Coming late to this, but ...

On Mon, 19 Sep 2016 17:48:20 +0200, Willy-Bas Loos <willybas@xxxxxxxxx> wrote:

>The use case of legal disputes being fought with our data as evidence and
>digging up the exact data from a certain point of time never occurred in
>those 10 years, and it is unlikely that it ever will.
>But it might, if anyone could reasonably expect this to be possible.
>
> :
>
>My question to you all is:
>* Is the legal thing actually something one could expect of us?
>* Is the security thing really a good practice?
>* Is this a common use case that is normally solved with standard
>components?

I am not a lawyer.

You don't say where you are specifically, but in the US, there is a legal notion that changes/deletions done in the "normal course of business" generally are permitted. That is, e.g., if once a month you routinely purge records older than 3 years, then you can't be expected to produce records from 4 years ago. But you have to prove to the court that this is normal for your business: e.g., show documentation of your record keeping procedures.

The problem comes when you do get notice of a legal action. From that moment forward you must preserve any data that might be relevant to the case ... including any new data that is created ... in the event that it ever is subpoenaed by the court. This can become a major issue when you realize that a court case may drag on for many years, and you may not know exactly what data has to be preserved. Lawyers often go on "fishing expeditions", asking for data in many different ways [by different keywords, etc.], hoping to find something by comparing the results.

Journaling solves the retention problem and may provide other nice features like an audit trail of who made the changes. Of course, journaling may take a lot of extra space unless it stores only deltas.

Many locales have similar requirements for data preservation in the face of a legal action. You need to find out what is expected where you are.
I'd have to advise that you talk to your lawyers rather than ask here.

At least in the US, the "normal course of business" applies to archive data as well as to live data, so you may be able to limit how long you need to keep the journals.

Hope this ... doesn't further confuse.
George