The board of every organisation is directly responsible for ensuring it complies with the laws and regulations relating to data security, data retention and record management.
The penalties for failing to comply with these regulations are severe, ranging from reputation damage and share price damage through to criminal charges, fines and customer desertion.
Around the world, data protection and privacy legislation is increasingly important, and increasingly onerous.
Information Governance in the UK Public Sector
The UK public sector is subject to a growing range of information governance challenges. One key challenge is managing the overlap between the Data Protection Act (DPA) and the Freedom of Information Act (FOI).
Useful resources include: Data Protection Compliance in the UK
Around the world, data protection and privacy legislation is increasingly important, and increasingly onerous. New laws in this area are also emerging on a regular basis. Many of these laws overlap or contradict one another, and very few have any detailed regulatory implementation guidance or meaningful case law.
Existing legislation includes HIPAA, GLBA, SB 1386, OPPA, the Fair Credit Reporting Act (FCRA) in the US, Canada's PIPEDA, the EU's Data Protection Directive (implemented slightly differently in each EU country) and the EU Safe Harbor regulations (which enable US companies to escape prosecution under EU regulations), as well as UK legislation such as the Human Rights Act, the Regulation of Investigatory Powers Act and various telecommunications, distance selling and anti-spam measures. These all combine to make a significant compliance challenge for all organisations.
Very specific guidance exists for the UK's Data Protection Act (DPA). All UK organisations must comply with the DPA and all public sector ones with the FOIA.
This website provides comprehensive books and tools for achieving DPA Compliance.
Implementing and maintaining an ISO27001-certificated Information Security Management System is the obvious way of complying with the DPA, particularly with the 7th principle, which requires organisations to take appropriate technical and organisational steps to secure personal data.
In the UK, public sector organisations must also comply with the Freedom of Information Act (FOIA).
It is not easy for North American and international companies to identify what steps might help them meet this broad range of compliance requirements.
This is where ISO/IEC 27002 can be particularly useful. It contains international best practice on information security, and the concepts of confidentiality, integrity and availability of data, which are at the heart of ISO27002, are also contained in most information-related regulation.
In today's increasingly litigious world, preparedness for litigation is a sensible way to manage a basic business risk. Electronic documents (which include all emails) are always critical to any court case, and organisations need to take appropriate action to ensure that they can comply with court requirements for the production of evidence.
Email, Information and Records Management
Email is fundamental to organisational communication. There are potentially significant costs and risks associated with the business use of email, including operational, regulatory and litigation risk.
These risks are changing and evolving, and organisations should use best-practice frameworks to guide their response to these risks. Organisations need end-to-end email management, retention, maintenance and archiving solutions that will enable them to meet current and emerging business and regulatory requirements simultaneously.
Email solutions should merge with information and records management solutions. Apart from the general information security guidance of ISO27002, organisations can turn to the best-practice records management framework contained in ISO15489.
A more detailed specification for electronic records management is contained in Model Requirements for Management of Electronic Records ("MoReq").
Data Retention Periods
Data retention periods are an area to which most companies fail to give sufficient attention.
The fact is, for most companies there is a myriad of laws and regulations which determine how long data, including email and instant messaging information, should be retained.
Of course, this whole area gets more and more complicated when you consider that some emails might contain financial or personnel information and might, therefore, have to be retained for periods different to those for ordinary emails.
The Legislation.gov.uk website gives an overview of data retention requirements for the UK. The picture is similar for most companies in their local jurisdictions and much more complicated for multinational companies, or organisations operating in more than one jurisdiction.