The URL can be used to link to this page

Home My WebLink AboutSelected Electronic CommunicationsSelected Electronic Communications - Retention, Access and Storage report #13/14-4 August 2014 Selected Electronic Communications (email and texts)– Retention, Access and Storage To request this information in an alternate format, please call (541) 330-4674 or send email to David.Givans@Deschutes.org Deschutes County, Oregon David Givans, CPA, CIA, CGMA Deschutes County Internal Auditor PO Box 6005 1300 NW Wall St, Suite 200 Bend, OR 97708-6005 (541) 330-4674 David.Givans@Deschutes.org Audit committee: Jennifer Welander, Chair - Public member Chris Earnest - Public member Gayle McConnell - Public member Michael Shadrach - Public member Anthony DeBone, County Commissioner Nancy Blankenship, County Clerk Dan Despotopulos, Fair & Expo Director Selected Electronic Communications - Retention, Access and Storage report #13/14-4 August 2014 {This page left blank} Selected Electronic Communications - Retention, Access and Storage report #13/14-4 August 2014 TABLE OF CONTENTS: HIGHLIGHTS 1. INTRODUCTION 1.1. Background on Audit …………..………………………………………...…… 1 1.2. Objectives and Scope ………………….……………………………...…… 1-2 1.3. Methodology …………………………………….…………………...……...… 2 2. BACKGROUND ………………………………………………………………… 2-5 3. FINDINGS 3.1. County and department policies on email …………………………..…… 5-8 3.2. Retention, storage and access practices for electronic communications …………………………………………… 9-16 4. MANAGEMENT RESPONSES 4.1. County Clerk’s Office ..……………………………………………….. 17-19 4.2. County Administration, Legal Counsel and Information Technology ........................................................................... 20-23 4.3. County Department ……….……………………………………………... 23 Selected Electronic Communications - Retention, Access and Storage report #13/14-4 August 2014 HIGHLIGHTS Why this audit was performed: To review retention, access and storage of selected electronic communications (emails and texting). What is recommended Recommendations included:  implementing a records management program for electronic records.  leveraging available electronic records management tools to address document management.  completing policies and procedures over electronic public records and revisiting associated Departmental policies.  providing new-hire, initial and ongoing training  adding and/or utilizing electronic record management systems to manage to the stated retention, provide access and provide appropriate destruction of records beyond their retention.  periodic monitoring for non- working email vaults  addressing texts, social media, website content and usage of personal devices in its policy for public records. Selected Electronic Communications - Retention, Access and Storage Oregon sets a high value on the management of and access to public records. As “public officials”, County employees have significant responsibilities for managing public information. This internal audit work is focused on electronic communications as a public record. In particular, the focus was on emails and texts. Some of this work touches on broader systems under record retention and record handling. It is hoped the County will assess whether other forms of public record (electronic and paper) may benefit a similar discussion from these observations and recommendations. What was found The County has started efforts to develop policies on public records for electronic records.  The County has not yet sufficiently addressed a records management plan for electronic records. A records management program ensures the orderly retention and disposition of public records to ensure the preservation of public records of value.  The County has not yet developed universal policies to address electronic public records management, directed or coordinated department efforts, or considered how best the County can address the requirements for retention and access. Some employees lack understanding of public records and retention requirements. County technology solutions may not be achieving electronic record management goals. Forty- three percent (43%) of departments appear to have some form of electronic record management system. County solutions vary significantly and many have not established systems to comply with the disposal requirements for public records. The County email vaulting solution is not working for all employees. For the interviewed staff, around eight percent (8%) did not have their email vaulting solution working. Additional analysis of vaults between July 2013 and May 2014 identified additional email vaults that were not operating. Use of other technologies in electronic communication is increasing. These would include texting, social media, website content and use of other personal portable devices. Deschutes County Internal Audit Selected Electronic Communications - Retention, Access and Storage report #13/14-4 August 2014 Page 1 of 23 1. Introduction 1.1 BACKGROUND ON AUDIT Audit Authority: The Deschutes County Audit Committee authorized the review of the retention, access and storage of selected electronic communications (emails and texting) in the Internal Audit Program Work Plan for FY 11/13. 1.2 OBJECTIVES and SCOPE Objectives: The audit objectives include: 1) Assess the sufficiency of current County and department policies regarding electronic communication retention, storage and access against standards provided by the State for local governments for access and retention of public documents. a) Evaluate current policies. b) Evaluate any policies in development. c) Assess/review any department policies. 2) Assess current retention, storage and access practices for electronic communications. (Countywide and departmental) a) Evaluate current email vaulting solutions for what they provide in regards to records retention, storage and access. b) Assess employees’ knowledge of electronic communication retention, storage and access practices within their department. c) Assess the established electronic communication practices within departments. Have departments addressed how they could access relevant records? d) Assess level and extent of training (County and departmental) on electronic communication retention, storage and access. 