Q. Why don’t elephants use email? A. They prefer to make trunk calls.
There are really three main aspects of email which get us all thinking:
1. Its use (eg etiquette)
2. Its security
3. It’s management
Today, I’m going to concentrate most on number 3, but will inevitably also touch on aspects of 1 and 2.
I don’t’ intend this talk to be a step by step guide to managing email, as I’m sure you all know the theory already – all the stuff about clearing your in-boxes on a weekly basis, giving yourself time for reflection before hitting the ‘send’ button, deciding whether to store things on- or off- line, and so on. However, if you do need this sort of information – for instance, if you are going to have to give training in your own organisations – I would be happy to send you the text of a talk I gave along those lines a year or so ago.
Instead, what I’m going to try to cover this afternoon are:
- the main areas you need to cover when advising your colleagues about email
management, or when trying to persuade them that email should be managed,
- what structures you need in place to manage email successfully, and
- techniques others have used to achieve staff compliance.
A few statistics often help to make people sit up and take notice. We all know how email has proliferated in the last 5 years or so, but do you have figures to quantify this?:
· 1995 101 billion emails sent
· 2000 2.6 trillion emails sent
A 26-fold increase in only 5 years!
One (Ferris Research Inc http://www.ferris.com/) source states that the average office worker sends about 15 emails a day and receives about 20 (I think this is rather low). These volumes are expected to grow by 60% and 80% respectively over the next year. And if you are on listserves or don’t have a system which filters out SPAM, you are probably receiving far more than this. We can probably look forward to plenty more headlines like this one, from the January 6 edition of the Observer:
and therefore easy to get hold of.
And, of course, those 15 or 20 emails can proliferate very easily:
Just a single email could be held by:
‚ you …
‚ anyone who sent it to you …
‚‚ ‚anyone you sent it to…
‚‚‚‚anyone it was originally copied to…
‚‚‚‚‚‚‚..anyone to whom any of the above forwarded it
And on top of this, all these people might have this one email stored in more than one place:
· an email folder
· a personal drive
· a drive shared with colleagues?
· What about the servers the email has passed through to reach you? A copy of it will be stored on every one of these.
· And then there are the backup tapes made from each server (usually weekly) which will keep copying that email over and over again until it is removed from the server.
If your office policy is to print out important messages and file them, this is another copy. And how many of us make sure that all electronic copies have been deleted once the hard copy has been filed?
So, we can show how the use of email has exploded over the last 5 years, and how storage can get out of hand, but do our managers realise quite how dramatically the use of email has changed over the same period?
Only a couple of years ago, email was still mainly used for informal communications (‘how about lunch’, ‘are you free for a meeting tomorrow’ etc), but another recent study has estimated that 52% - over half - of all business-critical information is now stored within messaging systems
So what are the main dangers of allowing email to proliferate in this way?
The main principle to bear in mind when talking about email management is, of course, that email is just another medium on which business records can be stored and therefore, all the dangers inherent in bad records management generally, apply to email as well.
As I’ve said, we are now faced with a situation where there are huge numbers of emails whizzing around, a significant proportion of which contain important business information. Without procedures in place to manage this avalanche of data, this vital business information can easily be lost, and staff time wasted in searching for it can cost a business dear.
In addition to this, the storage space these emails take up on computer systems can clog them up and slow them down, even causing entire systems to crash.
So how do you respond to a boss who says “No problem – we’ll just store everything off-line and use a free-text search engine – then still we’ll be able to find it all!”
Well – for a start, free-text searches are unlikely to find every relevant message, and are likely to find lots of rubbish. Just think of the amount of junk that any search on the internet returns even with very specific search terms. Would your organisation want its employees ploughing though reams of irrelevant data in search of on single message?
And the consequences of such a system can even be more far-reaching than this:
And secondly, would you really want to be able to find it all emails ever sent or received? Some of them might contravene legislation or land your organisation in serious trouble:
Lots of existing legislation impinges on email – for example, the Obscene Publications Act, Data Protection, libel and copyright laws. I’d like now to cover the broad legal issues that you and your senior management need to be aware of:
· During a legal case, lawyers can obtain a court order allowing them to “discover” any documents held by the opposing side which are be relevant to the case. Documents affected can be in any format, including email.
