Transmission of personal data by e-mail

Introduction

E-mail is not a safe way of sending details of or opinions about a person as they can easily be intercepted as they pass through the internet, either accidentally by others, or deliberately by hackers. Also, incorrect use of an e-mail address can result in someone receiving a message which was not intended for them. The only safe way to send personal data by such means is by using encryption techniques.

Will a disclaimer safeguard my messages?

Although they are used quite widely, a disclaimer is of doubtful legal value and may lead to a false sense of security, whilst in fact you may be breaching the General Data Protection Regulation (GDPR) by transmitting personal data without adequate protection.

Does the GDPR impose any constraints on the retention of e-mails?

By retaining/storing e-mails containing personal data you are said to be processing it and thus are required to comply with the GDPR, just as you are if you are holding a database of data about people. This applies equally to e-mails which have been printed off if they have been retained in a structured fashion. Hence, you are required to comply with the GDPR data protection principles and thus to obtain and process the data fairly and legally and to have a purpose for doing so. The data held must be only that which is sufficient for the purpose, be accurate, retained only for as long as is necessary for that purpose and kept safely. You should bear in mind that, with some exceptions,  data subjects have the right to withdraw consent where that is the legal basis of processing, access the personal data that the College processes, rectify inaccuracies in personal data that the College holds about them, be forgotten, that is their details to be removed from systems that the College uses to process their personal data, restrict the processing in certain ways, obtain a copy of their data in a commonly used electronic form and object to certain processing of their personal data by the College.

What guidance is there for use of emails?

The College has an Email Code of Practice which can be viewed here. ICT also provide guidance for email usage via the self service area.  Furthermore, if you are looking to email individuals and need to protect their email address from being viewed by other recipients the associate guidance document ‘Email invites - How to protect personal data’ will assist.

Once I have deleted e-mails containing personal data am I clear of compliance with the GDPR?

Not necessarily. Even though deleted from a live system, the e-mails will be caught if they can be recovered by, say, the systems administrator before final destruction. The data subject will still have a right of access to data held in this form.

Are there any restrictions on disclosing personal data in response to a Subject Access Request?

You do not need to respond to a direct request to you from a data subject (also known as a subject access request or SAR). There is a formal process by which a data subject must make a SAR and this must be done through the College Data Protection Team who will assess the justification for the request. By their very nature, e-mails are likely to contain personal data relating to third parties (e.g. where a member of staff has sent personal data about one or more students to the Head of Department).The GDPR prohibits the disclosure of information relating to an individual other than the data subject, unless that individual has consented to the disclosure or it is reasonable to do so without such consent being given, taking into account the confidentiality owed to that individual, any difficulty in obtaining that consent and any express refusal of consent by that individual.

Do others have a right to look at e-mails received by me or copies of those sent by me and held on my computer?

The College does not have a right to look at the contents of e-mails under the GDPR but, under the Lawful Business Practice Regulations 2000, promulgated in accordance with the Regulation of Investigatory Powers Act 2000 (RIPA), the College has a right to intercept and monitor electronic communications to detect criminal or unauthorised use of and threats to the system. As mentioned above, an individual can make a subject access request under the GDPR to see copies of any emails which are held which refer to them. Consequently they will be able to view any emails sent or received which refer to them and which are held on College servers and networks.

Using personal emails to conduct College business

The College needs to be able to effectively monitor work carried out by individuals in their professional capacity and the decisions that they have made. It also needs to ensure the integrity and security of this data and the College's compliance with the GDPR. As a result, personal email accounts should not be used for processing personal data to carry out College business. In the event that a member of staff uses their personal email account to conduct College business or to refer to individuals in the context of the College's business, they should be aware that they may be required to produce any such emails in the event of a subject access request being made in respect of those emails.