Library and Archives Canada
Symbol of the Government of Canada
Skip to content | Skip to institutional links

Common menu bar links

Home > Government

Institutional links

Institutional links

Government

Previous | Table of Contents | Next

Email Management Guidelines - Roadmap

Appendices

Appendix B - Email Management Guidelines Compliance and Implementation Plan

The extent of impact (types of impact or areas of impact)

Improved ability to meet legal requirements

  • Prevent spoliation or loss of records
  • Prevent unnecessary exposure to legal action

Reduce the number of instances of an email message

  • Simplify retrieval of files for legal proceedings, audits, access to information requests
  • Simplify disposition of records by reducing the number of instances of a record

Documentation - storage of documentation

  • Documentation of the systems involved in email management will need to be very detailed (possibly more detailed than is presently the case).
  • Documentation will have to be preserved for the longer term in the event it may be needed to help establish the reliability and integrity of the system (at relevant times) for the purposes of legal proceedings or audits.

Obsolescence

  • There is an obligation that institutions ensure that messages remain readable for the duration of their retention period. This means ensuring that the applications and systems that are capable of reading email must be preserved into the future, or that messages must periodically be migrated to a form readable by newer technology, or that any technology that is acquired has backward compatibility.

User time - managing email

  • A portion of every email user's time will have to be devoted to managing email - and this may well be more than the amount of time that is currently allocated.

Timely disposition

  • Effective and efficient email management will make it easier to locate records and information and permit timely disposition of items that have reached the end of their retention period.

Training

  • New and improved training programs will have to be developed, some of which will broadly target all users. These programs will involve the development of training materials in a variety of media in order to keep the message fresh and allow learners to make use of materials that best suit their learning style. Since business requirements may vary from one institution to another, instruction may have to be customized to some degree. This will require allocation time and effort on the part of training developers, instructors and trainees.
  • Specialized training will be required for executives, information management specialists, systems administrators and operational managers. Training will again involve effort on the part of specialized resources like training designers and instructors and, in addition will require time on the part of the trainees.

Management time (the operational manager)

A portion of a manager's time will have to be allocated to identifying training needs, coaching staff and monitoring compliance.

Storage

  • It will be necessary to save email messages, metadata and attachments that are considered to be official records or information.
  • It will be necessary to set up an infrastructure to store email records and information.
  • It will be necessary to organize the storage to permit efficient and effective retrieval and use of email records and information and to facilitate eventual disposition.

Cost

Managing email involves costs at all levels and in all areas of an institution.

Areas where resource costs may be expected

Human resources

The management of email will require an expenditure of effort on the part of virtually all employees, contractors and other email users in each government institution.

  • Users will be required to invest time in managing their email. They will need to identify email messages that do not constitute government records and delete them. They will be required to exercise judgement in determining how to classify or categorize email messages and will be required to store the messages, metadata and attachments in storage areas designated and approved by management.
  • Network and systems administrators will be required to devote time and effort to the development, operation and maintenance of the technical infrastructure for email management.
  • In addition to their normal duties, operational managers will be required to set time aside to identify the training needs of individual employees on the subject of email management, and ensure that these needs are met. Managers will also be required to monitor employee compliance with Email Management Guidelines and policies and ensure that employees use appropriate classification and storage for email records and information. In addition, managers will be expected to ensure that appropriate retention periods are applied to email messages.
  • Information management specialists may expend effort in devising classification schemes and advising managers as to how to develop a filing system where email messages and attachments must be stored. They may also be required to collaborate with systems administrators in the design of email management infrastructure.
  • Executives will also devote effort to email management. Their role will be to set the strategic direction for email management and guide the development and adoption of email management policy. They will also be required to review and allocate budgets to ensure that sufficient funding is provided for email management programs and systems and to ensure that appropriate email management training is developed and delivered to employees.
  • Training specialists will be required to develop suitable training materials and deliver training programs to support the effective management of email.

Technology

The effective management of email may require the adaptation of existing infrastructure or the development of new infrastructure. This may involve costs related to effort expended in development and maintenance. In addition, specialized software, hardware and storage facilities may be required.

Areas where cost savings or cost avoidance may occur

The payoff in cost avoidance is in legal compliance - where the ability to store, preserve and reliably and efficiently retrieve email records and information may save substantial costs associated with legal discovery, audits or access to information requests. The risk of legal liability may also be reduced through the ability to efficiently and effectively dispose of email records and information on a timely (and sometimes mandatory) basis.

Effective management of email will also have the intangible benefit of providing continuing access to corporate memory - reduce rework and duplication of effort and permit re-use of information.

Scope of application - areas of business or operations affected

Virtually all aspects of business operations in the Government of Canada will be affected.