· Discovery is very big in the US, and as the UK always seems to follow its American cousins, it’s probably heading for these shores as well, although thankfully, it has not yet really taken hold here.
· But even if your organisation is not in particular danger of being taken to court, you also have to take public relations and the embarrassment factor which things like ‘leaks’ to the press might cause:
LEGAL ADMISSIBILITY OF ELECTRONIC RECORDS
But just as you don’t want the wrong emails to end up being used in court, there might be others which could actually help your organisation win a case.
In this case, you need to be able to prove to the court’s satisfaction that the emails have not been tampered with in any way. And the same goes for any other type of electronic record which you may wish to produce in a court of law.
You can provide this proof by creating a clear “audit trail” for electronic records, which records everything done to them. Guidelines for doing this are set out in various publications issued by the British Standards Institute and DISC (listed on slide):
EMPLOYER – EMPLOYEE RELATIONS
•Emails are like postcards – not secure at all.
• Many organisations monitor employees email and under the new Human Rights Act, they are obliged to tell their employees if they do this.
• Some do not allow personal use of emails, but even if your organisation allows limited use of email for personal messages, this doesn’t give employees carte blanche. They can still be in trouble if they send or receive inappropriate material, or if they abuse the facility. Think about what you write before you put fingers to keyboard.
•The Data Protection Act also has implications for the use of personal data in employer/employee relationships and the Office of the Information Commissioner has issued draft guidelines on this, which contains clauses about the monitoring of email.
•There is also work being done on BSI “code of practice guidelines” for e-mail.
1. DATA PROTECTION
· On top of this, email is also subject to the wider provisions of the Data Protection Act, so any email containing personal data must be treated in the same way as all other records containing personal data.
· As one of the main principles of the Data Protection Act is that personal information should not be stored any longer than necessary this means that organisations must have procedures in place to ensure that email is regularly reviewed, assessed and disposed of correctly.
But even if the personal data your emails contain is innocuous, could you find it easily at the moment, or would your organisation have to spend significant time and resources searching it out if an individual requested it?
· Another of the principles states that information should be kept secure and that “appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data." Keeping such data on email – a notoriously insecure medium is therefore a bad idea.
· Also, remember that another principle of the Data Protection Act is that "Personal data shall not be transferred to a country or territory outside the European Economic Area, unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data." So even if you are happy that you can encrypt email to keep it secure, you need to think about what might happen to it at the other end.
· More than that, however, the very act of transferring of data itself is a process, and under the Act a transfer can mean sharing of information within an office. So for example, if personal data has been collected for the administration the council tax process, the council tax department of the local authority cannot transfer that information to the housing department so that they can conduct a marketing initiative, as that is not the purpose for which the data was collected.
It’s so easy just to dash off an email without thinking or send an attachment containing personal information, so it is vital that all staff understand their responsibilities under this Act.
And while I think of it - there is also technology out there which allows anyone sending you an email to follow their message through your system. It can see who you forward it to and any comments you write about it. Basically, it bugs your email in the same way that a wiretap would bug your telephone. It is known as the "Reaper exploit" or simply "Email Wiretap". It is, of course, illegal – but when did that ever stop hackers?
“So”, your bosses might say, swinging wildly from their earlier suggestion of keeping everything, “why not avoid all this potential hassle by just deleting everything at regular intervals ?” Apart, of course, from the fact that you are increasingly likely to be deleting information vital to your organisation, there are two main reasons –
First - as you probably know deleting a message doesn’t necessarily mean that it no longer exists. The “delete” button on your computer does not remove the message, just takes away the “signpost” the computer uses to locate it. The computer then knows that it can overwrite this area to store other information. However, there is no way of telling when it will be overwritten and at least until then, IT experts will still be able to get hold of the original message.
And second -
FREEDOM OF INFORMATION LEGISLATION
· The Freedom of Information (Scotland) bill is currently before the Scottish Parliament and is likely to be passed later this year. The new legislation will entitle people to request access to many different types of information, some of which could be held on email.
· Like the existing UK FoI Act, the Scottish bill provides for the appointment of an Information Commissioner, who will start asking awkward questions if information cannot be found.
