Developing a Policy for Managing Email

Summary
Introduction
Policy Components
Sample Policies
Policy 1: Village of Hidden Valley
Policy 2: Town of Big Thunder
Policy 3: State Office of Administrative Support and Analysis
Appendix: The Legal Framework

2. Principles and Best Practices

2.1 Understand email use

When trying to manage email, there is usually no easy solution. Managing email means developing strategies that are selective, focusing resources where they are critically needed and where they will have the greatest impact. Policy decisions on how to manage email must reflect how a government or agency uses email. For example, do users primarily use email to communicate short, transitory messages, with some isolated exceptions? Or does a government or agency, or an individual unit of that government or agency, rely on an email system to send, receive, and store records relating to one or more core functions? The extent to which an email system is used for transmitting and receiving records, the distribution of records across a government or agency, and the value and retention requirements of those records must guide policy and the management strategy.

2.2 Manage centrally

Email policies of the past decade have tended to make individual users responsible for managing their own emails. Recent litigation and studies have highlighted the shortcomings of this approach in guaranteeing organization-wide compliance with records and other requirements. In large organizations especially, email is managed inconsistently if left to end users, because individuals exercise various levels of discipline and use their email accounts differently. Email management may be centralized agency-wide, government-wide, or by individual program units.

Central control is necessary to eliminate unnecessary duplicates, identify and link threads in an extended email exchange, provide access to more than one user, and guarantee legal compliance. These guidelines tend to emphasize (and encourage) strategies that allow some degree of centralized control, at least for emails that are permanent, vital, or vulnerable to e-discovery.

Options for managing email centrally include

• managing via a Local Area Network (LAN), or a shared directory. A LAN, or shared directory, is an imperfect tool for managing emails centrally, because it ultimately relies on each user of an email system to move individual emails manually out of a mailbox and into a shared electronic file system.

• email archiving software, which captures and preserves email traffic flowing into and out of the email server and stores it at a central location. Email archiving provides "single-instance storage," meaning that only one copy of an email or attachment is stored in the archive but is associated with senders and receivers, thereby reducing the volume of email on the online email server and making search and retrieval more efficient. Email archiving does not, however, integrate email with other electronic records (word-processed files, databases, webpages); emails exist and are managed as a stand-alone body of information.

• Electronic Document Management System/Enterprise Content Management (EDMS/ECM), which is a central repository for all electronic records. Depending on the product, an EDMS/ECM can have a sophisticated array of management functions, and can even manage retention and disposition through a records management application (RMA). Email management exists as a separate, add-on module of an EDMS/ECM.

2.3 Manage electronically

Another management strategy has been to rely on the "low-tech" method of printing out important emails to integrate them into a paper recordkeeping system. Printing emails is still a viable option for a small organization with limited technology support and finances, provided that individuals across the organization consistently apply records retention requirements to the printed emails, capture all essential metadata, and file the emails with their respective attachments. Such controls are difficult, if not impossible, to enforce in large organizations where email traffic and volume is increasing exponentially.
Governments and agencies are more likely to ensure compliance with policy by retaining their email electronically and managing their email records with a growing arsenal of electronic tools (although it may still prove necessary to print emails occasionally, to integrate a few emails into an existing paper file).

2.4 Ensure cooperation, coordination, and support

Most local governments and state agencies are required by law to appoint a records management officer (RMO), who is responsible for coordinating and overseeing a comprehensive records management program. It can be difficult to coordinate and gain support for managing a resource that affects everyone, especially in an environment with a mixture of full- and part-time officials and employees, interns, volunteers, and contractual personnel working at various locations. Because of the impact and costs of not managing email, however, RMOs and others in governments and agencies must develop strategies and mechanisms for building cooperation.

The management of electronic records and email can enhance the relevance and visibility of a cooperative body that already exists in a local government or state agency, or it can be a compelling reason for initiating a cooperative body that includes everyone with an interest in and knowledge about records. Possible responsibilities of such a board or committee could be to

• ensure communication between program areas that are directly concerned with electronic records (especially records management and information technology)
  
  
• advise on the desired capabilities of a software solution to manage email and other electronic records
  
  
• review requests for proposals (RFPs) and responses to the RFPs for email management solutions
  
  
• coordinate an appropriate response to a legal action or other inquiry (FOIL, audit)
  
  
• identify sources of grant funding, and identify and prioritize projects for grant applications
  
  
• identify and coordinate training opportunities
  
  
• periodically review policies and procedures for managing electronic records
  
  
• advise on appropriate responses (including disciplinary measures) when policies and procedures aren't followed

An RMO in a local government can form, refocus, or re-energize a records advisory board to advise on electronic records issues, or form a technology committee to focus on the unique needs of electronic records. An RMO in a state agency can form or give a new role to a committee that consists of liaisons from across the agency who are directly involved with managing records in their respective program areas and with coordinating those functions with the RMO. The records manager, records access officer, information technology director, information security officer, and legal counsel should be involved in any such committee, working with the support of and input from management.

2.5 Address any backlog

Many local governments and state agencies are dealing with a backlog of unmanaged emails stored either on servers or on various storage media offline. Whether or not to manage emails retroactively depends on the level of risk involved in not managing them. If the risk level is high, analysis of a sample of tapes or other storage media involved might suggest an appropriate course of action. Methods of analysis may include

• downloading backups or copies of email into an existing management system
  
  
• working with a data recovery vendor to restore tapes or other media one by one
  
  
• surveying past email users to determine what is likely to be on the media

The goal is to identify, as much as possible, the latest retention period of records on the storage media and to destroy the media when that retention period has passed. Base all strategies on solid reasoning, and document those strategies in an email management policy.

2.6 Work with service providers

A variety of services are available to governments and agencies that either don't have or can't afford to divert their limited resources towards managing email entirely on their own. These services include

1. Commercial Internet Service Providers (ISPs), who provide email services as a component of Internet services (such as Verizon, Time Warner)
   
   
2. Widely used commercial stand-alone email systems (such as AOL)
   
   
3. Free email services (such as Gmail, Hotmail, Yahoo)
   
   
4. Email services offered by local governments or state agencies (BOCES for constituent school districts, counties for municipalities, Office for Technology for state agencies and others)

It is important to define in policy the range of email services received from an outside service provider. Whenever possible, arrange for services that extend beyond connectivity to include essential management functions. In addition, be aware of potential problems involving the use of the first three options listed above, such as limitations on attachment file size and mailbox capacity and the difficulty of importing files from the host system. A signed contract or service agreement with the outside provider should reflect the system's capability to address existing policies and procedures.

Managing email consistently and comprehensively can be problematic when individual users in the same government have accounts with several different services or service providers. One solution is to download all government email records to a central server, where email records can be stored in-house and managed electronically through the use of specialized software. The alternative is to work with the email service provider to utilize "software as a service" possibilities to ensure that all aspects of email, including retention and disposition, are managed appropriately while not making further demands on an in-house technology infrastructure.