How very peculiar. Most recently almost every bioinformatics project I have
been involved with has a requirement to destroy evidence, electronic and other,
as a legal requirement.
Some prior work that comes to mind was a result of the UK POFA 2012 act
http://www.legislation.gov.uk/ukpga/2012/9/contents/enacted ;
<http://www.legislation.gov.uk/ukpga/2012/9/contents/enacted> that I undertook
for a large UK forensic services provider. Here the project objective was to
break all traceable links between the determined DNA profile and an unconvicted
donor, for all physical samples held (buccal swabs etc), and all electronic
records including backups of electronic records and audit trails, as a legal
requirement.
Given the extensive costs to undertake this work, after reading this thread I
am convinced it has worked out cheaper for them over retaining all versions of
the data, and access to it, in a working system for, and I paraphrase,
perpetuity.
~
Mike
Woodward Informatics Ltd, http://www.strychnine.co.uk ;
<http://www.strychnine.co.uk/>
On 3 May 2017, at 13:58, Thomas Roach <troach@xxxxxxxxx> wrote:
I've also seen the opposite. They want to keep data for analysis and legal
wants to remove data after the law says they no longer need to keep it -
worried about freedom of information requests etc. or if there was a subpoena
and having to get the data if they still have it which created a burden as
they see it. I guess it's very subjective and dependent on the legal
professionals view point.
Sent from my iPhone
On May 3, 2017, at 7:50 AM, Niall Litchfield <niall.litchfield@xxxxxxxxx
<mailto:niall.litchfield@xxxxxxxxx>> wrote:
I think some interesting conversations with the Lawyers about the tension
between "can't destroy evidence so must keep everything" and the GDPR rights
to erasure (especially where PII data is no longer required for the purpose
for which it was collected) will be forthcoming over the next few years.
On Wed, May 3, 2017 at 12:31 PM, Schneider <schneider@xxxxxxxxxxxxxx
<mailto:schneider@xxxxxxxxxxxxxx>> wrote:
This has been a really interesting thread.
Now, I'm curious: what if you were running your application on Amazon RDS
Aurora? How would you deal with this situation where legal requires you to
retain an image of today's data in its "native" state for 6 years?
-Jeremy
P.S. A quick google search turned up one related article here
https://www.ediscoverylaw.com/2017/02/court-grants-motion-to-compel-reproduction-in-requested-format/
<https://www.ediscoverylaw.com/2017/02/court-grants-motion-to-compel-reproduction-in-requested-format/>
On Mon, May 1, 2017 at 2:24 PM, Dimensional DBA <dimensional.dba@xxxxxxxxxxx
<mailto:dimensional.dba@xxxxxxxxxxx>> wrote:
I have a worked at a few companies that has mothballed complete systems
including SW as you don’t know if even the hardware will run the software
any more depending on the OS you are running (AIX, HPUX, etc)
This has been a standard problem since the Dec 2007 Supreme court ruling on
evidence being available in its native electronic form.
If your company isn’t using one of the email programs that duplicate all
email or haven’t turned on MRM in MS Exchange then you may already be in
violation of
“They insist we keep every version of every email because deleting any is
considered “destroying evidence”. “
Compliance is fairly straight forward from a database perspective in you
ensuring you have backups and that you test the backups. Everything else
falls in someone else’s area of concern such as the backup team, the email
team and the legal team in reviewing processes to meet current to data
compliance rules that morph over time based on ongoing court cases.
Saving the VM images may be problematic also as the versions of the VMWare
ops center moves upward not always being fully backwards compatible older
images. Keeping a copy running can be problematic if something goes wrong
and you have to rebuild and don’t have all the components to do so.
Normally there is no legal requirement to keep it online, that part is
probably from your legal team, but in reality when you get to the keeping of
all versions of the backups, you are not keeping a live version of the
system at each backup point online only the last running version of the
system.
You can always take that last running backup of the system and continue to
upgrade the database SW and the OS, so that you don’t have worry about age
out, but that doesn’t help you with
In some cases this is not a technical problem anymore. I have seen legal
teams use programs to save off the email into single file pdf format instead
of maintaining them in the original Email systems.
From: oracle-l-bounce@xxxxxxxxxxxxx <mailto:oracle-l-bounce@xxxxxxxxxxxxx>
[mailto:oracle-l-bounce@xxxxxxxxxxxxx ;
<mailto:oracle-l-bounce@xxxxxxxxxxxxx>] On Behalf Of Scott Canaan
Sent: Monday, May 1, 2017 6:27 AM
True, but that’s not my call.
