HHS Policy for Implementing Electronic Mail (Email) Records Management

Document #: HHS-OCIO-PIM-2020-06-005
Version #: 2.0
Last Reviewed: May 2020
Next Review: May 2023
Owner: OCIO/PIM
Approved By: Jose Arrieta, Chief Information Officer (CIO)

Table of Contents

  1. Nature of Changes
  2. Purpose
  3. Background
  4. Scope
  5. Authorities
  6. Policy
  7. Roles and Responsibilities
  8. Information and Assistance
  9. Effective Date and Implementation
  10. Approval
  11. Concurrence

Appendix A: Procedures

Appendix B: Standards

Appendix C: Guidance

Appendix D: Forms and Templates

Glossary and Acronyms

1. Nature of Changes

This U.S. Department of Health and Human Services (HHS) Policy for Implementing Electronic Mail (Email) Records Management, herein referred to as Policy, updates and supersedes the previous version (dated December 29, 2016), as well as the Senior Agency Official for Records Management's (SAORM's), "Notification of Email Retention Requirement" memorandum (dated October 14, 2014). The Policy was updated to align with current email records management processes, federal requirements, and National Archives and Records Administration (NARA) guidance.

2. Purpose

The purpose of this Policy is to implement the General Records Schedule (GRS) 6.1, Email Managed under a Capstone Approach, and establish the principles, responsibilities, and requirements for managing HHS email records. This Policy provides the framework for email records management guidance and operating procedures. This Policy does not address the supplemental preservation requirements for records associated with litigation, investigations, and audit matters.

3. Background

GRS 6.1 provides disposition authority for agencies that implement a Capstone approach.

An agency may not implement this GRS until the agency identifies and submits a list of Capstone officials to NARA and NARA approves that list. Capstone Officials are senior officials designated by account level or by email addresses, whether the addresses are based on an individual's name, title, a group, or a specific program function. Capstone Officials include all those listed on an approved NARA form 1005 (NA-1005), Verification for Implementing GRS 6.1, and must include, when applicable:

  1. The head of the agency, such as Secretary, Commissioner, Administrator, Chairman or equivalent;
  2. Principal assistants to the head of the agency (second tier of management), such as Under Secretaries, Assistant Secretaries, Assistant Commissioners, and/or their equivalents; this includes officers of the Armed Forces serving in comparable position(s);
  3. Deputies of all positions in categories 1 and 2, and/or their equivalent(s);
  4. Staff assistants to those in categories 1 and 2, such as special assistants, confidential assistants, military assistants, and/or aides;
  5. Principal management positions, such as Chief Operating Officer, Chief Information Officer, Chief Knowledge Officer, Chief Technology Officer, and Chief Financial Officer, and/or their equivalent(s);
  6. Directors of significant program offices, and/or their equivalent(s);
  7. Principal regional officials, such as Regional Administrators, and/or their equivalent(s);
  8. Roles or positions that routinely provide advice and oversight to the agency, including those positions in categories 1 through 3 and 5 through 7, including: General Counsels, Chiefs of Staff, Inspectors General, etc.;
  9. Roles and positions not represented above and filled by Presidential Appointment with Senate Confirmation (PAS positions); and
  10. Additional roles and positions that predominately create permanent records related to mission critical functions or policy decisions and/or are of historical significance.

Email can be managed at an account level, at a mailbox level, in personal folder files, or other ways. GRS 6.1 applies to all email, regardless of solution (account level, at a mailbox level, in personal folder files, or other ways). Email, in the context of this GRS, also includes any associated attachments. This GRS may apply to records affiliated with other commonly available functions of email programs such as calendars/appointments, tasks, and chat.

Agencies are expected to apply documented selection criteria to cull the email of Capstone officials (permanent accounts) to the greatest extent possible before transfer to NARA. Culling refers to the removal – or otherwise excluding from capture – of non-record, personal, or transitory messages and attachments. Culling typically includes the removal of spam, email blasts received (such as agency-wide communications), and personal materials (such as emails to family members not related to agency business). Culling may be manual, automated, or a hybrid of both. Agencies may develop their own policies and procedures for the culling of temporary Non-Capstone Officials' accounts.

