Use of personal email accounts to conduct business by government officials has become an increasingly controversial topic, particularly in the US, where the behavior has been linked to both willful and inadvertent circumvention of public recordkeeping legislation and transparency policies. Recent rulings seek to clarify the role of personal email in government accountability, but the issue remains largely one of information management policy enforcement within organizations themselves.
Policy and awareness must come before technology
Politicians' use of personal email and other communications accounts while conducting government business has increasingly come under public scrutiny due to the existence of legislation such as the US's Managing Government Records Directive, which sets rules for the electronic management of all government email and other official records. Additional legislative mechanisms, such as the Freedom of Information Act (FOIA), deem that this information needs to be managed and maintained so that it can be retrieved and produced for the public if requested. Government entities have invested sizable technological and financial resources into ensuring systems are in place to capture official government email data for long-term management. But without individuals' compliance with policy, these systems are of little use.
The California Supreme Court recently sought to clarify the role of personal email by ruling in March 2017 that any government official's personal communications pertaining to government business may be subject to disclosure under the California Public Records Act (CPRA). While this ruling provides a clear victory for transparency, it does not in any way address the architectural challenges that come with managing communications scattered across personal devices and accounts. Just because a personal email is subject to disclosure does not mean that it is easily accessible, or even easily known to exist. The problem – one of using personal devices and accounts to conduct business – is much more easily addressed at the behavioral source, before the email is ever written or sent.
In theory, this should be a simple matter of information management policy: politicians should be trained to use only their official government email account for any official business. But in reality it is also an ethical quandary; government officials – particularly high-ranking ones – often have personal lives and contacts that are tightly interwoven with their careers and roles. Regulations push for transparency in a democratic system of government, yet the politicians that conduct government business are themselves citizens endowed with certain rights to personal privacy. Many communications fall into a "grey area" of neither purely business nor purely social nature. Thus, any solution to address the problem needs to go beyond technology and address the issues of awareness and education among those responsible for using technology in the course of their daily work.
As is the case with most security-related risks, most use of personal email in government is not necessarily malicious; it is often due to habit, convenience, conventions, and ambiguity of rules. Therefore, information management strategy at both the government and departmental levels needs to put a premium on clear, carefully architected policy that makes the functional distinction between business and personal communications simple to understand and simple to comply with. With this comes the need for ongoing training and awareness programs in order to minimize ignorance as a factor in noncompliance.
Of course, this isn't to say that technology can't play a buttressing role in good policy. For government agencies in particular, which largely deal with email communications to and from other government entities with standardized domain names, nongovernment email can be singled out for additional oversight using the auto-classification capabilities that are available with many email archiving, records management, and compliance software products that are already in use to meet legal requirements. Within these software environments, settings may be adjusted so that common nongovernment domains that are likely to belong to personal accounts (such as @gmail.com or @yahoo.com) are flagged for additional attention, review, or records policies, ensuring that they do not go unnoticed. By tracking the usage and frequency of these nongovernment accounts, problematic patterns can be detected sooner rather than later, so that training and intervention programs can be adjusted accordingly.
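The domain-flagging approach described above, sketched as an added example that is not from the original article or from any particular archiving product. The official suffixes, the review threshold, and the sample messages are assumptions constructed for illustration; only the two personal domains come from the text.

```python
from collections import Counter
from email import message_from_string
from email.utils import getaddresses

OFFICIAL_SUFFIXES = (".gov", ".mil")            # assumption: what counts as official
PERSONAL_DOMAINS = {"gmail.com", "yahoo.com"}   # domains named in the article
REVIEW_THRESHOLD = 2                            # assumption: flagged messages before review

def parties(raw):
    """Return every lower-cased address in the From, To and Cc headers."""
    msg = message_from_string(raw)
    headers = []
    for name in ("From", "To", "Cc"):
        headers += msg.get_all(name, [])
    return [addr.lower() for _, addr in getaddresses(headers) if "@" in addr]

def classify(addr):
    """Label an address official, personal (watch-listed) or other."""
    domain = addr.rsplit("@", 1)[1]
    if domain.endswith(OFFICIAL_SUFFIXES):
        return "official"
    return "personal" if domain in PERSONAL_DOMAINS else "other"

def flag_message(raw):
    """Flag a message only when official and personal accounts appear together."""
    kinds = {}
    for addr in parties(raw):
        kinds.setdefault(classify(addr), set()).add(addr)
    if kinds.get("official") and kinds.get("personal"):
        return sorted(kinds["official"]), sorted(kinds["personal"])
    return None  # internal mail and ordinary external mail are not flagged

def review_queue(messages):
    """Count flagged messages per official account; keep those at the threshold."""
    counts = Counter()
    for raw in messages:
        hit = flag_message(raw)
        if hit:
            counts.update(hit[0])
    return {a: n for a, n in counts.items() if n >= REVIEW_THRESHOLD}

# Constructed sample messages (not real traffic).
SAMPLE = [
    "From: Clerk <clerk@cityhall.example.gov>\nTo: jdoe1970@gmail.com\nSubject: budget draft\n\nx",
    "From: jdoe1970@gmail.com\nTo: clerk@cityhall.example.gov, Aide <aide@cityhall.example.gov>\nSubject: re: budget\n\nx",
    "From: clerk@cityhall.example.gov\nTo: aide@cityhall.example.gov\nSubject: agenda\n\nx",
    "From: aide@cityhall.example.gov\nTo: vendor@contractor.example.com\nSubject: invoice\n\nx",
    "From: Clerk@CityHall.Example.GOV\nTo: records@state.example.gov\nCc: someone@YAHOO.com\nSubject: minutes\n\nx",
]

if __name__ == "__main__":
    print(review_queue(SAMPLE))
```

The output is a review queue for records staff, not a verdict: a flagged message still needs a person to decide whether it concerns official business.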
Paige Bartley, Senior Analyst, Information Management