3) Be aware of any issues with compliance with federal and state regulations and requirements, as may be applicable. Scope: This audit work is focused on electronic communications as a record. In particular, the focus was emails and texts. Some of this work touches on broader systems under record retention and record handling. It is hoped the County will assess whether other forms of public record (electronic and paper) may benefit a similar discussion from these observations and recommendations. Therefore, the recommendations are focused on the developed objectives unless it was clear that related to a broader perspective. DESCHUTES COUNTY INTERNAL AUDIT REPORT DESCHUTES COUNTY INTERNAL AUDIT REPORT Selected Electronic Communications - Retention, Access and Storage report #13/14-4 August 2014 Page 2 of 23 Internal audit work on this project was primarily in March 2014 through June 2014. County email vault data was obtained for July 2013 and May 2014. The data available was limited to global storage data and data by archive name. Electronic communications as defined by this audit is primarily email and instant messaging (texts). It may include others if through discussions with departments those are significant. The significant laws, regulations and guidance identified for these audit objectives included ORS 192, OAR 166 and associated guidance provided by the State Archivist. The review did not address or inquire about handling of specific record retention requirements. One County department has recently moved to a separate cloud-based email system. Their email archive data (size and number) for this cloud-based solution was not requested as part of this audit since it was not deemed significant in the context of the audit objectives. 1.3 METHODOLOGY Audit procedures included:  research of public retention and access laws in Oregon  comparative analyses of email vault information obtained for July 2013 and May 2014.  interview fifty-one employees across departments and positions on this topic. Topics for discussion included awareness of public records, record retention, email archive and electronic document collaboration practices. We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. (2011 Revision of Government Auditing Standards, issued by the Comptroller General of the United States.) 2. Background Oregon sets a high value on the management of and access to public records. As “public officials”, County employees have significant responsibilities for managing public information. Responsibilities for managing records include:  identifying public records and determining their retention period;  retaining records in compliance with records retention schedules; and  destroying or segregating those that are non-public records and/or those that have reached their retention period. DESCHUTES COUNTY INTERNAL AUDIT REPORT Selected Electronic Communications - Retention, Access and Storage report #13/14-4 August 2014 Page 3 of 23 Diagram 1: Record lifecycle (FEA Records Management Profile Ver. 1.0 Dec 2005) The state archivists are responsible for providing direction. The State provides a county retention guide to assist in managing public records. A “public record” is any information meeting the following criteria: a) Is prepared, owned, used or retained by a state agency or political subdivision; b) Relates to an activity, transaction or function of a state agency or political subdivision; and c) Is necessary to satisfy the fiscal, legal, administrative or historical policies, requirements or needs of the state agency or political subdivision. The diagram above is of a typical record lifecycle, with creation, retention and disposition. It highlights that generally, most of the records are not permanent. In Oregon, these permanent records are to be retained in paper or microfilm. However, there is a move to allow certain approved electronic records management systems. ORS 192.005 provides the definition of “public record” for retention and disposition. The definition does provide limited exclusions, which includes voicemail. The more global access definition of a public record is defined by ORS 192.410. “Public record” includes any writing containing information relating to the conduct of the public’s business, including but not limited to court records, mortgages, and deed records, prepared, owned, used or retained by a public body regardless of physical form or characteristics. “Writing” means handwriting, typewriting, printing, photographing and every means of recording, including letters, words, Selected Electronic Communications - Retention, Access and Storage report #13/14-4 August 2014 Page 4 of 23 TABLE 1: Information on change in vaulted County email 7/2013 to 5/2014 (excludes cloud based email solution) pictures, sounds, or symbols, or combination thereof, and all papers, maps, files, facsimiles or electronic recordings. For electronic communications, records documenting communications created or received by an agency that directly relate to an agency program or agency administration are public records. Public records are not junk email, spam, advertisements, most personal email, or daily newsletters received (to name a few). Whereas, these would not generally be considered public records for retention purposes, these could be public records under more liberal “access” definition requests if they have not been destroyed. A public record will have an associated record retention. This is the length of time to retain information to satisfy the administrative, legal, fiscal and/or historical needs of an agency. Disposition of public records is allowable once the retention has been met. The County Clerk is by statute [ORS 192.105, ORS 205.110] the County’s Records Officer with the underlying responsibilities for overseeing the record management practices at the County. Records Officers are to establish a records management program that ensures the orderly retention and disposition of all public records, and to ensure the preservation of public records of value. Records management is the field of management responsible for the efficient and systematic control of the creation, receipt, maintenance, use and disposition of records, including the processes for capturing and maintaining evidence of and information about business activities and transactions in the form of records. The State Archivist will provide training and assistance for Records Officers [OAR 166-030-0016]. Electronic communications such as email and texts, in some instances, are viewed as public records depending on their content. Dates Number of Accounts Number of Email Items Email Storage Size (MB) July 2013 1,366 8,220,273 654,767 May 2014 1,479 10,158,447 822,238 24% 26% 10 month change increase increase As indicated in TABLE 1 above, there has been a significant amount of growth in storage of email during this period. The information technology department has not indicated any concerns with keeping up with the storage requirements. Selected Electronic Communications - Retention, Access and Storage report #13/14-4 August 2014 Page 5 of 23 There is no information on the extent of texts that might be public records. This emerging area triggers privacy concerns. There are also no County statistics available on other types of records that have been identified/retained as public records. 