1 / 33

Email and Electronic Records Retention: IT Requirements

Email and Electronic Records Retention: IT Requirements. Paul Dworak Office of Compliance dworak@unt.edu 565-4906. Records. Any document that is created or received in the course of State business

ciro
Télécharger la présentation

Email and Electronic Records Retention: IT Requirements

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Email and Electronic Records Retention: IT Requirements Paul Dworak Office of Compliance dworak@unt.edu 565-4906

  2. Records • Any document that is created or received in the course of State business • The medium of a record is irrelevant. Paper records, electronic files, emails, images, etc. are all state records

  3. Objective of Records Management • To keep records for periods of time required by federal and state statutes, in order to demonstrate that proper business operations are being followed • To dispose of records in an organized manner to save space • To limit legal liability by disposing of records that no longer have business value • BUT, to hold records that are needed in litigation

  4. Record Series • Record Series are groups of records related by their content • The Record Series Number determines the retention period • The retention period consists of an active period and a storage period • The active period is the time during which a record is accessed frequently • The storage period is the time when the record is accessed little or not at all

  5. Archiving • In record management terms, archiving a record series means storing a permanent record

  6. Vital Records • Vital records are those that need to be backed up so that they can be restored in the event that an agency has a disaster and must implement its business continuity plan • Only some records are defined in the Record Retention Schedule as being vital records

  7. Important Record Series for this Presentation • Calendars [1.1.013]—retention period is 1 year following the end of the previous calendar year (2005 calendar entries can be deleted 1/1/2007) • Transitory Information [1.1.057]—retention period is “when the purpose of the record has been fulfilled”

  8. Important Records Series (cont.) • Administrative Correspondence [1.1.007]—retention period is 3 years • General Correspondence [1.1.008]—retention period is 1 year

  9. Other Record Series • The custodian of a document (the person who created it or received it) is responsible for determining the record series into which any other type of document falls • The retention period is determined by the record series • For emails, this is based on the content of the email and/or its attachments

  10. Email

  11. Email Records • All emails, regardless of content, that are created by a state agency, or that come into a state agency, are state records • However, the record retention schedule enables the custodian to determine the record series of any email

  12. Email Record Series • Administrative Correspondence—email relating to policies, procedures, strategic planning, etc. • General Correspondence—email relating to general operations • Other Email Records—record series is determined by the content of the message and/or its attachments

  13. Transitory Information • Identify transitory information • Bulk mail • Junk mail • Spam • Delete “when the purpose has been served,” i. e., immediately or within a short period of time (e. g., 24 hours) • Free storage space

  14. Transitory Information (cont.) • Recipient of an email can determine that other emails are transient • Everyone emails referring to an event on a specific date, or an action that contains a deadline • The email can be put into a “Transient” folder (i. e., the Trash) when the email has served its purpose • User can establish rules, or global rules can be developed if possible

  15. Official Records • Some emails will require classification into record series based on their content • It may take time for the user to place emails into the proper folders • Ideally, the folder system should be standardized and not up to the user • Users can create subfolders in the standardized folder system • The user is responsible for filing the emails appropriately

  16. Work Space • Emails stay in this space until they can be filed as transient or official records • Work Space can have time or space limits that are established by policy or by written operating procedures • These limitations are imposed to handle users who do not dispose of transitory information

  17. Issues • A written policy or procedure needs to define whether the sender of an email, the receiver, or both are custodians of the record • A written policy or procedure needs to identify the auto-delete time frames for transitory and work space emails • There is the potential for auto-deleting vital records inappropriately • The record custodian will be responsible for violating the law, not the IT staff

  18. Backups • Vital records MUST be backed up • The number of backup tapes used before they are recycled is based on a written policy or operating procedure • Depends on the requirements of the business continuity plan—how many backups are needed to create a reliable image of business operations? • Generally no more than 30 days

  19. Backups (cont.) • It is illegal to use backup tapes as a way of retaining records, in lieu of an established, effective records management system • It is illegal to keep records indefinitely • Any records that exist on backup tapes must be restored and retrieved in response to legal discovery or an open records request • Backup tapes cannot be recycled once a record hold is declared

  20. Training • The success of any email retention system is user training • This training has a records retention component • Responsibility of the Compliance Office • And an email use component • Responsibility of the Groupwise staff and Network managers

  21. Training (cont.) • We will need to collaborate to develop an efficient and cost effective way of delivering the training, whether it be • Classroom • Online • Emails/websites • One-on-one

  22. Consequences for Users • State employees only have immunity if they operate in the course and scope of their duties • State employees may not have immunity in cases of federal prosecution • More courts are considering failure to manage records as failure to act in the course and scope of duties • Results are fines and prison sentences

  23. Consequences for Management • In Danis v. USN Communications, the federal judge fined the CEO for failure to maintain oversight of the company’s record management program • CEO’s are considered responsible for the actions of all their employees, UNLESS there is an effective system for records management that an employee flagrantly violates after being trained

  24. Views of IT Staff • They control the hardware and applications so much that they determine the records management paradigm • They provide a service to management and employees, who are responsible for determining the records management implementation

  25. Consequences for IT Staff • The objective is to be viewed as a service component, which implements the policies and operating procedures approved by management • In this case, IT has no legal responsibility for failures, unless they are malicious • IT must have input in the development of policies and procedures, since IT acquisitions flow from defined business processes and needs • If IT is viewed as determining the records management paradigm, it could be assigned responsibility for mismanagement of records and bear the legal consequences

  26. Immediate Objectives

  27. Compliance Status • No organization is currently in compliance • Organizations decrease their liability by articulating and implementing a plan to get into compliance • At some unknown future time, organizations without evidence of planning will be highly vulnerable

  28. Implementation Steps • Compliance Office will conduct an inventory of electronic records (where are they stored, by whom, etc.) • Will take one year for vital records, three years for all records • Will enable departments to establish a standardized filing structure for electronic records • Policies—other than for a brief overarching policy, policies should NOT be developed for getting into compliance

  29. Implementation Steps • Operating procedures should be developed that are approved by • Associate VP for Computing and CIO • Vice President for Finance and Business Affairs • Records Manager (Compliance Officer) • [President]

  30. Operating Procedures • Define custodian for emails (sender, receiver, both) • Establishes responsibility for management • Define categories of storage (transitory, official records, work space) • Determine rules for auto-deleting transitory and work space emails • Determine how backups will be done and how many tapes will be used

  31. Operating Procedures • Define records management roles for users • Define how vital records will be identified by the user • Define how record holds will be implemented • Define communication responsibilities for procedures that are implemented • Establish consequences for violation of procedures

  32. Other Tasks • Determine what training is needed • Define applications needs for email retention • Determine if any vendors can meet these needs • Determine if funds are available or can be acquired

  33. Thank you!! Questions and Suggestions . . .

More Related