Electronic Record Retention Australia - Your Obligations

October 2004




Electronic Record Retention
Australia - Your Obligations



Redmap Networks Pty Ltd
ACN 082 956 036




Contact
Phillip Hourigan
Partner
Deacons
175 Eagle Street, Brisbane QLD 4000
Telephone:     +61 (0)7 3309 6888
Website:       www.deacons.com.au
Contents
1.     Overview ...................................................................................................... 1
2.     US Trends .................................................................................................... 2
3.     Litigation in Australia.................................................................................... 3
4.     Retention Obligations .................................................................................. 6
5.     Australian Standards ................................................................................. 14
6.     Tips for compliance programs ................................................................... 15
7.     Table of statutes ........................................................................................ 16
8.     Disclaimer .................................................................................................. 17




PAH/DEACONS WHITE PAPER_FINAL04                           Electronic Record Retention – Your Obligations
Electronic Record Retention – Your Obligations


1.     Overview

       In the course of running your business, it is likely that your organisation
       produces and keeps significant amounts of information. Reliance on
       electronically stored documents and emails is growing and the sheer
       volume of documents kept by an organisation often results in the need to
       implement and manage an effective document retention system.

       Factors which contribute towards the structure of an organisation’s
       document retention system include managing ICT spending, minimising
       risk and exposure, speed of access, reliability of storage, and maintaining
       adequate back-up facilities.

       In addition to these commercial considerations, laws requiring certain
       documents to be retained and specifying minimum periods for retention,
       set the benchmarks for compliance. Organisations now have positive
       obligations under the law to ensure that their documents are adequately
       retained.

       Having an effective document retention system will help you to avoid:

       •      fines for breaches of legislation;

       •      legal actions that are settled simply because it is cheaper than
              complying with discovery requests for old emails; and

       •      cases that are lost because of missing email records or legally
              inadequate archiving processes.

       This publication is an outline of various electronic document retention
       obligations that may apply to your organisation and provides some tips
       for compliance.




2.     US Trends

       Regulatory trends in the US are often indicative of future trends in
       Australia. However, US laws may also be immediately relevant to
       Australian subsidiaries of US Securities and Exchange Commission (SEC)
       entities and for any Australian organisations to which a US SEC entity
       outsources functions.

       With regard to the control of electronic record retention, the Sarbanes-
       Oxley Act of the US is particularly relevant.

       The Act imposes criminal penalties for knowingly destroying, altering,
       concealing or falsifying records with intent to obstruct or influence either a
       Federal investigation or a matter in bankruptcy. There is a maximum
       penalty of 10 years in prison.

       Both the SEC and the New York Stock Exchange have mandated that the
       obligations imposed under the Act extend to emails and instant
       messaging records.

       Two examples of the influence of these US regulations are:

       (1)    Raymond J Financial, a financial services firm based in Florida,
              has recently bought 6 terabytes of storage, largely to archive the
              company’s email and transaction data; and

       (2)    In December 2002, the SEC fined 5 Wall Street firms (including
              Morgan Stanley and Goldman Sachs Group) $A13.4 million for
              poor email retention. The SEC invoked its rule which requires that
              emails and other records be kept for 3 years in a format that
              cannot be overwritten or erased.




3.     Litigation in Australia

3.1    The litigation process of discovery

       Discovery is the process that follows the initiation of legal action. Before
       the matter can proceed to Court, all parties are liable to deliver up relevant
       documents. Electronic records such as emails are a rich source of
       evidence; however, delivering up emails on discovery can be very costly.

       There are also generally tight time frames for delivery and as a result it is
       vital that organisations can store and retrieve emails quickly.

       There are both Commonwealth and State/Territory based laws which
       prescribe the forms of evidence. Generally to maintain their value as
       evidence, emails cannot be altered or manipulated for as long as they are
       retained. They must also be a complete record - having content,
       context and structure. This means that emails that are used as
       evidence must accurately reflect what was communicated, decided or
       done.

