Data retention policy for Oracle DBAs: When to "trash" your data

As disk prices fall to record lows, many corporations are retaining all of their corporate data, including all corporate correspondence, e-mails and customer queries. But is this a prudent decision? Although it worked for Larry Ellison, some experts suggest that it's a big mistake to archive every detail of your operational business processes, especially if the data have not been carefully reviewed for content. Today, many large companies are requiring complete purges of sensitive data that might be misunderstood, and they are going to great pains to have their Oracle DBAs remove all traces of this information.

During my work in Oracle forensics, I've helped many litigants resurrect evidence that has helped to punish bad guys and vanquish people who have been treated unfairly. During these forensic investigations, unscrupulous shops are shocked to discover that "smoking guns" can be uncovered years after the data has been deleted from Oracle.

But it's not just the bad guys who must trash their Oracle data. In today's litigious world, the conventional wisdom that saving all corporate data can save the day is now being challenged. In case after case, archived Oracle data is being abused by greedy plaintiffs, and the community is starting to realize that a prudent data retention policy must also include specific directions for "trashing" some Oracle data.

While data is a valuable resource, blindly archiving data can have serious financial consequences. Consider these examples:

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Oracle Database Administrator Understanding SQL string functions What is the difference between a database engineer, architect and administrator? Import on one table from dump file Error during RMAN backup Can I drop a column in SYS schema? STATSPACK tool: transaction vs. execution measurement Should I port from Microsoft Access? How can I find statistics on total memory usage and database connections? Installing multiple Oracle homes Modifying SYS password in a RAC environment Oracle database administration How to rebuild a built-in Oracle package body How to use a wrapper script with cold backups in Oracle Understanding Oracle cost-based optimizer (CBO) and rule-based optimizer (RBO) Can we use a single database update trigger for an Oracle database upgrade? How to rebuild a database to change Oracle block size The top 10 Eye on Oracle blog posts of 2008 The top advice from Oracle experts in 2008 Web 2.0 users, community and participation in the enterprise Enterprise search and links for Web 2.0 Tips for Web 2.0 success and setting Web 2.0 goals in the enterprise Oracle database administration Research Oracle database backup and recovery How to export triggers in an Oracle export command How to precreate Oracle table extents and define extent size How to trim the Oracle listener log in Unix/Linux How to avoid invalid objects in Oracle when restoring the database How to perform an Oracle 9i upgrade with the Database Upgrade Assistant How to avoid Oracle error ORA-00060 when dropping a datafile in Oracle 10g How to precreate tablespaces in Oracle before a new database import How to solve an Oracle import error How to use Transportable Tablespaces in Oracle to copy files quickly Exadata: A first look at Oracle's entry into the appliance market Oracle database backup and recovery Research

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary

What do these cases have in common? They were all Oracle shops that made fatal errors in their data retention policy. They all fell for the common misconception that because disks are cheap and Oracle can easily manage all forms of corporate data, their data should be stored forever.

The Oracle DBA as data custodian

While the intentional destruction of evidence ("spoliation") is highly illegal, it is prudent and responsible to purge data that no longer has any value to the company, especially data that might be misconstrued or used in a lawsuit.

Since employers are held responsible for the acts of their employees, management must decide between two unsavory options:

The Orwellian tactic of monitoring employees is falling from favor, so many large corporations now require that all corporate correspondence be completely and totally destroyed after a reasonable period of time.

So how does the savvy Oracle DBA manage data retention policies?

As more and more information systems are consolidating all of their operational information into Oracle databases, the Oracle DBA becomes the custodian of a wealth of varied data: everything from confidential e-mails to secret marketing plans. Since many vendor products (e.g., Oracle Collaboration Suite) now incorporate non-traditional data like spreadsheets and correspondence, the DBA must clearly understand what data is to be preserved and what data must be expunged from the archives.

Let's start by looking at the legal requirements for data archiving and understand how to comply with federal laws while eradicating unwanted information.

Legal requirements for data archiving

The Oracle DBA presides over a vast amount of corporate data and he or she must often work with corporate attorneys to ensure that their data retention policies comply with a host of federal data requirements (see Appendix A for a partial list).

These data archiving laws impose huge burdens on Oracle shops, especially laws such as HIPAA that mandate the auditing of anyone who views confidential patient data. These audits can exceed the size of the database every day, and the DBA is further challenged by laws requiring reporting. For example, an Oracle DBA in a hospital only has a few hours to sort through terabytes of HIPAA data to show everyone who has viewed a particular patient's records.

A wide variety of Oracle data must be retained and archived, including these (as specified in this article):

[TABLE]

Many of these laws impose criminal sanctions against any DBA who fails to comply, so some DBAs will simply retain everything in order to ensure compliance.

However, that's often a huge mistake. For example, a well-intentioned e-mail that states something like "Joe is in the hospital for VD treatment, in case anyone wants to send flowers" could be used as evidence for a HIPAA lawsuit for disclosing confidential medical information.

Avoiding stale data

All Oracle DBAs must be vigilant to ensure database recoverability while ensuring that sensitive or confidential data is completely obliterated. Most Oracle DBAs develop a sophisticated data retention policy that ensures recoverability, but they fail to develop policies for completely removing "stale" data.

In the article what you must have, should have, and never want to see in your company's records," we see that that all Oracle database information should be cleansed before archiving, removing all traces (including the redo logs) for any "smoking gun" data. The following information could be buried deep inside Oracle Applications or Oracle Collaboration Suite:

So how does the DBA manage these conflicting requirements? In order to be effective, the end-user community must be intimately involved in the purging of stale data from the Oracle tables, but it is up to the DBA to ensure that none of this stale data is retained inside export files, audit trails or archived redo log files.

A sample retention policy should also spell-out the specific acts to ensure the through destruction of the data. Remember, audit trails almost always contain confidential data, and the audit trail tapes should be thoroughly incinerated.

In some shops with threats of third party litigation, the corporate attorneys have developed thorough procedures for destroying Oracle data, even going as far as incinerating the archived backup tapes. They have observed that un-cataloging the archived redo log tapes is not sufficient because they could be reconstructed by an Oracle forensics expert, and an archived redo file that is sent to a "safe site" must also be completely destroyed.

Archives kept on disk also require special treatment. The disk files should be physically erased, since it's not enough to just remove the files. Here are some high-level best practices for Oracle data destruction:

In sum, the Oracle DBA has become the important custodian of critical corporate data, a job that requires attention to retention as well as destruction.

Appendix A

U.S. statutes mandating data archiving:

References

About the author

Donald K. Burleson has been a database administrator since the 1980s and manages the USA's largest remote DBA support service. He is also a popular author and serves as series editor for Rampant TechPress, a leading provider of Oracle technical books.

Rate this Tip To rate tips, you must be a member of SearchOracle.com. Register now to start rating these tips. Log in if you are already a member. Submit a Tip DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.