· FoI will also oblige organisations to reply to requests within a certain number of days – so efficient retrieval of all information will be a must.
· The FoI (Scotland) Act will be accompanied by a Code of Practice on the Management of Records which will apply to all records, in whatever medium – including email. A draft of this code is due to go before the Justice Committee in February, when the Bill reaches Stage 2 of its passage through Parliament.
· All this means that you need to have clear written retention and disposal schedules in place for all your records, including emails, setting out what types of information can be destroyed and when. This will allow you to defend the destruction of information in the normal course of business, if it is asked for later.
· BUT, please note that it is likely to be an offence to destroy information after it has been asked for, even if it is down for destruction on an approved records schedule. In such cases, routine destruction procedures have to be suspended.
So, as you can see, there are several factors which need to be considered when considering email management – legal, privacy, and employee-employer issues have to be considered as well as storage, reviewing and information management ones.
There is now a general recognition at all levels both regulatory and legally that the use of e-mail needs prescription.
In a recent article, Martin Waldron of In-Form Systems summed all these factors up in a useful diagram and suggested that there are basically four legs to corporate email management and that only addressing two or three of these will fail to provide effective control that recognises email’s growing role in all aspects of business activity:
- Regulatory /records management – to cover the legal and regulatory aspects relating to the email as records
- Security/privacy – to cover legislation and corporate policies on information and computer security, and personal privacy, and to cover employee-employer relations
- Information/knowledge management – to integrate it with the wider knowledge and information management policies or needs of the organisations.
- Archive – to cover what is kept and for how long, where it is stored, etc.
So these are the things which email management needs to cover. But how can that management be achieved successfully. I think the main things you need to have in place are:
A policy/policies – Email can’t be managed in isolation – it is just another type of record and must be integrated with any overall records management, data protection, (and soon FoI) policies the organisation has. It also needs to take into consideration any policies on staff management and IT security.
I would suggest that the rules governing the physical management of emails should be part of an overall records management policy rather than a separate document, and that the ‘Email policy’ should refer to this but concentrate on matters which are not covered fully enough elsewhere – namely the staff use of email.
Mainly to protect your organisation from legal action:
Firstly, such an email policy makes your staff aware of the corporate rules and guidelines, which if followed will protect your organisation.
Secondly, it can help stop any misconduct at an early stage by asking employees to come forward as soon as they receive an offensive email, for example.
Thirdly, if an incident does occur, an email policy can minimize the company’s liability for the employee’s actions by providing proof that what they did was against company policy.
Finally, if your organisation monitors the contents of its employee’s emails, it is essential to have an email policy that states the possibility of such monitoring. If an organisation does not have one, it could be liable for prosecution for privacy infringement.
The policy or policies must then be backed up by more user-friendly guidance and training on the various aspects of email management.
And that all of these tools should be regularly reviewed.
Lets look at these in a bit more detail:
Whether you decide to incorporate the management of email into a wider records management policy and issue separate documents to cover other aspects of its use, or whether you decide to incorporate all issues covering email into one document, the general consensus is that policies should always be:
· Brief – setting out the main intentions of the organisation but not going into great
detail. Long policies don’t get read.
· Cross-referenced to any related policies or guidelines
· Issued and endorsed by senior management. This is doubly true in the case of
records management policies, as the new International Standard on Records
Management (ISO 15489) says that RM policies ‘should be adopted and endorsed at
the highest decision-making level’ .
It may sound like text-book speak, but everyone I have spoken to who has tried to
implement a policy – on email, records management , data protection or anything –
has always said that there was no hope of it working unless top management was
behind it all the way. I am aware, however that getting top management on your side
is not always easy – maybe that’s a candidate for a future Society training course!!
It might also be a good idea to try to involve not only senior management , but IT, personnel and legal staff when compiling the policy. Not only will this mean you get the best advice on these specialised issues, but it will mean a larger number of people have a stake in the success of the policy.
Policies concerning the records management aspects of email should also include:
· a definition of an official record – this should be the same for records in any media.
· Bearing in mind that several copies of the same email can exist, it should indicate
which copy is the one which should filed.
· Identify roles and responsibilities for end users, managers, technical staff, records
managers, and support staff.
