The ability to search for and retrieve emails, and the data they hold, is becoming harder as email volumes grow at a phenomenal rate.

The New UK Legal Requirements

Aside from industry-specific regulations, two key UK laws affect organisations and make an electronic communication archive and retrieval system essential: the Data Protection Act and the Freedom of Information Act, both described below.

Corporate governance in the UK and Europe is also moving towards a Sarbanes-Oxley style regime. The Company Law Reform White Paper (a draft document on the future of company law) sets out tough penalties for accounting offences and is due to be debated by the UK Government in the near future. The European Union's Eighth Company Law Directive (on statutory audit) is another example of pending legislation.
The revised UK Data Protection Act (the Data Protection Act 1998, DPA) became law in 1998, replacing the 1984 Act.
The DPA gives all individuals certain rights regarding information held about them. It places obligations on those who process or hold any information (data controllers) while giving rights to those who are the subject of that data (data subjects). Personal information covers both facts and opinions about the individual.
The DPA is explicit that organisations holding and processing personal data must keep it secure and restrict who can access or use it (the seventh data protection principle). Many organisations, however, have not implemented this and have no policy for the management and storage of electronic communications. Guidance on the DPA's security principle points to BS 7799 (ISO/IEC 17799), the British Standard code of practice for information security management, as the framework for managing electronic data.
Central to the DPA is the right of individuals to obtain the personal data an organisation holds about them. The instrument for this is the Subject Access Request (SAR). Anyone (an employee, ex-employee, customer and so on) can make a SAR to any organisation, public or private, simply by writing a letter (template letters are available from the Information Commissioner's web site) and enclosing the statutory fee (a maximum of £10), ideally sent by recorded delivery so that receipt can be proved. The organisation must supply the personal data requested within 40 days of receiving the request and fee, subject only to a limited set of exemptions. Failing to do so is a breach of the Act that the Information Commissioner and the courts can enforce, and it seriously weakens the organisation's position in any related legal action. The most common current use of SARs is by employees or ex-employees bringing claims of unfair dismissal, sexual or racial discrimination, harassment and the like. The difficulty of locating every relevant email and other communication between the parties (including those containing opinions as well as facts) across historic backups, if they still exist, over a two-year period is immense.
Very few organisations could produce ALL the information held in their email system on a particular subject within the statutory period (40 days for a subject access request, 20 working days for a Freedom of Information request), let alone within the 48 hours that has sometimes been demanded.
The Freedom of Information Act 2000 (FOI) received Royal Assent on 30th November 2000 and came fully into force on 1st January 2005.
The FOI Act gives anyone (any individual, agency, group or company) the right to compel any public body to disclose information it holds on any subject, subject to some obvious exemptions such as national security. Public authorities include central and local government, NHS organisations (including GPs, dentists, pharmacies and opticians), schools, colleges and universities, regulatory bodies such as Ofcom, parish councils and many more.
A request can concern any subject or event on which the authority holds information.
Crucially, the Act is also retrospective: it applies to all historical records as well as those created since it came into force. Anyone who requests information from a public authority must be told whether the authority holds it and, if it does, must be given it (unless an exemption applies). Public authorities are required by a range of legislation to maintain accurate and appropriate records, so simply deleting records and email to avoid compliance can itself put the authority in breach; under the FOI Act it is an offence to alter, erase, destroy or conceal a record after a request for it has been received. In practice, compliance means holding email in a secure, encrypted archive that supports fast retrieval and keeps a full audit trail of every action taken on a message.
The Information Commissioner's Office enforces the DPA: it can serve enforcement notices on organisations, and failure to comply with a notice is a criminal offence punishable by a fine.
Recent legislation has sharply raised the penalties organisations face for non-compliance. Under the Freedom of Information Act, a public authority that fails to comply with a notice from the Information Commissioner can be certified to the court and dealt with as if in contempt of court, which can carry a custodial sentence. Deleting email so that it cannot implicate the organisation is not an option either: many Acts of Parliament, from revenue and tax legislation through to employment law, oblige organisations to maintain accurate records.
Many other regulations may apply depending on the industry. For regulated financial institutions, for example, the UK Financial Services Authority (FSA, since replaced by the Financial Conduct Authority) requires firms to retain pertinent client records, paper and electronic, for fixed periods that can run to 10 years.
European companies with US parents or subsidiaries may also have to comply with US requirements such as Sarbanes-Oxley, SEC Rule 17a-4 and NASD Conduct Rule 3110.
Further information on exact US and UK regulatory compliance requirements is available on request.
Below is a list of questions management should be asking. If you cannot answer them satisfactorily, you may not be meeting the legal requirements of the FOI Act or the DPA.