The recent case of Ocado v McKeeve highlights the importance of maintaining proper data retention policies so employees have a clear understanding of the procedures they need to follow.
Search orders and disclosure in litigation should always be borne in mind. Here, Deborah Ruff, Head of International Arbitration, Charles Golsong, Counsel, and Charlotte Stewart-Jones, Associate, at Pillsbury Winthrop Shaw Pittman LLP, explains more.
What are search orders?
Search orders are a form of injunction. Akin to measures available in criminal proceedings, they require a defendant to legal proceedings to allow the claimant’s representatives to enter (unannounced and usually at dawn) the defendant’s premises and search for, copy and seize documents and other materials.
What is disclosure?
Disclosure requires parties to make available to each other evidence which either supports or undermines the parties’ cases. Each party makes requests of the other which must then (subject to limited grounds whereby documents or parts thereof can be withheld from disclosure) disclose the documents, even where these are harmful to its case.
Failure to comply with search orders and/or disclosure can lead to sanctions, including contempt of court, a finding of which can result in a prison sentence.
What happened in Ocado v McKeeve?
A co-founder of Ocado, Mr Faiman, left the business in 2010. Mr Faiman subsequently incorporated Project Today Holdings Limited, which was intended to compete with Ocado.
Mr Faiman had been in contact with a senior employee of Ocado, Mr Hillary, while engaged in discussions with Waitrose and Marks & Spencer. Ocado had a pre-existing relationship with the former and was engaged in negotiations with the latter. Mr Hillary subsequently resigned from Ocado and accepted a role with Today. He was placed on gardening leave by Ocado a week after he resigned but remained an employee of Ocado.
Ocado obtained a search order in support of proceedings against Today, Mr Faiman, and Mr Hillary concerning allegations that Mr Hillary had provided confidential information to Today and/or had been working for Today while still employed by Ocado.
Shortly after the search order was served on Mr Faiman, he contacted his solicitor, Mr McKeeve. Mr McKeeve spoke to his client briefly and to the supervising solicitor. Following that conversation, Mr McKeeve sent a message saying “burn it” to Today’s IT manager on an application called 3CX. Mr McKeeve followed up this message with a phone call to Today’s IT manager to confirm that he wanted him to delete the 3CX application. The IT manager carried out this instruction and the 3CX application and its contents were irretrievably destroyed.
Although he had not seen the search order and was not a respondent to it, Mr McKeeve was nevertheless found to be in contempt of court. As a result of his intervention, the 3CX application had been irretrievably destroyed. Finding that his act had not been inspired by a conspiracy, the judge considered that Mr McKeeve’s actions were a “spontaneous act of colossal stupidity”, and the judge found that Mr McKeeve knew that the purpose of the search order was to require a search of the application to be carried out and that his intention had been to prevent it being searched. He thus interfered with the due administration of justice.
A judge will decide on the potential sanction later this year, which may include a custodial sentence.
Ensuring compliance with data obligations
This case demonstrates the importance of having effective data procedures in place. Human judgement can be impaired in stressful situations, and, in the absence of clear guidance, individuals may react improperly, which can have serious repercussions for the organisations and individuals involved. To mitigate this risk, organisations should have clear data retention policies which address how employees should manage data held by the organisation from creation until disposal. Employees should be given training to ensure they are familiar with the policies and have a clear understanding of what action must (and must not) be taken.
Data retention policies can assist organisations to comply with their legal and regulatory obligations, which may include the following:
Litigation
The Civil Procedure Rules require a person who knows that it is or may become party to proceedings to take reasonable steps to preserve documents in its control that may be relevant to any issue in the proceedings (paragraph 3.1 of Practice Direction 51U).
Regulatory requirements
Organisations and persons operating in regulated professions are likely to be subject to additional obligations to preserve data and will need to ensure compliance with those requirements.
Data protection
The retained version of the General Data Protection Regulations and the Data Protection Act 2018 impose legal obligations on data controllers. Data retention policies can help organisations demonstrate compliance with principles of data minimisation and storage limitation (although additional data protection policies, including an appropriate policy document will be required to ensure full compliance with the GDPR and DPA).
The Companies Act 2006:
The Companies Act 2006 requires companies to keep certain records, including minutes of all meetings of directors, which must be kept for at least 10 years from the date of the meeting (section 248).
The Act also requires companies to keep records of resolutions passed by members of the company, minutes of general meetings and records of decisions by a sole member, which must be retained for a period of at least 10 years from the date of the resolution, meeting or decision (sections 355 and 357), as well as accounting records (section 386) and copies of instruments creating or amending charges (section 859P).
Tax
Companies are required to keep adequate records to comply with tax requirements and to provide documents or information requested by HMRC.
Data retention best practice
Data retention policies can also assist organisations with general efficiency and good practice by ensuring relevant data is properly retained and therefore available when needed and that unnecessary and irrelevant data is not retained unnecessarily. Data retention policies should be reviewed and, if necessary, amended to reflect changes in circumstances and potential risks and compliance should be monitored.