**Global Relay retain an in-house Legal team to advise on all aspects of compliance**
The ability to search for and retrieve emails, and the data held in them, is becoming increasingly difficult as email volumes grow at a phenomenal rate.
Asking an email administrator to locate specific data from within emails held in a current data store is difficult enough; requiring that administrator to locate specific emails referencing a particular subject, contract or other fact from a year or more ago is asking them to perform the near impossible.
The usual technique administrators would employ to search for and locate emails over 6 months old is to manually restore the server from backup tape and then manually search the mailboxes. It is estimated that this can cost an organisation up to £35,000 in time and effort every time such a search occurs.
The correct storage of emails for efficient retrieval requires that all emails are indexed and stored in a relational database. This allows any email, search string, or piece of data contained within an email, to be retrieved by a simple query.
A secure, stable and, most importantly, truly scalable email storage and retrieval system is now essential for virtually all companies.
The New UK Legal Requirements
Aside from specific industry regulations, there are two key UK laws that affect organisations and make the installation of an electronic communication archive and retrieval system essential: the Data Protection Act and the Freedom of Information Act.
Corporate governance in the UK and Europe is also moving towards a Sarbanes-Oxley type regime. The Company Law Reform White Paper (a draft document on the future of company law) sets out tough penalties for accounting offences, and is due to be debated by the UK Government in the near future. The European Union "Eighth Directive" is another example of pending legislation.
Enforcement of both the Data Protection Act and the Freedom of Information Act in the UK resides with one person: the Information Commissioner.
These legal requirements are discussed further below.
The Data Protection Act 1998
The revised UK Data Protection Act (DPA) became law in the UK in 1998.
The DPA gives all individuals certain rights regarding information held about them. It places obligations on those who process or hold any information (data controllers) while giving rights to those who are the subject of that data (data subjects). Personal information covers both facts and opinions about the individual.
The DPA is very clear about the need for those organisations holding and processing data to keep and maintain personal data in a secure way, restricting who can access or use it.
Most organisations, however, have not implemented the DPA directives and have not applied a policy for the management and storage of electronic communications.
The DPA recommends that security standard BSI 7799 (ISO 17799) be used to manage electronic data. BSI 7799 is a British Standard code of practice for information security management.
Core to the DPA is the way in which it mandates all organisations to disclose information they might hold.
The key instrument of disclosure is called a "Subject Access Request" (SAR). Anyone (employees, ex-employees, customers, etc.) can issue a SAR against any organisation, public or private, by simply writing a letter in a format available from the Data Protection Act website, enclosing a cheque for £15, and delivering it to the organisation by registered mail.
The organisation receiving the SAR is legally obliged to give up all data requested within 20 days. Failure to comply breaks the law, seriously affecting the organisation's ability to defend itself against any legal action.
The most common use of Subject Access Requests (currently) is by employees, or ex-employees making claims of unfair dismissal, sexual / racial discrimination, harassment and such like.
The difficulty in trying to find relevant emails and other communications (including those containing opinions as well as facts) between different parties from historic backups (if available) over a two-year period is immense.
Very few organisations would be able to meet a request to produce ALL information held within their email system on a particular subject within 20 working days.
The UK Freedom of Information Act
The Freedom of Information Act (FOI) was passed on 30th November 2000, and became fully implemented in January 2005.
The FOI gives anyone, any agency, any group or any company, the right to compel any Public body to make available any information they might be holding on any subject they are interested in (with some obvious exceptions – National Security for example).
Public authorities include central and local government, NHS organisations (including GPs, dentists, pharmacies and opticians), schools, colleges, universities, regulatory bodies such as Ofcom, parish councils and many more.
Information requested can be on any event such as:
- The process for awarding a particular contract and its commercial terms
- The area affected by a toxic spillage
- The results of testing of the local water supply
- An enquiry into suitability for a particular site as a waste dump
- Personal records
Crucially, the Act is also retrospective, so it applies to all historical data as well as that generated since it was enacted.
Anyone who makes a request to a public authority for information must be informed whether the public authority holds that information, and if it does, that information must be supplied. Public authorities are required by a range of legislation to maintain accurate and appropriate records; simply deleting the records and email to avoid compliance could place the authority in breach.
For legal compliance, data held in emails should be stored in a secure, encrypted archive with quick retrieval, and all events surrounding any email should be fully audited.
The Information Commissioner's Office issues fines to organisations for non-compliance with the DPA.
More recent events have created a quantum leap in the level of penalties organisations face for failing to comply with legislation. The Freedom of Information Act states that any organisation within the public sector that does not comply with FOI can be held in “contempt of court”, which could lead to a jail sentence.
Deleting email so that it cannot implicate an organisation is also not acceptable, as there are many Acts of Parliament in the UK, ranging from revenue and tax legislation through to personnel matters, that define the obligations an organisation has to maintain accurate records.
Other Industry Regulations
There are many other regulations which may apply to an organisation depending on its industry. For example, for regulated financial institutions, the UK Financial Services Commission mandates that members must retain all pertinent client records, paper and electronic, for a period of 10 years.
European companies with US-based parents or subsidiaries may also have to comply with such acts as Sarbanes-Oxley, SEC Rule 17(a)-4 and NASD Conduct Rule 3110.
Further information on exact US and UK regulatory compliance requirements is available on request.
Management Questions
Below is a list of questions management should be asking. If you cannot answer these questions satisfactorily, you may not comply with the FOI's or DPA's legal requirements.
- Do we securely archive and audit all electronic communications, both inside and outside the organisation?
- Can we quickly and securely retrieve specific communications?
- Would it take longer than 20 days to search all historic emails (up to 2 years old) to find information contained in one of them?
- Is access to all emails and other electronic communications, and every action performed on them, audited?
- Can we search for specific information held in email attachments?
- Can we prove that the results of any search of our current systems also include emails deleted or revised by users?
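The storage model described earlier (every email indexed and held in a relational database, retrievable by a simple query) and the management questions above can be made concrete with a small archive. The example below is added here for illustration; it is not Global Relay's product or code, and it assumes SQLite from the Python standard library, a hand-built inverted index in place of a full-text engine, constructed sample messages, and no encryption at rest (which a production archive would add). It shows a search that covers attachments and user-deleted messages, an integrity hash per message, and an audit log of every archive, search and fetch event.

```python
import hashlib
import re
import sqlite3
from datetime import datetime, timezone

# Constructed sample messages (not real correspondence). M-2 is flagged as
# deleted by the user; M-3 carries the word "contract" only in its attachment.
SAMPLE_MESSAGES = [
    {"msg_id": "M-1", "sender": "alice@example.test", "recipients": "bob@example.test",
     "sent_at": "2004-03-02T09:15:00Z", "subject": "Cleaning contract renewal",
     "body": "Bob, the cleaning contract terms are attached for review.",
     "attachments": [("terms.txt", "Contract value GBP 12,000 per year.")],
     "user_deleted": 0},
    {"msg_id": "M-2", "sender": "bob@example.test", "recipients": "alice@example.test",
     "sent_at": "2004-03-03T10:40:00Z", "subject": "Re: Cleaning contract renewal",
     "body": "Looks fine, I will sign it this week.", "attachments": [],
     "user_deleted": 1},
    {"msg_id": "M-3", "sender": "carol@example.test", "recipients": "alice@example.test",
     "sent_at": "2004-06-11T14:05:00Z", "subject": "Water testing results",
     "body": "Results from the lab are in the attached report.",
     "attachments": [("report.txt", "Lead: below detection limit. Contract lab: AquaTest.")],
     "user_deleted": 0},
]

# Hypothetical schema: messages, extracted attachment text, an inverted term
# index, and an append-only audit log.
SCHEMA = """
CREATE TABLE messages (msg_id TEXT PRIMARY KEY, sender TEXT, recipients TEXT,
    sent_at TEXT, subject TEXT, body TEXT, content_sha256 TEXT, user_deleted INTEGER);
CREATE TABLE attachments (msg_id TEXT REFERENCES messages(msg_id),
    filename TEXT, extracted_text TEXT);
CREATE TABLE term_index (term TEXT, msg_id TEXT, location TEXT,
    PRIMARY KEY (term, msg_id, location));
CREATE TABLE audit_log (seq INTEGER PRIMARY KEY AUTOINCREMENT,
    at TEXT, actor TEXT, action TEXT, detail TEXT);
"""


def tokenize(text):
    """Lower-case alphanumeric tokens; the same rule is used for index and query."""
    return set(re.findall(r"[a-z0-9]+", text.lower()))


def content_hash(msg):
    """SHA-256 over headers, body and attachments, so later tampering is detectable."""
    h = hashlib.sha256()
    for part in (msg["sender"], msg["recipients"], msg["sent_at"], msg["subject"], msg["body"]):
        h.update(part.encode("utf-8") + b"\x00")
    for name, text in msg["attachments"]:
        h.update(name.encode("utf-8") + b"\x00" + text.encode("utf-8") + b"\x00")
    return h.hexdigest()


def log_event(conn, actor, action, detail):
    conn.execute("INSERT INTO audit_log(at, actor, action, detail) VALUES (?, ?, ?, ?)",
                 (datetime.now(timezone.utc).isoformat(), actor, action, detail))


def archive_message(conn, msg, actor="ingest-service"):
    """Store the message, extract attachment text, index every term by location."""
    conn.execute("INSERT INTO messages VALUES (?, ?, ?, ?, ?, ?, ?, ?)",
                 (msg["msg_id"], msg["sender"], msg["recipients"], msg["sent_at"],
                  msg["subject"], msg["body"], content_hash(msg), msg["user_deleted"]))
    locations = [("subject", msg["subject"]), ("body", msg["body"])]
    for name, text in msg["attachments"]:
        conn.execute("INSERT INTO attachments VALUES (?, ?, ?)", (msg["msg_id"], name, text))
        locations.append(("attachment:" + name, text))
    for location, text in locations:
        conn.executemany("INSERT OR IGNORE INTO term_index VALUES (?, ?, ?)",
                         [(term, msg["msg_id"], location) for term in tokenize(text)])
    log_event(conn, actor, "archive", msg["msg_id"])


def build_archive(messages=SAMPLE_MESSAGES):
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for msg in messages:
        archive_message(conn, msg)
    conn.commit()
    return conn


def search(conn, actor, query):
    """msg_ids containing every query term in any location, user-deleted or not."""
    terms = sorted(tokenize(query))
    log_event(conn, actor, "search", query)       # every search is audited
    if not terms:
        return []
    placeholders = ", ".join("?" * len(terms))    # only '?' markers; values are bound
    rows = conn.execute(
        f"SELECT msg_id FROM term_index WHERE term IN ({placeholders}) "
        "GROUP BY msg_id HAVING COUNT(DISTINCT term) = ? ORDER BY msg_id",
        (*terms, len(terms))).fetchall()
    return [r[0] for r in rows]


def fetch_message(conn, actor, msg_id):
    """Return the stored message with an integrity verdict; the access is audited."""
    log_event(conn, actor, "fetch", msg_id)
    row = conn.execute("SELECT sender, recipients, sent_at, subject, body, content_sha256, "
                       "user_deleted FROM messages WHERE msg_id = ?", (msg_id,)).fetchone()
    if row is None:
        return None
    attachments = conn.execute("SELECT filename, extracted_text FROM attachments "
                               "WHERE msg_id = ? ORDER BY rowid", (msg_id,)).fetchall()
    msg = {"msg_id": msg_id, "sender": row[0], "recipients": row[1], "sent_at": row[2],
           "subject": row[3], "body": row[4], "attachments": attachments, "user_deleted": row[6]}
    msg["integrity_ok"] = content_hash(msg) == row[5]
    return msg


def audit_trail(conn):
    return conn.execute("SELECT actor, action, detail FROM audit_log ORDER BY seq").fetchall()


if __name__ == "__main__":
    archive = build_archive()
    print(search(archive, "dpo", "contract"))        # includes M-2 (user-deleted) and M-3 (attachment only)
    print(fetch_message(archive, "dpo", "M-2")["integrity_ok"])
    print(audit_trail(archive))
```

The index is keyed by term and message so a multi-word query is a single grouped query rather than a mailbox-by-mailbox scan, and the `user_deleted` flag is stored as metadata rather than acted on, which is what lets a search answer the last management question above.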
More Information
References:
- The Freedom of Information Act 2000 - http://www.opsi.gov.uk/acts/acts2000/00036--a.htm#1
- Data Protection Act 1998 - http://www.opsi.gov.uk/acts/acts1998/19980029.htm
- People's rights > Freedom of Information - http://www.dca.gov.uk/foi/codemanrec.htm
- British Standards - http://www.bsi-global.com/British_Standards/index.xalter
- The Company Law Reform - http://www.dti.gov.uk/cld/WhitePaper.htm
- Sarbanes-Oxley Act of 2002 - http://www.sec.gov/divisions/corpfin/faqs/soxact2002.htm
- IDC Reports - http://www.idc.com/
British Standards (BSI)
- BS 4783 - Storage, transportation and maintenance of media for use in data processing and information storage
- BS 7799 / ISO 17799 - Code of practice for information security management
- BS ISO 15489-1 - Information and Documentation - Records Management - Part 1: General
- BSI DISC PD 0008 - Code of practice for legal admissibility and evidential weight of information stored on electronic document management systems
- BSI DISC PD0010 - Principles of good practice for information management
- BSI DISC PD0012 - Guide to the practical implications of the Data Protection Act 1998