Allegations of News International executives ordering the deletion of emails – around possible phone hacking by News of the World journalists – are prompting IT professionals to question their own email and document management policies.
The last edition of the News of the World was published on Sunday, after a 158-year run, amid allegations that journalists on the paper were attempting to acquire the contact details of members of the royal family, hack the mobiles of victims of the 9/11 terrorist attacks and members of the last government.
The phone hacking scandal itself has been compounded by claims that senior figures at News International were attempting to delete incriminating internal emails that are now in the hands of the police.
As the News International drama unfolds, lawyers have warned that all organisations need to ensure their email retention policies and practices are robust.
“Emails are treated like any other document and there is no law around how long they should be kept,” says Danvers Baillieu, a senior associate at law firm Pinsent Masons. Under normal circumstances, there is nothing stopping businesses from deleting messages, he says.
Indeed, businesses need to delete emails regularly where the personal information contained in them is no longer required so as to comply with the requirements of the data privacy laws, says Anthony Nagle, an of Counsel lawyer at Morrison & Foerster. With businesses holding a “phenomenal” amount of “live data”, they should have at least a basic policy in place to deal with data retention, he says.
However, if criminal or civil proceedings are likely to take place, organisations need to take a different approach, according to the experts. Baillieu says: “If a company senses the faintest whiff of something like that, then they have to keep the documents. Otherwise the deletion of such emails could weigh against them in the eyes of a judge or jury.”
Nagle agrees: “If a [court] issue has arisen and you’re shown to have deleted your data, you’ll be asked why you did so.”
For normal day-to-day operations not involving legal action, businesses need to check they have a proper email policy. “The IT or data manager in an organisation needs to get a review going on their information, and build a data retention policy,” says Nagle. “This should be reviewed on a regular basis, for example every six months.”
For a policy to be effective, emails need to be segmented. “You have to drill down into the data from a high-level starting point,” he says. “Segment the type of message if you can, or set rules to do so, and ask: Do we really need to keep this message and for how long?
“A lot of messages may be safe to delete after several years – but others, such as those to do with contractual obligations, tax or health and safety requirements, may need to be kept for longer periods. The key is not to delete data which is required by regulation.”
An issue which allegedly arose at News International, and which happens elsewhere, is how an IT manager should react when asked by another staff member (including anyone up to the chief executive) to delete specific messages, particularly if they are not sure whether the move is safe or even ethical.
There are a number of basic steps that can be taken, according to Baillieu. “The IT manager first of all must ask for a good explanation of why data is being deleted, and it may be smart to put this question in writing in an email to demonstrate he or she has asked. Then if there are any concerns, these need to be raised.”
An IT manager who is uncomfortable about particular email deletion may also be wise to approach their company data manager or controller, to get the right advice, Baillieu added.