Reduce Business Risk with Mail Manager

 

Do you know your obligations?

 

The Data Protection Act 1998

The revised UK Data Protection Act (DPA) became law in the UK 1998. Core to the DPA is the way in which it mandates all organisations to disclose information it might have.

 

This key instrument of disclosure is called a "Subject Access Request". Anyone can issue a SAR (employee, ex-employees, customers etc.) against any organisation - Public OR Private - by simply writing a letter in a format available from Data Protection Act web site, sending a cheque for £15, delivered via registered mail to the organisation.

 

The organisation receiving the SAR legally has to give up all data requested within 20 days. Failure to comply breaks the law , seriously affecting the organisations ability to defend its self against any legal actions.

 

The most common use of Subject Access Requests (currently) is by employees, or ex-employees making claims of unfair dismissal, sexual / racial discrimination, harassment and such like.

 

The difficulty in trying to find relevant emails and other communications (including those containing opinions as well as facts) between different parties from historic backups (if available) over a two-year period is immense.

 

Very few organisations would be able to meet a request to produce ALL information held within their email system on a particular subject within 20 working days.

 

Federal Rules of Civil Procedure

 

Rule 34(b)(2)(A) states that "The party to whom the request is directed must respond in writing within 30 days after being served. A shorter or longer time may be stipulated to under Rule 29 or be ordered by the court."

 

As stipulated by Rule 26(a)(1)(C) and Rule 26(a)(1)(D), parties must make the initial disclosure at or within 14 days after they meet to set a discovery plan, unless a different time is set by stipulation or court order.

 

Sarbanes-Oxley

 

The Act impacts non-US firms that have operations in the United States.

 

Because email is increasingly used to transmit and store records that are subject to retention under Sarbanes-Oxley, it is critical that any organisations that is, or will be, governed by the Act implement a data retention strategy that can adequately meet these requirements.

 

The ultimate Impact of the Act

 

Because email is commonly used to communicate internally and externally in the vast majority of organisations covered by Sarbanes-Oxley, and because these communications often contain information about business transactions and business decisions, email must be retained in order for a covered organisation to comply with the provisions of the Act. However the "grey area" is with regard to the full scope of messages that must be retained, since the Act clearly specifies the consequences for non-compliance, but it does not explicitly state what must be retained in order to comply with the Act.

 

Clearly, email is the communication medium of choice for a growing proportion of business records that are subject to retention under Sarbanes-Oxley. Any organisation that wishes to comply with the Act must, therefore, implement a data retention capability that will permit them to demonstrate compliance with the Act.

 

The Sarbanes-Oxley provision of mandatory document retention forces businesses to keep records readily for review for a period of up to five years. The penalty for knowingly and willfully violating this provision imposes fines and a maximum sentence of 10 years in prison, or both.

 

SOURCE: The impact of Sarbanes-Oxley on Data Retention, FrontBridge Technologies / Osterman Research Inc. 2005