There is nothing about email per se that takes it out of the definition of a record in FIPPA, although the content of any particular email may be subject to an exclusion or exemption. As the Information and Privacy Commissioner/Ontario (IPC) has noted, “it is not in contention that email correspondence can constitute ‘records’ under the Act”. Deleted and archived emails may also be accessed (IPC Order MO-1726).
FIPPA will apply to records that came into the custody or under the control of hospitals after January 1, 2007. FIPPA defines a record as any record of information however recorded, whether in printed form, on film, by electronic means or otherwise, and includes,
- correspondence, a memorandum, a book, a plan, a map, a drawing, a diagram, a pictorial or graphic work, a photograph, a film, a microfilm, a sound recording, a videotape, a machine readable record, any other documentary material, regardless of physical form or characteristics, and any copy thereof, and
- subject to the regulations, any record that is capable of being produced from a machine readable record under the control of an institution by means of computer hardware and software or any other information storage equipment and technical expertise normally used by the institution.
Under the regulations, an institution does not have to produce a record from a machine readable record if the process of doing so would unreasonably interfere with its operations.
The IPC established criteria for determining whether records are under the control of an institution, which will be reviewed in the next BLG FOI-ables Bulletin along with a recent case on this issue.
Hospitals that have not already implemented an email policy should do so. The policy should include:
- the purposes for which the email system may be used, including the extent of use for personal purposes;
- the types of information which should not be communicated via email;
- email protocol (such as identifying recipients who need to act on the email, covering one topic per email, using clear and explicit subject lines, and who is to retain email between sender and recipient);
- hospital access to, monitoring and auditing of email;
- the application of the hospital’s record retention policy to email; and
- consequences of breaches of the email policy.
The following tips were assembled with reference to the IPC’s materials on the management and protection of email and electronic mail systems and after consultation with PSTG Consulting (www.pstgconsulting.com), which assists organizations with records management:
- restrict personal use of the email system to incidental, limited use;
- monitor email for compliance with policies (acceptable use, privacy, confidentiality) and as required for system maintenance, management and security;
- give notice of monitoring and caution that the system should not be used for private communications;
- apply existing record management systems and classifications to email;
- review records retention policy and determine how it applies to emails;
- ensure that emails are organized so as to permit their efficient search and retrieval, including retaining transmission and receipt data with the text;
- ensure emails carry a notice that they are intended only for the named recipient and a number to call if received by someone else;
- discourage the retention of duplicate messages, for example, for ease of reference; and
- enforce compliance with email and related policies.