Email retention policies becoming more and more necessary / By Maria Sprow
In the course of one day, a county employee may get dozens of emails, pertaining to any number of topics, events, discussions, non-discussions.
If email were paper, there are days when it seems like cyberspace must have a bigger landfill of garbage than the real world could ever possibly imagine. If all the “gone for the day” “out to lunch” “meeting’s been postponed” “read this study” “what do you think?” and “help me please” emails actually took up space, or had to be saved somewhere, oh, what a mess it would be.
Many people don’t consciously think of email as something that takes up space or needs to be filed, sorted, saved and deleted – at least, not until getting an In Box is Full error message. They delete emails according to their own preferences and habits. But when it comes to county emails – meaning any email that is sent to a county address – by law, they are not emails, but records, which should be retained and deleted according to approved records management and retention schedules based on what is inside the record and its level of importance.
There are various methods of doing this, both correctly and incorrectly, say records retention experts. Whichever method is selected, counties should have a policy for email retention, whether that policy is separate or within an acceptable email usage policy or a larger records retention policy.
Method # 1: Pack Rat
The first method of retaining emails is to simply archive all emails without deleting them. This can be set up to be done independent of an employee’s email box, meaning that even if a county employee were to follow the recommended records retention schedule and delete emails accordingly, the emails would still be archived by the county and would still be subject to public information requests and lawsuits. The downside, besides having to go through more documents when responding to the requests or a lawsuit, is that it quickly gets costly to save every email.
Mary Ann Bridges, the manager of the Records Management Assistance program at the Texas State Library and Archives Commission, said that there are 9500 governments in Texas, about 10 percent of which are choosing to retain all their email records permanently. “They do not have the authority to delete anything, at all, ever,” Bridges said, unless the government decides to change its policy. “Thousands upon thousands of email messages are retained that have met their retention period and could have been deleted, but since they are still retained, they would have to be made available for open records requests or lawsuits. you still have to search through those messages.”
Method #2: Automatic Deletion
A second method, in which employees or counties delete all emails a certain number of days after they are sent – usually 90 days – is problematic for the opposite reason; important emails that could protect the county from a lawsuit or could serve in the public’s best interest if kept could wind up prematurely deleted.
“Some agencies have an email policy that says, when your email comes in, it will be there for only 60 or 90 days and it will be automatically deleted. Th at forces the employee to make a decision about every email, whether that email is important enough to be retained,” said Sheila Fries, the records manager of the Archives and Information Services Division at the Texas State Library and Archives Commission, adding that agencies that do adhere to that type of policy also normally keep the deleted emails in the trash bin for an additional 120 days in case they need to be recovered.
Jack Lydick, the records retention manager for the Texas Association of Counties, said he does not believe local governments should use this type of policy any longer, since public information laws now specify that it’s not the format of a record that matters, it’s the content. Bridges said the TSLAC is currently re-looking at whether such a policy is acceptable, since parts of the Code of Federal Regulations have been revised. Th e commission is currently waiting for any resulting case law to play out.
“The retention times for email vary, so you can’t just assign one or two retention periods” and not expect to get hit by a lawsuit or information request, Lydick said, adding that more and more, emails are becoming a hot discovery item during the litigation process – the legal community even coined the name ediscovery for the process – as evidenced by several lawsuits involving Microsoft, one by the Department of Justice and one in which a 4-year-old email from one of the company’s vice presidents telling employees to delete emails after 30 days (contrary to the company’s official policy) came to light during a patent infringement and anti-trust case.
Bridges said many attorneys are using email as evidence in their cases and that laws have just recently caught up to the popularity of ediscovery and email in general.
“In litigation, it was basically a free for all, attorneys would ask to have all emails for ever so that they could look through all emails to find the smoking gun,” she said, adding that federal codes regarding email were most recently amended in December 2006, which means TSLAC is still determining the effects of the rule changes on local governments.
She added that ediscovery has become so complex that it is no longer acceptable to retain the email as a paper document, since information from the original email would be lost.
“Litigants can ask for information in its native format, and that’s what attorneys are latching onto,” she said. “your printout of an email is not going to give the same information that the original message in your system is going to show. It doesn’t show your blind cc’s, it doesn’t show how the forwarded message was changed, or the conversation trail, you know how it is when you forward an email to 12 people and then they respond and they respond to the responses. That’s what lawyers are looking for.”
Method # 3: Retention Software
A third option is to purchase email retention software. According to the Website Email-policy.com, most of this software works by capturing copies of email, analyzing stored emails and checking those emails for identifying information, such as keywords, attachment names and sizes and deleting relevant documents after a set period of time
But Bridges said much of the software is still not where it needs to be in order to fully support a government’s retention needs.
