Section 2: Best Practices in Managing Email

Is Email a record?

Yes, Email contains recorded information and, as such, falls within the definition of a ‘record’ under both Western’s University Records and Archives Policy (MAPP 1.30) and the Freedom of Information and Protection of Privacy Act (FIPPA).

What does Email being a record mean in practice?

Email is subject to the same rules that apply to all other University records. As well, under FIPPA, access to Email messages can be requested and the privacy protection provisions apply to any personal information they may contain.

Does all Email need to be kept?

No. As with any other University record, retention and disposal decisions regarding Email should be made on the basis of the information contained in the message. Some Email messages can be disposed of immediately. Others, such as those that document substantive business activities and/or related decisions, should be retained longer.

How long should an Email be kept?

There is no standard retention period for Email.  As with any other type of record, it depends on the nature of the information contained in the message. If the Email contains personal information, requires that the information be retained for at least one year after its last use by the University. However, FIPPA does permit a shorter retention period with the consent of the individual to whom the information relates.

The key point is that the personal information must have been used (i.e., acted upon or used to make a decision or evaluation), not just received. Also, the focus is on the personal information, not the Email. As long as personal information that has been used is retained somewhere for one year (e.g., copied to a network drive, printed and filed, etc), the Email itself need not be kept.

FIPPA does not specify the maximum length that records containing personal information should be kept. FIPPA also does not specify any retention periods (minimum or maximum) for records that do not contain personal information. Decisions on how long to keep Emails, as with any other record, should reflect the importance of the information contained in the message and the activity or function it supports, and should be in accordance with relevant University retention schedules. Contact Western Libraries' Records Management Services for more information.

Doesn't FIPPA require that all Email messages be kept for one year?

No. The only requirement under FIPPA is a minimum retention period of one-year after last use for personal information that is used by an institution, unless the person to which the information relates agrees to a shorter period.
The key point is that the personal information must have been used (i.e., acted upon or used to make a decision or evaluation), not just received. Also, the focus is on the personal information, not the Email. As long as personal information that has been used is retained somewhere for one year (e.g., copied to a network drive, printed and filed, etc), the Email itself need not be kept.
FIPPA does not specify any retention periods for records that do not contain personal information.

Can some Email be disposed of quickly?

Yes. Email messages containing information for your personal purposes, such as those making arrangements for social engagements or extracurricular activities, are not University records and should be disposed of as soon as possible. Similarly, work related Email messages of a transitory nature may be deleted as soon as they have served their immediate purpose. Examples of such messages include:

  • unsolicited messages, such as advertising or list-serv postings;
  • messages forwarded for information purposes only;
  • messages copied for information purposes only;
  • transmittal messages where the attachment is retained elsewhere.

What about messages soliciting feedback, providing comments or planning events?

Because of its ease of use, Email often replaces casual conversations and face-to-face discussions of various work-related issues. These often take the form of requests for comments and subsequent feedback or revisions to drafts of documents.
While many such messages may be important in the short term, their value diminishes over time and they need not be retained after the work to which they relate is complete. As a rule of thumb, Email messages used to produce a final version of a document that is subsequently maintained elsewhere in a department (electronically or in hard copy) can be deleted once that final version is produced.

Who is responsible for retaining important Email messages?

This depends on an individual’s role and responsibility for certain functions, as well as the department’s record-keeping practices. For example, if a person responsible for preparing a report solicits input via Email, that person should ensure that the relevant information is retained once the report is finalized, either by keeping it or placing it in the departmental files. In contrast, those who provided input need not keep copies of their comments unless they have their own work-related reason to keep the information.

Does Email have to be retained on the mail system or, indeed, electronically at all?

No. The focus of retention should be on the information, not the recording medium. Depending on unit or individual practice, Email messages that warrant retention can be stored electronically on the Email system itself or on a network drive (storage solely on local drives or external devices is not recommended). Email messages can also be incorporated into electronic document management systems, either in their native format or as digitized images. Finally, where appropriate, Email messages can be printed and filed with other paper documents relating to the same subject or issue.

What happens if an Email that should have been deleted some time ago still exists and becomes the subject of a formal access request under FIPPA?

Once a formal access request is received it has the effect of “freezing” all potentially responsive records. Even if the Email should have been destroyed, if it exists when the request is received it must be included within the scope of the request. Deleting any responsive records after a formal access request is received may have potentially serious repercussions for both the University and the individuals involved.

Is there any type of information that should not be communicated via Email?

Because Email is not secure it is important to use caution when sending or requesting sensitive information. This is especially true when dealing with personal information. The use of Email to send or request sensitive personal information (e.g. medical details relating to a grade appeal) is strongly discouraged.

What if I am not sure about what to do with a specific Email or a type of message?

If you have any doubts about the value of an Email message as an official record, contact Western Archives for advice. In the meantime, it is better to retain such a message than delete it and lose potentially valuable information.