Be aware that you might not need to create a policy from scratch. Numerous sources outline the components of a successful management strategy for e-mail, and I have put some examples of model policies on the information sheet which accompanies this talk.
As I’ve said, I don’t think detailed guidelines on the management, use or etiquette of email should be incorporated into overall email policies, as they clutter them up and put people off reading them. I favour issuing them as completely separate documents, as you then have scope to use a more relaxed style to make them more user-friendly, and you will also be able to update them more easily and frequently.
Advice from those who have implemented such guidelines is to keep them light. As with policy documents, guidelines should also be regularly reviewed and updated, to take into account new developments (eg the advent of FoI)
Guidelines should be drawn up alerting staff to the legislation governing their use of records, including email, their responsibilities under this legislation, and where they can get help if needed. For example, give contact details for the organisation’s archives/RM section, its Data Protection officer, security officer, etc.
These guidelines should be underpinned by a staff management policy which includes clear statements to ensure that staff are aware of what the organisation has the right to do (in terms of monitoring mail etc) and what they themselves are and are not allowed to do with email.
Things to include:
E-mails typically cover a wide spectrum of importance. Each organisation needs to define its own simple, understandable and effective rules by which all users can understand
· Which of their e-mails (incoming or outgoing) should be treated as official records – ie how to determine the value of a message.
· Where to store their emails (depending on short, medium or long term value)
· In what format to save emails. This depends on what metadata your organisation decides it is vital to keep. Printing emails out, for instance, can loose important information. One organisation instructs its staff to save emails into the .msg format to ensure that metadata and strings are captured.
· What to consider when creating an email
Are there any principles in the organisation’s email or records management
policies which they should bear in mind?
- What about titles – keeping them short, pertinent, relevant and so on.
- How many subjects does your organisation prefer an email to contain – one per
title, to keep filing simple?
- Are there house styles and templates they should be following? What legal issues
should they bear in mind when composing an email?
- Does your organisation prefer to limit the size of emails to a few lines and put
anything more complicated into attachments? Or does it not allow attachments at
all because the system can’t cope with them?
…and so on
· The guidelines should also indicate what staff need to consider when replying to, or forwarding an email:
- Again, the title – but this time – is it still valid, or, if the message has been to
several people already, and the original subject has changed, should it be modified
before the message is passed on? Or alternatively, will the original title mean much
to the person you are sending it on to? If not, it would be better to change it to
something they will understand (eg change ‘BS15489’ to ‘New Records
Management Standard Issued’ if sending it to a non-archivist or Records Manager
- Do you have procedures covering message strings? If so, the guidelines should
cover what these are – does your organisation wish to preserve message strings
for metadata purposes or does it prefer staff to create a new message for each
reply in order to avoid creating long, cumbersome emails?
- And who really needs to receive the forwarded message – staff should be
encouraged not to clutter up their colleagues’ inboxes with information they don’t
really need, just because they can!
Training will be needed in order to reinforce the written guidelines your organisation issues – many people take more in face to face than from the written word.
All new staff should receive induction training on records management, including the management of email. It is hoped that the Code of Practice on Records Management under FoI will, like the one south of the border, place importance on staff awareness training. The training should introduce the organisation’s policies on email, explain why they are important, and cover any guidelines – where to get hold of them and how they can help people’s work .
Existing staff will also need to be trained in any changes to procedure and regular updates are probably a good idea to stop them developing bad habits or becoming too complacent.
You may experience resistance from existing staff who think they already know all about email. If you cannot make training compulsory, then you may need to persuade people to come along by offering incentives – for example, including an opportunity to learn new shortcuts and calling it something like “email – how to halve the time you spend on it”.
The Water Corporation of Western Australia found that making separate presentations to Senior Management was effective in gaining their understanding of the issues and getting them on board before rolling training out to other layers of management.
Use your intranet site, if you have one – both the Scottish Executive and the Scottish Parliament have sections on theirs which cover Email best practice, including dos and don’ts on housekeeping, what to do when you are away, creating messages, sending them, and handling received mail.
Use posters, changed at intervals so that people don’t simply stop seeing them after a while. But don’t overdo it, as a plethora of notices are as bad as none at all – they don’t catch the eye and people don’t bother to read any of them.
