February 25, 2015

Email Retention in Exchange and SharePoint Online

12 minute read
|

Applying Email Retention Guidance

A few months ago, RecordLion welcomed a guest post from Dawn Ward, Senior Counsel at Warner Norcross and Judd, titled “What To Do About Emails”. In this post, Dawn explained the many issues and difficulties faced by companies dealing with the management and retention of email. Rather than reiterate everything she wrote, I strongly encourage everyone to read this post, as it is clearly outlines these difficulties and provides some great guidance on solving these issues, which is what I am going to focus on in this post.

In this post, I am going to demonstrate the application of Dawn’s guidance using RecordLion Information Lifecycle, Microsoft Exchange and Microsoft SharePoint in order to efficiently and effectively manage email using a well-defined document management policy rather than doing what many companies do, which is nothing, or a little better than nothing, simply applying a blanket policy to their email which does not account for the complex types of information and the enforcement of specific policies that may be required.

Moving forward, we will outline each of Dawn’s six recommendations that a company must do in order to understand, assess, and retain all pertinent email while allowing the company to defensibly destroy the rest.

1. Start with a document management policy that clearly defines what content must be retained for legal and/or business purposes.

Some organizations already have a document management policy in place, while others are still in the process of creating one, but most, if not all, organizations actually require one. This is the first and possibly most important artifact when establishing a records and information management practice. Usually, this is in the form of a spreadsheet which lists each Record Class along with their respective retention periods and justifications. Keeping this document up-to-date with the current business needs can be a tedious task that often lags behind the pace of changing business requirements. Also, the manual application of this policy by employees is simply unreasonable. In order to ease the maintenance of this policy and automate the application of this policy, we will leverage our product, RecordLion Information Lifecycle.

To address this first piece of guidance, we will create, or if you already have a plan, import our file plan into RecordLion Information Lifecycle using the easy-to-use planning features as seen in Figure 1.1.

Figure 1.1 - File Plan

F1.1

Once we have done this, it becomes very easy to make incremental modifications to the document management policy that the system is then able to automatically apply to the records and information it is managing. Another huge benefit this software provides is that it is fully self-documenting. When necessary, generating an up-to-date document of the plan is easy using the built-in reporting functionality as seen in Figure 1.2. This report can be exported in many different formats including Microsoft Excel and Adobe PDF.

Figure 1.2 - File Plan Report

F1.2

 2. Consider auto-deleting inbox, sent box and draft emails more than X (e.g., 180) days old.

Implementing this guidance in our scenario involves configuring retention policies in the Exchange Online Admin Center. Using retention policy to configure the inbox, sent, and draft folders for auto-deletion is easily done from the Compliance Management options. The first step to doing this is to define the necessary Retention Tags that Exchange uses to manage the retention of email. Simply create a new Retention Tag for the inbox, sent, or drafts folders by choosing the “applied automatically to a default folder” option and configure the policy as displayed in Figure 2.1.

Figure 2.1 - Exchange Retention Tags

F2.1

 

Once the retention tags have been defined for each of the folders, they can be added to the Default MRM Policy in the Retention Policies section as shown in Figure 2.2. This will ensure that the policy is enforced for all users that are using the Default MRM Policy which is in use by default.

Figure 2.2 - Exchange Retention Policies

F2.2

 3. Based on the document management policy, if certain email records must be retained for more than X days, store those records separately from emails subject to auto-deletion.

The third nugget of guidance could be applied in multiple ways within Exchange depending on the specific business need, but for this post, we are going to implement this guidance by applying a different policy of more than 180 days to company executives because within our organization, we require executive email to be retained for a minimum of 5 years.

To do this, we create a new retention policy in the Exchange Online Admin Center called Default Executive Policy in which we will add a “default folder” Retention Tag for the inbox as shown in Figure 3.1.

Figure 3.1 - Exchange Uniform Retention Tag

F3.1

We will then apply this new policy to each company executive’s mailbox by navigating to the Recipients option in the Admin Center, editing the appropriate user’s mailbox, choosing Mailbox Features, and then selecting the Default Executive Policy that we previously created as shown in Figure 3.2.