       Content is generally described as being the substance of the message,
       regardless of whether it is in the body of the text or an attachment to the
       message. Context includes all information about the circumstances in
       which the message is created, transmitted, maintained and used.
       Structure refers to the way the parts of the message relate to each other.
       For example, the original message and its reply must appear as a “string”
       or the system needs to be able to provide both a contextual and structural
       view.

       If your organisation is involved in litigation, the process of discovery is
       invaluable to supporting your case. Finding a document that clearly
       describes or explains a particular issue could be crucial to your success.
       The introduction of emails into the discovery process has significantly
       increased the potential for organisations to readily access information
       that might otherwise be difficult to find [1]. McKemmish (1999) [2] identifies
       4 key elements regarding the use of digital evidence:

       (1)     The identification of digital evidence

               This is the first step in an effective discovery process. Knowing
               what evidence is present, including where and how it is stored is
               essential to determine which processes you will employ to
               facilitate its recovery. In addition, you should be able to identify
               the type of information stored in a device and the format in which it
               is stored so that the appropriate technology can be used to extract
               it.

       (2)     The preservation of digital evidence

               Given the likelihood of judicial scrutiny in a Court of law, it is
               imperative that you store your digital information in a way that
               allows examination of stored data in the least intrusive manner. In
               addition, there are circumstances where changes to data are
               unavoidable, but it is important that the least amount of change
               occurs. In situations where change is inevitable, it is essential that
               the nature of, and reason for the change can be explained.

       (3)     The analysis of digital evidence

                The extraction, processing and interpretation of digital data is
                generally regarded as the main element of forensic computing. Once
               extracted, digital evidence usually requires processing before
               people can read it.

       (4)     The presentation of digital evidence

               The manner by which records are presented in a Court of law can
               affect the credibility of the evidence. This includes the manner of
               presentation, the expertise and qualifications of the presenter and
               the process used to produce the evidence being tendered. Having
               an effective document retention system will play a role in ensuring
               that your records are believable.

       For more information, you can refer to the Standards Australia handbook
       titled “HB-171: Guidelines for Management of IT Evidence”.




[1] Bartos, J, “Off Grounds: Email – Gold in Them Thar Hills” (1999) 37(5) LSJ 40
[2] McKemmish, R (1999), “What is Forensic Computing?”, Australian Institute of Criminology,
    Trends and Issues No. 118



3.2    Destruction of adverse documents

       Legislation in various jurisdictions makes it an offence to destroy any
       document that is or may be used as evidence in judicial proceedings.

       Organisations should not destroy documents on the basis that the record
       is not in their favour. An organisation that destroys such information
       when it suspects that it may be subject to litigation could face a charge
       of obstruction of justice.

       Often adverse inferences may be made during the litigation if an
       organisation cannot produce relevant documents. There is also the risk
       of reputational damage to the offending party. This was highlighted by the
       recent case British American Tobacco Australia Services Limited v
       Roxanne Joy Cowell as representing the estate of Rolah Ann McCabe
       [2002] VSCA 197. The case at first instance saw the Judge heavily
       criticise the systematic destruction of a large number of records. Although
       largely reversed on appeal, the decision suggests before destroying
       documents they should be reviewed to determine their future relevance in
       legal proceedings. If the records are likely to have some value as
       evidence, they clearly ought to be retained.

       You should always carefully consider the statutory retention periods for
       documents or a group of documents before automatically deleting them
       when the retention period has expired. Various statutory periods are
       outlined in section 2 of this publication.

       While reckless destruction of records will not be looked on favourably by
       the courts, implementing a record retention policy without taking proper
       precautions can be a double-edged sword. If you do have a policy for
       retention, then any departure from it will generally draw an adverse
       inference. As a result, any policy you use needs to be more than a
       decorative document that is generally unavailable. Record retention requires
       ongoing education about the policy, procedures to enforce it and continuous
       review. It is therefore also necessary to assess the policy in light of any
       IT investment required to properly support it.


