Email and retention periods

Email is the classic GDPR issue - it's not about the system where we store things, it's about the process and how that data is used. So ask yourself, what is the content of the email and what does it relate to?

The IRMS School Toolkit has some guidance on email (this is from the 2016 version; the more up-to-date 2019 version is for IRMS members only, but the information on email hasn't changed substantially):

Section 5 Filing Email (p19)
Attachments only
Where the main purpose of the e-mail is to transfer documents, then the documents should be saved into the appropriate place in an electronic filing system or printed out and added to a paper file. The e-mail can then be deleted.

E-mail text and attachments
Where the text of the e-mail adds to the context or value of the attached documents it may be necessary to keep the whole e-mail. The best way to do this, and to retain the information which makes up the audit trail, is to save the e-mail in .msg format. This can be done either by clicking and dragging the e-mail into the appropriate folder in an application such as MS Outlook, or by using the “save as” function to save the e-mail in an electronic filing system.
If the e-mail needs to be re-sent it will automatically open into MS Outlook.
Where appropriate the e-mail and the attachments can be printed out to be stored on a paper file, however, a printout does not capture all the audit information which storing the e-mail in .msg format will.

E-mail text only
If the text in the body of the e-mail requires filing, the same method can be used as that outlined above. This will retain information for audit trail purposes.

Alternatively the e-mail can be saved in .html or .txt format. This will save all the text in the e-mail and a limited amount of the audit information. The e-mail cannot be re-sent if it is saved in this format.
The technical details about how to undertake all of these functions are available in application Help functions.

How long to keep e-mails?
E-mail is primarily a communications tool, and e-mail applications are not designed for keeping e-mail as a record in a storage area meeting records management storage standards.
E-mail that needs to be kept should be identified by content; for example, does it form part of a pupil record? Is it part of a contract? The retention for keeping these e-mails will then correspond with the classes of records according to content in the retention schedule for schools found elsewhere in the Records Management Tool Kit for Schools. These e-mails may need to be saved into any appropriate electronic filing system or printed out and placed on paper files.

There are various considerations around email retention; even where an email retention policy exists, it could define the retention period as anything from 3 months (the shortest I've seen) to forever.

But what if an employee has left and their email account becomes redundant and is no longer required? Theoretically, could it be removed along with all its data? Possibly, but that may depend on the circumstances of the employee leaving. It may be that the HR team does not want the email removed because it may form part of an investigation or dispute. It also depends on whether any important data has been saved elsewhere.

Retaining email also has consequences when a SAR (subject access request) comes in and the data subject asks specifically for emails about them. That means searching all associated emails that may contain the details of the data subject (less any everyday business communications required for the role they had). Should the identified emails contain information about other data subjects (e.g. a report about team performance, or other people who would not normally be expected to appear), you will have to identify those emails and then redact all non-related data, as the requester would not normally be entitled to view it.

We've recently done this work on behalf of an organisation and it involved over 8,000 emails to review and redact. I know many schools that find this is the problem they have with SARs - it's the email element. Whilst data saved in other appropriate locations may still need redaction applied, the search and discovery aspects are dramatically reduced.

So we can't tell you exactly how long to keep email for - you may have some going way back that there is a legitimate reason for keeping (such as evidence of informal contracts etc.). In other cases, you might file the data appropriately and delete the email. The organisation mentioned earlier has a short retention schedule that deletes email after three months; it does force users to think about whether they need to store the content of that email somewhere else, or whether they need to store it at all. However, there has to be complete buy-in to the approach, as it carries considerable risks during implementation. It requires an awful lot of time for email clean-up, and the converse also applies: short retention periods may mean that data you should have kept gets deleted and is then not available. Therefore it requires discipline.

So have a look at your use of email and ask: are you using it for communications, or as a database of information? Any email policy should specify that data is stored in an appropriately secure system where the relevant people can access it. That might be a local folder, a network share, an MIS system's communication log, or a platform such as CPOMS.
Remember to check our Records Management best practice area for further guidance.