Out-Law Analysis | 24 Apr 2020 | 3:12 pm | 6 min. read
Knowing what data a business has, where and how it is held, and protecting the integrity of that data, is critical for businesses of all types. Businesses have a number of obligations in respect of the data they hold, from obligations under data protection legislation to regulatory obligations and agreements with contractual counterparties.
In addition, knowing your data and being able to swiftly preserve, collect and review it is critical if a dispute arises or the business is the subject of an investigation. Like many other aspects of commercial life, the impact of the Covid-19 pandemic makes this more challenging but there are steps businesses can take to minimise the risks.
Businesses should, for example:
Businesses should assume that they will be expected to have rigorous procedures in place to capture and store data regardless of how it is created and where it is located, provided that it is within their control
Even businesses with sophisticated disaster planning in place have been heavily impacted by the extent of the restrictions imposed in light of the pandemic and the speed with which they came into effect. Many businesses' disaster plans had not fully considered the impact of almost their entire global workforce being forced to work from home, with offices effectively out-of-bounds, and the resultant strain on their computer infrastructure. This pressure has been exacerbated by internet service providers, mobile data networks and established collaboration platforms themselves struggling to support the increased demands upon them.
The consequence in some instances is that employees, as they strive to keep the business running, have deviated from standard working practices, including using personal devices and accounts as well as new products and platforms which may not be centralised. An example is Zoom, a cloud based, cheap and user-friendly collaboration tool, which has been one of the most popular video-conferencing tools used during the current disruption.
This is particularly important given the considerations that arise when collating data from third party software. Zoom is an apt example. Epiq, one of the UK's leading electronic discovery providers, makes the point that the ability to collect video and chat data depends upon whether Zoom's free or paid-for service was used, with collection being more straightforward where a paid-for account is used. Also, where a paid-for account is used, it is possible for the account owner or administrator to choose how long such data is stored for. If the default settings have been left unchanged, chat data is typically stored for two years and can be archived for up to 10 years.
This emphasises both the importance of making choices about whether and how a tool is used upfront, and of detailed knowledge of what data has been captured, and where and how it is saved.
Leaving aside the privacy, transparency and data security concerns expressed in some quarters about Zoom and certain other products, businesses need to understand what tools their workforce may be using to communicate internally, with clients and with other third parties, and what, if any, data is created when using those tools.
From a litigation perspective, it must be remembered that the definition of a "document", to which obligations of preservation and ultimately of disclosure to the other side may apply, is extremely wide, encompassing anything on which information is stored and therefore including not just email but instant messages, voicemails and meeting recordings, to name a few examples. Disclosure obligations in English High Court litigation also extend not only to documents which are currently in an organisation's possession, but also to documents held by third parties, potentially including service providers, over which the organisation is considered to have "control" on the basis that they have a right of access.
If businesses justifiably wish to avoid potentially disclosable records being created in some sensitive circumstances, they should ensure that their employees have available to them, and are encouraged to use, effective channels of non-recorded communication. Their ability to do so will of course be subject to any statutory or regulatory record-keeping obligations.
On the other hand, where data is being generated and stored, businesses need to be aware of this and put processes in place to capture that data and, if necessary, bring it back into their centralised document storage systems.
If a business is unable to quickly and effectively preserve and collate the data over which it has possession or control and which is relevant to a dispute, when one arises, that may have a range of consequences. These may include: making it more difficult to assess the merits of a dispute and form an effective litigation strategy; increasing the costs of the disclosure process; breach of the business' obligations under court rules; being unable to establish key evidential points; and/or the court drawing adverse inferences from the absence of a relevant document when analysing the evidence. The integrity of a business' documentary record is of course also of vital importance in the context of an investigation.
Ensuring data is captured by, or repatriated back into, centralised systems also has the important benefit of ensuring it is subject to whatever data retention periods and processes the organisation has put in place in respect of its data.
Some of the steps involved may be as simple as recognising that personal devices are now being used in circumstances where they were not previously, and taking steps to allow these to connect to central systems while putting in place a suitable BYOD policy, or ensuring that hard copy notebooks used while working at home are brought back to the office when normal working arrangements resume.
Even with more novel tools, with the right expertise it is possible to assess what data will be created and manage the risks accordingly. Clear guidance should be given to staff about the use of such tools and, where necessary, external input brought in to assist with data capture. Such input is likely to be essential in the event of a potential dispute or investigation, where expertise will be needed in collecting and processing new forms of data.
The courts, regulators and law enforcement may show pragmatism where there are difficulties with assessing what relevant data exists, and/or retrieving that data, in respect of the period immediately following the imposition of Covid-19-related restrictions. These are unprecedented times and there is likely to be a level of understanding of the speed with which organisations have had to scale up agile working while managing multiple other priorities and risks. However, organisations will still need to be able to demonstrate a 'best efforts' approach - the pandemic will not provide a blanket excuse for non-compliance.
Businesses should assume that they will be expected to have rigorous procedures in place to capture and store data regardless of how it is created and where it is located, provided that it is within their control. It would therefore be sensible to take early steps to ensure a policy regarding use of conferencing platforms, for example, so that data can be retained and accessed in the future.
Alex Keep and Fiona Henderson are specialist e-data advisers at Pinsent Masons, the law firm behind Out-Law.
16 Mar 2020