3.3    Liability

       In structuring a document retention policy, you should be aware of the risk
       of liability posed to your organisation and its officers due to the acts or
       omissions of employees. In particular:

       (1)    Company

              The company may be vicariously liable for the acts or omissions of
              an employee within the scope of the employee’s duties.

       (2)    Directors and officers

              Directors and officers (potentially the CIO) can be personally liable
              for failure to implement appropriate corporate governance policies.
              In the US, directors are becoming personally liable for e-security
              breaches.


4.     Retention Obligations

4.1    Statutory Periods

       Various State and Commonwealth Acts impose minimum periods for which
       organisations must retain their documents. The length of time that you are
       required to hold a document before destroying it will generally depend on
       the nature of the document and its content.

       This section outlines the main statutory periods that may be relevant to
       your organisation.

4.2    Private Records

       Currently, there is no general statutory obligation which requires
       organisations to maintain their records. Instead, there are various Acts
       which apply differently to certain types of records. You should seek
       specific advice from a qualified professional to determine the particular
       needs of your organisation.

       Some general statutory periods that apply to private organisations are:

       (1)    Tax requirements

               The Income Tax Assessment Act requires the retention of records
               that explain an organisation’s transactions and other acts that are
               relevant to the Act. This obligation is for a period of 5 years from
               the tax year to which the information relates.

              In relation to the Goods and Services Tax you must keep records if
              you:

              (a)    make a taxable supply or importation, or make a creditable
                     acquisition or importation;

              (b)    make a GST-free or input taxed supply;

              (c)    are entitled to transitional input tax credits for sales tax;

               (d)    are liable for wine equalisation tax; or

              (e)    make a taxable supply or importation of a luxury car.

              There is an obligation to keep records that record and explain
              transactions and other acts that are relevant to the above issues
              for 5 years.

              If you make elections or estimates under the GST law, you must
              keep records for 5 years after they are made, or cease to have
              effect.

              There are similar requirements for capital gains tax, fringe benefits
              tax and payroll tax.

       (2)    Corporations Act requirements

              The Corporations Act requires a company to keep financial
              records that correctly record and explain its transactions and
              financial performance; and which would enable true and fair
              financial statements to be prepared and audited for 7 years.

               Financial records include invoices, receipts, cheques, orders and
               other documents which evidence the recording of money. They will
               also include working papers that are needed to explain the
               methods by which financial statements are prepared and
               adjustments to financial statements.

              The Corporations Act specifically allows for electronic storage,
              provided that the records are available and can be converted into a
              hard copy within a reasonable time.

              Companies must take all reasonable precautions for guarding
              against damage, destruction or falsification of any book or part of
              a book that it is required to keep or prepare under the Act. In this
              context “book or part of a book” includes electronic communication
              and recordings.

              Electronic records must also be available for inspection. There are
              severe fines and/or prison terms for conduct that results in the
              concealment, destruction, mutilation or falsification of any
              securities of the company or any books that relate to the affairs of
              the company.

              If electronic records are recorded or stored in an ineligible form, it
              will be a contravention of the Corporations Act.

               Following the collapse of One.Tel, HIH and more recently the
              trouble that ANZ have been involved in, there are now compelling
              corporate governance reasons for organisations to take the issue
              of electronic record retention seriously. The desire to have
              impeccable records of all emails becomes especially relevant
              when things turn bad. As discussed in section 3 above, whoever
              has the best evidence will clearly be in a stronger position in
              relation to any litigation proceedings and accurate and accessible
              electronic records are vital to the overall business of any
              organisation.




       (3)    Workplace Relations

              While generally there is no specific requirement to retain email
              records under the various legislation impacting upon Workplace
              Relations, it is prudent to do so from a Risk Management and
              compliance perspective.

              Retention of appropriate evidence and records, whether in hard
              copy or electronic format, will often be necessary to establish
              compliance with statutory obligations such as:

              (a)    workers compensation and rehabilitation;

              (b)    equal opportunity and sexual harassment;

              (c)    unfair dismissal;

              (d)    employment and independent contracts;

              (e)    applicable awards and enterprise agreements; and

              (f)    remuneration, benefit and entitlements obligations.

