How long should I keep my email for?
September 16th, 2015
A large percentage of business decisions are now made completely via email, yet many organisations have no retention policy in place to protect those messages.
While those businesses may have been lucky up until now, there will likely come a time when they need to retrieve a historical email. At best, they will have to spend time searching for that critical email, but they could end being penalised financially.
However, it can be difficult to establish just how long you should be keeping your emails for. Does every email need to be kept indefinitely, or do different rules apply to each email?
Outlined below, is a brief description of the primary regulatory bodies or regulations which apply to email retention. All organisations should have a clear understanding of the ones which affect them so they can develop an effective strategy.
What are the regulatory bodies?
1. Employment Tribunals
Employers should assess different retention periods for different types of employment data as the Data Protection Act only states that “personal data should be kept for longer than necessary”. Job applications and CVs only need to be kept for a short period of time (e.g. six months). If you wish to keep a CV for future reference you must inform the applicant you are doing so. Personnel records of former employees should be kept for a maximum of six years. Employment tribunals, county court or high court claims are possible for up to 6 years after employment is terminated, so keeping records is considered acceptable on the basis that the employer is doing so to protect against legal risk. For specific documents, like PAYE records or maternity pay, the employer must assess the appropriate guidelines and determine a retention policy.
2. Court Action under the Civil Procedure Rules
Businesses could be at risk if they fail to produce evidence, which may be contained within an email, for auditing or litigation purposes. It is possible to bring a claim for a breach of contract up to six years later, so businesses need to be able to respond quickly. Furthermore, the amendment to the Civil Procedure Rules and the issuance of Practice Direction 31B, Disclosure of Electronic Document essentially mandates that businesses must be prepared for electronic discovery.
3. The Data Protection Act (DPA) 1998
Requires companies to ensure they have taken the appropriate technical steps to protect any personal data they hold from misuse, theft or damage. If a DPA request is received then an organisation has 40 days to provide a copy of this information.
4. Freedom of Information Act
Provides public access to any recorded information including emails and computer documents, held by public authorities. This includes government documents, local authorities, state schools, universities and the NHS.
5. Financial Services Act
The financial services industry is strictly regulated and requires financial organisations to store all business emails sent and received for up to 6 years. Some data must be kept indefinitely so that cases can be reviewed.
6. The Sarbanes-Oxley Act
The US passed this Act, which introduced stricter financial reporting requirements, following two financial scandals. The aim was to protect shareholders and the general public from accounting errors and fraudulent practices in the enterprise. It can also apply to UK companies if they are subsidiaries of certain US companies, and the Act places requirements to retain business critical emails. Rather than specifying how a business should store records, it defines which records should be stored and for how long.
What do you do now?
As you can see from above, there are many regulations to consider – and this is just a brief overview! There are many other specific retention periods. For example, medical examination records and registers of employees working with hazardous substances must be kept for a minimum of 40 years, under the Control of Substances Hazardous to Health Regulations 1995/3163.
All emails need to be treated differently. When deciding on your policy it is recommended that you:
- Consider legal obligations and business needs
- Establish standard retention periods for different types of information
- Ensure information is kept securely and also destroyed securely when no longer needed.
There are three typical retention policies used by most organisations. Option 1 is to Save Everything, which means all data is retained for use in any litigation matters. While this may seem the safest it will cause issues. There can be decreased performance, prolonged backup and restore processes and extended e-discovery costs – as more data stored equals more data to search through.
Option 2 is User Driven Retention, where users manage retention with predetermined tags or rules. Theoretically, this should mean that the organisation only retains what it needs to, but it depends on the users. There is a high risk of human error as users must remember and understand all retention guidelines.
The third option is to automatically archive emails, which can be carried out by an email archiving solution. It is not feasible to keep every email in a live environment. As volume increases, simple operations like search and retrieval become more time-consuming. An email archiving solution fixes retention periods for emails, which are controlled by automated processes. It provides secure storage for all users to enforce compliance and is ideal for many businesses – particularly heavily regulated industries.
How to create an information classification policy
Documents are a business asset. If an asset is lost, stolen or damaged, it becomes a risk. Both for the business and for their client. This means having control systems in place to understand these risks is critical. And having the controls to counter them is equally as important. It sounds simple. But after a […]
Why is business continuity planning so important?
We are fortunate in the UK that major incidents such as earthquakes, wildfires, flooding or terrorist attacks are rare. Yet when they do occur, we often find ourselves ill-prepared for the trials they present. In countries that regularly deal with these catastrophes, a disaster recovery plan is a standard part of a business plan. However, […]
Cyber Security Post Covid: How to protect against attacks
Businesses have done a phenomenal job to keep going throughout Covid to keep people working from home, and at the same time building in those layers of security as they go. However, as this new norm sets in, there needs to be more security in place for the post covid world. Working from […]