Computer Professionals for Social Responsibility
Email messages ARE organizational records!
by Rick Barry rickbarry@aol.com

In response to A sample E-mail and Voice-mail policy (with CPSR's suggestions for improvement)
I believe the draft email policy is excellent as far as it goes. In my opinion, however, it lacks coverage in a very important area: records management. Email policy should not really be the domain, or at least the sole domain, of the CIO or IT department even though those managers should have key inputs to such a policy. This is because only a small aspect of email policy relates to technology. Its more important aspects are related to its role in recording the on-going business of the organization and legal risks associated with its use and abuse.

One of the most important aspects of email, vmail and other electronic documents, is that they constitute organizational records in many if not most cases. Where I have done studies of email usage and policy in organizational settings, I have found that the large percentage of employees do not have a clue what is and is not a record, least of all with respect to email/vmail. And they have little or no understanding of what their responsibilities are in this respect.

Whether a communication or document (in the broadest usage of the term) constitutes an organizational record has nothing whatever to do with the technology used to create it. It has purely to do with the fact that the communication fulfills some basic requirements: it was created in the normal course of business (not ginned up for the record after the fact when a lawsuit is imminent), it was recorded in some medium/media and ultimately it was set aside for recordkeeping purposes because it fulfilled the first two conditions. Most email messages (EMs) meet these conditions.

How long records are kept before destruction is another totally separate matter that is determined as part of the analysis that takes place in the appraisal process. Depending on the organization, this might mean that a very large percentage of EMs would not be retained beyond their immediate use or for more than a few years. This determination has to do with the organizational value of the document for administrative (organizational continuity, accountability), legal (evidentiary) or research (informational, social, historical value) purposes.

With the advent of electronic records, of which email is a prime example, more archivists and records professionals are attempting to carry out macro-appraisal, i.e., to elevate the appraisal process to the system application (payroll, pension, etc.) level or, if possible, to the business process (hire staff, lend money, produce software products) level. As email is not an application system but is more analogous to paper, it may be used in reference to any application or business process area. Thus, increasingly organizations are being faced with the very serious issues of: who decides whether a particular EM is a record or not (author, business process, other corporate policy criterion); how EMs that are legitimate organizational records will be captured into the recordkeeping system; how they will be linked to appropriate business process categories or records series; what metadata will be required and how it will be captured; where the line is drawn in the organization between access to business communications and personal privacy; and how long-term access to legitimate organizational records will be maintained over very long periods of time (especially when created using proprietary software systems) with ever shortening cycles of technological obsolescence. CIOs are both ill equipped and typically do not have the organizational mandate to answer many of these questions and to set related policies unless the corporate archivist and records management functions have been integrated into their organizations, which is beginning to happen in both the public and private sectors.

In some ways, those responsible for the management of technology would even be in a conflict of interest situation and possibly in conflict with their own professional codes of ethics in attempting to set such policy. For example, those responsible for the administration of email systems often set email destruction dates (known in the records management world as retention schedules) on the basis of purely technological considerations (e.g., to avoid the disk exceeding 80% of capacity) rather than on the value of the information as an organizational asset. Any email policy that does not address these issues is incomplete at best, at worst, is placing the organization very much at risk. Whether the individual sees email as a substitute for informal telephone conversations (the distinguishing difference being what communications are "recorded" and what are not) -- whether the information manager, or for that matter the records manager, considers email as non-records -- is of little consequence. The reality is that they are discoverable in a court of law and this is becoming a routine situation these days.

I would also like to reinforce the comments made by David Levinger and Carl Page regarding the looseness of the current draft in the area of monitoring. In particular, I refer to the current verbiage: "Although the company does not make a practice of monitoring these systems, management reserves the right to retrieve the contents for legitimate reasons, such as to find lost messages, to comply with investigations of wrongful acts or to recover from system failure." As stated, the policy is so loose as to be open to serious abuse, not only by managers but by "colleagues". Witness the recent revelations of the abuses of privacy carried out by IRS employees interested in reading the returns of their neighbors, Hollywood celebrities, etc. If an organization like the IRS whose effectiveness depends on very careful attention to such matters is subject to such abuse, imagine how much more so most other organizations are.

I recommend that the monitoring of individual communications not of a business nature be limited to "duly authorized investigations that have been authorized by the VP or Director of Human Resources or higher authority, or as may be required to meet requirements of a lawful subpoena."

A related topic, also missing from the draft, is to establish a policy that requires that the author be promptly notified after the fact of EMs that have been accessed for the reasons noted in the draft, and the reasons this has happened. Obviously in the case of investigations of wrongdoing, as noted in the last para, the policy should indicate that in these cases, notification will take place upon completion of the investigation. In the same vein, the policy should clearly establish that intentional abuse of this policy by system administrators or others will be subject to severe sanctions including possibly immediate dismissal from the position of trust that made improper access possible or dismissal from the organization altogether.

For further info on email policy, I invite readers to browse the Email section of my WWW page <http://www.rbarry.com/>.

Rick Barry
Richard E. Barry, Barry Associates
E-mail: rickbarry@aol.com or rbarry@erols.com

Return to:
A sample E-mail and Voice-mail policy (with CPSR's suggestions for improvement)
This page last updated on Nov. 11, 1998 by Marsha Woodbury.