Email has become the life-blood of most companies. Consequently company emails now contain a great deal of sensitive information that was once only stored on paper. There is a difference between email USAGE and email MANAGEMENT.
Companies can be exposed to claims for vicarious liability if employees do things with email that is against company policy e.g make defamatory statements or transmit offensive pictures (usually regulated by an Email USAGE Policy).
Companies also need to be able to access emails which are used by employees to conduct their ordinary business activities e.g. as proof of a business transaction or keep certain emails for certain periods of time because a law says the company do so (e.g. keep an electronic VAT invoice attached to an email for 5 years).
In order for email to be MANAGED effectively organisations need to:
- identify which emails constitute “records” which various laws require be retained,
- classify their information and implement a business classification scheme,
- use special email archiving software (if affordable) or consider using a hosted email archiving solution, and
- implement email and related policies.
Much of what is transmitted through an email system constitutes a “record” that must be kept for a minimum period of time as determined by the business itself or an Act of Parliament (or statute). There are hundreds of statutes in South Africa which prescribe recordkeeping obligations. It is therefore imperative that each company understand what laws apply to it and determine its “legal universe” i.e. determine what laws require it to keep what records. It is therefore critical that each company be able to “separate” the wheat from the chaff and identify email records.
In order for email records to be managed effectively they need to be linked to the functions, activities and decisions that they reflect. This is achieved by classifying or categorizing the emails according to a business classification scheme. This classification scheme forms the solid foundation upon which a variety of other email related policies and procedures can be built and facilitates the implementation of email retention rules and access.
There is a perception that the ECT Act makes record retention mandatory, including emails. This is not correct. The ECT Act does not make record retention mandatory; prescribe any minimum retention periods or introduce any criminal sanction for record retention non-compliance. There are several other statutes that prescribe:
- minimum retention periods,
- the form of retention (e.g. microfilm or electronic etc) and
- record retention regulatory requirements, where non-compliance may expose the organisation to various risks, including penalties or imprisonment for committing an offence.
The ECT Act permits the keeping of records in electronic form (sections 14 and 16) but provides few guidelines and various questions remain. The ECT Act merely states the general legal principle but does not provide details or guidelines on what organisations should implement in practice. The ECT Act also does not override provisions in other laws where electronic retention is specifically excluded or where requirements are prescribed. It is advisable to perform a review of regulatory requirements to ascertain which records the law requires you to retain. If the emails and their attachments qualify as business records, then they need to be retained according to the business, legal or historical value of the email.
Email Archiving Technology
Email messaging systems (such as Microsoft Outlook and Lotus Notes) were designed for transmission and receipt purposes only. Notwithstanding their “journal” functionality, they were not designed for ensuring the integrity and authenticity of email records nor for implementing retention rules. Special email archiving technologies should be considered.
Importance of Email Policies
The email archiving product, together with related policies, provides the foundation of every email archiving program. Without clearly written and widely disseminated policies and procedures, how can a company expect its employees to know what the email archiving obligations are. The policies also provide insight to employees on what management believes is important, thereby helping to establish the company’s culture and to set employee and management expectations. They also clarify in plain language what each employee’s email archiving obligations are, why the obligations exist and what will happen if the employee fails to follow any company directives. One of the primary goals of policies is to help a company avoid liability for its employees’ actions.