A short answer to the questions about IM logging and retention

The recent story about the Canadian government’s use of text messaging is only another example of a festering problem


text message logging and retention advice

Even with the best search tools, what kind of sadistic manager would ask an employee to pore through every “What’s up?”, every “LOL” and all the other seemingly innocuous things that get exchanged through corporate text messaging? Unfortunately, the answer is likely all managers, at some point or another.

It was just before the holidays when a recent report in the Toronto Star brought back the very real possibility that one of the fundamental channels of unified communications poses difficult questions about logging, retention and auditing of information. According to the story, Canada Revenue Agency asked Shared Services Canada to stop logging posts delivered through instant messaging or short message service (SMS) tools such as BlackBerry BBMs and deleting all previously held texts last summer.

“Since SMS and BBM messaging are non-secure, transitory methods of communication are used only for routine and nonbusiness related purposes; there is no requirement to maintain the transitory information,” a CRA spokesman told the Star.

Critics, of course, are worried that some of that information isn’t so transitory, and may provide a digital paper trail of sorts when we need to understand how decisions were made or strategies were executed. This is by no means the first time this issue has come up, of course. The Office of the Information Commissioner of Canada once even recommended banning instant messaging from the public sector entirely.

Nothing to LOL about

Of course, private sector firms face similar challenges with instant messaging, and experts have debated for years about the possible implications as e-discovery requirements for text messages become a part of civil procedure in the U.S. and elsewhere. Perhaps the best way to work through this is to think about the journey information tends to take as IT systems mature.

For example, I imagine that in the early days of e-mail, much of those messages contained transitory information too. You certainly wouldn’t send contracts or other important documents through email until it was incredibly pervasive and offered some level of security. Even phone calls could have been considered primarily a means of conveying transitory information, especially in the early days of people fearful that operators were listening in (or, more recently, the NSA wiretapping U.S. citizens).

Now think of more recent communication channels, or those still to come. Should all videoconferencing sessions be recorded, logged and available for audit? As wearable devices and the Internet of Things become mainstream, what new forms of transitory information will be exchanged, and how long before more mission-critical types of conversations start happening through them?

Policies, plus processes

The decision not to log or retain records doesn’t necessarily solve everything, either. In some cases it will have to come hand-in-hand with IT policies that mandate, in perhaps different terminology, that they only be used for less important discussions. This won’t be easy to define, and could negate the benefits of UCaaS tools that bring various forms of communication together.

CIOs can only address this the same way they should think through UCaaS in general. They will need to evaluate how existing tools are being used today, perhaps even taking a representative sample of anything that is already logged. Next, think through the business processes and workflows where the tools are meant to bring value, and determine what kind of information will flow through them that may be vital in some way. Then, it’s all about educating users, establishing a logging policy that’s appropriate to the business and legal needs, and adapt as necessary.

I suspect the information travelling via instant messaging and similar tools will become far less transitory as time goes on. What will be more transitory are the rules organizations use to manage the risks around them.
photo credit: joe bustillos via photopin cc

Comments are closed.