Email archiving could break Data Protection Act

Archive software prioritises employer liability over the individual's right to privacy
Written by Wendy McAuliffe, Contributor on

Company directors will be breaking the Data Protection Act if they choose to automatically archive staff email at the point of sending, in order to protect themselves from regulations in the Regulation of Investigatory Powers Act

Failure to store email is a potential go to jail card for directors under RIPA, which makes it a legal requirement for companies to keep all electronic communications for the life of the document. Directors must be able to supply law enforcers with email data on request, or risk facing charges of contempt or perverting the course of justice.

Software manufacturer IXOS has developed an archive system that enables employers to save all staff emails at the point at which they are sent, in order to prevent them from being altered or deleted before a record copy is taken. "The system will make it quite possible for a user to open an email that has already been archived, rather than looking at the original copy," said Peter Roberts at IXOS.

The Office of the Information Commissioner -- formerly the Office of the Data Commissioner -- argues that this blanket saving of emails is in breach of the Data Protection Act. "Information on individuals should not be kept for longer then necessary and should not be of an excessive amount -- companies archiving emails in this way would need to justify their reason for doing so," said Iain Bourne, strategic policy manager for the Commissioner. "Companies keeping everything for the purposes of liability are taking a disproportionate approach -- it's corporate paranoia and there are data protection rules that they have to obey."

Professor Lars Davies at the University of London however argues directors should prioritise the liability issue over data protection principles when deciding what archive system to use. "Just because you archive doesn't mean you have to read the data stored," he said.

Those in favour of data protection are concerned that archive technology is making the rules rather than following them. "There is a tendency that once technology allows one to store huge amounts of information indefinitely, regardless of whether it is proportionate or necessary, companies will do so just because they can," said Bourne.

Cyberliberty advocate Yaman Akdeniz points out that automated archive systems balance everything in favour of the employer. "RIPA doesn't justify a great intrusion into the personal lives of employees -- archiving policies and practices are likely to be challenged by the Human Rights Act in the future."

In defence of IXOS software, Davies argues that the Internet is the biggest archive in the world, but does not explain the impact that this has upon an individual's personal data. As Akdeniz points out, "the Internet is a public archive, that does not store sensitive data on individuals, whereas in a company archive every message sent and received is recorded."

Last week at the launch of the National High Tech Crime Unit (NHTCU), Roger Gaspar, director general of the National Criminal Investigation Service (NCIS) said that British police would be pushing for new powers to store logs of every email passing through the UK for up to five years.

Take me to ZDNet's Net Crime Special

Have your say instantly, and see what others have said. Click on the TalkBack button and go to the ZDNet News forum.

Let the editors know what you think in the Mailroom. And read other letters.

Editorial standards