A question that we often hear is, "What should the retention policy be for my email?" Our response is always the same: “It depends.” There is no one-size-fits-all solution for how long an organization should retain its email because every organization is different, even though email is structurally the same. Generally, though, email is a transitory medium used to facilitate the communication of information, and email should be retained only as long as most information tends to hold immediate and temporary value. If the value is expected to be more long term, the information usually should not be stored in email.
Can that information be stored outside of email?
When the answer is yes, we advise using other applications and processes to retain that information. When the answer is no, we advise creating duplicate copies and/or segregating the original email, depending on the need.
How should email be addressed in records retention policies?
From a technological standpoint, email is semi-structured data. Email will generally have fields for To:, From:, CC:, Subject, and Body, and can be searched using those criteria. From a metaphorical standpoint, email is the envelope around a letter. Keeping all of your envelopes, in addition to their contents, would create a mess; so it is with email. Just as envelopes do not affect the import of the papers inside, nothing about email itself makes it especially deserving of retention. The messages contained in emails may trigger retention requirements, but it depends on what they contain. One question we don't hear is, "How long should I retain my PowerPoint presentations?" because that's obvious - the retention schedule should match the business, legal, or regulatory requirements. Similarly, if you receive an email receipt that contains tax related information, which in turn isn't accessible anywhere else, the IRS requires that email be retained for a specified period, likely at least seven years. Nothing about the fact that email might be the medium to communicate a presentation or a receipt changes how those files should be treated. If the same document had come in as a fax, a paper document, or a PDF synced to a cloud account, the content itself would be the same and as such, the length of time it needs to be held should reflect that. Keeping documents for less time than that runs the risks of interfering in business efficiency, spoliation of evidence, or violating legal or compliance requirements. Holding on to documents for longer than is required risks the opposite: exposing you organization to unnecessary liability.
Emails that contain information that should be kept outside of email
Emails that employees consider important have value as either a reference or precedent; they contain facts that might be needed later, or they are documents that may be reused as a template to create similar documents later. When the information desired to be retained is an attachment file, users should be trained to store just the attachment file, without the email, in a manner that will subject the document to a retention and deletion process similar to other business documents. When the information desired to be retained is information in the text of the email, rather than an attachment, we assume that the information is transitory; in other words, it has immediate but temporary value that will diminish by the time it is eligible for deletion based on the email policy. If the user believes that the value of this piece of information will extend beyond the email retention period, a process should exist to record that information for future reference. The appropriate period before email deletion, and the process and technologies employed to store valuable information, depend on the nature of the organization, the content of information most likely to be needed, and the frequency that this is expected to occur.
Emails that contain information that should be kept as email
Sometimes, the email itself is important: based on a business need to keep evidence of a communication or because the law requires retention of the email itself. In these cases, the sender, recipient, time, date, and text of the email are all important to the record. Emails may be evidence of a communication that should be kept. For example, a company may regularly use email to communicate the offers and acceptance of contracts for orders with clients. The emails themselves are the record evidencing the transaction, as opposed to a formal contract. These types of documents, including those in a sent mail folder should themselves be retained. However, they should be isolated by moving them into a separate mail folder or copying them to another location. In addition, it may be worthwhile considering whether this business practice should be replaced with a different method of documenting its order history. In addition, some emails must be kept under certain legal rules and/or as part of an internal compliance program. Legal requirements are specific to different industries, types of organizations, and even by country. Internal compliance programs should be specifically tailored to the needs of each organization. When an email pertains to anticipated or ongoing litigation, it must be retained for the duration of a legal hold. In this instance, as with other records in the company, the legal hold policy should supersede the records retention policy.
Although data stakeholders’ kneejerk reaction to email deletion is, “I need those!”, the vast majority of emails are of limited value for a limited period of time. Most email is transitory and routine, not to mention spam, mass email blasts, or routine announcements. These emails can be classified together as a single category in your retention policy. The time retained should reflect how long the information in transitory communications tends to have significant value. This will vary from organization to organization. In some cases, it may even vary widely from department to department within an organization, in which case different retention times may be assigned accordingly.
But really, how long should I keep them?
Ok, we knew you were going to ask that again. Now that we’ve explained why our real answer is “it depends,” we will give you some idea of general practices. We find that retention periods for emails tend to vary from 60 days to two years. However, some small portion of emails will qualify for longer retention periods as business records under other parts of your retention policy, as described above. Business records should be carefully and narrowly defined so they are limited only to what really needs to be retained.
About Jonathan Swerdloff