There’s no easy answer: the Data Protection Act is deliberately woolly. Rather than define a period of time, it states that email must be kept for “no longer than is absolutely necessary”.
And different industries have very different ideas about what that means.
Many sectors operate Best Practice guidelines with penalties for non-compliance. There are books cataloguing recommended retention periods, going up to a mind-boggling 80 years plus for correspondence relating to pension policies. However, self-regulation is only as good as enforcement by the Self-Police.
With data being generated continually at an annual increase of 43%, the sheer volume of email and the spiralling cost of mail server storage space, it is small wonder that some organisations resort to extreme “cleanse and delete” measures. Proponents justify the policy because it sidesteps both additional costs and culpability from retaining “the wrong email”. If you have no records, they can’t be used against you.
Global business doesn’t work in a vacuum, and just because you can’t rustle up correspondence doesn’t mean it never existed. The Executive branch of Pennsylvania State Government allows each employee to decide which email to save or delete from their mailbox and the entire agency email system. This violates State email retention policy, prejudicing Pennsylvania’s Right to Know Law (the equivalent of a Freedom of Information request). It also has bizarre consequences. Deleting all electronic information generated by one individual effectively makes them disappear, which is what happened to Tom Corbett, an ex-employee.
An efficient email management and archive solution could satisfy both prevailing legislation and current policy. Combining a tamper-evident copy of every email received by the mail server with super-fast, user-friendly search screens empowers every employee to delete the contents of their mailbox without fearing the consequences.