3. Findings Audit findings result from incidents of non-compliance with stated procedures and/or departures from prudent operation. The findings are, by nature, subjective. The audit disclosed certain policies, procedures and practices that could be improved. The audit was neither designed nor intended to be a detailed study of every relevant system, procedure or transaction. Accordingly, the opportunities for improvement presented in the report may not be all-inclusive of areas where improvement may be needed and does not replace efforts needed to design an effective system of internal control. A significant deficiency is defined as an internal control deficiency that could adversely affect the entity’s ability to initiate, record, process, and report financial data consistent with the assertions of management in the financial statements. The findings noted were primarily compliance and efficiency matters and would not generally be framed as or considered to be significant deficiencies. 3.1 County and department policies on electronic communications County has not sufficiently addressed retention, access and storage of electronic records. The County has not established a records management plan for electronic records. The County creates, receives and manages a significant amount of information (most of which are public records) in the performance of its services. Some of this information is in paper and some electronic. In addition, much of this information is siloed1 by individual, program and/or department. This siloing of information (by program or individual) can make it difficult for management to access information to make appropriate decisions and managing it for access and retention. The County is moving in many directions when it comes to handling of electronic records. Departments and programs establish specific solutions for coordinating and collaborating with electronic records. This was observed when departments had specific record management systems (paper and/or electronic) developed 1 Siloed/siloing are terms describing structural barriers (physical and virtual divides between individuals, departments and/or locations etc…) preventing the effective sharing of information. Uses a physical metaphor of a silo (like a grain silo) to indicate the separation of a commodity. Selected Electronic Communications - Retention, Access and Storage report #13/14-4 August 2014 Page 6 of 23 for parts of their business. However, there are other areas where there is ineffective coordination of information. This most often occurs with email, correspondence and staff work documents. Employees frequently print electronic records to file the paper and scan paper documents to store electronically. No one solution seems to provide everything required. The County’s Records Officer is to establish a records management program that ensures the orderly retention and disposition of all public records, and to ensure the preservation of public records of value. Typical duties include planning, controlling, directing, organizing, training, promoting the program, and other activities involving the life cycle of information including records scheduling, retirement, storage and destruction. ORS 192.105(2)(a) In many cases, the State Archivist recommends use of a records management system (electronic in the case of emails and electronic files, though a paper system can work). The archivist goes further to indicate it is inappropriate to have emails filed or stored on the system that received them or separate from associated program records. Once employees manage electronic and paper records in a cohesive manner (including universal indexing), there can be a significant difference in accessibility, retention and disposition. An enterprise record management system for electronic records can allow the County to establish and manage:  retention and disposition rules,  security and access controls,  digital rights management, and  information sharing In the absence of Countywide direction, many departments may fail to organize and coordinate electronic information received, such as email retained in the user’s Outlook file. Without a Countywide plan, the County may continue to struggle with properly addressing  record retention requirements,  disposal,  the use of the records,  business continuity,  security and privacy, and  appropriate staff training Many County departments are independently pursuing the planning, acquisition, installation and use of Selected Electronic Communications - Retention, Access and Storage report #13/14-4 August 2014 Page 7 of 23 electronic records management, document management, content management, and imaging systems, uniquely and independently of one another, to fulfill critical agency business needs. These efforts could represent a significant and perhaps unnecessarily redundant investment of public funds, agency personnel, and resources. It may be advantageous for County departments to pursue common, consistent, and replicable approaches now and in the future. The County has not yet implemented across departments tools/systems to handle electronic records from creation through disposition. The current email vault solution is a storage solution that perpetuates a siloed approach to email and lacks tools available under a records management solution. It is recommended for the County Clerk and County Management to implement a records management program for electronic public records consistent with the State’s requirements. Example policies have been obtained from the State Archivist and can be a good starting point for development of this plan. It is recommended the County and Departments in consultation with the County Clerk and County Legal Counsel consider how it may best leverage available electronic records management tools in a cost effective manner to address common needs for electronic document management. County and departmental policies regarding electronic communication record storage, retention and access require improvement. The County has not developed universal policies or procedures to address electronic public record management, directed or coordinated department efforts, or considered how best the County can address the requirements. This would be one aspect of developing a record management program, previously discussed. Policy discussion of handling of electronic public records is limited in the County’s “computer, email and mobile computing device use” policy (IT-1). It directs employees to review the state's public record requirements at the Secretary of State's website. County Legal Counsel and the County Clerk have started efforts to develop a County policy for general public record retention and on digital images that might be stored as permanent records in an electronic records management system. These policies still require further development and vetting with County Management. In comparison to the State