Most Popular Resources

Email retention policies

Please note the Law may have changed since the publication of article.

Solicitor, Simon Halberstam assists clients to draw up policies and provides a few pointers in this overview.

DOs!

This is a very complex subject covering various categories of information and various divisions of a company. Different retention rules will apply depending on the area in question.

A company must create a clear matrix which clearly identifies the various categories of emails and data and sets out a precise retention policy for each category.

Relevant categories might include personnel, premises, contracts and product safety.

A data retention officer (often the same person as the Data Protection Officer) will usually “own” this function and will be tasked with ensuring company-wide compliance with the policy.

The policy must set email retention periods for each category of data. Each retention period should be set with relevant legal issues and limitation periods in mind.

Whist policies vary greatly, certain types of provision are fairly standard. These include:

  • Retain originals of all emails likely to have evidential value in current or future legal proceedings;
  • Ensure that the policy takes account of Data Protection Act issues, particularly Principle 5 which states “Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.”

Things You Should Not Do!

Do not be inconsistent in policing/enforcing the policy. This can lead to allegations of discriminatory treatment in the context of unfair dismissal claims and also enable insurers to allege negligence, possibly vitiating you insurance cover.

Do not infringe the law! There is a tangled web of potentially relevant laws, including the Human Rights Act, the Data Protection Act and the Regulation of Investigatory Powers Act. Lawyers can help to clarify the interaction of these different statutes and reflect this in the policy document. Principle 5 of the Data Protection Act 1998 deserves particular attention.

For example, if CVs are received by way of email in relation to applications for a job vacancy, delete emails from unsuccessful candidates soon after the vacancy has been filled. It may be worth retaining them for a short period just in case any unsuccessful candidate alleges discriminatory treatment in the selection process.

When in doubt, do not destroy the original! If in doubt, err on the side of caution and retain original emails. The likelihood of getting into trouble for excessively long retention is usually outweighed by the prospect of destroying potentially key evidence.

© This article is copyright Simon Halberstam 2008 and should not be construed as legal advice or opinion in any specific facts or circumstances. the contents are intended for generic information purposes only. You are urged to contact a suitably qualified lawyer for specific advice.