Slack data retention policy

1. Introduction

This policy outlines how long we retain data within Slack at the University of York, taking into account Data Subject rights and compliance risks, operational and record keeping needs and Slack’s expanding functionality. 

It has been developed by IT Services, the Records Management and Information Governance teams and signed off by the University’s Information Security Board.

This policy sets out to:

  • reduce the impact and risks of e-discovery - a form of digital investigation that attempts to find evidence in digital data. 
    • Examples include Freedom of Information (FoI) requests and Subject Access requests (SAR). 
    • By controlling the length of time we store data in Slack, we can be sure we understand what remains accessible for discovery when needed.
  • limit the damages associated with a potential data breach or cybersecurity incident.
  • reduce our digital carbon footprint.

2. Policy

This policy applies to all data within the University of York Slack Grid.

2.1 Messages in public and private channels

By default:

  • Messages in public channels will be retained within Slack for three years from the date they are sent
  • Messages in private channels will be retained within Slack for three years from the date they are sent
  • Messages in archived channels will be retained within Slack for three years from the date they are sent

Three years has been agreed as the default setting in order to cover annual business cycles, keep short-medium term information on recurring issues or shared information available and to support ongoing projects and collaboration that are medium-long term.  

Due to the breadth of use of Slack, some members may need to keep data for a shorter or longer amount of time. To give flexibility, all members can override the default message retention settings on private channels they are members of. Changes to channel policies will be visible in our Slack audit logs and a notification message will be sent in the channel within Slack.

We only recommend making a change if there's a strong business need and agreement from channel members because messages will be permanently deleted up until the point of the overridden policy date, which means other people may unexpectedly lose data if the notification in channel is missed.

Workspace Owners have permission to override the default message retention settings on public channels created in their workspace, but this should only be done where there’s a strong business need.

2.2 Direct messages

  • By default messages in direct messages (DMs) will be retained within Slack for 18 months from the date they are sent

18 months has been agreed as the default setting for direct messages as the content in these conversations is more transitory and casual in nature than that of a project or team channel. Members are encouraged to have conversations relating to work in private or public channels.

Due to the breadth of use of Slack, some members may need to keep data for a shorter or longer amount of time. To give flexibility, all members can override the default message retention settings on DMs. Changes to DM policies will be visible in our Slack audit logs and a notification message will be sent in the channel within Slack.

We only recommend making a change if there's a strong business need and agreement from all members because:

  • a direct message can only have one retention policy at a time - members cannot set two different policies on the DM
  • the last person to set a policy will override any previous policies set on the direct message for both members. For example, if person A sets the policy to six months, the messages in that direct message will be removed for both members for that time scale
  • messages will be permanently deleted up until the point of the overridden policy date, which means you or the other member may unexpectedly lose data if the notification in channel is missed

2.3 Editing and deleting messages

Members have permission to edit their messages for up to 30 minutes from the time they were sent.

Org Owners and Workspace Admins have permission to delete messages. Messages should only be deleted in exceptional circumstances such as confidential information being shared in a public channel.

2.4 Files

By default uploaded files will be retained within Slack for three years from the time they are uploaded. No override option is available.

2.5 Canvases

By default canvas content will be retained within Slack for three years from the date of the last edit. No override option is available.

2.6 Lists

By default lists content will be retained within Slack for three years from the date of the last edit. No override option is available.

3. Responsibilities

All members of staff that use Slack are responsible for:

3.1 Channel management

  • Create channels with appropriate permissions based on the content, eg public vs private (Public vs private channels)
  • Assign one or more channel managers to oversee the channel’s content and activity
  • Archive channels when they are no longer needed to maintain workspace efficiency

Channel management guide

3.2 Data sharing and management

  • Share personal data only with relevant colleagues and only in private channels or direct messages when absolutely necessary
  • Never share sensitive information such as passwords or bank details within Slack
  • If sensitive information (eg passwords) is shared by mistake, immediately update the password and notify relevant parties if needed

3.3 Storing and documenting information

  • Understand how data is stored in Slack as outlined in this policy
  • Remove any critical information from Slack that may need to be retained long-term and store it in accessible locations such as a shared Google Drive, Wiki, or other approved documentation tools
  • Ensure formal business decisions, including project or HR-related information, are documented with the appropriate teams or systems outside of Slack