             From a Risk Management and compliance perspective, it is
             generally advisable to retain all records for at least 7 years.

             Relevant legislation also imposes obligations with respect to the
             retention of certain records such as time and wages records and
             employee registers for defined periods (generally 6 years). While
             these records are commonly kept in hard copy, in some cases they
             may also be stored in electronic format.

       (4)    Privacy Act

              The Privacy Act imposes obligations on certain organisations that
              collect, use or store personal information about individuals.




              Generally, the Privacy Act requires those organisations to inform
              individuals as to how their personal information will be used and
              the security measures taken to protect that information. All
              personal information held must also be accurate, complete and up
              to date. Information that is no longer of use to the organisation
              must be destroyed and cannot be kept indefinitely (provided that
              any minimum retention periods are also met).

              Importantly, the Act gives individuals rights to access their
              personal information on request.

              This means that if your organisation comes under the application
              of Privacy Act, your electronic security measures and the way you
              use personal information will necessarily be exposed to the public.
              You should implement a system where your electronic records are
              secure, yet readily accessible for up-dating or inspection.

              The penalties for failure to comply with the principles outlined in
              the Privacy Act include fines. The Privacy Commissioner may
              also use the media to shame organisations that have failed to
              comply, which may potentially result in significant reputational
              damage.

       (5)    Other Minimum Retention Periods

               In the context of good corporate governance generally, it may not be
               sufficient to systematically destroy all records after a defined
               period of time. To achieve a holistic organisational policy, you
               should identify the information and content of records and extend
               your retention periods as necessary.




               Some other minimum retention periods are:

       Subject               Minimum Retention
       ------------------------------------------------------
       Simple contracts      6 years after discharge
       Deeds                 12 years after discharge
       Land contracts        12 years after discharge
       Product liability     At least 10 years
       Patent deeds          20 years
       Trade marks           Life of trade mark plus 6 years
       Copyright             50 years after author’s death
4.3    Public Records

       (1)     Dealing with Commonwealth Departments

               The Electronic Transactions Act commenced on 15 March 2000,
               creating a general regulatory regime for using electronic
               communications in transactions. It facilitated electronic commerce
               by removing existing legal impediments that may have prevented a
               person using electronic communications in the past. The Act gives
               business and community groups the option to use electronic
               communications when dealing with government agencies.

               With the exception of legal proceedings, the Electronic
               Transactions Act provides that certain commonwealth law
               requirements can be met electronically. These 4 requirements
               are:

               (a)     the requirement to give information in writing;

               (b)     the requirement to provide a signature;



              (c)    the requirement to produce a document; and

              (d)    the requirement to record information or retain a written
                     document.

       (2)    Digital Records and Archiving

              Digital records created by Australian government agencies in the
              course of their business activities are commonwealth records
              subject to the provisions of the Archives Act 1983. They need to
              be managed in the same way as other records. Government
              agencies need to exercise the same amount of accountability and
              reliability in relation to their electronic records as they would for
              other types of records.

               Digital records include a wide range of record types in relation to
              electronic messages from communication systems. The new legal
              requirements cover anything from emails to SMS (short messaging
              services), instant messaging, EMS (enhanced messaging
              services) and EDI (electronic data interchange).




              In particular:

              (a)     Australian Government agencies should develop an
                      integrated and comprehensive framework for digital record
                      keeping;

              (b)     senior management commitment to digital records as
                      corporate assets is essential to the success of the digital
                      record keeping framework;

              (c)     a digital record keeping framework must ensure compliance
                      with all relevant legislative requirements;

               (d)     the digital record keeping framework will include policies,
                       procedures and guidelines that set out the agency’s approach to
                       digital record keeping;

              (e)     responsibility for digital record keeping should be assigned
                      to staff with appropriate skills, knowledge and experience;

              (f)     agencies should design and implement systems with record
                      keeping capability;

              (g)     records creators should be educated in their digital record
                      keeping responsibility; and

              (h)     the digital record keeping framework should cover records
                      that are owned by the Australian Government but created
                      by out-source providers.

