
November 2010

A report by

UK EMAIL RETENTION POLICIES:

Guidance on Legal Obligations for the Public and Private Sectors

Sponsored by

UK email Retention Policies. Guidance on Legal Obligations for the Public and Private Sectors.

1

Contents

Executive summary 3

About this White Paper 3

The problem domain 3

There’s no guidance for handling email! 3

The essence of email – why the use of email has significant legal consequences 4

The lawyer’s perspective on email mismanagement 4

Emails and the Freedom of Information Act 4

Emails and the Data Protection Act 5

Emails as evidence – the litigation context 6

Emails as records – retention obligations that arise due to the nature of the information involved 6

Failing to manage emails properly – what are the consequences? 6

What should organisations do? 8

Let’s delete everything! 9

Legal Perspectives on the nature and character of email 10

The obligation to retain emails 10

Monitoring and retaining emails – the privacy rights issues 11

Why organisations fail to comply with their legal obligations for email retention and the potential problems that can arise. 13

Causes of non-compliance 13

The “disconnect” point 14

Consequences of non-compliance 15

Litigation disclosure 16

Key legal philosophies – why the law requires the retention of records 18

Records keeping and regulation 18

Toughening up transparency mechanisms – the transition to heavy touch regulation 19

How the law distinguishes between a record and a “mere” document 21

Can an email be a record? 21

Ensuring an environment for records 22

Critical legal obligations for records and evidence arising under major pieces of legislation 25

Freedom of Information Act 25

The Data Protection Act 1998 26

Companies Act 2006 27

Financial Services and Markets Act 27


Equality Act 28

Bribery Act 29

Critical legal obligations for disclosure as they arise within criminal and civil litigation 30

Criminal litigation 30

Civil litigation 30

The meaning of “document” 31

Disclosure of deleted emails 31

Duty of search 32

Examples of retention laws and retention periods 34

Do emails fall within the scope of the records requirements discussed in this section? 34

Retention periods and the Freedom of Information Act 34

Public sector 35

Education 36

Police service 37

Ambulance service 37

Health 37

Private sector retention issues 38

Tax, pay and employee records 39

Private sector and regulatory frameworks 40

Cases involving the mishandling of email 41

Emails and defamation 41

Emails and data protection 41

Emails providing evidence of breaches of the Freedom of Information Act 42

Emails as evidence in matrimonial proceedings 42

The new legal framework for data security 43

Data security and the impact for email retention 43

The core functionality of an email archiving system 45

What are we driving at? 46

About the author 47

About Messaging Architects 48


Part 1

Executive summary

About this White Paper

Field Fisher Waterhouse LLP have been commissioned by Messaging Architects to provide this White Paper as a guide to public and private sector organisations on the legal obligations for the retention of emails.

The problem domain

The importance of email within our business and personal lives is well understood. However, what is less clear is how the law treats email, or what should be done at an operational level within our organisations in order to achieve compliance with the various laws and regulations that require good systems for the management and retention of emails; many organisations have not yet “worked out” the legal issues, or why these issues demand the adoption of email archiving technology.

There’s no guidance for handling email!

Many people who are new to the email handling problem soon feel overburdened by the complexity of the subject matter and the absence of a unified legal framework that addresses all of the issues. This is a problem that is encountered by people working in the public sector and in the private sector. Unfortunately, the law is in a fragmented state, spread across hundreds of Statutes, thousands of Statutory Instruments and countless pieces of regulatory guidance, standards for best practice and case law. “Pulling it all together” is beyond the scope of most organisations. But organisations are expected to meet their legal obligations.


As far as the retention of email is concerned, the best advice that can be given is that organisations should work to a retention and deletion policy, which assumes that there is a need to retain information. From that point the organisation can take decisions about the “weeding out” of information that is not required for legal purposes. Adopting an initial “delete everything” policy should be avoided at all costs, as discussed later.

The essence of email – why the use of email has significant legal consequences

The essence of email is that it is a communications medium. When we look at email in this way it soon becomes apparent that “traditional” legal concepts map very well to the email environment. Thus, we can use email to libel people, to harass people, to discriminate against people and to breach confidentialities and privacy. We can also attach files to email, making it a perfect vehicle for committing intellectual property offences, such as breaches of copyright. Similarly, emails may contain the kind of information that requires them to be preserved as a record, or as evidence. It follows, therefore, that all organisations would be wise to invest time in understanding their email use, to identify the risk areas, the mitigating actions they should take to reduce the risk of legal problems occurring and the steps that they should take to ensure that emails are properly managed and properly retained.

The lawyer’s perspective on email mismanagement

As a lawyer who advises on email, I am aware that some organisations are delaying dealing with the email problem because they mistakenly believe that there are no, or minimal, legal consequences for bad email management. This mind-set is seriously unwise; questions about the handling of email are regularly playing out in disputes and in regulatory proceedings. I have plenty of first-hand experience of the fact that compensation claims arising from the misuse of email are common. However, due to the incentives that organisations face to settle cases (including a natural desire to avoid washing their dirty linen in public) only a small fraction of these disputes are getting to court. Of course, this should not blind the organisation to the fact that legal problems about email can arise at any time.

Emails and the Freedom of Information Act

Take the Freedom of Information Act, for example, which applies to public authorities. The general right of access within the Act requires public authorities to give disclosure of recorded information, whether in paper or electronic form, within a short timeframe.

Emails are subject to this legal regime and, as many public authorities will attest, people are regularly making requests for disclosure of emails, or requests that bite on emails. In my experience, public authorities that have not put in place the right systems and operations for the management of email, which will include policies for records retention as well as the use of technologies, such as email archiving solutions, will often find that the FOI regime is impossible to comply with, which will put them in breach of the law.

This can lead to enforcement action by the Information Commissioner[1], litigation before the Tribunal and public admonishment. For example, the Information Commissioner took enforcement action against the Department of Health, due to problems with its systems for records management, which included problems with its systems for the management of emails. This led to the issuing of a Practice Recommendation in 2009, which required the improvement of data classification for emails and facilities for the searching of email metadata[2].

One of the key perils for public authorities that fail to manage their records properly is being put under Information Commissioner monitoring. Organisations that are on monitoring lists are on the regulator’s radar and their failures will be put in the public domain. To illustrate this point, on 1st October 2010 the Information Commissioner published a list of public authorities that are undergoing monitoring for not responding to FOI access requests in time[3]. The Information Commissioner also keeps separate monitoring lists for the police service[4] and for government departments[5].

It should be kept in mind that failures under the FOIA regime can result in the withholding or reduction of government funding to public authorities.

Emails and the Data Protection Act

Another area of the law where email misuse is being regularly and publicly sanctioned is the field of data protection. Where email misuse constitutes a breach of the security principle in the Data Protection Act the Information Commissioner is always ready to act. This alone should be enough to cause organisations to get to grips with their email use, because the Information Commissioner is now equipped with a new £500,000 financial penalty and new auditing powers.

Of course, the Data Protection Act is concerned with much more than security. Data controllers, including public authorities, need to comply with all of the data protection principles, which combine to demand appropriate systems and operations for the management of records. As the main thrust of the DPA is electronic records, it will be obvious why emails are subject to this legal regime. Consequently, data controllers need to ensure that their emails are retained properly, disposed of properly and used properly. The information within emails needs to be accurate, kept up to date and be sufficient for the underlying processing purpose. Due to the fact that emails respect no geographical boundaries, data controllers need to ensure that emails are not used to send personal data outside of the European Economic Area to unsafe countries.

[1] See, for example, the June 2010 enforcement notice served on the IPCC. http://www.ico.gov.uk/upload/documents/library/freedom_of_information/notices/ipcc_enforcement_notice.pdf
[2] http://www.ico.gov.uk/upload/documents/library/freedom_of_information/notices/doh_practice_recommendation.pdf
[3] http://www.ico.gov.uk/upload/documents/pressreleases/2010/ico_statement_monitored_authorities.pdf
[4] http://www.ico.gov.uk/upload/documents/library/freedom_of_information/research_and_reports/police_sector_ps_monitoring_report.pdf
[5] http://www.ico.gov.uk/upload/documents/library/freedom_of_information/research_and_reports/central_government_sector_monitoring_report.pdf

Emails as evidence – the litigation context

Unfortunately, the scourge of litigation regularly hits public authorities. Employment-type litigation is a particular problem in all sectors of the economy, as is litigation about accidents and health and safety. In fact, litigation can arise over any subject matter and, as indicated above, email provides a perfect vehicle for libels, harassment, discrimination, intellectual property rights infringements, breach of confidence and breach of privacy. Emails can also be used to create contracts and to breach contracts.

The key point to understand is that emails are admissible in evidence in litigation. As such, the parties to litigation carry two burdens: once litigation commences they are under a duty to preserve relevant documents, including emails, and they are under a duty to disclose relevant documents. Again, these duties behove the organisation to put in place appropriate systems and operations for the management of their emails.

Emails as records – retention obligations that arise due to the nature of the information involved

There are literally thousands of laws and regulations that require organisations to preserve records. For example, there are records retention obligations in the public sector (as within the Freedom of Information Act), records retention obligations that serve corporate governance obligations and records retention obligations for tax and financial purposes. Any organisation that uses email is bound to face a plethora of records keeping obligations; this is unavoidable and it means there is a legal duty to comply.

Of course, there has to be a “point” to records retention. The point, quite simply, is that records should be retained so that an accurate picture of events is preserved, one that is capable of being called up, or retrieved, when the law requires. Thus, regulators such as the Health and Safety Executive, the Financial Services Authority, the Information Commissioner and Ofcom all have powers that enable them to demand access to records at any time.

Failing to manage emails properly – what are the consequences?

If you fail to manage emails properly there are many consequences that can follow.

If, for example, you are unable to comply with your e-discovery obligations in litigation you face the ultimate sanction of having your case dismissed, or judgment entered against you. You can also be faced with legal costs consequences and be ordered to pay the other side’s wasted legal costs incurred in trying to bring you into compliance.


Under the Freedom of Information Act the ultimate sanctions are referrals to Parliament and to the High Court. The key point to remember is that a public authority that is on the receiving end of regulatory action under the FOIA risks very adverse publicity. A good, recent example of this point concerns the MPs’ expenses scandal, which ultimately cost the Speaker of the House of Commons his job, in part due to the perception that he had improperly resisted the access requests that had been made.

Under the Data Protection Act a failure to comply with a subject access request can ultimately lead to criminal prosecution. This recently happened to Liverpool City Council, which was prosecuted by the Information Commissioner for failing to respond properly to a request. The new financial penalty and auditing powers, mentioned earlier, also contain perils for organisations that fail to comply with the Act. In addition, the Commissioner can serve enforcement notices, which can require data controllers to modify their data processing operations. In this context it should be noted that the Information Commissioner is receiving a large number of complaints about subject access requests. In his submission to the Ministry of Justice Consultation on the Data Protection Act[6] he commented that:

“As the regulator for the DPA the Information Commissioner receives many complaints about subject access requests being refused – 28% of the 33,234 written requests for advice/complaints received in 2009/10 concerned subject access requests.”

An issue that should not be overlooked is the fact that it generally costs much more to deal with legal obligations surrounding email when you do not have proper systems in place than it does when you do. I regularly act for organisations that have received access requests under the Freedom of Information Act and the Data Protection Act. In a recent case the legal advice cost over £5,000 because the client required us to manually read emails to see if they had to be disclosed; I believe that the client would not have incurred any legal costs if it had understood its obligations and put in place technologies, such as email archiving solutions, to manage these requests. Of course, to be added to the legal costs are the costs of additional internal resources at the client side. In litigation the costs of managing an e-discovery exercise without adequate technologies can become exorbitant, in some cases exceeding £20,000.

In order to conceptualise the size of the task in dealing with access requests and e-discovery in an environment that does not have good systems and operations for the management of email it may be helpful to consider the following points:

• The law’s concern is with the nature of the information within emails. Provided that the information is relevant to the issue under consideration it has to be searched for and searched through. In other words, the organisation has to find relevant information.

• The environment of email is naturally fluid and volatile. Emails will reside in personal email folders, in portable storage devices, in backups, in servers, in web based systems and in home systems. The legal obligations touch all of these places.

If you have not managed your email, locating and searching for relevant information can be a task of gargantuan proportions.

[6] http://www.ico.gov.uk/upload/documents/library/data_protection/notices/response_to_moj_dpframework.pdf

What should organisations do?

Organisations that appreciate the full range of legal issues involved in the use of email quickly realise that they need to work in a systematic and methodical way. Key points to follow are:

• An acceptable usage policy is vital, so as to give the organisation better control over the content and use of emails and to reduce the risk of emails being used to breach the law. If you know what your emails are about and for what purposes they are being used you will be able to make informed decisions about retention and deletion. If you can minimise the risk of emails being used in breach of the law you will minimise the risk of disputes, with the result that you will minimise the risk of having to engage in an e-discovery exercise.

• An email monitoring policy is vital. Again, it reduces the risk of a breach of law occurring.

• An email retention policy is vital. Organisations should not make decisions about the retention of email based on the availability of data storage, mailbox sizes or disk space. The retention periods should be set to legal and business long stops. For example, I am aware of cases involving the police and educational institutions that have set blanket 90 day deletion policies. This approach cannot be said to have considered all of the legal obligations pertaining to the use of email.

• Technologies should be installed to manage email. An email archiving solution will provide effective email management.


Let’s delete everything!

As just mentioned, I am aware of organisations that have set blanket deletion policies, with short retention periods. Very often these decisions are taken because of storage constraints, or because longer retention is harder to achieve, or more costly.

The problem with blanket deletion lies in the fact that the law frequently requires retention. Thus, if an organisation is engaged in litigation or is required to respond to e.g. FoIA requests, the duty of preservation of evidence can be breached with blanket deletion. Similarly, if the email contains information that falls within a mandatory retention period that is longer than the deletion period, a breach of law will occur, which can lead to regulatory action, including fines. In other words, the folly within a blanket deletion policy is that emails that should be retained are not.

For these reasons my advice is to put in place systems and operations that reflect the nature and content of the email. It is the nature and content of the emails that should determine retention and deletion periods, not pure cost or storage considerations.
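To make the contrast between a blanket deletion rule and a content-based retention policy concrete, here is an added Python example; it is not part of the white paper and is not Field Fisher Waterhouse’s or Messaging Architects’ code. It serves both the retention-policy point under “What should organisations do?” and the argument of this section. The categories, the retention periods and the sample mailbox are constructed for illustration and are not the legal retention periods of any regime; the `legal_hold` flag stands in for the preservation duty that arises on litigation or on receipt of an access request, as described above.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed retention schedule: long-stop retention per content category, in
# days. These numbers are illustrative assumptions for this example only; a real
# schedule takes each period from the legislation that applies to that record type.
RETENTION_DAYS = {
    "general-correspondence": 365,
    "hr-payroll": 6 * 365,
    "contract": 6 * 365,
    "transient": 30,
}

# The kind of storage-driven blanket rule the paper criticises (90 day deletion).
BLANKET_DELETION_DAYS = 90


@dataclass
class Email:
    id: str
    category: str             # assigned by classification at ingest; may be unknown
    received: date
    legal_hold: bool = False  # litigation preservation duty or a pending FOIA/DPA access request


def retention_decision(email, today, schedule=RETENTION_DAYS):
    """Content-based decision: returns ('retain' | 'delete', reason).

    A legal hold always wins, because the preservation duty is independent of the
    retention schedule. An unclassified email is retained rather than deleted,
    because the paper's starting assumption is that there is a need to retain.
    """
    if email.legal_hold:
        return "retain", "legal hold: preservation duty overrides the schedule"
    if email.category not in schedule:
        return "retain", "unclassified: retain until the content has been classified"
    expiry = email.received + timedelta(days=schedule[email.category])
    if today < expiry:
        return "retain", f"{email.category}: within retention period (expires {expiry})"
    return "delete", f"{email.category}: retention period expired on {expiry}"


def blanket_decision(email, today, days=BLANKET_DELETION_DAYS):
    """Storage-driven decision: delete anything older than a fixed number of days."""
    return "delete" if today - email.received > timedelta(days=days) else "retain"


def audit_blanket_policy(emails, today):
    """IDs of emails the blanket rule would delete although the content-based policy retains them.

    A non-empty result is the breach the paper describes: records within a mandatory
    retention period, or under a preservation duty, destroyed by a blanket rule.
    """
    return [
        e.id for e in emails
        if blanket_decision(e, today) == "delete"
        and retention_decision(e, today)[0] == "retain"
    ]


# Constructed sample mailbox, evaluated as of a fixed date so the results are stable.
TODAY = date(2010, 11, 1)
SAMPLE_EMAILS = [
    Email("m1", "hr-payroll", date(2009, 1, 15)),                              # old, but a payroll record
    Email("m2", "transient", date(2010, 9, 1)),                                # recent, but transient content
    Email("m3", "general-correspondence", date(2010, 6, 1), legal_hold=True),  # subject of an access request
    Email("m4", "general-correspondence", date(2009, 6, 1)),                   # genuinely expired
    Email("m5", "unknown-category", date(2010, 1, 1)),                         # never classified
]

if __name__ == "__main__":
    for e in SAMPLE_EMAILS:
        decision, reason = retention_decision(e, TODAY)
        print(f"{e.id}: content-based={decision:6} blanket={blanket_decision(e, TODAY):6}  {reason}")
    print("wrongly deleted by blanket rule:", audit_blanket_policy(SAMPLE_EMAILS, TODAY))
```

Running the block prints each email’s outcome under both rules and then the emails the blanket rule would destroy while the policy requires them to be kept: m1 (a payroll record), m3 (under hold) and m5 (never classified). The blanket rule also fails the other way: it keeps m2’s transient content past the point at which the schedule would dispose of it, which is the fifth-principle problem of keeping personal data for longer than necessary. Both failures stem from deciding on age alone rather than on the nature and content of the email.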


Part 2

Legal Perspectives on the nature and character of email

When lawyers consider the nature and character of email, two concepts are prominent in their minds:

• Email is a communications medium.

• Email is a substitute for paper.

These concepts are particularly important in law. The sanctity of communications is afforded special protection by the law; for example, it is a crime to intercept communications in the course of their transmission without “lawful authority”[7], which stems from human rights concerns, particularly the right to privacy[8]. As a substitute for paper, emails have legal effect; thus, they are admissible in evidence in court cases and they may be subject to records retention rules.

It follows that organisations need to ensure that they maintain a correct environment for emails. Among other things, a correct environment will ensure:

• That the right balance is struck between the monitoring and retention of emails and the privacy rights of the senders and recipients.

• That where a legal obligation to retain an email exists, the email will be retained in such a manner so as to preserve its integrity.

• That the email is always easily retrievable and disclosable.

The obligation to retain emails

There are four key situations where an obligation to retain emails arises:

Under freedom of information law – The Freedom of Information Act, section 77, contains an offence of altering, defacing, blocking, erasing, destroying and concealing any records held by a public authority with the intention of preventing the disclosure of records in compliance with a Freedom of Information Act access request or a Data Protection Act access request. This means that public authorities need to put in place systems and operations to ensure the preservation of emails following the receipt of access requests.

Under data protection law – The Data Protection Act contains a series of 8 data protection principles, the third of which says that “personal data shall be adequate”. This obligation should be read together with the fifth principle, which says that “personal data … shall not be kept for longer than is necessary”. The effect of these principles is to require data controllers to retain a minimum amount of personal data, in order to ensure that their data processing operations are conducted in accordance with the law. Consequently, the DPA can impose obligations on data controllers to retain emails.

Under legislation for records keeping – There are literally thousands of laws that require people and organisations to retain records. Records keeping laws can bite on email. Records keeping laws can apply generally, or specifically to types of organisations, or to sectors. For example, law enforcement agencies are obliged to retain records relevant to their investigations, companies are obliged to retain records about their business activities and employers are obliged to retain records about tax and payroll.

Under laws and rules of procedure relating to the conduct of litigation – In civil and criminal litigation the parties are required to retain relevant records once litigation commences; failure to do so can be a contempt of court. Such records constitute evidence.

[7] Regulation of Investigatory Powers Act 2000, section 1
[8] European Convention on Human Rights, article 8

Monitoring and retaining emails – the privacy rights issues

Emails can be machine-generated, or people-generated. Where the emails are people-generated it is important to understand the privacy issues involved.

Workers enjoy a right of privacy in the workplace[9]. However, the right to privacy is not an absolute right. This means that in certain circumstances an employer can monitor and retain emails.

Where the email travels over a private telecommunications system (as happens in the vast majority of business environments), the employer’s right to intercept, monitor and retain emails is described in the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000. Provided that (a) the employer makes reasonable efforts to inform the workforce of the fact of interception, monitoring and retention and (b) the interception, monitoring and retention occurs for legitimate business purposes, these acts will be lawful.

Monitoring and retention of emails that does not involve interception will also be lawful provided that this is done for legitimate business purposes and Data Protection Act principles and guidance are complied with[10].

So, what can amount to legitimate business purposes, so as to guarantee the lawfulness of interception, monitoring and retention of emails in the business environment? The Lawful Business Practice Regulations provide a helpful list of considerations, including:

• Regulatory or self-regulatory practices or procedures, which include compliance with the law.

• Establishing facts.

• Preventing or detecting crime.

• Establishing compliance with standards.

• Establishing whether there has been misuse of the system.

• Establishing whether the communications are relevant to the business.

These are very broad purposes, which will apply to non-interception cases also. Most organisations will quickly understand that as far as email retention (etc.) is concerned, they are concerned with two different situations: (a) situations where they are obliged to retain emails and (b) situations where they are entitled to retain emails. An entitlement to retain emails is not the same as an obligation to retain; where the organisation relies upon an entitlement to retain, it should be careful to assess the privacy implications arising so as to ensure that Human Rights and Data Protection legislation are not infringed.

[9] See Halford v. UK [1997] ECHR 32 and subsequent cases.
[10] For example, see the Information Commissioner’s Employment Practices Code, for rules on employee monitoring.


Part 3

Why organisations fail to comply with their legal obligations for email retention and the potential problems that can arise.

As an advisor on email law, I frequently encounter organisations that fail to comply with their legal obligations to retain emails. This can cause them significant problems, particularly when they are faced with litigation, or a request for disclosure under the Freedom of Information Act or the Data Protection Act, or a regulatory investigation.

Causes of non-compliance

There are many reasons why organisations fail to comply with their legal obligations to retain emails, prominent within which are the following:

Ignorance of the law; not aware of records keeping legal obligations

Far too many organisations are ignorant of their legal obligations for records retention, particularly SMEs. They lack access to specialist advice, often due to lack of resources, so they never get around to thinking about records retention. In these organisations the problem is a general one, not specific to email.

Ignorance of the law; not aware that records keeping legal obligations apply to email

Many organisations fail to understand that emails are subject to records keeping laws, although they appreciate that other forms of records need to be kept (such as personnel files on workers). In other words, many otherwise legally compliant organisations have a “blind spot” when it comes to email.

Aware of the law, but not afraid

Some organisations that are aware of their legal obligations concerning the retention of email take a decision not to invest in proper systems and operations for the management and retention of email, because they reason that there are no consequences for non-compliance. In other words, if the law will not compel them to implement measures, they will not do so voluntarily, considering it to be a waste of resources.

This problem can be attributed to a variety of different causes. Occasionally, there is a lack of management buy-in, in the sense that the Board of the organisation takes a conscious decision against investment. However, this is not a common occurrence. More often, the problem is attributable to another level of management.

Aware of the law, thinking that they have complied, but have not

Some organisations that are aware of the law think that they have complied when they have not. This is a very common problem, attributable to many causes.

A particularly common cause is “fuzziness” about the detail of the law; while aware of the broad issues they do not have a sufficiently precise grasp of the law, with the result that despite their best intentions they fail to properly execute a strategy that will ensure full legal compliance. For example, some organisations fail to properly appreciate the importance of speedy retrieval of email, so while they keep full back-ups, the information therein is not readily accessible.

Aware of the law, but putting off compliance to another day

Another common problem is where the organisation is fully aware of the extent of its legal obligations but decides to put off dealing with them to a later date. They want to comply, but they just haven’t got around to it. Sometimes this is due to other, more pressing priorities getting in the way. Sometimes this is due to being merely disorganised.

The “disconnect” point

An organisation’s failure to address its legal obligations as they pertain to the retention of email records is often part of a wider “disconnect”; if the organisation is not managing email properly, it can be anticipated that it will also be suffering other problems relating to the management of electronic communications, the use of computer systems and the processing of data.

Perhaps it is more appropriate to view the management of email issue within the wider context of the management of Information Assurance and data security. An organisation that understands the importance of – and values – Information Assurance and data security will manage email within this context. In other words, where the importance of information is properly understood, there will be very clear systems in place for the use and retention of email, including the use of email archives.

The most visible symptom of a disconnected organisation is the presence of a “silo” mentality, where business processes are seen as distinct and divisible and are placed under the ownership of distinct and separate parts of the business. Thus, if the management of email is seen as a “purely IT” issue, the organisation will be displaying a silo approach, which can be one of the quickest routes to legal and operational failure. In a mature, properly-functioning organisation, the management of information and communications issues will be dealt with holistically, by a multi-disciplinary team. Typically, a mature organisation will vest information and communications issues in a team that consists of representatives from all across the business, such as legal, risk, security, audit, company secretariat, finance, business heads (human resources, marketing, sales etc) and IT.

“Public sector requests have continued to increase to some extent (for organisations that received between 10-200 requests and 500+ requests). 80% of organisations have received at least one request (compared to 79% in 2008). Large public organisations remain the sector that is most likely to receive a high volume of requests – 36% received more than 50 requests in the last year (this was also the case in 2008), compared with 19% of small-medium organisations in the public sector.”

“It is worth emphasising that the charging regime for subject access requests was never meant to be a means to recover costs and should not be treated this way now. Rather it is a deterrent to the frivolous request. The cost of responding to subject access requests is a necessary cost for businesses that process personal data as part of their commercial activities.”

Consequences of non-compliance

Organisations that fail to put in place adequate systems for the management of email can encounter

substantial difficulties with the law, which can lead to considerable time and cost overruns as well as

legal sanctions. Typical problem situations are set out below.

Freedom of Information Act general access requests

Section 1 of the Freedom of Information Act gives people the right of access to recorded information

held by public authorities. The response time for these requests is 21 working days, but no fee is

chargeable.

General access requests involve the same issues as those arising under section 7 of the Data

Protection Act, as they also bite on email. Indeed, it should be noted that in one of the first cases

under the FOIA, Harper v. The Information Commissioner (2005) it was held that the general right of

access applies to archived, back-up and deleted data.

Data Protection Act subject access requests

Section 7 of the Data Protection Act gives data subjects the right to know information about their

personal data; particularly what elements of their data are being processed, why and by whom.

There has been considerable growth in awareness surrounding the access request. Recent evidence

published by the Information Commissioner11

shows that in the public sector the number of access

requests being made is increasing year-on-year:

These access requests must be complied with within 40 days and in return the data controller is only

entitled to a payment of £10 in most cases. The fee payable is not intended to be compensatory

however, as the Information Commissioner’s evidence shows12

:

11

http://www.ico.gov.uk/upload/documents/library/data_protection/notices/response_to_moj_dpframework.pdf 12

http://www.ico.gov.uk/upload/documents/library/data_protection/notices/response_to_moj_dpframework.pdf

UK email Retention Policies. Guidance on Legal Obligations for the Public and Private Sectors.

16

Failure to comply with an access request is a breach of the data protection principles, which can trigger legal action by the data subject and by the regulator, the Information Commissioner.

One of the most difficult aspects of dealing with access requests is the fact that they bite on unstructured data, such as emails. If the data controller lacks a system for managing email, including an email archive, the problem can become particularly acute; emails have to be tracked down, assessed for their content and for the application of legal exemptions and obligations against disclosure (such as duties of confidence owed to third parties) and prepared for disclosure. In an environment of poor email management it soon becomes apparent that 40 days is not sufficient time.

To be factored into the equation is the fact that the data subject is often highly motivated, perhaps because they have a grievance and they are using the access power as a quasi-litigation disclosure tool. Furthermore, the data subject, particularly where they are an ex-employee, might have particular knowledge of emails that is lacked by the persons dealing with the access request. Thus, the data subject is on the front foot, determined to achieve results. The scenario can soon become a perfect storm of problems for the data controller, one that can eat up thousands of pounds’ worth of time and resources.

Data subject access requests can quickly spiral out of control, leading to regulatory intervention by the Information Commissioner and/or litigation. Indeed, it is noteworthy that the leading case in UK data protection law, Durant v. Financial Services Authority (2003), is a case about subject access requests.

As far as the Information Commissioner’s Office is concerned, it should be noted that it has displayed an appetite to take on data controllers that fail to deal properly with subject access requests. For example, in 2006 the ICO launched a criminal prosecution against Liverpool City Council for its failure to comply with an access request; Liverpool City Council pleaded guilty in December 2006 [13].

[13] See ICO Annual Report 2006-07, chapter 4. http://www.ico.gov.uk/upload/documents/annual_report_2007_html/4_protecting-information.html

Litigation disclosure

If a party to civil litigation fails to give full disclosure of documents, which includes electronic documents and metadata, it faces a variety of consequences. The most common consequence is a financial one; the court will order the failing litigant to pay the wasted legal costs that have been incurred by the innocent party in attempting to bring the failing party to book. Additionally, the court can bar the defaulting party from later relying upon evidence that it has failed to disclose at the correct time; this can be highly prejudicial if the evidence is supportive of the defaulting party’s case. Additionally, the court can strike out the defaulting party’s case, giving judgment to the innocent party. Similar principles apply in criminal litigation.

The point to understand is that litigation in the UK adopts a “cards up” approach. A litigant who fails to preserve relevant evidence, or who fails to disclose relevant evidence, can expect to suffer consequences before the courts, because this kind of stance offends the fundamental principles upon which justice is based.

It should also be noted that the courts have little tolerance for arguments based upon a failure to take essential steps to manage and retain email. This is because it has been established for over two decades that electronic information is admissible in legal proceedings in this country and has to be disclosed if it is relevant. Furthermore, in England and Wales the Rules Committee for civil litigation clarified the duty of disclosure for electronic documents in October 2005. Thus, the default position within litigation is that parties should be able to properly manage email.

In October 2010 a new Practice Direction for litigation in England and Wales was published [14]. This reconfirms that the duty of disclosure in litigation applies to electronic documents including emails that have been deleted:

“Rule 31.4 contains a broad definition of a document. This extends to electronic documents, including e-mail and other electronic communications, word processed documents and databases. In addition to documents that are readily accessible from computer systems and other electronic devices and media, the definition covers those documents that are stored on servers and back-up systems and electronic documents that have been ‘deleted’. It also extends to additional information stored and associated with electronic documents known as metadata.”

[14] http://www.justice.gov.uk/civil/procrules_fin/contents/practice_directions/pd_part31a.htm

Part 4

Key legal philosophies – why the law requires the retention of records

In the previous section of this Paper the point was made that the UK courts adopt a “cards up” approach to litigation, requiring the parties to litigation to give disclosure of relevant documents. For these purposes documents are relevant if they assist the litigant’s case, damage the litigant’s case, or assist the opponent’s case. This transparency mechanism is fundamental to the fair conduct of litigation and the administration of justice.

As far as electronic documents are concerned, the courts make no distinction between them and their paper counterparts. Indeed, lawmakers around the globe have been engaged in building out this principle [15].

[15] See, for example, the Electronic Signatures Directive 99/93/EC.

Records keeping and regulation

A requirement for records keeping is one of the core tools of regulation. Other tools of regulation include licensing, registration, inspections and sanctions.

The whole point of regulations for records keeping is to ensure that the regulated entity keeps and preserves a complete evidential record of its regulated activities. Of course, the purpose of retention goes further than this; records will be deliverable to the regulator (or some other person) on demand, within a fixed timeframe (usually short).

The idea within this retention-disclosure obligation is to cure one of the classic failures of regulation, namely that the regulator knows less about the regulated entity than the regulated entity itself. In other words, there is a knowledge imbalance that is addressed by the retention-disclosure obligation. Of course, out of this flows a fundamental power shift; because knowledge is power, the disclosure of information to the regulator causes a shift in the power relationship; knowledge flows from the regulated entity to the regulator, with the result that power shifts from the regulated entity to the regulator.

When records keeping is viewed in this way, the importance of records keeping becomes much easier to understand; records keeping coupled with disclosure is one of the mechanisms by which society ensures that its behavioural standards are observed and respected. Records keeping and disclosure provide a check against bad behaviours and abuses, whether these are anti-competitive behaviour, abuse of the consumer, financial crime or data insecurity (etc).

Of course, to ensure that the retention obligation is respected, it will be expected that a failure to retain and disclose will be met with sanctions. A very recent example of this is provided by the Financial Services Authority v. Goldman Sachs case [16], September 2010, where the FSA fined Goldmans £17,500,000 for weaknesses in controls resulting in a failure to provide the FSA with information. In the field of data protection, the Information Commissioner has a new power to fine data controllers up to £500,000 for breaches of the data protection principles; this power applies to the subject access regime within section 7 of the DPA, meaning that the Commissioner will be legally entitled to fine controllers who fail to deliver up sufficient information.

[16] http://www.fsa.gov.uk/pages/Library/Communication/PR/2010/141.shtml

Toughening up transparency mechanisms – the transition to heavy touch regulation

It is vital that organisations operating in regulated environments understand where the issue of records keeping sits within the continuum of regulation. It is vital also that they understand what is actually happening in regulation.

Regarding the latter issue, we are witnessing fundamental shifts in attitudes towards regulation, which can be termed the shift from “light touch” to “heavy touch”. This shift is seismic and it is attributable to four linked phenomena:

• The US corporate governance scandals at the beginning of the Millennium, particularly WorldCom and Enron. These scandals led directly to corporate governance law reform in the United States, most notably the introduction of the Sarbanes-Oxley Act, which contains tough transparency mechanisms that bite on corporate email, requiring email preservation and delivery-up.

• The data insecurity scandals of recent years. In the UK these scandals led to the commencement of the Data Handling Review and new rules on Information Assurance, which require government departments and public authorities to put in place appropriate systems to manage email.

• The banking crisis of 2008-2009. This is leading to a process of global, harmonised law-making, with greater disclosure obligations for regulated entities, which will bite on email.

• The BP Deepwater Horizon drilling disaster of 2010.

The connectors between these high profile events were bad risk assessments within the regulated entities coupled with weak regulation, and in the aftermath of all of these events the disclosure of emails became an issue [17]. As public confidence in regulatory systems has dropped, lawmakers have reacted and we have now arrived at a point where heightened scrutiny of regulated entities coupled with tougher sanctioning of failure are now perceived to be the hallmarks of good regulation.

[17] A feature of the Enron case was the shredding of emails by their auditors, Arthur Andersen; the official inquiries into the HMRC data loss focused heavily on email evidence, as did the inquiries into the banking crisis and Deepwater Horizon.

Regarding the former issue, where the issue of records keeping sits within the continuum of regulation, we are seeing new law-making that requires better records keeping, serving the wider transparency agenda. A good example of this point is provided by the new Citizens Rights Directive 2009, which comes into effect on 25th May 2011. This Directive regulates the electronic communications sector (telecommunications companies and Internet Service Providers) and it requires them to keep records of security breaches, which have to be delivered up to regulators on demand. Another example, again from the data protection field, is contained within the Coroners and Justice Act 2009, which amended the DPA to introduce a tougher “information notice” power and a new “assessment notice” power. These powers operate so as to give the Information Commissioner greater visibility into data controllers’ organisations; they will allow the Information Commissioner to call for the delivery up of email.

Part 5

How the law distinguishes between a record and a “mere” document

The law’s prolific use of – and reliance upon – records implies that a record has a special character, something that distinguishes it from a “mere” document. In the case of R v. Iqbal [18] the Court of Appeal was required to consider the meaning of “records” for the purpose of a criminal case, holding that:

• A book or a file into which information is deliberately put in order that it may be available to others on another day is a record.

• A record is a history of events in a form that is not evanescent.

• A record is something that a historian would regard as an original or primary source.

• A record is a compilation of facts supplied by those with direct knowledge, which is preserved in writing or some other permanent form so that it will not be evanescent and which will serve as an original source or memorial of those facts and thus be evidence of them.

[18] [1990] 3 ALL ER 787

This approach to the meaning of “records” makes it clear that the essential characteristics of records are their authenticity, their integrity and their reliability. Consequently, where the law requires a record to be kept, this imposes an obligation on the records keeper to ensure an environment that can satisfy others of the record’s authenticity, integrity and reliability.

Can an email be a record?

In light of the definition of record in the Iqbal case it must be concluded that emails are capable of being records, or part of records, as a matter of law. What matters is whether the content of the email, or how it has been used, has legal significance, judged by reference to the legal question under analysis.

For example, assume that a Freedom of Information Act request has been received which is concerned with the question whether the public authority has had any dealings with Mr X. If an email has been sent to Mr X, it will be a record of that fact of dealing and its content will be immaterial. In this example it is the fact that the email exists that is important.

If we modify the example, so that the question is whether the public authority has had any dealings with Mr X about the supply of widgets, an email sent to Mr X that discusses widgets will be a record of that fact. In this example it is the content within the email that is important, not the mere fact that the email exists.

So, an email can be a record in many different circumstances. If an email operates as an electronic invoice, it will have to be retained to comply with rules on book keeping. If an email records a complaint about an accident, it will be wise to preserve it for the duration of the limitation period for the bringing of personal injury claims (3 years). If employment law litigation is commenced, all of the emails relating to the substance of the case should be preserved. Even self-posted emails can be records, if the fact of self-posting, or the content of the email, is legally significant.

Ensuring an environment for records

For paper documents there are a variety of tests that can be applied to assess the document’s authenticity, integrity and reliability, so as to dismiss any suggestion or fear that the document is a forgery, or not otherwise authentic. One such test might be to submit a document’s signature to analysis by a handwriting expert.

Electronic records can also be subjected to tests, but because electronic records are merely assemblies of binary code, it is essential to establish the baselines for authenticity, integrity and reliability.

Baselines for authenticity, integrity and reliability of electronic records

The baselines for establishing whether an electronic record has been held in a correct environment are contained in standards for best practice; in the case of Ward v. Ritz Hotel [1992] the Court of Appeal confirmed the primacy of standards for best practice on questions of a technical nature.

There are many standards for best practice for records keeping. Examples include ISO 15489 Information and Documentation – Records Management, the European Commission’s Model Requirements for the Management of Electronic Records (MoReq), ISO/TR 15801 Electronic Imaging – Information Stored Electronically – Recommendations for Trustworthiness and Reliability and The National Archives’ Management, Appraisal and Preservation of Electronic Records.

While these standards are couched in different shades of language, when read together they reveal that the environment of an electronic record will require an analysis of (1) the technologies that are used for storage and processing of the record, (2) the processes of records capture, (3) the processes for content protection, (4) the processes for access and retrieval of records and (5) the processes for monitoring and audit. If the environment fails to address all of these benchmarks, there will be uncertainty about the record’s status, which might result in a conclusion that its authenticity, integrity and reliability cannot be assured. More particularly, the benchmarks for an appropriate environment are as follows:

Technologies

The technologies that are used for storage and processing of the record must satisfy the following requirements:

• Robustness: The technology must display a low susceptibility to physical damage.
• Longevity: The technology must prevent records degradation during the information lifecycle.
• Obsolescence: The technology must be based on established, proven platforms.
• Scalability: The technology must scale to meet the organisation’s requirements.
• Open standards: The technology must take advantage of as many open standards as possible. For example, it may be desirable to store archives in standards such as XML rather than in a database format that requires a proprietary viewer.
• Cost: The technology must reduce the cost of records keeping by as much as possible.
• Security: The technology must provide robust security.

Records capture

The processes of records capture must satisfy the following requirements:

• Wide capture: The technology must capture as many different file types as possible.
• Complete capture: The technology must capture every new record.
• Classification: The technology must allow records to be classified.
• Metadata: The technology must create or support metadata.
• Unique identifiers: The technology must allocate unique identifiers to each unique record.

Content protection

The processes for content protection must satisfy the following requirements:

• Protection against data loss or damage due to system failure: The technology must display features that go to protect the data from corruption caused by software or hardware failure.
• Protection against overwrite: The technology must display features that prevent the accidental or deliberate overwriting of records.
• Protection against delete: The technology must display features that prevent the accidental or deliberate deletion of records otherwise than in accordance with a predefined schedule.
• Safe delete: The technology must enable the complete and irreversible deletion of records.

Access and retrieval

The processes for access and retrieval of records must satisfy the following requirements:

• Complete access and retrieval: The technology must allow access and retrieval of all records.
• Speed of retrieval: The technology must facilitate quick access and retrieval of records.
• Protection against unauthorised access and retrieval: The technology must facilitate controls and limitations over access and retrieval.
• Search: The technology must facilitate full searches, covering metadata, content and attachments.

Monitoring and audit

The processes for monitoring and audit must satisfy the following requirements:

• Complete monitoring and audit: The technology must facilitate full monitoring and auditing. It should show when emails entered the archive, when they were accessed and used, when they were modified, when they were deleted and by whom, including any attempts. It should also be able to provide proof that the system itself was working properly at all times.
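The content protection, access and retrieval, and monitoring and audit benchmarks above, together with the Mr X example from the "Can an email be a record?" section, modelled as an added Python example that is not part of this White Paper or of any product: a small append-only archive that gives each captured email a content-derived unique identifier, refuses deletion outside the retention schedule or while a legal hold applies, records every action and every refused attempt in a hash-chained audit trail, and supports retrieval both by the fact of dealing with a recipient and by content. All class and field names, the retention period and the sample messages are constructed for illustration.

```python
import hashlib
import json
from dataclasses import dataclass, asdict
from datetime import date, timedelta
from typing import Dict, List, Optional


@dataclass(frozen=True)          # frozen: a captured message cannot be edited in place
class Email:
    sender: str
    recipients: tuple            # hypothetical minimal header set; a real archive keeps full headers
    sent: date
    subject: str
    body: str


class RetentionError(Exception):
    """Raised when a deletion is attempted outside the predefined schedule."""


class EmailArchive:
    """Append-only store with a hash-chained audit trail (example design, not a product)."""

    def __init__(self, retention_days: int, today: date):
        self.retention = timedelta(days=retention_days)
        self.today = today                   # injected clock so the schedule can be exercised
        self._records: Dict[str, dict] = {}  # record_id -> email, capture date, content hash
        self._audit: List[dict] = []         # every action and every refused attempt, in order
        self._prev = "0" * 64                # hash of the previous audit entry (genesis value)

    @staticmethod
    def _digest(obj) -> str:
        return hashlib.sha256(json.dumps(obj, sort_keys=True, default=str).encode()).hexdigest()

    def _log(self, actor: str, action: str, record_id: str, outcome: str) -> None:
        entry = {"seq": len(self._audit), "actor": actor, "action": action,
                 "record": record_id, "outcome": outcome, "prev": self._prev}
        entry["hash"] = self._digest(entry)  # chains this entry to its predecessor
        self._audit.append(entry)
        self._prev = entry["hash"]

    def capture(self, email: Email, actor: str) -> str:
        """Complete capture: every message gets a unique, content-derived identifier."""
        content_hash = self._digest(asdict(email))
        record_id = content_hash[:16]
        if record_id in self._records:       # the same message captured twice is not a new record
            self._log(actor, "capture", record_id, "duplicate")
        else:
            self._records[record_id] = {"email": email, "captured": self.today,
                                        "content_hash": content_hash}
            self._log(actor, "capture", record_id, "ok")
        return record_id

    def read(self, record_id: str, actor: str, authorised: bool) -> Optional[Email]:
        """Controlled access: refused attempts are logged just like successful ones."""
        if not authorised or record_id not in self._records:
            self._log(actor, "read", record_id, "refused")
            return None
        self._log(actor, "read", record_id, "ok")
        return self._records[record_id]["email"]

    def delete(self, record_id: str, actor: str, legal_hold: bool = False) -> None:
        """Deletion only per the schedule, never on legal hold; the attempt is always audited."""
        rec = self._records.get(record_id)
        if rec is None or legal_hold or self.today - rec["captured"] < self.retention:
            self._log(actor, "delete", record_id, "refused")
            raise RetentionError("deletion of %s not permitted" % record_id)
        del self._records[record_id]
        self._log(actor, "delete", record_id, "ok")

    def search(self, actor: str, recipient: Optional[str] = None,
               text: Optional[str] = None) -> List[str]:
        """Retrieval by the fact of dealing (recipient) and/or by content (text)."""
        hits = []
        for record_id, rec in self._records.items():
            e = rec["email"]
            if recipient and recipient not in e.recipients:
                continue
            if text and text.lower() not in (e.subject + " " + e.body).lower():
                continue
            hits.append(record_id)
        self._log(actor, "search", ",".join(hits) or "-", "ok")
        return hits

    def verify(self) -> bool:
        """Recompute content hashes and the audit chain; False means something was altered."""
        for rec in self._records.values():
            if self._digest(asdict(rec["email"])) != rec["content_hash"]:
                return False
        prev = "0" * 64
        for entry in self._audit:
            body = {k: v for k, v in entry.items() if k != "hash"}
            if entry["prev"] != prev or self._digest(body) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True

    def audit_trail(self) -> List[dict]:
        return list(self._audit)
```

A production archive would anchor the chain head in write-once storage or a signed timestamp so that the audit trail itself cannot be silently rewritten, which verify() alone does not guarantee.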

Part 6

Critical legal obligations for records and evidence arising under major pieces of legislation

Freedom of Information Act

The Freedom of Information Act was introduced to give people a right of access to recorded information held by public authorities.

The general right of access consists of two rights. First, the requester is entitled to be told whether or not the public authority holds information of the description specified in the request. Second, if the public authority does hold such information, the requester is entitled to have that information communicated to them. However, there are a series of exemptions that apply, some of which are absolute and some of which are qualified; where a qualified exemption exists, the key issue is whether the public interest in withholding disclosure outweighs the public interest in giving disclosure.

As discussed in Part 2 of this White Paper, the FOIA throws up much the same compliance challenges as the Data Protection Act. However, as far as records retention is concerned, there is an additional overlay; section 46 of the Act requires public authorities to comply with a Code of Practice on records management issued by the Lord Chancellor [19]. The compliance goals within the Code include:

• Putting in place organisational measures to support records management.
• The creation of a records management policy.
• The implementation of a records management system.
• Systems for the storage and maintenance of records.
• Systems to ensure the security of records.
• Systems to ensure that records are fully accessible.
• Systems governing the disposal of records.
• Systems to support monitoring and reporting on records management.

[19] http://www.justice.gov.uk/guidance/docs/foi-section-46-code-of-practice.pdf

As regards email, notable parts of the Code provide as follows:

“Identify and make appropriate connections to related policies, such as those dealing with email, information security and data protection.”

“…trivial emails should be deleted after being read …”

“… if the authority is operating electronically, for example using email for internal and external communications or creating documents through word processing software, it is good practice to hold the resulting records electronically …”

The Data Protection Act 1998

The Data Protection Act gives effect to the UK’s obligations under the Data Protection Directive 1995 and the Data Protection Convention 1981. The Act regulates the processing of personal data by data controllers. For these purposes personal data are information that relate to identifiable living individuals.

Emails containing personal data that are processed by data controllers are regulated by the Act. In broad terms, the Act requires data controllers to comply with the data protection principles, which provide as follows:

• The processing of personal data should be fair, lawful and legitimate.
• Personal data shall be obtained for specified and lawful purposes.
• Personal data shall be adequate, relevant and not excessive.
• Personal data shall be accurate and kept up to date.
• Personal data shall not be kept for longer than is necessary.
• Personal data shall be processed in accordance with the rights of the data subject.
• Personal data shall be kept safe, secure and confidential.
• Personal data shall not be transferred to a country that fails to provide adequate protections.

Achieving compliance and evidencing compliance

Data controllers need to put in place programmes to achieve compliance and mechanisms to prove that they have achieved compliance. Indeed, on the second point it should be noted that European and UK domestic data protection law are both under review; in the context of these reviews a new “accountability” principle has been proposed, which will require data controllers to put in place a compliance programme and to evidence how compliance has been achieved.

As far as emails are concerned, the critical compliance issues for the data controller are as follows:

• Acceptable Use Policy: The controller needs to be clear about the purposes for which email is to be used, including whether workers are allowed to use email for personal purposes.
• Monitoring of email: If email use is to be monitored, this should be explained to users, setting out the reasons for monitoring.
• Retention policy: A retention policy for email needs to be set and communicated throughout the organisation.
• Email archiving: A system for email archiving should be created. This will facilitate compliance with subject access requests made under section 7 of the DPA and Information Commissioner access requests (information notices and assessment notices).

Companies Act 2006

The Companies Act 2006 regulates all companies registered in the UK. It provides a plethora of records keeping obligations. These include:

• 10 years retention periods for records of meetings and resolutions.
• 3 years to 6 years retention periods for company accounts.
• Adequate accounting records must be kept, which are sufficient to give a true and fair view of the company’s assets, liabilities, financial position and profit and loss.
• Failure to keep adequate accounting records is a criminal offence, for which directors can be held personally liable and imprisoned.
• Directors must not approve company accounts unless they are satisfied that they give a true and fair view.
• Directors can be held personally liable for inaccuracies in the accounts, if they cause the company to suffer loss.
• Auditors are prevented from signing off accounts if they are unsure of the directors’ degree of compliance with their records keeping obligations.

The Companies Act has only a tangential connection with email [20], but where the company’s accounting and financial records are contained within email, or are reliant upon email (for example, in the context of ecommerce transactions), the need to put in place appropriate systems for the retention of email becomes part of corporate governance. This can also apply where company information is contained within a spreadsheet that is attached to an email.

[20] However, note that the Companies (Registrar, Languages and Trading Disclosures) Regulations 2006 require the inclusion of business information in emails.

Financial Services and Markets Act

One of the three pillars of the regulatory system for financial services is the Financial Services and Markets Act 2000, which established the Financial Services Authority. The FSA addresses the regulatory objectives of the FSMA and various European Directives within the FSA Handbook. This contains a plethora of obligations that bite on email, including the following:

• The Senior Management Arrangements, Systems and Controls Rules (SYSC) within the Handbook include an information management rule that should facilitate the identification, measurement and control of risk by the firm’s Board. These arrangements encompass the use of email systems and the retention of email records.
• SYSC also contains a general records retention rule, which requires firms to retain records for as long as is relevant for the purposes for which they were made.
• For the purpose of preventing market abuse, the Conduct of Business Sourcebook (COBS) requires firms to keep records of electronic communications, including emails. These need to be retained for a minimum of 6 months, in a medium that allows the FSA ready access.

Regarding the last point, the retention of emails, COBS 11.8.5 says:

“A firm must take reasonable steps to record relevant telephone conversations, and keep a copy of relevant electronic communications made with, sent from or received on equipment:

(1) Provided by the firm to an employee or contractor; or

(2) The use of which by an employee or contractor has been sanctioned or permitted by the firm;

to enable that employee or contractor to carry out any of the activities referred to in 11.8.1”

The activities referred to in COBS 11.8.1 are:

• Receiving client orders.

• Executing client orders.

• Arranging for client orders to be executed.

• Carrying out transactions on behalf of the firm, or another person in the firm's group, which

are part of the firm's trading activities or the trading activities of another person in the firm's

group.

• Executing orders that result from decisions by the firm to deal on behalf of its client.

• Placing orders with other entities for execution that result from decisions by the firm to deal

on behalf of its client.

It should be noted that the obligation to retain emails extends to emails sent by portable equipment.

It is also worth mentioning here the Payment Card Industry’s Data Security Standard, which requires merchants who take card payments to protect “cardholder data” within the “cardholder data environment”. The cardholder data environment will cover emails, PST files and archives, if these contain cardholder data. The issues within PCI DSS are primarily about security, retention and deletion of cardholder data, which by extension require good systems and operations for the management of email if email contains cardholder data. An email archive, which provides a structured, managed environment for email, will facilitate compliance with PCI DSS, if email forms part of the cardholder data environment.

Equality Act

The Equality Act 2010 unifies rules on equality in one piece of legislation. It affects both the public and private sector. In terms of the public sector, it imposes duties of equality in the provision of public services and also requires public authorities to consider equality issues during strategic developments.

The Act will clearly impact on the use and retention of emails. Public authorities and private sector organisations should review the extent to which email can take a part in the development of strategy and in committing equality offences, ensuring that they retain email that evidences legal compliance and prohibit email use that can be discriminatory.

Bribery Act

The Bribery Act 2010 creates new criminal offences of bribery. These include the offences of committing bribery, being bribed and preventing bribery. These offences can be committed through the use of email. Again, organisations should review the extent to which email can take a part in committing bribery offences, ensuring that they retain email that evidences legal compliance and prohibit email use that can be criminal.


Part 7

Critical legal obligations for disclosure as they arise within criminal and civil litigation

In litigation duties of disclosure apply. These duties attach to electronic documents, including email. The parties to litigation need to ensure that they are able to give adequate disclosure, but where they lack adequate systems for the management of email, which includes for search and retrieval, the disclosure process can be problematic for them.

Criminal litigation

In criminal cases the prosecution’s duty to give disclosure is fundamental to a fair trial. In the case of R v. H & C [2004] the House of Lords said “fairness ordinarily requires that any material held by the prosecution which weakens its case or strengthens that of the defendant, if not relied on as part of its formal case against the defendant, should be disclosed to the defence.” The right to a fair trial also covers the investigatory process; the investigator should pursue all reasonable lines of enquiry and should secure and preserve relevant evidence.

The investigator’s duties apply also to information that they generate during the course of the investigation. Naturally, this extends to email. The retention period is the duration of the case, which extends to cover the time for appeals against conviction or sentence. The Crown Prosecution Service’s Disclosure Manual specifically states that emails should be recorded, retained and revealed in the same way as other relevant material.

Civil litigation

The disclosure regime in civil litigation focuses on documents. The purpose of disclosure is to confirm whether documents do exist, or have existed. After the disclosure exercise has been performed the inspection exercise will take place. In other words, inspection is the process by which documents are actually delivered up.


The disclosure and inspection regime is governed by the Civil Procedure Rules. Rule 1, which is called the overriding objective, requires cases to be dealt with justly. Among other things, the court is required to ensure that the case does not get out of hand, which includes in terms of cost and expense. This means that the disclosure and inspection exercise should be proportionate to both the issues under analysis and the money at stake.

The meaning of “document”

The meaning of document is dealt with by Rule 31.4, which says that a document “means anything in which information of any description is recorded”. In October 2005 a new Practice Direction was issued, which clarified that the meaning of document extends to “electronic documents, including email and other electronic communications”. The Practice Direction then went on to confirm that the meaning of document extends to “documents that are stored in servers and back-up systems and electronic documents that have been deleted.” Finally, the Practice Direction confirmed that the meaning of document “also extends to additional information stored and associated with electronic documents known as metadata.”

Of course, the meaning of document extends to cover all of the electronic information within an email management tool, such as diary and calendar entries and notes. These documents are all disclosable, if they are relevant to the litigation, and will be subject to the duty of preservation. All of the discussion here applies equally to these documents.

Disclosure of deleted emails

Regarding the obligation to give disclosure of deleted data, the reasoning was set out in an earlier report of the Commercial Court, The Creswell Report, which said that a “deleted document may not be necessarily destroyed as it may continue to exist in the form of residual data.” The Creswell Report said the following about the disclosure obligations as they apply to email:

“Where the issue is whether a party received an email it will be appropriate for a search to be undertaken of an email account. If emails have been deleted it may even be appropriate to expect a party to obtain expert assistance to see if any record can be traced on the hard drive. However, in a straightforward case it would be rarely appropriate to expect a party to go through the time and expense of attempting to retrieve emails deleted from the system. The court may make an order requiring disclosure of electronic information containing specified words or strings and thus define the extent of an electronic search.”

From this passage we establish that in “straightforward” cases the court will not order the disclosure of deleted emails. This makes perfect sense, because in straightforward cases the court will not be assisted by the retrieval of deleted email. For example, if the original issue at the heart of the case was whether an email contained particular words or phrases, there might be other ways of proving that it did, perhaps through the oral testimony of people who read the email. In this example, the issue is a straightforward one and the deleted email will not be necessary.

But the starting point is that deleted emails are disclosable. That is the position that litigants need to address first. The Creswell Report’s observations about the disclosure of deleted emails in straightforward cases should not be taken to mean that the civil litigation system is “rewarding” organisations that are haphazard with emails, or who implement blanket deletion policies. The “General Principles” for e-discovery as contained in the current version of the Practice Direction put the Creswell Report’s comments in their proper context:

1. “Electronic Documents should be managed efficiently in order to minimise the cost incurred;

2. Technology should be used in order to ensure that document management activities are undertaken efficiently and effectively;

3. Disclosure should be given in a manner which gives effect to the overriding objective;

4. Electronic Documents should generally be made available for inspection in a form which allows the party receiving the documents the same ability to access, search, review and display the documents as the party giving disclosure; and

5. Disclosure of Electronic Documents which are of no relevance to the proceedings may place an excessive burden in time and cost on the party to whom disclosure is given.”

As can be seen the law expects litigants to manage their electronic documents properly, with appropriate technologies. The whole point of disclosure is to serve the overriding objective within litigation, which is to do justice. A straightforward case will include one where the deleted emails are of no relevance, but where the deleted emails are of relevance and are required to do justice, the disclosure obligation will bite.

Duty of search

Litigants are under a duty to conduct a reasonable search for documents, including emails. The Civil Procedure Rules identify the following factors as being relevant to the reasonableness of a search:

“The factors that may be relevant in deciding the reasonableness of a search for Electronic Documents include (but are not limited to) the following:

1. The number of documents involved;

2. The nature and complexity of the proceedings;

3. The ease and expense of retrieval of any particular document. This includes:

a) The accessibility of Electronic Documents including e-mail communications on computer systems, servers, back-up systems and other electronic devices or media that may contain such documents taking into account alterations or developments in hardware or software systems used by the disclosing party and/or available to enable access to such documents;

b) The location of relevant Electronic Documents, data, computer systems, servers, back-up systems and other electronic devices or media that may contain such documents;

c) The likelihood of locating relevant data;

d) The cost of recovering any Electronic Documents;

e) The cost of disclosing and providing inspection of any relevant Electronic Documents; and

f) The likelihood that Electronic Documents will be materially altered in the course of recovery, disclosure or inspection;

4. The availability of documents or contents of documents from other sources; and

5. The significance of any document which is likely to be located during the search.”

As regards the duty of search as it applies to electronic documents, the Practice Direction says:

“It may be reasonable to search some or all of the parties’ electronic storage systems. In some circumstances, it may be reasonable to search for electronic documents by means of keyword searches (agreed as far as possible between the parties) even where a full review of each and every document would be unreasonable. There may be other forms of electronic search that may be appropriate in particular circumstances.”

The essence of the rules on search is that the court will decide questions of reasonableness and the extent of the search that is required on a case-by-case basis. However, it is clearly established within the Practice Direction that “the primary source of disclosure of Electronic Documents is normally reasonably accessible data”, which acts as the baseline in most cases. If a litigant considers that further disclosure is required beyond that which is reasonably accessible it “must demonstrate that the relevance and materiality justify the cost and burden of retrieving and producing it.” If evidence produced supports a more detailed search, the court will make the relevant orders, so as to bring into scope deleted data.

Of course, what is “normally reasonably accessible” is an objective question: a litigant cannot hide behind their bad systems and operations to excuse delivering up email. Email itself is normally reasonably accessible and so it must be searched, for example by key word. However, if the litigant does not manage its email properly so as to make the search more burdensome for itself, that is a problem that the litigant will have to bear. Consequently, it is clear that the installation of an email archive is in the self-interest of the litigant, because it makes the search so much easier to perform.


Part 8

Examples of retention laws and retention periods

There are literally thousands of obligations for records keeping that apply across the public and private sectors. Many are found in legislation, but many more are based around principles of limitation for the bringing of court proceedings. In the public sector the principal custodian of responsibility for retention periods is The National Archives.

Do emails fall within the scope of the records requirements discussed in this section?

As discussed in Part 4 the question whether an email can be a record so as to fall within the scope of the retention periods discussed below depends upon the content of the email and whether the content, or how the email has been used, has legal significance; this is judged by reference to the legal question under analysis and it can very often be exceptionally difficult for the organisation to work out whether an email should be retained or deleted. For example, if an email provides the only accounting record it should be retained as an accounting record, but, of course, if the email merely contains a duplicate of other information it may not have to be retained for the purpose of accounting records keeping.

Thus the question of retention/deletion is fact sensitive. For this reason we advise organisations to put in place policies for the use of email, which should be aligned with records management policies and technologies for email management.

The danger for the organisation lies in formulating a deletion policy that is built in isolation of knowledge about how its email system is used, because that could result in the deletion of materials that should be retained (whether as part of a record, or for the purposes of litigation, or for some other purpose).

Retention periods and the Freedom of Information Act

The critical issue to understand with regard to the Freedom of Information Act is that it does not set any retention periods for documents. Instead, what it requires is for the public authority to put in place a records management policy that gives effect to all of its legal obligations, as they arise under records management law, under regulation, under litigation, under contract or under some other legal duty. The general access request itself then bites on recorded information.

Connected to this point is the fact that it is a criminal offence under the Act for a public authority to delete or destroy information in order to avoid the application of the general access request. Consequently, public authorities need to look beyond the Freedom of Information Act to understand their records keeping obligations and the retention periods that apply.

Public sector

The National Archives has published guidance on retention periods for government departments, agencies and public authorities. All of the guidance applies to electronic documents, including email. Interesting retention periods to note include the following:

• Accounting records: Petty cash records shall be kept for 2 years from the end of the financial year in which they are created[21].

• Freedom of Information Act: Case file records detailing the FOIA request, including the consideration of possible exemptions and dealing with subsequent appeals; 3 years after the date of creation[22].

• Projects records: Project Initiation Documents; 10 years after completion of project, but for major projects 25 years[23].

• Information management records: Correspondence and documents relating to the compilation of disposal schedules; 10 years[24].

• Complaints records: Investigations into complaints that form part of the case record; 10 years[25].

• Press and public relations: Correspondence with the media; 7 years[26].

• Contractual records: Reports from contractors delivered for the purposes of contract operation and monitoring; 2 years from the end of the contract[27].

• Health and safety: Records about exposure of persons to hazardous substances in the workplace; 40 years[28].

These are just illustrations of records keeping obligations. In order to understand the totality of the obligations the organisation needs to review The National Archives guidance and apply it to its email use. If the email touches upon the subject matter of the records retention period (whether as a result of its content, or the purpose for which it has been used), then the retention obligation will be engaged. The public authority then needs to exercise caution in the development of its records management policy and procedures.

[21] http://www.nationalarchives.gov.uk/documents/sched_accounting.pdf
[22] http://www.nationalarchives.gov.uk/documents/foi_sched_retention.pdf
[23] http://www.nationalarchives.gov.uk/documents/sched_projects.pdf
[24] http://www.nationalarchives.gov.uk/documents/sched_info_management.pdf
[25] http://www.nationalarchives.gov.uk/documents/sched_complaints.pdf
[26] http://www.nationalarchives.gov.uk/documents/sched_press.pdf
[27] http://www.nationalarchives.gov.uk/documents/sched_contractual.pdf
[28] http://www.nationalarchives.gov.uk/documents/sched_health_safety.pdf


Of course, if the public authority is involved in litigation, the duty of preservation of evidence and the duty of disclosure will apply, as it applies to any litigant, and if the subject matter of the litigation demands, these duties will apply to email.

Education

JISC, the Joint Information Systems Committee, which is funded by the UK’s Higher Education and Further Education Funding Council, has published a detailed records retention framework for Higher Education and Further Education Institutions[29]. This identifies over 850 different categories of data for which retention periods are set. The retention periods fall within the following categories:

• Corporate management.

• Corporate resources.

• Corporate relations.

• Related companies.

• Commercial services.

• Corporate services.

• Student services.

• Business units.

Users of the JISC framework will find that it is densely packed with information. However, the word “email” is not used once, despite there being over 850 retention obligations. Instead, the framework is based around “activities”. It therefore follows that if the activity that is regulated extends to email, then the retention obligation will extend to email.

To illustrate the point, consider the example of “Commercial Services Strategies” and the institution’s activities involved in developing its strategies in this area. The framework advises that working documents relating to the following activities should be retained for 1 year after the issuing of the strategy:

“Activities include: identifying requirements for new/revised strategy; undertaking research; developing strategy proposals; consulting on strategy proposals; reviewing and revising strategy proposals in the light of comments received; drafting strategy documents; consulting on strategy documents; reviewing draft strategy documents in the light of comments received; producing final strategy documents; submitting final strategy documents for formal endorsement; formally endorsing strategy documents; disseminating strategy documents; reviewing strategy.”

The expansive nature of the activities that fall within this retention obligation is such that it will clearly capture emails, if emails were used to consult on strategy, or if emails were used for the delivery of comments upon strategy etc. It is therefore only natural to conclude that it is highly likely that this retention period will extend to email.

When the totality of the JISC framework is considered, there is only one sustainable conclusion for educational institutions: their email system is bound to be subject to retention obligations, so as to render a blanket, short deletion policy fundamentally unacceptable.

Another example within the framework concerns the work of non-statutory committees in educational institutions, where there is a 6 year retention period for activities involved in administering the work of these committees. The records that need to be kept are:

“Records documenting the conduct of the business of a committee: correspondence and other records relating to the preparation of committee business or to actions to be taken (or not taken) as a result of committee decisions.”

Clearly, the use of the word correspondence covers email, so as to give rise to a 6 year retention period for emails that document the work of non-statutory committees.

[29] http://www.jiscinfonet.ac.uk/partnerships/records-retention-he/hei-rrs-pla

Police service

The Association of Chief Police Officers has published guidance on the retention of records on the Police National Computer[30]. This forms part of the Code of Practice for the Management of Police Information. Once a record is created on the PNC, it will be retained until the person’s 100th birthday, and then deleted.

Where a record is part of a case file, which can include an email, these will be subject to a minimum retention period of 6 years under the Police and Criminal Evidence Act[31]. The retention period will be extended where there is a criminal prosecution and conviction, to cover the period during which an appeal can be brought, or for the duration of the sentence, whichever is longer.

Ambulance service

The Ambulance Services follows the retention rules of the NHS[32]. See below.

Health

The NHS has published a Code of Practice for the Retention of Records Management[33]. The information in the table below is extracted from the NHS website[34].

• GP records: Until 10 years after the patient's death or after the patient has permanently left the country, unless the patient remains within the European Union. (Exceptions are patients serving in the armed forces or serving a prison sentence, when the records must not be destroyed.)

• GP records relating to children and young people (including paediatric and vaccination records) - until the patient's 25th birthday, or 26th birthday if an entry was made when the young person was 17; or 10 years after the patient's death, if sooner.

• Dental records: 11 years for adults. For children, 11 years or until the patient is 25 years old, whichever is the longer.

• Ophthalmic (eye) records: 11 years for adults. For children, 11 years or until the patient is 25 years old, whichever is the longer.

• Children and young people (all types of records relating to children and young people) - retain until the patient's 25th birthday, or 26th if the young person was 17 at conclusion of treatment; or eight years after death if sooner.

• Immunisation and vaccination records: For children and young people, retain until the patient's 25th birthday or 26th if the young person was 17 at conclusion of treatment. For adults, retain until 10 years after conclusion of treatment.

• Maternity records: 25 years after last birth.

• Records relating to persons receiving treatment for a mental disorder within the meaning of the Mental Health Act 1983 - 20 years after the date of last contact between the patient and any healthcare provider, or eight years after the patient's death if sooner.

Again, when considering whether an email needs to be retained, the critical issue is the content of the email and the purpose for which the email is used. If the email constitutes secondary evidence (i.e., there is a more appropriate primary source of evidence), then the email itself may not have to be retained.

It is also important to bear in mind that IT systems may not be able to identify the character or purpose of any particular email at the point of creation. This creates a dilemma for the organisation, because it needs to avoid falling into the trap of encouraging “user defined” retention and deletion, whereby the email users themselves are responsible for making decisions on these issues. The way around this dilemma is to understand the purpose for which email is to be used and then define a retention/deletion policy based around that purpose which is supported by an email archiving solution.

The National Archives has also published guidance on records retention in the health service[35].

Private sector retention issues

The private sector also faces retention obligations. In addition to the Data Protection Act and litigation issues, the following example issues should be noted, all of which can bite on email.

[30] http://www.acpo.police.uk/asp/policies/Data/Retention%20of%20Records06.pdf
[31] http://www.southyorkshire.police.uk/foi/publicationscheme/policiesandprocedures/active/292007
[32] http://www.worcestershirehealth.nhs.uk/EXTRANET_Library/npfit_prog_board/agendas/2005_6/06_sep/wictp_a_0509_07g.doc
[33] http://www.dh.gov.uk/en/Publicationsandstatistics/Publications/PublicationsPolicyAndGuidance/DH_4131747
[34] http://www.nhs.uk/chq/Pages/1889.aspx?CategoryID=68&SubCategoryID=160 and http://www.eastlondon.nhs.uk/uploads/documents/recordretentionschedulesnew.pdf
[35] http://www.nationalarchives.gov.uk/documents/sched_public.pdf


Tax, pay and employee records

Companies that are required to deliver a tax return must keep relevant records for six years following the end of the tax period to which the return relates[36]. The records which must be kept are those that are “needed to enable it to deliver a correct and complete return for the period”.

• VAT records must be kept for six years[37].

• Wages and salary records must be kept for six years after the end of the tax period to which they apply[38].

• “PAYE” income tax records must be kept for three years following the end of the financial year to which they relate[39].

• National Insurance Contributions records must be kept for three years following the end of the tax year to which they relate[40].

• Statutory Maternity Pay (“SMP”) records must be kept for three years following the end of the tax year in which the benefit was paid[41].

• Statutory Sick Pay (“SSP”) records must be kept for three years following the end of the tax year in which the benefit was paid[42].

There are many employee records that should be kept as a matter of good practice, but for which there are no defined statutory retention periods. This absence of statutory rules leaves companies with a dilemma that many have solved by reference to the limitation periods for the commencement of legal proceedings contained in the Limitation Act 1980. The Chartered Institute of Personnel and Development (“CIPD”) has considered the Limitation Act in making the following recommendations on retention periods:

• Actuarial valuation reports: Permanent retention.

• Application forms and interview notes (for unsuccessful candidates): One year retention.

• Assessments under Health and Safety Regulations and records of consultations with safety representatives and committees: Permanent retention.

• Inland Revenue approvals: Permanent retention.

• Money purchase details: Six years retention commencing after transfer or value taken.

• Parental leave: Five years retention from the date of birth/adoption of the child, or 18 years retention if the child receives a disability allowance.

• Pension scheme investment policies: 12 years retention commencing from the ending of any benefit payable under the policy.

• Pensioners’ records: 12 years retention from the date that benefits cease to be paid.

• Personnel files and training records (including disciplinary records and working time records): Six years retention commencing from the date of termination of employment.

• Redundancy details, calculations of payments, refunds, notification to the Secretary of State: Six years retention commencing from the date of redundancy.

• Senior executives’ records: Permanent retention as historical records.

• Time cards: Two years retention, commencing from the date of last audit.

• Trade union agreements: 10 years retention commencing from the date when the agreements cease to have effect.

• Trust deeds and rules: Permanent retention.

• Trustees’ minute books: Permanent retention.

• Works council minutes: Permanent retention.

[36] Finance Act 1998, Schedule 18, Part III, para. 21.
[37] VAT Act 1994, Schedule 11, para. 6.
[38] Taxes Management Act 1970, section 12B.
[39] The Income Tax (Pay As You Earn) Regulations 2003, Regulation 97(8).
[40] The Social Security (Contributions) Regulations 2001, Schedule 4, paras. 7(15) & 26(6).
[41] The Statutory Pay (General) Regulations 1986, Regulation 26.
[42] The Statutory Sick Pay (General) Regulations 1982, Regulation 13.

Private sector and regulatory frameworks

The private sector should also seek to identify all of the regulatory frameworks that apply to its operations, as these will contain retention and disclosure obligations that can bite on email.

• Health and Safety Executive: Section 20 of the Health and Safety at Work Act gives the HSE the right to enter and inspect premises for the purpose of carrying into effect any of their relevant statutory provisions. This power gives them the right to inspect and take copies of documents, including email, and interview members of staff. HSE can call for the delivery-up of documents if they are not readily available, which obviously extends to email.

• Financial Services: The FSA has considerable powers under the Financial Services and Markets Act to carry out investigations, which includes the power to require the production of documents and to require persons to take part in interviews.

• Office of Fair Trading: The OFT has powers to investigate suspected infringements of competition law. These powers enable them to obtain documents and information from businesses suspected of committing an infringement. Failure to co-operate with an investigation, including obstructing an investigation or hiding, destroying or falsifying documents is a criminal offence punishable

It is beyond the scope of this White Paper to identify all of the regulatory regimes that apply in the private sector. The best advice that can be given is that private bodies should identify their relevant regulatory frameworks, as these are bound to contain retention and disclosure obligations that bite on.


Part 9

Cases involving the mishandling of email

Emails and defamation

As a communication medium, email provides a perfect vehicle for committing libels. For example, in the case of Gentoo Group Ltd v. Hanratty [2008] the claimant, who was a social landlord, sued for compensation for defamation, following an email campaign that the defendant conducted against it.

Emails and data protection

As a communication medium, email also provides a perfect vehicle for breaching security and personal data rights. The Information Commissioner has enforced the security principle within the Data Protection Act against controllers who have mistakenly sent emails containing personal data to the wrong people.

In January 2008 the Information Commissioner took regulatory enforcement action against Carphone Warehouse, for breach of the security principle within the Data Protection Act. Carphone Warehouse mistakenly emailed customer data to the wrong people. The Information Commissioner ordered Carphone Warehouse to implement appropriate technical measures to prevent the mistaken sending of data by email.

In April 2009 the Information Commissioner took regulatory enforcement action against Manchester University, for breach of the security principle within the Data Protection Act. An employee at Manchester University mistakenly sent a spreadsheet containing personal data on 1700 students to 400 recipients. The Information Commissioner ordered Manchester University to train its staff on the correct use of email and data sharing.

In February 2010 the Information Commissioner took regulatory enforcement action against Redstone Mortgages, for breach of the security principle within the Data Protection Act. In error, data relating to 15,333 mortgage customers was emailed to a member of the public. The data was not encrypted or password protected. The Information Commissioner ordered that all emails and reports containing personal data, the loss of which could cause damage and/or distress, must be password protected before being sent outside of the data controller's network.

Emails providing evidence of breaches of the Freedom of Information Act

In January 2010 the "Climate Change Data Scandal" dominated international news reporting. At the heart of this story was the allegation that scientists at the University of East Anglia had withheld information about climate change that should have been disclosed in response to a Freedom of Information Act general access request. The scandal was exposed by a person who stole emails that revealed concerted efforts to delete email data.[43]

Emails as evidence in matrimonial proceedings

Emails regularly appear as evidence in matrimonial proceedings. However, in April 2010, in the case of Tchenguiz v Imerman, the Court of Appeal stressed the importance of respecting privacy in emails.

[43] http://www.timesonline.co.uk/tol/news/environment/article7004936.ece

Part 10

The new legal framework for data security

Since 2007 the UK has been engaged in building a new legal framework for data security. The catalyst for this work was a series of high profile cases about security breaches and data loss throughout 2006, 2007 and 2008. One of the most prominent examples concerned Her Majesty's Revenue and Customs, which revealed in November 2007 that it had lost two data disks containing an entire copy of the child benefit database. This event is considered by many to have damaged the public's trust in the government of the day.

The new legal framework for security includes legislative changes to the Data Protection Act, new government policies and new regulatory guidance. When these areas of the law are read together with decisions in regulatory enforcement cases and standards for best practice, it is clear that organisations need to put in place systems and operations to ensure the security and confidentiality of email. Among other things they should:

• Create an Acceptable Use Policy governing how email can be used and for what purposes.

• Assess the use of email, to understand the risk issues involved. For example, is the email system being used to move sensitive or confidential information?

• Assess whether the users of email understand their duties and obligations.

• Assess whether the use of email can be restricted.

• Monitor the use of email.

An organisation that fails to control the use of email embeds a significant risk of operational failure into its daily activities. In the event of failure there can be considerable negative consequences, including damage to brand and reputation, litigation brought by affected parties and regulatory investigations. In the context of regulatory investigations, as previously mentioned, the Information Commissioner now has the power to fine data controllers up to £500,000 for data security failures.

Data security and the impact for email retention

An organisation that appreciates security risks as they apply to email will want to put in place systems and operations to contain and mitigate those risks. One of the critical steps is to ensure a safe and secure environment for the retention of email. Such an environment will look very similar to the one described earlier for records keeping.


Part 11

The core functionality of an email archiving system

A lawyer will look for the following key functionality within an email archiving tool:

• Full search. All data within the email archive, including metadata, should be searchable. The system should be capable of searching calendar items, notes, contacts, any items altered within the mailbox and any items added to folders that did not originate as incoming (internal or external) email. An inability to access such items would prevent full search and disclosure and would therefore not be acceptable for compliance or litigation purposes.

• Targeted search. The archive should support fully targeted searches, allowing searches to be performed by key words and phrases, date ranges and file types. The message fields, body and attachments should be searchable, to enable searches to be conducted against body content, attachment content, and sender and recipient identities.

• Scheduled search. The archive should support scheduled searches, to enable periodic, regular searching.

• Customisable tags. It should be possible to apply customisable tags to files. For example, the user might want to mark a file as privileged from disclosure.

• De-duplication. The system should allow for data de-duplication, enabling the weeding out of duplicate files.

• Legal hold. It should be possible to place files on legal hold, to prevent deletion.

• Export and production. The system should enable the export and production of attachment documents in their original file format. Emails should be exported in a readable format that does not require additional systems, such as a compatible mail system, to open.

• Audit trail. The system should be capable of producing audit trail evidence of its use, including when any email has been accessed and by whom.

• Non-deletion. It must be possible to guarantee that mail cannot be deleted from the email system before it is archived.

• Case access. For confidentiality it must be possible to set up case-specific super-user access, so that reviewers can only search the mailboxes of the specific users or groups that are relevant to their eDiscovery exercise.

Of course, these features should build upon the requirements for best practice in records keeping.


What are we driving at?

So why is this important to lawyers? The key point to remember is that the disclosure or discovery exercise is required by law to deliver the quality and quantity of information that is prescribed by the law, whether this be under litigation principles or regulatory principles, or otherwise. Thus, the lawyer needs to see certain minimum features in an email archiving tool, otherwise the necessary "guarantee" of legal compliance cannot be provided.


Part 12

About the author

Stewart Room is a partner in the Privacy and Information Law Group at Field Fisher Waterhouse LLP. He is dual qualified as a barrister and a solicitor holding full Higher Court Rights of Audience, with over 18 years' experience as a litigator and advocate.

Stewart has considerable expertise and reputation in data protection and data security matters. He is ranked as a Leading Individual for data protection by Chambers UK. Legal 500 2009 says that Stewart's "data protection and privacy prowess is recognised as being at the forefront of the field". Legal 500 2010 says "Stewart Room 'has carved out a niche in data security' and 'has unparalleled depth of knowledge'."

In 2008 Stewart was named as the Financial Times Legal Innovator of the Year, for his work with IT companies on Privacy Enhancing Technologies.

Stewart has contributed to various publications and has written three books on information law, namely Data Protection and Compliance in Context (2006), Email: Law, Practice and Compliance (2008) and Butterworths Data Security Law & Practice (2009). He was also the legal expert on the Channel 4 Dispatches documentary 'The Data Theft Scandal', which exposed security failings in the Indian call centre industry. He is a regular speaker at industry conferences on data protection and data security, including the British Bankers Association annual data protection conference, InfoSec and RSA Conference.

He is also the President of the National Association of Data Protection Officers and a Director of Cyber Security Challenge UK.

Contact Stewart at:

Email: [email protected]

Telephone: +44 (0)20 7861 4850


Part 13

About Messaging Architects

Messaging Architects is a global builder of infrastructure for business email with over 3000 public and private sector customers in over 40 countries.

Their M+Archive solution provides policy based email archiving and eDiscovery for Groupwise and Exchange systems for enterprises and public bodies ranging in size from a few hundred to tens of thousands of users, comprehensively addressing the requirements of regulatory compliance and providing guided navigation for advanced search, legal hold and analysis of archived items.

Their solutions have been positioned in Gartner's Magic Quadrant reports and frequently examined by industry analysts such as Aberdeen Group and Osterman Research.

For more information, visit www.messagingarchitects.com

Contact the UK office at:

Email: [email protected]

Telephone: +44 (0)845 9000 153.

© 2010 by Messaging Architects UK Ltd & Field Fisher Waterhouse LLP. All rights reserved. No part of this document may be distributed, reproduced or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without prior written permission of Messaging Architects UK Ltd.