4. Scope

This Policy applies to all HHS components, as well as organizations conducting business for or on behalf of HHS through contractual, grant-making, or other relationships.[1] HHS Operating Divisions (OpDivs) must adopt and implement this Policy, or may create a more restrictive policy, but not one that is less restrictive or less comprehensive than this Policy.

This Policy also applies to HHS employees, contractor personnel, grant recipients, interns, and other non-government persons supporting HHS. All organizations collecting or maintaining information or using or operating information systems on behalf of the Department are also subject to the stipulations of this Policy. Compliance with this Policy must be incorporated into applicable contract, grant, or memoranda of agreement language under separate cover, as appropriate.[2]

5. Authorities

Authorities include:

  1. Agency Records Management Responsibilities, 36 CFR, Chapter XII, Subchapter B (2011).
  2. Unlawful or Accidental Removal, Defacing, Alteration, or Destruction of Records, 36 CFR, Chapter XII, Subchapter B, §§ 1230.1 – 1230.18 (2011).
  3. Electronic Records Management, 36 CFR Chapter XII, Subchapter B, §§ 1236.2 – 1236.36 (2011).
  4. Damage to, Alienation and Unauthorized Destruction of Records, 36 CFR Chapter XII, Subchapter B §§ 1228.100 – 1228.106 (2009).
  5. Public Money, Property or Records, 18 U.S.C. § 641 (2011).
  6. Concealment, Removal, or Mutilation Generally, 18 U.S.C. § 2071 (2011).
  7. National Archives and Records Administration, 44 U.S.C. §§ 2101 – 2120 (2011).
  8. Records Management by the Archivist of the United States and by the Administrator of General Services, 44 U.S.C. §§ 2901 – 2910 (2011).
  9. Records Management by Federal Agencies, 44 U.S.C. §§ 3101 – 3107 (2011).
  10. Unlawful Removal, Destruction of Records, 44 U.S.C. § 3106 (2011).
  11. Disposal of Records, 44 U.S.C. §§ 3301 – 3324 (2011).
  12. Definition of Records, 44 U.S.C. § 3301 (2011).
  13. Coordination of Federal Information Policy (Paperwork Reduction Act of 1980, as amended, Paperwork Reduction Reauthorization Act of 1995, and Government Paperwork Elimination Act), 44 U.S.C. §§ 3501 – 3549 (2011).
  14. The Privacy Act of 1974, 5 U.S.C. § 552a (2016).
  15. Producing Documents, Electronically Stored Information, and Tangible Things, or Entering onto Land, for Inspection and Other Purposes, Federal Rules of Civil Procedure, Rule 34 (2014).
  16. Delivering Government Solutions in the 21st Century – Executive Office of the President, Reform Plan and Reorganization Recommendations (2018).
  17. National Archives and Records Administration (NARA) Bulletin 2010-05: Guidance on Managing Records in Cloud Computing Environments (2010).
  18. NARA Bulletin 2014-02: Guidance on Managing Social Media Records (2014).
  19. NARA Bulletin 2015-02: Guidance on Managing Electronic Messages (2015).
  20. NARA Criteria for Successfully Managing Permanent Electronic Records (2018).
  21. NARA Guidance on Records Management Language for Contracts (2017).
  22. OMB Circular A-130, Managing Information as a Strategic Resource (2016).
  23. OMB/NARA Directive M-12-18, Managing Government Records Directive (2012).
  24. OMB M-14-16, Guidance on Managing Email (2014).
  25. OMB/NARA Directive M-19-21, Transition to Electronic Records (2019).
  26. "Public Law 113-187: Presidential and Federal Records Act Amendments of 2014", (128 Stat. 2003, Date: 11/26/2014).
  27. Universal Electronic Records Management Requirements (2017).
  28. NARA General Records Schedules (2017).
  29. HHS Agency Records Control Schedules (2019).
  30. General Record Schedule 6.1: Email Managed under a Capstone Approach (2017).
  31. HHS Policy for Litigation Holds (2019).
  32. HHS Policy for Implementing Electronic Mail (Email) Records Management (2019).
  33. HHS Policy for Rules of Behavior for Use of Information and IT Resources (2019).
  34. HHS Policy for Mobile Devices and Removable Media (2019).

