Library and Archives Canada

Email Management Guidelines

4. Institutions must ensure that the use of email supports performance of work that is consistent with their business goals and objectives

Email should be used for appropriate purposes and typically not for sensitive, protected or secret information. System logs can track the use of email and provide reports that help to determine the overall, as well as the individual, level of compliance with approved policies and procedures. Email is now one of the most common forms of evidence required by courts, so institutions should be prepared, at all times, to disclose email evidence in electronic form. Email management must aim to provide users with timely and convenient access to information in email records, in accordance with legal and policy obligations. It may be helpful to use actual incidents or to devise "drills" to exercise and analyse the organization's ability to reliably and cost-effectively produce email evidence for courts, audit proceedings or ATIP requests.

Expected Outcome

In any given federal government institution, the following benchmarks will have been achieved:

  • Users will be provided with and know how to avail themselves of timely and convenient access to information which they are authorized to see and/or use.
  • Actual incidents requiring access to specific email records for legal discovery, audit or ATIP proceedings will be monitored and analyzed on a regular basis to establish performance metrics, assess risk and identify improvements to email management processes.
  • Artificial "discovery drills" will be devised and executed on occasion to provide controlled diagnostic tests of the ability to locate and produce email records.
  • Lessons learned will be appropriately shared and put into practice.

4.1. Do not use email for sensitive, personal, protected or secret information except for authorized business purposes, and only with approved security measures

Avoid the use of email for sending confidential, sensitive, protected or secret information, except where there is a specific business requirement to do so and where specialized secure systems or encryption are available. In that case, users must follow government and institutional security policy and guidelines (see also 5.1.5).

Party or Parties Responsible for Implementing and/or Applying the Recommendation:

  • Users

4.2. Use system logs to create an audit trail and monitor compliance

System logs should be used to track and create a record (audit trail) of all actions taken on email records or information in an email system or other file storage repository.

Party or Parties Responsible for Implementing and/or Applying the Recommendation:

  • Network or System Administrators
  • Information Management Specialists

4.3. Display names in headers and email addresses

The header of an email message should display the name of the author (From) and the addressee (To) in accordance with the GC metadata standard.

Party or Parties Responsible for Implementing and/or Applying the Recommendation:

  • Network or System Administrators

4.4. Be prepared to disclose email evidence in electronic form

Email storage and filing systems, including online and near-line, whether short-term or archival, should enable researchers to rapidly identify, disclose and produce relevant email messages, along with metadata and attachments, for legal proceedings, audit purposes or ATIP requests. To facilitate efficient retrieval for disclosure, email records should be filed according to an approved institutional classification system (also see Guideline 3 and related recommendations).

Party or Parties Responsible for Implementing and/or Applying the Recommendation:

  • Network or System Administrators
  • Information Management Specialists

4.5. Monitor performance of discovery and disposition activities

In accordance with the Treasury Board Policy on Information Management and other related Treasury Board policies including the Active Monitoring Policy, the Evaluation Policy and the Policy on Internal Audit, institutions should monitor the effectiveness of their performance in activities related to discovery and disposition.

Periodic "drills" (which may be actual incidents or specially designed simulations) should be used as opportunities to develop and assess performance measurements and evaluate the efficiency and effectiveness of discovery and disposition procedures.

Results observed during these drills should be shared and analyzed in the form of lessons learned that should be known by and accessible to any individual involved in discovery or disposition, or in the evaluation and improvement of information management practices in the institution.

Party or Parties Responsible for Implementing and/or Applying the Recommendation:

  • Network or System Administrators
  • Information Management Specialists
  • Operational Managers
