Email Archiving & Data Protection Issues
Data Protection has been an increasingly hot topic
over recent years, particularly in Europe where legislation has
tightened up the responsibilities of 'Data Controllers' and given
significant powers to 'Data Subjects'.
It is imperative that you capture, store and access email in compliance
with this legislation. Your data protection risk assessment should
already have identified email as a place where you store personal data.
You may keep this personal data for as long as your organisation can
justify a need for it - which usually means until the organisation is
satisfied that its content no longer presents a risk, or until mandatory
retention periods have expired. Tying retention to a justified need is
how you satisfy the Act's requirement not to keep personal data 'longer
than necessary'.
But the Act also requires that personal data is held securely. An email
archive that is not properly secured, that allows access by unauthorised
users, or that does not audit access to its contents will not meet that
requirement. In practice, standard mailserver platforms and most email
archiving tools do not meet it on their own. You should therefore remove
personal data from mailservers as soon as practicable and secure it in a
controlled archive.
For example, with respect to the UK 1998 Data Protection Act (see
www.dataprotection.gov.uk)
the Information Commissioner provides guidance that an organisation
that operates an email system falls within the definition of a data
controller if the emails are stored within its system. The subjects
of the emails - the 'Data Subjects' - have the right to access information
about the storage and access to their personal data and to request
accurate copies of information held on them. This includes email
correspondence or documents held on a mail server.
The implications of this for email retention are significant, though
complex: at any time, any employee, ex-employee, customer or other
individual may request a copy of all emails held by your organisation
that contain their personal data ("information about identifiable
living individuals"), and you MUST supply them within a short period
(40 days under the 1998 Act).
The UK Compliance advice notes that "a 'deleted' email may
still constitute personal data if it can be retrieved, albeit with
some difficulty, by the data controller". That means you have
no option but to deliver up the email, even if you have to trawl
through endless back-up tapes of multiple email servers.
In practice, meeting subject access requests means storing the personal
data contained in email in a way that can be searched across the entire
email history. If you are relying on back-up tapes or an unindexed
archive, complying with a request for all emails containing personal
data about a named individual can be a lengthy and expensive process.
Remember - data protection legislation does not permit you to retain
personal data for 'longer than is necessary'. This provision can conflict
with other business requirements, such as mandatory retention periods,
and careful consideration must be given to it when developing your
retention policy.
Related to this, human rights legislation can treat excessive or
inconsistent monitoring of employee email as an infringement of privacy
in the workplace. Trade unions and similar bodies likewise regard an
unrestricted ability to monitor email as an infringement of privacy. To
manage these issues, any ability to store email and then audit its usage
must itself be secure, controlled, monitored and managed, so that the
monitoring is an acceptable and defensible practice.
If you would like to contact a member of
our consultancy team today please either telephone or email;
Tel: +44 (0) 1622 618 752
Email: consultancy@bii-compliance.com