6. Policy

6.1. Policy for Email Records Management

6.1.1. Email

6.1.1.1. Email is a digital message distributed from a sending party to one or more recipients via internet or intranet communication platforms. Items sent from a government-issued mailbox may be considered a federal record. HHS employees must refer to the HHS Policy for Records Management to attain measures on how to declare and manage a federal record.

6.1.1.2. Implementation of the Capstone approach

6.1.1.2.1. The Department adopted the Capstone approach (GRS 6.1). Under the Capstone approach, HHS manages the disposition of email records (email messages, attachments, calendar appointments, tasks, and chat) based on the role of the email account user rather than the content of each email record.

(a) Email Records of Capstone Officials –

Agencies identify the accounts of individuals who, by virtue of their work, office, or position, are likely to create or receive permanently valuable federal records. Capstone Officials are generally the top-level senior officials of an agency, but may also be other key decision makers at lower levels of the agency. These permanent email records will be transferred to NARA.

(b) Email Records of Non-Capstone Officials –

  1. Emails of all other officials, staff, and contractors that are not designated Capstone Officials are considered temporary and disposed after 7 years.
  2. Emails of support and/or administrative positions carrying out routine and/or administrative duties are considered temporary and disposed after 3 years.

6.1.1.2.2. The Capstone Official verification process requires OpDivs to submit a NA-1005 to the HHS Records Management Officer (ARO). The HHS ARO will review and forward to NARA to receive approval prior to implementation of any items of this GRS.

6.1.1.2.3. The verification process for identifying Capstone Officials is located in the record description of GRS 6.1. The section defines the ten categories of Senior Officials provided in the definition of Capstone (permanent) accounts in item 010 of the GRS. These definitions acknowledge that different OpDivs often have different titles for similar positions, and they are meant to assist OpDivs in properly identifying Senior Officials within their OpDivs that correlate to each category.

6.1.1.3. Email records are captured and managed according to user role using the following retention approach:

6.1.1.3.1. Email Records of Designated Capstone Officials. Email records (email messages and attachments, calendar appointments, and tasks) from designated Capstone Officials' email accounts must be retained as permanent. These email records will be accessioned to NARA according to the NA-1005 list of roles. Each OpDiv RO will maintain an official list of Capstone Officials' email accounts and will forward a copy of the list to the HHS ARO annually.

6.1.1.3.2. Email Records Captured from Email Accounts Not Designated as Capstone Officials. Email records (email messages and attachments, appointments, tasks, and chat) of all other account holders will be retained as temporary according to GRS 6.1, Sections 011 or 012.[3] (NOTE: Precludes records under preservation obligation, such as litigation hold).

6.1.1.4. Non-Record Emails. HHS employees may delete "non-record" emails not containing any information documenting HHS actions or activities. Non-records include: non-business related, personal, broadcast messages (e.g., HHS messages to all staff) and advertisements. (NOTE: Precludes records under preservation obligation, such as litigation hold). HHS employees are to contact the OpDiv Records Management Officer for questions regarding non-records.

6.1.1.5. Transitory Email Records. Transitory email records are records of short-term (180 days or less) interest and are not required to meet legal or fiscal obligations, or to initiate, sustain, evaluate, or provide evidence of decision-making. Transitory email records may be deleted when no longer needed for business use. (NOTE: Precludes records under preservation obligation, such as litigation hold).

6.1.1.6. Search and Auditing of System. System-wide email searches may be conducted by OpDiv designated IT personnel with the approval of the General Counsel or Chief Information Officer as part of an internal or external investigation or in response to an access request as needed.