guidance for policies, there were some areas identified in the drafted general public record policy requiring further development, which includes addressing : Selected Electronic Communications - Retention, Access and Storage report #13/14-4 August 2014 Page 8 of 23  record management for emails,  prohibition to discriminate,  prohibition in forwarding emails to non-county systems,  county’s right to alter, modify, reroute or block delivery of email messages,  prohibition of use of external email accounts to perform County business,  guidance on retention of emails and texts,  guidance on holding emails longer than stated retention,  enforcement mechanisms for policy, and  solutions/tools to help employees comply with policy. The Oregon State Archives Division is responsible for providing guidance to local governments on statutory requirements. Under Oregon's public records law there are significant requirements over retention of public records and the public's access to records. These requirements for retention extend to many electronic communications (email, texts and internet social media communications). The State's "Email Policy Manual for Local Government” provides guidance on what should be included in a policy as well as a policy template. http://sos.oregon.gov/archives/Documents/recordsmgmt/train/erm/emailman806.pdf A number of departments have developed more specific departmental policies to address some of public record topics but do not cover all of the expected topics. However, most departments struggle with addressing retention under the County retention schedule. In the absence of additional policies and procedures, the County is leaving employees and departments without sufficient guidance to implement and enforce the State's requirements. It is recommended for the County to complete the development of policies and procedures over electronic public records. These should address the areas in the draft policy requiring further development as well as methods to assess, monitor and enforce the policies and procedures. It is recommended for current Departmental policies to be revisited and modified to be consistent with the revised Countywide policies and procedures for electronic public records. Selected Electronic Communications - Retention, Access and Storage report #13/14-4 August 2014 Page 9 of 23 3.2 Retention, storage and access practices for electronic communications Table 2: Interview data on understanding of public records. Some employees lack understanding of public records and retention requirements. In order to better understand employee awareness of public record retention, access and storage issues, in-person interviews with fifty-one employees were conducted. These spanned departments and staffing levels. The following observations came from interview topics, which included their departmental information systems, use of technology, operational environment, understanding of retention requirements, archiving practices, training received, use of email tools, and use of cellular phones for County business. In the analyses below, areas that may be of concern are highlighted. Do you understand public records as a broad or narrow definition? From research on this topic and discussions with County legal counsel, public records should be considered a fairly encompassing (or broad) definition. Some employees were confused by the term “public record”. This topic covers electronic and paper public records. Percent of Interviewed Average years employed Category Management Supervisor Staff TOTAL Management Supervisor Staff Broad 100% 95% 86% 92% 14 15 10 Narrow 5% 9% 6% 16 15 No idea 5% 2% 24 A small number of staff and supervisors had “no idea” or a “narrow” perspective as to public records. As indicated, six percent (6%) of those interviewed did not think public records were broadly defined. Two percent (2%) did not have an idea what a public record was. These two categories of response were more concentrated with staff (as opposed to supervisors or managers) and were on average with staff with a longer work history with the County. Selected Electronic Communications - Retention, Access and Storage report #13/14-4 August 2014 Page 10 of 23 Table 3: Interview data on understanding of retention. Table 4: Interview data on understanding of length of retention. Do you know which records (paper or electronic) you must retain as part of your job? Percent of Interviewed Category descriptions Category Management Supervisor Staff Total “Yes-indeterminate” responses indicated they thought they indicated they understood retention and they saved everything indiscriminately. “Selective”, was for the majority respondents with some understanding for specific areas but lacked a more global perspective of retention. Yes-indeterminate 57% 27% 9% 24% Yes 14% 18% 0% 10% Selective 14% 45% 68% 51% No 14% 9% 23% 16% Answers other than “Yes” indicated some misunderstanding of what retention requires. Ninety-one percent (91%) could benefit from additional information/direction on this topic. Do you know how long to retain records (paper or electronic) and when they can be destroyed? Percent of Interviewed Category descriptions Category Management Supervisor Staff Total “Yes-indeterminate” responses indicated they retained everything forever. “Selective”, was for those respondents with some understanding for specific areas but lacked additional Yes-indeterminate 14% 2% Yes 29% 59% 45% 49% Selective 14% 18% 10% No 43% 23% 55% 39% Fifty-one percent (51%) lacked sufficient understanding as to how long they needed to retain public records. A number of employees interviewed had incorrect practices that they take without regard to retention category, including:  retaining everything forever,  deleting all sent mail,  deleting all mail once addressed regardless of content, and  retaining deleted mail until there were storage concerns. Selected Electronic Communications - Retention, Access and Storage report #13/14-4 August 2014 Page 11 of 23 Table 5: Interview data on understanding of Department retentions. Table 6: Assessment of risk of deleting public records (email) Are you familiar with the record retention schedule for your department? Percent of Interviewed Category Management Supervisor Staff Total No 71% 32% 64% 51% Some 0% 9% 5% 6% Yes 29% 59% 32% 43% Fifty-one percent (51%) were not familiar with their department’s record retention schedule. Records retention schedules address both paper and electronic records. Is there a risk of deleting email public records? Employees interviewed were asked about the email records they deleted. Based upon their responses, it was assessed whether there was a risk of email documents being deleted that may have needed to be retained. Percent of Interviewed Category Management Supervisor Staff Total No 86% 77% 41% 63% Possibly 14% 23% 