Email Records Management Done Right: A Walkthrough of NARA’s Guidelines (NARA Series #5)

Post Date: 03/27/2019
feature image

Having trouble getting NARA compliant? Download our free NARA compliance resource kit today! 


This is the fifth entry in our NARA series. Check out the others below!

Email is the lifeblood of the modern office environment. While convenient, it’s created a massive source of new records subject to federal records keeping regulations. It also means that an electronic medium never designed for permanent preservation now needs to be managed forever.

NARA has mandated rules for the disposition and management of all federal electronic records, and that includes email. What does NARA mean when they say “email?” What does it mean to “permanently preserve” an email? What guidance has NARA provided?

What’s the guidance from NARA?

On April 6th, 2016, NARA released “Criteria for Managing Email Records in Compliance with the Managing Government Records Directive (M-12-18)” which states the following:

“The Office of Management and Budget (OMB) and National Archives and Records Administration (NARA) released Memorandum M-12-18, Managing Government Records Directive, on August 24, 2012. The Directive outlines targets for agencies to meet to develop a 21st-century framework for the management of Government records. Directive Goal 1.2 states:

By December 31, 2016, Federal agencies must manage all email records in an electronic format. Email records must be retained in an appropriate electronic system that supports records management and litigation requirements (which may include preservation-in-place models), including the capability to identify, retrieve, and retain the records for as long as they are needed.”

When we think of email, we tend to think of Outlook or Gmail. However, a records manager must think about all the contextual information that sits around an email as well.

So, what is an email to a records manager? At the end of the day, it’s just another type of record (evidence of a business transaction, action, or decision) that needs to be managed the same way as any other. Per NARA, the “email record” includes:

  • The header information containing the FROM: and TO: (as well as CC: and BCC:) addresses
  • The subject line
  • The time and date stamp
  • The body of the email
  • Any attachments

Yes, attachments are considered part of the email record and should be submitted to NARA as part of the discrete record package that includes the email it was attached to. The format of the attachment can be ignored, and it does not have to be converted from the native format as part of the email record. On the other hand, components like calendar invites, contacts, tasks, and instant messages are not considered email records by NARA and should instead be scheduled and submitted as records on their own.

NARA has grouped the success criteria meeting the M12-18 mandate into four broad categories: policies, systems, access, and disposition.

Need tips for tackling email preservation? Check out this post: Click To Tweet

POLICIES

Successful records management of any type of record begins with and is determined by the policies that govern the organization. Policies must be thorough, well-documented, and well-communicated to the team members within the organization. Policies will generally be decided by organization leadership based on regulations, mission, need, and any other relevant statutes.

These are the “marching orders” that are delivered to the records managers and personnel in the organization. The policies outline individual and organizational records management responsibilities, how training personnel will be accomplished, the processes and methods that will be used to meet the mandate, and other considerations based on the mission and operational posture of the agency or department.

From the NARA Memo:

“What Success Looks Like: Your agency’s policies and training programs explain staff responsibilities for managing email records. The policies and training should instruct staff how to distinguish between permanent, temporary, transitory, and non-record email messages and how to appropriately handle email messages containing classified national security information and those created on nonofficial or personal electronic messaging accounts.”

How can your team determine if your organization’s records policies will help you meet NARA’s M-12-18 mandate? Thankfully, NARA has provided a series of questions that will help you evaluate your policies as you work towards compliance:

  1. Has your agency developed, disseminated, and implemented an approved email management policy throughout the agency?
  2. Who are the relevant stakeholders involved in the policy creation process in your agency (for example, a CIO, records management team, IT, or General Counsel)?
  3. Does your agency have a NARA-approved disposition schedule in place that applies to emails that are federal records?
  4. Does your agency have policies and procedures in place to access email in response to all information requests?
  5. Does your agency have policies and procedures in place to protect against unintended loss?
  6. Does your agency perform periodic reviews of records management policies with all relevant stakeholders?
  7. Does your agency perform periodic audits to make sure employees are in compliance with records management laws, regulations, and policies?
  8. Does your agency have the policies, technological means, and procedures to place legal holds on email records or accounts?
  9. Does your agency have policies in place regarding the use of personal or nonofficial email accounts?
  10. Have you trained all account holders on the requirement to copy or forward to official accounts federal records created, received, or transmitted in personal or non-official email accounts?
  11. Does your agency comply with the requirements for managing security classified information in email accounts and systems?