Lydick said retention software is mostly utilized by larger counties, though he said most counties could benefit by utilizing one of the several Microsoft Exchange add-ons that create searchable centrally-managed archives in which the program determines how long an email should be retained for.
“If you’re spending too much time out of your day looking for records, you need to have a full electronic records management system,” he said. “The longer they go without an email management program in place, the longer they are exposed to potential lawsuits and could get into trouble for not properly managing their information.”
Method #4: Educate, Educate, Educate
Finally, the fourth solution is to educate county employees on how to sort, retain and delete messages according to their importance and retention schedule, as laid out by the Texas State Library and Archives Commission. That is TSLAC’s own internal method of retaining records and emails.
The retention schedule is complicated, but basically sorts each document into one of six schedules:
• Documents/emails that must be retained “as long as administratively valuable”;
• Documents/emails that must be retained until the end of a calendar year;
• Documents/emails that must be retained according to the Code of Federal Regulations requirements;
• Documents/emails that must be retained until the end of a fiscal year;
• Documents/emails that must be retained according to Texas Administrative Code requirements; and
• Documents/emails that must be retained until they have been superseded by an updating email.
According to the schedule:
• Emails containing documents or information submitted to a governing body for consideration, approval or other action should be kept for 2 years;
• Emails regarding an employee grievance relating to personnel policies or working conditions should be kept for 2 years;
• Emails containing a complaint made by the public to a government employee, department or body should be retained for 2 years after the complaint has been resolved;
• Emails containing correspondence or internal memos regarding the development of a policy, program, service or project by the local government should be retained for 5 years;
• Emails containing correspondence or internal memos regarding routine administrative matters involved with a policy, program, service or project by the local government should be retained for 2 years; and
• Emails containing correspondence or internal memos with routine information such as requests for publications, meeting notices or event planning can be deleted as soon as they are no longer administratively significant.
So a person sorting through the faux inbox could delete the news clippings after reading them, assuming they weren’t relevant to a county project. The next five emails could also all be deleted whenever the employee stopped needing the information, as could the emails about the baby shower, the surprise birthday party, the mandatory training, and the risks of ovarian cancer.
But what about the others? Most of them should be kept either two or five years; the surest way to do that correctly is to provide employees training on the retention schedule and have them create folders to separate emails according to the schedule.
Having an email retention policy is critical to the fourth option. Bill Tolson, of SearchStorage.com, which boasts of being the Internet’s “best storage-specific information resource for enterprise IT professionals,” wrote in a column that a model email retention policy should include a section outlining responsibilities, what to do with duplicate email copies, and which person or department is responsible for making sure the policy is being followed.
“The mistake most companies make when creating an email retention policy is not involving all areas of the company in the construction/ review process,” Tolson advises. “It is important that you understand how employees use the email system. Do they create their own personal archives? How often do they reference old emails? Understanding these things will ensure you don’t put in place procedures that will adversely affect employee productivity.”
According to a model email retention policy provided by the SANS Institute, which specializes in computer security training, certification and research, the policy should have several parts:
• Purpose, which would be to “help employees determine what information sent or received by email should be retained and for how long,” according to the model policy;
• Scope, which can list the types of categories that emails can fit into, including for example, routine correspondence, administratively significant correspondence, developmentally significant correspondence and fiscal correspondence;
• Policy, which further defines the categories and gives examples of which categories different email topics would fit into;
• Enforcement, which would state the consequences for failing to comply with the policy; and
• Definitions, for any technical terms used within the policy.
Within the internal TSLAC retention policy, the various categories of email include administrative correspondence, defined as “pertaining to the formulation, planning, implementation, interpretation, modification or redefinition of the programs, services, or projects of an agency,” which must be retained for 3 years; general correspondence, defined as correspondence regarding the “routine operations of the policies, programs, services or projects of an agency,” which TSLAC employees must keep for one year; directives correspondence, defined as “any document that officially initiates, rescinds, or amends general office procedures,” which must be retained for one year after the email is no longer relevant; and transitory information, defined as “records of temporary usefulness,” which do not have a retention period.
The TSLAC policy also states that “employees who voluntarily terminate employment, retire, transfer, or are demoted will be required to review their email accounts with their immediate supervisors. The employee’s immediate supervisor is responsible for ensuring that the email records are properly classified, stored and that working or convenience copies are disposed of in the correct manner.”
Jim Lewis
Editor, County Magazine
Texas Association of Counties
512-478-8753