From: oracle-l-bounce@xxxxxxxxxxxxx <mailto:oracle-l-bounce@xxxxxxxxxxxxx>
[mailto:oracle-l-bounce@xxxxxxxxxxxxx ;
<mailto:oracle-l-bounce@xxxxxxxxxxxxx>] On Behalf Of Reen, Elizabeth
Sent: Monday, May 01, 2017 9:24 AM
This is where calculating the cost of fighting it vs settling
comes in. Sometimes settling is cheaper.
Liz
From: Scott Canaan [mailto:srcdco@xxxxxxx ;<mailto:srcdco@xxxxxxx>]
Sent: Monday, May 01, 2017 9:19 AM
There is no pushing back on the lawyers. They insist we keep every version
of every email because deleting any is considered “destroying evidence”.
They (and the courts) don’t care about cost or technical issues. When they
want the data, we have to supply it or get fined and, most likely, lose
whatever case is against us. In this case the data being saved is the
timekeeping system for hourly employees.
From: Reen, Elizabeth [mailto:elizabeth.reen@xxxxxxxx ;
<mailto:elizabeth.reen@xxxxxxxx>]
Sent: Monday, May 01, 2017 9:16 AM
Agreed, wish I had that option 10 years ago. Push back on the lawyers. Do
they really need all of the backups or will a couple suffice. They tend to
be very conservative about preserving evidence.
Liz
From: Scott Canaan [mailto:srcdco@xxxxxxx ;<mailto:srcdco@xxxxxxx>]
Sent: Monday, May 01, 2017 8:59 AM
This was one of the first things we thought of, however there are 28 backups
to keep running (4 databases x 7 days each), which becomes unwieldly very
quickly.
What we are looking at doing is putting all 4 databases into one VM, then
taking a VM snapshot of the entire environment, which gets us down to 7
snapshots to save and that way the O/S and Oracle software are also
preserved with the databases. That’s what I’ve gathered from the responses
here is the best way to go.
From: Reen, Elizabeth [mailto:elizabeth.reen@xxxxxxxx ;
<mailto:elizabeth.reen@xxxxxxxx>]
Sent: Friday, April 28, 2017 4:29 PM
What I have ended up doing is just keeping the copy on a
database, upgrading and patching as needed. Expensive, yes. Data always
available, yes. What you have to lose if you lose the case should dictate
how you keep the data.
Liz
From: oracle-l-bounce@xxxxxxxxxxxxx <mailto:oracle-l-bounce@xxxxxxxxxxxxx>
[mailto:oracle-l-bounce@xxxxxxxxxxxxx ;
<mailto:oracle-l-bounce@xxxxxxxxxxxxx>] On Behalf Of Scott Canaan
Sent: Thursday, April 27, 2017 1:16 PM
To: oracle-l@xxxxxxxxxxxxx <mailto:oracle-l@xxxxxxxxxxxxx>
Subject: Database Retention Question
We are trying to find a workable solution to a rather large problem. One
system has an Oracle database in Red Hat 6 and Oracle 11.2.0.4. Last
August, there was a legal request to freeze 28 different backups of this
database. That was done by the systems team, via CommVault (using RMAN).
By asking more questions, it has come to light that any and / or all of
those backups need to be quickly accessible as Oracle databases until Aug.
31, 2023. When I mentioned to our legal department that there’s no way that
I can guarantee that whatever version of Oracle we’ll be using in 5, 6, 7
years will be able to even open the database files, the response was “you
have to guarantee that the data is available if required in a lawsuit. No
excuses are accepted by the courts.”.
We’ve toyed with a couple of possible options. One is to keep a Red Hat 6 /
Oracle 11.2.0.4 environment running until Sept. 1, 2023, which the SAs hate
(not to mention the Security Office). Another is to restore from backup and
upgrade along with other database upgrades and take a new frozen backup,
which we aren’t keen on doing 28 times.
Does anyone have any other ideas on how to save these backups and guarantee
that they are usable through Aug. 31, 2023? I’d appreciate any thoughts.
Thank you,
--
http://about.me/jeremy_schneider ;<http://about.me/jeremy_schneider>
--
Niall Litchfield
Oracle DBA
http://www.orawin.info ;<http://www.orawin.info/>
