I can't pretend that email management is easy. The average mail server holds such a diverse collection of communications, from vital records to messages that are at best valueless and at worst the kind no employer wants on their network. Different types of communication need different treatment.
I often point out to proponents of the slash-and-burn approach that it is difficult to run any organisation successfully without records. Without good records, it is difficult for managers to monitor performance and business volumes, or for individuals to manage their own work. Knowledge transfer becomes awkward, and some organisations have to "reinvent the wheel" repeatedly as staff come and go.
Many records that previously existed in paper files will now be almost exclusively held in email accounts. Public bodies should be aware that the s46 Code made under the Freedom of Information Act 2000 requires them to keep adequate records of their day-to-day business.
Email is often the only piece of written evidence available. Without this vital evidence, it is difficult to defend court actions, even with right on your side. Conversely, it is hard to take court action with any certainty of winning. People have a right to sue for many years after an event giving rise to a claim, and the fact that a writ is not issued immediately will not necessarily mean that it will never arrive. Those who delete potential evidence too quickly may regret it later.
So if your organisation anticipates litigation, it has a duty under court rules to preserve relevant documents, including emails. Those that appear to have deleted vital evidence may often have their claim or defence struck out. At worst, the deletion can be held to be contempt of court or perverting the course of justice.
Industry regulators may also require email records to be kept. For example, the Financial Service Authority (FSA) requires regulated organisations to retain records of their dealings. The body has wide-ranging powers to inspect and take action against organisations that fail to comply.
There is no general obligation to keep emails in case a request is made under the Freedom of Information Act, but once a request has been made for particular emails, public authorities should avoid destroying them. It is a criminal offence to destroy emails for the purpose of preventing their release under the act. But just to make matters annoying, the Data Protection Act 1998 also states that personal data, including that processed in email, should not be kept for longer than necessary.
Sadly there is no easy "one-size-fits-all" solution, but the following guidance should help:
- If you are subject to specific set industry regulations, you will need to seek advice from your regulator or other specialist adviser.
- As a general rule, you will need to keep all email information while it is in current use, and then for at least six years, as this is the period of time within which most claims can be brought. This period (called the limitation period) varies from action to action (for example, actions in relation to deeds will have a 12-year limitation period), so you should consider any special circumstances.
- Do not discount the practical needs of your organisation. You should consult with the various business areas and find out what their requirements are.
- Personal data in emails can usually be retained for as long as the email itself, if one of the reasons for retention as discussed above, applies.
- Tamzin Matthew is a partner in law firm Blake Lapthorn Tarlo Lyons, and specialises in IT law. She can be contacted at Tamzin.Matthew@bllaw.co.uk or on 01865 254262.
.png&h=140&w=231&c=1&s=0)
.png&h=140&w=231&c=1&s=0)
.png&h=140&w=231&c=1&s=0)
.png&w=120&c=1&s=0)
EDUtech AU
.png&w=120&c=1&s=0)
Security Exhibition & Conference 2025
Integrate Expo 2025
Digital As Usual Cybersecurity Roadshow: Brisbane edition
iTnews Benchmark Security Awards 2025
.jpg&h=140&w=231&c=1&s=0)
.jpg&h=140&w=231&c=1&s=0)
