Out-Law / Your Daily Need-To-Know

The implications of Covid-19 for e-data governance

Out-Law Analysis | 24 Apr 2020 | 3:12 pm | 6 min. read

Businesses navigating the challenges of remote working in light of the Covid-19 outbreak should not overlook the importance of good data governance and retention policies and processes.

Knowing what data a business has, where and how it is held, and protecting the integrity of that data, is critical for businesses of all types. Businesses have a number of obligations in respect of the data they hold, from obligations under data protection legislation to regulatory obligations and agreements with contractual counterparties.

In addition, knowing your data and being able to swiftly preserve, collect and review it is critical if a dispute arises or the business is the subject of an investigation. Like many other aspects of commercial life, the impact of the Covid-19 pandemic makes this more challenging but there are steps businesses can take to minimise the risks.

Overview of practical steps

Businesses should, for example:

  • understand what data is generated by the various platforms and tools available to remote workers, and how this is stored, taking expert advice if necessary;
  • issue employees and other workers with clear but realistic policies and guidance as to the remote working tools they are permitted, and not permitted, to use, and as to how they should ensure data is appropriately captured by the organisation's centralised systems when using those tools which are permitted. Revisit data protection policies and practices, including in relation to 'Bring Your Own Device' (BYOD) to account for the potential use of personal devices for work purposes, to ensure they are fit for purpose. Consideration should also be given to how to monitor compliance with data-related policies in a way that is not overly intrusive;
  • ensure robust engagement terms are in place with those providers whose use the business has approved, including around the return of data;
  • audit where tools and platforms have deviated from those authorised for use by the business, and update policies and processes accordingly. This could be done by means of an electronic questionnaire sent to all employees asking what systems they have used, what documents they have and where they are;
  • seek expert input on the preservation, retrieval, collation and review of data generated through the use of newer, or less standard, tools such as Microsoft Teams or Zoom. This should ideally be sought on a proactive basis, before any dispute or investigation arises, but will certainly be essential as soon as it becomes apparent that, for example, a dispute may arise to which data created through the use of such tools might be relevant.
Businesses should assume that they will be expected to have rigorous procedures in place to capture and store data regardless of how it is created and where it is located, provided that it is within their control

Impact of Covid-19 on working practices

Even businesses with sophisticated disaster planning in place have been heavily impacted by the extent of the restrictions imposed in light of the pandemic and the speed with which they came into effect. Many businesses' disaster plans had not fully considered the impact of almost their entire global workforce being forced to work from home, with offices effectively out-of-bounds, and the resultant strain on their computer infrastructure. This pressure has been exacerbated by internet service providers, mobile data networks and established collaboration platforms themselves struggling to support the increased demands upon them.

The consequence in some instances is that employees, as they strive to keep the business running, have deviated from standard working practices, including using personal devices and accounts as well as new products and platforms which may not be centralised. An example is Zoom, a cloud based, cheap and user-friendly collaboration tool, which has been one of the most popular video-conferencing tools used during the current disruption. 

This is particularly important given the considerations that arise when collating data from third party software. Zoom is an apt example. Epiq, one of the UK's leading electronic discovery providers, makes the point that the ability to collect video and chat data depends upon whether Zoom's free or paid-for service was used, with collection being more straightforward where a paid-for account is used. Also, where a paid-for account is used, it is possible for the account owner or administrator to choose how long such data is stored for. If the default settings have been left unchanged, chat data is typically stored for two years and can be archived for up to 10 years. 

The importance of knowing your data

This emphasises both the importance of making choices about whether and how a tool is used upfront, and of detailed knowledge of what data has been captured, and where and how it is saved.

Leaving aside the privacy, transparency and data security concerns expressed in some quarters about Zoom and certain other products, businesses need to understand what tools their workforce may be using to communicate internally, with clients and with other third parties, and what, if any, data is created when using those tools.

From a litigation perspective, it must be remembered that the definition of a "document", to which obligations of preservation and ultimately of disclosure to the other side may apply, is extremely wide, encompassing anything on which information is stored and therefore including not just email but instant messages, voicemails and meeting recordings, to name a few examples. Disclosure obligations in English High Court litigation also extend not only to documents which are currently in an organisation's possession, but also to documents held by third parties, potentially including service providers, over which the organisation is considered to have "control" on the basis that they have a right of access.

If businesses justifiably wish to avoid potentially disclosable records being created in some sensitive circumstances, they should ensure that their employees have available to them, and are encouraged to use, effective channels of non-recorded communication. Their ability to do so will of course be subject to any statutory or regulatory record-keeping obligations.

On the other hand, where data is being generated and stored, businesses need to be aware of this and put processes in place to capture that data and, if necessary, bring it back into their centralised document storage systems.

If a business is unable to quickly and effectively preserve and collate the data over which it has possession or control and which is relevant to a dispute, when one arises, that may have a range of consequences. These may include: making it more difficult to assess the merits of a dispute and form an effective litigation strategy; increasing the costs of the disclosure process; breach of the business' obligations under court rules; being unable to establish key evidential points; and/or the court drawing adverse inferences from the absence of a relevant document when analysing the evidence. The integrity of a business' documentary record is of course also of vital importance in the context of an investigation. 

Ensuring data is captured by, or repatriated back into, centralised systems also has the important benefit of ensuring it is subject to whatever data retention periods and processes the organisation has put in place in respect of its data.

Guidance

Some of the steps involved may be as simple as recognising that personal devices are now being used in circumstances where they were not previously, and taking steps to allow these to connect to central systems while putting in place a suitable BYOD policy, or ensuring that hard copy notebooks used while working at home are brought back to the office when normal working arrangements resume. 

Even with more novel tools, with the right expertise it is possible to assess what data will be created and manage the risks accordingly. Clear guidance should be given to staff about the use of such tools and, where necessary, external input brought in to assist with data capture. Such input is likely to be essential in the event of a potential dispute or investigation, where expertise will be needed in collecting and processing new forms of data. 

The courts, regulators and law enforcement may show pragmatism where there are difficulties with assessing what relevant data exists, and/or retrieving that data, in respect of the period immediately following the imposition of Covid-19-related restrictions. These are unprecedented times and there is likely to be a level of understanding of the speed with which organisations have had to scale up agile working while managing multiple other priorities and risks. However, organisations will still need to be able to demonstrate a 'best efforts' approach - the pandemic will not provide a blanket excuse for non-compliance. 

Businesses should assume that they will be expected to have rigorous procedures in place to capture and store data regardless of how it is created and where it is located, provided that it is within their control. It would therefore be sensible to take early steps to ensure a policy regarding use of conferencing platforms, for example, so that data can be retained and accessed in the future.

Alex Keep and Fiona Henderson are specialist e-data advisers at Pinsent Masons, the law firm behind Out-Law.