Ask the Expert Retention Email and Records

ERM Community Wiki

Community Topic(s): ERM


Barclay Blair provides answers about retention, email in the cloud, how to determine if an email is a record.

Q: What is the best way to implement records retention in email without the use of specialized software? Can it be done simply in the existing email environment?
Blair: With email management, I think it is important to focus on two things: 1) getting started and 2) getting better. While some may be in a position to pull off a "big bang" project with new software, policies, training, change management, etc., others don't have that luxury. I have had clients get started with email retention in their existing email environment simply by created an "Email Records" folder and directing employees to drag all email records into it. Then, anything outside of that folder is deleted after a set time period. It would also be advisable to provide a similar method for anything requiring preservation under a Legal Hold. This is far from perfect, but it does 1) get you started and 2) make you better.

Q: My organization is anxious to outsource our email into the "cloud." What does that do to our ability to manage and retain our email? What do you think about the risks of housing email in an offsite solution?
Blair: Hosted solutions for email are really nothing new, even if they have a new name. The risks and rewards really haven't changed either. Many experts in this space like to point to the cloud as the new compliance boogeyman, but I'm not one of them. The situation is pretty simple – you can outsource your email, but you can't outsource your legal or compliance obligations. So, make sure that your provider can support those obligations, and then address the important issues contractually. The issues are pretty self evident:

security, privacy, availability, service levels, response times, representations and commitments, capability to support e-discovery requests, continuity planning in the event of service provider bankruptcy or acquisition, etc.

The scope of the issues you need to address also depend on how you are using the cloud, i.e., for simple storage, or for the entire email capability. As a final note, I have seen plenty of IT departments who haven't exactly done a great job on providing the capability to manage and retain email, so make sure that you aren't comparing a mythical perfect situation to the speculative and scary new one.

Q: How can a company allow an employee to determine if the email is not needed?
Blair: I like this question. Here is a question back. How can we allow employees to fly airplanes? How can we allow them to make important business decisions?

How can we allow them to monitor the instrumentation that controls the power plant? How can we allow them to (fill in the blanks)? My point here is that we allow (and require) employees to do all kinds of things in their jobs that would be difficult, tricky, and downright dangerous without the proper training and context. So, why do we think employees are unable to look at a piece of information and tell if it is a contract or an invoice? Certainly I'm being a bit glib here, but this question seriously does mystify me.

With the advent of personal computers and the Internet, the ability to create and disseminate information was decentralized. The result? The records management function was also decentralized. In other words, every employee today is a records manager - like it or not. But, asking them to be a records manager without showing them how to be a records manager is doomed to fail. So, in that context, the question takes us to a useful place - if we don't show them how to do it, we can no more allow or trust employees to make retention decisions that we can allow them to run a piece of equipment or negotiate a deal. The great news is that with newer technologies that support role-based retention categories, automatic classification, and so on, their job is getting easier.

Adapted from the Ask the Expert column in Infonomics, Ask the Expert: Retention, Email, and Records. Barclay T. Blair ( bblair@fcsig.com or 403-638-9302) is a consultant to Fortune 500 companies, software and hardware vendors, and government institutions, and is an author, speaker, and internationally recognized authority on a broad range of policy, compliance, and management issues related to information governance and information technology. Barclay has led several high-profile consulting engagements at the world’s leading institutions to help them globally transform the way they manage information. Mr. Blair heads up the Information Governance practice at Forensics Consulting Service, LLC (www.forensicsconsulting.com).

Read the original column at http://www.aiim.org/infonomics/ask-the-expert-retention-email-records.aspx


The wiki text is available under the Creative Commons Attribution License agreement.

Blog email facebook linkedin Rss Twitter Youtube

Copyright © AIIM 2013 Privacy Policy