6.1.1.7. Unlawful or Accidental Removal or Destruction of Records. Employees must not remove federal records from the agency's custody without proper authorization. Records must not be destroyed except under the provisions of NARA-approved agency records control schedules or the General Records Schedules issued by NARA. The unauthorized removal, concealment, falsification, mutilation, and/or disposition of official records is prohibited by law and is subject to penalty. The penalties for the unlawful or accidental removal, defacing, alteration, or destruction of Federal records or the attempt to do so, include a fine, imprisonment, or both (18 U.S.C. §§ 641 and 2071).[4]

The Secretary of HHS shall promptly notify the Archivist of the United States of any actual or threatened unlawful removal or destruction of records in their custody, by mail at National Archives and Records Administration; Office of the Chief Records Officer (AC); 8601 Adelphi Road; College Park, MD 20740-6001, or by email at [email protected].

The report must include:

  • A complete description of the records with volume and dates if known;
  • The office maintaining the records;
  • A statement of the exact circumstances surrounding the removal, defacing, alteration, or destruction of records;
  • A statement of the safeguards established to prevent further loss of documentation; and
  • When appropriate, details of the actions taken to salvage, retrieve, or reconstruct the records.

The report must be submitted or approved by the individual authorized to sign records schedules (HHS Records Management Officer).

Departing HHS officials must not remove records from HHS custody.

6.1.2. Use of Unauthorized External Information Systems to Conduct Department Business. Transmission of HHS information via personal email is prohibited. In the interest of both protecting HHS employees' personal privacy and increasing transparency for the public, HHS employees assigned an HHS provided computer, email or online storage account must use those government provided resources for conducting any and all official business. In the event HHS authorizes the use of personal email accounts, such as in emergency situations when federal accounts are not accessible or when an employee is initially contacted through a personal account, HHS employees must ensure that all federal records sent or received on personal email systems are captured and managed in accordance with agency recordkeeping practices. A complete copy of these records must be forwarded to the employee's official HHS email account no later than 20 days after the original creation or transmission of the record.

6.2. Email Recordkeeping Requirements

6.2.1. OpDivs must have automated systems in place that produce, manage, and preserve email records in an acceptable electronic format until disposition can be executed. Additionally, systems must support the implementation of agency policies and provide access to email records throughout their lifecycle. (NOTE: Precludes records with preservation obligation, such as litigation hold).

6.3. Access Requirements

6.3.1. Email records must remain usable and retrievable throughout their lifecycle. Access supports an agency's ability to carry out its business functions. Access must address internal agency needs and accommodate responses to requests for information.

6.3.2. Email records must be maintained in a system that preserves their content, context and structure, protects against their unauthorized loss or destruction, and ensures that they remain discoverable, retrievable, and usable for the period specified in their retention schedule.

6.4. Disposition Requirements

6.4.1. OpDivs must use GRS 6.1, Email Managed under a Capstone Approach, as appropriate. If an OpDiv is not using GRS 6.1, that OpDiv must have a NARA-approved schedule in place to carry out the disposition of permanent and temporary email records.

6.4.2. OpDivs must identify appropriate retention periods for email records and implement systems and policies to support the disposition as specified in an approved records schedule.

7. Roles and Responsibilities

7.1. HHS Secretary

The responsibilities of the HHS Secretary include, but are not limited to, the following:

  1. Notifying the Archivist of the United States of any actual, impending, or threatened unlawful removal, defacing, alteration, corruption, deletion, erasure, or other destruction of records in the custody of the agency.

7.2. HHS Assistant Secretary for Administration (ASA)

The responsibilities of the HHS Assistant Secretary for Administration (ASA) include, but are not limited to, the following:

  1. Serving as the Senior Agency Official for Records Management (SAORM) and delegating oversight responsibility for the Department-wide records management program to the Chief Information Officer (CIO).
  2. Having direct responsibility for ensuring that the Department efficiently and appropriately complies with all applicable records management statutes, regulations, NARA Policy, and Presidential Directives.
  3. At the Assistant Secretary level or equivalent, having direct responsibility for ensuring that the Department efficiently and appropriately complies with all applicable records management statutes, regulations, and policies.

