Document management: electronic developments

Courts and regulatory bodies are beginning to recognise the value of electronic documents in litigation and investigations, making it increasingly important for organisations to take control of all of their documents.

In law, “document” means far more than a piece of paper containing information. It includes anything on which information of any description is recorded – for example, tape recordings, videos, any kind of electronic document (including deleted information and metadata) and other softcopy material. A vast number of documents will, therefore, exist within an organisation on its servers, individual computers, laptops, printers, modern photocopiers, PDAs, exchange servers, back up tapes and various other media.

It is estimated that 36 billion e-mails will have been sent each day in 2005. E-mail and other electronically generated information now comprise the vast majority of all documents produced (many of them never printed). Therefore, traditional paper based document management systems are unlikely to be effective.

Disclosure obligations in disputes

Few businesses choose to engage in commercial disputes. At times, however, it is unavoidable, and in large organisations disputes will require active and ongoing management. Various things influence the time and cost incurred in disputes, but the organisation’s approach to document management is likely to be a major factor. Commercial disputes can be document-heavy affairs, where parties can seek wide-ranging disclosure from their opponents. A party in litigation is required to conduct a reasonable search of its documents. What is reasonable will depend upon the particular dispute: the number of documents involved, the nature and complexity of the proceedings, the ease and expense of retrieving any particular document, and the significance of any document that is likely to be located during the search.

Searches for electronic documents are becoming increasingly common in litigation. The Civil Procedure Rules of the English Courts have recently been amended to address specific issues of electronic disclosure: parties in litigation should now discuss issues relating to searches for, and the preservation of, documents at an early stage, and will be expected to identify searches that have been carried out for electronic documents during the disclosure stage. These searches can be time-consuming and can involve IT consultants taking forensic copies of servers, laptops and other media in search of material that must then be reviewed by the lawyers. Searches are often limited to directly accessible data, but in some disputes a party may be required to extend the investigation to metadata (which is not usually visible when printed but can normally be viewed on-screen), temporary or automatic back-up files that allow recovery after computer malfunction, back-up data and material deleted but still recoverable. This can add substantially to the volume of material to be considered by the lawyers.

Disclosure is not confined to litigation: many regulatory authorities have wide-ranging powers to require production of documents; individuals can exercise rights of disclosure relating to personal data under the Data Protection Act 1998; and public authorities and their agents can be required to disclose information under the Freedom of Information Act 2000.

A cradle to grave policy

The costs associated with disclosure of documents in litigation or otherwise can be extensive and potentially irrecoverable, so organisations need to be in full control of the exercise. To be in a position to do so requires control of their creation, use, retention and destruction: a “cradle to grave” document management policy.

An effective policy should:

• not hinder the efficient flow of information to and from decision-makers.
• reduce the generation and flow of otiose information, so as to avoid wasting resources.
• be tailored to reflect the nature and circumstances of the organisation, taking into account industry standards, the legislative and regulatory environment the organisation operates in, and the organisation’s own structure and geographical reach.
• be applied throughout the organisation consistently from top to bottom.
• not be so complicated that it will interfere with the day-to-day operation of the organisation’s business (and therefore not be followed).
• operate in a way as to maintain rights of legal professional privilege or litigation privilege on which the organisation may need to rely.
• ensure confidential information is appropriately treated.

Creating documents

The starting point is to control the creation of documents. This means creating a culture in all parts of the organisation under which, as far as possible, everyone capable of creating a document of any significance knows what the purpose of the document is, who should create it, and whether it should be created as a document at all.

These fundamental protections should be supported by some basic rules, such as:

• confining the content to facts – avoiding giving opinions.
• avoiding slang, ironic or emotional language and personal criticism.
• avoiding casual and/or unnecessary criticism of the company’s policies, procedures and acts.
• circulating the document only to those who need to see it.
• never using e-mail where oral communication will do – the e-mail is a permanent record.
• when e-mailing, never using “reply to all” without careful consideration of all the addressees.
• never allowing inaccuracies to go uncorrected – it is very difficult to explain in proceedings several years later that something was incorrect that was not rectified at the time.

More stringent standards will be required for risk areas, such as those parts of the business where review and comment on an organisation is likely to be made. Legal matters, audit, risk management and compliance will all be risk areas. Additional measures may include:

• restricting the creation of documents.
• adopting a system of marking or classification to identify the provenance of documents.
• using closed or secure IT systems that cannot be accessed by other parts of the organisation.
• marking documents “privileged and confidential” where appropriate.
• ensuring that general commercial communications are not mixed up with legal, audit, compliance or other risk communications within single documents or, as far as possible, within files.
• consulting the organisation’s in-house lawyers before creating any potentially prejudicial documents.
• referring to the organisation’s lawyers whenever litigation is reasonably in prospect or an internal investigation is being considered.

Organisations should also prepare communications protocols in advance that can be implemented immediately at times of crisis. Under such a protocol, the circulation of documents should be more tightly controlled and overseen: for example, by appointing a specific committee through which all communications must pass. The committee should include at least one lawyer, which should maximise the prospect of gaining the protection of legal professional privilege (in particular litigation privilege) in relation to communications with the committee.