Does FIPPA apply to Email?

Yes, FIPPA applies to Emails. They are considered records under the Act and are subject to the same provisions, exemptions and exclusions as any other type of record. As long as the information in the Email does not fall into one of the exclusions outlined in the Act, this means that:

  • Emails containing personal information (e.g., academic information, medical information, SIN, financial information, home address, etc.) must be protected and dealt with in accordance with FIPPA
  • Emails are subject to access requests under FIPPA.

With respect to access requests, it is important to remember that when Western’s Information and Privacy Office has issued notice of an access request, existing Email records related to that request must not be deleted. If the content of an Email falls within a particular exclusion (e.g., employment-related, research- related, or teaching materials) the access and privacy provisions in FIPPA will not apply. However, there are various University policies that may apply, including:   

Faculty and staff should be aware of the requirements under these policies.

What should I do if I receive an Email with personal information not intended for me or personal information that I do not need to receive?

Treat the information with the same care that you would a paper record to ensure that the information is not accessible to anyone who should not see it. In some cases, it may be preferable to create a paper record by printing the Email, then deleting the electronic version. 

Should I send Emails containing personal information?

Email is an inherently insecure medium and is best viewed as no more confidential than post cards. Human error is most often the cause of privacy breaches involving Email (for example, sending materials to the wrong recipients or attaching material inadvertently to an Email). If the information is particularly sensitive (e.g. financial information relating to a student account, medical information relating to a student appeal), consider whether other means of providing the information can be used. However, if Email transmission is necessary, there are ways to protect privacy:

  • Limit the amount of personally identifiable information to only that which is necessary
  • Limit the distribution of your Email to only those recipients who need to know
  • Ensure that the Email has been addressed correctly
  • Carefully review the documentation you are attaching to ensure that you are only including necessary information
  • Consider encrypting the Email or password protecting attachments (contact WTS, your local IT support group, or consult the Cybersmart website).

Is it okay for students to see the Email addresses of other students in their class?

The @uwo.ca Email address is not considered personal information. In the case of faculty and staff, it is considered business information. In the case of students, the University considers the @uwo.ca Email as the official means of communication and publicly viewable, although students may request not to be listed with their name and Email address together in the student directory. When students need to participate with other students in their class via Email or Owl in order to fulfill course requirements, they should expect to share contact information. When communicating with large groups through Email, there are ways of concealing the list of Email addresses such as an entire class. Contact WTS or your local IT support group for information.

Should I use Gmail/ Hotmail or other providers to conduct University business?

The University provides Email accounts to all faculty, staff and students to be used in conjunction with their duties or activities at the University. This centrally administered Email account is considered your official University Email address and is the address the University will use in communicating with you. The University’s Email policy does not prevent you from using another provider, including forwarding your UWO Email account to another account. However, you should be aware of the following concerns:

  • The non-UWO service may not be as secure. Servers located in foreign jurisdictions are subject to the laws of those jurisdictions.
  • The Email may be viewed, modified or otherwise compromised in transit to the non- UWO server.

Should I respond to students who contact me from a Gmail/ Hotmail or other account?

It is recommended that at the beginning of a course, students be reminded to use their @uwo.ca accounts. If a student corresponds by Email from another service provider, you can advise the student that you will send responses only to the @uwo.ca address. Use your judgment whether to reply to the non-UWO account or whether to advise the student to use his or her @uwo.ca address when corresponding with you. Factors to consider include:

  • Whether you are satisfied as to the student’s identity (i.e., the writer is who he or she claims to be)
  • Whether you would prefer to ensure the integrity of the record of the correspondence by having it contained fully within the UWO system, and
  • Whether Email transmission is appropriate in light of the privacy or sensitivity of the information.

Can I access the Email of a faculty or staff member who is on vacation/extended leave/no longer with the University?

Although it is not generally permitted, such Email access may be granted in very limited cases. Contact the WTS CISO (its-ciso@uwo.ca) for details. Faculty or staff members who require regular shared accessibility may wish to consider:

  • Using shared drives;
  • Using shared Email folders;
  • Creating an Email address specific to a function rather than an individual Faculty/ staff member. 

Contact WTS, or your local IT support group for details.

I'd like to encrypt/password protect my Email. How can I do this?

Contact WTS, your local IT support group, or consult the Cybersmart website.

Does the University read my Email?

The University does not monitor individual Email accounts. However, centrally-administered Email accounts provided on University servers are institutional property and the University reserves the right to access Email records in accordance with Policy 1.20, Computing Resources Security and Email Policy 1.45.

Can I access my UWO Email upon leaving the university?

If you graduated after 2015, you will retain the @uwo address and be able to access your Email after leaving the university.  If you graduated prior to 2015, you will need to apply for Western's Alumni's Email for Life program.  To find out more information about Email for Life click here, and for any further questions, contact WTS


Published on  and maintained in Cascade CMS.