59% 37% As indicated above, thirty-seven percent (37%) appear to be at a greater risk for not retaining email records. This risk was greatest with staff. This also extended to treatment of sent email. As indicated in the background of the report, public officials have significant responsibilities as to the management of public records. This includes knowing when and how to dispose of records meeting retention requirements. The County does not provide consistent training on these topics and has not included this in the new hire orientation. Twenty-five percent (25%) of staff indicate little or no training on electronic records. Most indicated some level of training had been received. A number of staff indicated confusion over information provided on email retention. In the absence of providing a consistent training on this topic, staff may not receive appropriate resources for managing their public records (either in paper or electronic form). Selected Electronic Communications - Retention, Access and Storage report #13/14-4 August 2014 Page 12 of 23 In addition, a significant number of non-County staff have County email accounts. It appears there may be around 13% of County email accounts belong to non-County personnel. Those appear to be for valid County purposes for other local government staff working with the County, volunteers, and vendors. Each of these email accounts being used may be creating potential public records. It is not clear the extent there has been training provided to these non-County staff on public records and retention rules for these email accounts. It is recommended the County provide sufficient new-hire, initial and ongoing training on County policies and procedures regarding public records, retention categories and County management of public records to adhere to County and State requirements.  It is recommended this training apply to all County staff and non-County staff using County systems unless management has developed procedures to exempt them.  It is recommended for Departments to provide retention specific guidance to staff for frequently encountered areas of retention. County technology solutions may not be achieving electronic record management goals. Forty-three percent (43%) of departments appear to have some form of electronic record management system. These solutions were primarily for a core business function of a department but not all functions of the department. County solutions vary significantly and many have not established systems to comply with the disposal requirements for public records. Many departments maintain duplicate paper files. It is not clear electronic records are being identified with retention categories and how staff are complying with destruction of all copies of electronic records at the end of their retention. The County has provided computerized email storage tools that do not effectively address record management and retention. The current technology only provides a storage solution.  The County has provided an email vaulting solution to help users stay within the email storage provided. This solution does not distinguish the proper record retention length of the email records. Many users are not aware the system is not meeting those types of requirements. Users have default time spans for retention that are not consistent with the type of records. For most users there is a default of 10 years set for retention, but it can be shorter. County IT is quick to point out this system is not a records management system. In addition, there has not been consistent and clear communication on what the email vaulting solutions would accomplish and what they will not. With a Selected Electronic Communications - Retention, Access and Storage report #13/14-4 August 2014 Page 13 of 23 solution with a predetermined storage life, it is not clear how the destruction process will occur and whether staff will be able to retain records.  One County department utilizes a cloud email solution that also does not distinguish the appropriate record retention. Additionally, all records are being retained for an indefinite period. This system may be an electronic records system; however, the administrative components fail to address retention or record destruction components.  In addition, each of these systems provides time frames for holding records where the recipient can no longer delete records. This allows more records to be retained than are public records. An electronic records management solution, from the State Archivist’s perspective, is a recordkeeping system that captures, maintains and provides access to electronic records as evidence over time and allows for disposition according to records retention schedules. The State Archivist recommends for state electronic records management systems to be DoD 5015.2-STD certified. The use of electronic records management systems can help:  when automating a business process that necessitates the records to be collected, organized, and categorized to facilitate their retrieval, use, disposition, and preservation.  managing records from desktop applications where the electronic version of the record will be the official copy.  maintaining electronic mail in an electronic format for recordkeeping purposes.  facilitating the transfer of permanent electronic mail records to the Archives Division. The County systems identified as potential “electronic records management systems” were not fully assessed for this standard. In the absence of an effective electronic record system, the County may have a more difficult time meeting its record management responsibilities. Proper information governance provides for getting rid of information that no longer has any value to the organization or maintaining information that will continue to have value to the organization beyond the applicable retention period. Electronic records systems, with capabilities recommended by the State Archivist, can provide efficiencies in consistently automating the retention process. The County’s solutions do not have a records management component for addressing retention and destruction. There do appear to be solutions available. The Oregon Records Management Solution (ORMS) is the first statewide electronic records management solution. It is the result of a unique public- private partnership between the Oregon Secretary of State Archives Division, Chaves Consulting, Inc. (CCI) and Arikkan, Inc. to implement the first statewide electronic records management solution of its kind in the Selected Electronic Communications - Retention, Access and Storage report #13/14-4 August 2014 Page 14 of 23 country. Many employees are retaining all electronic records with no identification of retention. It is unclear how these electronic records can be appropriately destroyed without addressing their retention