Email and Electronic Records Retention: IT Requirements
Paul Dworak
Office of Compliance
[email protected]
Records
Any document that is created or received in the course of State business
The medium of a record is irrelevant. Paper records, electronic files, emails, images, etc. are all state records
Objective of Records Management
To keep records for periods of time required by federal and state statutes, in order to demonstrate that proper business operations are being followed
To dispose of records in an organized manner to save space
To limit legal liability by disposing of records that no longer have business value
BUT, to hold records that are needed in litigation
Record Series
Record Series are groups of records related by their content
The Record Series Number determines the retention period
The retention period consists of an active period and a storage period
The active period is the time during which a record is accessed frequently
The storage period is the time when the record is accessed little or not at all
Archiving
In record management terms, archiving a record series means storing a permanent record
Vital Records
Vital records are those that need to be backed up so that they can be restored in the event that an agency has a disaster and must implement its business continuity plan
Only some records are defined in the Record Retention Schedule as being vital records
Important Record Series for this Presentation
Calendars [1.1.013]—retention period is 1 year following the end of the previous calendar year (2005 calendar entries can be deleted 1/1/2007)
Transitory Information [1.1.057]—retention period is “when the purpose of the record has been fulfilled”
Important Records Series (cont.)
Administrative Correspondence [1.1.007]—retention period is 3 years
General Correspondence [1.1.008]—retention period is 1 year
Other Record Series
The custodian of a document (the person who created it or received it) is responsible for determining the record series into which any other type of document falls
The retention period is determined by the record series
For emails, this is based on the content of the email and/or its attachments
Email Records
All emails, regardless of content, that are created by a state agency, or that come into a state agency, are state records
However, the record retention schedule enables the custodian to determine the record series of any email
Email Record Series
Administrative Correspondence—email relating to policies, procedures, strategic planning, etc.
General Correspondence—email relating to general operations
Other Email Records—record series is determined by the content of the message and/or its attachments
Transitory Information
Identify transitory information: bulk mail, junk mail, spam
Delete “when the purpose has been served,” i.e., immediately or within a short period of time (e.g., 24 hours)
Free storage space
Transitory Information (cont.)
Recipient of an email can determine that other emails are transient
Everyone emails referring to an event on a specific date, or an action that contains a deadline
The email can be put into a “Transient” folder (i.e., the Trash) when the email has served its purpose
User can establish rules, or global rules can be developed if possible
Official Records
Some emails will require classification into record series based on their content
It may take time for the user to place emails into the proper folders
Ideally, the folder system should be standardized and not up to the user
Users can create subfolders in the standardized folder system
The user is responsible for filing the emails appropriately
Work Space
Emails stay in this space until they can be filed as transient or official records
Work Space can have time or space limits that are established by policy or by written operating procedures
These limitations are imposed to handle users who do not dispose of transitory information
Issues
A written policy or procedure needs to define whether the sender of an email, the receiver, or both are custodians of the record
A written policy or procedure needs to identify the auto-delete time frames for transitory and work space emails
There is the potential for auto-deleting vital records inappropriately
The record custodian will be responsible for violating the law, not the IT staff
Backups
Vital records MUST be backed up
The number of backup tapes used before they are recycled is based on a written policy or operating procedure
Depends on the requirements of the business continuity plan—how many backups are needed to create a reliable image of business operations?
Generally no more than 30 days
Backups (cont.)
It is illegal to use backup tapes as a way of retaining records, in lieu of an established, effective records management system
It is illegal to keep records indefinitely
Any records that exist on backup tapes must be restored and retrieved in response to legal discovery or an open records request
Backup tapes cannot be recycled once a record hold is declared
Training
The success of any email retention system is user training
This training has a records retention component
Responsibility of the Compliance Office
And an email use component
Responsibility of the Groupwise staff and Network managers
Training (cont.)
We will need to collaborate to develop an efficient and cost-effective way of delivering the training, whether it be classroom, online, emails/websites, or one-on-one
Consequences for Users
State employees only have immunity if they operate in the course and scope of their duties
State employees may not have immunity in cases of federal prosecution
More courts are considering failure to manage records as failure to act in the course and scope of duties
Results are fines and prison sentences
Consequences for Management
In Danis v. USN Communications, the federal judge fined the CEO for failure to maintain oversight of the company’s record management program
CEOs are considered responsible for the actions of all their employees, UNLESS there is an effective system for records management that an employee flagrantly violates after being trained
Views of IT Staff
They control the hardware and applications so much that they determine the records management paradigm
They provide a service to management and employees, who are responsible for determining the records management implementation
Consequences for IT Staff
The objective is to be viewed as a service component, which implements the policies and operating procedures approved by management
In this case, IT has no legal responsibility for failures, unless they are malicious
IT must have input in the development of policies and procedures, since IT acquisitions flow from defined business processes and needs
If IT is viewed as determining the records management paradigm, it could be assigned responsibility for mismanagement of records and bear the legal consequences
Immediate Objectives
Compliance Status
No organization is currently in compliance
Organizations decrease their liability by articulating and implementing a plan to get into compliance
At some unknown future time, organizations without evidence of planning will be highly vulnerable
Implementation Steps
Compliance Office will conduct an inventory of electronic records (where are they stored, by whom, etc.)
Will take one year for vital records, three years for all records
Will enable departments to establish a standardized filing structure for electronic records
Policies—other than for a brief overarching policy, policies should NOT be developed for getting into compliance
Implementation Steps
Operating procedures should be developed that are approved by:
Associate VP for Computing and CIO
Vice President for Finance and Business Affairs
Records Manager (Compliance Officer)
[President]
Operating Procedures
Define custodian for emails (sender, receiver, both)
Establishes responsibility for management
Define categories of storage (transitory, official records, work space)
Determine rules for auto-deleting transitory and work space emails
Determine how backups will be done and how many tapes will be used
Operating Procedures
Define records management roles for users
Define how vital records will be identified by the user
Define how record holds will be implemented
Define communication responsibilities for procedures that are implemented
Establish consequences for violation of procedures
Other Tasks
Determine what training is needed
Define applications needs for email retention
Determine if any vendors can meet these needs
Determine if funds are available or can be acquired
Thank you!!
Questions and Suggestions . . .