Managing email in Office 365

What is an email account in Office 365? It is a special type of document library that doesn’t need version control, doesn’t need extra metadata fields and doesn’t live in SharePoint.

It now seems a little incongruous for organisations to ask their staff to move important emails out of email accounts and into a ‘corporate record system’.  If Office 365 is your corporate record system then email accounts are within it already!

One of the things that Microsoft had to do in order to make Office 365 work as a service offering was to get their SharePoint team working with their Exchange team – something that famously never happened whilst both products were predominantly on-premise offerings.  Microsoft customers implementing on-premise SharePoint alongside their on-premise Exchange email system had to deploy third-party plug-ins if they wanted staff to be able to drag and drop an email into a SharePoint document library without leaving their Outlook email client.

There are two routes Microsoft could have gone with the relationship between Exchange and SharePoint within Office 365:

  • the integration route – building in features that make it easier to move emails from Exchange to SharePoint;
  • the governance route – making common governance features available so that emails in an email account could be governed using the same policies as documents in a document library in SharePoint.

Microsoft’s choice of direction for Office 365 has implications for the policy decisions that organisations need to take on email:

  • If Microsoft were to go down the integration route then it would fit in with the records management belief that an email system is not a ‘record system’ but is instead a ‘communications tool’.  Many organisations over the course of the past decade have designated SharePoint as their corporate records system and asked staff to move important emails into SharePoint.
  • If Microsoft were to go down the governance route then it would fit with the information governance belief that distinctions between record systems and non-records systems are meaningless and unhelpful because organisations are under legal, regulatory and ethical obligations to manage all their business information systems in accordance with information governance principles.

From a marketing point of view, there are clear advantages to Microsoft from going down the governance route rather than the integration route:

  • If Microsoft went down the integration route it would imply that they viewed a SharePoint document library as a better place to store business email than an Exchange email account. This is despite the fact that Exchange was built for and designed around the storage of email messages, whereas SharePoint document libraries were not designed with email in mind.
  • By going down the governance route Microsoft can stay neutral on the question of whether an email is better stored in SharePoint or in Exchange, and can gradually remove any necessity for organisations to move emails out of Exchange and into SharePoint.

It is therefore no surprise to see Microsoft putting their emphasis on the governance route rather than the integration route.

Office 365 comes with a ‘Security & Compliance Centre’ that sits separately from SharePoint or Exchange or any of the other component parts of Office 365.   The Security & Compliance Centre gives you two different means of applying retention rules to content:

  • retention policies which are applied to the containers within which content sits (SharePoint sites, email accounts etc.);
  • retention labels which are applied to individual items of content (emails/documents etc.).

This effectively gives you three alternative options for applying retention to email:

  • apply retention policies to email accounts without applying retention labels; OR
  • ask end users to apply retention labels to emails (or automate the application of labels if and when you develop automation capability), without applying retention policies; OR
  • use a combination approach by applying a default retention policy to email accounts whilst allowing staff (or machines!) to apply a retention label to particular emails that deserve a retention rule that differs from the default.

Note that in applying retention from the Security & Compliance Centre to content in OneDrive, Office 365 groups or SharePoint you will be faced with variations of the three options listed above.   The variation relates to the type of container that you would be applying retention policies to, and the type of content that you would be applying retention labels to.

The fact that Microsoft allows an email account to be treated in the same way as a document library for retention purposes will not stop organisations wanting to apply different retention periods to email accounts than to document libraries even when they arise from a similar business function.  The cost and risk profile of an email account differs significantly from that of a document library.

However, Office 365 is a game changer in two ways:

  • it brings the application of retention rules to email in email accounts firmly into the information governance domain, rather than the IT domain.  The retention policy and retention label menus in the Office 365 Security & Compliance Centre can be used to apply retention policies and/or retention labels to Exchange email accounts and SharePoint sites (as well as other parts of Office 365 including Office 365 groups and OneDrive accounts);
  • it creates the possibility of applying different types of policy towards email. For example if you wanted to apply a Capstone policy towards email you could do so out of the box in Office 365 by simply:
    • setting two retention policies on email: a Capstone retention policy for application to the relatively small number of email accounts that you wish to retain permanently, and a non-Capstone retention policy for application to email accounts that you do not wish to retain permanently;
    • deploying retention labels to enable staff with Capstone email accounts to identify trivial and personal emails so that those emails are exempt from the permanent retention applied to the rest of the correspondence in their email account.

Is it possible to solve the email problem?

I will be giving a presentation in London on Friday March 15 2019 for the IRMS Public Sector Group.

Below is a summary of the presentation:

James Lappin has recently had an article published by the Records Management Journal, ‘The defensible deletion of government email’, in which he reports on the evaluation he has carried out with Loughborough University of the policy of The National Archives (TNA) towards UK government email.

