Yes, Email Can Be an Official Record

As the State of Ohio begins its 136th General Assembly of the Ohio Legislature, the Ohio Electronic Records Committee would like to remind newly elected State Legislators of our Email Management Online Training Series. Training courses include Email As A Record; Email Clean-Up Strategies; Email Filing and Organization; and Microsoft 365 Outlook Email Management.

In these online courses, one will learn several things including, that “email itself is not a record series but should be retained based on the content of the message.” If the email serves as a record that “documents the organization, functions, policies, decisions, procedures, operations, or other activities of the office,” [ORC 149.011(G)] then it needs to be retained. Examples of records in email format can include: correspondence, personnel documentation, or project working papers. Often emails have attached documents with them. This training series helps one determine what is necessary to keep (email, email and attachment, or just the attachment) for different circumstances.

The amount of email one receives can be quite overwhelming. The Email Clean-Up and Email Filing and Organization training courses are both helpful and informative and can guide one through this difficult process in an efficient manner. Lastly, many governmental bodies, organizations, and businesses are now switching to Microsoft 365 Outlook Email. Steps for applying retention rules for Microsoft 365 Outlook emails are demonstrated using desktop and web applications in the training program, Microsoft 365 Outlook Email Management.

Please take some time to review these very informative courses. Good luck as you begin your endeavor in email management.

Ransomware Can Hold Your Records “Hostage”

In another unfortunate trend for Ohio in 2024, Wood County had experienced a ransomware attack that has prevented them from accessing their electronic records management system. As seen in the article found here, while the attack is not impacting public services, the county is resorting to using pen and paper to record emergency calls as well as preventing them from accessing historical police records.

Just like water or a fire damaging paper records, your electronic records are vulnerable to disasters and disruptions to business like these cyberattacks. There are several things your office should keep in mind:

  1. Understand where your records are on your network as well as who has permission to those files. ARMA International has a great article on defining data maps found here. This will also help identify where your vital records are, those records integral to your business operations and should be recovered quickly.
  2. Have your IT routinely backup your electronic records as well as run updates to system software/antiviruses/network firewalls.
  3. Provide mandatory cybersecurity training to your office staff to educate them on identifying fraudulent requests and the steps to report on them.
  4. Clean up electronic records that have met their applicable records retention schedules and are no longer needed. The less files there are on your network, the less files that could be potentially stolen from your office.
  5. Finally, establish continuity of operations plan (COOP) in place to define the policies and procedures to respond to an emergency or disaster. Have a COOP plan in place will allow a swifter restart of your operations. FEMA has a brief brochure describing a COOP plan found here.

Information Technology Resources for an Informed Retention Schedule  [Keeping Your Retention Schedules Evergreen:  How Your IT Department Can Help You Find the Gaps in Your Retention Schedules]

By: Pari Swift and based on the 2023 presentation Mine the Gaps : Uncovering What You Don’t Know About Your Retention Schedule with Warren Bean, Zasio.

Are you ever shocked when you learn about a new type of record that your organization is maintaining? To uncover records series that may not be covered by your current retention schedules, leverage the work being done by your information technology department. Here are some IT resources that can help you uncover the gaps:

  • Software Procurement – Get involved in this process. As the records manager, you need to understand whether the software can adhere to your retention and disposition requirements. Additionally, being part of this process will inform you of what types of records and information will be put into the system. Often the vendor assessments offer a window into the purpose and function of the system. This will allow you, early in the process, to match those records to your retention schedule, or add a new series if the records are not already covered.
  • Privacy Officer – As part of their role to protect private information, privacy officers often evaluate information keeping systems, paper or electronic, to ensure that privacy laws are being followed and information is protected and secure. They need to know where sensitive data lives within the organization, so they should have a map or documentation that will shed light on potential records not yet covered by your retention schedule. Two of the tools that they use are the Privacy Threshold Analysis and Privacy Impact Analysis. These gather information about the type of information stored in a system, why it is collected, and how it will be used. This same information can shed light on the records that are already covered on a retention schedule and can be valuable in the records analysis process for determining retention.
  • Cyber Security – Similar to the privacy office, cybersecurity needs to know where data lives and what level of protection it needs. Much of the information that they gather about the records and information is the same as what records managers gather when doing a records analysis to describe a record series and determine retention.
  • Enterprise Architects – The purpose of enterprise architecture is to create a map or blueprint of the structure and operations of an organization, which should include a map of IT assets and an outline of business processes. You can use this information to learn more about what business processes exist and what records are created. Compare this information to what is in your retention schedule to learn whether further conversations about adding to or updating their retention schedules are necessary.
  • IT Backup Schedule – Your IT department most likely has a list of information systems as part of its backup process documentation. Are you aware of all the systems listed and what types of records or information they contain? If not, now you can work with the business unit using the system to ensure that the records are covered on your retention schedule.

These information technology resources are a starting point. They won’t give you all the information that you need to fully flesh out and develop a new record series.  You’ll still need to go to the department subject matter experts for that. What they will do is clue you in to what records might not be covered on your retention schedule so that you can reach out to the department to get them added. These resources may also provide some of the basic information that you need to know, thus saving you and the department valuable time by being able to skip ahead to the questions about the records not yet asked.

Use your IT resources to keep your retention schedules evergreen!