Email Compliance

Email retention business issues

Email systems have grown to include much more than the simple notes that were first envisaged. Whether for government agencies, global corporations or small businesses, an organization's email system and associated backup files now constitute a critical hub of information. Today, email and other forms of electronic communication are used to convey and store a wide range of material including:
  • Contracts
  • Financial data
  • Staff records
  • Legal advice
  • Intellectual property
Very often, information is never printed out, and exists only in electronic format.

Management responsibilities – Protecting reputation

The effects of damaging emails on the reputation of an organisation are well documented. Less widely understood, but equally risky, is the fact that users in most organizations are able to freely delete emails. This means that newly received emails can be deleted or modified and resaved prior to the nightly back-up run, with the effect that official records cannot be relied upon to reflect actual communications.

In your organisation, when it comes to meeting data retention requirements, who determines the correct retention duration for each email? Do you even apply data retention policies to email? What safeguards exist for averting premature deletion? Is everybody who makes storage and retention decisions adequately trained? Can you keep up with the hundreds, thousands or millions of emails passing through your organisation every day?

Responsible management have a duty to be able to investigate the facts of any potential wrongdoing and either make suitable amends quickly or defend wrongful claims rigorously. Archiving systems which allow data to be added or removed arbitrarily, or without clear audit controls, obstruct the process of getting to the facts and risk compounding what might already be a serious problem.

Use of email in court proceedings

Electronic information is potentially admissible before courts of law, although the question of its evidential weight comes into play. Centrally managing email and storing it in a way that cannot be tampered with improves its evidential weight. This increases an organisation's chances of being able to use email evidence offensively in litigation rather than being limited to having email used against it.

Recent high profile fraud cases such as at Enron have hinged upon proving who knew what, when, and have required the forensic investigation of email history. More day-to-day court proceedings concerning harassment, contract law etc. can also hinge on email evidence, which can be used by or against the organisation. In these circumstances it is in the organisation's interest to be able to present a complete and accurate record of email discussions which is tamper-evident and easily searched by those with authority to do so. Critically, if you can then prove that 'email can't be shredded' you can not only show that an email was sent, but also that it wasn't.

Data protection issues

As part of a data protection risk assessment, you should have identified your email system(s) as a place where you store personal data. You are permitted to keep this personal data for as long as your organisation deems appropriate - which usually means until the organisation feels that there is no further risk from its content, or until mandatory retention periods have expired. This addresses the Act's mandate not to keep personal data 'longer than necessary'.

However, you may not keep email in an archive that is not properly secure, allows access to unauthorised users, or fails to audit any access. This effectively rules out all current mail server platforms, and almost all email archiving tools. You must remove personal data from mail servers as soon as practicable, and secure the data elsewhere.

For example, with respect to the UK 1998 Data Protection Act (see www.dataprotection.gov.uk) the Information Commissioner provides guidance that an organization that operates an email system falls within the definition of a data controller if the emails are stored within its system. The subjects of the emails - the 'Data Subjects' - have the right to access information about the storage and access to their personal data and to request accurate copies of information held on them. This includes email correspondence or documents held on a mail server.

IT Issues

IT Departments are finding the performance of email systems increasingly stretched as data retention requirements continue to grow. With email availability now mission critical, technical teams are also finding increasing time taken up with email management and administration tasks including:

  • Off-line archiving
  • Storage optimization
  • Disaster recovery
  • Retrieving specific mail files
  • Dealing with storage overheads inherent in PST files and managing user quotas
  • Migration between email platforms
  • Involvement in HR and investigatory matters

Email archiving solutions which appear helpful for addressing the needs of growing mail stores are often not appropriate for the email retention and search requirements of the wider organisation.

For more information please e-mail marketing@mis-cds.com or call 01622 723456