7.3. HHS Chief Information Officer (CIO)

The responsibilities of the HHS CIO include, but are not limited to, the following:

  1. Appointing the HHS Records Management Officer to guide and coordinate the HHS Records Management Program. The HHS Records Management Officer collaborates with HHS OpDivs and NARA to execute the HHS Records Management Program in accordance with this instruction.
  2. Integrating records management procedures and activities into HHS Chief Information Officer (CIO) policy and planning.
  3. Reviewing and making recommendations on requests for funding and acquisition of electronic recordkeeping systems in accordance with information technology capital planning, and investment control procedures.
  4. Overseeing the Department-wide records management program.

7.4. Agency Records Management Officer (ARO)

The responsibilities of the HHS ARO include, but are not limited to, the following:

  1. Serving as the Department's representative with NARA, other federal agencies, and external organizations on matters pertaining to records management.
  2. Providing leadership and guidance to ensure uniformity in records management activities throughout the Department.
  3. Conducting periodic compliance evaluations of records management programs.
  4. Developing policies, standards, and procedures for records management.
  5. Ensuring all HHS employees, including senior officials and contractors, are aware of their programmatic and individual records management responsibilities.
  6. Coordinating records management issues with other federal and regulatory agencies, including NARA, OMB, GSA, GAO, and OPM.
  7. Providing records management expertise and participating in the review and development of proposed electronic records management systems.
  8. Coordinating the development and implementation of the HHS records program.
  9. Providing guidance and operational support for the implementation of litigation holds and other types of legally required holds on records and other documentary materials.
  10. Completing requirements for a NARA certificate of Federal Records Management Training. New incumbents must obtain the certificate within one year of assuming the position of Departmental ARO.
  11. Coordinating with OpDiv ROs to receive a copy of the official list of Capstone Officials' email accounts.

7.5. OpDiv Chief Information Officers (CIOs)

The responsibilities of the OpDiv Chief Information Officers (CIOs) or OpDiv designated authority include, but are not limited to, the following:

  1. Designating OpDiv ROs to oversee the records management program. Recommending designation of Records Managers (RMs) to support the OpDiv ROs in the implementation of recordkeeping requirements for major programmatic and administrative records.
  2. Ensuring the OpDiv ROs and RMs have adequate skills, training, resources, time, and appropriate authority to execute duties assigned.
  3. Ensuring the implementation of a records management program within their areas of responsibility to accomplish the objectives identified in federal regulations and HHS policies and procedures.
  4. Ensuring OpDiv ROs incorporate records management principles and policies in all phases of the EPLC process.
  5. Ensuring proper recordkeeping of Authorization to Operate (ATO) approved systems.
  6. Requesting funds for records storage costs.
  7. Ensuring OpDiv ROs are adequately trained and remain current on email policies and procedures.

7.6. HHS Chief Information Security Officer (CISO)

The responsibilities of the HHS Chief Information Security Officer (CISO) include, but are not limited to, the following:

  1. Ensuring HHS oversight and compliance with the Federal Information Security Management Act (FISMA) to include the development and maintenance of the overall security of HHS IT systems and system inventory.
  2. Using information from the System Inventory in the various reporting and oversight requirements.

7.7. OpDiv Chief Information Security Officers (CISOs)

The responsibilities of the OpDiv Chief Information Security Officers (CISOs) include, but are not limited to, the following:

  1. Ensuring the technical security of the OpDiv electronic data records according to HHS and OpDiv standards.

7.8. OpDiv Records Management Officers (ROs)

The responsibilities of the OpDiv Records Management Officers (ROs) include, but are not limited to, the following:

  1. Serving as the primary contacts responsible for overseeing the OpDiv's records management program and ensuring the OpDiv has up-to-date records management guidelines.
  2. Coordinating the development of OpDiv records schedules with the National Archives and Records Administration (NARA).
  3. Ensuring that recordkeeping requirements are established, implemented, and periodically updated for all offices.
  4. Ensuring that HHS employees and contractors complete the annual records management training.