In this presentation he will attempt to answer three questions:

  • what proportion of an official’s email correspondence is likely to be needed as a record?
  • what proportion of an official’s email correspondence are public sector bodies likely to be able to capture into their record systems?
  • what proportion of an official’s email correspondence are public sector bodies likely to want to capture into their record systems?

On the basis of the answers to the questions above, James will propose an answer to two further questions:

  • why has no solution to the email problem yet been found, after nearly a quarter century of its dominance of business correspondence?
  • is it likely that a solution to the email problem will be found that will be acceptable to both public sector bodies and to wider society?

The basic premise of the talk is as follows:

  • if the proportion of email correspondence that is needed as a record exceeds the proportion of correspondence that public sector bodies are capable of capturing into their records systems, then we as a records management/information governance profession have a problem that we can and will solve, because technical solutions that we identify will be welcome to our organisations;
  • if the proportion of email correspondence that is needed as a record exceeds the proportion of correspondence that a public sector body perceives as being in their interests to treat as records, then we have a problem that we cannot solve, because any technical solution we could come up with would be unwelcome to our organisations, and against their interests to adopt.

Solutions to the email problem

When I started telling people, back in 2015, that I had started a doctoral research project on email, my records management colleagues would typically smile, pat me on the shoulder and say ‘great! let us know when you have found the solution’.

Two years later.  There is still no solution.  Solutions do not drop out of the sky.  Solutions emerge from people trying to fix things.  If there is a broken situation and no one tries to fix it, it stays broken.

You do not have to undertake a doctoral research project to work out that organisations are not consistently capturing business email into systems that they designate as ‘records systems’.

Yes, there are potential approaches.  Not just one, but many different approaches, suitable in different circumstances, using different technologies or different ways of harnessing human input:

  • you could do what some CRM systems do and match the email addresses of external contacts with locations in your record system (when a colleague sends an email to person/organisation b it is about business matter x, when they email person/organisation c it is about business matter y etc.);
  • you could set up one container in your record system to mirror each email account that you provision.  You could give each email account owner a simple means of indicating for every email they send, whether or not they want that email and the thread it is part of to be saved as a record to the mirror container for their account in the record system;
  • you could use analytics just before you run your deletion routine on an email account (after someone has left, or after two or three years) to rescue material which is obviously business related (and obviously not personal) from routine deletion.

We could go on and on with this list; you will have ideas of your own. We have not even mentioned machine learning yet.

But a solution for a problem is like a hammer waiting for a nail unless the problem owner wants the problem to be solved.

The problem owner for the email ‘problem’ is the organisation who owns the email accounts and the emails.

The one thing all of the above solutions have in common is that they all result in more emails being captured into record systems.  All of these solutions therefore add to storage costs; they also add to the cost of servicing access to information requests, and, in highly politicised environments such as many central government departments, they add to the perceived risk of being forced to disclose potentially embarrassing content.

Email is therefore a problem that the problem owner perceives a benefit from leaving unsolved.  Every conceivable solution to the problem of treating business emails as records would be more expensive, and would be perceived by the problem owner as being more risky, than the current approach.  The current approach, if we are honest, is for organisations to make a token effort to persuade staff to save important emails as records, who in turn make a token effort to occasionally place a few emails into a record system, whilst all the rest of the emails are routinely deleted after a designated but essentially arbitrary time period.

Where does this leave archivists and records managers?  Where does it leave records management and where does it leave record keeping?

We are also, in a manner of speaking, the problem owner.  The problem falls into our professional domain.

We are employed by organisations.  It is not our job to try to persuade our organisations to do anything that is against their perceived interests (and we would not get very far if we did try).

On one hand we are in a good situation.  Organisations put us under no pressure to change our records management policy telling staff to move emails into the record system, and under no pressure to change the relationship between the email environment and our record system (which is typically a product primarily designed and configured for the capture and management of documents rather than emails).

On the other hand it puts us in a very difficult position. We go to all that trouble to develop corporate wide record systems and corporate wide records retention schedules (both labours of Hercules, demanding all of our professional skills, experience and energy) and yet we are regarded as failures because those systems and those retention schedules fail to embrace the bulk of an organisation’s business correspondence.

It is a problem that in effect we can do little about, because our organisations do not want to do anything about it.  Take any of the ideas listed above to your organisation and you will see what I mean.  Our vendor community cannot help us because our organisations do not want solutions that would result in them keeping significant volumes of email for significantly longer periods of time.

In the short term we can carry on like this.  Our organisations are happy for us to continue to try and continue to fail.  Because (and this is the paradox) our failure to capture business correspondence consistently into systems treated as record systems succeeds in reducing the cost and perceived risk of recordkeeping to our organisations.

But what about the long term?  I fear in the long term that this success-through-failure damages our professional reputation and damages the clarity and moral force of our theory and of our practice.