File Management, Backup and Recovery
This document defines:
- the responsibilities for file management for users of the University’s central IT services
- the processes and mechanisms employed on the central IT systems to safeguard data from accidental loss or system failure.
This document relates only to services provided by PLN; however, it is expected that equivalent practices are in place for locally managed IT facilities.
2: File Management Responsibilities
Users are responsible for the management, retention and safe storage of their files. It is recommended that all files are stored on a centrally managed facility such as a personal file-store (M drive) or a shared area (e.g. JT2), which are backed up daily, rather than on local PC drives (e.g. the D drive), unless local backup arrangements are in place.
PLN undertake nightly backups of all centrally managed systems for the purposes of system recovery in the event of a hardware failure or other disaster, but not (in general) for the recovery of files which have been deleted on some past occasion.
Users must ensure that files they require, or might require at some future time, are not deleted but are retained on appropriate on-line storage, unless explicit archival arrangements have been made with PLN for their long-term, off-line retention. Users must not, and cannot, assume that a file deleted at some time in the past can be recovered at an arbitrary point in the future from a PLN backup.
3: Recovery of Accidentally Deleted Files
PLN provide facilities for the recovery of files which have recently been accidentally deleted. Where possible, user-invoked file recovery mechanisms are provided as a function of the system or application used to access the file. Where no such in-built recovery mechanism is available, PLN provide file recovery from recent backup tapes. These mechanisms usually enable deleted files to be recovered, but this cannot be guaranteed.
3.1: Systems with In-Built File Recovery
Examples of systems with in-built file recovery mechanisms available to users include:
- Emails can be recovered via the “Recover Deleted Items” facility in Outlook for up to 14 days after deletion.
- SharePoint files can be recovered from the SharePoint Recycle Bin for up to 30 days after deletion.
Where adequate in-built file recovery mechanisms are available to users, PLN does not provide a “recovery from backup” service.
3.2: Systems without in-built file recovery
Examples of systems which do not provide a mechanism for users to recover accidentally deleted files include:
- Personal file-stores (M drives)
- Shared areas (JT2)
For such systems, recently deleted files can usually be recovered from backup tapes by PLN; however, the likelihood of recovering a deleted file depends on a number of factors (such as how long the file existed, how long ago it was deleted, and the tape backup and retention cycle) and is therefore difficult to predict.
4: Database Recovery
Database backups (for Oracle and SQL Server systems) are taken for the purposes of system recovery and for the recovery of tables which have recently been accidentally deleted by the custodian. Recovery of data at the row or cell level is explicitly not provided. Generally, a database can be recovered up to the last completed transaction by restoring the last backup and applying the subsequent transaction logs; this depends on the transaction logs written since that backup being intact and available, so the database must be run in a logging mode that retains them (the full recovery model on SQL Server, ARCHIVELOG mode on Oracle).
5: Off-line File Retention
Staff who require long-term off-line retention of files should contact PLN before removing these items from on-line storage. A special backup to a suitable medium (CD or DVD where possible) will be undertaken, with one copy given to the user and a second copy retained by PLN.
6: Files belonging to University Leavers
Technically, a student leaves the University on the completion date of their programme. However, to provide some leeway, student login accounts (and associated personal files and emails) are retained and remain active for approximately 90 days from the programme completion date, after which they are deleted. Advance warning of the pending termination of the account is given by email.
Staff computer login accounts are disabled from their employment termination date. Personal files and emails belonging to someone who has left the University are deleted within a week of their leaving date.
The computer login accounts of associates of the University are disabled on notification from their sponsor that access is to be discontinued. Personal files and emails are then deleted within a week of their disassociation.
It is the responsibility of staff, student or associate leavers to ensure they copy personal files they wish to retain to CD or other suitable media before their computer account is terminated.
Personal files and email remain the personal property of the leaver. Line managers or research groups must ensure that the leaver transfers any files relevant to continuing LJMU activities from their personal storage or email folders to an appropriate area before the termination of their employment.
All files contained in personal file-store areas and all emails in personal email accounts are treated as private and confidential to the individual. However, in the following exceptional circumstances, files and emails pertaining to University-related business may be accessed if the owner is:
- unexpectedly unavailable and access is required for operational reasons
- unable to undertake normal operational activities themselves
- in dispute with the University and refuses legitimate access requests
- the subject of a disciplinary investigation
Access will be mediated to protect the owner’s privacy: the line manager will define the required subject matter, and only those emails and files matching those criteria will be extracted.
8: Retention of Backups
Backups taken for the purposes of system recovery, and to enable the recovery of recently and accidentally deleted files or tables, are retained only for the period deemed necessary to support these functions; beyond this point the backup areas / tapes are recycled. Such backups are not retained for longer periods for the following reasons:
- The Data Protection Act (DPA) requires that data which is no longer required must be destroyed. Under the DPA, a data subject can request that any information held about them is disclosed. When a file is deliberately deleted, the user is effectively declaring that the data therein is no longer required; however, long-term retention of this file on a backup tape means that the data is in fact still being held and is therefore subject to disclosure under the DPA.
- For some systems (Exchange in particular) recovery of individual files from a backup is extremely onerous. In some cases this requires that the entire environment for that system, as it existed at the time of the backup, is reconstructed in an isolated environment in order to restore the dataset in which the file exists. Where a police or court search warrant requires disclosure of any information relating to an individual, every backup dataset which might contain such information would have to be restored; undertaking such a task would be extremely labour intensive and technically difficult.
- The length of time a deleted file is present on a backup tape can be very short and depends on the length of time it existed; the likelihood of a deleted file being present on a backup tape decreases significantly over time. The long-term retention of backups for the potential recovery of deleted files is therefore of very limited real value.
In general, the backup technologies used for system recovery purposes are not appropriate for the arbitrary recovery of deleted files or the historic reconstruction of content as it existed at a particular point in time. For such purposes, system specific data archiving technologies are required. The University has determined that this is not a business requirement.
9: General Policy
Unless otherwise explicitly defined for a particular system:
- Backups are taken for the purpose of overall system recovery but not, in general, for the purpose of individual file recovery.
- Recovery services for recently deleted files are provided, but the ability to recover such files is not guaranteed.
- Backup tapes are only retained for the period necessary to facilitate the above.