7.9. OpDiv Records Managers (RMs) and Records Liaisons (RLs)

The responsibilities of the OpDiv Records Managers (RMs) and Record Liaisons (RLs) include, but are not limited to, the following:

  1. Coordinating modifications to the office file plans and agency records schedules.
  2. Assisting HHS OpDiv RO with implementing the agency records management program in their work areas.
  3. Managing prompt disposal of temporary records stored in Federal Record Centers and the timely transfer of permanent records to NARA.
  4. Identifying and periodically updating recordkeeping requirements for program and administrative records.

7.10. OpDiv Records Custodians (RCs)

The responsibilities of the OpDiv Records Custodians (RCs) include, but are not limited to, the following:

  1. Recordkeeping within a particular program.
  2. Ensuring office records are accurately listed and detailed in the office file plan.
  3. Ensuring proper disposition of office records.
  4. Cooperating with the Records Manager/Records Liaison and the OpDiv Records Management Officer in periodic evaluations of office records.

7.11. Managers and Supervisors

The responsibilities of Managers and Supervisors include, but are not limited to, the following:

  1. Ensuring federal employees, contractors, interns, and fellows are aware of and adhere to HHS records management policies.
  2. Ensuring federal employees, contractors, interns, and fellows complete initial and annual records management training.
  3. Ensuring a departing employee's record materials, including email records, have been reviewed prior to the employee's departure.
  4. Ensuring a departing employee complies with policies and procedures regarding preservation, transfer, and deleting of records.
  5. When notified that an employee, contractor, intern, or fellow is transferring or leaving the Department, consulting with departing employees to follow litigation records management procedures.

7.12. Contracting Officers (COs) and Contracting Officer Representatives (CORs)

The responsibilities of Contracting Officers and Contracting Officer Representatives include, but are not limited to, the following:

  1. Inserting a records management clause in contracts ensuring contractors are aware of and adhere to HHS records management policies.
  2. Ensuring contractors complete initial and annual records management training.
  3. Ensuring a departing contractor's record materials, including email records, have been reviewed prior to the contractor's departure.
  4. Ensuring a departing contractor complies with policies and procedures regarding preservation, transfer, and deleting of records.
  5. When notified that a contractor is transferring or leaving the Department, consulting with departing contractors to follow litigation records management procedures.

7.13. HHS Employees, Contractors, Interns, and Fellows

The responsibilities of all HHS employees, contractors, interns, and fellows include, but are not limited to, the following:

  1. Identifying federal records that were used to conduct agency business.
  2. Coordinating with Records Managers and Records Liaisons regarding all aspects of records management.
  3. Organizing files for efficient and effective retrieval.
  4. Completing annual records management training.
  5. If transferring or leaving the Department, consulting with supervisor and office records staff and following records management procedures.
  6. Providing copies of responsive federal records to the appropriate Freedom of Information Act Official when requested by the public.

7.14. Freedom of Information Act (FOIA) Official

The responsibilities of the Freedom of Information Act (FOIA) Official include, but are not limited to, the following:

  1. Reviewing responsive federal records provided by HHS employees, contractors, interns, and fellows for release to the public under the FOIA.

7.15. Office of the General Counsel (OGC)

The responsibilities of the Office of the General Counsel (OGC) include, but are not limited to, the following:

  1. Reviewing disposition schedules for official records for legal sufficiency and providing instructions for implementing litigation holds required to comply with legal requirements.

7.16. Office of Inspector General (OIG)

The responsibilities of the Office of Inspector General (OIG) include, but are not limited to, the following:

  1. Assisting in investigating the unauthorized removal of records or the actual and potential threats to records (e.g., removal, alteration, or deliberate or accidental destruction).

