
1       Data Protection Compliance/Employee Issues

1.1       Are companies allowed to keep everything?

Yes, as long as there is a business justification and you can demonstrate that you have carried out a formal process to decide what to keep and for how long to keep it.

1.2       Are companies allowed to keep email sent TO the company?

Yes. Email sent to the company may create risk or liability for the company and may therefore be retained, even if its content is not business-related. The private email sent by Claire Swire to an employee of Norton Rose is a good example of a ‘personal’ email that had a huge impact on the business, and it illustrates that personal as well as business email sent to a company’s email domain can carry risk and liability and can therefore be retained. (Background: in 2000 Claire Swire sent her then boyfriend Bradley Chait, an employee at Norton Rose, a personal email containing sexual references. Chait forwarded the email to colleagues, they sent it to people outside the organisation, and Norton Rose suffered substantial reputational damage as a direct result. The case illustrates why an organisation should regard EVERY email sent to or from its mail domain as a potential liability and have a clear policy of preserving ALL email.)

1.3       How long are companies allowed to keep email?

The company should carry out a risk analysis and decide an appropriate retention period. Seven years is often selected because it exceeds the six-year limitation period that applies to most contract claims under English law (twelve years for contracts made by deed). If contracts are being made or altered via email, then email should be kept until the liability expires. Longer retention periods are needed in regulated industries that are mandated to keep records for longer. Pension advice given via email should, for example, be retained for up to 100 years. It is perfectly acceptable for an organisation to keep all its email for the longest mandated retention period even if not all of it needs to be preserved for that length of time.

1.4       Can companies keep and read private email?

Yes. Private email sent to a company’s email domain belongs to the company, not to the individual at that company email address. The Norton Rose case and many others demonstrate the risk a company faces from ‘private’ email, so the company is entitled to mitigate that risk by preserving, indexing, retrieving and reading any and all email entering or leaving its email domain.

1.5       Do companies need to tell employees if they’re reading private email?

All employees should be informed that there is no such thing as ‘private’ email on the company system, that all systems are owned by the company, and that all traffic to and from the company’s official email domain is regarded as business communication.

1.6       Is this regarded as ‘monitoring’ under the DPA? Is it ‘interception’ under the Act?

The ‘Monitoring at Work’ guidance issued under the DPA treats monitoring as including the interception of email. Interception means stopping a message in transit; Cryoserver simply takes an audit copy of every message and does not delay or prevent delivery. Nor is Cryoserver a system that inspects email for suspicious content and flags it as such; it is more analogous to a disaster recovery system, in that information is recorded and may be reviewed at a later date. A copy taken at the gateway is still a record of the content of the communication, so the requirement in 1.5 to inform employees applies regardless.

1.7       Can email be kept after an employee has left the company?

Yes. Business communications belong to the company, not the employee. Just as business letters written by an ex-employee in the course of his or her duties are obviously not destroyed when the person leaves, the same applies to email. Vicarious liability means the company can face litigation over something an employee has written in an email, so the company should preserve such writings, often for seven years, to protect itself against most litigation.

1.8       Does all email need to be delivered up in response to a SAR?

The Act says that all personal data relating to the Data Subject must be delivered up. Personal data is information relating to an identifiable living individual, so any email containing the Data Subject’s name or information about them can be classed as a document that should be delivered up. On the face of it this means every email sent and received by the Data Subject during their employment, which might total 50,000 documents over a lengthy period of employment, plus any mention of the Data Subject in email between other individuals at the company, such as ‘Fred won’t be in today, he’s got a cold’. Many companies refuse to hand over any emails, and defend this on two grounds:
  1. Email is always sent between two parties, so any email will carry someone else’s personal data in its ‘to’ or ‘from’ fields. Companies argue that they are not required to redact documents to expunge other persons’ personal data, and therefore that any document mentioning another person need not be handed over under the Act.
  2. Proportionality: companies will say that the cost of providing perhaps 50,000 emails in response to a Subject Access Request is disproportionate.

1.9       Does all email pertaining to that person need to be deleted if requested by the Data Subject?

No. The company will always be able to justify retention on the grounds that it may need to produce the emails at a later date for a variety of reasons (as evidence in court or at a Tribunal, to a regulator, or for dispute resolution). The company must be able to demonstrate that the data is held securely, that it cannot be accessed except by authorised investigators, and that all access is audited. The company will always be able to point to vicarious liability if the Data Subject argues that these were ‘personal’ emails, whether or not personal use was permitted by the organisation. The only exception might be where a company has allowed personal use of the company email system and has guaranteed employees that personal email will not be retained.

1.10       Who should have access to Cryoserver, and what security measures apply to those people?

The company should set out in its policy who has access. Examples might be the HR officer, the Compliance Officer and the Data Protection Officer. Access should be limited to those named roles, each should be trained in the formal process required to access personal data, and every search they run should be logged so that it can be audited later.

1.11       Do employees have to agree to the use of Cryoserver?

No. Cryoserver is not doing anything new: email is already retained by the company on its mail servers and on backup tapes. Cryoserver simply ensures that ALL email is captured and is easily searchable. It also increases employees’ protection, because no email can be examined without leaving an audit trail. Introducing Cryoserver is a good opportunity to remind employees of their duties and responsibilities with regard to email, and many customers add an automatic tagline to the bottom of all emails stating that all email is retained in a forensic environment. This often reduces misuse and increases productivity.

1.12       Should we use disclaimers on the bottom of all emails, and if so what should they say?

They have very little effect and should not be relied upon; relatively few of the problems with email can be avoided by a disclaimer.

1.13       What about web-based email – are you allowed to keep that too?

It depends. Many companies allow personal use of web mail (e.g. Hotmail accounts) during working hours as a means of providing private communication for workers. If the company has undertaken to employees that such use is regarded as private, then on the face of it the company should not monitor it. On the other hand, the company has a duty of care to employees, for example to ensure that a culture of racism or sexism does not become established in the workplace, and companies may use this to justify monitoring web-based email.

1.14       Is Instant Messaging private?

No; the same rules apply. Email, instant messaging, web-based communications, even fax and telephone are all communications systems that use the company’s infrastructure, so the company carries liability for their misuse and is therefore entitled to monitor that use.

1.15       Can searching be done automatically on a schedule rather than pick on particular people?

Yes. A standard search can be defined and run on a schedule, but the system still requires the searcher to log in and activate it, so that there is full accountability for every search that is run.

1.16       Can searching be done pro-actively to scan for potential problems?

Yes. A standard search should be run at least monthly across the entire repository looking for racist and sexist keywords. It is essential that the search covers all email accounts rather than singling out a particular person or group; a scan scoped to named individuals is targeted monitoring, not a proactive sweep, and needs its own justification.
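As an added illustration of the accountability points in 1.11, 1.15 and 1.16 (this is example code written for this page, not Cryoserver’s own software), the following Python sketch models an archive whose searches can only be run by a named, authenticated searcher, whose scheduled scan always covers every mailbox, and whose every search, proactive or targeted, leaves an audit record. The `Repository` and `AuditEntry` classes, the `WATCH_TERMS` placeholders and the sample messages are all constructed for the example.

```python
"""Audited search over an email archive.

Constructed example (not Cryoserver code). It models three rules from the
FAQ: every search is run by a named, authenticated searcher; the scheduled
proactive scan always covers the whole repository; and every search, whether
proactive or targeted, leaves an audit entry saying who searched what and why.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
import re


@dataclass
class Message:
    mailbox: str    # account the archive copy belongs to
    sender: str
    subject: str
    body: str


@dataclass
class AuditEntry:
    searcher: str        # authenticated identity that ran the search
    when: str            # UTC timestamp, ISO 8601
    scope: str           # "all-mailboxes" or the single mailbox searched
    terms: tuple         # keywords looked for
    justification: str   # why the search was run
    hits: int            # number of matching messages


class Repository:
    """Archive copy of every message plus an append-only audit log."""

    def __init__(self, messages):
        self._messages = list(messages)
        self.audit_log = []

    @staticmethod
    def _require_searcher(searcher):
        # Anonymous or unattended searches are refused outright (FAQ 1.15).
        if not searcher:
            raise PermissionError("searches must be run by an authenticated, named searcher")

    def _matches(self, terms):
        # Whole-word, case-insensitive match on subject and body.
        pattern = re.compile(r"\b(?:" + "|".join(map(re.escape, terms)) + r")\b", re.IGNORECASE)
        return [m for m in self._messages
                if pattern.search(m.subject) or pattern.search(m.body)]

    def _record(self, searcher, scope, terms, justification, hits):
        self.audit_log.append(AuditEntry(
            searcher, datetime.now(timezone.utc).isoformat(),
            scope, tuple(terms), justification, hits))

    def proactive_scan(self, searcher, terms):
        """Scheduled keyword sweep (FAQ 1.16): always the whole repository, never a chosen person."""
        self._require_searcher(searcher)
        hits = self._matches(terms)
        self._record(searcher, "all-mailboxes", terms, "scheduled proactive scan", len(hits))
        return hits

    def targeted_search(self, searcher, mailbox, terms, justification):
        """Search one named account; refused unless a justification is recorded (FAQ 1.10)."""
        self._require_searcher(searcher)
        if not justification:
            raise PermissionError("a targeted search needs a documented justification")
        hits = [m for m in self._matches(terms) if m.mailbox == mailbox]
        self._record(searcher, mailbox, terms, justification, len(hits))
        return hits


# Placeholders standing in for the organisation's real prohibited-terms list.
WATCH_TERMS = ("slurA", "slurB")


def build_sample_repository():
    """Constructed sample archive: four mailboxes, two of which hold a watched term."""
    return Repository([
        Message("alice", "alice@example.com", "Lunch", "Canteen at 12:30?"),
        Message("bob", "bob@example.com", "Re: Friday", "Did you hear the slurA joke?"),
        Message("carol", "dave@example.com", "FYI", "forwarding this on... SLURB"),
        Message("dave", "dave@example.com", "Report", "Q3 figures attached."),
    ])


if __name__ == "__main__":
    repo = build_sample_repository()
    for m in repo.proactive_scan("dpo.jane", WATCH_TERMS):
        print(f"hit in mailbox {m.mailbox}: {m.subject!r}")
    for entry in repo.audit_log:
        print(entry)
```

The design point is that the searcher identity and the scope are captured before any results are returned, so the audit log shows a repository-wide sweep as exactly that, while a search scoped to one person is recorded with the mailbox name and the reason given; in a real deployment the searcher would come from the login session rather than a string argument, and the log would be written somewhere the searcher cannot edit.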

1.17       What about a global company that keeps emails all over the world – where should the emails be kept legally?

We would review every location where the company has established email servers and advise accordingly. The Data Protection Act’s eighth principle restricts the transfer of personal data to countries outside the EEA that do not ensure an adequate level of protection, so care needs to be taken over where archived email is stored and from where it can be retrieved.

1.18       With the CDR, who is regarded as the Data Controller?

The company’s own Data Controller remains the responsible person; the CDR is simply the offsite repository where the data is kept. It is also important to note that the CDR operator cannot see any data: they have administrative access to the system only, and all data is encrypted for further protection. That separation depends on the encryption keys being held outside the operator’s administrative role; if the operator can reach the keys, encryption at rest alone does not stop them reading the data.

1.19       If I send an email about my ill grandmother to another person, what is the company’s justification under the DPA for keeping this email?

The justification is the one set out in 1.2 and 1.4: the company is entitled to retain and examine any email sent to or from its own domain name, because even a personal message can carry liability for the company.

1.20       If personal email should be deleted, how do you justify keeping it?

The concept of personal email is flawed. There is no such thing as ‘personal email’ on a company system, because any message can carry some potential liability for the company (as the Norton Rose case shows) and it should therefore be retained and preserved securely. Problems arise, however, where a company has told employees that they can use company email for private purposes AND that such emails will be deleted immediately.