Your way through the legal maze

Conflicting regulations concerning the storage of personal and commercial information can present a challenge for the data storage team. Arif Mohamed looks at the legal aspects of information retention

If you deal with personal and financial data, you may be familiar with the apparent contradiction that various data laws create. On the one hand, personal data can only be collected and used for the purpose it was originally collected for, and must be disposed of if it is surplus to requirements. But on the other hand, commercial and financial data must be retained to protect the organisation or its customers, usually for the purpose of law enforcement.

Managing data can be tricky, and some organisations have found themselves required to produce information that they had, as a matter of policy, already destroyed.

Lee Richards, network manager at housing provider Twin Valley Homes, said, "This is an issue simply because you have data protection and human rights laws on one hand, and things like the Regulation of Investigatory Powers (RIP) Act on the other, where companies are under pressure to keep records for a certain number of years. It will come to a point where you will have to pull up information that has been destroyed."

According to Richards, a core issue that organisations face is the way that employees often include personal information in their business e-mails, even when negotiating contracts, for example. This might mean that an e-mail comes under more than one data law - for example, laws that govern commercial and financial data, as well as data protection legislation.

It is challenging to ensure that all employees adhere to a policy that requires them to keep their business e-mails strictly business all the time, said Richards. "How can you differentiate between business and personal information? You cannot separate them effectively unless you have two e-mail addresses, but how do you monitor that?"

Another issue is that e-mails could be forwarded unchecked outside the organisation, making it hard to guarantee to the relevant body that an e-mail has been destroyed completely. "If people forward an e-mail it becomes harder to control. One click of a button could create multiple issues," Richards said.

The onus often falls on IT staff to outline and enforce the e-mail and web policies and advise the organisation and HR department, said Richards.

Kiran Sandford, partner and IT law expert at law firm Mishcon de Reya, said it is essential for organisations to ensure that staff keep personal information out of their business e-mails if they want to survive the various data laws.

"You should be very careful about what you put in your e-mail and who you send it to, particularly commercially sensitive information. If you have a requirement to keep e-mails, you should have a list of all the people you sent them to," she said.

"E-mails can become evidence in court, and are required to be kept for certain periods by laws like the Companies Act, as they could include commercial records and contracts."

The UK Data Protection Act 1998, on the other hand, applies only to personal data about living individuals and not to commercial data, but it does apply to any organisation that holds information on members of the public.

The act contains eight principles of data protection, including that data must be accurate and, where necessary, kept up to date, and that it must be kept secure and for no longer than is necessary.

Sandford said that there are cases where personal information must be kept along with commercial information, such as for tax reasons, and in these cases, organisations must ensure the amount of personal data is not excessive.

Contracts are also a tricky area, and Sandford said that there are statutory requirements to keep most contracts for six years. She advised organisations to think about the length of time records and documents need to be maintained on an individual basis.

Phil Higgins, CEO of secure networking supplier Brookcourt Solutions, said that some of the firm's customers, such as investment banks and mortgage companies, are required to keep transactional data for 25 years or more. The data often includes personal information such as age, address and marital status, he said.

"Data shredding techniques are relatively simple, but pulling out the personal data is extremely difficult. We are often asked by banks about how best to achieve this.

"You could have a policy to lock down users and portable devices, but socially it turns us into drones. We live in a mobile environment and use mobile data devices. We work harder and longer hours," he added.

Nigel Horncastle, a data management expert and a consultant at systems integrator Morse, said that many organisations are turning to electronic content management systems to ensure they comply with the range of data laws. The Data Protection Act made a lot of organisations look for the first time at the issue of holding and disclosing information, he said.

Also, in 1999, public sector bodies were required to adopt document management systems that adhered to The National Archives specifications, which "set a benchmark for functionality".

Laws like the Markets in Financial Instruments Directive (Mifid) are creating another boom in the demand for document management, said Horncastle, as the financial services sector is required to retain and store more and more data. "For example, brokers have to keep pre-trade data for a year and the actual trade data itself for five to seven years for litigation purposes. This used to be about two years. Tick data was never kept in the past. This is very much driven by consumer protection."

Meanwhile, organisations must live with the "double-edged sword" of data storage and data disposal, said Horncastle. "There are some cases where people have destroyed data that is then required. What is more, if you retain information that should have been destroyed you have to disclose it - it is a juggling act to a degree."

In situations like this, firms that offer computer forensics and electronic disclosure services can help by extracting or reassembling documents, or testing document archival processes.

Computer forensics analyses and reviews documents held on a large range of media such as storage tapes, laptops, USB keys, PCs and servers, and can even read documents that have been overwritten multiple times.

Andrew Szczech, electronic evidence consultant at computer forensics firm Kroll Ontrack, said there are services available that can help companies ensure they store their documents in a way that would make forensic examination as painless as possible.

"These kinds of review exercises can be quite costly, so some of our users are looking to put more focus on the internal document management process," he said.

"If their on-going record management procedures are in order it can make the process simpler - though it will never be simple - and this particularly benefits organisations that know they will be subject to litigation," said Szczech.

With the introduction of more and more data laws, there has been a shift in the way that organisations store and back up their information, he said.

Ten years ago, the IT department may have driven these policies based around particular technologies or disaster recovery - perhaps the need to have monthly rotating back-ups of all of the organisation's data.

Legislation has made the situation significantly more complicated, said Szczech, and he advised organisations to plan their storage carefully.

"When you are putting your policies in place, make sure you have all the relevant parties in place and you are involving third-party suppliers, in-house counsel and third-party law firms, as well as key end-users, the auditing department and business sponsors.

"Think about the legal aspect of storage," said Szczech.
