
UK email retention periods.

The purpose of this document is to give guidance on how long UK organisations should keep email records, and to suggest practical ways of keeping them that will give those records sufficient credibility, should they be produced as evidence in a court of law.

In this guide we have chosen not to highlight the explicit and onerous US email related laws, such as Sarbanes Oxley and SEC/NASD regulations that can potentially affect some UK organisations. There is already a wealth of information in the public domain that discusses the implications of US legislation. However finding similar guidance for UK legislation is not so easy, which is why this document refers exclusively to the laws of England and Wales. The laws of Northern Ireland and Scotland are similar but there will be variations to the laws and retention requirements discussed in this document.

Required retention periods

The most common question we face with email archival is:

'How long do we have to keep email records for?'

To answer this we need to establish a few facts about the law as regards email.

The laws of England and Wales (referred to as 'the Law' from this point forward) do not explicitly state that emails must be retained.

The law does however make provisions for certain documents to be retained. The admissibility of documents as evidence in criminal trials is dealt with by the Criminal Justice Act 1998. It defines a document as 'anything in which information of any description is recorded'. The medium for recording it is largely irrelevant and an email is considered to be a document. Emails have been produced as evidence in many criminal and civil cases in the UK.

When considering legal retention periods we need to look at three types of documents:

1. Those that must be retained for general legislation (accounting etc)

2. Documents required for sector-specific regulation (e.g. FSA rules)

3. Those that may support a civil or criminal action in the future

For general legislation and sector-specific regulation, there is normally a document retention policy in place for 'paper-based' documents that should reflect the appropriate legislation and define corresponding retention periods. An email retention policy needs to determine whether or not such paper-based documents are significantly affected or modified by email transactions, and if so the email retention policy should set appropriate retention periods. Examples of general legislation that affects most organisations are given in Section 6: Mandatory Retention Periods.

The retention of documents that may prove useful in the defence or prosecution of civil or criminal legal proceedings is more of a grey area. The law does not mandate that organisations retain records merely because they may prove useful in legal proceedings; it just assumes that they will do so. Clearly, the inability to reproduce these documents when required could adversely affect your ability to prosecute or defend an action.

In setting the retention period for documents of this nature it makes sense to follow the limitation period for the relevant legal act. There is no limitation period for criminal prosecutions but the civil action limitation periods are defined in the Limitations Act 1980. This is summarised in Section 5: Limitations Act 1980-civil action limitation periods.

When a record may be required for more than one purpose, the longest limitation or other dictating period should become the record's retention period. Where it becomes impractical for an organisation to filter email records in such a way that appropriate 'classes' of document can be applied, a default retention period may have to be set around the longest required retention period.

The Data Protection Act

The Data Protection Act can cause some confusion in relation to retention periods for emails. The fifth principle of the Act provides that 'Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes'.

This may suggest that some or all of an employee's email records should be deleted when they leave. However, it may be reasonable to retain the ex-employee's email records for the purposes of defending legal claims which may be made in the future. As an example, a sexual harassment action could be brought by the ex-employee or even against them (and the organisation) up to six years after an incident occurred. The limitation period for potential actions therefore becomes the logical period for retention.

Evidential weight

In order for emails to be considered valid evidence in court, they must be considered to have 'evidential weight', such that the information presented may be considered to be an accurate and true record that has not been tampered with during its lifecycle. To give guidance as to how electronic records should be stored to provide admissibility in court and to have due evidential weight, the British Standards Institute created the Code of Practice for Legal Admissibility of Information Stored Electronically (BSI-DISC PD 0008), which was renamed BIP 0008 in its 2004 third edition. The Code describes the means by which it may be demonstrated in a manner acceptable to a court of law that:

The contents of a specific data file created or existing within a computer system have not changed since the time of storage; and where such a data file contains a digitised image of a physical source document, the digitised image is a true facsimile of that source document.

To achieve admissibility and evidential weight, the code suggests you adopt five guiding principles, which are briefly summarised below:

Principle 1: Recognise and understand

Senior management should adopt an Information Management Policy Document and review it regularly. This document should specify what information is covered, how each type will be stored, relevant security classifications, define retention/destruction periods and state management ownership responsibilities for the information.

Principle 2: Legal issues and duty of care

It is recommended that organisations adopt an Information Security Policy with certain minimum requirements. A Disaster Recovery Plan is also recommended. Consultation with regulators, government bodies, auditors, legal advisors etc. is also recommended regarding external implications of using electronic information management systems.

Principle 3: Processes and procedures

Organisations should maintain a Procedures Manual for each information management system covered by the Code. Examples of relevant procedures are information capture, indexing, backup and system recovery, version control, security and protection.

Principle 4: Enabling technologies

A Systems Description Manual is recommended. It should describe how hardware, software and network elements interact. The manual should detail system configurations and record the changes made to them, so that the details of the system can be determined for any point during its lifecycle.

Principle 5: Monitor and audit

The code requires sufficient audit trail information to be kept to enable authenticity of stored information to be proved in court. This should include both audit trail information of the stored information and the system used. This might include the date of storage and details of movement from one storage medium to another.

4 Storage recommendations for email

Having decided how long you want to keep your email records for, there are some important storage considerations to take into account:

* Integrity of the store to maintain evidential weight in court

* Ability to find and retrieve records quickly

* Appropriate storage medium for age, volume and frequency of use

* Availability of applications to view records in the future

* Controlled deletion when retention period ends

Email archival systems--a practical solution

The storage recommendations described above can be met through the implementation of an email archival system. These systems are designed to capture email records in a structured way; typically by use of a journaling mailbox on the email server that receives a copy of all emails, both internal and external. The records are captured in real-time and fed to the archival system, then removed from the journal to minimise the storage impact on the email server's message store.

The following describes how the email storage recommendations given previously are accommodated through an email archival system:

Integrity of the store to maintain evidential weight in court

Email archival systems are designed with evidential weight in mind and have a carefully controlled store that typically allows read access to the originator of a message or to a privileged supervisor. Write or delete access is limited to administrators and any change they make to messages is recorded in an audit trail, as required by principle 5 of the Code.
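One way to make the audit trail described above tamper-evident, shown as an added example that is not from the original article, the Code, or any archival product: each audit entry records the date of storage or the movement between media and is chained to the previous entry by hash. The use of SHA-256, the hash chain, and every name here (`ArchiveAuditTrail`, `msg-0001`, the actors and timestamps) are assumptions made for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # previous-hash value for the first audit entry

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def entry_digest(body: dict) -> str:
    # Canonical JSON so the same entry always hashes to the same value.
    return sha256_hex(json.dumps(body, sort_keys=True).encode())

class ArchiveAuditTrail:
    """Hypothetical append-only audit trail for an email archive store."""
    def __init__(self):
        self.entries = []

    def record(self, action, message_id, actor, when, detail):
        prev = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        body = {"action": action, "message_id": message_id, "actor": actor,
                "when": when, "detail": detail, "prev_hash": prev}
        # Each entry commits to its predecessor: edits or removals break the chain.
        self.entries.append({**body, "entry_hash": entry_digest(body)})

    def store(self, message_id, raw, actor, when, medium):
        # Date of storage and a digest of the content are fixed at capture time.
        self.record("store", message_id, actor, when,
                    {"medium": medium, "sha256": sha256_hex(raw)})

    def chain_intact(self):
        prev = GENESIS
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if e["prev_hash"] != prev or entry_digest(body) != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True

    def unchanged_since_storage(self, message_id, raw):
        stored = [e for e in self.entries
                  if e["action"] == "store" and e["message_id"] == message_id]
        return (self.chain_intact() and len(stored) == 1
                and stored[0]["detail"]["sha256"] == sha256_hex(raw))

def demo():
    # Constructed sample message and events, for illustration only.
    raw = b"From: a@example.org\r\nSubject: Q3 figures\r\n\r\nSee attachment.\r\n"
    trail = ArchiveAuditTrail()
    trail.store("msg-0001", raw, "journal-service", "2004-11-01T09:00:00Z", "disk")
    trail.record("move", "msg-0001", "admin1", "2005-11-01T02:00:00Z",
                 {"from": "disk", "to": "worm"})
    return trail, raw
```

A chain like this only detects changes if its most recent entry hash is kept somewhere the archive administrators cannot rewrite, for example on the write-once media mentioned later in this article.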

Ability to find and retrieve records quickly

In order to use historical email records for evidence in court or for simple business purposes, you need to be able to find them, preferably without long painful searches through backup tapes that have to first be restored to the mail system. When an email archival system processes a new message it indexes the complete contents of both the body and the attachments, before storing the message securely as an encrypted compressed file in the archives. The index is retained in the email archival system's database, allowing the user to perform an immediate Boolean search of both the message body and its attachments using sender/recipient name, data, keywords etc.

Appropriate storage medium for age, volume and frequency of use

The store itself may be spinning disk, Write Once Read Many (WORM drive), tape, or combinations of storage media aligned with the age of the data and frequency of access. The only change the user sees is that an alternative icon replaces the symbol for an email, informing them that this record resides in the archive rather than the email server's message store. The retrieval time will be relative to the type of storage medium used. With disk based storage, retrieval time will be similar to messages stored on the email server itself.

Availability of applications to view records in the future

As the email records age, the email application will probably move through several iterations of development or could even be replaced with a competing system. This can cause issues with reading old emails, as backwards compatibility is not always maintained by the manufacturer of the email system. To combat this, email archival systems usually allow you to maintain copies in HTML format as well. Because content on the web can be very old, web browsers have to remain able to render old HTML.

Controlled deletion when retention period ends

When an email reaches the end of its retention period, the archival system will flag it for deletion, either performing the deletion automatically or requesting administrator confirmation first.

In addition to making records easier to find and more likely to stand up in court, email archival systems will also reduce the size of the email server's message store, helping you to avoid costly upgrades, minimising backup time and optimising performance and reliability. Many organisations implement email archival systems for this reason alone.

Harrier Zeuros Ltd
COPYRIGHT 2004 A.P. Publications Ltd.
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 2004, Gale Group. All rights reserved. Gale Group is a Thomson Corporation Company.

Title Annotation:STORAGE
Publication:Software World
Geographic Code:4EUUK
Date:Nov 1, 2004