Acts that require the Guidelines

While the following Acts do not specifically prescribe a particular email management standard, or guideline, they do set out certain legal responsibilities and obligations pertaining to the disclosure (and non-disclosure) and disposition of information, including electronic information. Definitions of electronic information include or may be interpreted to include information contained in email messages, metadata and attachments.

Email information is among the most common types of information required to support legal proceedings, and/or audit proceedings and may also be required to serve access to information requests.

With the exception of financial transactions, there is no duty on the part of institutions of the Government of Canada to document the decision process or actions taken. However, if such records and information are kept, it is the duty of the institution to ensure that they are preserved for an appropriate period of time.

The guidelines herein are conceived to facilitate compliance with the responsibilities and obligations described in the following legislation (see Appendix C for descriptions of the Acts and Internet addresses where they can be found.

  • Access to Information Act
  • Appropriation Acts
  • Auditor General Act
  • Canada Evidence Act
  • Canadian Charter of Rights and Freedoms
  • Canadian Security Intelligence Service Act
  • Copyright Act
  • Crown Liability and Proceedings Act
  • Emergency Preparedness Act
  • Financial Administration Act
  • The Library and Archives Canada Act
  • Official Languages Act
  • Personal Information Protection and Electronic Documents Act
  • Privacy Act and Regulations
  • Public Service Employment Act
  • Security of Information Act
  • Statistics Act

Federal policies that require the Guidelines

Policy on Information Management

The objective of this policy is to achieve efficient and effective information management to support program and service delivery; foster informed decision making; facilitate accountability, transparency, and collaboration; and preserve and ensure access to information and records for the benefit of present and future generations.

Expected Results

  • Government programs and services provide convenient access to relevant, reliable, comprehensive and timely information.
  • Information and records are managed as valuable assets to support the outcomes of programs and services, as well as operational needs and accountabilities.
  • Governance structures, mechanisms and resources are in place to ensure the continuous and effective management of information.

(Source: www.tbs-sct.gc.ca/pubs_pol/ciopubs/TB_GIH/pim-pgi01_e.asp#
pim-pgi5)

There are many other policies that require the Guidelines, or which, themselves, prescribe standards or guidelines applicable to email.

  • Access to Information Policy
  • Common Services Policy
  • Communications Policy
  • Electronic Authorization and Authentication Policy
  • Evaluation Policy
  • Government PKI Policy
  • Policy on Information Management
  • Policy on Management of Information Technology
  • Policy on the Use of Electronic Networks
  • Privacy and Data Protection Policy
  • Privacy Impact Assessment Policy
  • Project Management Policy
  • Risk Management Policy
  • Security Policy
  • Policy on Learning, Training and Development

Means by which compliance may be monitored and audited

Compliance can be monitored and audited in a number of ways. For example, manual audits, discovery drills and system logs can be used to provide answers to the following key questions:

Policy and Governance

  • Is there a policy addressing the Email Management Guidelines?
  • Does the policy address all Email Management Guidelines and recommendations, indicating whether or not they apply?
  • Where guidelines or recommendations are subject to interpretation, does the policy state how to apply them?
  • For guidelines or recommendations that are applicable to the institution does the policy indicate how they are to be interpreted and applied?
  • Is the policy distributed, promoted by management?
  • Has the policy been read, understood and acknowledged by employees?
  • Are there an executive champion and steering committee responsible and accountable for information management in general, and email management in particular?
  • Is there a plan for improvement of email management and is the institution tracking to the plan?

Email Management Awareness and Education Program

  • Is there a functioning high-level awareness program to inform employees?
  • Is the effectiveness of the program measured?
  • Are there specialized training programs related to email management and the roles and responsibilities of executives, information management specialists, network and system administrators, operational managers and users?
  • Is email management training provided to new employees?
  • Is email management training provided to established employees?

Compliance Measurement

  • Is there a program to measure compliance of users?
  • Do compliance metrics and targets exist to measure user compliance with individual standards?
  • Are there baselines for email management metrics and are there targets, plans and activities established to improve compliance levels?
  • Is user compliance with Email Management Guidelines and related recommendations routinely monitored and are corrective measures taken when users are not compliant?
    If so, is the effectiveness of the corrective action measured?
  • Is information management / email management expenditure proportional to the size of the institution?

E-Information Life-Cycle

  • Are there stated retention periods for different kinds of records and information?
  • Is there protection against obsolescence?
  • Are email records and information adequately protected and preserved?
  • Is the email management system documentation up to date and kept as a permanent record?
  • Does system documentation support the admissibility of email under the rules of evidence?
  • Are email messages, metadata and attachments stored together (or if not is the relationship preserved?

The preceding list of questions is not exhaustive and, indeed it may be desirable to ask additional questions and to measure other aspects of compliance.