category. The additional records can make it more difficult to locate appropriate records and defer the cost of their identification and destruction (for non-permanent records) to the future. Failing to address retention may lead to public records being destroyed that should have been retained and records retained that should be destroyed. In the case of litigation, failure to retain records may result in large damage awards or sanctions. It is recommended the County consider adding and/or utilizing electronic record management systems to manage retention, provide access and provide appropriate destruction of records beyond their retention. It is recommended for IT to assist in vetting and supporting any electronic records management systems contemplated. It is recommended for the County to address the State Archivist recommendations for electronic records management systems. To the extent a system is in place, it is recommended management develop an approach to meeting document management objectives. Some employees have non-working email vaults. For the interviewed staff, around eight percent (8%) did not have their email vaulting solution working. Additional analysis of email vaults between July 2013 and May 2014 identified additional non-working email vaults. A working email vault is required to provide for adequate storage of emails. Adequate storage is necessary for holding electronic records deemed to be public records. For staff without a working email vault, this meant they could not hold as many emails and the possibility that they would need to move or delete emails to make room for more. Without sufficient training, staff were not aware of what to expect from a working email vaulting solution. Sometimes this resulted in the staff coming up with other ways to manage their storage. This could lead to deleting records before their required retention had been reached. The IT department has not been tasked with monitoring the activity of the vaults. Some vaults were either Selected Electronic Communications - Retention, Access and Storage report #13/14-4 August 2014 Page 15 of 23 erroneously turned off or were never activated. It is recommended for the IT department to periodically monitor for non-working email vaults. This may be accomplished by monitoring the email vault statistics for no activity or inactivity. Graph 1: Use of technology for those interviewed. The use of other technologies is increasing. During the interviews, the nature and types of devices was assessed. If you had looked at this topic 10 years ago, the composition would have likely been more skewed towards use of County cellphones (perhaps even pagers) than today. Today, staff often will use their personal cellphones for county business. Of those using personal cellphones, some will use texting. Only a couple of staff used personal tablet devices to read County email. Most of those interviewed about texts indicated very little of it would rise to the level of a public record. Many of those had not considered the ramifications for when these texts rise to the level of a public record. Selected Electronic Communications - Retention, Access and Storage report #13/14-4 August 2014 Page 16 of 23 What has been noticed is the rise in texts among the younger generations. Much like the penetration of email into organizations, texting could well become more widely used in business (in content and significance). Many County customers are seeking to communicate with our service providers by text. In addition, website and social media provide many opportunities for information to be presented. Some of this information may be a public record. The difficulty with social media information is its dynamic nature. It is always changing and therefore I could necessitate a changing public record over time. Understanding the content allowed and whose responsibility for capturing the public record can be important. In the absence of clear policies and procedures, it will be difficult to assure that texts, social media, website content, are properly retained as potential public records. Using a mix of personal devices can also make it more difficult. A number of department staff had a healthy separation of business and personal device usage that probably encourages proper treatment of records created from these devices. It is recommended for the County to address texts, social media, website content and usage of personal devices in its policy for public records. As noted previously, some of this work County Legal Counsel has commenced. Note: Staff for the State Archivist Division indicated one possible solution for texts is to include a County email address in the discussion thread, thereby creating an associated email history for any text conversations that can more easily be retained as the public record. Selected Electronic Communications - Retention, Access and Storage report #13/14-4 August 2014 Page 17 of 23 4. Management Responses – County Clerk’s Office, Nancy Blankenship, County Clerk August 21, 2014 TO: David Givans, County Internal Auditor FROM: Nancy Blankenship, Deschutes County Clerk RE: Selected Electronic Communications (email and tests) – Retention, Access and Storage Audit #1314-4 This is in response to the above mentioned audit’s findings and recommendations related to the Deschutes County Clerk’s office. I agree with all the recommendations of the audit. As a records manager, I fully support implementing records management systems following state requirements and guidelines. Record Management systems, focusing on retention, access and disposition, can range in complexity and flexibility in structure. 3.1 County and department policies on electronic communications It is recommended for the County Clerk and County Management to implement a records management program for public records consistent with the State’s requirements. ► Record management programs offer accessible storage; search and retrieval; retention and disposition outside the creating program. To implement a records management program for the County’s electronic communications, and other emerging technologies, a committee(s) should be formed to first, plan the approach and create and implement policies. At a minimum, this step should involve administration, legal, IT and clerk. The next step, research and implementation, would include: ● identify and evaluate currently used record management systems within departments, Selected Electronic Communications - Retention, Access and Storage report #13/14-4 August 2014 Page 18 of 23 Management responses – (continued) ● evaluate potential solution(s), ● test and implement solution(s), and ● develop initial and ongoing staff training, adding modules for increased levels of responsibility. Using a systematic roll out, including a testing component, may be of benefit. Utilizing common