1. Text messages are considered records
If an organisation uses text messaging or any other instantaneous, non-sequential electronic communication mechanism to conduct business, e.g. social media, these communications are considered records under the Public Records Act 2005. As such, they must be managed accordingly.
2. Core guidance
Organisations constantly balance the concerns of providing practical guidance with the needs of employees to use the best electronic messaging and communication systems and devices available to conduct business. Many text messages and other communications will be facilitative, transitory, or of short-term value. Simply preventing people using electronic messaging and other communication systems to conduct official business is disproportionate, hard to enforce, and does not acknowledge the various ways employees communicate.
An organisation is best able to evaluate what solutions will suit its needs when it has established:
the messaging and communications technologies being used
the proportion of staff using those messaging and communications technologies and how often
the kind of content that is commonly included in text messages and communications
the overall risk profile
how staff currently handle text messages and communications
who owns the devices handling the text messages and communications
the privacy and security risks.
An organisation should consider adopting a mixture of in-house and outsourced technical or “low-tech” procedural solutions to records management, and tailoring those solutions to fit individual needs. Consult with information technology and telecommunications staff and providers to determine which approach best suits an organisation’s needs.
3. Technical and compliance issues
An organisation may face technical issues when managing text messages and other communications. These issues include:
capability of electronic messaging and communications systems and devices to create a record and metadata
capture of complete information and records, including usable and sufficient metadata
verification of user identity
exposure to viruses and spyware
lack of a string of text messages and other communications that help keep the message in context
use of non-government software and hardware
incompatibility of different electronic messaging and communications programs
digital preservation of information and records that have long-term value.
An organisation must also be aware of compliance issues when managing text messages and other communications. These issues include:
mandatory requirements under the Public Records Act 2005
obligations and considerations under the Privacy Act 2020
official information requests and evidence discovery
accessibility requirements under the Contract and Commercial Law Act 2017
4. Procedural and technical approaches
The two approaches outlined below offer organisations different yet complementary means of dealing with issues related to managing text messages and other communications.
Procedural approach: focuses on ensuring that adequate information and records are created through non-technical (sometimes manual) methods.
Technical approach: focuses on identifying products or service providers that can create adequate information and records from software and technologies that produce text messaging. and other communications.
4.1 Procedural approaches
A procedural “low-tech” approach to identifying, managing and capturing text messages and other communications can include developing policies and procedures, introducing reviews, and training staff.
Develop policies and procedures: addresses some of the management issues noted. One example is how to identify text messages and other communications that are not facilitative, that are transitory, or that have short-term value, and knowing what to do with these messages and communications.
Introduce regular reviews: ensures policies and processes are kept up to date with changes in technology.
Train staff: ensures staff are trained in simple and practical methods of capturing text messages and other communications in official information and records systems. One example is making a file note of the content.
4.2 Technical approaches
Technical solutions available for the management of text messages and other communications can include installing new software and technologies, configuring text messaging and communications technologies, and using third-party services.
Install mobile device management software: integrates with official networks and systems to centrally configure, manage and secure applicable text message/communications-capable devices.
Use virtualisation technologies: lets users work in virtual environments through virtualisation or “thin client” solutions.
Configure technologies: allows for easy and automated capture of electronic messages, other communications, and metadata.
Use a system that allows for export of messages and communications: ensures that text messages and other communications, including metadata, can be exported from the system in which they were originally created.
Use third-party services: captures messages, and other communications, such as a service that captures all email, chat, text messages, and other communications created through organisational systems.
4.3 Factors to consider in selecting technical solutions
Nature of solution
Is the solution built into the messaging or communications product, or is it an add-on?
If the solution considered is not in-house - that is, provided by an external service provider - what guarantees about long-term access can the service provider offer?
What format or formats can the communication be generated in or converted into?
Can the solution interface with existing information and records management systems? Is so, does that interface (method or program) have any restrictions?
Does the capture of the text message or other communication occur automatically, or does it have to be activated manually?
Does the capture have rules? If so, and the capture is automatic, how flexible are those rules?
Can the capture mechanism be tailored to capture conversational threads?
Can users bypass the capture?
What level of metadata can the solution capture?
How customisable is the metadata set?
How automated is the metadata collection?
How secure (tamper-proof) is the metadata set?
Does the solution allow for both manual entry of metadata and automated capture of some elements?
Security and legal compliance
What security measures can be applied to the solution?
What, if any, form of identity verification is offered?
Does the solution comply with relevant legislative and policy requirements?
Will the solution enable the organisation to comply with relevant legislative and policy requirements?
Last modified on 02 December 2020