November 2010
A report by
UK EMAIL RETENTION POLICIES:
Guidance on Legal Obligations for the Public and Private Sectors
Sponsored by
UK email Retention Policies. Guidance on Legal Obligations for the Public and Private Sectors.
1
Contents
Executive summary 3
About this White Paper 3
The problem domain 3
There’s no guidance for handling email! 3
The essence of email – why the use of email has significant legal consequences 4
The lawyer’s perspective on email mismanagement 4
Emails and the Freedom of Information Act 4
Emails and the Data Protection Act 5
Emails as evidence – the litigation context 6
Emails as records – retention obligations that arise due to the nature of the information involved 6
Failing to manage emails properly – what are the consequences? 6
What should organisations do? 8
Let’s delete everything! 9
Legal Perspectives on the nature and character of email 10
The obligation to retain emails 10
Monitoring and retaining emails – the privacy rights issues 11
Why organisations fail to comply with their legal obligations for email retention and the potential problems that can arise. 13
Causes of non-compliance 13
The “disconnect” point 14
Consequences of non-compliance 15
Litigation disclosure 16
Key legal philosophies – why the law requires the retention of records 18
Records keeping and regulation 18
Toughening up transparency mechanisms – the transition to heavy touch regulation 19
How the law distinguishes between a record and a “mere” document 21
Can an email be a record? 21
Ensuring an environment for records 22
Critical legal obligations for records and evidence arising under major pieces of legislation 25
Freedom of Information Act 25
The Data Protection Act 1998 26
Companies Act 2006 27
Financial Services and Markets Act 27
Equality Act 28
Bribery Act 29
Critical legal obligations for disclosure as they arise within criminal and civil litigation 30
Criminal litigation 30
Civil litigation 30
The meaning of “document” 31
Disclosure of deleted emails 31
Duty of search 32
Examples of retention laws and retention periods 34
Do emails fall within the scope of the records requirements discussed in this section? 34
Retention periods and the Freedom of Information Act 34
Public sector 35
Education 36
Police service 37
Ambulance service 37
Health 37
Private sector retention issues 38
Tax, pay and employee records 39
Private sector and regulatory frameworks 40
Cases involving the mishandling of email 41
Emails and defamation 41
Emails and data protection 41
Emails providing evidence of breaches of the Freedom of Information Act 42
Emails as evidence in matrimonial proceedings 42
The new legal framework for data security 43
Data security and the impact for email retention 43
The core functionality of an email archiving system 45
What are we driving at? 46
About the author 47
About Messaging Architects 48
Part 1
Executive summary
About this White Paper
Field Fisher Waterhouse LLP have been commissioned by Messaging Architects to provide this White
Paper as a guide to public and private sector organisations on the legal obligations for the retention
of emails.
The problem domain
The importance of email within our business and personal lives is well understood. However, what is
less clear is how the law treats email, or what should be done at an operational level within our
organisations in order to achieve compliance with the various laws and regulations that require good
systems for the management and retention of emails; many organisations have not yet “worked out”
the legal issues, or why these issues demand the adoption of email archiving technology.
There’s no guidance for handling email!
Many people who are new to the email handling problem soon feel overburdened by the complexity
of the subject matter and the absence of a unified legal framework that addresses all of the issues.
This is a problem that is encountered by people working in the public sector and in the private sector.
Unfortunately, the law is in a fragmented state, spread across hundreds of Statutes, thousands of
Statutory Instruments and countless pieces of regulatory guidance, standards for best practice and
case law. “Pulling it all together” is beyond the scope of most organisations, but organisations are
nonetheless expected to meet their legal obligations.
As far as the retention of email is concerned, the best advice that can be given is that organisations
should work to a retention and deletion policy, which assumes that there is a need to retain
information. From that point the organisation can take decisions about the “weeding out” of
information that is not required for legal purposes. Adopting an initial “delete everything” policy
should be avoided at all costs, as discussed later.
The essence of email – why the use of email has significant legal consequences
The essence of email is that it is a communications medium. When we look at email in this way it
soon becomes apparent that “traditional” legal concepts map very well to the email environment.
Thus, we can use email to libel people, to harass people, to discriminate against people and to
breach confidentialities and privacy. We can also attach files to email, making it a perfect vehicle for
committing intellectual property offences, such as breaches of copyright. Similarly, emails may
contain the kind of information that requires them to be preserved as a record, or as evidence. It
follows, therefore, that all organisations would be wise to invest time in understanding their email
use, to identify the risk areas, the mitigating actions they should take to reduce the risk of legal
problems occurring and the steps that they should take to ensure that emails are properly managed
and properly retained.
The lawyer’s perspective on email mismanagement
As a lawyer who advises on email, I am aware that some organisations are delaying dealing with the
email problem because they mistakenly believe that there are no, or minimal, legal consequences for
bad email management. This mind-set is seriously unwise; questions about the handling of email are
regularly playing out in disputes and in regulatory proceedings. I have plenty of first-hand experience
of the fact that compensation claims arising from the misuse of email are common. However, due to
the incentives that organisations face to settle cases (including a natural desire to avoid washing
their dirty linen in public) only a small fraction of these disputes are getting to court. Of course, this
should not blind the organisation to the fact that legal problems about email can arise at any time.
Emails and the Freedom of Information Act
Take the Freedom of Information Act, for example, which applies to public authorities. The general
right of access within the Act requires public authorities to give disclosure of recorded information,
whether in paper or electronic form, within a short timeframe.
Emails are subject to this legal regime and as many public authorities will attest to, people are
regularly making requests for disclosure of emails, or requests that bite on emails. In my experience,
public authorities that have not put in place the right systems and operations for the management of
email, which will include policies for records retention as well as the use of technologies, such as
email archiving solutions, will often find that the FOI regime is impossible to comply with, which will
put them in breach of the law.
This can lead to enforcement action by the Information Commissioner[1], litigation before the Tribunal
and public admonishment. For example, the Information Commissioner took enforcement action
against the Department of Health, due to problems with its systems for records management, which
included problems with its systems for the management of emails. This led to the issuing of a
Practice Recommendation in 2009, which required the improvement of data classification for emails
and facilities for the searching of email metadata[2].
One of the key perils for public authorities that fail to manage their records properly is being put
under Information Commissioner monitoring. Organisations that are on monitoring lists are on the
regulator’s radar and their failures will be put in the public domain. To illustrate this point, on 1st
October 2010 the Information Commissioner published a list of public authorities that are
undergoing monitoring for not responding to FOI access requests in time[3]. The Information
Commissioner also keeps separate monitoring lists for the police service[4] and for government
departments[5].
It should be kept in mind that failures under the FOIA regime can result in the withholding or
reduction of government funding to public authorities.
Emails and the Data Protection Act
Another area of the law where email misuse is being regularly and publicly sanctioned is the field of
data protection. Where email misuse constitutes a breach of the security principle in the Data
Protection Act the Information Commissioner is always ready to act. This alone should be enough to
cause organisations to get to grips with their email use, because the Information Commissioner is
now equipped with a new £500,000 financial penalty and new auditing powers.
Of course, the Data Protection Act is concerned with much more than security. Data controllers,
including public authorities, need to comply with all of the data protection principles, which combine
to demand appropriate systems and operations for the management of records. As the main thrust
of the DPA is electronic records, it will be obvious why emails are subject to this legal regime.
Consequently, data controllers need to ensure that their emails are retained properly, disposed of
properly and used properly. The information within emails needs to be accurate, kept up to date and
be sufficient for the underlying processing purpose. Due to the fact that emails respect no
geographical boundaries, data controllers need to ensure that emails are not used to send personal
data outside of the European Economic Area to unsafe countries.
[1] See, for example, the June 2010 enforcement notice served on the IPCC: http://www.ico.gov.uk/upload/documents/library/freedom_of_information/notices/ipcc_enforcement_notice.pdf
[2] http://www.ico.gov.uk/upload/documents/library/freedom_of_information/notices/doh_practice_recommendation.pdf
[3] http://www.ico.gov.uk/upload/documents/pressreleases/2010/ico_statement_monitored_authorities.pdf
[4] http://www.ico.gov.uk/upload/documents/library/freedom_of_information/research_and_reports/police_sector_ps_monitoring_report.pdf
[5] http://www.ico.gov.uk/upload/documents/library/freedom_of_information/research_and_reports/central_government_sector_monitoring_report.pdf
Emails as evidence – the litigation context
Unfortunately, the scourge of litigation regularly hits public authorities. Employment-type litigation
is a particular problem in all sectors of the economy, as is litigation about accidents and health and
safety. In fact, litigation can arise over any subject matter and, as indicated above, email provides a
perfect vehicle for libels, harassment, discrimination, intellectual property rights infringements,
breach of confidence and breach of privacy. Emails can also be used to create contracts and to
breach contracts.
The key point to understand is that emails are admissible in evidence in litigation. As such, the
parties to litigation carry two burdens: once litigation commences they are under a duty to preserve
relevant documents, including emails, and they are under a duty to disclose relevant documents.
Again, these duties behove the organisation to put in place appropriate systems and operations for
the management of their emails.
Emails as records – retention obligations that arise due to the nature of the information involved
There are literally thousands of laws and regulations that require organisations to preserve records.
For example, there are records retention obligations in the public sector (as within the Freedom of
Information Act), records retention obligations that serve corporate governance obligations and
records retention obligations for tax and financial purposes. Any organisation that uses email is
bound to face a plethora of records keeping obligations; this is unavoidable and it means there is a
legal duty to comply.
Of course, there has to be a “point” to records retention. The point, quite simply, is that records
should be retained so that an accurate picture of events is preserved, one that is capable of being
called up, or retrieved, when the law requires. Thus, regulators such as the Health and Safety
Executive, the Financial Services Authority, the Information Commissioner and Ofcom all have
powers that enable them to demand access to records at any time.
Failing to manage emails properly – what are the consequences?
If you fail to manage emails properly there are many consequences that can follow.
If, for example, you are unable to comply with your e-discovery obligations in litigation you face the
ultimate sanction of having your case dismissed, or judgment entered against you. You can also be
faced with legal costs consequences and be ordered to pay the other side’s wasted legal costs
incurred in trying to bring you into compliance.
Under the Freedom of Information Act the ultimate sanctions are referrals to Parliament and to the
High Court. The key point to remember is that a public authority that is on the receiving end of
regulatory action under the FOIA risks very adverse publicity. A good, recent example of this point
concerns the MPs expenses scandal, which ultimately cost the Speaker of the House of Commons his
job, in part due to the perception that he had improperly resisted the access requests that had been
made.
Under the Data Protection Act a failure to comply with a subject access request can ultimately lead
to criminal prosecution. This recently happened to Liverpool City Council, which was prosecuted by
the Information Commissioner for failing to respond properly to a request. The new financial penalty
and auditing powers, mentioned earlier, also contain perils for organisations that fail to comply with
the Act. In addition, the Commissioner can serve enforcement notices, which can require data
controllers to modify their data processing operations. In this context it should be noted that the
Information Commissioner is receiving a large number of complaints about subject access requests.
In his submission to the Ministry of Justice Consultation on the Data Protection Act[6] he commented
that:
“As the regulator for the DPA the Information Commissioner receives many complaints about
subject access requests being refused – 28% of the 33,234 written requests for advice/complaints
received in 2009/10 concerned subject access requests.”
An issue that should not be overlooked is the fact that it generally costs much more to deal with legal
obligations surrounding email when you do not have proper systems in place than it does when you
do. I regularly act for organisations that have received access requests under the Freedom of
Information Act and the Data Protection Act. In a recent case the legal advice cost over £5,000
because the client required us to manually read emails to see if they had to be disclosed; I believe
that the client would not have incurred any legal costs if it had understood its obligations and put in
place technologies, such as email archiving solutions, to manage these requests. Of course, to be
added to the legal costs are the costs of additional internal resources at the client side. In litigation
the costs of managing an e-discovery exercise without adequate technologies can become
exorbitant, in some cases exceeding £20,000.
In order to conceptualise the size of the task in dealing with access requests and e-discovery in an
environment that does not have good systems and operations for the management of email it may
be helpful to consider the following points:
• The law’s concern is with the nature of the information within emails. Provided that the
information is relevant to the issue under consideration it has to be searched for and
searched through. In other words, the organisation has to find relevant information.
• The environment of email is naturally fluid and volatile. Emails will reside in personal email
folders, in portable storage devices, in backups, in servers, in web based systems and in
home systems. The legal obligations touch all of these places.
[6] http://www.ico.gov.uk/upload/documents/library/data_protection/notices/response_to_moj_dpframework.pdf
If you have not managed your email, locating and searching for relevant information can be a task of
gargantuan proportions.
What should organisations do?
Organisations that appreciate the full range of legal issues involved in the use of email quickly realise
that they need to work in a systematic and methodical way. Key points to follow are:
• An acceptable usage policy is vital, so as to give the organisation better control over the
content and use of emails and to reduce the risk of emails being used to breach the law. If
you know what your emails are about and for what purposes they are being used you will be
able to make informed decisions about retention and deletion. If you can minimise the risk of
emails being used in breach of the law you will minimise the risk of disputes, with the result
that you will minimise the risk of having to engage in an e-discovery exercise.
• An email monitoring policy is vital. Again, it reduces the risk of a breach of law occurring.
• An email retention policy is vital. Organisations should not make decisions about the
retention of email based on the availability of data storage, mailbox sizes or disk space. The
retention periods should be set to legal and business long stops. For example, I am aware of
cases involving the police and educational institutions that have set blanket 90 day deletion
policies. This approach cannot be said to have considered all of the legal obligations
pertaining to the use of email.
• Technologies should be installed to manage email. An email archiving solution will provide
effective email management.
Let’s delete everything!
As just mentioned, I am aware of organisations that have set blanket deletion policies, with short
retention periods. Very often these decisions are taken because of storage constraints, or because
longer retention is harder to achieve, or more costly.
The problem with blanket deletion lies in the fact that the law frequently requires retention. Thus, if
an organisation is engaged in litigation or is required to respond to e.g. FoIA requests, the duty of
preservation of evidence can be breached with blanket deletion. Similarly, if the email contains
information that falls within a mandatory retention period that is longer than the deletion period, a
breach of law will occur, which can lead to regulatory action, including fines. In other words, the folly
within a blanket deletion policy is that emails that should be retained are not.
For these reasons my advice is to put in place systems and operations that reflect the nature and
content of the email. It is the nature and content of the emails that should determine retention and
deletion periods, not pure cost or storage considerations.
Part 2
Legal Perspectives on the nature and character of email
When lawyers consider the nature and character of email, two concepts are prominent in their
minds:
• Email is a communications medium.
• Email is a substitute for paper.
These concepts are particularly important in law. The sanctity of communications is afforded special
protection by the law; for example, it is a crime to intercept communications in the course of their
transmission without “lawful authority”[7], which stems from human rights concerns, particularly the
right to privacy[8]. As a substitute for paper, emails have legal effect; thus, they are admissible in
evidence in court cases and they may be subject to records retention rules.
It follows that organisations need to ensure that they maintain a correct environment for emails.
Among other things, a correct environment will ensure:
• That the right balance is struck between the monitoring and retention of emails and the
privacy rights of the senders and recipients.
• That where a legal obligation to retain an email exists, the email will be retained in such a
manner so as to preserve its integrity.
• That the email is always easily retrievable and disclosable.
The obligation to retain emails
There are four key situations where an obligation to retain emails arises:
Under freedom of information law – The Freedom of Information Act, section 77, contains an offence
of altering, defacing, blocking, erasing, destroying and concealing any records held by a public
authority with the intention of preventing the disclosure of records in compliance with a Freedom of
Information Act access request or a Data Protection Act access request. This means that public
authorities need to put in place systems and operations to ensure the preservation of emails
following the receipt of access requests.
[7] Regulation of Investigatory Powers Act 2000, section 1
[8] European Convention on Human Rights, article 8
Under data protection law – The Data Protection Act contains a series of 8 data protection principles,
the third of which says that “personal data shall be adequate”. This obligation should be read
together with the fifth principle, which says that “personal data … shall not be kept for longer than is
necessary”. The effect of these principles is to require data controllers to retain a minimum amount
of personal data, in order to ensure that their data processing operations are conducted in
accordance with the law. Consequently, the DPA can impose obligations on data controllers to retain
emails.
Under legislation for records keeping – There are literally thousands of laws that require people and
organisations to retain records. Records keeping laws can bite on email. Records keeping laws can
apply generally, or specifically to types of organisations, or to sectors. For example, law enforcement
agencies are obliged to retain records relevant to their investigations, companies are obliged to
retain records about their business activities and employers are obliged to retain records about tax
and payroll.
Under laws and rules of procedure relating to the conduct of litigation – In civil and criminal litigation
the parties are required to retain relevant records once litigation commences; failure to do so can be
a contempt of court. Such records constitute evidence.
Monitoring and retaining emails – the privacy rights issues
Emails can be machine-generated, or people-generated. Where the emails are people-generated it is
important to understand the privacy issues involved.
Workers enjoy a right of privacy in the workplace[9]. However, the right to privacy is not an absolute
right. This means that in certain circumstances an employer can monitor and retain emails.
Where the email travels over a private telecommunications system (as happens in the vast majority
of business environments), the employer’s right to intercept, monitor and retain emails is described
in the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations
2000. Provided that (a) the employer makes reasonable efforts to inform the workforce of the fact
of interception, monitoring and retention and (b) the interception, monitoring and retention occurs
for legitimate business purposes, these acts will be lawful.
Monitoring and retention of emails that does not involve interception will also be lawful provided
that this is done for legitimate business purposes and Data Protection Act principles and guidance
are complied with[10].
[9] See Halford v. UK [1997] ECHR 32 and subsequent cases.
[10] For example, see the Information Commissioner’s Employment Practices Code, for rules on employee monitoring.
So, what can amount to legitimate business purposes, so as to guarantee the lawfulness of
interception, monitoring and retention of emails in the business environment? The Lawful Business
Practice Regulations provide a helpful list of considerations, including:
• Regulatory or self-regulatory practices or procedures, which include compliance with the law.
• Establishing facts.
• Preventing or detecting crime.
• Establishing compliance with standards.
• Establishing whether there has been misuse of the system.
• Establishing whether the communications are relevant to the business.
These are very broad purposes, which will apply to non-interception cases also. Most organisations
will quickly understand that as far as email retention (etc.) is concerned, they are concerned with
two different situations: (a) situations where they are obliged to retain emails and (b) situations
where they are entitled to retain emails. An entitlement to retain emails is not the same as an
obligation to retain; where the organisation relies upon an entitlement to retain, it should be careful
to assess the privacy implications arising so as to ensure that Human Rights and Data Protection
legislation are not infringed.
Part 3
Why organisations fail to comply with their legal obligations for email retention and the potential problems that can arise.
As an advisor on email law, I frequently encounter organisations that fail to comply with their legal
obligations to retain emails. This can cause them significant problems, particularly when they are
faced with litigation, or a request for disclosure under the Freedom of Information Act or the Data
Protection Act, or a regulatory investigation.
Causes of non-compliance
There are many reasons why organisations fail to comply with their legal obligations to retain emails,
prominent among which are the following:
Ignorance of the law; not aware of records keeping legal obligations
Far too many organisations are ignorant of their legal obligations for records retention, particularly
SMEs. They lack access to specialist advice, often due to lack of resources, so they never get around
to thinking about records retention. In these organisations the problem is a general one, not specific
to email.
Ignorance of the law; not aware that records keeping legal obligations apply to email
Many organisations fail to understand that emails are subject to records keeping laws, although they
appreciate that other forms of records need to be kept (such as personnel files on workers). In other
words, many otherwise legally compliant organisations have a “blind spot” when it comes to email.
Aware of the law, but not afraid
Some organisations that are aware of their legal obligations concerning the retention of email take a
decision not to invest in proper systems and operations for the management and retention of email,
because they reason that there are no consequences for non-compliance. In other words, if the law
will not compel them to implement measures, they will not do so voluntarily, considering it to be a
waste of resources.
This problem can be attributed to a variety of different causes. Occasionally, there is a lack of
management buy-in, in the sense that the Board of the organisation takes a conscious decision
against investment. However, this is not a common occurrence. More often, the problem is
attributable to another level of management.
Aware of the law, thinking that they have complied, but have not
Some organisations that are aware of the law think that they have complied when they have not.
This is a very common problem, attributable to many causes.
A particularly common cause is “fuzziness” about the detail of the law; while aware of the broad
issues they do not have a sufficiently precise grasp of the law, with the result that despite their best
intentions they fail to properly execute a strategy that will ensure full legal compliance. For example,
some organisations fail to properly appreciate the importance of speedy retrieval of email, so while
they keep full back-ups, the information therein is not readily accessible.
Aware of the law, but putting off compliance to another day
Another common problem is where the organisation is fully aware of the extent of its legal
obligations, but decides to put off dealing with them to a later date. They want to comply, but they just
haven’t got around to it. Sometimes this is due to other, more pressing priorities getting in the way.
Sometimes this is due to being merely disorganised.
The “disconnect” point
An organisation’s failure to address its legal obligations as they pertain to the retention of email
records is often part of a wider “disconnect”; if the organisation is not managing email properly, it
can be anticipated that it will also be suffering other problems relating to the management of
electronic communications, the use of computer systems and the processing of data.
Perhaps it is more appropriate to view the management of email issue within the wider context of
the management of Information Assurance and data security. An organisation that understands the
importance of – and values – Information Assurance and data security will manage email within this
context. In other words, where the importance of information is properly understood, there will be
very clear systems in place for the use and retention of email, including the use of email archives.
The most visible symptom of a disconnected organisation is the presence of a “silo” mentality, where
business processes are seen as distinct and divisible and are placed under the ownership of distinct
and separate parts of the business. Thus, if the management of email is seen as a “purely IT” issue,
the organisation will be displaying a silo approach, which can be one of the quickest routes to legal
and operational failure. In a mature, properly-functioning organisation, the management of
information and communications issues will be dealt with holistically, by a multi-disciplinary team.
Typically, a mature organisation will vest information and communications issues in a team that
consists of representatives from all across the business, such as legal, risk, security, audit, company
secretariat, finance, business heads (human resources, marketing, sales etc) and IT.
Consequences of non-compliance
Organisations that fail to put in place adequate systems for the management of email can encounter
substantial difficulties with the law, which can lead to considerable time and cost overruns as well as
legal sanctions. Typical problem situations are set out below.
Freedom of Information Act general access requests
Section 1 of the Freedom of Information Act gives people the right of access to recorded information
held by public authorities. The response time for these requests is 20 working days and, in most
cases, no fee is chargeable.
General access requests involve the same issues as those arising under section 7 of the Data
Protection Act, as they also bite on email. Indeed, it should be noted that in one of the first cases
under the FOIA, Harper v. The Information Commissioner (2005), it was held that the general right of
access applies to archived, back-up and deleted data.
Data Protection Act subject access requests
Section 7 of the Data Protection Act gives data subjects the right to know information about their
personal data; particularly what elements of their data are being processed, why and by whom.
There has been considerable growth in awareness surrounding the access request. Recent evidence
published by the Information Commissioner [11] shows that in the public sector the number of access
requests being made is increasing year-on-year:
“Public sector requests have continued to increase to some extent (for organisations that received
between 10-200 requests and 500+ requests). 80% of organisations have received at least one request
(compared to 79% in 2008). Large public organisations remain the sector that is most likely to receive a
high volume of requests – 36% received more than 50 requests in the last year (this was also the case
in 2008), compared with 19% of small-medium organisations in the public sector.”
These access requests must be complied with within 40 days and in return the data controller is only
entitled to a payment of £10 in most cases. The fee payable is not intended to be compensatory
however, as the Information Commissioner’s evidence shows [12]:
“It is worth emphasising that the charging regime for subject access requests was never meant to be a
means to recover costs and should not be treated this way now. Rather it is a deterrent to the frivolous
request. The cost of responding to subject access requests is a necessary cost for businesses that
process personal data as part of their commercial activities.”
[11] http://www.ico.gov.uk/upload/documents/library/data_protection/notices/response_to_moj_dpframework.pdf
[12] http://www.ico.gov.uk/upload/documents/library/data_protection/notices/response_to_moj_dpframework.pdf
Failure to comply with an access request is a breach of the data protection principles, which can
trigger legal action by the data subject and by the regulator, the Information Commissioner.
One of the most difficult aspects of dealing with access requests is the fact that they bite on
unstructured data, such as emails. If the data controller lacks a system for managing email, including
an email archive, the problem can become particularly acute; emails have to be tracked down,
assessed for their content and for the application of legal exemptions and obligations against
disclosure (such as duties of confidence owed to third parties) and prepared for disclosure. In an
environment of poor email management it soon becomes apparent that 40 days is not sufficient
time.
To be factored into the equation is the fact that the data subject is often highly motivated, perhaps
because they have a grievance and are using the access right as a quasi-litigation disclosure tool.
Furthermore, the data subject, particularly where they are an ex-employee, might have knowledge of
particular emails that the persons dealing with the access request lack. Thus the data subject is on
the front foot, determined to achieve results, and the scenario can soon become a perfect storm of
problems for the data controller, consuming thousands of pounds’ worth of time and resources.
Data subject access requests can quickly spiral out of control, leading to regulatory intervention by
the Information Commissioner and/or litigation. Indeed, it is noteworthy that the leading case in UK
data protection law, Durant v. Financial Services Authority (2003), is a case about subject access
requests.
As far as the Information Commissioner’s Office is concerned, it should be noted that it has displayed
an appetite to take on data controllers that fail to deal properly with subject access requests. For
example, in 2006 the ICO launched a criminal prosecution against Liverpool City Council for its
failure to comply with an access request; Liverpool City Council pleaded guilty in December 2006 [13].
Litigation disclosure
If a party to civil litigation fails to give full disclosure of documents, which includes electronic
documents and metadata, it faces a variety of consequences. The most common consequence is a
financial one: the court will order the failing litigant to pay the wasted legal costs incurred by the
innocent party in bringing the failing party to book. Additionally, the court can bar the defaulting
party from later relying upon evidence that it failed to disclose at the correct time; this can be highly
prejudicial if the evidence is supportive of the defaulting party’s case. Finally, the court can strike out
the defaulting party’s case, giving judgment to the innocent party. Similar principles apply in criminal
litigation.
The point to understand is that litigation in the UK adopts a “cards up” approach. A litigant who fails
to preserve relevant evidence, or who fails to disclose relevant evidence, can expect to suffer
consequences before the courts, because this kind of stance offends the fundamental principles
upon which justice is based.
It should also be noted that the courts have little tolerance for arguments based upon a failure to
take essential steps to manage and retain email. This is because it has been established for over two
decades that electronic information is admissible in legal proceedings in this country and has to be
disclosed if it is relevant. Furthermore, in England and Wales the Rules Committee for civil litigation
clarified the duty of disclosure for electronic documents in October 2005. Thus, the default position
within litigation is that parties should be able to manage email properly.
In October 2010 a new Practice Direction for litigation in England and Wales was published [14]. This
reconfirms that the duty of disclosure in litigation applies to electronic documents, including emails
that have been deleted:
“Rule 31.4 contains a broad definition of a document. This extends to electronic documents, including e-
mail and other electronic communications, word processed documents and databases. In addition to
documents that are readily accessible from computer systems and other electronic devices and media,
the definition covers those documents that are stored on servers and back-up systems and electronic
documents that have been ‘deleted’. It also extends to additional information stored and associated
with electronic documents known as metadata.”
[13] See ICO Annual Report 2006-07, chapter 4.
http://www.ico.gov.uk/upload/documents/annual_report_2007_html/4_protecting-information.html
[14] http://www.justice.gov.uk/civil/procrules_fin/contents/practice_directions/pd_part31a.htm
Part 4
Key legal philosophies- why the law requires the retention
of records
In the previous section of this Paper the point was made that the UK courts adopt a “cards up”
approach to litigation, requiring the parties to litigation to give disclosure of relevant documents. For
these purposes documents are relevant if they assist the litigant’s case, damage the litigant’s case, or
assist the opponent’s case. This transparency mechanism is fundamental to the fair conduct of
litigation and the administration of justice.
As far as electronic documents are concerned, the courts make no distinction between them and
their paper counterparts. Indeed, lawmakers around the globe have been engaged in building out
this principle [15].
Records keeping and regulation
A requirement for records keeping is one of the core tools of regulation. Other tools of regulation
include licensing, registration, inspections and sanctions.
The whole point of regulations for records keeping is to ensure that the regulated entity keeps and
preserves a complete evidential record of its regulated activities. Of course, the purpose of retention
goes further than this; records will be deliverable to the regulator (or some other person) on
demand, within a fixed timeframe (usually short).
The idea within this retention-disclosure obligation is to cure one of the classic failures of regulation,
namely that the regulator knows less about the regulated entity than the regulated entity itself. In
other words, there is a knowledge imbalance that is addressed by the retention-disclosure obligation.
Of course, out of this flows a fundamental power shift; because knowledge is power, the disclosure
of information to the regulator causes a shift in the power relationship; knowledge flows from the
regulated entity to the regulator, with the result that power shifts from the regulated entity to the
regulator.
[15] See, for example, the Electronic Signatures Directive 99/93/EC.
When records keeping is viewed in this way, the importance of records keeping becomes much
easier to understand; records keeping coupled with disclosure is one of the mechanisms by which
society ensures that its behavioural standards are observed and respected. Records keeping and
disclosure provides a check against bad behaviours and abuses, whether these are anti-competitive
behaviour, abuse of the consumer, financial crime or data insecurity (etc).
Of course, to ensure that the retention obligation is respected, a failure to retain and disclose will
be met with sanctions. A very recent example is provided by the Financial Services Authority v.
Goldman Sachs case [16] of September 2010, where the FSA fined Goldman Sachs International
£17,500,000 for weaknesses in controls that resulted in a failure to provide the FSA with information.
In the field of data protection, the Information Commissioner has a new power to fine data
controllers up to £500,000 for serious breaches of the data protection principles; this power applies
to the subject access regime within section 7 of the DPA, meaning that the Commissioner will be
legally entitled to fine controllers who fail to deliver up sufficient information.
Toughening up transparency mechanisms – the transition to heavy touch regulation
It is vital that organisations operating in regulated environments understand where the issue of
records keeping sits within the continuum of regulation. It is vital also that they understand what is
actually happening in regulation.
Regarding the latter issue, we are witnessing fundamental shifts in attitudes towards regulation,
which can be termed the shift from “light touch” to “heavy touch”. This shift is seismic and it is
attributable to four linked phenomena:
• The US corporate governance scandals at the beginning of the Millennium, particularly
WorldCom and Enron. These scandals led directly to corporate governance law reform in the
United States, most notably the introduction of the Sarbanes-Oxley Act, which contains
tough transparency mechanisms that bite on corporate email, requiring email preservation
and delivery-up.
• The data insecurity scandals of recent years. In the UK these scandals led to the
commencement of the Data Handling Review and new rules on Information Assurance,
which require government departments and public authorities to put in place appropriate
systems to manage email.
• The banking crisis of 2008-2009. This is leading to a process of global, harmonised law-
making, with greater disclosure obligations for regulated entities, which will bite on email.
• The BP Deepwater Horizon drilling disaster of 2010.
The connectors between these high-profile events were bad risk assessments within the regulated
entities coupled with weak regulation, and in the aftermath of all of them the disclosure of emails
became an issue [17]. As public confidence in regulatory systems has dropped, lawmakers have
reacted, and we have now arrived at a point where heightened scrutiny of regulated entities coupled
with tougher sanctioning of failure are perceived to be the hallmarks of good regulation.
[16] http://www.fsa.gov.uk/pages/Library/Communication/PR/2010/141.shtml
[17] A feature of the Enron case was the destruction of documents and emails by its auditors, Arthur
Andersen; the official inquiries into the HMRC data loss focused heavily on email evidence, as did the
inquiries into the banking crisis and Deepwater Horizon.
Regarding the former issue, where the issue of records keeping sits within the continuum of
regulation, we are seeing new law-making that requires better records keeping, serving the wider
transparency agenda. A good example is provided by the Citizens’ Rights Directive 2009 (Directive
2009/136/EC), which comes into effect on 25th May 2011. This Directive regulates the electronic
communications sector (telecommunications companies and Internet Service Providers) and requires
them to keep records of security breaches, which have to be delivered up to regulators on demand.
Another example, again from the data protection field, is contained within the Coroners and Justice
Act 2009, which amended the DPA to introduce a tougher “information notice” power and a new
“assessment notice” power. These powers give the Information Commissioner greater visibility into
data controllers’ organisations; they will allow the Information Commissioner to call for the delivery
up of email.
Part 5
How the law distinguishes between a record and a “mere”
document
The law’s prolific use of – and reliance upon – records implies that a record has a special character,
something that distinguishes it from a “mere” document. In the case of R v. Iqbal [18] the Court of
Appeal was required to consider the meaning of “records” for the purpose of a criminal case, holding
that:
• A book or a file into which information is deliberately put in order that it may be available to
others on another day is a record.
• A record is a history of events in a form that is not evanescent.
• A record is something that a historian would regard as an original or primary source.
• A record is a compilation of facts supplied by those with direct knowledge, which is
preserved in writing or some other permanent form so that it will not be evanescent and
which will serve as an original source or memorial of those facts and thus be evidence of
them.
This approach to the meaning of “records” makes it clear that the essential characteristics of records
are their authenticity, their integrity and their reliability. Consequently, where the law requires a
record to be kept, this imposes an obligation on the records keeper to ensure an environment that
can satisfy others of the record’s authenticity, integrity and reliability.
Can an email be a record?
In light of the definition of record in the Iqbal case it must be concluded that emails are capable of
being records, or part of records, as a matter of law. What matters is whether the content of the
email, or how it has been used, has legal significance, judged by reference to the legal question
under analysis.
[18] [1990] 3 All ER 787
For example, assume that a Freedom of Information Act request has been received which asks
whether the public authority has had any dealings with Mr X. If an email has been sent to Mr X, it
will be a record of that fact of dealing and its content will be immaterial. In this example it is the fact
that the email exists that is important.
If we modify the example, so that the question is whether the public authority has had any dealings
with Mr X about the supply of widgets, an email sent to Mr X that discusses widgets will be a record
of that fact. In this example it is the content of the email that is important, not the mere fact that
the email exists.
So, an email can be a record in many different circumstances. If an email operates as an electronic
invoice, it will have to be retained to comply with rules on book-keeping. If an email records a
complaint about an accident, it will be wise to preserve it for the duration of the limitation period for
the bringing of personal injury claims (3 years). If employment law litigation is commenced, all of the
emails relating to the substance of the case should be preserved. Even emails that a person sends to
themselves can be records, if the fact of sending or the content of the email is legally significant.
Ensuring an environment for records
For paper documents there are a variety of tests that can be applied to assess the document’s
authenticity, integrity and reliability, so as to dismiss any suggestion or fear that the document is a
forgery, or not otherwise authentic. One such test might be to submit a document’s signature to
analysis by a handwriting expert.
Electronic records can also be subjected to tests, but because electronic records are merely
assemblies of binary code, it is essential to establish the baselines for authenticity, integrity and
reliability.
Baselines for authenticity, integrity and reliability of electronic records.
The baselines for establishing whether an electronic record has been held in a correct environment
are contained in standards for best practice; in the case of Ward v. Ritz Hotel [1992] the Court of
Appeal confirmed the primacy of standards for best practice on questions of a technical nature.
There are many standards for best practice for records keeping. Examples include ISO 15489
Information and Documentation – Records Management, the European Commission’s Model
Requirements for the Management of Electronic Records (MoReq), ISO/TR 15801 Electronic Imaging
– Information Stored Electronically – Recommendations for Trustworthiness and Reliability and The
National Archives’ Management, Appraisal and Preservation of Electronic Records.
While these standards are couched in different shades of language, when read together they reveal
that the environment of an electronic record will require an analysis of (1) the technologies that are
used for storage and processing of the record, (2) the processes of records capture, (3) the processes
for content protection, (4) the processes for access and retrieval of records and (5) the processes for
monitoring and audit. If the environment fails to address all of these benchmarks, there will be
uncertainty about the record’s status, which might result in a conclusion that its authenticity,
integrity and reliability cannot be assured. More particularly, the benchmarks for an appropriate
environment are as follows:
Technologies
The technologies that are used for storage and processing of the record must satisfy the following
requirements:
• Robustness: The technology must display a low susceptibility to physical damage.
• Longevity: The technology must prevent records degradation during the information
lifecycle.
• Obsolescence: The technology must be based on established, proven platforms.
• Scalability: The technology must scale to meet the organisation’s requirements.
• Open standards: The technology must take advantage of as many open standards as
possible. For example, it may be desirable to store archives in standards such as XML rather
than in a database format that requires a proprietary viewer.
• Cost: The technology must reduce the cost of records keeping by as much as possible.
• Security: The technology must provide robust security.
Records capture
The processes of records capture must satisfy the following requirements:
• Wide capture: The technology must capture as many different file types as possible.
• Complete capture: The technology must capture every new record.
• Classification: The technology must allow records to be classified.
• Metadata: The technology must create or support metadata.
• Unique identifiers: The technology must allocate unique identifiers to each unique record.
Content protection
The processes for content protection must satisfy the following requirements:
• Protection against data loss or damage due to system failure: The technology must display
features that go to protect the data from corruption caused by software or hardware failure.
• Protection against overwrite: The technology must display features that prevent the
accidental or deliberate overwriting of records.
• Protection against delete: The technology must display features that prevent the accidental
or deliberate deletion of records otherwise than in accordance with a predefined schedule.
• Safe delete: The technology must enable the complete and irreversible deletion of records.
Access and retrieval
The processes for access and retrieval of records must satisfy the following requirements:
• Complete access and retrieval: The technology must allow access and retrieval of all records.
• Speed of retrieval: The technology must facilitate quick access and retrieval of records.
• Protection against unauthorised access and retrieval: The technology must facilitate controls
and limitations over access and retrieval.
• Search: The technology must facilitate full searches, covering metadata, content and
attachments.
Monitoring and audit
The processes for monitoring and audit must satisfy the following requirements:
• Complete monitoring and audit: The technology must facilitate full monitoring and auditing.
It should show when emails entered the archive, when they were accessed and used, when
they were modified, when they were deleted and by whom, including any attempts. It
should also be able to provide proof that the system itself was working properly at all times.
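The benchmarks above describe properties of a records environment rather than a mechanism. The following is an added example, written for this page and not code from the white paper or from any archiving product, showing in Python one way a minimal email archive can meet several of them at once: the SHA-256 of the raw message as the unique identifier (records capture), captured header and attachment metadata, no update path and a deletion that is refused and audited unless a retention schedule permits it (content protection), a search over headers, body and attachment names of the kind a subject access request or FOIA search needs (access and retrieval), and a hash-chained audit trail with a verifier that reports overwritten records, records removed without an audited delete and rewritten audit entries (monitoring and audit). The sample message, the actor names and the retention flag are constructed for illustration.

```python
"""Minimal tamper-evident email archive (added example, not code from the white paper)."""
import contextlib
import hashlib
import json
from datetime import datetime, timezone
from email import message_from_bytes

GENESIS = "0" * 64  # prev-hash of the first audit entry


class EmailArchive:
    def __init__(self, clock=None):
        self._records = {}    # record id -> raw RFC 5322 bytes
        self._metadata = {}   # record id -> captured metadata
        self._audit = []      # hash-chained audit entries, append only
        self._clock = clock or (lambda: datetime.now(timezone.utc).isoformat())

    @staticmethod
    def _digest(obj) -> str:
        return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()

    def _log(self, event, actor, record_id):
        prev = self._audit[-1]["hash"] if self._audit else GENESIS  # chain to last entry
        entry = {"ts": self._clock(), "event": event, "actor": actor,
                 "record": record_id, "prev": prev}
        entry["hash"] = self._digest(entry)
        self._audit.append(entry)

    def ingest(self, raw: bytes, actor: str) -> str:
        """Records capture: the SHA-256 of the raw bytes is the unique identifier."""
        record_id = hashlib.sha256(raw).hexdigest()  # same bytes always give the same id
        msg = message_from_bytes(raw)
        meta = {h.lower(): msg.get(h, "") for h in ("From", "To", "Subject")}
        meta["attachments"] = [p.get_filename() for p in msg.walk() if p.get_filename()]
        self._metadata[record_id] = meta
        self._records[record_id] = raw
        self._log("ingest", actor, record_id)
        return record_id

    def delete(self, record_id, actor, retention_expired: bool):
        """Content protection: no update method exists; deletion is refused but audited."""
        if not retention_expired:
            self._log("delete-refused", actor, record_id)
            raise PermissionError("deletion outside the retention schedule")
        del self._records[record_id], self._metadata[record_id]
        self._log("delete", actor, record_id)

    def search(self, term: str):
        """Case-insensitive search over headers, body and attachment names."""
        term = term.lower()
        return [rid for rid, raw in self._records.items()
                if term in raw.decode(errors="replace").lower()
                or term in json.dumps(self._metadata[rid]).lower()]

    def verify(self):
        """Monitoring and audit: list every way the store or the log is not intact."""
        problems, prev, live = [], GENESIS, set()
        for i, e in enumerate(self._audit):
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev"] != prev or e["hash"] != self._digest(body):
                problems.append(f"audit entry {i} tampered or out of order")
            prev = e["hash"]
            if e["event"] == "ingest":
                live.add(e["record"])
            elif e["event"] == "delete":
                live.discard(e["record"])
        for rid, raw in self._records.items():
            if hashlib.sha256(raw).hexdigest() != rid:
                problems.append(f"record {rid[:12]} content overwritten")
        for rid in sorted(live - set(self._records)):
            problems.append(f"record {rid[:12]} missing without audited delete")
        return problems


SAMPLE = b"""From: buyer@example.org
To: sales@example.com
Subject: Widget order 4711
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please confirm the price for 200 widgets.
--b1
Content-Type: text/csv; name="order.csv"

WDG-1,200
--b1--
"""  # constructed message for illustration


def demo():
    archive = EmailArchive(clock=lambda: "2010-11-01T09:20:00+00:00")
    rid = archive.ingest(SAMPLE, "mail-gateway")
    with contextlib.suppress(PermissionError):           # refused and audited
        archive.delete(rid, "ex-employee", retention_expired=False)
    archive._records[rid] = SAMPLE.replace(b"200", b"20")  # overwrite, bypassing the API
    archive._audit[1]["actor"] = "nobody"                  # rewrite the delete-refused entry
    return archive.verify()
```

verify() is the check a records manager would run before certifying the archive for a disclosure exercise. Its limit is worth stating: an operator who can rewrite an audit entry and every later prev hash can re-chain the log, so in production the current chain head should be anchored somewhere the archive operator cannot alter, such as a separate log server or a periodically signed checkpoint.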
Part 6
Critical legal obligations for records and evidence arising
under major pieces of legislation
Freedom of Information Act
The Freedom of Information Act was introduced to give people a right of access to recorded
information held by public authorities.
The general right of access consists of two rights. Firstly, the requester is entitled to be told whether
or not the public authority holds information of the description specified in the request. Second, if
the public authority does hold such information, the requester is entitled to have that information
communicated to them. However, there are a series of exemptions that apply, some of which are
absolute and some of which are qualified; where a qualified exemption exists, the key issue is
whether the public interest in withholding disclosure outweighs the public interest in giving
disclosure.
As discussed in Part 2 of this White Paper the FOIA throws up much the same compliance challenges
as the Data Protection Act. However, as far as records retention is concerned, there is an additional
overlay; section 46 of the Act requires public authorities to comply with a Code of Practice on records
management issued by the Lord Chancellor [19]. The compliance goals within the Code include:
• Putting in place organisational measures to support records management.
• The creation of a records management policy.
• The implementation of a records management system.
• Systems for the storage and maintenance of records.
• Systems to ensure the security of records.
• Systems to ensure that records are fully accessible.
• Systems governing the disposal of records.
• Systems to support monitoring and reporting on records management.
[19] http://www.justice.gov.uk/guidance/docs/foi-section-46-code-of-practice.pdf
As regards email, notable parts of the Code provide as follows:
“Identify and make appropriate connections to related policies, such as those dealing with email,
information security and data protection.”
“…trivial emails should be deleted after being read …”
“… if the authority is operating electronically, for example using email for internal and external
communications or creating documents through word processing software, it is good practice to hold
the resulting records electronically …”
The Data Protection Act 1998
The Data Protection Act gives effect to the UK’s obligations under the Data Protection Directive 1995
and the Data Protection Convention 1981. The Act regulates the processing of personal data by data
controllers. For these purposes personal data are information that relate to identifiable living
individuals.
Emails containing personal data that are processed by data controllers are regulated by the Act. In
broad terms, the Act requires data controllers to comply with the data protection principles, which
provide as follows:
• The processing of personal data should be fair, lawful and legitimate.
• Personal data shall be obtained for specified and lawful purposes.
• Personal data shall be adequate, relevant and not excessive.
• Personal data shall be accurate and kept up to date.
• Personal data shall not be kept for longer than is necessary.
• Personal data shall be processed in accordance with the rights of the data subject.
• Personal data shall be kept safe, secure and confidential.
• Personal data shall not be transferred to a country that fails to provide adequate protections.
Achieving compliance and evidencing compliance
Data controllers need to put in place programmes to achieve compliance and mechanisms to prove
that they have achieved compliance. Indeed, on the second point it should be noted that European
and UK domestic data protection law are both under review; in the context of these reviews a new
“accountability” principle has been proposed, which will require data controllers to put in place a
compliance programme and to evidence how compliance has been achieved.
As far as emails are concerned, the critical compliance issues for the data controller are as follows:
• Acceptable Use Policy: The controller needs to be clear about the purposes for which email
are to be used, including whether workers are allowed to use email for personal purposes.
• Monitoring of email: If email use is to be monitored, this should be explained to users,
setting out the reasons for monitoring.
• Retention policy: A retention policy for email needs to be set and communicated throughout
the organisation.
• Email archiving: A system for email archiving should be created. This will facilitate
compliance with subject access requests made under section 7 of the DPA and Information
Commissioner access requests (information notices and assessment notices).
Companies Act 2006
The Companies Act 2006 regulates all companies registered in the UK. It provides a plethora of
records keeping obligations. These include:
• 10 years retention periods for records of meetings and resolutions.
• 3 years to 6 years retention periods for company accounts.
• Adequate accounting records must be kept, which are sufficient to give a true and fair view
of the company’s assets, liabilities, financial position and profit and loss.
• Failure to keep adequate accounting records is a criminal offence, for which directors can be
held personally liable and imprisoned.
• Directors must not approve company accounts unless they are satisfied that they give a true
and fair view.
• Directors can be held personally liable for inaccuracies in the accounts, if they cause the
company to suffer loss.
• Auditors are prevented from signing-off accounts if they are unsure of the directors’ degree
of compliance with their records keeping obligations.
The Companies Act has only a tangential connection with email [20], but where the company’s
accounting and financial records are contained within email, or are reliant upon email (for example,
in the context of ecommerce transactions), the need to put in place appropriate systems for the
retention of email becomes part of corporate governance. This can also apply where company
information is contained within a spreadsheet that is attached to an email.
[20] However, note that the Companies (Registrar, Languages and Trading Disclosures) Regulations 2006
require the inclusion of business information in emails.
Financial Services and Markets Act
One of the three pillars of the regulatory system for financial services is the Financial Services and
Markets Act 2000, which established the Financial Services Authority. The FSA addresses the
regulatory objectives of the FSMA and various European Directives within the FSA Handbook. This
contains a plethora of obligations that bite on email, including the following:
• The Senior Management Arrangements, Systems and Controls Rules (SYSC) within the
Handbook include an information management rule that should facilitate the identification,
measurement and control of risk by the firm’s Board. These arrangements encompass the
use of email systems and the retention of email records.
• SYSC also contains a general records retention rule, which requires firms to retain records for
as long as is relevant for the purposes for which they were made.
• For the purpose of preventing market abuse, the Conduct of Business Sourcebook (COBS)
requires firms to keep records of electronic communications, including emails. These need
to be retained for a minimum of 6 months, in a medium that allows the FSA ready access.
Regarding the last point, the retention of emails, COBS 11.8.5 says:
“A firm must take reasonable steps to record relevant telephone conversations, and keep a copy of
relevant electronic communications made with, sent from or received on equipment:
(1) Provided by the firm to an employee or contractor; or
(2) The use of which by an employee or contractor has been sanctioned or permitted by the firm;
to enable that employee or contractor to carry out any of the activities referred to in 11.8.1”
The activities referred to in COBS 11.8.1 are:
• Receiving client orders.
• Executing client orders.
• Arranging for client orders to be executed.
• Carrying out transactions on behalf of the firm, or another person in the firm's group, which
are part of the firm's trading activities or the trading activities of another person in the firm's
group.
• Executing orders that result from decisions by the firm to deal on behalf of its client.
• Placing orders with other entities for execution that result from decisions by the firm to deal
on behalf of its client.
It should be noted that the obligation to retain emails extends to emails sent by portable equipment.
It is also worth mentioning here the Payment Card Industry’s Data Security Standard, which requires
merchants who take card payments to protect “cardholder data” within the “cardholder data
environment”. The cardholder data environment will cover emails, PST files and archives, if these
contain cardholder data. The issues within PCI DSS are primarily about security, retention and
deletion of cardholder data, which by extension require good systems and operations for the
management of email if email contains cardholder data. An email archive, which provides a
structured, managed environment for email, will facilitate compliance with PCI DSS, if email forms
part of the cardholder data environment.
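The PCI DSS point above turns on a practical question: can the organisation tell which emails, PST files or archived messages actually contain cardholder data? The following Python script is an added illustration (it is not from this White Paper, the PCI Security Standards Council or any archiving product) of how an email archive or gateway can classify a message. It walks every text part of a MIME message, attachments included, looks for candidate primary account numbers, confirms them with the Luhn check so that order references and phone numbers are not flagged, and reports them masked to the first six and last four digits. The sample message and file names are constructed; the card numbers in it are published test numbers, not real accounts.

```python
"""Detect cardholder data in an email so the message can be handled as part
of the cardholder data environment.

Added illustration, not from the white paper or the PCI SSC: a gateway or
archive classifier looks for candidate PANs in every text part of a message
(attachments included), confirms them with the Luhn check so that order and
phone numbers are not flagged, and reports them masked as PCI DSS allows.
The sample message is constructed; the card numbers are published test
numbers, not real accounts.
"""
from __future__ import annotations

import re
from email import message_from_string
from email.message import Message

# 13 to 19 digits, optionally separated by single spaces or dashes, not embedded in a longer run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: every second digit from the right is doubled, 9 subtracted if > 9."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep at most the first six and last four digits, as PCI DSS permits for display."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> list[str]:
    """Masked PANs in text; digit runs that fail Luhn (order numbers, phone numbers) are dropped."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(mask_pan(digits))
    return found


def text_parts(msg: Message):
    """Yield (part name, decoded text) for each text/* part, attachments included."""
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        payload = part.get_payload(decode=True) or b""
        text = payload.decode(part.get_content_charset() or "utf-8", "replace")
        yield part.get_filename() or part.get_content_type(), text


def scan_message(raw: str) -> dict[str, list[str]]:
    """Map each text part containing cardholder data to its masked PANs; empty dict if clean."""
    hits = {}
    for name, text in text_parts(message_from_string(raw)):
        pans = find_pans(text)
        if pans:
            hits[name] = pans
    return hits


# Constructed sample: a body with a test card number and a phone number, plus a CSV attachment.
SAMPLE_EML = """\
From: bookings@example.invalid
To: finance@example.invalid
Subject: Card payment for order 1234567890123
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Customer paid with card 4111 1111 1111 1111; call 0161 234 5678 with queries.
Order reference 1234567890123.
--b1
Content-Type: text/csv; charset="utf-8"
Content-Disposition: attachment; filename="refunds.csv"

name,pan
A Customer,5555555555554444
--b1--
"""

if __name__ == "__main__":
    print(scan_message(SAMPLE_EML))
```

A message for which `scan_message` returns a non-empty result is inside the cardholder data environment and should be routed to storage that meets the PCI DSS retention and deletion rules; the 13-digit order reference in the sample fails the Luhn check and is correctly ignored, which is why the checksum step matters for keeping false positives down.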
Equality Act
The Equality Act 2010 unifies rules on equality in one piece of legislation. It affects both the public
and private sector. In terms of the public sector, it imposes duties of equality in the provision of
public services and also requires public authorities to consider equality issues during strategic
developments.
The Act will clearly impact on the use and retention of emails. Public authorities and private sector
organisations should review the extent to which email can take a part in the development of strategy
and in committing equality offences, ensuring that they retain email that evidences legal compliance
and prohibit email use that can be discriminatory.
Bribery Act
The Bribery Act 2010 creates new criminal offences of bribery. These include the offences of
committing bribery, being bribed and preventing bribery. These offences can be committed through
the use of email. Again, organisations should review the extent to which email can take a part in
committing bribery offences, ensuring that they retain email that evidences legal compliance and
prohibit email use that can be criminal.
Part 7
Critical legal obligations for disclosure as they arise within
criminal and civil litigation
In litigation duties of disclosure apply. These duties attach to electronic documents, including email.
The parties to litigation need to ensure that they are able to give adequate disclosure, but where
they lack adequate systems for the management of email, which includes for search and retrieval,
the disclosure process can be problematic for them.
Criminal litigation
In criminal cases the prosecution’s duty to give disclosure is fundamental to a fair trial. In the case of
R v. H & C [2004] the House of Lords said “fairness ordinarily requires that any material held by the
prosecution which weakens its case or strengthens that of the defendant, if not relied on as part of
its formal case against the defendant, should be disclosed to the defence.” The right to a fair trial
also covers the investigatory process; the investigator should pursue all reasonable lines of enquiry
and should secure and preserve relevant evidence.
The investigator’s duties apply also to information that they generate during the course of the
investigation. Naturally, this extends to email. The retention period is the duration of the case,
which extends to cover the time for appeals against conviction or sentence. The Crown Prosecution
Service’s Disclosure Manual specifically states that emails should be recorded, retained and revealed
in the same way as other relevant material.
Civil litigation
The disclosure regime in civil litigation focuses on documents. The purpose of disclosure is to
confirm whether documents do exist, or have existed. After the disclosure exercise has been
performed the inspection exercise will take place. In other words, inspection is the process by which
documents are actually delivered up.
The disclosure and inspection regime is governed by the Civil Procedure Rules. Rule 1, which is called
the overriding objective, requires cases to be dealt with justly. Among other things, the court is
required to ensure that the case does not get out of hand, which includes in terms of cost and
expense. This means that the disclosure and inspection exercise should be proportionate to both the
issues under analysis and the money at stake.
The meaning of “document”
The meaning of document is dealt with by Rule 31.4, which says that a document “means anything in
which information of any description is recorded”. In October 2005 a new Practice Direction was
issued, which clarified that the meaning of document extends to “electronic documents, including
email and other electronic communications”. The Practice Direction then went on to confirm that
the meaning of document extends to “documents that are stored in servers and back-up systems and
electronic documents that have been deleted.” Finally, the Practice Direction confirmed that the
meaning of document “also extends to additional information stored and associated with electronic
documents known as metadata.”
Of course, the meaning of document extends to cover all of the electronic information within an
email management tool, such as diary and calendar entries and notes. These documents are all
disclosable, if they are relevant to the litigation, and will be subject to the duty of preservation. All of
the discussion here applies equally to these documents.
Disclosure of deleted emails
Regarding the obligation to give disclosure of deleted data, the reasoning was set out in an earlier
report of the Commercial Court, The Creswell Report, which said that a “deleted document may not
be necessarily destroyed as it may continue to exist in the form of residual data.” The Creswell
Report said the following about the disclosure obligations as they apply to email:
“Where the issue is whether a party received an email it will be appropriate for a search
to be undertaken of an email account. If emails have been deleted it may even be
appropriate to expect a party to obtain expert assistance to see if any record can be
traced on the hard drive. However, in a straightforward case it would be rarely
appropriate to expect a party to go through the time and expense of attempting to
retrieve emails deleted from the system. The court may make an order requiring
disclosure of electronic information containing specified words or strings and thus define
the extent of an electronic search.”
From this passage we establish that in “straightforward” cases the court will not order the disclosure
of deleted emails. This makes perfect sense, because in straightforward cases the court will not be
assisted by the retrieval of deleted email. For example, if the original issue at the heart of the case
was whether an email contained particular words or phrases, there might be other ways of proving
that it did, perhaps through the oral testimony of people who read the email. In this example, the
issue is a straightforward one and the deleted email will not be necessary.
But the starting point is that deleted emails are disclosable. That is the position that litigants need to
address first. The Creswell Report’s observations about the disclosure of deleted emails in
straightforward cases should not be taken to mean that the civil litigation system is “rewarding”
organisations that are haphazard with emails, or who implement blanket deletion policies. The
“General Principles” for e-discovery as contained in the current version of the Practice Direction put
the Creswell Report’s comments in their proper context:
1. “Electronic Documents should be managed efficiently in order to minimise the cost
incurred;
2. Technology should be used in order to ensure that document management activities are
undertaken efficiently and effectively;
3. Disclosure should be given in a manner which gives effect to the overriding objective;
4. Electronic Documents should generally be made available for inspection in a form which
allows the party receiving the documents the same ability to access, search, review and
display the documents as the party giving disclosure; and
5. Disclosure of Electronic Documents which are of no relevance to the proceedings may place
an excessive burden in time and cost on the party to whom disclosure is given.”
As can be seen the law expects litigants to manage their electronic documents properly, with
appropriate technologies. The whole point of disclosure is to serve the overriding objective within
litigation, which is to do justice. A straightforward case will include one where the deleted emails are
of no relevance, but where the deleted emails are of relevance and are required to do justice, the
disclosure obligation will bite.
Duty of search
Litigants are under a duty to conduct a reasonable search for documents, including emails. The Civil
Procedure Rules identify the following factors as being relevant to the reasonableness of a search:
“The factors that may be relevant in deciding the reasonableness of a search for Electronic Documents
include (but are not limited to) the following:
1. The number of documents involved;
2. The nature and complexity of the proceedings;
3. The ease and expense of retrieval of any particular document. This includes:
a) The accessibility of Electronic Documents including e-mail communications on computer
systems, servers, back-up systems and other electronic devices or media that may contain
such documents taking into account alterations or developments in hardware or software
systems used by the disclosing party and/or available to enable access to such documents;
b) The location of relevant Electronic Documents, data, computer systems, servers, back-up
systems and other electronic devices or media that may contain such documents;
c) The likelihood of locating relevant data;
d) The cost of recovering any Electronic Documents;
e) The cost of disclosing and providing inspection of any relevant Electronic Documents; and
f) The likelihood that Electronic Documents will be materially altered in the course of recovery,
disclosure or inspection;
4. The availability of documents or contents of documents from other sources; and
5. The significance of any document which is likely to be located during the search.”
As regards the duty of search as it applies to electronic documents, the Practice Direction says:
“It may be reasonable to search some or all of the parties’ electronic storage systems. In some
circumstances, it may be reasonable to search for electronic documents by means of keyword
searches (agreed as far as possible between the parties) even where a full review of each and
every document would be unreasonable. There may be other forms of electronic search that
may be appropriate in particular circumstances.”
The essence of the rules on search is that the court will decide questions of reasonableness and the
extent of the search that is required on a case-by-case basis. However, it is clearly established within
the Practice Direction that “the primary source of disclosure of Electronic Documents is normally
reasonably accessible data”, which acts as the baseline in most cases. If a litigant considers that
further disclosure is required beyond that which is reasonably accessible it “must demonstrate that
the relevance and materiality justify the cost and burden of retrieving and producing it.” If evidence
produced supports a more detailed search, the court will make the relevant orders, so as to bring
into scope deleted data.
Of course, what is “normally reasonably accessible” is an objective question: a litigant cannot hide
behind their bad systems and operations to excuse delivering up email. Email itself is normally
reasonably accessible and so it must be searched, for example by key word. However, if the litigant
does not manage its email properly so as to make the search more burdensome for itself, that is a
problem that the litigant will have to bear. Consequently, it is clear that the installation of an email
archive is in the self-interest of the litigant, because it makes the search so much easier to perform.
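The keyword search that the Practice Direction contemplates is easy to get wrong in two ways that matter for disclosure: searching the raw stored bytes misses bodies that are base64 or otherwise encoded, and a search that does not record the metadata and an integrity hash of each hit gives the other side no way to check that documents were not materially altered between search and inspection (factor 3(f) above). The Python script below is an added example, not code from this White Paper or from any archiving product, showing a search over decoded message bodies with both of those points handled, beside a naive raw-bytes search for contrast. The mailbox, addresses and agreed keywords are constructed for the example.

```python
"""Keyword search of an email archive for civil disclosure.

Added illustration, not from the white paper: agreed keywords are run over
decoded message bodies rather than raw transport bytes (a base64-encoded
body defeats a plain grep), each hit records the metadata the Practice
Direction treats as part of the document, and a SHA-256 of the untouched
original lets the parties later show the document was not altered between
search and inspection. The mailbox below is constructed for the example.
"""
from __future__ import annotations

import base64
import hashlib
import re
from email import message_from_bytes
from email.message import Message


def body_text(msg: Message) -> str:
    """Concatenate every decoded text part so encoded bodies are searchable."""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def _patterns(keywords: list[str]) -> list[re.Pattern]:
    # Whole-word, case-insensitive; re.escape keeps punctuation in agreed terms literal.
    return [re.compile(r"\b" + re.escape(k) + r"\b", re.IGNORECASE) for k in keywords]


def keyword_search(mailbox: list[bytes], keywords: list[str]) -> list[dict]:
    """One hit record per message whose subject or decoded body contains an agreed keyword."""
    patterns = _patterns(keywords)
    hits = []
    for raw in mailbox:
        msg = message_from_bytes(raw)
        haystack = (msg.get("Subject", "") or "") + "\n" + body_text(msg)
        matched = [k for k, p in zip(keywords, patterns) if p.search(haystack)]
        if matched:
            hits.append({
                "message_id": msg.get("Message-ID"),
                "date": msg.get("Date"),
                "from": msg.get("From"),
                "matched": matched,
                "sha256": hashlib.sha256(raw).hexdigest(),  # of the original bytes, pre-inspection
            })
    return hits


def naive_raw_search(mailbox: list[bytes], keywords: list[str]) -> list[str]:
    """Grep over raw bytes, shown for contrast: it misses encoded bodies."""
    patterns = _patterns(keywords)
    return [message_from_bytes(raw).get("Message-ID") for raw in mailbox
            if any(p.search(raw.decode("utf-8", "replace")) for p in patterns)]


def verify_unaltered(raw: bytes, recorded_sha256: str) -> bool:
    """True if the copy produced for inspection matches the hash taken at search time."""
    return hashlib.sha256(raw).hexdigest() == recorded_sha256


def _message(msg_id: str, subject: str, body: bytes, encode_base64: bool = False) -> bytes:
    """Build a constructed RFC 822 message; the body is optionally base64-encoded."""
    headers = ("From: ops@example.invalid\nTo: legal@example.invalid\n"
               "Date: Tue, 02 Mar 2010 09:15:00 +0000\n"
               f"Message-ID: {msg_id}\nSubject: {subject}\n"
               "Content-Type: text/plain; charset=\"utf-8\"\n")
    if encode_base64:
        return ((headers + "Content-Transfer-Encoding: base64\n\n").encode()
                + base64.b64encode(body) + b"\n")
    return (headers + "\n").encode() + body + b"\n"


# Constructed mailbox: one plain-text hit, one base64-encoded hit, one irrelevant message.
MAILBOX = [
    _message("<b1@example.invalid>", "Delivery schedule", b"The shipment is delayed until March."),
    _message("<b2@example.invalid>", "Contract draft",
             b"Please review the penalty clause before signing.", encode_base64=True),
    _message("<b3@example.invalid>", "Friday", b"Lunch on Friday?"),
]
KEYWORDS = ["shipment", "penalty clause"]   # the terms agreed between the parties

if __name__ == "__main__":
    for hit in keyword_search(MAILBOX, KEYWORDS):
        print(hit)
    print("raw grep finds only:", naive_raw_search(MAILBOX, KEYWORDS))
```

On the constructed mailbox the decoded search returns both relevant messages while the raw grep returns only the first; a litigant relying on the latter would give incomplete disclosure without knowing it. The hash recorded at search time is what a properly managed archive gives you for free, and it is the simplest answer to a later allegation that a produced email was altered.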
Part 8
Examples of retention laws and retention periods
There are literally thousands of obligations for records keeping that apply across the public and
private sectors. Many are found in legislation, but many more are based around principles of
limitation for the bringing of court proceedings. In the public sector the principal custodian of
responsibility for retention periods is The National Archives.
Do emails fall within the scope of the records requirements discussed in this section?
As discussed in Part 4 the question whether an email can be a record so as to fall within the scope of
the retention periods discussed below depends upon the content of the email and whether the
content, or how the email has been used, has legal significance; this is judged by reference to the
legal question under analysis and it can very often be exceptionally difficult for the organisation to
work out whether an email should be retained or deleted. For example, if an email provides the only
accounting record it should be retained as an accounting record, but, of course, if the email merely
contains a duplicate of other information it may not have to be retained for the purpose of
accounting records keeping.
Thus the question of retention/deletion is fact sensitive. For this reason we advise organisations to
put in place policies for the use of email, which should be aligned with records management policies
and technologies for email management.
The danger for the organisation lies in formulating a deletion policy that is built in isolation of
knowledge about how its email system is used, because that could result in the deletion of materials
that should be retained (whether as part of a record, or for the purposes of litigation, or for some
other purpose).
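The contrast drawn above, between a deletion policy built in isolation and one aligned with the purposes email is used for, is easiest to see in code. The following Python is an added illustration, not from this White Paper or any vendor: a blanket age-based deletion rule is placed beside a policy that derives each email's retention date from every purpose it served (the longest applicable period wins), treats an email that merely duplicates a primary record as not itself the record, and lets a litigation hold override everything. The schedule entries mirror public-sector periods quoted later in this Part (petty cash, FOIA case files, contractor reports, hazardous-substance exposure); the classification of each email by purpose is assumed to come from the archive rather than from the individual user, and the sample messages and dates are constructed.

```python
"""Purpose-based retention decisions for archived email.

Added illustration, not from the white paper: a blanket age-based deletion
rule is shown beside a policy that derives each email's retention date from
the purposes it served and respects a litigation hold. The schedule mirrors
public-sector periods quoted later in this Part; the classification of each
email by purpose is assumed to come from the archive, not the user.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date

# purpose -> (event the period runs from, years to retain). Illustrative values.
SCHEDULE: dict[str, tuple[str, int]] = {
    "petty_cash": ("end_of_financial_year", 2),
    "foi_case_file": ("created", 3),
    "contractor_report": ("end_of_contract", 2),
    "hazard_exposure": ("created", 40),
}


@dataclass
class Email:
    msg_id: str
    created: date
    purposes: list[str]                                    # assigned by the archive's classifier
    events: dict[str, date] = field(default_factory=dict)  # trigger dates other than creation
    duplicate_of_primary_record: bool = False              # secondary evidence only


def add_years(d: date, years: int) -> date:
    """Add whole years; 29 February rolls back to 28 February in a non-leap target year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def blanket_policy_says_delete(mail: Email, today: date, max_age_days: int = 90) -> bool:
    """The rule the text warns against: delete anything older than N days, whatever it is."""
    return (today - mail.created).days > max_age_days


def retain_until(mail: Email) -> date | None:
    """Latest retention date across every purpose the email served, or None if none applies."""
    latest: date | None = None
    for purpose in mail.purposes:
        trigger, years = SCHEDULE[purpose]
        start = mail.created if trigger == "created" else mail.events[trigger]
        end = add_years(start, years)
        if latest is None or end > latest:
            latest = end
    return latest


def may_delete(mail: Email, today: date, litigation_hold: set[str]) -> bool:
    """Purpose-based rule: a hold always wins; otherwise delete only after the longest period."""
    if mail.msg_id in litigation_hold:
        return False                 # disclosure duties bite on deleted email too
    if mail.duplicate_of_primary_record:
        return True                  # the record lives elsewhere; the email is not the record
    until = retain_until(mail)
    return until is None or today > until


# Constructed sample messages, dated around this paper's publication.
TODAY = date(2010, 11, 1)
PETTY_CASH = Email("e1", date(2009, 5, 10), ["petty_cash"],
                   events={"end_of_financial_year": date(2010, 3, 31)})
SOCIAL = Email("e2", date(2010, 6, 1), [])
MULTI = Email("e3", date(2010, 1, 15), ["petty_cash", "hazard_exposure"],
              events={"end_of_financial_year": date(2010, 3, 31)})
COPY = Email("e4", date(2010, 2, 1), ["foi_case_file"], duplicate_of_primary_record=True)

if __name__ == "__main__":
    for m in (PETTY_CASH, SOCIAL, MULTI, COPY):
        print(m.msg_id, "blanket:", blanket_policy_says_delete(m, TODAY),
              "purpose-based:", may_delete(m, TODAY, {"e2"}), "until:", retain_until(m))
```

The 90-day rule deletes the petty cash email, which is the only accounting record of that transaction, in its second year; the purpose-based rule keeps it to March 2012, keeps the multi-purpose email for 40 years because the longest period governs, and keeps the social email only while it is on hold. Everything turns on the `purposes` classification being done by the archive from content and use, which is precisely why the text ties the deletion policy to records management rather than to the user's inbox.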
Retention periods and the Freedom of Information Act
The critical issue to understand with regard to the Freedom of Information Act is that it does not set
any retention periods for documents. Instead, what it requires is for the public authority to put in
place a records management policy that gives effect to all of its legal obligations, as they arise under
records management law, under regulation, under litigation, under contract or under some other
legal duty. The general access request itself then bites on recorded information.
Connected to this point is the fact that it is a criminal offence under the Act for a public authority to
delete or destroy information in order to avoid the application of the general access request.
Consequently, public authorities need to look beyond the Freedom of Information Act to understand
their records keeping obligations and the retention periods that apply.
Public sector
The National Archives has published guidance on retention periods for government departments,
agencies and public authorities. All of the guidance applies to electronic documents, including email.
Interesting retention periods to note include the following:
• Accounting records: Petty cash records shall be kept for 2 years from the end of the financial
year in which they are created.[21]
• Freedom of Information Act: Case file records detailing the FOIA request, including the
consideration of possible exemptions and dealing with subsequent appeals; 3 years after the
date of creation.[22]
• Projects records: Project Initiation Documents; 10 years after completion of project, but for
major projects 25 years.[23]
• Information management records: Correspondence and documents relating to the
compilation of disposal schedules; 10 years.[24]
• Complaints records: Investigations into complaints that form part of the case record; 10
years.[25]
• Press and public relations: Correspondence with the media; 7 years.[26]
• Contractual records: Reports from contractors delivered for the purposes of contract
operation and monitoring; 2 years from the end of the contract.[27]
• Health and safety: Records about exposure of persons to hazardous substances in the
workplace; 40 years.[28]
These are just illustrations of records keeping obligations. In order to understand the totality of the
obligations the organisation needs to review The National Archives guidance and apply it to its email
use. If the email touches upon the subject matter of the records retention period (whether as a
result of its content, or the purpose for which it has been used), then the retention obligation will be
engaged. The public authority then needs to exercise caution in the development of its records
management policy and procedures.
[21] http://www.nationalarchives.gov.uk/documents/sched_accounting.pdf
[22] http://www.nationalarchives.gov.uk/documents/foi_sched_retention.pdf
[23] http://www.nationalarchives.gov.uk/documents/sched_projects.pdf
[24] http://www.nationalarchives.gov.uk/documents/sched_info_management.pdf
[25] http://www.nationalarchives.gov.uk/documents/sched_complaints.pdf
[26] http://www.nationalarchives.gov.uk/documents/sched_press.pdf
[27] http://www.nationalarchives.gov.uk/documents/sched_contractual.pdf
[28] http://www.nationalarchives.gov.uk/documents/sched_health_safety.pdf
Of course, if the public authority is involved in litigation, the duty of preservation of evidence and the
duty of disclosure will apply, as they apply to any litigant, and if the subject matter of the litigation
demands, these duties will apply to email.
Education
JISC, the Joint Information Systems Committee, which is funded by the UK’s Higher Education and
Further Education Funding Council, has published a detailed records retention framework for Higher
Education and Further Education Institutions.[29] This identifies over 850 different categories of data
for which retention periods are set. The retention periods fall within the following categories:
• Corporate management.
• Corporate resources.
• Corporate relations.
• Related companies.
• Commercial services.
• Corporate services.
• Student services.
• Business units.
Users of the JISC framework will find that it is densely packed with information. However, the word
“email” is not used once, despite there being over 850 retention obligations. Instead, the framework
is based around “activities”. It therefore follows that if the activity that is regulated extends to email,
then the retention obligation will extend to email.
To illustrate the point, consider the example of “Commercial Services Strategies” and the institution’s
activities involved in developing its strategies in this area. The framework advises that working
documents relating to the following activities should be retained for 1 year after the issuing of the
strategy:
“Activities include: identifying requirements for new/revised strategy; undertaking research;
developing strategy proposals; consulting on strategy proposals; reviewing and revising
strategy proposals in the light of comments received; drafting strategy documents; consulting
on strategy documents; reviewing draft strategy documents in the light of comments
received; producing final strategy documents; submitting final strategy documents for formal
endorsement; formally endorsing strategy documents; disseminating strategy documents;
reviewing strategy.”
The expansive nature of the activities that fall within this retention obligation is such that it will
clearly capture emails, if emails were used to consult on strategy, or if emails were used for the
delivery of comments upon strategy etc. It is therefore only natural to conclude that it is highly likely
that this retention period will extend to email.
When the totality of the JISC framework is considered, there is only one sustainable conclusion for
educational institutions: their email system is bound to be subject to retention obligations, so as to
render a blanket, short deletion policy fundamentally unacceptable.
Another example within the framework concerns the work of non-statutory committees in
educational institutions, where there is a 6 year retention period for activities involved in
administering the work of these committees. The records that need to be kept are:
“Records documenting the conduct of the business of a committee: correspondence and
other records relating to the preparation of committee business or to actions to be taken (or
not taken) as a result of committee decisions.”
Clearly, the use of the word correspondence covers email, so as to give rise to a 6 year retention
period for emails that document the work of non-statutory committees.
[29] http://www.jiscinfonet.ac.uk/partnerships/records-retention-he/hei-rrs-pla
Police service
The Association of Chief Police Officers has published guidance on the retention of records on the
Police National Computer.[30] This forms part of the Code of Practice for the Management of Police
Information. Once a record is created on the PNC, it will be retained until the person’s 100th
birthday, and then deleted.
Where a record is part of a case file, which can include an email, these will be subject to a minimum
retention period of 6 years under the Police and Criminal Evidence Act.[31] The retention period will be
extended where there is a criminal prosecution and conviction, to cover the period during which an
appeal can be brought, or for the duration of the sentence, whichever is longer.
Ambulance service
The Ambulance Services follow the retention rules of the NHS.[32] See below.
Health
The NHS has published a Code of Practice for the Retention of Records Management.[33] The
information below is extracted from the NHS website.[34]
• GP records: Until 10 years after the patient's death or after the patient has permanently left
the country, unless the patient remains within the European Union. (Exceptions are patients
serving in the armed forces or serving a prison sentence, when the records must not be
destroyed.)
• GP records relating to children and young people (including paediatric and vaccination
records) - until the patient's 25th birthday, or 26th birthday if an entry was made when the
young person was 17; or 10 years after the patient's death, if sooner.
• Dental records: 11 years for adults. For children, 11 years or until the patient is 25 years old,
whichever is the longer.
• Ophthalmic (eye) records: 11 years for adults. For children, 11 years or until the patient is 25
years old, whichever is the longer.
• Children and young people (all types of records relating to children and young people) -
retain until the patient's 25th birthday, or 26th if the young person was 17 at conclusion of
treatment; or eight years after death if sooner.
• Immunisation and vaccination records: For children and young people, retain until the
patient's 25th birthday or 26th if the young person was 17 at conclusion of treatment. For
adults, retain until 10 years after conclusion of treatment.
• Maternity records: 25 years after last birth.
• Records relating to persons receiving treatment for a mental disorder within the meaning of
the Mental Health Act 1983 - 20 years after the date of last contact between the patient and
any healthcare provider, or eight years after the patient's death if sooner.
Again, when considering whether an email needs to be retained, the critical issue is the content of
the email and the purpose for which the email is used. If the email constitutes secondary evidence
(i.e., there is a more appropriate primary source of evidence), then the email itself may not have to
be retained.
It is also important to bear in mind that IT systems may not be able to identify the character or
purpose of any particular email at the point of creation. This creates a dilemma for the organisation,
because it needs to avoid falling into the trap of encouraging “user defined” retention and deletion,
whereby email users themselves are responsible for making decisions on these issues. The way
around this dilemma is to understand the purpose for which email is to be used and then define a
retention/deletion policy based around that purpose which is supported by an email archiving
solution.
The National Archives has also published guidance on records retention in the health service.[35]
Private sector retention issues
The private sector also faces retention obligations. In addition to the Data Protection Act and
litigation issues, the following example issues should be noted, all of which can bite on email.
[30] http://www.acpo.police.uk/asp/policies/Data/Retention%20of%20Records06.pdf
[31] http://www.southyorkshire.police.uk/foi/publicationscheme/policiesandprocedures/active/292007
[32] http://www.worcestershirehealth.nhs.uk/EXTRANET_Library/npfit_prog_board/agendas/2005_6/06_sep/wictp_a_0509_07g.doc
[33] http://www.dh.gov.uk/en/Publicationsandstatistics/Publications/PublicationsPolicyAndGuidance/DH_4131747
[34] http://www.nhs.uk/chq/Pages/1889.aspx?CategoryID=68&SubCategoryID=160
http://www.eastlondon.nhs.uk/uploads/documents/recordretentionschedulesnew.pdf
[35] http://www.nationalarchives.gov.uk/documents/sched_public.pdf
Tax, pay and employee records
Companies that are required to deliver a tax return must keep relevant records for six years following
the end of the tax period to which the return relates.[36] The records which must be kept are those
that are “needed to enable it to deliver a correct and complete return for the period”.
• VAT records must be kept for six years.[37]
• Wages and salary records must be kept for six years after the end of the tax period to which
they apply.[38]
• “PAYE” income tax records must be kept for three years following the end of the financial
year to which they relate.[39]
• National Insurance Contributions records must be kept for three years following the end of
the tax year to which they relate.[40]
• Statutory Maternity Pay (“SMP”) records must be kept for three years following the end of
the tax year in which the benefit was paid.[41]
• Statutory Sick Pay (“SSP”) records must be kept for three years following the end of the tax
year in which the benefit was paid.[42]
There are many employee records that should be kept as a matter of good practice, but for which
there are no defined statutory retention periods. This absence of statutory rules leaves companies
with a dilemma that many have solved by reference to the limitation periods for the commencement
of legal proceedings contained in the Limitation Act 1980. The Chartered Institute of Personnel and
Development (“CIPD”) has considered the Limitation Act in making the following recommendations
on retention periods:
• Actuarial valuation reports: Permanent retention.
• Application forms and interview notes (for unsuccessful candidates): One year retention.
• Assessments under Health and Safety Regulations and records of consultations with safety
representatives and committees: Permanent retention.
• Inland Revenue approvals: Permanent retention.
• Money purchase details: Six years retention commencing after transfer or value taken.
• Parental leave: Five years retention from the date of birth/adoption of the child, or 18 years
retention if the child receives a disability allowance.
• Pension scheme investment policies: 12 years retention commencing from the ending of any
benefit payable under the policy.
• Pensioners’ records: 12 years retention from the date that benefits cease to be paid.
• Personnel files and training records (including disciplinary records and working time records):
Six years retention commencing from the date of termination of employment.
• Redundancy details, calculations of payments, refunds, notification to the Secretary of State:
Six years retention commencing from the date of redundancy.
• Senior executives’ records: Permanent retention as historical records.
• Time cards: Two years retention, commencing from the date of last audit.
• Trade union agreements: 10 years retention commencing from the date when the
agreements cease to have effect.
• Trust deeds and rules: Permanent retention.
• Trustees’ minute books: Permanent retention.
• Works council minutes: Permanent retention.
[36] Finance Act 1998, Schedule 18, Part III, para. 21.
[37] VAT Act 1994, Schedule 11, para. 6.
[38] Taxes Management Act 1970, section 12B.
[39] The Income Tax (Pay As You Earn) Regulations 2003, Regulation 97(8).
[40] The Social Security (Contributions) Regulations 2001, Schedule 4, paras. 7(15) & 26(6).
[41] The Statutory Pay (General) Regulations 1986, Regulation 26.
[42] The Statutory Sick Pay (General) Regulations 1982, Regulation 13.
Private sector and regulatory frameworks
The private sector should also seek to identify all of the regulatory frameworks that apply to its
operations, as these will contain retention and disclosure obligations that can bite on email.
• Health and Safety Executive: Section 20 of the Health and Safety at Work Act gives the HSE
the right to enter and inspect premises for the purpose of carrying into effect any of their
relevant statutory provisions. This power gives them the right to inspect and take copies of
documents, including email, and interview members of staff. HSE can call for the delivery-up
of documents if they are not readily available, which obviously extends to email.
• Financial Services: The FSA has considerable powers under the Financial Services and
Markets Act to carry out investigations, which includes the power to require the production
of documents and to require persons to take part in interviews.
• Office of Fair Trading: The OFT has powers to investigate suspected infringements of
competition law. These powers enable them to obtain documents and information from
businesses suspected of committing an infringement. Failure to co-operate with an
investigation, including obstructing an investigation or hiding, destroying or falsifying
documents is a criminal offence punishable
It is beyond the scope of this White Paper to identify all of the regulatory regimes that apply in the
private sector. The best advice that can be given is that private bodies should identify their relevant
regulatory frameworks, as these are bound to contain retention and disclosure obligations that bite
on.
Part 9
Cases involving the mishandling of email
Emails and defamation
As a communication medium, email provides a perfect vehicle for committing libels. For example, in
the case of Gentoo Group Ltd v. Hanratty [2008] the claimant, who was a social landlord, sued for
compensation for defamation, following an email campaign that the defendant conducted against it.
Emails and data protection
As a communication medium, email also provides a perfect vehicle for breaching security and
personal data rights. The Information Commissioner has enforced the security principle within the
Data Protection Act against controllers who have mistakenly sent emails containing personal data to
the wrong people.
In January 2008 the Information Commissioner took regulatory enforcement action against Carphone
Warehouse, for breach of the security principle within the Data Protection Act. Carphone
Warehouse mistakenly emailed customer data to the wrong people. The Information Commissioner
ordered Carphone Warehouse to implement appropriate technical measures to prevent the
mistaken sending of data by email.
In April 2009 the Information Commissioner took regulatory enforcement action against Manchester
University, for breach of the security principle within the Data Protection Act. An employee at
Manchester University mistakenly sent a spreadsheet containing personal data on 1700 students to
400 recipients. The Information Commissioner ordered Manchester University to train its staff on
the correct use of email and data sharing.
In February 2010 the Information Commissioner took regulatory enforcement action against
Redstone Mortgages, for breach of the security principle within the Data Protection Act. In error
data relating to 15,333 mortgage customers was emailed to a member of the public. The data was
not encrypted, or password protected. The Information Commissioner ordered that all emails and
reports containing personal data, the loss of which could cause damage and/or distress, must be
password protected before being sent outside of the data controller’s network.
Emails providing evidence of breaches of the Freedom of Information Act
In January 2010 the “Climate Change Data Scandal” dominated international news reporting. At the
heart of this story was the allegation that scientists at the University of East Anglia had withheld
information about climate change that should have been disclosed in response to a Freedom of
Information Act general access request. The scandal was exposed by a person who stole emails that
revealed concerted efforts to delete email data [43].
Emails as evidence in matrimonial proceedings
Emails regularly appear as evidence in matrimonial proceedings. However, in April 2010, in the case
of Tchenguiz v Imerman, the Court of Appeal stressed the importance of respecting privacy in emails.
[43] http://www.timesonline.co.uk/tol/news/environment/article7004936.ece
Part 10
The new legal framework for data security
Since 2007 the UK has been engaged in building a new legal framework for data security. The
catalyst to this work was a series of high profile cases about security breaches and data loss
throughout 2006, 2007 and 2008. One of the most prominent examples concerned Her Majesty’s
Revenue and Customs, which revealed in November 2007 that it had lost two data disks containing
an entire copy of the child benefit database. This event is considered by many to have damaged the
public’s trust in the government of the day.
The new legal framework for security includes legislative changes to the Data Protection Act, new
government policies and new regulatory guidance. When these areas of the law are read together
with decisions in regulatory enforcement cases and standards for best practice, it is clear that
organisations need to put in place systems and operations to ensure the security and confidentiality
of email. Among other things they should:
• Create an Acceptable Use Policy governing how email can be used and for what purposes.
• Assess the use of email, to understand the risk issues involved. For example, is the email
system being used to move sensitive or confidential information?
• Assess whether the users of email understand their duties and obligations.
• Assess whether the use of email can be restricted.
• Monitor the use of email.
An organisation that fails to control the use of email embeds a significant risk of operational failure
into its daily activities. In the event of failure there can be considerable negative consequences,
including damage to brand and reputation, litigation brought by affected parties and regulatory
investigations. In the context of regulatory investigations, as previously mentioned, the Information
Commissioner now has the power to fine data controllers up to £500,000 for data security failures.
Data security and the impact for email retention
An organisation that appreciates security risks as they apply to email will want to put in place
systems and operations to contain and mitigate risks. One of the critical steps is to ensure a safe and
secure environment for the retention of email. Such an environment will look very similar to the one
described earlier for records keeping.
Part 11
The core functionality of an email archiving system
A lawyer will look for the following key functionality within an email archiving tool:
• Full search: All data within the email archive, including metadata, should be searchable. The
system should be capable of searching calendar items, notes, contacts, any items altered
within the mailbox or any items added to folders that did not originate as incoming (internal
or external) email. An inability to access such items would not enable full search/disclosure
and would therefore not be acceptable for compliance or litigation purposes.
• Targeted search: The archive should support fully targeted searches, allowing searches to be
performed by key words and phrases, date ranges and file types. The message fields, body
and attachments should be searchable, to enable searches to be conducted against body
content, attachment content, sender and recipient identities.
• Scheduled search: The archive should support scheduled searches, to enable periodic, regular
searching.
• Customisable tags: It should be possible to apply customisable tags to files. For example,
the user might want to mark a file as privileged from disclosure.
• De-duplication: The system should allow for data de-duplication, enabling the weeding out
of duplicate files.
• Legal hold: It should be possible to place files on legal hold, to prevent deletion.
• Export and production: The system should enable the export and production of attachment
documents in their original file format. Emails should be in a readable format that does not
require additional systems such as a compatible mail system.
• Audit trail: The system should be capable of producing audit trail evidence of its use,
including when any email has been accessed and by whom.
• Non-deletion: It must be possible to guarantee that mail cannot be deleted from the email
system before it is archived.
• Case access: For confidentiality it must be possible to set up case-specific super-user access,
so that those users can only search the mailboxes of the specific users or groups that are
relevant to their eDiscovery exercise.
Of course, these features should build upon the requirements for best practice in records keeping.
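The features above interact: de-duplication must not discard a copy that another mailbox still relies on, a legal hold must override an administrator's delete, and case-scoped access must be enforced and audited at search time. The following is an added illustration in Python, written for this page; it is not Messaging Architects' product, nor code from the White Paper. The `Archive` class, its method names and the sample messages are all constructed for the example.

```python
"""Toy model of an email archive's compliance controls: content-hash
de-duplication, legal hold, case-scoped search and an audit trail.
Added illustration for this page; all names and sample data are constructed."""
from dataclasses import dataclass, field
from datetime import datetime
import hashlib


@dataclass
class Message:
    mailbox: str            # mailbox this copy was captured from
    sender: str
    recipients: tuple
    sent: datetime
    subject: str
    body: str
    attachments: dict = field(default_factory=dict)  # name -> bytes


class LegalHoldError(Exception):
    """Deletion attempted on an item under legal hold."""


class AccessDenied(Exception):
    """Search attempted outside the actor's case scope."""


class Archive:
    def __init__(self):
        self.items = {}     # content hash -> Message (stored once)
        self.owners = {}    # content hash -> mailboxes that held a copy
        self.tags = {}      # content hash -> set of tags
        self.holds = set()  # content hashes under legal hold
        self.scopes = {}    # case user -> mailboxes they may search
        self.audit = []     # (actor, action, detail), append-only

    def _log(self, actor, action, detail):
        self.audit.append((actor, action, detail))

    @staticmethod
    def fingerprint(msg):
        """Hash of the message content, independent of the capturing mailbox."""
        h = hashlib.sha256()
        for part in (msg.sender, ",".join(sorted(msg.recipients)),
                     msg.sent.isoformat(), msg.subject, msg.body):
            h.update(part.encode() + b"\0")
        for name in sorted(msg.attachments):
            h.update(name.encode() + b"\0" + msg.attachments[name])
        return h.hexdigest()

    def ingest(self, msg, actor="capture"):
        """Store the content once; duplicates only add a mailbox reference."""
        key = self.fingerprint(msg)
        if key not in self.items:
            self.items[key], self.owners[key], self.tags[key] = msg, set(), set()
        self.owners[key].add(msg.mailbox)
        self._log(actor, "ingest", key)
        return key

    def tag(self, key, label, actor):
        self.tags[key].add(label)           # e.g. "privileged"
        self._log(actor, "tag", f"{key}:{label}")

    def hold(self, key, actor):
        self.holds.add(key)
        self._log(actor, "hold", key)

    def delete(self, key, actor):
        """Legal hold wins over any actor, and the refusal itself is audited."""
        if key in self.holds:
            self._log(actor, "delete-refused", key)
            raise LegalHoldError(key)
        del self.items[key], self.owners[key], self.tags[key]
        self._log(actor, "delete", key)

    def grant_case_access(self, user, mailboxes):
        self.scopes[user] = set(mailboxes)

    def search(self, actor, term, start=None, end=None, mailboxes=None):
        """Case-scoped search over subject, body and attachments; every hit is audited."""
        allowed = self.scopes.get(actor, set())
        wanted = set(mailboxes) if mailboxes else allowed
        if not wanted <= allowed:
            self._log(actor, "search-denied", term)
            raise AccessDenied(sorted(wanted - allowed))
        hits = []
        for key, msg in self.items.items():
            if not self.owners[key] & wanted:
                continue
            if (start and msg.sent < start) or (end and msg.sent > end):
                continue
            text = "\n".join([msg.subject, msg.body] + [
                a.decode("utf-8", "ignore") for a in msg.attachments.values()])
            if term.lower() in text.lower():
                hits.append(key)
                self._log(actor, "access", key)
        return hits


def demo():
    """Constructed sample: one email captured from sender's and recipient's mailboxes."""
    arc = Archive()
    sent = datetime(2010, 3, 1, 9, 30)
    common = ("alice@example.test", ("bob@example.test",), sent, "Q1 figures",
              "See attached.", {"q1.csv": b"customer,balance\n"})
    k1, k2 = arc.ingest(Message("alice", *common)), arc.ingest(Message("bob", *common))
    arc.grant_case_access("reviewer", ["alice"])   # reviewer may see alice's mailbox only
    arc.tag(k1, "privileged", "reviewer")
    arc.hold(k1, "reviewer")
    try:
        arc.delete(k1, "admin"); deleted = True
    except LegalHoldError:
        deleted = False
    hits = arc.search("reviewer", "balance")       # attachment content is searchable
    try:
        arc.search("reviewer", "balance", mailboxes=["bob"]); denied = False
    except AccessDenied:
        denied = True
    return dict(single_copy=(k1 == k2 and len(arc.items) == 1),
                owners=sorted(arc.owners[k1]), deleted=deleted,
                hits=hits, denied=denied, audit=arc.audit)


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Running `demo()` shows the two captured copies collapse to one stored item owned by both mailboxes, the administrator's delete is refused while the hold stands (and the refusal is logged), the reviewer's search hits on attachment content, and the attempt to widen the search to a mailbox outside the case scope is denied and logged. The audit list records every ingest, tag, hold, access and refusal in order, which is the evidence a lawyer would later ask the system to produce.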
What are we driving at?
So why is this important to lawyers? The key point to remember is that the disclosure or discovery
exercise is required by law to deliver the quality and quantity of information that is prescribed by the
law, whether this be under litigation principles or regulatory principles, or otherwise. Thus, the
lawyer needs to see certain minimum features in an email archiving tool, otherwise the necessary
“guarantee” of legal compliance cannot be provided.
Part 12
About the author
Stewart Room is a partner in the Privacy and Information Law Group at Field Fisher Waterhouse LLP.
He is dual qualified as a barrister and a solicitor holding full Higher Court Rights of Audience, with
over 18 years’ experience as a litigator and advocate.
Stewart has considerable expertise and reputation in data protection and data security matters. He is
ranked as a Leading Individual for data protection by Chambers UK. Legal 500 2009 says that
Stewart’s “data protection and privacy prowess is recognised as being at the forefront of the field”.
Legal 500 2010 says “Stewart Room ‘has carved out a niche in data security’ and ‘has unparalleled
depth of knowledge’.”
In 2008 Stewart was named as the Financial Times Legal Innovator of the Year, for his work with IT
companies on Privacy Enhancing Technologies.
Stewart has contributed to various publications and has written three books on information law,
namely Data Protection and Compliance in Context (2006), Email: Law, Practice and Compliance
(2008) and Butterworths Data Security Law & Practice (2009). He was also the legal expert on the
Channel 4 Dispatches documentary ‘The Data Theft Scandal’, which exposed security failings in the
Indian call centre industry. He is a regular speaker at industry conferences on data protection and
data security, including the British Bankers Association annual data protection conference, InfoSec
and RSA Conference.
He is also the President of the National Association of Data Protection Officers and a Director of
Cyber Security Challenge UK.
Contact Stewart at:
Email: [email protected]
Telephone: +44 (0)20 7861 4850
Part 13
About Messaging Architects
Messaging Architects is a global builder of infrastructure for business email with over 3000 public and
private sector customers in over 40 countries.
Their M+Archive solution provides policy based email archiving and eDiscovery for Groupwise and
Exchange systems for enterprises and public bodies ranging in size from a few hundred to tens of
thousands of users, comprehensively addressing the requirements of regulatory compliance and
providing guided navigation for advanced search, legal hold and analysis of archived items.
Their solutions have been positioned in Gartner’s Magic Quadrant reports and frequently examined
by industry analysts such as Aberdeen Group and Osterman Research.
For more information, visit www.messagingarchitects.com
Contact the UK office at:
Email: [email protected]
Telephone: +44 (0)845 9000 153.
© 2010 by Messaging Architects UK Ltd & Field Fisher Waterhouse LLP. All rights reserved. No part of this document may be distributed, reproduced or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without prior written permission of Messaging Architects UK Ltd.