SYSTEMS

Almost all federal organizations are going to have some existing email system; Microsoft Exchange on-prem, Lotus Notes, Gmail, Microsoft Exchange Online, etc. Many of these emails systems include support for preservation of email as records. Others provide access to the records contained but perform either limited or no records management functions. Still other systems that may be in use have no provision for either exporting or managing records. Systems need to be able to accept email records with attachments, store them, index them for search, and maintain a defensible record of disposition.

This is where federal departments and agencies are turning to the IT and Records industry for assistance. Various products are available that plug the “records gaps” left in enterprise-scale email systems and services.

For example, AvePoint Records is laser-focused on helping federal customers meet the NARA mandate as seamlessly as possible, turning policies federal customers create into technical specifications for automated records management throughout the enterprise. Centralized records rules and term management, delegation of file plan management, granularity, and inheritance simplify the process of records management from creation to final disposition.

From the NARA Memo:

“What Success Looks Like: Your agency’s systems and business processes support the management of email records in accordance with all applicable requirements including the manual or automatic execution of their disposition whether using a Capstone-based or content-based record schedule.”

Federal organizations need to consider the following questions NARA has provided to evaluate how their existing and planned IT systems help them meet the M-12-18 mandate:

  1. What systems does your agency use to store and manage email messages?
  2. Who in your agency has the ultimate responsibility for the systems that manage email, how email is accessed, and how disposition is carried out?
  3. Does your agency manage email outside of the originating system in a dedicated records management system?
  4. Does your agency’s email system maintain the content, context, and structure of the records?
  5. Can your agency associate email records with the creator, their role, and their agency?
  6. Does your system retain the components of email messages identified in RFC 5322 including labels that identify each part of the header, the message content, and any attachments?
  7. Are departing employees’ email records preserved in accordance with NARA approved disposition schedules?
  8. If your agency’s email system supports the use of codes or nicknames, or identifies addresses only by the name of a distribution list, can you provide the intelligent or full names of the sender and addressee(s) with the transfer-level documentation?
  9. Can email be migrated from one system to another or to an email archiving application to ensure consistent access?
  10. Does your agency use email systems to transmit classified information?

ACCESS

Success is not merely contingent on making sure emails are not deleted. NARA includes the ability to search, read, reproduce, copy, and transmit these records within their success criteria. Records are preserved for the express purpose of being able to retrieve them. Federal customers need to ensure that their repository is properly indexed and searchable when planning it out. This will allow for the fulfillment of FOIA requests, research, historical accuracy, and use during litigation. Without the ability to access the record, the record might as well not exist.

From the NARA memo:

“What Success Looks Like: Your agency’s email records are maintained in a system that preserves their content, context, and structure, protects against their unauthorized loss or destruction, and ensures that they remain discoverable, retrievable, and usable for the period specified in their retention schedule.”

Oftentimes federal records managers feel “access” is the hardest problem to define. To them, this is an IT problem, not a records problem. IT is a stakeholder, but records managers have a responsibility to inform IT of how records access differs from “live” document access. NARA has provided a list of questions to help records managers as they work with IT:

  1. Can your agency use, retrieve, and interpret email records throughout the entire NARA-approved retention period?
  2. Is your agency able to access email from current and departed employees?
  3. If your agency uses a digital signature or encryption technology, is email usable and retrievable across the lifecycle?
  4. If emails are stored on local or removable media, are they retrieved and searched when responding to an information request?
  5. Is your agency able to perform a federated search across multiple email accounts or multiple systems to find emails needed for agency business?
  6. Is your agency able to prevent unauthorized access, modification, or destruction of email records?

Blog Post: 4 Essential Cloud Records Management Tips for New Users


DISPOSITION

The “schedule” (or file plan) defines when the record is to be sent to NARA, destroyed, or is otherwise no longer required to be under the custody of the federal organization that created it. NARA is currently in the process of creating a portal for federal organizations to transfer records to electronically. Until that is available, records need to be converted, packaged, and then transmitted to NARA via a “manual” process. There are options for automation, but until the NARA portal is completed there will almost always need to be a human actor in the loop.

This schedule will identify the nature of the record, the period it is to remain a “live” document, when it is to be archived, and when it is to be finally disposed of or transmitted to NARA for permanent preservation.

