
Email: the legal obligation to manage information, its security and to protect personal information

Johannesburg, 05 Apr 2011

Introduction

As our information society progresses into the 21st Century, so the dependency of business on electronic communication has increased exponentially. Within a short period of time, most companies have advanced from not using e-mail for business purposes (and indeed, in certain instances prohibiting its use) to accepting and embracing the enormous advantages that electronic communications hold.

In doing so, many organisations are now floundering in their management of the proliferation of information and its security. In most companies e-mail is unstructured; where policies do exist, management and staff are typically not well trained in their obligations under those policies and, as a result, e-mail is poorly managed.

The failure to properly manage e-mail and its security, in most cases, leads to companies not complying with applicable and relevant law.

Legal obligations

This article is not intended as an exhaustive exposition of the law but merely highlights the more obvious areas of non-compliance.

The new Companies Act expressly provides that documents, accounts, books, writing, records or other information that a company is required to keep in terms of the Act or any other public regulation must be kept in written form, or in a form that allows the information to be converted into written form within a reasonable time. It also requires that company records be retained for a minimum period of seven years.

In addition to the statutory requirements, in many circumstances a failure by the company to manage and maintain its information (in whatever medium) commensurate with the requirements of the business, will constitute a violation of the governance of information and information technology principles enunciated in Chapter 5 of the King Report on Governance for South Africa 2009.

In terms of the Electronic Communications and Transactions Act, in particular Chapter 3 (Facilitating Electronic Transactions), anyone dealing with e-mail must have regard to the provisions dealing with “Original”, “Admissibility and evidential weight of data messages”, “Retention” and “Production of document or information”. The common thread running through all of these provisions is that records must be managed and retained in a manner that ensures the integrity of the information is not compromised; in practice this means being able to show that a message and its attachments are the same today as when they were sent or received. Failure to retain records in compliance with these provisions constitutes a breach of the organisation's legal obligations.

Fundamental to the protection of personal information is the stipulation in the Constitution that everyone has the right to privacy, including the right not to have the privacy of their communications infringed. We have already seen provisions of the National Credit Act and the Consumer Protection Act expressly requiring the confidentiality or privacy of personal information. The former expressly provides that credit grantors are, in certain circumstances, obliged to use electronic communication in communicating with credit receivers.

The legislative instrument which provides as a general law of application the protection of personal information contemplated in the Constitution, is currently before Parliament in the form of the Protection of Personal Information Bill. It is the intent of Parliament that this Bill will be promulgated during 2011. The Bill, once enacted, will have a far-reaching effect on the management, security and protection of personal information.

In addition to providing a framework that is aimed to protect personal information, it is submitted, that it will also significantly influence the security of information which may not fall within the definition of personal information.

One of the most significant features of the Bill is the condition governing the lawful processing of personal information which, for the first time in South African law, expressly requires parties responsible for processing personal information to take appropriate, reasonable technical and organisational measures to prevent the loss of, damage to or unauthorised destruction of personal information, and to prevent unlawful access to or processing of personal information. In doing so, parties processing information must have due regard to generally accepted information security practices and procedures and, where applicable, to specific industry or professional rules and regulations.

In South Africa, the ISO27000 series of standards, two of which are reflected in SANS27001 and SANS27002 as South African standards, provide guidance for the implementation of information security organisational structures and information security controls which may be appropriate to organisations. These are supplemented by standards which may be applicable to a particular industry.

Control of information

The imperative to formulate policies and procedures that improve the use of e-mail for business purposes and provide adequate structure to allow its control is self-evident. These should also draw clear distinctions between personal and business use.

One of the issues that needs to be considered in structuring the use of electronic communication for business purposes is the rapid and in most cases unstructured and ill-considered adoption of SMS and social networking for the purpose of business communication.

Unlike e-mail, where the e-mail servers are controlled within the company (or by a third party under the company's control), in the case of SMS and social networking sites the company controls neither the servers nor the retention of what passes through them. Accordingly, the necessary management of these forms of communication, and in particular the retention of a record whose integrity can be demonstrated, may prove far more difficult. Nonetheless, where these forms of communication are accepted for business purposes they must be appropriately managed.

Technology

There are technologies available in the South African market which, provided they are used within processes that ensure the accuracy and integrity of the information, assist companies in discharging their legal responsibilities. In effect, these technologies “lock” each e-mail and its attachments at the moment the message passes to or from the company's e-mail server, so that any later alteration of the stored record can be detected. This is what provides the forensic proof that the record has retained its integrity. Note that such a lock proves integrity only from the point of capture onward; it says nothing about what happened to a message before it reached the server.
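The following Python is an added illustration of the “locking” described above; it is not the article's or any vendor's product. It assumes an archive that holds a secret key, seals the exact raw message bytes (headers, body and MIME attachments alike) as they cross the mail server, and stamps them with its own clock. The key, the message and the timestamps are all constructed demo data.

```python
"""Integrity seal for archived e-mail (added example, not from the article).

Assumptions: the archive holds a secret key, seals the exact RFC 5322 bytes
that crossed the mail server, and records its own receipt time rather than
trusting the sender-supplied Date header.
"""
from __future__ import annotations

import hashlib
import hmac
import json
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Constructed demo key. A real archive would keep this in an HSM or key vault.
ARCHIVE_KEY = b"constructed-demo-key-not-for-production"


def build_sample_message() -> bytes:
    """Construct a sample outbound message with one attachment (demo data)."""
    msg = EmailMessage(policy=policy.SMTP)
    msg["From"] = "finance@example.com"
    msg["To"] = "supplier@example.net"
    msg["Subject"] = "Invoice 1001"
    msg["Date"] = "Tue, 05 Apr 2011 09:00:00 +0200"
    msg["Message-ID"] = "<inv1001@example.com>"
    msg.set_content("Please find invoice 1001 attached. Total due: ZAR 12500.00")
    msg.add_attachment(b"PDF-bytes-would-go-here", maintype="application",
                       subtype="octet-stream", filename="invoice-1001.pdf")
    return msg.as_bytes()


def _canonical(fields: dict) -> bytes:
    """Deterministic encoding so the same record always yields the same MAC."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def seal(raw: bytes, key: bytes, received_at: str, direction: str) -> dict:
    """Lock a message at the server boundary: hash the bytes, bind the metadata."""
    headers = BytesParser(policy=policy.default).parsebytes(raw, headersonly=True)
    record = {
        "message_id": str(headers["Message-ID"]),
        "direction": direction,        # "inbound" or "outbound"
        "received_at": received_at,    # archive clock, not the sender's Date header
        "length": len(raw),
        "sha256": hashlib.sha256(raw).hexdigest(),
    }
    # The MAC covers digest and metadata together, so neither the bytes nor the
    # timestamp/direction can be swapped independently without the archive key.
    record["hmac"] = hmac.new(key, _canonical(record), hashlib.sha256).hexdigest()
    return record


def verify(raw: bytes, record: dict, key: bytes) -> tuple[bool, str]:
    """Check a stored message against its seal and report what failed."""
    fields = {k: v for k, v in record.items() if k != "hmac"}
    expected = hmac.new(key, _canonical(fields), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, record.get("hmac", "")):
        return False, "seal record altered or wrong key"
    if fields["length"] != len(raw):
        return False, "message length differs from sealed copy"
    if not hmac.compare_digest(fields["sha256"], hashlib.sha256(raw).hexdigest()):
        return False, "message bytes differ from sealed copy"
    return True, "ok"


def demo() -> dict[str, bool]:
    """Seal a message, then show that edits to the bytes or the record are caught."""
    raw = build_sample_message()
    record = seal(raw, ARCHIVE_KEY, "2011-04-05T07:00:00Z", "outbound")

    # Same-length edit to the body: the length check passes, the digest does not.
    tampered_bytes = raw.replace(b"12500.00", b"21500.00")

    # Backdating the record without the key: the MAC no longer matches.
    backdated = dict(record, received_at="2011-04-01T07:00:00Z")

    # Re-sealing with a guessed key: verifies under that key, not the archive's.
    resealed = seal(tampered_bytes, b"attacker-key", record["received_at"], "outbound")

    return {
        "original_verifies": verify(raw, record, ARCHIVE_KEY)[0],
        "tampered_bytes_rejected": not verify(tampered_bytes, record, ARCHIVE_KEY)[0],
        "backdated_record_rejected": not verify(raw, backdated, ARCHIVE_KEY)[0],
        "foreign_key_rejected": not verify(tampered_bytes, resealed, ARCHIVE_KEY)[0],
    }


if __name__ == "__main__":
    for check, passed in demo().items():
        print(f"{check}: {'PASS' if passed else 'FAIL'}")
```

An HMAC proves integrity to whoever holds the archive key, which is adequate for a company demonstrating that its own archive has not been altered. Where a third party must be able to verify the record independently, the same record would be signed with an asymmetric key, or anchored with a trusted timestamp, instead of (or in addition to) the MAC.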

Conclusion

In conclusion, in order to adhere to applicable legal obligations, the use of e-mail as a business communication deserves far more considered attention. E-mail policies and procedures need to be reviewed in light of the growing recognition, both in our legislation and as a business imperative, that e-mail records must be managed, retained and secured.

To support the organisation's legal compliance obligation, appropriate technologies need to be implemented. Critically, unless the implementation of appropriate technologies and development of policy and procedural frameworks is supported by the proper training of persons responsible for the governance, management and use of company information, legal compliance will remain an elusive dream.

* The author of this article is Mark Heyink, Information Attorney and Information Security Consultant.

For more information, please contact mark@heyink.co.za or sales@condyn.net.


Condyn

Established in 1995, Condyn is an independent company specialising exclusively in the distribution and provision of information security solutions and services, focusing on meeting each client's unique requirements.

The company provides products and services including the design of a total information security infrastructure (covering messaging security, perimeter security, end point security, remote access, policy management, forensic compliance, content management, mobile e-mail, and management and reporting) and legislation training for executives and the marketplace.

The company's service methodology, continually revised and improved upon, has been proven time and again, and is based on its many years of experience coupled with a well-developed service ethic.

Editorial contacts

Jorina van Rensburg
Condyn
+27 (0) 12 665-4356
jorina@condyn.net