E-mail Records Management, Part 3: E-mail Retention

In my previous post, I described how organizations can define a set of e-mail classifications (i.e. managed folders) and how end users can use those folders to classify content. In this post, I’ll describe one of the main uses of this classification system: e-mail retention policies.

I mentioned in the last post that one of the first steps of an e-mail management plan is for a records manager to create a list of all the types of e-mail content within an organization. During this process, a records manager should also define the retention periods for each class of e-mail.

For instance, a records manager may decide that “Research and Development Design” e-mails should be kept for three years and then deleted. She may also define a broader and more generic class of content called “Long Term Business Need,” which might have the policy that e-mail must be kept for five years. Generally, the policies for e-mail will closely match the retention rules for managing documents in Microsoft Office SharePoint Server 2007. For example, both product specification documents and e-mail messages in the category “Research and Development Design” would be kept for three years and then deleted.

As you might expect, these e-mail retention rules are made concrete when a managed folder is assigned a retention policy for the mail inside it. This is done on Microsoft Exchange Server 2007 and the rules are enforced by Exchange, not Outlook. This allows an IT department to centralize the management and enforcement of the rules (e.g. deletion of the e-mail) without having to configure an application on each end user desktop.

The types of retention rules that can be defined are fairly broad. The event that triggers the expiration of an e-mail is based upon an auto-captured piece of metadata, such as the date the e-mail was sent. Exchange provides both move and delete as possible expiration actions (more on that below).

E-mail retention rules can also vary depending on the type of content in the folder. For instance, voice-mail messages might only be kept for 60 days, while e-mail message might be kept for a year. (As an aside, this allows policy decisions to be made based upon the medium and not just on the content itself. There was a really interesting comment thread that talked about whether that’s appropriate).

In addition, a records manager can also specify policies on non-managed folders, such as the Inbox and Sent Items folder. There is also a “default policy” that will be applied to all user-created folders. Generally, these policies should have a retention period shorter than the periods on the managed folders. This will encourage users to classify e-mail that they want to keep by moving it out of their Inbox and into a long term managed folder.

As it’s been described so far, the feature has only addressed the pure compliance scenario: non-important e-mail will be deleted; important e-mail will be kept for as long as there is a business justification for it. However, if we stopped there, we’d have introduced a major issue with our approach. This is the “So what did you do with my e-mail?” problem. Any e-mail records management solution should be sensitive to end users’ need to know what’s happening to their e-mail messages. We’ve done a couple things to address this.

Sharp-eyed readers of my previous post will notice one of the primary things we’ve done to make people comfortable with e-mail retention. We’ve provided records managers with a way to communicate the corporate policy on a folder. Within Outlook 2007, every folder displays a policy statement provided by the records manager:

Just like the Information Policy Bar in Word, Excel, and PowerPoint, this policy statement supports the communication of corporate policy directly within the Office applications. This is valuable irrespective of our policy enforcement features. Instead of having to visit a hard-to-find corporate intranet site or watch a video, users can learn about corporate compliance directly within the application they work with everyday.

Customers can also use a “recycle bin” approach as a backstop to prevent the accidental deletion of important e-mail. Before deleting an e-mail, Exchange can move it to a “Cleanup Review folder,” where it will sit for short amount of time (generally thirty days). With this approach, the user can visit her Cleanup Review folder, see what’s about to be deleted, and – if appropriate – move a particularly important e-mail to a managed folder with a longer term retention policy.

As you can see, our approach to managing e-mail is similar to our approach to managing documents in the Office SharePoint Server collaborative spaces. All files are classified based upon their content, and then an expiration policy is applied unique to the classification. In Office SharePoint Server document management, we focus more on user-collected metadata. With Exchange, we only have auto-populated metadata to work with. But it’s the same general concept for both.

In the next post, we’ll conclude our discussion of managed folders and talk about a couple of other types of policies that can apply to e-mail. Until then, keep the blog comments and questions coming!

Thanks,

Adam Harmetz

Program Manager