
Data protection issues

Data Protection has become an increasingly hot topic in recent years, particularly in EU states where legislation has tightened up responsibilities of 'Data Controllers' and given significant powers to 'Data Subjects'.

European organizations (as well as those from outside of Europe operating in the region) are required by law to protect personally identifiable data.

As part of a data protection risk assessment, you should have identified your email system(s) as a place where you store personal data. You are permitted to keep this personal data for as long as your organization deems appropriate - which usually means until the organization feels that there is no further risk from its content, or until mandatory retention periods have expired. This addresses the Act's mandate not to keep personal data 'longer than necessary'.

However, you are forbidden to keep email in an archive that is not properly secure, that allows access by unauthorized users, or that fails to audit any access. This effectively rules out all current mail server platforms, and almost all email archiving tools. You must remove personal data from mail servers as soon as practicable, and secure the data elsewhere.

For example, with respect to the UK 1998 Data Protection Act (see www.dataprotection.gov.uk), the Information Commissioner provides guidance that an organization that operates an email system falls within the definition of a data controller if the emails are stored within its system. The subjects of the emails - the 'Data Subjects' - have the right to access information about the storage of, and access to, their personal data and to request accurate copies of information held on them. This includes email correspondence or documents held on a mail server.

The implications of this for email retention are significant, though complex: at any time, any employee, ex-employee, customer, etc. has the right to request a copy of emails held by your organization relating to their personal information ("containing information about identifiable living individuals"), and you MUST deliver them up within a short period of time.

The UK Compliance advice notes that "a 'deleted' email may still constitute personal data if it can be retrieved, albeit with some difficulty, by the data controller". That means you have no option but to deliver up the email, even if you have to trawl through endless back-up tapes of multiple email servers.

The DPA requires you to store personal data contained in email in a way that makes it easy to search for personal data across the entire email history. If you're relying on archiving or back-up tapes, complying with a request to deliver up emails containing personal data for a named individual can be a lengthy and expensive process.

Remember - data protection legislation often does not permit you to retain personal data for 'longer than is necessary'. This provision is in conflict with many business requirements, and careful consideration must be given to this issue when developing your retention policy. Related to this, human rights legislation can consider excessive or inconsistent monitoring of employee email as an infringement of privacy in the workplace. Similarly, many unions and related groups can see an excessive ability to monitor email as an infringement of privacy. To manage these issues, it is key that any ability to store email, and then audit email usage, is secure, controlled, monitored and managed in a manner which makes it an acceptable practice.

Data protection outside of Europe

Some jurisdictions, most notably the US, do not have European-style data protection laws. Nonetheless, safeguards for confidential and private material remain important, with organizations ignoring confidentiality obligations at their peril. The use of email back-up tapes should be restricted to disaster recovery purposes only, not as a basis for unaudited search and retrieval tasks.