Email Retention, Archiving & Mailbox Responsibility Terms
Chill CIC (domain: chilluk.org)
Effective date: 1 September 2021
1) Purpose and scope
These Terms set out the responsibilities of individuals using an @chilluk.org email account for the saving, retention, and archiving of emails. They apply to all directors, staff, contractors, and volunteers (“Users”).
Because email may contain personal data, Users must comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018).
2) Ownership and responsibility
- Each User is solely responsible for the proper saving, management, and archiving of their own mailbox, including sent and received emails.
- Chill CIC provides the @chilluk.org address, but does not accept liability for any loss of data, missed archiving, or failure by a User to store emails in line with these Terms.
- Users have no expectation of privacy in their Chill CIC mailbox beyond what is required by law. Access may be monitored or delegated if legally or operationally required.
3) User responsibilities
Each User must:
- Ensure all business-related emails they send or receive through @chilluk.org are properly saved and, where necessary, archived in an approved location (e.g., cloud storage, case folder, or designated archive tool).
- Delete transitory or unnecessary emails when no longer required.
- Avoid forwarding work emails to personal accounts or third-party systems.
- Maintain their inbox so records are retrievable for business or legal purposes.
- Respond promptly to any request for information, deletion, or preservation (e.g., Subject Access Request, legal hold).
- Properly manage all contacts within their mailbox (including the inbox, sent items, and subfolders). This includes ensuring that personal data contained in contact records, address books, or distribution lists is accurate, kept up to date, and deleted when no longer required, in line with UK GDPR and these Terms.
Failure to do so may be considered a breach of both these Terms and UK data protection law.
4) Chill CIC’s role
Chill CIC will:
- Provide Users with an @chilluk.org email address and guidance on data protection compliance.
- Issue periodic instructions on retention, deletion, and archiving standards.
- Reserve the right to access mailboxes for legal, operational, or compliance reasons.
Chill CIC is the data controller for personal data processed via its domain but does not undertake the day-to-day responsibility for saving or archiving individual mailboxes.
5) Data protection and retention
- Under the UK GDPR and DPA 2018, personal data (including in emails) must not be kept longer than necessary.
- Users must apply the storage limitation principle by deleting or archiving emails according to the guidance provided.
- No email should remain in a mailbox longer than 2 years from the date sent or received.
6) Legal holds & investigations
Where litigation, an investigation, or a data subject request is received, Chill CIC may issue a legal hold. Users must preserve all relevant emails and suspend deletion until instructed otherwise.
7) Security
Users are responsible for:
- Protecting mailbox access (e.g., strong passwords, MFA).
- Ensuring archived data is stored securely and not exported to unauthorised systems.
- Reporting suspected breaches or loss of access immediately.
8) Off-boarding
When a User leaves Chill CIC, they must:
- Ensure all business-related emails are archived or transferred to a designated repository.
- Understand that their mailbox may be closed after departure, with no guarantee of continued access.
9) Enforcement
Breach of these Terms may result in disciplinary or contractual action, and where applicable, reporting to the ICO.
10) Changes to these Terms
Chill CIC may update these Terms to reflect law, guidance or technical changes. Material changes will be communicated to Users.
11) Legal note
This policy is provided for compliance and governance. It does not replace legal advice. For specific cases, consult a solicitor.
Appendix — Email Retention & Archiving Schedule
Responsibility: Each individual User of an @chilluk.org mailbox is responsible for ensuring compliance with the retention standards below. Chill CIC provides the address but does not take responsibility for archiving, saving, or long-term storage of messages.
Contact data responsibility: Each User is responsible for reviewing and maintaining all saved contacts within their mailbox. Outdated or unnecessary contacts must be deleted, and personal data must not be retained beyond what is necessary for business purposes.
General principle
- No email should be kept longer than 2 years from the date sent or received.
- Users must regularly review their inbox, folders, and archives to ensure compliance.
- Where an email must be retained for business or legal reasons, it should be moved to an approved archive location (not left indefinitely in the live mailbox).
Retention periods
| Category | Examples | Maximum retention | User action |
|---|---|---|---|
| Routine correspondence | Meeting invites, updates, newsletters, informal notes | Delete within 12 months | Delete once no longer needed |
| General business communications | Project updates, client enquiries, standard admin | Keep max 2 years | Archive or delete at 2-year mark |
| Contracts & agreements (and related emails) | Negotiation, signed terms, variations | Keep max 2 years unless separately filed in official records | Move copies to shared folder/approved archive |
| Finance & accounting support | Invoice emails, receipts, PO confirmations | Keep max 2 years | Export or file with finance system, then delete |
| HR communications | Recruitment, employment, volunteer admin | Keep max 2 years | File in HR system if required, then delete |
| Sensitive personal data | Medical, safeguarding, personal circumstances | Delete as soon as processed; never exceed 2 years | Store only where legally required and in secure archive |
| Leaver/role closure | Departing staff mailboxes | Mailbox closed immediately; all emails reviewed & archived within 1 month, then mailbox deleted | User (before leaving) must file/archive required emails |
Additional rules
- Legal hold: If a User is informed that certain emails must be preserved (e.g., investigation, SAR, litigation), the 2-year limit is temporarily suspended until the hold is lifted.
- Personal copies prohibited: Users may not create personal, unencrypted archives (e.g., PST exports on a home device).
- Shared responsibility: If more than one person uses a shared mailbox, the nominated mailbox owner is accountable for ensuring compliance.
Enforcement
Failure by Users to manage their inbox in line with these retention rules may:
- Breach the UK GDPR storage limitation principle.
- Expose Chill CIC to regulatory or legal risk.
- Lead to disciplinary or contractual action.











