Data and information – your legal obligations



Another chapter in the email archiving story was written with the arrival of two new laws onto the UK statute book.

The Freedom of Information Act 2000 (“FOIA”) came into force on 1st January 2005 and gave the public new rights of access to recorded information held by public authorities – and email is considered part of that ‘recorded information’. Anyone can ask for a copy of an email and the deadline for response is just 20 working days from the date of receipt of the request. It’s a deadline that many public authorities are struggling to meet because their existing email applications – more and more are realizing that the only way forward is to move to an email archive facility with advanced research, retrieval and management functionality. Public Authorities are also expected to comply with a statutory code on records management that was issued under the FOIA – the s46 Code. The Code requires all public bodies to treat the records management function “as a specific corporate programme”. The Code emphasises that electronic records, including emails, should be managed with the same care accorded to manual records, and that the records management programme, “should bring together responsibilities for records in all formats, including electronic records, throughout their life cycle, from planning and creation through to ultimate disposal.”

The Data Protection Act 1998 (“DPA”) applies to the private and public sector alike and, like the FOIA, has asked many questions of those with a less-than-robust approach to electronically stored information (ESI).

The DPA gives individuals the right, on producing evidence of their identity, to have a copy of personal data held about them. The deadline for compliance in this instance is 40 days, and the retrieved information has to be further assessed to remove any third-party data that shouldn’t be disclosed. Organisations recovering personal data from email records are only entitled to charge £10, so there is both a compliance and a cost angle to ensuring that requested emails can be retrieved as quickly and effortlessly as possible.

The DPA also requires organisations to take appropriate technical and organisational measures against unauthorized or unlawful processing of personal data, and against accidental loss or destruction of personal data. As regards email, this means that access to any email system and related storage device should be controlled and its contents kept safe – an encrypted, secure archive is the obvious solution, providing the necessary controls while also acting as an essential backup for the preservation of data should the main system fail.

Ultimately, effective email management comes down to mitigating risk. What links all of the above is that organizations are only vulnerable if they have not put in place proper procedures, frameworks and technologies. If they know what they have and where it is, and can assess, search or retrieve it easily, accurately and responsively, then compliance holds no fear. It also puts them on the front foot when it comes to those rather more everyday issues of employee discipline or dismissal or contract breaches. Without the ability to produce reliable information from emails, and build a full audit trail, an employer or plaintiff may find his position seriously undermined or weakened at any resultant Tribunal or court action.

CIOs can already make a strong case for email archiving on technical and operational grounds alone. But if there is any doubt whether a business should adopt such a discipline, then the head of legal should also make his voice heard. A centralized, consolidated, fully managed email archive is not just a ticket to efficiency and cost control – it’s a passport to best practice, lawful compliance and corporate confidence.