solutions may offer cost savings, increase efficiencies between departments for electronic communications and other records, and simplify public records requests. It is recommended the County and Departments in consultation with the County Clerk and County Legal Counsel consider how it may best leverage available electronic records management tools in a cost effective manner to address common needs for electronic document management. ► As mentioned above, this recommendation is addressed during the second step. There may be multiple solutions depending on department size and need; however, there are advantages to using common solutions to gain efficiencies. This aspect of the effort may take multiple years to complete. It is recommended for the County to complete the development of policies and procedures over electronic public records. These should address the areas in the draft policy requiring further development as well as methods to assess, monitor and enforce the policies and procedures. ► Policy, as an initial component of the planning and development process, would guide the solution search and procedure development. It is recommended for current Departmental policies to be revisited and modified to be consistent with the revised Countywide policies and procedures for electronic public records. ► As mentioned above, current department policies and systems should be reviewed. In addition to gleaming department needs from their current policies, the process would allow departments to prepare f or possible amendments to conform to Countywide policies. 3.2 Retention, storage and access practices for electronic communications It is recommended the County provide sufficient new-hire, initial and ongoing training on County policies and procedures regarding public records, retention categories and County management of public records to adhere to County and State requirements. ● It is recommended this training apply to all County staff and non-County staff using County systems unless management has developed procedures to exempt them. ● It is recommended for Departments to provide retention specific guidance to staff for frequently Selected Electronic Communications - Retention, Access and Storage report #13/14-4 August 2014 Page 19 of 23 Management responses – (continued) encountered areas of retention. ► Staff training covering the basics from what a public record is to requirements for retention, storage, search, retrieval, access and disposition should be provided initially and regularly. Although all staff should understand they receive, create and use public records every day, different levels of training would benefit those with various levels of responsibility within the record’s life cycle. Resources are available to assist with this through the Clerk’s office, State Archives and various associations specializing in records management. A benefit of this exercise is providing education and training for the management of all public records. It is recommended the County consider adding and/or utilizing electronic record management systems to manage to the stated retention, provide access and provide appropriate destruction of records beyond their retention. It is recommended for IT to assist in vetting and supporting any electronic records management systems contemplated. ► IT would be an essential partner to vet and support any solution considered. A best practice seeks solutions that provide continuous retention activities for both current and “to be developed” electronic management systems. Solutions would include modules to meet state requirements and guidelines for retention, access and disposition. It is recommended for the County to address the State Archivist recommendations for electronic records management systems. To the extent a system is in place, it is recommended management develop an approach to meeting document management objectives. ► Recommendation should be met during the solution evaluation and implementation step mentioned previously. It is recommended for the IT department to periodically monitor the email vault statistics to look for no activity or inactivity. ► Good practice. It is recommended for the County to address texts, social media, website content and usage of personal devices in its policy for public records. ► The above mentioned electronic communications are public records that should be addressed in the Countywide policies. As use increases, capturing content would be a vital component of County policies and procedures. Selected Electronic Communications - Retention, Access and Storage report #13/14-4 August 2014 Page 20 of 23 Management responses – (continued) County Administration, Legal Counsel, and Information Technology – Tom Anderson, County Administrator This memo serves as a joint management response from the County Administrator's Office, Legal Counsel, and Information Technology Department to the Selected Electronic Communications (email and texts) - Retention, Access, and Storage Audit ( # 1314-4 ). General Comments The audit begins with a discussion of e-mail and text electronic communications, but the subsequent findings and recommendations appear to extend to public records more broadly, including the identification, storage, retention and destruction of records whether paper or electronic. Public records administration is an important and very complex topic. In fact, the Secretary of State's administrative rules pertaining to the retention schedule for counties and special districts cover over 60 pages and more than 500 categories of records. The County has long had procedures and protocols governing paper records, and on an ad hoc basis has applied public records law to the management of e-mail. It is acknowledged however that email records management, along with certain aspects of paper records management, has not been formalized into a clear and consistent public records policy. Therefore, while management is committed to implementing the recommendations contained in this Selected Electronic Communications - Retention, Access and Storage report #13/14-4 August 2014 Page 21 of 23 Management responses – (continued) report, it is important to acknowledge that full implementation is a major undertaking that will take time and a sizable commitment of resources, both in terms of staff time and County funds. In addition, successful implementation of the audit recommendations will include clearer guidance to staff through the development of a County policy and training, along with departments evaluating and determining the best solutions that are fiscally responsible and meet their operational needs. Management Response to Audit Recommendations 3.1 It is recommended for the County Clerk and County Management to implement a records management program for electronic public records consistent with the