Email and Electronic Records Retention: IT Requirements

Paul Dworak, Office of Compliance, dworak@unt.edu, 565-4906

Records

Any document that is created or received in the course of State business

The medium of a record is irrelevant. Paper records, electronic files, emails, images, etc. are all state records

Objective of Records Management

To keep records for periods of time required by federal and state statutes, in order to demonstrate that proper business operations are being followed

To dispose of records in an organized manner to save space

To limit legal liability by disposing of records that no longer have business value

BUT, to hold records that are needed in litigation

Record Series

Record Series are groups of records related by their content

The Record Series Number determines the retention period

The retention period consists of an active period and a storage period

The active period is the time during which a record is accessed frequently

The storage period is the time when the record is accessed little or not at all

Archiving

In record management terms, archiving a record series means storing a permanent record

Vital Records

Vital records are those that need to be backed up so that they can be restored in the event that an agency has a disaster and must implement its business continuity plan

Only some records are defined in the Record Retention Schedule as being vital records

Important Record Series for this Presentation

Calendars [1.1.013]—retention period is 1 year following the end of the previous calendar year (2005 calendar entries can be deleted 1/1/2007)

Transitory Information [1.1.057]—retention period is “when the purpose of the record has been fulfilled”

Important Records Series (cont.)

Administrative Correspondence [1.1.007]—retention period is 3 years

General Correspondence [1.1.008]—retention period is 1 year

Other Record Series

The custodian of a document (the person who created it or received it) is responsible for determining the record series into which any other type of document falls

The retention period is determined by the record series

For emails, this is based on the content of the email and/or its attachments

Email

Email Records

All emails, regardless of content, that are created by a state agency, or that come into a state agency, are state records

However, the record retention schedule enables the custodian to determine the record series of any email

Email Record Series

Administrative Correspondence—email relating to policies, procedures, strategic planning, etc.

General Correspondence—email relating to general operations

Other Email Records—record series is determined by the content of the message and/or its attachments

Transitory Information

Identify transitory information: bulk mail, junk mail, spam

Delete “when the purpose has been served,” i.e., immediately or within a short period of time (e.g., 24 hours)

Free storage space

Transitory Information (cont.)

Recipient of an email can determine that other emails are transient

Everyone emails referring to an event on a specific date, or an action that contains a deadline

The email can be put into a “Transient” folder (i.e., the Trash) when the email has served its purpose

User can establish rules, or global rules can be developed if possible

Official Records

Some emails will require classification into record series based on their content

It may take time for the user to place emails into the proper folders

Ideally, the folder system should be standardized and not up to the user

Users can create subfolders in the standardized folder system

The user is responsible for filing the emails appropriately

Work Space

Emails stay in this space until they can be filed as transient or official records

Work Space can have time or space limits that are established by policy or by written operating procedures

These limitations are imposed to handle users who do not dispose of transitory information

Issues

A written policy or procedure needs to define whether the sender of an email, the receiver, or both are custodians of the record

A written policy or procedure needs to identify the auto-delete time frames for transitory and work space emails

There is the potential for auto-deleting vital records inappropriately

The record custodian will be responsible for violating the law, not the IT staff

Backups

Vital records MUST be backed up

The number of backup tapes used before they are recycled is based on a written policy or operating procedure

Depends on the requirements of the business continuity plan—how many backups are needed to create a reliable image of business operations?

Generally no more than 30 days

Backups (cont.)

It is illegal to use backup tapes as a way of retaining records, in lieu of an established, effective records management system

It is illegal to keep records indefinitely

Any records that exist on backup tapes must be restored and retrieved in response to legal discovery or an open records request

Backup tapes cannot be recycled once a record hold is declared

Training

The success of any email retention system depends on user training

This training has a records retention component (responsibility of the Compliance Office)

And an email use component (responsibility of the Groupwise staff and Network managers)

Training (cont.)

We will need to collaborate to develop an efficient and cost-effective way of delivering the training, whether it be classroom, online, emails/websites, or one-on-one

Consequences for Users

State employees only have immunity if they operate in the course and scope of their duties

State employees may not have immunity in cases of federal prosecution

More courts are considering failure to manage records as failure to act in the course and scope of duties

Results are fines and prison sentences

Consequences for Management

In Danis v. USN Communications, the federal judge fined the CEO for failure to maintain oversight of the company’s record management program

CEOs are considered responsible for the actions of all their employees, UNLESS there is an effective system for records management that an employee flagrantly violates after being trained

Views of IT Staff

They control the hardware and applications so much that they determine the records management paradigm

They provide a service to management and employees, who are responsible for determining the records management implementation

Consequences for IT Staff

The objective is to be viewed as a service component, which implements the policies and operating procedures approved by management

In this case, IT has no legal responsibility for failures, unless they are malicious

IT must have input in the development of policies and procedures, since IT acquisitions flow from defined business processes and needs

If IT is viewed as determining the records management paradigm, it could be assigned responsibility for mismanagement of records and bear the legal consequences

Immediate Objectives

Compliance Status

No organization is currently in compliance

Organizations decrease their liability by articulating and implementing a plan to get into compliance

At some unknown future time, organizations without evidence of planning will be highly vulnerable

Implementation Steps

Compliance Office will conduct an inventory of electronic records (where are they stored, by whom, etc.)

Will take one year for vital records, three years for all records

Will enable departments to establish a standardized filing structure for electronic records

Policies—other than for a brief overarching policy, policies should NOT be developed for getting into compliance

Implementation Steps

Operating procedures should be developed that are approved by: Associate VP for Computing and CIO; Vice President for Finance and Business Affairs; Records Manager (Compliance Officer); [President]

Operating Procedures

Define custodian for emails (sender, receiver, both)

Establishes responsibility for management

Define categories of storage (transitory, official records, work space)

Determine rules for auto-deleting transitory and work space emails

Determine how backups will be done and how many tapes will be used

Operating Procedures

Define records management roles for users

Define how vital records will be identified by the user

Define how record holds will be implemented

Define communication responsibilities for procedures that are implemented

Establish consequences for violation of procedures

Other Tasks

Determine what training is needed

Define applications needs for email retention

Determine if any vendors can meet these needs

Determine if funds are available or can be acquired

Thank you!!

Questions and Suggestions . . .