And I noticed last time I was visiting them that they had a new drive on encouraging people to ‘spring cleaning‘ in boxes.
When it comes to guidance, similar techniques can be used as with training sessions - Draw people in by including things like shortcuts and easier ways of doing things, either in the guidance or in separate ‘hints and tips sheets’ – they will be far more inclined to read and follow the rest of the guidelines if they see them as helping their day to day work rather than as just another set of rules issued from on high.
And if this helpful information comes from their friendly neighbourhood archivist or records manager, and your contact details are readily available, they may be more inclined to come to you for help on other record-related matters in future. So it could also work to your advantage as good PR.
Make the guidelines specific to whichever email system you use – and update them immediately if this changes.
Give examples in the guidelines so that people can relate to them more easily. For instance, which of these two ways of presenting the same information would you say was more helpful? – eg examples of emails which are ephemera, ones which should be preserved as records, examples of good email subject titles, and of bad ones.
People don’t have the time to puzzle over things which are difficult to comprehend, so make them as obvious as possible.
By the same token, avoid professional jargon. I find it useful to get a colleague who is not a records specialist to proof read and test out guidance before it is issued.
Now I just want to say a little bit about automatic email ‘archiving’ or ‘management’ systems. There are three main types around:
1. Security/privacy management systems which use headers and message content to determine whether a message is virus-free, junk mail, offensive, or other unwanted information.
2. Simple storage management systems which scoop up all messages and move older ones to off-line or near-line storage, with little regard to the content of the message. Some of these have an automatic delete facility which deletes all messages over a certain age.
3. Electronic Document Management (EDM) or Electronic Records Management (ERM) systems which are capable of dealing with email as well as other electronic records. Many of these are closely integrated with mainstream email systems like Outlook and Lotus, and incorporate facilities for the user to register and file emails. The more sophisticated ones can also include a requirement on the user to classify the contents of the message and attachments so that they also become an integral part of the company’s knowledge management strategy.
The first two types may well already have a place in your overall IT and records management strategies and are more affordable than the third.
EDRM systems are, of course, designed to manage more than just email and to buy one just for this would be folly, as they are alarmingly expensive. They are also not records management systems in themselves, but simply software packages which enable you to operate a system electronically – you still have to design that system in the first place. They are therefore only as good as the records management system they overlay, so organisations need to have done a great deal of spade work both in deciding what they want such a system to do, and in getting their current records management practices to a point where they are working well manually, before even considering such a purchase.
As you will know, the PRO have done a lot of work in this area and I would recommend that you look at their functional requirements for ERM systems in detail if you are considering purchasing such a system. They have also tested various products against these requirements and a list of those which have passed the test is available on their website. But be aware that the products vary and some may be more suitable for your particular circumstances than others.
It is also, of course, a good idea to speak to other organisations which have implemented ERM systems to find out what the pros and cons of various systems are, whether they would do things differently if given a second chance etc . There are not that many fully functioning ERM systems in UK organisations, but quite a few Australian organisations have something along these lines, so if you can’t persuade your organisation to send you on a fact-finding mission to Oz you might at least get some help from the various list serves which exist.
And that brings me on to learning from the experience of others more generally
As a plane ticket to Australia was unfortunately unforthcoming from my own employers, I asked the members of the Australian records management list serve for their experience of email management.
Of those using automatic systems, one message came back loud and clear – the biggest elephant trap of all is made of people. No system is truly automatic: however good it is, it still relies on people capturing the correct stuff in the first place, and you can’t rely on this working 100% in ANY system.
However, ways to minimise the problem include making it as easy to use as possible –
many people, and again, this is especially true of senior managers, do not do their own paper filing, and a system which requires every single individual to make a decision about where to place something in the electronic filing system at the point of saving will always encounter some initial resistance. Minimising the extra time it takes to decide where to file something and actually do so will help reduce the number of rebellions you have to deal with, even in a non-automated system.
One national institution recommends using laminated ‘cheat sheets’ so that people have the main points and instructions handy beside their PC.
