Tag Archives: blind sweeper

Deletion and the blind sweeper

This post is part of my research on highly-evolvable enterprise architectures.  It is licensed under the Creative Commons Attribution-ShareAlike 3.0 license.  I am indebted to Jay Dvivedi for sharing with me the ideas developed here.  All errors are my own.

One challenge in designing enterprise systems is how to think about the deletion of records.  I discussed the issue with Jay yesterday, and he had several suggestions.

First, to prevent fraud, sabotage and accidents, the ability to delete records should restricted to a very small group of senior personnel or forbidden entirely.  When a person attempts to delete a record, the system should required approval from another person.

Second, the system must be designed to cleanse itself of unneeded records that contain potentially damaging confidential information.  These situations occur frequently in service industries where companies handle confidential information belonging to their customers.  For example, a bank or health insurance firm handles personal information about customers, and a management consulting firm handles confidential information belonging to client companies.  Such information must be destroyed when it is no longer needed.

The system should function much like a blind sweeper that cleans conference rooms after meetings end and the participants have left.  The sweeper cannot access the content of any forgotten or abandoned papers, so he simply burns them all.  Such a system must keep track of who needs the information.  Each of these people can be thought of as a person in the conference room.  Only when all the people have left can the blind sweeper enter and destroy the information in the room.  To ensure consistency, destruction of information should occur in two phases.  First, the information to be destroyed is isolated.  Then, when all information to be destroyed has been accounted for, the destruction should take place.

The blind sweeper approach is similar to garbage collection in software, where references to a piece of information lock it in place.  When there are no references to a piece of information, the system deletes it.