Retrieved from ISED-L list-serv 5/08, CC3.0 a, s-a, nc license
Jason Johnson wrote an article for the AASL magazine Knowledge Quest (Nov/Dec 2007) on this subject titled "Know When to Hold 'em". It is not available on-line but your school librarian probably has a copy.
Basically: 1. Not all email is created equal. Every school will have unique data retention requirements. For example: If you have financed new construction through a bond, you may have document retention requirements (including email) specifically related to certain financial requirements. Some states have passed laws that require retention of emails by administrators but not by teachers. Any service your school nurse or doctor charges for has HIPAA retention requirements. Your retention policy for these documents may simply be to print them out. It does not have to be a purely technical solution. In any case, they tend to be a small number of emails and should not set the bar for your entire system. 2. Lawyers will generally tell you to delete as much as you can, as quickly as possible. Most of us want to hang on for historical purposes, to compile historical trends, and archives can be a great source of school information in the future. Your school has to find the balance. Deleting everything as quickly as possible reduces the chance of lawsuits based on a "culture" (typically discriminatory or sexual harassment). However, if you don't have a large endowment or other assets that be targeted by legal action, it is less likely that you will face that kind of legal action. 3. Keep your policy simple and automate as much as possible so you can be sure it is followed. When you receive a warrant or are sued, any deviation from your policy can look bad and potentially cause other legal issues. I recommend reading this before the police arrive and keep a copy of it with your retention policy. http://www.ala.org/ala/oif/ifissues/confidentiality.cfm 4. Make sure your policy considers all infrastructure. If you require email to be retained 6 months or less, but you keep your email systems backups for a year, then your backups are violating your retention policy. Also make sure the policy accounts for the firewall logs, spam filter cache, and the other infrastructure that retains copies of messages and behavior on the network.