Figure 3.2 - Exchange Mailbox Features

F3.2

 4. Provide the user with options so that he/she can move pertinent email into appropriate folders. The process may be accomplished by “drag and drop” into a network file with a predetermined retention duration. In some instances, users may also have the option to print and file copies of emails and attachments and place them into hardcopy files.

For this next guidance, we want to make sure that official records (non-ordinary correspondence) are moved to our Microsoft SharePoint Online environment so that these records can be more easily managed, searched, and used within our business processes. To do this effectively, records must be classified as an appropriate Record Class so that the proper retention schedule can be assigned and disposition can be handled in a defensible manner.

Rather than train users to manage the retention of individual mail items and attachments by manually assigning the appropriate retention schedule, which is error prone and unreliable, we are going to train them to simply recognize that a message or attachment is an official record and then use the RecordLion Retention Add-In for Microsoft Outlook to automatically move records to Microsoft SharePoint at the click of a button.

Records have no place in an individual user’s mailbox. By moving them to SharePoint, they will be automatically classified, assigned a retention schedule, and made available to anyone needing them.

To implement this, the first step is to define Classification Rules that RecordLion Information Lifecycle will use to automatically associate a file to a specific Record Class. Simply open the Record Classes configuration in RecordLion Information Lifecycle, choose Classification Rules for the Record Class menu, and create the necessary rules, as shown in Figure 4.1.

Figure 4.1 - Classification Rules

F4.1

 

After defining the Classification Rules, RecordLion Information Lifecycle will have enough information to automatically associate an item to a Record Class by applying the defined Classification Rules to the document’s metadata, thereby attaching the appropriate retention schedule.

Now, when a user with Microsoft Outlook recognizes that they have a record or official file in their inbox, they can choose the Retention tab from the Outlook Ribbon Bar and elect to send the message or attachments to Microsoft SharePoint and have the Record Class selection be performed automatically as in Figure 4.2.

Figure 4.2 - Microsoft Outlook Retention Add-In

F4.2

 5. Segregate those emails that are subject to a legal hold.

This fifth piece of guidance can be difficult to enforce because it usually involves training users to properly identify email that is subject to legal hold. However, since users are already moving important business records to SharePoint using the RecordLion Retention Add-in for Microsoft Outlook, it is easy to place items on legal hold using a similar process along with RecordLion Information Lifecycle’s Legal Hold functionality.

Similar to defining Classification Rules, you will define a set of Legal Holds Rules, as shown in Figure 5.1, which will be used to automatically place items on hold by applying the set of rules to the record’s metadata. When the rules are successfully evaluated for an item, RecordLion Information Lifecycle will lock the file to prevent disposition or accidental deletion.

Figure 5.1 - Legal Hold Rules

F5.1

6. The company must spend the time, upfront, to standardize the categorization of emails so that employees find it easy to file emails and are not spending more time finding places for required emails than they need to. The point here is to reduce the amount of time spent fussing with emails and at the same time reduce the risk of over-retaining emails. The solution is to create a filing system that not only is easy to use to begin with, but also provides a clear structure so that emails can be located later if needed.

With all of our previous work, the final guidance provided is easy to achieve. We already have everything in place to manage the retention of our email effectively with limited user involvement. However, we must still make it easy for users to access the information. By using Microsoft SharePoint to store our files, we will leverage Microsoft SharePoint Search, enabling users to easily find our emails and attachments as needed.

Simply navigate to Microsoft SharePoint Search, enter the appropriate search criteria, and click search. The items needed will be immediately returned and available for use as demonstrated in Figure 6.1.

Figure 6.1 - SharePoint Search

F6.1

As you can see, we were able to apply the guidance provided by Dawn to establish a well-defined, legally defensible email retention process using a real-world system composed of Microsoft Exchange, Microsoft SharePoint and RecordLion Information Lifecycle. We can be assured that any irrelevant email is purged after 180 days, our executive’s email is maintained for a minimum of 5 years, and all official records are moved from our email system to our Microsoft SharePoint platform where RecordLion Information Lifecycle is able to automatically apply the appropriate retention schedule and email easily searchable and therefore usable as needed by the business. In addition, up-to-date policy documentation can be easily generated at the push of a button should the need arise.

If you find yourself facing a similar situation and are looking for a legally defensible and effective means to manage your email along with your other records and information, please contact us. We would love to help.

Receive News Updates As Soon As They Happen