Audience and Stakeholders

Executives are a key audience, since they are responsible for the retention of government records and information and for the actions of their employees. They are also a new audience target for the promotion of information management, which has been typically addressed to IM professionals. There is an increasing recognition that IM needs more resources in order to meet the requirements of legislation, the courts and federal auditors. Thus it is essential to convey the importance of funding and championing IM at an executive level.

Information management professionals are the traditional audience for standards, guidelines, practices and tools related to IM. However, the community is not monolithic. Larger institutions may have resources with highly developed skills and extensive experience, but, in smaller institutions, individuals responsible for IM may have very little relevant training or experience.

Systems administrators have the responsibility to build, operate and maintain the infrastructure that supports email and email management. They need to know and understand the Email Management Guidelines in order to work effectively with information managers

Operational managers are in direct contact with the users and are best positioned to monitor compliance, apply corrective measures, assess training needs and obtain training for their staff. Operational managers may also work with the information manager and systems administrator to articulate business-related information management requirements and constraints, and should therefore know and understand these Email Management Guidelines.

Users are the front line in email management. Users will make decisions about whether to keep or delete messages. They will classify the messages and store them and are the first link in the chain of the email management process.

Trainers will need to know and understand the Email Management Guidelines, or at least the guidelines and recommendations that pertain to specific audiences for whom they are preparing training materials, and developing or presenting training programs.

Recommended Implementation Approach / Strategy

It is recommended that this new Email Management Guidelines come into effect within one year of approval.

Executives, information management specialists and system administrators must be prepared in advance of the users. Executives are the first priority, and they must buy-in to the advantages of email management and champion its implementation. It is the executives in the institutions who will need to be motivated to re-allocate funds from existing resources, and ensure that appropriate policies are written to guide the implementation of the Email Management Guidelines within their institutions. They will be the ones to authorize development of related procedures, and training programs. They will be the ones to authorize the implementation of any changes that may be necessary to the technology infrastructure, in order to achieve readiness.

Information managers and systems administrators will need to work closely together, possibly with broader involvement of information technology specialists or outside consultants to design and implement any changes that might be necessary to the applications or to the technology infrastructure that supports email management. Development of and awareness campaign as well as training materials and training programs, may begin once policy and design are complete. It may be necessary to revise these materials to some degree once testing and debugging are complete.

A compliance monitoring program should start immediately after implementation and should involve an appropriate blend of technological support and human intervention.

The first three months (time frames may vary from one institution to another)

  • Publication of the Email Management Guidelines begins and continues for the next two years.
  • Executives, information management specialists and system administrators are primed
  • Steps required to implement the Email Management Guidelines are identified
  • Funds are re-allocated from existing budgets to undertake preparations

From three to six months

  • Institutions draft pertinent policies, design email management procedures and identify and plan any infrastructure adjustments may be necessary.

From six to nine months

  • Infrastructure changes are made and tested (email management, security, disaster recovery)
  • Procedures are tested and refined.
  • Compliance monitoring plans are developed and tested.
  • Training materials are developed to reflect email management policy, procedure and infrastructure.

From nine to twelve months

  • A high-level email management awareness program begins, preparing users for implementation
  • Detailed training commences to prepare employees, contractors and other users for implementation

At twelve months

  • The Email Management Guidelines are implemented
  • Compliance monitoring commences
  • Initial bugs are identified and resolved

Monitoring requirements, and success factors,

Compliance monitoring for email management will require the establishment of appropriate metrics, which may vary from one government institution to another, depending on business requirements and how the Email Management Guidelines are interpreted and implemented.

Compliance monitoring will need to be performed on a regular basis, likely more frequently when the Email Management Guidelines are introduced and less frequently once the Email Management Guidelines become part of the established infrastructure and practice.

The success of an email management program will depend in significant measure on the impetus of an executive champion who has authority to allocate funds to the program, who is prepared to participate in setting compliance targets and who will take responsibility for steering the institution toward the target state.

Monitoring procedures and mechanisms

Audit logs can provide a considerable amount of relevant data which can be digested into reports on a wide variety of metrics pertaining to email management.

Desk checks - Operational managers can periodically spot-check their employees' email at the desktop to see if email messages are being categorized and stored appropriately, instead of accumulating in the "Inbox" or in the "Sent" box.

Discovery drills (or audit or access to information drills) would help identify problem areas with respect to compliance by exercising the institution's ability to locate and recover electronic information, including email.

Compliance audits could determine compliance levels by asking simple questions such as whether there is an email management policy, and whether there are related training programs. A compliance audit could also catalogue the active features of the technology being used to manage email.

Level of consensus reached in the Working Group

A broad level of consensus was reached in the Working Group, which met on a number of occasions in February and March 2006, in Ottawa, and which involved representatives from the following Federal Government departments.

