Organizations need to define a formalized retention policy for electronic records and email. This policy should be based on the organization's retention obligations from statutory and legal perspectives, as well as on its own internal auditing requirements. In many cases, records retention policies are already in place; these should be extended to cover electronic records rather than written from scratch.
When defining their retention policy, organizations should be aware of various driving factors:
Access to Information
Publicly funded organizations are governed by their state's access to information (open records) legislation. Thus, in defining their electronic records policies, these organizations should check the retention time frames and the types of information that their state mandates must be retained in order to meet open records request directives.
While organizations may be subject to the state's access to information legislation, it is critical that they develop their own procedures for handling open records requests. They can use the state's policy as a guideline and elaborate on it, so that when a records request arrives there is a clear, documented procedure for fulfilling it.
Legal Discovery
Electronic data is becoming the most prevalent source of evidence in civil trials, and organizations are finding themselves under great pressure, and significant financial burden, to produce electronic records in the course of litigation. There are many legal opinions on which information, and how much of it, to keep, but the consensus among legal experts dealing with electronic records is to save more rather than less. This view rests on the fact that email records, by their very nature, are difficult to destroy completely: copies tend to survive in backups, personal archives and recipients' mailboxes, so an organization is better off being able to produce the records itself than having them surface from somewhere else.
Internal Auditing
In most organizations, email correspondence between employees or with external parties sometimes needs to be audited to ensure compliance with internal policy, appropriate conduct, and proper use of system resources. Human Resources and Compliance typically have the largest internal auditing requirements.
It should be noted that while legal discovery and access to information requests can reach back years, auditing of day-to-day communications is typically short-term monitoring.
Save Everything or Save Some Things?
Most current legislation, and the legal advisors who interpret it, hold that there is no requirement to save every email message and that transitory information and "junk" can and should be deleted from the system. The dilemma arises in determining what must be kept and what constitutes transitory information that may be deleted. A second issue is the risk of leaving those decisions to individual users.
Option 1: Save Only Business Records
This is the preferred policy, but it has a catch. To implement it, the organization must develop a highly formalized data retention policy that sets out each individual's responsibility to retain information on behalf of the organization and gives clear guidelines as to what information may be destroyed and what information must be kept. The policy must also state how retained information is to be stored. It has to be communicated to staff as part of an internal policy enforcement program, and compliance with it must be audited.
Unfortunately, practice shows that the three aspects of data retention, policy creation, education, and enforcement, prove to be too much overhead for most organizations in terms of effort and resource allocation. Most organizations do not implement this option without a very strong mandate and participation from many groups within the organization.
Option 2: Save Everything
This is the default policy when organizations are unable to define and/or enforce formal retention policies. In this scenario, the requirement is simply passed down to IT as a technical issue. The underlying premise is that adding storage, or simply configuring the system to keep everything, is cheaper and faster than allocating resources to design, implement, enforce, and monitor a retention policy.
Option 3: Save for Selected Users
Many organizations, especially those moving to the cloud, are now offered data retention options tied to the licensing model they choose. An organization can buy more expensive licenses that provide full litigation hold and email retention capabilities for select users, and exclude the majority of users from imposed retention by assigning them lower cost licenses. While this model does protect the organization from regulatory non-compliance and legal action involving key stakeholders, it leaves the majority of users free to destroy key records, whether maliciously or accidentally.
Option 4: Save Everything – Destroy Some Things
A save everything policy provides full coverage against any scrutiny of whether critical records were accidentally destroyed. In practice, however, legal discovery is constrained by the retention policy the organization has defined: courts generally cannot compel production of data that was destroyed in accordance with that policy, but organizations may be asked to prove that they actually follow their own retention policies.
The premise of this policy is that data is pervasive and can exist in multiple locations, so a single point of discovery and retention is desirable. Everything is retained and then selectively destroyed based on corporate policy rather than individual decisions, with assurance that the data has also been destroyed in secondary locations such as backups and personal archives.
Full retention can be achieved quite easily using the host email system's built-in controls. GroupWise provides a retention service; Exchange and Office 365 provide Litigation Hold, retention policies, and Single Item Recovery, which prevents deleted items from being purged for a fixed period of time. Consult your system administration guide for details on these capabilities.
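The following PowerShell script is an added example, not part of the original page or IPRO's product, showing how the Exchange Online controls mentioned above (Litigation Hold, Single Item Recovery and the deleted-items retention window) can be applied to every user mailbox and then audited so the organization can prove the policy is actually in force. The admin account, the 7-year hold duration and the 30-day deleted-item window are assumptions to be replaced with the organization's own values; it assumes the ExchangeOnlineManagement module is installed and the account holds the Exchange Administrator role.

```powershell
# Added example (not from the original page or from IPRO): enforce "save everything"
# on Exchange Online user mailboxes, then report any mailbox still outside the policy.
# Assumptions: ExchangeOnlineManagement module installed; admin@contoso.example is a
# hypothetical account with the Exchange Administrator role; hold duration and
# deleted-item window are placeholders for the organization's own retention policy.

$HoldDays          = 2555            # litigation hold duration in days (about 7 years); assumed
$DeletedItemWindow = "30.00:00:00"   # deleted-item retention window; 30 days is the Exchange Online maximum

Connect-ExchangeOnline -UserPrincipalName admin@contoso.example   # hypothetical admin account

# 1. Apply litigation hold and single item recovery to every user mailbox.
#    Set-Mailbox will return an error for mailboxes whose license does not include
#    litigation hold; those errors are exactly the coverage gap Option 3 leaves open.
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    ForEach-Object {
        Set-Mailbox -Identity $_.Identity `
            -LitigationHoldEnabled $true `
            -LitigationHoldDuration $HoldDays `
            -SingleItemRecoveryEnabled $true `
            -RetainDeletedItemsFor $DeletedItemWindow
    }

# 2. Audit: list every mailbox that is still not under hold or lacks single item
#    recovery. An empty result is the evidence an auditor or court will ask for
#    that the organization follows its own retention policy.
$Uncovered = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Where-Object { -not $_.LitigationHoldEnabled -or -not $_.SingleItemRecoveryEnabled } |
    Select-Object UserPrincipalName, LitigationHoldEnabled, SingleItemRecoveryEnabled, RetainDeletedItemsFor

if ($Uncovered) {
    $Uncovered | Format-Table -AutoSize
    Write-Warning ("{0} mailbox(es) are not under litigation hold with single item recovery" -f @($Uncovered).Count)
} else {
    Write-Output "All user mailboxes are under litigation hold with single item recovery enabled."
}

Disconnect-ExchangeOnline -Confirm:$false
```

Run the audit step (2) on its own as a scheduled job: a hold that is silently removed from a mailbox, or a newly created mailbox that was never placed on hold, shows up in the report, and the report history itself documents that the retention mandate is being enforced rather than eroded by exceptions.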
Typical IPRO Retention Policy Scenario
The typical retention policy created for the majority of organizations is 100% retention with separated trash. In this scenario, an IPRO policy is configured to capture all email. The system allocates two separate repositories for the archived email: one for messages in users' inboxes and folders, and one for the trash and junk mail folders.
This scenario meets the following objectives:
- 100% of the information is retained for a minimum duration consistent with the lifecycle of that data in external systems such as personal archives and backups, thus maintaining a single point of discovery.
- Selective data destruction is possible, because separate destruction policies can be placed on the data that users have determined is not business related.
- The organization controls the destruction timetable and policies for all retained data, which allows ALL data to be audited for compliance and investigation and legal holds to be maintained on it.
Implementing a formal archiving policy for email simplifies records retention and provides a single point of access and knowledge. When legal discovery or public access requests arrive, the organization knows exactly what information is available and where it exists, reducing costs and shortening discovery turnaround.
Without formal electronic records retention policies endorsed by upper management, most IT initiated policies quickly become diluted through the introduction of “exceptions” due to user “pushback” which threaten to compromise or undermine the retention mandate.
What to keep, and for how long, are questions every organization tries to answer, and on which there are many conflicting legal opinions. The main advice from legal experts in electronic evidence practice is that email is hard to destroy, because multiple copies exist and individuals tend to keep it. Courts penalize organizations for producing insufficient evidence, not for producing too much. Organizations should consider their industry and the information contained within their email system, and make decisions based on records management and liability.