
2 Retention Compliance

2.1 Does filtering spam prior to Cryoserver affect compliance?

Yes. If you use a system that filters email and either blocks or diverts the messages it considers spam or viruses, then it becomes difficult for a company facing litigation to prove that it has a full, forensic record. The purest, most ‘forensic’ approach is to set up Cryoserver to capture raw SMTP as it enters the premises BEFORE it gets to your mail server. However, most customers weigh absolute forensic compliance against spam avalanches and decide to filter spam/viruses before they get to the mail server and Cryoserver.

2.2 If an organisation has outsourced all email, does this affect compliance?

No, but it depends on the standards of your outsourcer. They need to be able to demonstrate to a regulator or a court that they have appropriate data policies that they apply to customers’ data. It is also worth pointing out that the company is still fully liable for any errors or omissions by the outsourcer; the responsibility is on the company to ensure that the outsourcer is managing data compliantly.

2.3 Does keeping data for longer than mandated retention periods have legal implications or any other exposure?

Mandated retention periods are almost invariably ‘minimum recommended retention periods’, and therefore a ‘deletion point’ is not defined – you can keep the data as long as you want. An exception is the Data Protection Act 1998, in which ‘Principle 5’ says personal data may not be kept ‘longer than necessary’, but does not define what this time might be. Companies are therefore required to decide for themselves, as part of a formal procedure, what their retention period for various types of personal data should be.