
Email Retention Policy

Prepared by: Nicky K

Overview
Electronic mail and messaging services are considered a critical means of transmitting information
within the organization. As such, this Email Retention Policy has been developed to give
employees guidelines on email retention based on two major factors, namely:
1. The kind of information sent or received via email that should be retained.
2. The duration that the information should be retained.
The information managed by the organization is defined as, but not limited to, information
which is stored, sent or received through email or other messaging platforms defined by the
organization.

Purpose
The purpose of this policy is to help employees determine the kind of information sent or
received by email and the duration of its retention. All employees are expected to familiarize
themselves with the email retention areas that are covered by this organization’s policy.
This policy is developed based on standards and specific guidelines to address the best email
retention practices that the organization values. Employees are advised to seek clarification on
specific parts of the policy from their departmental heads and line managers. Any other inquiry
or request for clarification can be forwarded to the information security team for action.
A breach of this policy may result in disciplinary action as deemed necessary.

Scope
This retention policy applies to:

• All electronic mail and messaging systems managed by the organization.
• All users and account holders of the organization’s electronic mail and messaging
accounts.
• All messages sent or received using email and messaging systems.
Any email that contains information within the scope of the organization’s operations and
communication should be treated in that manner. Organization email information can be
categorized into the main classifications below, each with a recommended retention period:
• Administrative Correspondence (5 years)
• Fiscal Correspondence (5 years)
• General Correspondence (1 year)
• Personal Correspondence (Retain until read, destroy on end of usefulness)

Policy
1. Administrative Correspondence
This correspondence defines the organization’s established operating policy, including
holidays, working hours, dress code, workplace behavior and any legal issues that affect the
organization. In this regard, all email correspondence with the sensitivity label
Management Only shall be deemed Administrative Correspondence.
Retention of this correspondence is critical; employees are therefore required to copy
the administrative mailbox provided by the Information Technology department.
2. Fiscal Correspondence
This correspondence covers all information related to revenue and expense in the
organization. Any information sent or received that fits this description shall be deemed
critical and must be retained as per the specified guidelines below.
Retention of this correspondence is critical; employees are therefore required to copy
the finance operations mailbox, and retention will be maintained by the IT department.
3. General Correspondence
This correspondence covers all information that relates to customer communication, inquiries,
partner communication and operational communication of the organization.
The retention of this correspondence and related information is to be done by the individual
employee. It is to be retained for a stipulated period of 1 year, after which
the information can be deleted.
4. Personal Correspondence
This correspondence covers a wide scope of email information such as personal email,
recommendation and review emails, product development emails, status report emails and
subscription emails, among others.
Employees are advised to read these emails and delete them at the end of their usefulness. They
are considered transitory emails and should be deleted as soon as possible.
5. Email backup copies
Backup copies of the organization’s email system are created daily. The purpose of the backup
files is system restoration in the case of a disaster. Employees are advised against retrieving
emails from these backup systems, as they are not designed to allow such operations.
Employees are also advised to create email archives to maintain email correspondence that is
a year old or older. This is to keep the size of the mailbox within the desired limit set by the
organization.

6. General Standards
a. Approved Email systems
The organization’s approved email systems include those approved and supported by the IT
department. These include the email systems in the organization’s domains and cloud systems.
Any use of other email accounts, for example personal email accounts, to transmit organization
data is prohibited.
b. Approved email and file types
The organization requires that employees follow the stipulated official email addressing format
for communication, including salutation and signature rules. Employees should also take note of
the file size allowed to be sent via email services. Any request for further clarification should
be addressed to the IT department for assistance.

Policy compliance
Compliance Measurement

• Email system reports and logs should be checked on a weekly and monthly basis.
• Regular audits of the email systems by both internal and external auditors.
• Regular training and reminders to employees on the email retention policy and
compliance.
• Policy compliance reports should be generated on a quarterly basis for tracking; any
discrepancies should be addressed immediately.
Exceptions
Any exception to the email retention policy must first be addressed and approved by the IT
department. As such, legal requests should first be channeled to the IT department for action.
Non-Compliance
Any employee found to have violated this email retention policy shall be subject to disciplinary
action deemed fair, which may include termination of employment.

Related Policies
• Email use policy
• Overall security policy
