
Electronic Record Retention Australia Your Obligations


CONTENTS

1. Overview
2. US Trends
3. Litigation in Australia
4. Retention Obligations
5. Australian Standards
6. Tips for compliance programs
7. Table of statutes

Prepared for Redmap Networks by Phillip Hourigan

Disclaimer: This publication is provided for informational purposes and is not intended as legal advice, nor should it be construed or relied upon as such. Each set of circumstances may be different and all cited legal authorities should be confirmed and updated.



1. OVERVIEW

In the course of running your business, your organisation is likely to produce and keep a significant amount of information. Reliance on electronically stored documents and emails is growing, and the sheer volume of documents an organisation keeps often means that it needs to implement and manage an effective document retention system. Factors which shape the structure of that system include managing ICT spending, minimising risk and exposure, speed of access, reliability of storage and maintaining adequate backup facilities. In addition to these commercial considerations, laws which require certain documents to be retained, and which specify minimum retention periods, set the benchmarks for compliance. Organisations now have positive obligations under the law to ensure that their documents are adequately retained.

Having an effective document retention system will help you to avoid:

• fines for breaches of legislation;
• legal actions that are settled simply because settling is cheaper than complying with discovery requests for old emails; and
• cases that are lost because of missing email records or legally inadequate archiving processes.

This publication outlines the various electronic document retention obligations that may apply to your organisation and provides some tips for compliance.



2. US TRENDS

Regulatory trends in the US are often indicative of future trends in Australia. US laws may also be immediately relevant to Australian subsidiaries of entities regulated by the US Securities and Exchange Commission (SEC), and to any Australian organisation to which such an entity outsources functions.

With regard to the control of electronic record retention, the US Sarbanes-Oxley Act is particularly relevant. The Act imposes criminal penalties for knowingly destroying, altering, concealing or falsifying records with intent to obstruct or influence either a Federal investigation or a matter in bankruptcy, with a maximum penalty of 10 years in prison. Both the SEC and the New York Stock Exchange have mandated that the obligations imposed under the Act extend to emails and instant messaging records.

Two examples of the influence of these US regulations are:

(1) Raymond James Financial, a financial services firm based in Florida, recently bought 6 terabytes of storage, largely to archive the company's email and transaction data; and

(2) In December 2002, the SEC fined 5 Wall Street firms (including Morgan Stanley and Goldman Sachs Group) A$13.4 million for poor email retention. The SEC invoked its rule which requires that emails and other records be kept for 3 years in a format that cannot be overwritten or erased.

3. LITIGATION IN AUSTRALIA

3.1 The litigation process of discovery

Discovery is the process that follows the initiation of legal action. Before the matter can proceed to Court, all parties are required to deliver up relevant documents. Electronic records such as emails are a great source of evidence; however, delivering up emails on discovery can be very costly. There are also generally tight time frames for delivery, so it is vital that organisations can store and retrieve emails quickly.

Both Commonwealth and State and Territory laws prescribe the forms of evidence. Generally, to maintain their value as evidence, emails must not be altered or manipulated for as long as they are retained. They must also be a complete record, having content, context and structure. This means that emails used as evidence must accurately reflect what was communicated, decided or done. Content is generally described as the substance of the message, regardless of whether it is in the body of the text or in an attachment. Context includes all information about the circumstances in which the message was created, transmitted, maintained and used. Structure refers to the way the parts of the message relate to each other: for example, the original message and its reply must appear as a "string", or the system must be able to provide both a contextual and a structural view.

If your organisation is involved in litigation, the process of discovery is invaluable in supporting your case. Finding a document that clearly describes or explains a particular issue could be crucial to your success. The introduction of emails into the discovery process has significantly increased the potential for organisations to readily access information that might otherwise be difficult to find [1]. McKemmish (1999) [2] identifies 4 key elements regarding the use of digital evidence:

(1) The identification of digital evidence

This is the first step in an effective discovery process. Knowing what evidence is present, including where and how it is stored, is essential to determining which processes you will employ to facilitate its recovery. In addition, you should be able to identify the type of information stored on a device and the format in which it is stored, so that the appropriate technology can be used to extract it.

(2) The preservation of digital evidence

Given the likelihood of judicial scrutiny in a Court of law, it is imperative that you store your digital information in a way that allows the stored data to be examined in the least intrusive manner. There are circumstances in which changes to data are unavoidable, but it is important that the least possible change occurs. Where change is inevitable, it is essential that the nature of, and reason for, the change can be explained.

(3) The analysis of digital evidence

The extraction, processing and interpretation of digital data is generally regarded as the main element of forensic computing. Once extracted, digital evidence usually requires processing before people can read it.

[1] Bartos, J, "Off Grounds: Email – Gold in Them Thar Hills" (1999) 37(5) LSJ 40
[2] McKemmish, R, "What is Forensic Computing?" (1999) Australian Institute of Criminology, Trends and Issues in Crime and Criminal Justice No. 118

(4) The presentation of digital evidence

The manner in which records are presented in a Court of law can affect the credibility of the evidence. This includes the manner of presentation, the expertise and qualifications of the presenter, and the process used to produce the evidence being tendered. Having an effective document retention system will play a role in ensuring that your records are believable. For more information, refer to the Standards Australia handbook "HB 171: Guidelines for the Management of IT Evidence".

3.2 Destruction of adverse documents

Legislation in various jurisdictions makes it an offence to destroy any document that is, or may be, used as evidence in a judicial proceeding. Organisations should not destroy documents on the basis that the record is not in their favour. An organisation that destroys such information when it suspects that it may be subject to litigation could face a charge of obstruction of justice. Adverse inferences may also be drawn during the litigation if an organisation cannot produce relevant documents, and there is the risk of reputational damage to the offending party.

This was highlighted by the recent case British American Tobacco Australia Services Limited v Cowell (as representing the estate of Rolah Ann McCabe) [2002] VSCA 197. At first instance the Judge heavily criticised the systematic destruction of a large number of records. Although largely reversed on appeal, the decision suggests that before documents are destroyed they should be reviewed to determine their future relevance to legal proceedings. If the records are likely to have some value as evidence, they clearly ought to be retained. You should always carefully consider the statutory retention periods for a document, or a group of documents, before automatically deleting them when the retention period has expired. The various statutory periods are outlined in section 4 of this publication.

While reckless destruction of records will not be looked on favourably by the courts, implementing a record retention policy without taking proper precautions can be a double-edged sword. If you do have a retention policy, any departure from it will generally draw an adverse inference. As a result, any policy you adopt needs to be more than a decorative document that nobody can find. Record retention requires ongoing education about the policy, procedures to enforce it and continuous review. It is therefore also necessary to assess the policy in light of any IT investment required to support it properly.

3.3 Liability

In structuring a document retention policy, you should be aware of the risk of liability posed to your organisation and its officers by the acts or omissions of employees. In particular:

(1) Company. The company may be vicariously liable for the acts or omissions of an employee within the scope of the employee's duties.

(2) Directors and officers. Directors and officers (potentially including the CIO) can be personally liable for failure to implement appropriate corporate governance policies. In the US, directors are becoming personally liable for e-security breaches.
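The requirements in 3.1 (unaltered content, preserved context and structure, any unavoidable change explained) and the warning in 3.2 against deleting material that may be wanted in litigation can both be enforced mechanically at the archive. The following Python script is an added example written for this edit; it is not code from the original publication or from Redmap. It records a SHA-256 hash of each stored message as the content check, keeps the sender, recipient, subject and date headers as the context, uses the In-Reply-To and References headers to rebuild the message "string", and refuses destruction while a legal hold is in place. The two messages, their addresses and Message-IDs are constructed for the example; the 7-year figure used in the demonstration is the Corporations Act period from section 4, and the legal-hold set is a hypothetical input.

```python
"""Retention manifest for archived email: hash the stored bytes (content),
record the headers describing the message's circumstances (context) and keep
the reply links that tie it to its thread (structure). Added illustration."""
import email
import hashlib
from datetime import datetime, timedelta
from email import policy
from email.utils import parsedate_to_datetime

# Constructed sample messages: the addresses, Message-IDs and text are
# invented for this example.
ORIGINAL = b"""From: alice@example.com.au
To: bob@example.com.au
Subject: Supply agreement - delivery dates
Date: Mon, 03 Mar 2003 09:15:00 +1000
Message-ID: <1001@example.com.au>
Content-Type: text/plain; charset="us-ascii"

Bob, please confirm the delivery dates in the attached schedule.
"""

REPLY = b"""From: bob@example.com.au
To: alice@example.com.au
Subject: Re: Supply agreement - delivery dates
Date: Mon, 03 Mar 2003 11:40:00 +1000
Message-ID: <1002@example.com.au>
In-Reply-To: <1001@example.com.au>
References: <1001@example.com.au>
Content-Type: text/plain; charset="us-ascii"

Confirmed for the dates shown.
"""


def ingest(raw: bytes) -> dict:
    """Build the manifest entry for one message from its exact stored bytes."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    in_reply_to = msg.get("In-Reply-To")
    return {
        "sha256": hashlib.sha256(raw).hexdigest(),  # content: any change shows here
        "message_id": str(msg["Message-ID"]),
        "from": str(msg["From"]),                    # context: who, to whom, when
        "to": str(msg["To"]),
        "subject": str(msg["Subject"]),
        "date": parsedate_to_datetime(str(msg["Date"])).isoformat(),
        "in_reply_to": str(in_reply_to) if in_reply_to else None,  # structure
        "references": str(msg.get("References", "")).split(),
        "attachments": [p.get_filename() for p in msg.iter_attachments()],
    }


def build_manifest(stored: dict) -> dict:
    """Index retained messages by Message-ID; `stored` maps archive path
    (here just a label) to the raw bytes kept at that path."""
    manifest = {}
    for path, raw in stored.items():
        entry = ingest(raw)
        entry["path"] = path
        manifest[entry["message_id"]] = entry
    return manifest


def verify(manifest: dict, stored: dict) -> list:
    """Re-hash each archived message; every difference must be explained."""
    problems = []
    for entry in manifest.values():
        raw = stored.get(entry["path"])
        if raw is None:
            problems.append(f"{entry['path']}: missing from archive")
        elif hashlib.sha256(raw).hexdigest() != entry["sha256"]:
            problems.append(f"{entry['path']}: content hash changed")
    return problems


def thread(manifest: dict, message_id: str) -> list:
    """Rebuild the 'string': walk In-Reply-To to the root, then list the root
    and every retained reply in date order."""
    root, seen = message_id, set()
    while manifest[root]["in_reply_to"] in manifest and root not in seen:
        seen.add(root)
        root = manifest[root]["in_reply_to"]
    members = [e for e in manifest.values()
               if e["message_id"] == root or root in e["references"]]
    members.sort(key=lambda e: datetime.fromisoformat(e["date"]))
    return [e["message_id"] for e in members]


def destruction_eligible(entry: dict, now_iso: str, retention_days: int,
                         legal_hold: set) -> bool:
    """Delete only when the retention period has run AND the message is not
    held for actual or anticipated litigation (the section 3.2 caution)."""
    age = datetime.fromisoformat(now_iso) - datetime.fromisoformat(entry["date"])
    return age >= timedelta(days=retention_days) and entry["message_id"] not in legal_hold


if __name__ == "__main__":
    archive = {"mail/1001.eml": ORIGINAL, "mail/1002.eml": REPLY}
    manifest = build_manifest(archive)
    print("thread:", thread(manifest, "<1002@example.com.au>"))
    print("clean archive:", verify(manifest, archive))
    tampered = {**archive, "mail/1002.eml": REPLY.replace(b"Confirmed", b"Not confirmed")}
    print("tampered archive:", verify(manifest, tampered))
    # 7 years is the Corporations Act period from section 4; the empty hold set is hypothetical.
    print("deletable in 2010:", destruction_eligible(
        manifest["<1001@example.com.au>"], "2010-06-01T00:00:00+00:00", 7 * 365, set()))
```

Run as a script it prints the reconstructed thread, a clean verification and the detection of an altered reply. The hash is taken over the exact bytes as stored, so a changed character in the body or a rewritten header is detected, but the manifest itself must be kept where the archive's users cannot rewrite it (for example on the kind of write-once media the SEC rule in section 2 contemplates); otherwise whoever can edit a message can update the manifest to match.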

4. RETENTION OBLIGATIONS

4.1 Statutory Periods

Various State and Commonwealth Acts impose minimum periods for which organisations must retain their documents. The length of time for which you are required to hold a document before destroying it will generally depend on the nature of the document and its content. This section outlines the main statutory periods that may be relevant to your organisation.

4.2 Private Records

Currently there is no general statutory obligation requiring organisations to maintain their records. Instead, various Acts apply differently to certain types of records. You should seek specific advice from a qualified professional to determine the particular needs of your organisation. Some general statutory periods that apply to private organisations are:

(1) Tax requirements

The Income Tax Assessment Act requires the retention of records that explain an organisation's transactions and other acts relevant to the Act. This obligation runs for a period of 5 years from the tax year to which the information relates. In relation to the Goods and Services Tax, you must keep records if you:

(a) make a taxable supply or importation, or make a creditable acquisition or importation;
(b) make a GST-free or input taxed supply;
(c) are entitled to transitional input tax credits for sales tax;
(d) are liable for wine equalisation tax; or
(e) make a taxable supply or importation of a luxury car.

You must keep records that record and explain the transactions and other acts relevant to the above matters for 5 years. If you make elections or estimates under the GST law, you must keep the records for 5 years after they are made or cease to have effect. There are similar requirements for capital gains tax, fringe benefits tax and payroll tax.

(2) Corporations Act requirements

The Corporations Act requires a company to keep, for 7 years, financial records that correctly record and explain its transactions and financial performance and that would enable true and fair financial statements to be prepared and audited. Financial records include invoices, receipts, cheques, orders and other documents which evidence the recording of money. They also include working papers needed to explain the methods by which financial statements are prepared and any adjustments to them.

The Corporations Act specifically allows for electronic storage, provided that the records are available and can be converted into hard copy within a reasonable time. Companies must take all reasonable precautions to guard against damage, destruction or falsification of any book, or part of a book, that they are required to keep or prepare under the Act. In this context "book or part of a book" includes electronic communications and recordings. Electronic records must also be available for inspection. There are severe fines and/or prison terms for conduct that results in the concealment, destruction, mutilation or falsification of any securities of the company or any books that relate to its affairs. Electronic records that are recorded or stored in a form which does not meet these requirements will place the company in contravention of the Corporations Act.

Following the collapse of One.Tel and HIH, and more recently the trouble that ANZ has been involved in, there are now compelling corporate governance reasons for organisations to take electronic record retention seriously. The desire to have impeccable records of all emails becomes especially relevant when things turn bad. As discussed in section 3 above, whoever has the best evidence will clearly be in a stronger position in any litigation, and accurate, accessible electronic records are vital to the overall business of any organisation.

(3) Workplace Relations

While there is generally no specific requirement to retain email records under the various Acts governing workplace relations, it is prudent to do so from a risk management and compliance perspective. Retention of appropriate evidence and records, whether in hard copy or electronic format, will often be necessary to establish compliance with statutory obligations such as:

(a) workers compensation and rehabilitation;
(b) equal opportunity and sexual harassment;
(c) unfair dismissal;
(d) employment and independent contracts;
(e) applicable awards and enterprise agreements; and
(f) remuneration, benefit and entitlement obligations.

From a risk management and compliance perspective, it is generally advisable to retain all such records for at least 7 years. Relevant legislation also imposes obligations with respect to the retention of certain records, such as time and wages records and employee registers, for defined periods (generally 6 years). While these records are commonly kept in hard copy, in some cases they may also be stored in electronic format.

(4) Privacy Act

The Privacy Act imposes obligations on certain organisations that collect, use or store personal information about individuals. Generally, the Privacy Act requires those organisations to inform individuals how their personal information will be used and what security measures are taken to protect it. All personal information held must also be accurate, complete and up to date. Information that is no longer of use to the organisation must be destroyed and cannot be kept indefinitely (provided that any minimum retention periods are also met). Importantly, the Act gives individuals the right to access their personal information on request. This means that if your organisation falls under the Privacy Act, your electronic security measures and the way you use personal information will necessarily be exposed to outside scrutiny. You should implement a system in which your electronic records are secure, yet readily accessible for updating or inspection. The penalties for failure to comply with the principles outlined in the Privacy Act include fines. The Privacy Commissioner may also use the media to shame organisations that have failed to comply, which may result in significant reputational damage.

(5) Other Minimum Retention Periods

In the context of good corporate governance generally, it may not be sufficient to systematically destroy all records after a defined period of time. To achieve a holistic organisational policy, you should identify the information and content of records and extend your retention periods as necessary.

Some other minimum retention periods are:

Subject              Minimum retention
Simple contracts     6 years after discharge
Deeds                12 years after discharge
Land contracts       12 years after discharge
Product liability    At least 10 years
Patent deeds         20 years
Trade marks          Life of trade mark plus 6 years
Copyright            50 years after author's death

4.3 Public Records

(1) Dealing with Commonwealth Departments

The Electronic Transactions Act commenced on 15 March 2000, creating a general regulatory regime for the use of electronic communications in transactions. It facilitates electronic commerce by removing legal impediments that may previously have prevented a person from using electronic communications. The Act gives businesses and community groups the option of using electronic communications when dealing with government agencies. With the exception of legal proceedings, the Electronic Transactions Act provides that certain Commonwealth law requirements can be met electronically. These 4 requirements are:

(a) the requirement to give information in writing;
(b) the requirement to provide a signature;
(c) the requirement to produce a document; and
(d) the requirement to record information or retain a written document.

(2) Digital Records and Archiving

Digital records created by Australian Government agencies in the course of their business activities are Commonwealth records subject to the provisions of the Archives Act 1983. They need to be managed in the same way as other records, and agencies must exercise the same degree of accountability and reliability in relation to their electronic records as they would for other types of records. Digital records include a wide range of record types produced by electronic messaging and communication systems: the requirements cover anything from emails to SMS (short messaging services), instant messaging, EMS (enhanced messaging services) and EDI (electronic data interchange). In particular:

(a) Australian Government agencies should develop an integrated and comprehensive framework for digital record keeping;
(b) senior management commitment to digital records as corporate assets is essential to the success of the digital record keeping framework;
(c) a digital record keeping framework must ensure compliance with all relevant legislative requirements;
(d) the digital record keeping framework will include policies, procedures and guidelines that set out the agency's approach to digital record keeping;
(e) responsibility for digital record keeping should be assigned to staff with appropriate skills, knowledge and experience;
(f) agencies should design and implement systems with record keeping capability;
(g) records creators should be educated in their digital record keeping responsibilities; and
(h) the digital record keeping framework should cover records that are owned by the Australian Government but created by outsourced providers.

These guidelines apply to all digital records created by Australian Government agencies as evidence of business activities.

5. AUSTRALIAN STANDARDS

The following standards are also relevant to electronic document retention:

• ISO/IEC 17799:2000 – Information technology – Code of practice for information security management;
• AS/NZS 7799.2:2000 (previously known as AS/NZS 4444.2) – Information security management – Specification for information security management systems, now superseded by AS/NZS 7799.2:2003 – Information security management – Specification for information security management systems;
• ISO/IEC TR 13335-1 through 4 – Information technology – Guidelines for the management of IT security – Parts 1 through 4.

(1) ISO/IEC 17799:2000

This standard is predominantly concerned with the security of electronic information. It recommends ways to prevent loss, modification or misuse of user data in application systems and to protect the confidentiality, authenticity and integrity of information.

(2) AS/NZS 7799.2:2003

This standard specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented Information Security Management System (ISMS) in the context of the organisation's overall business risk. An ISMS is designed to ensure adequate and proportionate security controls that protect information assets and give confidence to customers and other interested parties. According to Standards Australia, this translates into maintaining and improving competitive edge, cash flow, profitability, legal compliance and commercial image. The standard is generic, so particular sections may be considered for exclusion. Conformity to the standard can still be maintained if the exclusions do not affect the organisation's ability, and/or responsibility, to provide information security that meets the security requirements determined by risk assessment and applicable regulatory requirements.

(3) ISO/IEC TR 13335-1 through 4

Part 4 of this Standard provides guidance on the selection of safeguards, taking into account business needs and security concerns.

6. TIPS FOR COMPLIANCE PROGRAMS

As a summary of the above discussion, some tips you may consider for electronic document retention in your organisation are:

(1) Organisations are generally expected to maintain the accessibility, accuracy and security of their electronic records.
(2) The content, context and structure of emails are relevant in discovery proceedings. Keeping emails in their original form, with minimal tampering or alteration, will add to the credibility of electronic evidence.
(3) Know how and where your electronic records are stored, and have set procedures for retrieval.
(4) Implement a document retention system or policy, and educate and train your staff in its use.
(5) Do not destroy documents that could potentially be relevant to future litigation. Where possible, review documents before they are destroyed.
(6) Avoid deviating from your document retention system. To do this, you will need to ensure that your system accounts for the necessary precautions; seek professional assistance.
(7) Be aware of the minimum statutory retention periods that apply to your organisation and control the destruction of documents accordingly.
(8) Your organisation and its officers could be responsible for the acts or omissions of employees. Implement regular training and review to ensure employees are aware of your organisation's obligations.
(9) Find out whether your organisation falls under the Privacy Act. If so, ensure that all the privacy principles are met.
(10) Consider and comply with any Australian Standards that may apply to your organisation's retention of documents.

7. TABLE OF STATUTES

7.1 The following table lists the Commonwealth legislation relevant to the retention of emails.

Legislation name – Commonwealth
Electronic Transactions Act 1999
Evidence Act 1995
Freedom of Information Act 1982
Archives Act 1983
Income Tax Assessment Act 1997
A New Tax System (Goods and Services Tax) Act 1999
A New Tax System (Fringe Benefits) Act 1999
Corporations Act 2001
Privacy Act 1988
Workplace Relations Act 1996



ATLANTA: 2905 Shawnee Industrial Way, Suite 300, Suwanee, GA 30024, USA. T +1 678 730 0370 F +1 678 730 0371
BRISBANE: Suite 1, 54 Vernon Tce, Teneriffe, Brisbane 4006 QLD, Australia. T +61 7 3257 3399 F +61 7 3257 1752
SYDNEY: Level 7, 99 Mount Street, North Sydney 2060 NSW, Australia. T +61 2 8904 9288 F +61 2 8904 9388

www.redmap.net

