Accessibility statement

Slack data retention policy

1. Introduction

This policy outlines how long we retain data within Slack at the University of York, taking into account Data Subject rights and compliance risks, operational and record keeping needs and Slack’s expanding functionality. 

It has been developed by IT Services, the Records Management and Information Governance teams and signed off by the University’s Information Security Board.

This policy sets out to:

  • reduce the impact and risks of e-discovery - a form of digital investigation that attempts to find evidence in digital data. 
    • Examples include Freedom of Information (FoI) requests and Subject Access requests (SAR). 
    • By controlling the length of time we store data in Slack, we can be sure we understand what remains accessible for discovery when needed.
  • limit the damages associated with a potential data breach or cybersecurity incident.
  • reduce our digital carbon footprint.

2. Policy

This policy applies to all data within the University of York Slack Grid.

2.1 Messages in public and private channels

By default:

  • Messages in public channels will be retained within Slack for three years from the date they are sent
  • Messages in private channels will be retained within Slack for three years from the date they are sent
  • Messages in archived channels will be retained within Slack for three years from the date they are sent

Three years has been agreed as the default setting in order to cover annual business cycles, keep short-medium term information on recurring issues or shared information available and to support ongoing projects and collaboration that are medium-long term.  

Due to the breadth of use of Slack, some members may need to keep data for a shorter or longer amount of time. To give flexibility, all members can override the default message retention settings on private channels they are members of. Changes to channel policies will be visible in our Slack audit logs and a notification message will be sent in the channel within Slack.

We only recommend making a change if there's a strong business need and agreement from channel members because messages will be permanently deleted up until the point of the overridden policy date, which means other people may unexpectedly lose data if the notification in channel is missed.

Workspace Owners have permission to override the default message retention settings on public channels created in their workspace, but this should only be done where there’s a strong business need.

2.2 Direct messages

  • By default messages in direct messages (DMs) will be retained within Slack for 18 months from the date they are sent

18 months has been agreed as the default setting for direct messages as the content in these conversations is more transitory and casual in nature than that of a project or team channel. Members are encouraged to have conversations relating to work in private or public channels.

Due to the breadth of use of Slack, some members may need to keep data for a shorter or longer amount of time. To give flexibility, all members can override the default message retention settings on DMs. Changes to DM policies will be visible in our Slack audit logs and a notification message will be sent in the channel within Slack.

We only recommend making a change if there's a strong business need and agreement from all members because:

  • a direct message can only have one retention policy at a time - members cannot set two different policies on the DM
  • the last person to set a policy will override any previous policies set on the direct message for both members. For example, if person A sets the policy to six months, the messages in that direct message will be removed for both members for that time scale
  • messages will be permanently deleted up until the point of the overridden policy date, which means you or the other member may unexpectedly lose data if the notification in channel is missed

2.3 Editing and deleting messages

Members have permission to edit their messages for up to 30 minutes from the time they were sent.

Org Owners and Workspace Admins have permission to delete messages. Messages should only be deleted in exceptional circumstances such as confidential information being shared in a public channel.

2.4 Files By default uploaded files will be retained within Slack for three years from the time they are uploaded. No override option is available.

2.5 Canvases By default canvas content will be retained within Slack for three years from the date of the last edit. No override option is available.

2.6 Lists By default lists content will be retained within Slack for three years from the date of the last edit. No override option is available.

3. Responsibilities

3.1 All staff as Slack members are responsible for:

  • creating channels with the appropriate permissions for the content of that channel, eg public vs private
  • setting a channel manager(s) who is responsible for the channel and its content
  • archiving channels when they are no longer needed
  • ensuring that personal data is only shared with relevant colleagues in private channels or DMs when necessary to do so
    • passwords and bank details should never be shared within Slack
  • changing their password if shared by mistake in a Slack
  • removing any important information that may be needed in the future and storing and documenting it in places that are accessible to the correct people/teams such as a shared Drive in Google or the Wiki
  • ensuring formal business decisions (project decisions, HR information) are documented in the appropriate places or with the correct teams