government records and data at the end of employment.

Don’t neglect to conduct periodic audits of employees’ use of email services, chat platforms and messaging applications to make sure they are adequately capturing and preserving federal communications.

shironosov/Getty Images
Close

Learn from Your Peers

What can you glean about security from other IT pros? Check out new CDW research and insight from our experts.