Email as evidence


The only thing we know about the future is that it is going to be different.

Peter Drucker

The laws that relate to the use of email as evidence are not only complicated but also depend on the sector in which you work (public or private) and where your business is located. For example, in the UK public sector, the Freedom of Information Act plays an important role. In the USA, many businesses and public bodies are regulated by the Sarbanes-Oxley Act.

This chapter provides a brief overview of:

  • the top five acts that apply to most UK email users
  • key implications for your use of email
  • tips to stay the right side of the law
  • sources of more detailed information on email and the law.

The KPMG survey ‘e-Disclosure: The 21st Century Legal Challenge’ found that 95 per cent of respondents regarded business email as an important source of digital evidence. The free-flow nature of email can make it hard to control who sees what and hence how to reduce the risk of breaches of security and compliance.

From my discussions with clients, the primary concerns for most business email users are:

  • How to manage data leakage and breach of copyright through forwarded emails.
  • How to ensure emails are properly stored (in case they are needed as evidence).
  • The best way to ensure all concerned understand and comply with the law.

Never put anything in an email that you would not be able to defend in a court of law.

Top five acts regulating the use of email in the UK

The key UK acts regulating most business (and indeed non-business) use of email are outlined in this section, along with their key implications and dos and don’ts.

Data Protection Act 1988

This protects your right to protect personal data about yourself; this includes your email address. It also covers, for example, personal information contained in your CV when applying for a job, information relating to sick leave, and a mortgage application. In 2010, fines of up to £500,000 were introduced by the Information Commissioner for breaches of security and confidentiality.

The key implication is that you must ensure you destroy emails which contain private information once the incident to which they relate is closed, unless they are needed for a valid reason. When emailing personal data, check that your email is secure.

Computer Misuse Usage Act 1990

This covers the unauthorised access and use of a computer with the intent to commit a crime.

The key implication is that you must not circulate emails which could be deemed to be a breach of any of the laws of the land. For example, under the Equal Opportunities Commission 2006 guidelines, lewd, racist or pornographic emails can now be regarded as evidence of sexual harassment by a person, even if that person has not seen them but knows of their existence.

Regulation Investigatory Power Act 2000

This allows public bodies to intercept and monitor data flows if their use is suspected to cause a major national security breach, disorder (strike), anti-competitive practices, etc. For example, in 2007 Tesco and Asda were ordered to hand over millions of emails in an anti-competitive investigation.

However, the Human Rights Act 1998 and European Convention on Human Rights can also protect you if you feel the monitoring is unjustified. This was demonstrated by the case of Lynette Copland who successfully took the UK government to court after Carmarthenshire College monitored her internet usage and telephone calls. She won €3,000 plus damages.

The key implication is that you should be aware that your computer could be seized by the police and your emails used as evidence. However, make sure you have a watertight case for monitoring individuals and tell them if doing so.

Human Rights Act 1998

This protects your right to enjoy a working environment which does not breach and violate your privacy and does not subject you to abuse and discrimination.

The key implication is that emails which are considered a breach of your human rights can be used as evidence, even if you have not seen them but know that they exist.

Freedom of Information Act 2000 (FOIA)

Under this act, anyone is entitled to request to see information from a public body (local council, police, health authority, etc.) on a subject which interests them. The 2009 MPs’ expenses scandal was mainly sparked by FOI requests. Clever use of the FOI Act can enable you to gain competitive information during a public sector tendering exercise.

The key implication is that emails can be, and often are, provided as evidence. On the one hand, you must retain emails if required to provide them, and on the other you must be able to demonstrate you have destroyed emails which contain data which should not be retained.

How can I stay within the law?

Many of the first-tier best practices to enable you to stay the right side of the law have been spelt out in Parts 2 to 4. Here is a synthesis of the essential top-level tips to help you reduce the risks of email evidence being used against you and your business.

Do

  • Review your email before sending to ensure that it does not contain any information which might cause embarrassment to you or your business.
  • Keep to facts rather than opinions. When you do include the latter, preface by attributing it to yourself rather than your business (for example, ‘In my personal opinion …’).
  • When emailing personal information take care that your email is secure.
  • Check that you are sending your email to the right person (i.e. the right John Smith).
  • When forwarding an email, be certain that you are not sending copyright-protected information without the original sender’s permission.
  • If you are in international business check what laws regulate your use of email, especially if you are registered in the USA.
  • When sending emails which contain highly sensitive competitive information to a public body, add a line which limits content from being disclosed without your knowledge in an FOIA enquiry.
  • Make sure key emails are properly archived and can be easily searched and retrieved if necessary.

Don’t

  • Include content in an email that you could not defend in court.
  • Include any material that might be regarded as racist, abusive, defamatory, pornographic, etc.
  • Send jokes – these can be misinterpreted and could be regarded as a contravention of the Human Rights Act.
  • Forward emails to non-business email addresses without consent from your business as this can cause a security breach and data leakage.
  • Retain emails containing personal information for longer than necessary.
  • Attempt to circumvent your business’s Acceptable Usage Policy (AUP) and especially the limits of transmission of attachments (see below for more on this).

Acceptable usage policy (AUP)

One of the basic ways to ensure everyone is properly informed about the behaviour deemed acceptable to your specific business is to have an internal, business-specific Acceptable Usage Policy (AUP).

Benchmark your AUP at www.brilliant-email.com.

It is not sufficient to simply write the policy. You also need to ensure that:

  • staff are fully aware of and have formally accepted your business’s Acceptable Usage Policy (AUP)
  • it is kept up to date to reflect changes in technology and legislation.

Failure to ensure that everyone is aware of and signed up to the policy can be costly. In 2004 Royal Bank of Scotland lost a case of unfair dismissal against an employee for sending pornographic emails. The employee won because she demonstrated she had not been fully aware of the bank’s process for grading emails as offensive.

Acceptance and awareness can be achieved through distributing the policy, having employees sign to indicate formal acceptance, providing prompts each time people log on to their computer, and providing a comprehensive education policy.

Useful sources of further information

Understanding the law as applied to email is a minefield. Five excellent sources of further information are:

  1. www.ico.gov.uk – the UK Information Commissioner’s Office
  2. www.is4profit.com – a free information website for small businesses
  3. www.mimecast.com – for white papers
  4. www.sophos.com – for white papers
  5. www.out-law.com – for case histories.

Emails are frequently used as evidence in litigation. A breach of compliance and security can be very costly to you and your business.

  • Check that you understand the basic principles of the key five UK acts and any others specific to you and your business.
  • Think before hitting ‘Send’ and ask yourself these three questions:
      1. To what extent might this email contravene the current legislation?
      2. Have I taken sufficient measures to limit a breach of confidentiality and security?
      3. If the email was used as evidence, what might be the cost to me (and my business) if the case went against me?
  • Ensure your Acceptable Usage Policy is current, understood and accepted across the whole organisation, from receptionists to the CEO.
  • While you require a clear email retention and destruction policy, you also need to be certain that the policy can be implemented. This generally means using appropriate technology to archive and destroy emails automatically.
  • If in doubt about the legitimacy of an email, consult with legal experts before sending it.