The question
I am trying to find out if any legislation or guidelines have been issued that provide advice on the number of years that emails must be retained. Does it differ depending on the type of email? This is part of my research to find a suitable e-mail archive solution.
The legal verdict
Esther Smith, a partner at Thomas Eggar
There are many different retention periods that apply to electronically-stored data. They differ depending on the type of information involved and the area of work that it relates to.
In a general sense, the Data Protection Act 1998 states that personal data should not be kept longer than necessary and it should only be retained for the purposes for which it was processed. As a result, compliance will need to be judged on a case-by-case basis and requires employers to balance the personal nature of the information being held with the business needs of the company.
There are also various statutes that impose more specific retention periods. For example, Regulation nine of the Working Time Regulations 1998 states that data indicating compliance with the Regulations (for instance, opt out forms and the like) should be retained for two years from the date of creation.
Some sectors also have their own specific rules regarding document retention. For example, the Financial Services Authority, in accordance with its Conduct of Business Rules, requires records made under those rules to be retained for six years.
Additionally, it is important to consider the possibility of having to prosecute or defend a civil claim and the limitation periods involved. Employment breach of contract claims can be brought in the County Court for up to six years after the breach has occurred, which means that it makes sense to retain employment records for the same period of time, where possible.
Some bodies such as the Institute of Chartered Secretaries and Administrators have also published guidance to help with the complexities of document retention.
Esther Smith is a partner in Thomas Eggar‘s Employment Law Unit.
Adam Partington, a solicitor at Speechly Bircham
The retention of documents is subject to the provisions of the Data Protection Act 1998, which does not actually specify the length of time that emails or any other type of document or data should be kept. It is, therefore, left to each organisation to decide how long documents should be retained, although the DPA does state that personal data should not be kept for longer than “necessary”.
The Government and the Information Commissioner have issued guidance on how employers should formulate their document retention policies, however. This guidance is based on the category of information that a business holds rather than the form it takes so, for example, disciplinary records are distinguished from payroll documents.
Emails may contain numerous types of information and retention should, therefore, be based on their content. It may be helpful to establish different categories of information so that emails containing such information can be stored or destroyed as appropriate.
For example, emails relating to personnel matters may need to be treated differently from emails containing information about a company’s products. The categories used will, to some extent, depend on what your organisation does.
But both the government and the Information Commissioner recommend that employers do the following when formulating their policy:
- Consider your legal obligations and the needs of the business
- Establish and adhere to standard retention periods for different categories of information
- Ensure that information is kept securely – and destroyed securely when it no longer needs to be retained
Statutory retention periods
Some types of information are subject to statutory retention periods, however. For example, payroll and statutory sick pay records must be kept for three years after the end of the tax year to which they relate.
Other categories of information also have recommended retention periods, which are set out in the Government’s guidance but are not mandatory. The Information Commissioner’s advice recognises the need for employers to retain documents that could be relevant to future civil litigation or employment tribunal claims.
For example, the guidance suggests that organisations should consider keeping relevant employee documents for six years in order to reflect the time limit for bringing a civil claim, whilst retaining documents relating to unsuccessful job applicants for one year to cover the possibility of any subsequent employment tribunal claim.
In relation to spent disciplinary warnings, however, the ICO’s guidance suggests that employers set up a diary system to remove such warnings from individual’s records if this is a requirement of their disciplinary procedure.
So, in formulating a document retention policy, you should note the statutory periods for retention of certain categories of information. Where there are none, the Information Commissioner recommends that retention policies should be proportionate and based on a risk analysis approach (for example, taking into account time limits for bringing civil or employment tribunal claims).
Finally, it is important that a document retention policy, once formulated, is followed consistently.
Adam Partington is a solicitor at Speechly Bircham LLP.
3 Responses
SARs
Esther Smith replied:
"Under a SAR the employer is obliged to provide copies of all personal data held on that subject. This involves an obligation to make all reasonable efforts to check for relevant information and disclose it. If, as in your example, there are e-mails which are no longer in existence and not recoverable on the employer’s system cannot be disclosed, even if the employee has hard copies. If an employer were to claim that something has been destroyed without taking reasonable attempts to check backed up systems they may be said to have failed in their duty of disclosure."
Re SAR
Compliance with a SAR can take many forms and under certain circumstances the "Data Controller" (in this case the employer) can decline a request for information if the data controller considers that the information is to sensitive to be released into the public domain.
However if the employee bringing the Greivance has documentary evidence ie copies of emails that help that pesons case and then should the case go to an ET for example, the employer would find it difficult to dispute the evidence.
In my view if the evidence is there it will be found, either by hard copy or by a judge taking a decision that the evidence of the agreived is true.
Does a Subject Access Request complicate matters?
If an employee brings a grievance which is based on the behaviour of employees/Directors of the employer towards that employee over a long period of time, and submits a SAR because the employee believes there is written evidence supporting the grievance case, what would happen if an employer cannot produce email correspondence which is in the possession of the employee, claiming it has been destroyed?