              These guidelines will apply to all digital records created by
              Australian Government agencies as evidence of business
              activities.




5.     Australian Standards

       The following standards are also relevant in relation to electronic
       document retention:

       •     ISO/IEC 17799:2000 – Information technology – Code of Practice for
             information security management;

       •     AS/NZS 7799.2:2000 (previously known as 4444.2) – Information
             security management – Specification for information security
             management systems, which is now superseded by AS/NZS
             7799.2:2003 – Information security management – Specification for
             information security management systems;

       •     ISO/IEC TR 13335-1 through 4 – Information technology – Guidelines
             for the management of IT security – Parts 1 through 4.

       (1)      ISO/IEC 17799:2000

                This standard is predominantly concerned with the security of
                electronic information. It also recommends ways to prevent loss,
                modification or misuse of user data in application systems and also
                to protect the confidentiality, authenticity and integrity of
                information.

       (2)      AS/NZS 7799.2:2003

                This standard specifies the requirements for establishing,
                implementing, operating, monitoring, reviewing, maintaining and
                improving a documented Information Security Management
                System (ISMS) within the context of the organisation’s overall
                business risk.

                 It provides that an ISMS is designed to ensure adequate and
                 proportionate security controls that adequately protect information
                 assets and give confidence to customers and other interested
                 parties. According to Standards Australia this can be translated
                 into maintaining and improving competitive edge, cash flow,
                 profitability, legal compliance and commercial image.

              The standard is generic and so it is possible to consider exclusion
              of particular sections. Conformity to the standard can still be
              maintained if the exclusions do not affect the organisation’s ability,
              and/or responsibility, to provide information security that meets the
              security requirements determined by risk assessment and
              applicable regulatory requirements.

       (3)    ISO/IEC TR 13335-1 through 4

              Part 4 of this Standard provides guidance on the selection of
              safeguards, taking into account business needs and security
              concerns.


6.     Tips for compliance programs

       As a summary based on the above discussion, some tips you may
       consider for electronic document retention by your organisation are:

       (1)    Organisations are generally expected to maintain the accessibility,
              accuracy and security of their electronic records;

       (2)    The content, context and structure of emails are relevant in
              discovery proceedings. Keeping emails in their original form with
              minimal tampering or alteration will add to the credibility of
              electronic evidence;

       (3)    Know how and where your electronic records are stored and have
              set procedures for retrieval;

       (4)    Implement a document retention system or policy – educate and
              train your staff in the use of the system;

       (5)    Do not destroy documents that could potentially be relevant to
              future litigation. Where possible, review documents before they
              are destroyed;

       (6)    Avoid deviating from your document retention system. However,
              to do this you will need to ensure that your system accounts for the
              necessary precautions. Seek professional assistance;



       (7)    Be aware of the minimum statutory retention periods that apply to
              your organisation and control the destruction of documents
              accordingly;

       (8)    Your organisation and its officers could be responsible for the acts
              or omissions of employees. Implement regular training and review
              to ensure employee awareness of your organisation’s obligations;

       (9)    Find out if your organisation comes under the Privacy Act. If so,
               ensure that all the privacy principles are met; and

       (10)   Consider and comply with any Australian Standards that may
              apply to your organisation’s retention of documents.


7.     Table of statutes

7.1    The following table lists the various pieces of legislation requiring
       retention of emails.

       Legislation name – Commonwealth

       Electronic Transactions Act 1999
       Evidence Act 1995
       Freedom of Information Act 1982
       Archives Act 1983
       Income Tax Assessment Act 1997
       A New Tax System (Goods and Services Tax) Act 1999
       A New Tax System (Fringe Benefits) Act 1999
       Corporations Act 2001
       Privacy Act 1988
       Workplace Relations Act 1996




8.     Disclaimer

       This publication is provided for informational purposes and is not intended
       as legal advice, nor should it be construed or relied upon as such. Each
       set of circumstances may be different and all cited legal authorities should
       be confirmed and updated.



