Control of email (and other electronic media) as Records - 4.2.4


As a company, we identify email (and other electronic media) as records.
Unfortunately, our Master Record List didn't. Minor n/c from our registrar biggie. Easy enough to correct.
What I am struggling with is retention period. Our email server is via Office 365. All users 'manage' their own email accounts and we allow them the freedom to keep or delete as needed. As a general rule, for liability purposes, we don't want to keep records too long. But we don't want to restrict and have to police 100 email accounts.
Has/does anyone else face this issue? And how are you managing?

Mike C
Re: 4.2.4 - Control of Records-emails

We use a passport drive on each desktop, strictly for email backup. Active email is controlled thru ACT software. For Office outlook, the pst backup simply goes to the passport drive. There really should not be a retention problem as far as space goes, nor any extra work involved. To purposefully limit retention would actually require a bit more effort.


Just like with all electronic records, emails are part of the network backup program. Anything that has ever come in or out of email has been recorded. A user might delete emails from their .pst, but they are still there in the backup files where they can be retrieved if necessary.


We are using Microsoft Office 365 and they are our email server. If we delete an email, it remains in the Recycle Bin. If we empty the Recycle Bin, the MSO 365 server retains them for 31 days and then they are gone permanently.
As MSO 365 is somewhat new, I wonder who else is using it and how they manage it.


Trusted Information Resource
An interesting problem. I've always just dealt with it in manners similar to [hogheavenfarm] and [JodiB].

Can the MSO 365 server setting be tweaked by a knowledgeable person to either extend the retention time or dump the contents to a known archive location?


Registered is.
I am sure we can have our 'settings' adjusted on the server. But those are emails already disposed of.
I don't want to mandate a cumbersome policy within my organization that people won't follow and I don't want to open ourselves to unnecessary scrutiny by retaining things we don't need to retain...certainly a pickle...

Mark Meer

Trusted Information Resource
Because of the "4.2.4" in the thread title, I'm assuming this relates to ISO quality system requirements?

As such, I'd suggest that the question to ask yourself is: what emails are quality system records? Most email traffic, I would imagine, is probably outside this scope.

Examples of emails that would constitute quality system records might be any correspondences regarding:
- Feedback & complaints (i.e. correspondences to/from customers)
- Orders & distribution
- Regulatory correspondences to do with post-market vigilance
- Any decisions or data not otherwise documented via established process data-collection methods (e.g. forms)

Mark Meer

Trusted Information Resource
Previously, we had a system like you describe (individuals maintain their own emails, and the whole system is subject to regular backups).

But in a recent audit, we realized how much of a nightmare this can become if you need to dig up a particular email record in a timely manner. As such, we are now planning a repository of "quality system emails", and when emails are sent/received that meet the definition of a quality system record, they are exported to PDF and dumped in the repository.

This has the advantage that:
a) the emails relevant to the quality system are separated from the others; qnd
b) the emails (as records) are available to all individuals in the department.


We use GoldMine CRM software. Any relevant emails are imported into it for retention. The rest are either archived with server backups or deleted at user discretion.

The problem with "the cloud" is that you really have no direct control of your files. There's no reason you can't back them up, as suggested above, and keep them in-house. Email files take up very little room on a drive (depending on any attachments, of course).


We have ID'ed email and other electronic media as records, so the horse is already out of the barn. Yes we can change it, but then/c is already written...
Top Bottom