Text messages and other communications

1. Text messages are considered records

If an organisation uses text messaging or any other instantaneous, non-sequential electronic communication mechanism to conduct business, e.g. social media, these communications are considered records under the Public Records Act 2005. As such, they must be managed accordingly.

2. Core guidance

Organisations constantly balance the concerns of providing practical guidance with the needs of employees to use the best electronic messaging and communication systems and devices available to conduct business. Many text messages and other communications will be facilitative, transitory, or of short-term value. Simply preventing people using electronic messaging and other communication systems to conduct official business is disproportionate, hard to enforce, and does not acknowledge the various ways employees communicate.

An organisation is best able to evaluate what solutions will suit its needs when it has established:

• the messaging and communications technologies being used

• the proportion of staff using those messaging and communications technologies and how often

• the kind of content that is commonly included in text messages and communications

• the overall risk profile

• how staff currently handle text messages and communications

• who owns the devices handling the text messages and communications

• the privacy and security risks.

An organisation should consider adopting a mixture of in-house and outsourced technical or “low-tech” procedural solutions to records management, and tailoring those solutions to fit individual needs. Consult with information technology and telecommunications staff and providers to determine which approach best suits an organisation’s needs.

3. Technical and compliance issues

An organisation may face technical issues when managing text messages and other communications. These issues include:

• capability of electronic messaging and communications systems and devices to create a record and metadata

• capture of complete information and records, including usable and sufficient metadata

• verification of user identity

• exposure to viruses and spyware

• lack of a string of text messages and other communications that help keep the message in context

• use of non-government software and hardware

• incompatibility of different electronic messaging and communications programs

• digital preservation of information and records that have long-term value.

An organisation must also be aware of compliance issues when managing text messages and other communications. These issues include:

• mandatory requirements under the Public Records Act 2005

• obligations and considerations under the Privacy Act 2020

• official information requests and evidence discovery

• accessibility requirements under the Contract and Commercial Law Act 2017

• security considerations.

4. Procedural and technical approaches

The two approaches outlined below offer organisations different yet complementary means of dealing with issues related to managing text messages and other communications.

• Procedural approach: focuses on ensuring that adequate information and records are created through non-technical (sometimes manual) methods.

• Technical approach: focuses on identifying products or service providers that can create adequate information and records from software and technologies that produce text messaging. and other communications.

4.1 Procedural approaches

A procedural “low-tech” approach to identifying, managing and capturing text messages and other communications can include developing policies and procedures, introducing reviews, and training staff.

• Develop policies and procedures: addresses some of the management issues noted. One example is how to identify text messages and other communications that are not facilitative, that are transitory, or that have short-term value, and knowing what to do with these messages and communications.

• Introduce regular reviews: ensures policies and processes are kept up to date with changes in technology.

• Train staff: ensures staff are trained in simple and practical methods of capturing text messages and other communications in official information and records systems. One example is making a file note of the content.

4.2 Technical approaches

Technical solutions available for the management of text messages and other communications can include installing new software and technologies, configuring text messaging and communications technologies, and using third-party services.

• Install mobile device management software: integrates with official networks and systems to centrally configure, manage and secure applicable text message/communications-capable devices.

• Use virtualisation technologies: lets users work in virtual environments through virtualisation or “thin client” solutions.

• Configure technologies: allows for easy and automated capture of electronic messages, other communications, and metadata.

• Use a system that allows for export of messages and communications: ensures that text messages and other communications, including metadata, can be exported from the system in which they were originally created.

• Use third-party services: captures messages, and other communications, such as a service that captures all email, chat, text messages, and other communications created through organisational systems.

4.3 Factors to consider in selecting technical solutions

Nature of solution

• Is the solution built into the messaging or communications product, or is it an add-on?

• If the solution considered is not in-house - that is, provided by an external service provider - what guarantees about long-term access can the service provider offer?

• What format or formats can the communication be generated in or converted into?

• Can the solution interface with existing information and records management systems? Is so, does that interface (method or program) have any restrictions?

Capture method

• Does the capture of the text message or other communication occur automatically, or does it have to be activated manually?

• Does the capture have rules? If so, and the capture is automatic, how flexible are those rules?

• Can the capture mechanism be tailored to capture conversational threads?

• Can users bypass the capture?

Metadata

• What level of metadata can the solution capture?

• How customisable is the metadata set?

• How automated is the metadata collection?

• How secure (tamper-proof) is the metadata set?

• Does the solution allow for both manual entry of metadata and automated capture of some elements?

Security and legal compliance

• What security measures can be applied to the solution?

• What, if any, form of identity verification is offered?

• Does the solution comply with relevant legislative and policy requirements?

• Will the solution enable the organisation to comply with relevant legislative and policy requirements?