  • Health Canada
  • Indian and Northern Affairs
  • PWGSC
  • Veterans Affairs Canada

During these meetings, an early draft of what is now called the Email Management Guidelines - Roadmap was reviewed in detail, generating considerable discussion. These meetings and discussions generated valuable suggestions about the organization of the document, about the general content of many of the guidelines, about the related sample policy statements, and in many cases, about the specific wording to be used. The suggestions were agreed to, in person, by most participants (and in many cases, all participants) and were reflected in the subsequent version of the document.

Further input from reviewers

In January and February 2008, the draft Email Management Guidelines - Roadmap was reviewed again by information management specialists representing a number of other government institutions.

  • Government of Canada
    • Atlantic Canada Opportunities Agency
    • Canada Revenue Agency
    • Citizenship and Immigration Canada
    • Library and Archives Canada
    • Office of the Privacy Commissioner of Canada
    • Royal Canadian Mounted Police
    • Transport Canada
  • Government of Alberta
    • Services Alberta

Again, a general consensus emerged in support of the document and its contents. However, as before, the review generated a number of valuable suggestions about the content of some of the guidelines, the sample policy statements, and in some cases, about the specific wording to be used.

Some minority concerns arose about the need to resolve government information management issues as a whole - and not just with respect to email. However, these concerns could not be addressed, as they were beyond the scope of the exercise.

Significant unresolved issues

Calendars, contact lists and task lists are typical features of email applications used today - but were not within the scope of the study from which the proposed email management guidelines have emerged. Nor does this document address the now pervasive use of mobile devices, the advent of instant messaging, and other relatively recent steps in the evolution and convergence of technology.

Email Management Guidelines - estimating key implementation costs

The following tables may be used by institutions of varying sizes to estimate key implementation costs, by order of magnitude. Areas where costs are most likely to occur are indicated with a dollar sign ($). However costs may be calculated in terms of dollars, Full Time Equivalents (FTEs) or such other measure as may be considered appropriate by the institution providing the estimates.

Furthermore, since business models vary from one institution to another, the following tables should be used with a degree of flexibility. Estimators are not obligated to enter costs in all areas designated by a dollar sign - nor are they to be prevented from entering costs into areas not designated by a dollar sign..

Estimate worksheet - for implementation of Email Management Guidelines

The first three months

Tasks Publication of the Email Management Guidelines begins and continues for the next two years Executives, IM specialists and SysAdmins are primed Steps required to implement the Email Management Guidelines are identified Funds are re-allocated from existing budgets to undertake preparations
Design & Develop $ $ $ $
Trainer & Trainee Time   $    
Physical Space        
Hardware        
Software        
Compliance Monitoring        

From three to six months

Tasks Draft pertinent policies Design email management procedures Identify and plan any infrastructure adjustments may be necessary Start procurement of hardware: servers, telecommunications devices, temporary backup and long-term storage devices) Start procurement of software: email applications, security applications, records management software, records classification software
Design & Develop $ $ $    
Trainer & Trainee Time          
Physical Space          
Hardware       $  
Software         $
Compliance Monitoring          

From six to nine months

Tasks Infrastructure changes are made and tested (email management, security, disaster recovery) Procedures are tested and refined Compliance monitoring plans are developed and tested High Level awareness materials are developed Specialized training materials are developed to reflect email management policy, procedure and infrastructure
Design & Develop $ $   $  
Trainer & Trainee Time       $ $
Physical Space $        
Hardware $        
Software $        
Compliance Monitoring     $    

From nine to twelve months

Tasks A high-level email management awareness program begins, preparing users for implementation Detailed training commences to prepare employees, contractors and other users for implementation
Design & Develop $ $
Trainer & Trainee Time $ $
Physical Space   $
Hardware   $
Software   $
Compliance Monitoring    

At twelve months

Tasks The Email Management Guidelines are implemented Compliance monitoring commences Initial bugs are identified and resolved
Design & Develop $   $
Trainer & Trainee Time      
Physical Space      
Hardware      
Software      
Compliance Monitoring   $  

Other potential costs

Tasks Outside consultants Customization or configuration of software Data migration
Design & Develop $ $ $
Trainer & Trainee Time $    
Physical Space      
Hardware      
Software      
Compliance Monitoring $    

Total costs

Tasks Total Costs
Design & Develop $
Trainer & Trainee Time $
Physical Space $
Hardware $
Software $
Compliance Monitoring $

Previous | Table of Contents | Next

Social Tagging (About Social Tagging)
RSS Icon RSS Feeds from LAC
 Add to Delicious   Add to Digg   Add to Diigo   Add to facebook   Add to Technorati
 
Date Created: 2008-08-21
Date Modified: 2009-06-15

Top of Page
Terms and Conditions