Establishing the right culture is easier said than done. It requires constant reinforcement through training, and through management leading by example at all levels. The procedures should be clearly and succinctly set out in the organisation’s risk management manual, and any breaches should be treated as disciplinary matters. To some extent technology can help (using automated pop-up reminders on computers, for example), but these devices can lose their effect quickly. Therefore, any automated procedures to support a document management policy may need to be regularly reviewed and refreshed.

Control

Once a document exists, it is a question of controlling its use and circulation. Electronic documents are by far the most problematic. They might be stored on a wide variety of electronic media, many of which may not be caught by traditional document management procedures. Putting printed-out e-mails in a master file is not enough on its own (and may be unpopular or unworkable for businesses that adopt flexible working procedures, like home-working or hot-desking, where the creation of paper files may be discouraged).

Automated deletion of unarchived e-mails will go some way to controlling e-documents and will discipline users into adhering to archiving systems. With other e-documents, there are various document management software programmes that can employ a variety of security measures. Routine use of access restriction and password protection within these programmes will also help. Of course, the relationship between a document management system and an organisation’s IT systems and architecture needs careful consideration, with input from IT personnel.

Specific measures should also be taken with high-risk documents. Legal documents should always be kept wholly separate from commercial documents and, where appropriate, clearly marked as privileged, so as to avoid any chance of inadvertent disclosure. Similar practices should also be adopted for confidential information and any material that a company is under any legal obligation to retain.

From a practical perspective, the spreading of (electronic and hard copy) documents relating to a particular project across offices, jurisdictions and media is likely to lead to potentially costly disclosure in subsequent litigation or regulatory investigations, due to the potential scope of searches that may be required. A document management system that retains all documents in a small number of central sources could have a profound impact on the cost of disclosure in subsequent litigation or investigations if a party can access and retrieve with reasonable certainty all or almost all of the potentially relevant documents from those sources.

Retention and destruction

Most businesses will already be operating some form of document retention and destruction programme. Many of them are paper-oriented and overlook the storage of documents on IT systems. It is essential to involve IT staff in order to understand the potential sources of documents and what steps might be taken to ensure that, when documents are due for destruction, all the electronic versions are also removed from a company’s main IT system and any back-up systems.

The document retention policy must ensure that the organisation complies with its legal obligations to retain or destroy specific documents. Under the Companies Act 1985 and other legislation, for example, companies are required to keep certain documents for certain periods – in some cases, for as long as the company exists. Under the Data Protection Act, in contrast, relevant data must not be retained longer than is necessary.

There will be many categories of documents that fall outside any specific legal obligations. In these cases, retention periods tend to be based on the relevant legal limitation periods, which can vary from one year (in the case of, for example, defamation) to fifteen years. But it is not always easy to work out from when the limitation period starts to run, and the date of creation of the document may have no bearing on the limitation periods for actions to which the document relates. In contract law, for example, the limitation period is six years from the breach of contract or when the right to claim arises (12 years if the document is a deed). Limitation periods for actions based in tort can in some cases run from when the damage occurs, which can be much later than the event leading to the damage. With some actions – particularly those involving duties of trustees – there are no limitation periods. Careful analysis is needed before any potentially significant material is destroyed. Some documents will undoubtedly need to be retained for long periods and perhaps indefinitely (for example, documents of title and other legal instruments that the organisation would rely on to establish its rights against others). But it may be possible to destroy background material much earlier.

Factors to take into account include:

• the contract or project value, and the risks associated with the specific contract or project.
• the quantity of documents involved and the cost of retention.
• the likely cost of retrieving, searching and disclosing the documents.
• the potential value of the documents in relation to other contracts or projects.
• the possibility of proving or disproving facts in proceedings in some other way.
• industry standards.
• whether destruction would jeopardise insurance cover, or whether cover makes retention unnecessary.

When litigation is threatened

In recent years, document retention and destruction policies have been the subject of scrutiny and judicial comment in proceedings in Australia, the US and England.

As a general rule, the key question is whether material has been destroyed before litigation has been anticipated or commenced, and as part of a systematic and consistently applied procedure. If so, it is unlikely that in subsequent litigation a court would find that there had been a contempt of court or an attempt to pervert the course of justice, but it is possible for adverse inferences to be drawn when documents that might be relevant in proceedings turn out to have been destroyed.

If the destruction of documents (or failure to comply with orders for disclosure) has occurred after the commencement of litigation, in England the court might penalise a party by making cost awards against it. Also, individual parties (and their advisers) may be held in contempt of court. The sanction of striking out a party’s case is also available but would only be appropriate if the prejudice caused to the other party was such that it would be unsafe to proceed with a trial.

Provided that measures are put in place for the immediate suspension of any document destruction policy if litigation or regulatory proceedings or investigations are anticipated or commenced, an organisation that applies a document destruction policy in good faith is unlikely to be substantially disadvantaged as a result of destroying documents – and the advantages may well significantly outweigh any possible disadvantages.