Privacy Guidelines for Managing Emails

The Office of the Information and Privacy Commissioner of Alberta has published guidelines on how to manage emails to minimize organizational risks and expenses that could be caused by a privacy breach. The guidelines indicate that “In light of the vast quantities of email sent and received daily by an organization, email management is not just a records management issue, but is also a necessary business process” that should be managed in accordance with records management principles and the requirements of Alberta’s access to information and privacy legislation. Although the guidance provided in this document is directed at managing emails, the general principles may assist in managing records in other formats.

Notwithstanding that the guidelines are from Alberta, they make good business sense for the other Canadian jurisdictions. Below are some elements we can learn from the guidelines.

As indicated in the guidelines, under section 1(1)(m) of the Personal Information Protection Act (Alberta) (PIPA), a

“record” means a record of information in any form or in any medium, whether in written, printed, photographic or electronic form or any other form, but does not include a computer program or other mechanism that can produce a record. […] Therefore, public bodies, custodians and private sector organizations must apply the access and privacy provisions of PIPA to the emails in their custody or under their control. Note that not all emails need to be kept. Only those emails that are official records must be retained. […] An official record provides documentary evidence of the business transactions, activities and decisions of a public body, custodian or organization. Official records are required for future business, legal or archival purposes.”

The guidelines recommend, in addition to a privacy policy, that organizations should implement efficient corporate records management policies and practices. “Effective and efficient records management practices ensure that evidence of business transactions and decisions is created, captured, managed and made accessible to those who need it, for as long as it is required, regardless of the medium or format of the record.”

How should emails be retained?

Emails that qualify as official records may be retained in one of two ways:

  1. In electronic format and filed in an appropriate electronic record keeping system; or
  2. Printed and filed in the paper filing system managed by the organization’s records management personnel.

Whether retaining the email in paper or electronic format, the record keeping system needs to be able to identify, retrieve, share and retain the records for as long as the emails are needed.

The emails must be saved or retained in a way that ensures they are captured with their transmission and receipt data, and are not changed, thereby remaining accurate and reliable as evidence. Attachments to emails should be captured and stored with the email message because the message often provides the context for the attachment.

Email archiving is the act of preserving all emails to and from an employee. Email archiving is not a substitute for an effective record keeping system. For one, it does not differentiate between emails that qualify as official records and transitory records such as duplicate, personal and unsolicited commercial email. The emails are also not linked to related records in other formats and systems. These are among the reasons why archiving should not be a substitute for an effective record keeping system.

Staff training and monitoring

Effective email management requires ongoing training and support for staff. Staff training must be followed by regular monitoring to ensure that records and email management policies and procedures are being complied with and that official record emails are being captured in the records management system.

In addition, when an employee is retiring or otherwise leaving the organization, the employee should ensure that all official email records are transferred from their email mailboxes to the appropriate records management system before they leave.

More can be found in the guidelines here (in PDF). Eight tips to manage emails are also found here (in PDF).
