Email policy addition

Computer Professionals for Social Responsibility

Email messages ARE organizational records!

by Rick Barry

In response to A sample E-mail and Voice-mail policy (with CPSR's suggestions for improvement)

I believe the draft email policy is excellent as far as it goes.  In my
opinion, however, it lacks coverage in a very important area: records
management. Email policy should not really be the domain, or at least
the sole domain, of the CIO or IT department even though those managers
should have key inputs to such a policy.  This is because only a small
aspect of email policy relates to technology.  Its more important
aspects are related to its role in recording the on-going business of
the organization and legal risks associated with its use and abuse. One
of the most important aspects of email, vmail and other electronic
documents, is that they constitute organizational records in many if not
most cases. Where I have done studies of email usage and policy in
organizational settings, I have found that a large percentage of
employees do not have a clue what is and is not a record, least of all
with respect to email/vmail. And they have little or no understanding of
what their responsibilities are in this respect.   

Whether a communication or document (in the broadest usage of the term)
constitutes an organizational record has nothing whatever to do with the
technology used to create it. It has purely to do with the fact that the
communication fulfills some basic requirements:  it was created in the
normal course of business (not ginned up for the record after the fact
when a lawsuit is imminent), it was recorded in some medium/media and
ultimately it was set aside for recordkeeping purposes because it
fulfilled the first two conditions. Most email messages (EMs) meet these

How long records are kept before destruction is another totally separate
matter that is determined as part of the analysis that takes place in
the appraisal process.  Depending on the organization, this might mean
that a very large percentage of EMs would not be retained beyond their
immediate use or for more than a few years. This determination has to do
with the organizational value of the document for administrative
(organizational continuity, accountability), legal (evidentiary) or
research (informational, social, historical value) purposes.  

With the advent of electronic records, of which email is a prime
example, more archivists and records professionals are attempting to
carry out macro-appraisal, i.e., to elevate the appraisal process to the
system application (payroll, pension, etc.) level or, if possible, to the
business process (hire staff, lend money, produce software products)
level.  As email is not an application system but is more analogous to
paper, it may be used in reference to any application or business
process area. Thus, increasingly organizations are being faced with the
very serious issues of: who decides whether a particular EM is a record or
not (author, business process, other corporate policy criterion); how
EMs that are legitimate organizational records will be captured into the
recordkeeping system; how they will be linked to appropriate business
process categories or records series; what metadata will be required and
how it will be captured; where the line is drawn in the organization
between access to business communications and personal privacy; and how
long-term access to legitimate organizational records will be maintained
over very long periods of time (especially when created using
proprietary software systems) with ever shortening cycles of
technological obsolescence.  CIOs are both ill-equipped and typically
lack the organizational mandate to answer many of these questions
and to set related policies unless the corporate archivist and records
management functions have been integrated into their organizations,
which is beginning to happen in both the public and private sectors.  In
some ways, those responsible for the management of technology would even
be in a conflict of interest situation and possibly in conflict with
their own professional codes of ethics in attempting to set such
policy.  For example, those responsible for the administration of email
systems often set email destruction dates (known in the records
management world as retention schedules) on the basis of purely
technological considerations (e.g., to avoid the disk exceeding 80% of
capacity) rather than on the value of the information as an
organizational asset.  

Any email policy that does not address these issues is incomplete at
best and, at worst, places the organization very much at risk.  Whether
the individual sees email as a substitute for informal telephone
conversations (the distinguishing difference being what communications
are "recorded" and what are not) -- whether the information manager, or
for that matter the records manager, considers email as non-records --
is of little consequence.  The reality is that they are discoverable in
a court of law and this is becoming a routine situation these days. 

I would also like to reinforce the comments made by David Levinger and
Carl Page regarding the looseness of the current draft in the area of
monitoring. In particular, I refer to the current verbiage:

"Although the company does not make a practice of monitoring these
systems, management reserves the right to retrieve the contents for
legitimate reasons, such as to find lost messages, to comply with
investigations of wrongful acts or to recover from system failure."

As stated, the policy is so loose as to be open to serious abuse, not
only by managers but by "colleagues".  Witness the recent revelations of
the abuses of privacy carried out by IRS employees interested in reading
the returns of their neighbors, Hollywood celebrities, etc.  If an
organization like the IRS whose effectiveness depends on very careful
attention to such matters is subject to such abuse, imagine how much
more so most other organizations are.  I recommend that the monitoring
of individual communications not of a business nature be limited to
"duly authorized investigations that have been authorized by the VP or
Director of Human Resources or higher authority, or as may be required
to meet requirements of a lawful subpoena."

A related topic, also missing from the draft, is to establish a policy
that requires that the author be promptly notified after the fact of EMs
that have been accessed for the reasons noted in the draft, and the
reasons this has happened.  Obviously in the case of investigations of
wrongdoing, as noted in the last para, the policy should indicate that
in these cases, notification will take place upon completion of the

In the same vein, the policy should clearly establish that intentional
abuse of this policy by system administrators or others will be subject
to severe sanctions including possibly immediate dismissal from the
position of trust that made improper access possible or dismissal from
the organization altogether.

For further info on email policy, I invite readers to browse the Email
section of my WWW page.

Rick Barry

Richard E. Barry, Barry Associates 
This page last updated on Nov. 11, 1998 by Marsha Woodbury.

Archived CPSR Information
Created before October 2004
