Email solutions are one of the communication and collaboration technologies that are being offered in the cloud and this service is referred to as “cloud email.” Typically, cloud email is bundled with office productivity tools such as word processing, spreadsheets, presentations / graphics and note-taking applications.
Cloud email solutions are attractive due to the growing complexity of managing emails in-house. Cloud solutions are seen to be beneficial as cloud providers have more capacity to manage the security, archiving, backup and disaster recovery of emails. In addition, cloud email offers mobility – users have access to email, contacts and shared calendars from multiple devices anytime, anywhere.
This guidance identifies key considerations specific and unique to cloud email, which need to be addressed prior to implementation.
This guidance must be read in conjunction with the Standard on records management issued by State Records NSW. This Standard includes a range of requirements that must be addressed in cloud arrangements; see particularly minimum compliance requirements 1.7, 2.4 and 2.6.
Additionally, agencies have certain legislative requirements relating to the storage of State records, including emails, outside of NSW. Sending records for storage with, or maintenance by, service providers based outside NSW is permitted provided that an appropriate risk assessment has been done, and that records are managed in accordance with all the requirements applicable to State records. These requirements are contained in section 21(2)(c) of the State Records Act 1998 and in the General authority for transferring records out of NSW for storage with and maintenance by service providers based outside of the State (GA35).
Records and information management policies, procedures, and processes
Agencies considering cloud email implementation should take the opportunity to document and identify current issues and problem areas with managing email. It is likely that those issues will be carried over to the cloud email environment. If users have poor recordkeeping practices, such as retaining items they are actioning in email systems rather than capturing them in official recordkeeping systems, these issues will not necessarily be alleviated by migration to the cloud. In addition, the cloud email environment creates a plethora of additional records and information management issues.
Agencies need to consider how cloud email implementation relates to existing policies, procedures and processes for managing email. Specific areas to consider are:
- Sensitivity and confidentiality of information transmitted via email;
- Laws and legislation that might not allow the storage of email outside of NSW or outside of Australia;
- Data sovereignty to ensure that the cloud service provider is restricted from disclosing or providing access to email data to third parties, such as another government authority or private litigants;
- Process and procedure on accessing email data for servicing the GIPA Act;
- Legal discovery requests and legal holds;
- Integration or non-integration with the recordkeeping system;
- Compatibility of the cloud email solution with the existing recordkeeping system;
- Retention and deletion of email carried out by the service provider – agencies need to ensure that deleted data is permanently deleted and not discoverable;
- Provisions for recovery of accidental deletion of email data;
- De-activating and retiring a cloud email account and its email data once the employee has left;
- Current procedures and processes of managing backup & archived email data on-premise, or with another vendor;
- Vendor's process on managing backup & archived cloud email data;
- Security measures to ensure protection of cloud email data.
Cloud email may offer more functionality than the traditional on-premise email solution. Agencies should consider the impact of those functionalities on the existing recordkeeping procedures or processes. Some of the functionalities include:
- Ability to convert or save email messages in PDF format;
- Archive emails with a single click or by setting up automated rules;
- Access to cloud email using mobile devices such as laptops, tablets and mobile phones;
- Ability to send and download attachments using various mobile devices; and
- Provision of bigger storage capacity which could lead to larger volumes of unmanaged emails.
Migration of email data from on-premise to cloud
Migrating email data from on-premise infrastructure to cloud email requires careful planning and preparation. Agencies should document decisions regarding migration, including email data migration requirements and assessments of business and user impact from specific migration decisions which may affect reliability and completeness of the email data. Specific areas to consider are:
- Migration strategy, including testing before the scheduled migration;
- Size of the mailbox or email data for migration;
- Capabilities and the limitations of the cloud email system to import and export email data;
- Use of email archiving solutions;
- Process of decommissioning the on-premise infrastructure, including what metadata from the system needs to be retained; and
- Legacy email management, including its retention and disposal.
The General retention and disposal authority for source records which have been migrated (GA48) provides for the authorised disposal of State records that have been used as the input or source records for successful migrations. GA48 establishes a number of conditions which must be satisfied before source records can be destroyed. GA48 includes guidelines on documenting and preserving the essential characteristics of digital records through migration.
Agencies should establish contractual arrangements with the provider as a way to manage risks associated with using cloud email. Contracts should address a range of issues, including (but not limited to): data location, data ownership, standards used, security, access, incident reporting, business continuity and disaster recovery. Clauses regarding exit strategy / policy should be included, specifically on return of data, portability of data, and destruction of data from providers’ systems.
2016 / Updated 2020 (with links only)