Email Archiving Data Protection Laws

Data protection issues

Today there are many different issues and regulations relating to data storage and protection. It can be confusing for businesses and organisations to know which data protection issues affect their email system. What regulations apply and under what circumstances? The answer is simple: if your organisation collects personal information in the U.K., you are required to keep it secure and accessible. However, acting on that answer can be complicated. 

Emails are a common source of personal information, including: employment records, health information, and financial data. Because your emails might contain such sensitive information, your organisation is required by the U.K.’s Data Protection Act (DPA) to store them securely.

The Data Protection Act: In 1998, Parliament passed the Data Protection Act, which brought Britain’s data security laws into line with the European Union’s Data Protection Directive. The DPA describes the proper collection and usage of personal data. It specifies that personal data shall not be transferred to a country or territory outside the European Economic Area unless it ensures an adequate level of protection in the processing of personal data.

Data Security: The DPA forbids your organisation to keep email in an archive that is not properly secure, allows access to unauthorized users, or fails to audit any access. It requires you to keep your data secure in a number of different ways. Organisations must ensure that:

  • Only authorised people have access to the data, so you must guard against access by unauthorised employees as well as people outside your organisation.
  • Personal data cannot be accidentally or purposefully lost, destroyed, or altered.
  • If personal data is lost, destroyed, or altered, it can be recovered.

These principles can have far-reaching implications. If you have numerous employees or other stakeholders who access the system from home, you must put in place appropriate security measures for remote access. If a third party collects personal information on your behalf, you must ensure that they have adequate security and storage measures in place.

The requirements of the DPA effectively rule out all current mail server platforms, and almost all email archiving tools. The regulations require you to remove personal data from mail servers as soon as practicable and to secure the data elsewhere.

Data Access: The DPA also has numerous provisions regarding the proper storing and accessibility of personal data, which includes email correspondence or documents held on a mail server:

  • Personal data should be retained only for specific lawful purposes and should be accurate
  • Personal data must be stored, but no longer than necessary
  • The subjects of emails, the “Data Subjects,” have the right to access information about the storage and access to their personal data and to request accurate copies
  • Deleted email constitutes personal data if it can be retrieved, even if the retrieval creates some difficulty

The DPA’s requirement that you retain email for no longer than necessary may be in conflict with other rules governing your organization which specify mandatory retention periods. You must establish a policy that permits you to keep this data for as long as your organisation deems appropriate – which usually means until you feel that there is no further risk from its content, or until mandatory retention periods have expired.

The DPA also stipulates that any time, any employee, ex-employee, customer, etc. has the right to request a copy of emails held by your organization relating to their personal information (“containing information about identifiable living individuals”), and you MUST deliver them up within a short period of time. Can your current IT infrastructure meet this requirement?

Furthermore, you must store email in such a way that makes it easy to search for personal data across the entire email history. If you’re relying on archiving or back-up tapes, complying with a request to deliver up emails containing personal data for a named individual can be a lengthy and expensive process.

Also note that the DPA considers a deleted email to constitute personal data if it can be retrieved, albeit with some difficulty. Therefore, you must deliver up the email, even if you have to trawl through endless back-up tapes of multiple email servers.

The right email archiving solution can help you comply with the provisions of the DPA, avoiding regulatory and legal difficulties. And, it can save you countless hours of searching for information. Learn more about the Cryoserver email archiving solution today!