The board of every organisation is directly responsible for ensuring it complies with the laws and regulations relating to data security, data retention and record management.
The penalties for failing to comply with these regulations are severe, ranging from reputational damage and share price damage through to criminal charges, fines and customer desertion.
Around the world, data protection and privacy legislation is increasingly important, and increasingly onerous. This page will give you a quick introduction to the data protection challenge you face.
Information Governance in the UK Public Sector
The UK public sector is subject to a growing range of information governance challenges. One key challenge is managing the overlap between the Data Protection Act (DPA) and the Freedom of Information Act (FOI).
Read Data Protection vs Freedom of Information for handy, practical guidance on tackling these issues.
New laws in this area emerge on a regular basis. Many of them overlap or contradict one another, and very few come with detailed regulatory implementation guidance or meaningful case law.
Existing legislation, including HIPAA, GLBA, SB 1386, OPPA and the Fair Credit Reporting Act (FCRA) in the US, Canada's PIPEDA, the EU's Data Protection Directive (implemented slightly differently in each EU country) and the EU Safe Harbor regulations (which enable US companies to escape prosecution under EU regulations), as well as UK legislation such as the Human Rights Act, the Regulation of Investigatory Powers Act and various telecommunications, distance selling and anti-spam measures, all combine to make a significant compliance challenge for all organizations.
Very specific guidance exists for the UK's Data Protection Act ("DPA"). All UK organizations must comply with the DPA, and all public sector ones must also comply with the Freedom of Information Act (FOIA).
This website provides comprehensive books and tools for achieving DPA Compliance.
Implementing and maintaining an ISO 27001-certificated Information Security Management System is the obvious way of complying with the DPA, particularly with the 7th principle, which requires organizations to take appropriate technical and organizational steps to secure personal data.
In the UK, public sector organizations must also comply with the Freedom of Information Act (FOIA).
It is not easy for North American and international companies to identify what steps might help them meet this broad range of compliance requirements.
This is where ISO/IEC 27002 can be particularly useful. It contains international best practice on information security, and the concepts of confidentiality, integrity and availability of data, which are at the heart of ISO 27002, are also contained in most information-related regulation.
In today's increasingly litigious world, preparedness for litigation is a sensible way to manage a basic business risk. Electronic documents (which include all emails) are always critical to any court case, and organizations need to take appropriate action to ensure that they can comply with court requirements for the production of evidence.
Best practice in this field is contained in BIP 008, the "Code of Practice for Legal Admissibility and Evidential Weight of Information Stored Electronically".
Email, Information and Records Management
Email is fundamental to organizational communication. There are potentially significant costs and risks associated with the business use of email, and this includes operational, regulatory, and litigation risk.
These risks are changing and evolving and organizations should use best-practice frameworks to guide their response to these risks. Organizations need end-to-end email management, retention, maintenance and archiving solutions that will enable them to simultaneously meet current and emerging business and regulatory requirements.
Email solutions should be integrated with information and records management solutions. Apart from the general information security guidance of ISO 27002, organizations can turn to the best-practice records management framework contained in ISO 15489.
A more detailed specification for electronic records management is contained in Model Requirements for Management of Electronic Records ("MoReq").
Data Retention Periods
Data retention periods are an area to which most companies fail to give sufficient attention.
The fact is that, for most companies, there are myriad laws and regulations that determine how long data should be retained, and data includes email and instant messaging information.
Of course, this whole area gets more and more complicated when you consider that some emails might contain financial or personnel information and might, therefore, have to be retained for periods different from those for ordinary emails.
The Data Retention website gives an overview of data retention requirements for the UK and emerging issues. The picture is similar for most companies in their local jurisdictions and much more complicated for multinational companies, or organizations operating in more than one jurisdiction.