Implementing the new Slack data retention policy
Posted on 23 September 2024
Following a period of consultation with staff, IT Services have finalised the data retention policy for Slack, which will be implemented in January 2025.
A data retention policy sets out how long data will be stored by an organisation before it is deleted. Implementing a policy at York will help limit the damages associated with a potential data breach or cybersecurity incident.
York’s policy has been developed by IT Services, the Records Management and Information Governance teams and signed off by the University’s Information Security Board.
Policy in summary
By default:
- messages in public and private channels will be retained for three years from the time they are sent
- messages in direct messages will be retained for 18 months from the time they are sent
- files will be retained for three years from the time they are uploaded
- Canvas and Lists data will be retained from three years from the last edit.
If you need to keep data for longer than the default settings outlined above, you must make changes before the policy comes into place in January. Read guidance on how to change retention settings, please note this should be done with caution and only when necessary for business needs.
Read the full Slack data retention policy to understand the changes in detail.
When does the policy take effect?
We have to work with Slack to set up the policy, and due to the time difference between the UK and the US we cannot give a specific date however we will be working with Slack to ensure it is in place by the end of the week commencing 13 January 2025.
What you have to do
- Read the policy and ask any questions in the #help-slack channel within Slack
- Read the responsibilities as a Slack member section on this page
- Change the retention settings of any channels where you need to keep data longer than the default settings (this must be done before the policy is enabled)
- Once the policy is implemented in January, you will be asked to agree to the University of York’s Slack term of service, which outlines the policy, next time you login to Slack
Your responsibilities as a Slack member
To align with data security best practice and the retention policy, all staff are responsible for:
- creating channels with the appropriate permissions for the content of that channel, eg public channel
- setting a channel manager(s) who is responsible for the channel and its content
- archiving channels when they are no longer needed
- ensuring that personal data is only shared with relevant colleagues in private channels or DMs when it is necessary to do so
- passwords and bank details should never be shared within Slack
- changing their password if shared by mistake in a Slack
- removing any important information that may be needed in the future and storing and documenting it in places that are accessible to the correct people/ teams such as shared Drive in Google or the Wiki
- ensuring formal business decisions (project decisions, HR information) are documented in the appropriate places or with the correct team
Where should I store information if not in Slack?
Depending on what your team uses, you may use one or several platforms for different kinds of information. Generally for guides, processes and known issues it’s best to use:
- Google shared drives and Google docs
- the University wiki
Exporting Slack data
If you want to export data ahead of the retention policy coming into effect, you will need to manually copy and paste messages into an alternative platform. This could be a Google doc within a shared Drive or the Wiki - wherever your team documents processes and decisions.
This should be limited to data that needs to be retained because it pertains to work processes eg it’s a known issue, explains a decision, includes a decision made etc.