

Ask HN: Need a policy on log retention. Suggestions? - rubyrescue


======
kurt_
> What to keep and for how long?

Try to make the data anonymous when possible (remove from the log file all
potential personal data not needed by your data process). If usernames are
kept and can contain personal data, and you don't need that data, remove them
from the log file.

Log only valuable data you need and only for the amount of time you need them.

> Is there any guideline here?

In Europe, you have the obligation to retain all information needed to
identify the owner of an online publication.

"This Directive aims to harmonise Member States’ provisions concerning the
obligations of the providers of publicly available electronic communications
services or of public communications networks with respect to the retention of
certain data which are generated or processed by them, in order to ensure that
the data are available for the purpose of the investigation, detection and
prosecution of serious crime, as defined by each Member State in its national
law." - Directive 2006/24/EC - <http://bit.ly/HxZcW>

If you are based in Europe, you must refer to your national law for more
information.

------
rdl
I'd just copy the policy from whoever your nearest comparable is. It is fairly
specific to your application and needs.

Probably the best thing is to find comparable companies, take their policies,
and then go to your lawyers with that info and see what they suggest.

~~~
jacques_chester
> _I'd just copy the policy from whoever your nearest comparable is. It is
> fairly specific to your application and needs._

While bearing in mind that legal documents are often copyrightable and you may
need your own to be independently drafted.

------
rubyrescue
My company has built a social networking app that is growing very, very
quickly. We have a LOT of data. We're trying to figure out what makes sense to
keep - 30 days? 90 days? This is a mostly-anonymous social network so the idea
of anonymity is important. Would less than 30 days be OK? Is there a legal
guideline here? (I can't find one) In the absence of a legal framework, what are
best practices?

I say idea of anonymity because we don't prevent you from using personally
identifiable information - but you're free to make up a username (or change it
later) and the app doesn't show your exact location, IP address, guid, etc.

~~~
dfc
_"I say idea of anonymity because we don't prevent you from using personally
identifiable information - but you're free to make up a username (or change it
later) and the app doesn't show your exact location, IP address, guid, etc."_

I think you should change any mention of anonymity to pseudonymity in order to
eliminate any misconceptions.

~~~
rubyrescue
it's never referred to as anonymity. in fact it's the opposite - it's "meet
people".

------
dfc
The first thing you need to do is identify any legislative/regulatory
requirements.

If you are unsure about your industry/jurisdiction maybe update the question
with your relevant info.

~~~
rubyrescue
thanks. researched and can't find any in either category.

------
paulsutter
We aren't lawyers and you need to talk with one.

~~~
rubyrescue
agreed. except that a) we have lawyers, b) i'm not asking for legal advice,
just best practices.