7.17. IT Infrastructure and Operations and System Managers

The responsibilities of IT Infrastructure and Operations and System Managers include, but are not limited to, the following:

  1. Working with the OpDiv RO to establish and update records schedules for electronic systems.
  2. Ensuring that all phases of the EPLC process comply with HHS Records Management principles and policies.
  3. Ensuring that information systems intended to carry out electronic records management align with NARA's and HHS's requirements for records stored in an electronic recordkeeping system.
  4. Ensuring proper recordkeeping of Authorization to Operate (ATO) approved systems.
  5. Maintaining electronic information systems in accordance with approved records schedules and NARA requirements.
  6. Working with the OpDiv ROs to transfer permanent systems to the National Archives in accordance with approved records schedules and NARA requirements.
  7. Ensuring that social media content containing official records is maintained in accordance with HHS recordkeeping requirements.

8. Information and Assistance

HHS Privacy Information Management (PIM) is responsible for the development and management of this Policy. Questions, comments, suggestions, and requests for information about this Policy should be directed to [email protected].

9. Effective Date and Implementation

The effective date of this Policy is the date on which the Policy is approved. This Policy must be reviewed, at a minimum, every three (3) years from the approval date.

The HHS CIO has the authority to grant a one (1) year extension of this Policy. To archive this Policy, approval must be granted, in writing, by the HHS CIO.

10. Approval

/S/

________________________________________________

Jose Arrieta, Chief Information Officer (CIO)
May 28, 2020

11. Concurrence

/S/

________________________________________________

Scott Rowell, Assistant Secretary for Administration (ASA)
June 4, 2020

Appendix A: Procedures

Please note that this appendix is subject to change at any time. The current version of this Policy will always reside in the OCIO Policy Library.

No additional procedural steps are required to implement this Policy.

Appendix B: Standards

Please note that this appendix is subject to change at any time. The current version of this Policy will always reside in the OCIO Policy Library.

No additional standards are required to implement this Policy.

Appendix C: Guidance

Please note that this appendix is subject to change at any time. The current version of this Policy will always reside in the OCIO Policy Library.

No additional guidance is required to implement this Policy.

Appendix D: Forms and Templates

Please note that this appendix is subject to change at any time. The current version of this Policy will always reside in the OCIO Policy Library.

No forms or templates are associated with the Policy.

Glossary and Acronyms

Definitions:

