The use of business email has grown exponentially over a relatively short period of time, bringing with it the huge advantages of worldwide, cost-effective, easy and near-instantaneous communication. But as all those involved in the management of IT systems know, the growth in email usage has brought its own challenges.
Two key UK laws, both now in force, affect organisations and make an email archive system essential:
- The Data Protection Act (applies to both public and private sector entities) and
- The Freedom of Information Act (applies to public sector entities)
The Data Protection Act became law in 1998. The Act is clear about the need to keep and maintain personal data securely (its seventh principle requires appropriate technical and organisational measures against unauthorised access, loss and damage), restricting who can access or use it. Yet most organisations have not turned the DPA's requirements into a clear policy for the management of email, because the Act does not explicitly state that emails must be held in a separate system that provides security and audited access. Guidance issued under the Act points to the security standard BS 7799 (ISO/IEC 17799) for managing electronic data, but this is a recommendation, not a mandate, and it does not cover retrieval or the level of audit required for email.
Core to the Data Protection Act is the way in which it compels an organisation to disclose the personal data it holds. The key instrument of disclosure is the "Subject Access Request". Any individual, current and former employees included, can make a SAR to any organisation for the personal data held about them, simply by writing to the organisation (a template letter is available from the Information Commissioner's web site) and paying a small statutory fee (capped at £10 under the 1998 Act). The organisation receiving the SAR is legally obliged to supply the requester's personal data within 40 days. Failure to comply is a breach of the Act and seriously weakens the organisation's ability to defend itself against any subsequent legal action.
Worthy of note is that the most common use of Subject Access Requests (currently) is by employees, or ex-employees making claims of unfair dismissal, sexual / racial discrimination, harassment, or constructive dismissal. Just imagine the difficulty in trying to find relevant emails between different parties from historic PST files, over a two-year period.
As a result of the lack of government guidelines for IT systems management, only a few organisations have taken the decision to ensure that emails are correctly archived, indexed and recoverable, but times are changing.
The reality is that, for legal compliance, data held in emails should be stored in a secure archive that allows quick retrieval, with every event in the life of a message audited.
The Information Commissioner's Office is now taking enforcement action against organisations for non-compliance with the DPA, and ignorance of the Act is no excuse. To date the penalties have not been large, but they are becoming more commonplace, and recent legislation has sharply raised the stakes for organisations that fail to comply. Under the Freedom of Information Act (fully in force from January 2005), a public authority that fails to comply with a notice issued by the Information Commissioner can be certified to the High Court and dealt with as if in contempt of court, which can ultimately lead to imprisonment.
In the United States, executives and employees have been prosecuted under Sarbanes-Oxley (SOX), which makes the destruction of records that should have been retained a criminal offence; deleting email that was subject to a retention obligation has been the common thread.
Enforcement of both the Data Protection Act and the Freedom of Information Act resides with a single office, the Information Commissioner.
Briefly, FOI gives anyone (an individual, agency, group or company) the right to compel a public authority to make available information it holds on a subject of interest. This could be information on any matter, such as:
- The process for awarding a particular contract and its commercial terms
- The area affected by a toxic spillage
- The results of testing of the local water supply
- An enquiry into the suitability of a particular site as a waste dump
The exemptions under which a public authority can lawfully refuse an FOI request are specific and narrow. For instance, a non-disclosure agreement between parties, where one party is subject to FOI, cannot by itself be invoked as a reason for withholding the information.
Deleting email so that it cannot implicate an organisation is not acceptable either, as many Acts of Parliament in the UK, ranging from revenue and tax legislation through to personnel matters, define the obligations an organisation has to maintain accurate records.
Information held in emails needs to be secure, indexed and retrievable, and once it is in your care its life cycle needs to be audited; this is simply good practice. Beyond that, the legal framework has just become stronger and looks set to become stronger still.
How to choose an email archive – 10 point check list
- Exchange, GroupWise, Notes: the archive you choose needs to be accredited by these vendors.
To ensure correct integration with your email server, the archive solution you choose should be certified by your email server vendor. Some are and some are not.
- Does it scale? What proof of scalability?
Most archives work on day one, but the system will be collecting and indexing millions of messages over time. As the database builds and the search metadata grows, problems start to manifest. Some archive suppliers have been through this experience and understand what it takes to scale over time, but in this fledgling market many have not. Anybody can propose low-cost, entry-level hardware, storage and database licensing, but who bears the real cost in 6 to 12 months' time when the system keeps failing?
- Is the archive performance proven over time?
Ask what the largest and smallest systems they have installed are, how long their longest-running email archive has been in operation, and what the largest message volume they have archived is.
- Can your system work within the user client?
User acceptance of the archive, and therefore zero user retraining, is critical. Any archive solution must allow users to search and retrieve archived email from within their standard email client, be it Outlook, Notes or GroupWise. In the Exchange and Notes world this is usually achieved by "stubbing": the message body or attachment is moved to the archive and a small placeholder (the stub) is left in the mailbox, so the user opens the archived item from the client exactly as before.
- Does the system handle Legal Discovery correctly?
Some vendors call a basic content search "Legal Discovery". This is not good enough; talk to your legal counsel, or call us, if in doubt. Every archive solution allows a basic content search across the whole archive from an administration login; do not confuse this facility with Legal Discovery, whatever the solution provider claims. The ability to narrow an initial content search and then hand the result set to legal counsel, the personnel department or an industry regulator to perform the necessary Legal Discovery actions, with the chain of custody preserved, should be a major consideration when investing in an email archive.
- Unlimited user mailbox?
Explosive storage growth, users demanding that their mailbox limits be removed, constantly expanding backup windows: sound familiar? The right email archive addresses all of these problems and lets you provide your users with an "unlimited mailbox".
- Storage systems independence.
The archive you choose will probably outlast your existing storage systems, so it must not be tied to a particular storage vendor or technology. You should be able to move the archived data onto replacement storage without being forced to adopt a technology the archive vendor dictates.
- Can the system archive Instant Messaging and proprietary email systems?
Your archive needs to be flexible enough to handle instant messaging. The right email archive can be used in conjunction with IM security solutions to archive, index and store IM conversations, providing the same searchable trail that you get from archived email. Some organisations use proprietary messaging systems as well, so an adaptable email archive should be flexible enough to cope.
- Can you transfer the archive to a different email server solution, seamlessly?
The archived data will often need to be retained through two or even three changes to the email infrastructure, whether upgrades from the same vendor or a complete change of platform. Select the right archive solution from day one and you will retain the investment made and still have access to all the old messages. Check that support for multiple email systems is in place today; as we all know to our cost, software companies sell futures.
- Check reference sites.
Don't take the salesman's word for it: check at least four reference customers using the archive, and make sure they are of different sizes, with different infrastructures and different message volumes. At least one site should have extremely high volumes. Test IM archiving too.