From the NARA memo:

“What Success Looks Like: Your agency has identified appropriate retention periods for email records and implemented systems and policies to support the disposition as specified in an approved records schedule.”

Once again, NARA has provided a very handy list of questions to help records managers as they work to meet the M-12-18 mandate:

  1. Does your agency have NARA-approved disposition schedules in place that identify the systems where federal email records are held?
  2. Has your agency analyzed existing disposition schedules to determine if they apply to email records? Have you identified gaps in the disposition schedules?
  3. Has your agency established procedures to associate email records with projects or case files?
  4. Has your agency developed training to inform employees of their responsibilities for managing records in email accounts in accordance with approved disposition authorities?
  5. Can your agency transfer permanent email records to the National Archives of the United States in accordance with approved records schedules and applicable laws, regulations, and NARA transfer guidance?

“Permanent Preservation” – Old Concept, New Solutions

In the Records Management and archivist context, “permanent preservation” is jargon that originally referred to the process of treating a physical object that needs to be preserved for posterity. Preserving a physical object includes processes like cleaning, sealing, mounting, and other activities that make the object available but provide protection to prevent it from degrading. Even though the concept originally arose regarding physical objects, it also applies well to electronic records.

When referring to electronic artifacts such as email and attachments, preservation includes conversion to formats that will ensure availability, searchability, and readability, as wells as (and a separate concern from) storage in high-availability, hardened, redundant systems.

In its “Format Guidance for the Transfer of Permanent Electronic Records” bulletin, NARA provided additional guidance about which formats to use and other concerns around how to package emails for permanent preservation. The general guidance NARA provides for email is as follows:

  • “Transfers of email records must consist of an identifiable, organized body of records (not necessarily a traditional series);
  • Email messages should include delimiters that indicate the beginning and end of each message and the beginning and end of each attachment (if any). Each attachment must be differentiated from the body of the message, and uniquely identified;
  • Email messages transferred as XML files must be accompanied by any associated document type definitions (DTDs), schemas, and/or data dictionaries;
  • Labels to identify each part of the message (Date, To [all recipients, including cc: and bc: copies], From, Subject, Body, and Attachment) including transmission and receipt information (Time Sent, Time Opened, Message Size, File Name, and similar information, if available). To ensure identification of the sender and addressee(s), agencies that use an email system that identifies users by codes or nicknames, or identifies addressees only by the name of a distribution list should include information with the transfer-level documentation; and
  • Email converted to formats not natively used by the email program, and which do not maintain header information (such as RTF or Word documents) are not accepted. Printouts of emails are also not accepted under this Bulletin.”

Emails and their attachments can be stored in a variety of proprietary systems and must be converted to a more universally defined and accepted format for permanent preservation. NARA has designated specific formats as “sustainable,” stating “Sustainability, as it relates to electronic file formats, is the suitability of a format to preserve encoded information over time. Factors that contribute to a format’s sustainability include the availability and completeness of documentation and the availability of applications that can interpret it.”

The formats chosen by NARA were chosen specifically because they are open, universal, and technology agnostic. Note that NARA specifically states that “printing to a Word document” and other methods of conversion to non-email formats will NOT be accepted. NARA provides a list of “preferred” and “accepted” formats for both individual emails and aggregated packages of emails as Appendix A to the 2014-04 bulletin.

Depending on the source system and the record involved, further steps than exporting and conversion to an acceptable format may be required. Metadata tagging, identification and possible redaction of sensitive information, format stripping and font normalization, encryption or decryption, and deactivation of DRM are all examples of actions that may need to be taken on email records before transferring them to NARA.

Some of these actions can be automated, and in an organization with a robust records management culture, metadata tagging and identification, redaction of sensitive information, and records disposition will all be part of the comprehensive overall records management and information governance policies. Technical enforcement of these policies with software tools automating as much as possible prevents delays, eases workloads, and ultimately ensures more accurate and compliant records management.

When first considering how to meet the M-12-18 mandate, records managers may feel that the problem is too big to solve. However, NARA provides all the guidance a records manager needs to direct their organization in the transformation to digital records management with automation, ease of use, and better security and compliance.

Need some help putting these guidelines into motion? AvePoint provides the tools and expertise to help.


Want more records management tips from industry pros? Subscribe to our blog!

Share this blog

Subscribe to our blog