
Email is a record

The Public Records Act 1973 defines public records as any records created or received by a public officer while doing their job, no matter the format. This includes emails, even those sent or received from private accounts, if they are part of the officer's work. These records must be managed according to PROV Standards.

 

Key steps for managing emails

Emails routinely contain critical information and evidence of actions, decisions and approvals. Email systems are designed to create, send and store electronic communications, but not to effectively manage them as records. If arrangements are not in place to ensure these records are held in a shared corporate information system capable of managing them in accordance with PROV Standards, records containing critical information will be lost.

To manage email records effectively, public offices should:

  1. Determine the best method for capturing and storing email records, with any attachments, to ensure they remain accessible and preserved for the required legal duration.
  2. Develop clear policies and procedures about which emails need to be retained in accordance with PROV requirements, and the actions staff need to take.
  3. Regularly communicate requirements to staff and incorporate them into induction and training.
  4. Periodically check that emails are being stored correctly, and staff are meeting requirements.
  5. Understand and manage risks associated with email and email systems, including consideration of system capabilities and integrity of emails when migrating from one system to another.

Public offices should also include email management in their broader information, records and data management policies. This should define:

  • Which emails need to be captured as records
  • Who is responsible for capturing records from email systems and when
  • How emails should be captured (with some actions potentially automated by the system).

Ongoing communication, training and support are critical for ensuring proper management of email records.

How to manage email records

Official business email records should be created, captured and stored in a system that can effectively manage them for the duration of their required retention period. This could be an Electronic Document and Records Management System (EDRMS) or another organisational system which can manage them in accordance with PROV Standards.

With technologies like Microsoft 365, managing emails directly has become more feasible, offering integration for various records formats. However, it is critical to ensure that retention policies, system capabilities and governance are well understood and properly applied in line with PROV Standards. See our guidance on managing records in Microsoft 365.

Therefore, email records must be created, captured and stored in context, with effective search, access and disposal capabilities.

Email records with permanent value should be retained as State Archives and transferred to PROV at the appropriate agreed time. For more information, refer to the guidelines on transferring records to PROV.

There is not one set retention period for emails. How long they are kept depends on their purpose and content, not their format. Emails documenting public office business should be treated as official records and kept for as long as needed based on the relevant business function and activity.

Emails can generally be classified into the following types:

  1. Spam/Junk Emails: Some emails are spam or unsolicited 'junk' messages. These do not relate to personal communication or legitimate business activities. They often include phishing attempts or unsolicited offers, even from reputable organisations. Security considerations must also be taken into account when managing such emails.

Spam/junk emails do not need to be kept. Manage these email types in accordance with your organisation's security policies.

  2. Personal Emails: These relate to personal matters unrelated to official business. Examples include lunch plans, family arrangements, or any private or personal matter which is unrelated to the business of the organisation. If a personal email contains work-related information, it becomes a public record.

Personal emails are not public records and can be destroyed as soon as staff no longer require them.

  3. Ephemeral Emails: These facilitate business activity but do not need to be retained. Examples include notices of meetings, copies or reports, staff out-of-office messages, externally received advertising and other publicly available material. Internal emails where you are not the primary recipient also fall under this category (that is, where the email has been sent to you as cc or bcc).

Ephemeral emails can be destroyed as part of Normal Administrative Practice (NAP).

  4. Official Business Emails: These are part of the public record and document the public office's business activities. Examples include formal approval communications, directions for important actions and business correspondence from external sources.

Official business emails must be retained for as long as is determined by the relevant Retention and Disposal Authorities (RDAs).

If the answer is 'yes' to any of the following questions, the email is an official business record and must be managed accordingly:

| Topic | Question | Yes or No |
|---|---|---|
| Work-related Communication | Does this email relate to business or work? | |
| | Is it a formal communication between staff or with external parties relating to work? | |
| | Is it something I have sent or received for a business purpose? | |
| Action or Approval Required | Does this email require action from me or others? | |
| | Does it approve or authorise actions or decisions? | |
| Policy or Business Impact | Does this email signify a policy change, development or business deal? | |
| | Does it contain advice, guidance or formal communications that affect work inside or outside the organisation? | |
| Recordkeeping and Continuity | If I left this job would my successor need this information to continue the matter? | |
| | Is this communication something that may be reviewed or audited later? | |

Risks and issues

Emails that are official business records should be accessible to authorised staff, allowing them to retrieve relevant messages regardless of who sent or received them. If emails are stored in the email system, they are typically only accessible by the sender and recipient(s). However, even the sender or recipient may have difficulty finding a specific email over time due to the high volume of messages and the limited search functionality.

Email backups are inadequate as a preservation method. Retrieving individual records from backup environments is typically time-consuming and costly, particularly if detailed metadata has not been retained with them.

Alternative access methods should also be considered, as users may access emails via personal phones or internet browsers. These methods introduce security risks that must be managed appropriately.

Additionally, if email management is part of a service or subscription provided, public offices must ensure that when a service provider contract ends, public records are still managed securely, and access is maintained until the records are either transferred or destroyed.

Refer to PROV's Enterprise Mobility Policy and Cloud Services Policy for more information.

To ensure emails remain reliable records they must not be altered unless authorised, as any changes could compromise their authenticity as evidence. Many email systems allow modifications after messages have been sent or received, which can pose a risk in disputes where proving the original content is crucial.

To prevent unauthorised changes, it is important to use systems that maintain email integrity and make alterations detectable. Strong policies, oversight and security measures should be in place to protect the integrity of these records.

Proper classification is essential for managing emails and records effectively. It ensures emails are stored and linked with related documents across different formats, helping to create a complete record of events related to a specific subject, client or project. Without classification, emails can become disorganised and scattered, making it difficult to find all relevant information when needed.

To keep records secure and accessible, email classification should follow security and legal requirements, such as Protective Markings for the Victorian government, and the relevant RDA.

As technology changes, some file formats may become outdated, making old emails unreadable. This is a major risk for long-term records, especially those with permanent value. While some emails may only need to be kept for a few years, others must remain accessible for a substantial period of time or even permanently (in which case they must be transferred to PROV at the appropriate agreed time).

The Victorian Electronic Records Strategy (VERS) provides a technical solution for this issue by defining approved formats for long-term preservation. The MIME (.eml) format is the approved format for email records.

When transferring emails between systems, it is essential to ensure they remain complete and unaltered as official records. Risks include data loss, broken email chains and difficulties in retrieving accurate records, which can be problematic in legal cases, audits or investigations. Reliable backup solutions should be in place to ensure emails can be recovered within set timeframes, avoiding costly recovery efforts.

Migration challenges, such as incompatible formats, broken links to external records, encrypted emails that require user input, and reliance on users to categorise emails can impact record integrity. A well-planned migration strategy is necessary to maintain data accuracy, preserve records and ensure accessibility. For further details, refer to the Migration topic page.
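The integrity and migration risks described above (altered messages, lost messages and broken email chains) can be checked mechanically when records are held as .eml files. The following is an added example, not PROV code: the header set, function names and sample messages are assumptions constructed for illustration.

```python
import hashlib
from email import message_from_bytes, policy

# Headers whose values must survive migration unchanged (an assumed set).
FIXED_HEADERS = ("From", "To", "Cc", "Date", "Subject", "Message-ID", "In-Reply-To")

def fingerprint(raw: bytes) -> dict:
    """Parse one .eml file and digest its fixed headers, body and attachments."""
    msg = message_from_bytes(raw, policy=policy.default)
    h = hashlib.sha256()
    for name in FIXED_HEADERS:
        h.update(f"{name}:{msg.get(name, '')}\n".encode())
    for part in msg.walk():
        if not part.is_multipart():
            h.update(part.get_payload(decode=True) or b"")
    return {"id": str(msg.get("Message-ID", "")).strip(),
            "parent": str(msg.get("In-Reply-To", "")).strip(),
            "digest": h.hexdigest()}

def audit_migration(source: list, migrated: list) -> dict:
    """Compare pre- and post-migration .eml sets keyed by Message-ID."""
    before = {f["id"]: f for f in map(fingerprint, source)}
    after = {f["id"]: f for f in map(fingerprint, migrated)}
    return {
        "missing": sorted(before.keys() - after.keys()),
        "altered": sorted(i for i in before.keys() & after.keys()
                          if before[i]["digest"] != after[i]["digest"]),
        # A reply whose parent was captured before migration but is gone now.
        "broken_chains": sorted(i for i, f in after.items()
                                if f["parent"] in before and f["parent"] not in after),
    }

def _eml(mid: str, parent: str, body: str) -> bytes:
    """Build a constructed sample message (not real data)."""
    head = ("From: officer@example.gov\r\nTo: manager@example.gov\r\n"
            "Date: Mon, 03 Mar 2025 10:00:00 +1100\r\nSubject: Grant approval\r\n"
            f"Message-ID: {mid}\r\n")
    if parent:
        head += f"In-Reply-To: {parent}\r\n"
    return (head + "\r\n" + body + "\r\n").encode()

SOURCE = [_eml("<a1@example.gov>", "", "Please approve the grant."),
          _eml("<b2@example.gov>", "<a1@example.gov>", "Approved up to $5,000."),
          _eml("<c3@example.gov>", "<b2@example.gov>", "Thanks, proceeding.")]
# Constructed migration result: first message dropped, second message edited.
MIGRATED = [_eml("<b2@example.gov>", "<a1@example.gov>", "Approved up to $50,000."),
            SOURCE[2]]

if __name__ == "__main__":
    print(audit_migration(SOURCE, MIGRATED))
```

Recording the digests at capture time, in a store that mailbox users cannot write to, lets the same comparison detect later alterations as well as migration damage.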

Technology considerations

Technologies supporting businesses are increasingly shifting towards subscription-based models, providing a range of application tools for managing business records. Microsoft 365 is widely used across many organisations. As a cloud-based service with web applications, it offers various tools, including those for managing emails. As a result, email management requires careful alignment with records management standards and policies to ensure compliance, security and proper retention of email records.

Our Microsoft 365 topic page provides a good introduction and comprehensive guide to managing records in M365.

If choosing to use generative Artificial Intelligence (AI) tools to manage emails containing public records, it is essential to consider the implications of AI integration and ensure compliance with Victorian Public Sector (VPS) guidelines and the PROV AI Technologies and Recordkeeping Policy. Where possible, the use of AI should be disclosed to maintain transparency and accountability.

As AI technologies continue to evolve, so do their capabilities and the associated regulatory frameworks. It is important to ensure that AI-driven decision-making processes are transparent and explainable. This includes providing clear documentation on how AI systems manage records and data. For more detailed information, refer to our Artificial Intelligence topic page.
