Peter Drucker
The laws that relate to the use of email as evidence are not only complicated but also depend on the sector in which you work (public or private) and where your business is located. For example, in the UK public sector, the Freedom of Information Act plays an important role. In the USA, many businesses and public bodies are regulated by the Sarbanes-Oxley Act.
This chapter provides a brief overview of:
The KPMG survey ‘e-Disclosure: The 21st Century Legal Challenge’ found that 95 per cent of respondents regarded business email as an important source of digital evidence. The free-flow nature of email can make it hard to control who sees what and hence how to reduce the risk of breaches of security and compliance.
From my discussions with clients, the primary concerns for most business email users are:
Never put anything in an email that you would not be able to defend in a court of law.
The key UK acts regulating most business (and indeed non-business) use of email are outlined in this section, along with their key implications and dos and don’ts.
This protects your right to protect personal data about yourself; this includes your email address. It also covers, for example, personal information contained in your CV when applying for a job, information relating to sick leave, and a mortgage application. In 2010, fines of up to £500,000 were introduced by the Information Commissioner for breaches of security and confidentiality.
The key implication is that you must ensure you destroy emails which contain private information once the incident to which they relate is closed, unless they are needed for a valid reason. When emailing personal data, check that your email is secure.
This covers the unauthorised access and use of a computer with the intent to commit a crime.
The key implication is that you must not circulate emails which could be deemed to be a breach of any of the laws of the land. For example, under the Equal Opportunities Commission 2006 guidelines, lewd, racist or pornographic emails can now be regarded as evidence of sexual harassment by a person, even if that person has not seen them but knows of their existence.
This allows public bodies to intercept and monitor data flows if their use is suspected to cause a major national security breach, disorder (strike), anti-competitive practices, etc. For example, in 2007 Tesco and Asda were ordered to hand over millions of emails in an anti-competitive investigation.
However, the Human Rights Act 1998 and European Convention on Human Rights can also protect you if you feel the monitoring is unjustified. This was demonstrated by the case of Lynette Copland, who successfully took the UK government to court after Carmarthenshire College monitored her internet usage and telephone calls. She won €3,000 plus damages.
The key implication is that you should be aware that your computer could be seized by the police and your emails used as evidence. However, make sure you have a watertight case for monitoring individuals and tell them if you are doing so.
This protects your right to enjoy a working environment which does not breach and violate your privacy and does not subject you to abuse and discrimination.
The key implication is that emails which are considered a breach of your human rights can be used as evidence, even if you have not seen them but know that they exist.
Under this act, anyone is entitled to request to see information from a public body (local council, police, health authority, etc.) on a subject which interests them. The 2009 MPs’ expenses scandal was mainly sparked by FOI requests. Clever use of the FOI Act can enable you to gain competitive information during a public sector tendering exercise.
The key implication is that emails can be, and often are, provided as evidence. On the one hand, you must retain emails if required to provide them, and on the other you must be able to demonstrate you have destroyed emails which contain data which should not be retained.
Many of the first-tier best practices to enable you to stay on the right side of the law have been spelt out in Parts 2 to 4. Here is a synthesis of the essential top-level tips to help you reduce the risks of email evidence being used against you and your business.
Do
Don’t
One of the basic ways to ensure everyone is properly informed about the behaviour deemed acceptable to your specific business is to have an internal, business-specific Acceptable Usage Policy (AUP).
Benchmark your AUP at www.brilliant-email.com.
It is not sufficient to simply write the policy. You also need to ensure that:
Failure to ensure that everyone is aware of and signed up to the policy can be costly. In 2004 Royal Bank of Scotland lost a case of unfair dismissal against an employee for sending pornographic emails. The employee won because she demonstrated she had not been fully aware of the bank’s process for grading emails as offensive.
Acceptance and awareness can be achieved through distributing the policy, having employees sign to indicate formal acceptance, providing prompts each time people log on to their computer, and providing a comprehensive education policy.
Understanding the law as applied to email is a minefield. Five excellent sources of further information are:
Emails are frequently used as evidence in litigation. A breach of compliance and security can be very costly to you and your business.