Others had developed systems based on their current IT capability, rather than buying in full EDRM solutions:
Several places in Australia give all their staff a personal email address, but instruct them not to use this for official communications. Instead, there is a single separate address for the organisation and all official communications should go through that. The records management staff have access to all the emails going through this address, and file those of importance (either electronically or by printing them out).
But everyone using this system who wrote to me acknowledged that there was no way of ensuring that 100% of official correspondence went through the official address and that records management staff therefore had to rely on their colleagues forwarding any official material which came in to their personal addresses.
One city council does not have a separate email address for the organisation, but automatically cc’s all emails to the records management team. The Records Policy Officer says that this has resulted in them receiving most important emails rather than the one or two a day they were forwarded previously. However, he also admits that “this does mean that I spend a significant part of my day sifting through rubbish.” !! I can’t see this being a practical solution in any but the very smallest of organisations, with the tiniest quantity of email traffic.
Another organisation has a partial EDMS system and as a stop-gap, has initiated a project to assist all users to store electronic documents, including email, on work group servers in a directory structure which reflects the keywords in the organisation’s thesaurus. Not only will this help them to manage their electronic records in the meantime, but it should also make migration to a full EDMS system much simpler when it eventually happens. However, this obviously requires you to have a good existing paper-based filing system on which to base the electronic version – not all organisations, for instance, have a thesaurus for their files.
There is also the question of whether you can do anything to reduce the quantity of emails you have to deal with in person. You can sometimes alleviate the burden of email to some extent by using auto-responses. No doubt you have all used the “out of office” facility when you are away from work for a few days, but it is sometimes possible to take this further.
Here’s an example from closer to home – the National Archives of Scotland, in fact! For years, our Reader Services Branch has been struggling with increasing amounts of correspondence and in the last couple of years, a significant amount of this has been arriving by email. Not only did we find that we were getting the same few questions over and over again, but we also found that, when receiving emailed replies, enquirers were more likely to fire off supplementary questions almost as soon as they received our responses, causing our staff even more work.
About a year ago, colleagues developed an ‘auto-response’ system, whereby every single emailed enquiry receives the same standard reply, acknowledging receipt of their email, covering some of the most frequently asked questions, referring people to our website, and indicating that their question will be read by a human being and that an individual reply will be sent if we feel that it has not already been answered by our automatic response or our website. We also indicate that individual replies take about 4 weeks.
We are therefore killing several birds with one stone – acknowledging receipt of communications, supplying an instant reply to a significant proportion of our correspondents, and managing expectations. Since the system was introduced, email correspondence which has to be dealt with by search room staff has dropped by around 8-9% and the practice of firing supplementary questions back immediately has stopped dead.
This afternoon, I’ve tried to cover the main elements necessary for successful email management and provide you with a few ideas on how to get this information across to your managers and colleagues. I’ve given you some ammunition for scaring the hell out of you senior managers, but I’m aware that unrelentingly negative messages are seldom what senior management really wants to hear. So, to put a more positive spin on it, I just want to briefly run through the advantages an organisation can expect to gain from improving its practices?
· Increased efficiency/productivity as it becomes easier to find particular messages. This will also help to improve PR as turnaround times and customer targets are hit more consistently.
“Pity the poor organisation that keeps bajillions of smoking guns just because it can”
· Decreased risk of breaching laws and regulations – we will be less likely to incur financial or other penalties under future FoI legislation, or to receive adverse publicity by being ‘named and shamed’ by the Scottish Information Commissioner.
· And of course, most importantly of all, they have you! The principles of email management are no different to those of wider records management, and they already have a resident expert in this field. So if they use your expertise, they are half way there already – and it will be so much cheaper to use you than to start from scratch in their IT department or with consultants. So make sure they know this!
And finally, another lame joke:
Viking joke on screen, plus your email address
Q. Why don’t Vikings use email A. They prefer to use Norse code.
 Laura Mitchell is a professional archivist who has worked for the National Archives of Scotland for 10 years. She has recently become Head of Government Records Branch that deals, amongst other things, with the issues surrounding electronic records produced by government. Laura states that she “is not an expert on email or on email management, but researched the subject for a presentation given at a 2002 training event for archivists and records managers.” The resultant talk (reproduced here), she says, “is simply a summary of the main issues surrounding email that organisations need to address, together with some suggestions on how they might go about managing it."