
Privacy Laws and Business International Report


New guide: e-mail subject to data protection law [2000] PLBIRp 10; (2000) 52 Privacy Laws and Business International Report 17


SENDING ELECTRONIC MAIL falls under the UK data protection law when messages include personal information, or where the sender or the recipient of the message is identifiable. Also, the monitoring of employees' e-mail can be unlawful if not conducted in compliance with data protection principles.

The UK Data Protection Act 1998 will bring all data processing, which specifically includes processing other than by reference to the data subject, under the law for the first time. This means the Act applies not only to e-mail including personal data in the address or the content of the message, but also to e-mails from which individuals may be identified. However, existing processing other than by reference to the data subject is exempt until 23rd October 2001.

New guidance published by the British Standards Institution/DISC on how to develop an e-mail policy suggests that many people use e-mail inappropriately, and organisations should adopt clear guidelines on e-mail use and management. The guidance, developed in co-operation with the Office of the Data Protection Registrar (ODPR), advises that personal information in e-mails should be treated the same way as other personal data within an organisation. This means complying with all the data protection principles.

SUBJECT ACCESS TO E-MAIL

Organisations must be prepared to provide subject access to e-mail records should it be requested. This raises the question of how long e-mail messages should be stored. The ODPR is likely to publish further guidance on subject access to back-up data later.

The authors of the BSI report, Professor Charles Oppenheimer and Dr J. Eric Davies, recommend that organisations use notices at the end of e-mail messages indicating what is done with the messages and the rights of data subjects. These warnings or disclaimers are already used by a number of companies. They generally specify the extent of responsibility the organisation is willing to take for e-mail accuracy or completeness.

SECURITY IS A NECESSITY

Complying with the security principle of the Act may require using an encryption technique and a back-up system. Organisations should be able to maintain the confidentiality of e-mails received or sent. This requires preventing unauthorised access, destruction or alteration of the data.

Further considerations include transferring data outside the European Union. It is suggested that no personal data should be included in e-mails without explicit consent, unless the employer is certain that no one outside the EEA can gain access to the data, or that the data is completely innocuous.

WORKERS MAY OBJECT TO MONITORING

The monitoring of employees' e-mail is subject to data protection principles. Employers should inform their staff if they conduct such monitoring. They must also state the purpose of monitoring, and whether data will be passed to third parties. While it is not unlawful to monitor employees' e-mail, any covert monitoring is likely to breach the first data protection principle of fair processing.

Employees have the right to object to monitoring of their e-mail if it causes them distress or damage. However, employers may justify monitoring if crime is suspected.

Other aspects of e-mail use that are addressed in the guide include mass electronic mailing, staff training and awareness, and e-mail management regimes.

Also included is a fictional case study of developing a company e-mail policy statement. Such a policy might, for example, give guidance on copying and forwarding messages within an organisation, and making a distinction between private and confidential messages.

The guidance was published at the end of January. It is available from the British Standards Institution, 389 Chiswick High Road, London W4 4AL, Tel: + 44 (0)208 996 9000, Fax: + 44 (0) 208 996 7400, Internet: http://www.bsi.org.uk/disc.

The guide is free for subscribers to the DISC Guides on Data Protection. It is also available to buy separately for £35.


URL: http://www.worldlii.org/int/journals/PLBIRp/2000/10.html