The law and legislative compliance
Probably the most significant business issue driving
organisations towards a more thorough and mature e-mail retention
strategy is the need for compliance with regulatory and legal retention
requirements.
At its simplest level, various pieces of legislation require many
documents to be kept for specific lengths of time, and this can
include e-mail. In the worst-case scenario, failing to comply with
this will lead to major fines or prison sentences.
Precisely how long documents need to be kept for is a complex issue
since it varies by country, industry, type of document, whether
it is a regulated area etc. Furthermore, different pieces of legislation
often require the same document to be kept for different lengths
of time.
Defining the retention policy required for different documents
in your organisation is a serious issue, requiring legal advice.
Example of e-mail retention requirements throughout a company
Though the e-mail retention requirements of a
company will vary according to its own requirements (country, product
or service sold, statutory and legal retention periods, likelihood
of legal action being taken etc.) it can be useful to demonstrate
how critical appropriate e-mail retention can be these days through
a theoretical example (adapted from an example developed by Stephen
Mason).
In our example company:
- The accounts department has put in place an online claims process
for mileage and expenses. Employees download the claim form from
the intranet, and gain approvals for it by e-mail, and submit
it for processing as an e-mail attachment.
- The accounts department frequently sends invoices by e-mail
and subsequent queries and payment issues are resolved by e-mail.
- The HR department requires that overtime forms are submitted
via e-mail, together with any supporting information.
- Documentary records relating to the concept, design and testing
of a new product are developed and managed primarily via e-mail.
In this scenario, UK law could require you to retain all:
- Internal e-mails for mileage and expenses for 6 years.
- Invoices sent out of the company for a minimum of 7 years.
- Overtime claims for 3 years.
- Documents relating to current products for up to 10 years from
the date of supply.
- Documents relating to the product in development for a period
exceeding 10 years to cover product liability.
- Documents relating to contracts entered into by exchange of
e-mails for a minimum of 6 years and after the contract is terminated.
Retention policy decisions
Once you have established what period of time different
types of e-mail documents need to be retained for in your organisation,
you have to work out:
- How to ensure that the retention occurs consistently.
- How to retrieve documents in a cost- and time-effective manner
when they are required.
In theory it is possible to make sure that every
employee knows the retention period for each type of document and
either files them manually, or manually flags their content, so
that an automated system can file them according to metadata. In
practice it is usually more viable to basically keep everything,
and put in place tools to extract data when it is required. Naturally
this increases the requirement for digital storage media to hold
this e-mail repository within the organisation. However, the costs
of this do not tend to be an issue compared to the costs incurred
in trying to extract legacy data from difficult-to-search back-ups,
or the possible fines and legal costs associated with failing to
comply with legislation appropriately.
Net abuse and HR issues
E-mailing of inappropriate or illegal content
- 27% of Fortune 500 companies have fought harassment claims concerning
e-mail. (IDC)
- 42% of staff are unaware that actions such as e-mail harassment
of fellow employees could land their employer in court. (DataSec)
- There have been numerous high profile dismissals concerning
sending inappropriate or illegal content by e-mail. HP recently
dismissed 15 staff and suspended more than 100 on full pay pending
an investigation into the misuse of its corporate e-mail system
to circulate pornographic material.
- To deal effectively with a case of e-mail abuse, a company requires
the ability to rapidly and easily investigate, and prove, what
offence was committed, when and by whom, be it for internal disciplinary
proceedings, or as evidence in an industrial tribunal or court
case.
----------------------------------------------------------------------------------------------------
Employee productivity
Social e-mail use steals company time. While most
companies do not wish to entirely ban personal e-mail use, they
do need to be able to manage it, and keep it to reasonable levels.
This is best achieved through the combination of clear guidelines
on acceptable use for employees, and an auditable e-mail repository
which can be used both as a forensic tool where cases of abuse are
suspected, and as a deterrent. (Also see the Data Protection Policy
section re: the Data Protection implications of storing personal
e-mail).