State's requirements. Response: We support this recommendation. Although decentralized, a records management program exists and is available to departments. However, to address this recommendation, Management supports formalizing a records management program through the development of a County policy (currently, the County relies on the Oregon Revised Statutes and Oregon Administrative Rules to provide guidance to employees) and training. It is recommended the County and Departments in consultation with the County Clerk and County Legal Counsel consider how it may best leverage available electronic records management tools in a cost effective manner to address common needs for electronic document management. Response: We support this recommendation. The following electronic records management tools are available to departments: Laserfiche, Adobe Acrobat, and email vaulting. In addition, many departments use specific software to store and manage electronic records. For example, Health Services Department client records are maintained in an Electronic Health Record (EHR) software system. The County Clerk's Office and Information Technology Department are available as internal consultants to departments requesting advice and guidance on electronic records management tools. County Legal Counsel is available for legal advice related to public records and retention. It is recommended for the County to complete the development of policies and procedures over electronic public records. These should address the areas in the draft policy requiring further development as well as methods to assess, monitor and enforce the policies and procedures. Response: We agree with this recommendation. Management is committed to working with the County Clerk to write a County policy addressing the retention of electronic public records. It is recommended for current departmental policies to be revisited and modified to be consistent with the revised Countywide policies and procedures for electronic public records. Response: We agree with this recommendation. Once a Countywide electronic records retention policy is adopted, a Selected Electronic Communications - Retention, Access and Storage report #13/14-4 August 2014 Page 22 of 23 Management responses – (continued) departmental policy on this same issue may be more restrictive, but not less restrictive than the County policy. Departments will need to review any department policy on electronic public records to ensure compliance with the County policy. 3.2 It is recommended the County provide sufficient new-hire, initial, and ongoing training on County policies and procedures regarding public records, retention categories and County management of public records to adhere to County and State requirements. Response: We agree with this recommendation. After a policy is developed and adopted, Management is committed to providing training to employees and selected volunteer staff (advisory commissions, committees, interns, etc.). In addition, the County Clerk's Office is an ongoing resource available to departments for guidance on retention schedules and business processes to effectively manage electronic records. It is recommended the County consider adding and/or utilizing electronic record management systems to manage to the state retention, provide access and provide appropriate destruction of records beyond their retention. It is recommended for IT to assist in vetting and supporting any electronic records management systems contemplated. Response: We agree with this recommendation. Currently, Laserfiche, Adobe Acrobat, and email vaulting are tools available to departments. Departments will need to determine if an electronic record management system best meets their business needs. Staff from lT have assisted and will continue to assist departments in this analysis, if requested. It is recommended for the County to address the State Archivist recommendations for electronic records management systems. To the extent a system is in place, it is recommended management develop an approach to meeting document management objectives. Response: We agree with this recommendation. Laserfiche meets the State Archivist recommendations for electronic records management systems. For departments wishing to implement an electronic records management system, lT and County Clerk's Office will recommend that the system meet the State Archivist recommendations. This requirement will also be contained in the County policy related to electronic records. It is recommended for the IT department to periodically monitor for non-working email vaults. Response: We agree with this recommendation. However, an upgrade to the County's email system (Outlook) scheduled for January/February 2015 will address this concern. With the upgrade, the email vault will be fully integrated into Outlook and not require vaulting to be activated. Selected Electronic Communications - Retention, Access and Storage report #13/14-4 August 2014 Page 23 of 23 Management responses – (continued) Fair & Expo Department, Dan Despotopulos, Fair & Expo Director It is recommended for the County to address texts, social media, website content and usage of personal devices in its policy for public records. Response: We agree with this recommendation. Each of these categories of electronic records will be evaluated on a case-by-case basis and addressed in a County policy (either an electronic records policy or a social media policy). c: David Doyle, Legal Counsel Nancy Blankenship, County Clerk Jeff Sageser, Deputy County Clerk Erik Kropp, Deputy County Administrator Joe Sadony, IT Director For the following: It is recommended for the County to complete the development of policies and procedures over electronic public records. These should address the areas in the draft policy requiring further development as well as methods to assess, monitor and enforce the policies and procedures. It is recommended for current Departmental policies to be revisited and modified to be consistent with the revised Countywide policies and procedures for electronic public records. It is recommended the County provide sufficient new-hire, initial and ongoing training on County policies and procedures regarding public records, retention categories and County management of public records to adhere to County and State requirements. • It is recommended this training apply to all County staff and non-County staff using County systems unless management has developed procedures to exempt them. • It is recommended for Departments to provide retention specific guidance to staff for frequently encountered areas of retention. I strongly feel the above recommendations are needed. {End of Report} Please take a survey on this report by clicking on the attached link: https://www.surveymonkey.com/s/Selected-Electronic-Communications