Text and Instant Messages

Employees of state government agencies, local government agencies, and state-supported institutions of higher education in North Carolina have a duty to manage public records in accordance with state law and guidance from the Department of Natural and Cultural Resources (DNCR). North Carolina General Statutes Chapter 132 defines public records as any “documentary material, regardless of physical form or characteristics, made or received…in connection with the transaction of public business.”

Digital communications sent and received by public employees, during the course of business, are public records. As such, they must be managed in accordance with North Carolina public records law. This is true for business conducted on a state agency device or a personal device. Due to the design and implementation of most digital communications platforms, there are certain challenges associated with managing records created or received on them. This guidance provides guidance on the management of text and instant messages in accordance with applicable records retention and disposition schedules.

In addition to message content (which can include pictures, video, and other non-text media or attachments), a text or IM contains contextual information known as metadata. The metadata for a digital message may include time stamps, sender and recipient information, and format data. Any attachments and metadata associated with messages should also be managed and retained to help ensure the authenticity of the digital record.

Establishing a Digital Messaging Policy

DNCR encourages agencies to implement policies to govern how text and instant messaging tools should be used by employees to conduct public business. The policy should address the records management responsibilities associated with such communications as well.

Questions to consider when developing a digital messaging policy:

• How is text/instant messaging currently used in the office? Do employees use workplace-issued devices or personal ones? What applications or platforms?
• Are there any needs specific to the office that text/instant messaging helps to address, such as administrative purposes or communication with other departments/third parties?
• Are employees informed of how to manage digital communications in accordance with public records law?
• Are text/instant messages being stored and retained by the office? If not, can existing practices be adapted, or is a new method needed?
• How can office policy address the legal implications of e-discovery regarding the use of texting/instant messaging?

A digital messaging policy can help employees be mindful of keeping personal and work-related messages separate. All digital communications created and received in the transaction of public business, including those on private devices, can be disclosed under NC public records law. Any work-related texts or IMs sent from a personal device must still be retained in accordance with G.S. § 132. To better ensure appropriate management and retention, digital communications on private devices should be transferred to agency-issued devices or accounts. Your agency policy should provide guidance to employees on how to transfer texts, images, videos, IM conversation, or any other content captured via mobile devices. State agencies should also consult policies issued by the North Carolina Department of Information Technology (NCDIT) concerning the use of mobile devices by state employees.

Employees may have the option of downloading agency-approved messaging applications onto their personal phones and can conduct all communications related to public business using only those tools. For state agencies consolidated by NCDIT, employees are encouraged to use Microsoft Teams for their communications as Teams data is preserved and maintained by NCDIT. For non-consolidated agencies, consult with your IT department to determine how the data produced by such tools are handled.

Managing Text and Instant Messages as Public Records

As the custodians of records produced by its employees, agencies are responsible for the proper management of digital communications so that they can be procured in response to a records request or litigation.

However, various factors can make it challenging to manage digital communications. In addition to how quickly technologies can change, messaging systems and platforms often are not designed with ease of organization, access, retrieval, or transfer in mind. Due to the record’s digital nature, metadata and attachments should be maintained along with messages to ensure the record’s authenticity. The use of third-party systems also complicates ownership, access, and control of content. Without taking specific actions to retain digital communications, agencies run the risk of not being able to procure or even access those records when needed.

Depending on the technologies used, an agency may need to transfer texts or IMs from the originating device or account to a platform that is better equipped for records management. Often conversations can be retained all at once to show the exchange from start to finish. Such transfers could be achieved by:

• Exporting messages (when supported by the application or by using a third-party tool)
• Forwarding messages to a workplace-provided e-mail address or IM account
• Transferring messages via a hardware connection

When messages are transferred to other locations or media, employees must make sure to include all data associated with the original message, including the sender and the recipient of the message, the time and date of the message, and other information that allows the message to be specifically identified. Note that printing a copy of digital messages may result in certain metadata being lost.

Agencies are still responsible for any electronic messages on accounts managed or hosted by third parties. Agencies and employees should not rely on service providers to provide records created by text/IM. Service providers may keep their own records of text and instant messages, but they are not automatically obligated to provide a copy of those records to government entities. Agencies who provide employees with work issued devices should be mindful of these issues and seek to address them in their contracts and or Service Level Agreements with service providers to ensure they can obtain copies of their public records. Following is model contract language for agencies and local governments for obtaining copies of public records from service providers on employer issued mobile devices:

Service provider agrees to allow agency to collect all text messages from its electronic messaging system. Service provider agrees that agency has right to access all data, regardless of who created the content and for what purpose. Service provider will provide text messages by [specific procedures] according to the following timeline: [timeline]. The following positions within the agency are authorized to make such a request to [whom within the service provider].

Retention of Digital Messages

Public employees are responsible for complying with the records retention and disposition schedules issued by DNCR via the State Archives of North Carolina. These schedules dictate how long public records should be kept and whether they are to be retained in office permanently, destroyed, or transferred to the custody of the State Archives. There are specific retention schedules for state agencies, local government agencies, and state-supported institutions of higher education to follow.

The retention schedules are format-neutral and may not explicitly mention text or instant messaging. Instead, employees will need to identify the purpose of the communication when determining the most appropriate record series on their agency’s schedule. Most digital messages may be considered general correspondence or communications. However, if the text/IMs in question have a more specific purpose that is identified elsewhere in the schedule, they may fall under a different record series instead.

Records Management Analysts at the State Archives are available to assist with the interpretation of retention schedules and answer questions about records management. Contact recordsmanagement@dncr.nc.gov to be connected to an analyst.

Device Security

All employees who use messaging devices for public business should treat them as potential avenues for information theft and protect them as they would any point of access to secure information. Security risks can be mitigated by taking preventative measures such as:

• Utilizing secure passwords and locking devices when not in use. Protect devices physically by not lending them to strangers or leaving them unattended.
• Being wary of unknown numbers. Do not open messages or attachments from unknown sources.
• Avoiding unsecure connections and networks. Unsecured connections such as public WIFI networks and Bluetooth® may pose security risks. Consider disabling Bluetooth® when outside of the workplace and using an agency-provided Virtual Private Network (VPN). Download only from trusted sources.
• Backing up data. Devices with hard drives usually contain software that allows a user to safely preserve copies of data. Applications may also offer backup options.
• Enabling remote wipe controls. These allow for the remote erasure of data in the event that a device is lost, stolen, or compromised.

State employees should comply with statewide policies issued by NCDIT. Local agency employees are encouraged to follow these guidelines as best practice.

Conclusion

All communications, regardless of format, regarding government business results in the creation of public records as defined by G.S. § 132. Public employees are responsible for properly maintaining these records in accordance with public records law.

Employees should be made aware of the records management and security concerns associated with any text and instant messaging services they may use to conduct business. DNCR encourages agencies to implement internal policies regarding employee use and retention of text and instant messaging.