  • GRS 6.1: Capstone Approach - An approach to managing email where agencies must identify those email accounts most likely to contain records that should be preserved as permanent. Agencies will determine Capstone accounts based on their business needs. They should identify the accounts of individuals who, by virtue of their work, office, or position, are likely to create or receive permanently valuable Federal records. Capstone Officials will generally be the top-level senior officials of an agency, but may also be other key decision makers at lower levels of the agency.
  • Capstone Official - Senior officials designated by account level or by email addresses, whether the addresses are based on an individual's name, title, a group, or a specific program function.
  • Non-Capstone Official – All other officials, staff, and contractors that are not designated Capstone Officials.
  • Accession - The process of transferring physical and legal custody of permanent records from federal agencies to NARA.
  • Control and Custody of Records – HHS records and materials are the property of the Federal government, not the property of individual employees or contractors acting as an agent for the government, and may not be removed from the Department without proper authority. All employees and contractors must maintain records and non-record documentary materials separately from one another.
  • Culling – The act of removing or deleting material prior to disposition. This may include deleting non-record email [e.g., email blast (such as agency-wide communications), spam, and personal email (records belonging to an individual and not related to agency business)], and transitory email records (records of short-term interest or that have minimal documentary or evidentiary value).
  • Electronic Mail (Email) – A digital message distributed from a sending party to one or more recipients via internet or intranet communication platforms.
  • Electronic Messages – Any form of electronic communication record. This includes email; instant, text, and chat messaging; and social networking.
  • Electronic Mail (Email) System – A computer application used to create, receive, and transmit messages and other documents. Excluded from this definition are file transfer utilities (software that transmits files between users but does not retain any transmission data), data systems used to collect and process data that have been organized into data files or databases on either personal computers or mainframe computers, and word processing documents not transmitted on an email system. (36 CFR 1236.2)
  • Electronic Records – Any information that is recorded in a form that only a computer can process and that satisfies the definition of a federal record in 44 U.S.C. 3301. Electronic records include numeric, graphic and text information, which may be recorded on any medium capable of being read by a computer and which satisfies the definition of a record. This includes, but is not limited to, magnetic media, such as tapes and disks, and optical disks. Unless otherwise noted, these requirements apply to all electronic records systems, whether on microcomputers, minicomputers, or mainframe computers, regardless of storage media, in network or stand-alone configurations.
  • Electronic Recordkeeping System – An electronic system in which records are collected, organized and categorized to facilitate their preservation, retrieval, use and disposition.
  • Hold – An agency's temporary suspension of disposition action(s) and notification to its employees to retain records and other documentary materials in the agency's possession, custody or control, typically because of litigation (including administrative cases), audit, or investigative needs. Under a Hold, documentary materials, regardless of record status, format, and physical location, are required to be retained and not destroyed or otherwise disposed of for as long as a Hold is in place.
  • Information System – A computer system designed to collect, process, store, and disseminate information.
  • Information Technology (IT) – "IT" is defined as any services, equipment, or interconnected system(s) or subsystem(s) of equipment, that are used in the automatic acquisition, storage, analysis, evaluation, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information by the agency.
  • Policy – A policy is a set of principles, rules, and guidelines formulated or adopted by an organization to reach its long-term goals.
  • Preservation In-Place – Protects and secures electronically stored information (ESI) from accidental deletion prior to collection. (NOTE: This is usually in reference to a litigation hold).

Acronyms:

  • ARO – Agency Records Management Officer
  • ASA – Assistant Secretary for Administration
  • CFR – Code of Federal Regulations
  • CIO – Chief Information Officer
  • CISO – Chief Information Security Officer
  • CO – Contracting Officer
  • COR – Contracting Officer Representative
  • FISMA – Federal Information Security Management Act
  • FOIA – Freedom of Information Act
  • GAO – Government Accountability Office
  • GRS – General Records Schedule
  • GSA – General Services Administration
  • IT – Information Technology
  • NARA – National Archives and Records Administration
  • OCIO – Office of the Chief Information Officer
  • OGC – Office of General Counsel
  • OIG – Office of Inspector General
  • OMB – Office of Management and Budget
  • OpDiv – Operating Division
  • OPM – Office of Personnel Management
  • PAS – Presidential Appointment with Senate Confirmation
  • PIM – Privacy Information Management
  • RC – Records Custodian
  • RL – Records Liaison
  • RM – Records Manager
  • RO – Records Management Officer
  • SAORM – Senior Agency Official for Records Management
  • StaffDiv – Staff Division
  • U.S.C. – United States Code

Footnotes:

  1. HHS components include OpDivs and Staff Divisions ("StaffDivs"). For the purposes of this policy, references to "OpDivs" also include StaffDivs.
  2. For further information, please see: HHS OCIO. (2017, June 26). HHS Security and Privacy Language for Information and Information Technology Procurements, Version 2.0. Available at: https://intranet.hhs.gov/sites/default/files/s3fs-public/s3fs-public/2019-06/security-privacy-language_1.pdf.
  3. General Records Schedule 6.1: Email Managed under a Capstone Approach, Item 011 (2017). Available at: https://www.archives.gov/files/records-mgmt/grs/grs06-1.pdf; see also Ibid., Item 012.
  4. Public Money, Property or Records, 18 U.S.C. § 641 (2011). Available at: https://www.law.cornell.edu/uscode/text/18/641; see also Concealment, Removal, or Mutilation Generally, 18 U.S.C. § 2071 (2011). Available at: https://www.law.cornell.edu/uscode/text/18/2071.

Content created by Office of the Chief Information Officer (OCIO)