Developing a Policy for Managing Email
Table of Contents
Principles and Best Practices
Policy 1: Village of Hidden Valley
Policy 2: Town of Big Thunder
Policy 3: State Office of Administrative Support and Analysis
Appendix: The Legal Framework
Arts and Cultural Affairs Law
The Arts and Cultural Affairs Law defines records and mandates how the records of state agencies and local governments in New York State must be managed. Regardless of physical characteristics or form, the law applies to records that are "made, produced, executed, or received" by a local government or state agency, legislature, or judiciary "pursuant to law or in connection with the transaction of public business."
By law, an email message-in spite of its unique characteristics and form-is a government record if it is produced for government business. The state effectively claims ownership of all emails that agencies, the legislature, and the judiciary create or receive on behalf of the state, and local governments similarly own the email records of local officials. The law does not distinguish between locations where a record is created and media where it ultimately resides. The law applies to government-related emails on any computer (personal computers, laptops, PDAs) and media (tapes, server, personal hard drive), regardless of whether the computer or media are publicly or privately owned.
The Arts and Cultural Affairs Law assigns responsibility for the oversight of state and local government records to the Commissioner of Education, who delegates that responsibility to the State Archives, an office of the State Education Department. In particular, the commissioner is charged with authorizing the appropriate retention and disposition of records and with promulgating regulations that further define the stipulations of the law. Excluded from the commissioner's oversight are court records and the records of the state legislature, New York City, municipal housing authorities, and select other offices and local governments.
Part 185 of 8NYCRR (Regulations of the Commissioner of Education) pertains to managing records in local governments. Part 188 concerns state government records. The regulations mandate that local governments and state agencies ensure the following when managing electronic records:
- Include records retention and other requirements in system design.
- Ensure electronic records are usable for the full retention period. State agencies are additionally required to transfer archival electronic records to the State Archives in a usable and accessible format.
- Create and maintain metadata about electronic records (seven required metadata elements are listed).
- Create and store backup copies in a secure offsite facility (which for state agencies can be the State Records Center).
- Take steps to ensure media integrity (six steps are listed).
If local governments and state agencies create, disseminate, and maintain records as emails, they must apply the above regulatory requirements to those email records.
Cyber Security Policy P03-002
The New York State Office of Cyber Security and Critical Infrastructure Coordination (CSCIC) has promulgated a statewide policy on information security (Cyber Security Policy PO3-002) that addresses all "information assets" regardless of format, including email, that are created and maintained by "state entities." The policy is also mandatory for any "outsourced third parties who have access to or manage state entity information," including local governments that exchange information with state entities.
The Cyber Security Policy includes a section on Internet and email appropriate use, but many of the broad subject areas the policy addresses are also relevant to any discussion of email. These subjects include physical and environmental security, portable devices, wireless networks, access controls, and monitoring and compliance. The security policy is available on CSCIC's website.
Federal Rules of Civil Procedure
Enacted in December 2006, amendments to the Federal Rules of Civil Procedure apply to e-records relevant to federal cases. The amendments have already been adopted by several states, and it is expected that more states will follow. Although not adopted in New York, the amended Federal Rules at least bring new prominence to existing state legislation and regulations pertaining to records.
The Federal Rules emphasize the following components of an e-records management program:
- An e-records inventory, because under the new rules both parties are required to meet within 90 to 120 days of the beginning of an e-discovery action to review a list of potentially relevant e-records
- Retention schedules that are regularly implemented, to prove that potentially relevant records have been destroyed appropriately
- Staff training, because the control of many electronic records, especially email, depends on an individual user
Most importantly, an e-records program must be regulated by written policies and procedures. The existence of policy is especially important if a party in a lawsuit seeks "safe harbor," a provision in the rules that places a limit on the efforts a defendant must expend to locate or produce records. As yet untested by litigation, safe harbor is intended to protect a defendant who cannot retrieve electronic records in spite of all best efforts.
Freedom of Information Law (FOIL)
Email is a record as defined by New York's Freedom of Information Law (FOIL). This means that, as with other records, the public has the right to gain access to messages in an agency (defined as all local governments and state executive branch agencies) email system, except for those emails or portions of them that fall into the ten categories of records that are exempt from disclosure under FOIL. Emails relating to government business that are created and received on home computers are also subject to disclosure under FOIL.
FOIL requires each agency to designate a records access officer, who is responsible for receiving and responding to FOIL requests from the public, including requests for disclosure of email.
An amendment to FOIL enacted in 2006 states that "if an agency has the ability to receive requests for records from the public and transmit records by means of email, it will be required to do so," using forms consistent with the request form developed by the Committee on Open Government.
In 2008, FOIL was again amended to clarify issues that govern access to electronic records. In terms of managing email, the most significant FOIL amendments are the following:
- Section 87, part 5(b): No agencies shall enter into or renew a contract for the creation or maintenance of records if a contract would impair public inspection or copying.
- Section 89, part 3(a): An agency shall not deny a request on the basis that the request is voluminous or that locating or reviewing the requested records or providing the requested copies is burdensome because the agency lacks sufficient staff or on any other basis.
- Section 89, part 3(a): Any programming necessary to retrieve a record maintained in a computer storage system and to transfer that record to the medium requested...shall not be deemed to be the preparation or creation of a new record.
- Section 89, part 9: An agency in designing its information retrieval methods, whenever practicable and reasonable, shall do so in a manner that permits the segregation and retrieval of available items in order to provide maximum public access.
Given the frequency with which FOIL requests (and the courts) focus on email, local governments and state agencies should ensure that their email records are accessible and that the efficient retrieval of emails is a key result when selecting or designing an email management system. If a local government or state agency relies in part or completely on one or more service providers to manage email, the government or agency must have the ability to extract, redact, and export emails from the host's system that are relevant to FOIL requests, preferably with as little effort (and additional cost) as possible.
For more information about FOIL as it relates to email, contact the New York State Committee on Open Government.