I think we come down to the spirit and letter of the law.

It is incumbent of a Data Controller to have policies which direct its staff
to abide by national and international laws.  This is implicit, not
explicit, in trading and living in a country and is part of consenting to be
governed, which we do daily in a civilised society.

Creating a policy which seeks to circumvent the law creates oddities.
Worldcom may have had such a policy for its accounting, for example.  I
speak from a position of no knowledge about Worldcom's internal affairs
here, but am using it as an example of how an "irregular" set of procedures
can create a world-wide set of repercussions.

The current business climate is wholly against "unusual" policies, and
governmental or quasi governmental organisations cannot afford them, since
public accountability here creates even more interesting reputations.

All of which is a long winded way of saying "create good policies, and do
not waste time trying to overcome legislation with poor ones"

_____________________________________________________________
Tim Trent
Chief Privacy Officer EMEA
> Gartner
EMEA Marketing, Tamesis,  The Glanty,  Egham,  Surrey,  United Kingdom,
TW20 9AW
Switchboard +44 (0)1784 431 611, Direct Line +44 (0)1784 267 335, Mobile +44
(0)7710 126 618
Visit our home on the web:  http://www.gartner.com

The opinions expressed in this message are my own, and may or may not
reflect those of my employer.  They are expressed as a part of the
discussion on the JISCMail mailing list on data protection and for no other
purpose.  They have no legal standing and are offered as part of informed
and informal discussion.  They may NOT be attributed to Gartner in any way.
Any personal data provided is provided expressly for use of discussions on
the JISCMail Data Protection Discussion list.  Under the UK Data Protection
Act 1998 I expressly forbid any individual or organisation to make
commercial use of my data published either on the email list or in the
archives of that or other lists whether this message appears or not.  This
includes messages already published in the archives.


-----Original Message-----
From: Ian Welton [mailto:[log in to unmask]]
Sent: 30 July 2002 09:20
To: [log in to unmask]
Subject: Re: SARs and e-mail Archives


Reading through the thread on this subject, is it then acceptable to
formulate an organisations (In deference to Charles earlier comment this
includes systems and people) e-mail I.T. strategy to make it difficult to
find personal data contained within emails, when a subject access request is
received; as opposed to formulating a strategy which supports and enables
such requests?  Looking at Google groups and similar e-mail/newsgroup
archives, the technology certainly already exists (Although I do consider
that material is retained excessively).

Would such a stance also apply to other parts of the I.T. strategy, and
would the OIC then apply similar advice?

How does an organisation following a strategy of that (non-compliant) type
justify that it is abiding (or trying to abide) by the legislation?


Ian W

-----Original Message-----
From: This list is for those interested in Data Protection issues
[mailto:[log in to unmask]]On Behalf Of Okey, Andrew
Sent: 26 July 2002 16:14
To: [log in to unmask]
Subject: Re: On going SARring


It seems that the OIC broadly concurs with Alastair's view. I have (just
this
moment) received advice from Peter Bloomfield on this matter, which states -

"There are several, possibly conflicting, issues raised here. Firstly,
employees have a right to privacy (under Section 7(4) of the Act) and
personal
emails, for example, should not be looked at without good cause. Secondly,
those making a subject access request have a right of access to their data,
including emails between third parties about them. Also of relevance is
Section
7(3) of the Act, which allows data controllers to get reasonable information
from data subjects to enable them to trace an individual's personal data.

Balancing these issues suggests that where a subject access request is
received
and either the data subject indicates that, or the institution knows that,
some
personal data might be held in emails, rather than trawling through the
personal data of many third parties (which is often technically difficult
and
time-consuming) the data subject should be asked to narrow down the search
criteria to a level the institution considers reasonable: for example,
emails
sent between specified individuals and perhaps even only those sent on or
around specific dates. The exact criteria depends on the size of system and
ease of searching for references to an individual. If the data controller is
to
go any further than searching on email title (e.g. looking for references to
the subject within the text of the emails) then, if such a general search is
not technically easy to accomplish the detail the data subject provides to
inform any search must be very high.

Even given the above considerations, however, institutions should ensure
that
employees and other email users are aware that the contents of their emails
might be disclosed in certain circumstances, even if they do not give their
consent"

Andrew Okey
Lancaster University

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
       All archives of messages are stored permanently and are
      available to the world wide web community at large at
      http://www.jiscmail.ac.uk/lists/data-protection.html
      If you wish to leave this list please send the command
       leave data-protection to [log in to unmask]
            All user commands can be found at : -
    www.jiscmail.ac.uk/user-manual/summary-user-commands.htm
  (all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
       All archives of messages are stored permanently and are
      available to the world wide web community at large at
      http://www.jiscmail.ac.uk/lists/data-protection.html
      If you wish to leave this list please send the command
       leave data-protection to [log in to unmask]
            All user commands can be found at : -
    www.jiscmail.ac.uk/user-manual/summary-user-commands.htm
  (all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
       All archives of messages are stored permanently and are
      available to the world wide web community at large at
      http://www.jiscmail.ac.uk/lists/data-protection.html
      If you wish to leave this list please send the command
       leave data-protection to [log in to unmask]
            All user commands can be found at : -
    www.jiscmail.ac.uk/user-manual/summary-user-commands.htm
  (all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^