On Mon, 2007-04-23 at 14:26 +0100, Andy Swiffin wrote:
> >>> Rhys Smith <[log in to unmask]> 17/04/2007 12:15 >>>
> >you really shouldn't be reusing email addresses straight away for
> Data
> >Protection Purposes.
>
> Do you have a reference that you based that on that I could look up?
>
>
> (To be fair, we don't re-use straight away, there is quite a delay
> caused by the timing of the purges. But - that is about to change and
> if there are issues I want us to get it right so this is a timely
> discussion)
Andy,
Don't think there's a specific reference I can give you unfortunately.
The number we use of 2 years before reassigning email addresses is one
we decided upon ourseleves - between Information Services and Corporate
Compliance. 2 years is a good balance between it being long enough for
most external people/organisations and internal systems to forget about
it and being short enough that we don't run out of "good" email
addresses.
The problem is fairly obvious - a person joins Cardiff University, lets
call him Mr Smith (not me!). He gets a Cardiff email address, signs up
to various mailing lists. He then leaves, we reassign his email address
a month later to a student, Mr Smith (not me again!). That person then
likely receives some of the email meant for the first person, including
potentially personal information - usernames/passwords/addresses/the
fact they signed up to an extreme political party's mailing list, or
even worse! - the QVC mailing list. Plus, potentially internal things
meant only for staff members to do with exams, results, etc. Internal
systems run at "the speed of university" - no faster, no slower.
Email addresses were never designed to be instant throw-away addresses,
and persist for far longer than they should in internal and external
systems and address books - just ask our friend Ian (Young) -
a.k.a. ...seismo!mcvax!ukc!latlog!ian :-)
So I'm not sure of any official documents that mandate this, but it's
worth thinking of just to minimise the risk of any problems in the
future.
R.
--
----------------------------------------------------------------------
Rhys Smith e: [log in to unmask]
Engineering Consultant: Identity & Access Management (GPG:0xDE2F024C)
Information Services,
Cardiff University, t: +44 (0) 29 2087 0126
39-41 Park Place, Cardiff, f: +44 (0) 29 2087 4285
CF10 3BB, United Kingdom. m: +44 (0) 7968 087 821
----------------------------------------------------------------------
|