Tim,

As well as the DPA implications, you need to check out the Regulation of
Investigatory Powers Act (and specifically the Lawful Business Practice
Regulations) as redirecting someone's mail to a third party is an
interception within the definition of that Act. As I read it, you'd need to
have a business reason to do it that was proportionate to the potential
loss of privacy. There are other conditions as well, but from the sound of
it you've already met those. Having re-read it this morning, I also found
the OIC draft code on employee relations (section on monitoring) helpful.

Rather than cutting and pasting the URLs for the Act and Regulations, you
can find them at http://www.ja.net/CERT/JANET-CERT/regulation/

Cheers
Andrew

At 14:27 28/03/02 +0000, Trent,Tim wrote:
>I was posed a question today. One that has data protection implications
>though is covered mostly under internal policies.
>
>Background:
>
>* An employee is on long term sick leave and is incapable of granting
>any consent to anything because of the medical condition. No powers of
>attorney exist. No-one is empowered to give personal consent on behalf of
>that employee.
>* The employee's company email account is locked against other
>people's use as a matter of policy, and no "delegated powers" have been
>granted by that employee to any other person. Perhaps a sin of omission,
>perhaps on purpose.
>* Corporate policies state that email may be MONITORED. They do NOT
>state that a mailbox may be entered.
>* Private use of corporate email is neither permitted nor prohibited.
>It simply happens.
>
>Problem:
>
>The team within which the employee works wishes for access to the employee's
>email box, and wishes to set up rules such that ALL emails that come in are
>redirected to a nominated person. Policies are in place internally which
>prohibit this in all cases except by authorisation of more than one senior
>person, at least one of whom is not directly connected with that business
>unit.
>
>In itself that request is reasonable, and would be totally reasonable if
>personal use of the email account were not tacitly allowed. However the
>personal use makes us consider that there are both moral and legal risks. A
>situation MIGHT be as follows:
>
>Begin awkward situation:
>An incoming email in the newly entered mailbox reveals the employee to have
>an unusual sexual predilection, and even declares undying love for that
>employee. It is sent by another employee. Research into the email audit
>trail by gossip hungry colleagues reveals a long term affair of a less than
>conventional type and a gossip trail starts. Reputations are damaged.
>End awkward situation
>
>My question is about how much if any of this is affected by Data Protection
>legislation. I have deliberately posed a personal and sexual situation here
>as an example of the "worst" outcome that I can see. Alternative ones might
>reveal things like dishonesty, alleged or real.
>
>I must say CLEARLY that the putative situations in this email do not apply
>to the situation we are considering, and that the employee on long term sick
>leave may or may not be an exercise to illustrate a point internally.
>_____________________________________________________________
>Tim Trent
>Director of Database Marketing; Chief Privacy Officer EMEA
>> Gartner
>EMEA Marketing, Tamesis, The Glanty, Egham, Surrey, United Kingdom,
>TW20 9AW
>Switchboard +44 (0)1784 431 611, Direct Line +44 (0)1784 267 335, Mobile +44
>(0)7710 126 618
>Visit our home on the web: http://www.gartner.com
>
>The opinions expressed in this message are my own, and may or may not
>reflect those of my employer. They are expressed as a part of the
>discussion on the JISCMail mailing list on data protection and for no other
>purpose. They have no legal standing and are offered as part of informed
>and informal discussion. They may NOT be attributed to Gartner in any way.
>Any personal data provided is provided expressly for use of discussions on
>the JISCMail Data Protection Discussion list. Under the UK Data Protection
>Act 1998 I expressly forbid any individual or organisation to make
>commercial use of my data published either on the email list or in the
>archives of that or other lists whether this message appears or not. This
>includes messages already published in the archives.
>
>^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> All archives of messages are stored permanently and are
> available to the world wide web community at large at
> http://www.jiscmail.ac.uk/lists/data-protection.html
> If you wish to leave this list please send the command
> leave data-protection to [log in to unmask]
> All user commands can be found at : -
> www.jiscmail.ac.uk/user-manual/summary-user-commands.htm
> (all commands go to [log in to unmask] not the list please)
>^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
--------------------------------------------------------------
Andrew Cormack
Chief Security Advisor, JANET-CERT
UKERNA, Atlas Centre, Chilton, Didcot, Oxon. OX11 0QS
Phone: 01235 822 302 E-mail: [log in to unmask]
Fax: 01235 822 398