Guide 1 - E-mail

Transmission of personal data by e-mail

1. Introduction

E-mail is not a safe way of sending details of, or opinions about, a person. Messages can easily be intercepted as they pass through the internet, either accidentally by others or deliberately by hackers, and a mistyped or mis-selected e-mail address can result in someone receiving a message which was not intended for them. The only safe way to send personal data by such means is to encrypt it, unless the data subject has given their informed consent to an unencrypted transmission.

2. Will a disclaimer safeguard my messages?

Although they are used quite widely, disclaimers are of doubtful legal value and may lead to a false sense of security: a disclaimer does nothing to protect the message itself, and you may in fact be breaching the Data Protection Act by transmitting personal data without adequate protection.

3. Does the Data Protection Act impose any constraints on the retention of e-mails?

By retaining or storing e-mails containing personal data you are said to be processing it and are thus required to comply with the Act, just as you are if you hold a database of data about people. From October 2001 this applies equally to e-mails which have been printed off, if the printed copies are retained in a structured fashion.

Hence you are required to comply with the eight Data Protection Principles: to obtain and process the data fairly and lawfully, and to have a purpose for doing so. The data held must be only that which is sufficient for the purpose, must be accurate, must be retained only for as long as is necessary for that purpose and must be kept securely.

You should bear in mind that, with a few exceptions, the Data Subject has a right to know what data is held about them and for what purpose, a right to prevent such processing if it is likely to cause substantial damage or distress, and a right to prevent processing for the purposes of direct marketing.

4. Do I need to register the fact that I am holding e-mails containing personal data?

If you are retaining that personal data for a purpose then you should register that purpose with your Departmental/Divisional Data Protection Co-ordinator. If you cannot justify that purpose to the subject(s) of the data you should not be retaining it. If, however, you are simply holding a mass of e-mails in which the only personal data is the identity of the sender, this need not be registered unless you intend to process the messages by reference to a particular sender in order to find out something about that person. Whether registerable or not, you should review your holding regularly and delete those e-mails you have no purpose in retaining. By retaining them you run the risk of being accused by a Data Subject of processing for a purpose not disclosed to them.

5. Once I have deleted e-mails containing personal data am I clear of compliance with the Data Protection Act?

Not necessarily. Even though deleted from a live system, the e-mails will still be caught by the Act if they can be recovered before final destruction, for example by the systems administrator from a server backup or from a mailbox that has not yet been purged. The Data Subject will still have a right of access to data held in this form.

6. Are there any restrictions on disclosing personal data in response to a Subject Access Request?

You do not need to respond to a direct request to you from a Data Subject. There is a formal procedure by which a Data Subject must make a Subject Access Request (SAR), and this must be done through the College Data Protection Officer, who has to assess the justification for the request. By their very nature, e-mails are likely to contain personal data relating to third parties (e.g. where a member of staff has sent personal data about one or more students to the Head of Department). The Act prohibits the disclosure of information relating to an individual other than the Data Subject unless that individual has consented to the disclosure, or it is reasonable to disclose it without such consent, taking into account the confidentiality owed to that individual, any difficulty in obtaining that consent and any express refusal of consent by that individual.

7. Do others have a right to look at e-mails received by me or copies of those sent by me and held on my computer?

The College does not have a right to look at the contents of e-mails under the Data Protection Act 1998. However, under the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000, made under the Regulation of Investigatory Powers Act 2000 (RIPA), the College has a right to intercept and monitor electronic communications in order to detect criminal or unauthorised use of, and threats to, its systems. As mentioned above, an individual can make a subject access request under the Data Protection Act to see copies of any e-mails which are held and which refer to them. Consequently they will be able to view any e-mails sent or received which refer to them and which are held on College servers and networks.

8. Using personal e-mail accounts to conduct College business

The College needs to be able to monitor effectively the work carried out by individuals in their professional capacity and the decisions that they have made. It also needs to ensure the integrity and security of this data and the College's compliance with the Data Protection Act. As a result, personal e-mail accounts should not be used for processing personal data to carry out College business. If a member of staff nevertheless uses a personal e-mail account to conduct College business, or to refer to individuals in the context of the College's business, they should be aware that they may be required to produce any such e-mails in the event of a subject access request being made in respect of them.