The board of every organisation is directly responsible for ensuring it complies with the laws and regulations relating to data security, data retention and record management.
The penalties for failing to comply with these regulations are severe, ranging from reputation and share-price damage through to criminal charges, fines and customer desertion.
Around the world, data protection and privacy legislation is increasingly important, and increasingly onerous. This page will give you a quick introduction to the data protection challenge you face.
Information Governance in the UK Public Sector
The UK public sector is subject to a growing range of information governance challenges. One key challenge is managing the overlap between the Data Protection Act (DPA) and the Freedom of Information Act (FOIA): the former restricts disclosure of personal data, while the latter obliges public bodies to disclose information on request.
Read Data Protection vs Freedom of Information for practical guidance on tackling these issues.
Other useful resources include:
- The Information Governance Toolkit: Data Protection, Caldicott, Confidentiality
- Data Protection Compliance in the UK
- ISO27799 – Health Informatics & Information Security in the Health Sector
Existing legislation includes HIPAA, GLBA, SB 1386, OPPA and the Fair Credit Reporting Act (FCRA) in the US, Canada’s PIPEDA, the EU’s Data Protection Directive (implemented slightly differently in each EU country) and the EU–US Safe Harbor framework (a self-certification scheme under which US companies could lawfully receive personal data transferred from the EU; it was later invalidated by the Court of Justice of the EU in 2015), as well as UK legislation such as the Human Rights Act, the Regulation of Investigatory Powers Act and various telecommunications, distance selling and anti-spam measures. Together these make up a significant compliance challenge for all organisations.
Very specific guidance exists for the UK’s Data Protection Act (DPA). All UK organisations must comply with the DPA and all public sector ones with the FOIA.
Implementing and maintaining an ISO27001-certified Information Security Management System is the obvious way of demonstrating compliance with the DPA, particularly with the 7th principle, which requires organisations to take appropriate technical and organisational measures to secure personal data against unauthorised or unlawful processing and against accidental loss, destruction or damage.
In the UK, public sector organisations must also comply with the Freedom of Information Act (FOIA).
It is not easy for North American and international companies to identify what steps might help them meet this broad range of compliance requirements.
This is where ISO/IEC 27002 can be particularly useful. It contains international best practice on information security controls, and the concepts of confidentiality, integrity and availability of data, which are at the heart of ISO27002, also underpin most information-related regulation. Note that ISO27002 is a code of practice, not a certifiable standard; certification is against ISO27001.
In today’s increasingly litigious world, preparedness for litigation is a sensible way to manage a basic business risk. Electronic documents (which include emails) are routinely central to court cases, and organisations need to take appropriate action to ensure that they can meet court requirements for the disclosure and production of evidence, including being able to locate, preserve and authenticate the relevant records.
Best practice in this field is contained in BIP 008, the “Code of Practice for Legal Admissibility and Evidential Weight of Information Stored Electronically”.
Email, Information and Records Management
Email is fundamental to organisational communication. There are potentially significant costs and risks associated with the business use of email, including operational, regulatory and litigation risk.
These risks are changing and evolving, and organisations should use best-practice frameworks to guide their response. Organisations need end-to-end email management, retention, maintenance and archiving solutions that will enable them to meet current and emerging business and regulatory requirements simultaneously.
Email solutions should integrate with information and records management solutions. Apart from the general information security guidance of ISO27002, organisations can turn to the best-practice records management framework contained in ISO15489.
A more detailed specification for electronic records management is contained in Model Requirements for Management of Electronic Records (“MoReq”).
Data Retention Periods
Data retention periods are an area to which most companies fail to give sufficient attention.
For most companies there is a myriad of laws and regulations that determine how long data, including email and instant-messaging records, must be retained, and in some cases when it must be destroyed.
This area becomes more complicated when you consider that some emails contain financial or personnel information and may therefore have to be retained for periods different from those that apply to ordinary emails. Retention rules therefore need to be keyed to the content and business context of a message rather than to the fact that it arrived as email.