Samantha,
I think you are ok with this approach with the relevant DPA caveats, which are broadly speaking covered by proportionate and reasonable, but some of it will depend on the privacy notice staff have been given.
If they are not aware that their emails can be searched, even though it is in the law, then they may not have designated some as personal or private. If your organisation has a privacy notice that covers email, then the searching will be easier as private and confidential, i.e. not work related, can be excluded. You then have the secondary issues of work related but still personal data (i.e. grievances, sickness absence, medical issues) which may not have been marked private or confidential depending on the privacy notice.
If there are clear search criteria that can be verified, so as to avoid or reduce the fear of a fishing trip (i.e. searching the SAR I found that you were doing X or Y), then you can help the data subject understand the nature of the process. Again, this is covered by the law on computer since what you write by email is owned by the organisation unless you clearly and consistently mark it as private or personal. This is why people never write books at work as the organisation technically owns any output created during work time.
In many ways, the SAR process is becoming like an e-discovery (US) process (which is related to but importantly different from e-disclosure (UK)); check with Alison North on the RM list for the full history of the differences between the US and UK legal approaches.
You may want to look at options such as Cryoserver http://www.cryoserver.com/ I attended one of their webinars. It offers all the functionality that you described.
I have not tested the product, but it was impressive what I saw. I am certain there are other providers out there, but it is worth a look, especially if you have more SARs or other email related issues such as cyberbullying and grievances that can transpire through email.
As an aside, I would suggest that once a system is proposed and implemented, staff finally understand why they need to make sure they only make professional comments in their emails.
Best,
Lawrence
-----Original Message-----
From: This list is for those interested in Data Protection issues [mailto:[log in to unmask]] On Behalf Of Samantha Hill
Sent: 07 March 2016 14:55
To: [log in to unmask]
Subject: SAR protocols
I am returning to data protection work after having been diverted on to other matters recently, so am only just coming back to this list. Apologies, therefore, for my first email back asking a question but hopefully I'll be able to contribute to discussions as well soon.
Could I ask for brief details of how colleagues deal with SARs in their institutions? We currently ask members of staff to search through their own email accounts for any emails they might have about the data subject requesting their own data (with appropriate reminders that they have to provide everything they find) which has worked until recently when we have a) started to receive more and larger SARs and b) at least two have been run in conjunction with a staff grievance and the members of staff contacted to search for emails have been very reluctant to engage with the SAR process as the grievance process has been very wearing. Staff say they do not have the time to search properly and with the age old problem of people not managing their emails properly I am receiving very large, unfiltered returns the majority of which is not personal data.
In order to make the experience better for everyone involved, I am looking, for the future, at accessing individual staff email accounts centrally myself - with the prior agreement of the individual staff members - to search for emails directly in their own email accounts. However, I am aware that I will need to consult widely before this is a possibility. It would be helpful to me to know how others deal with SARs so I can consider
i) any issues colleagues have come across in searching for emails in this way and,
ii) other - possibly better - ways of doing it.
If it's easier to contact me directly please do so either on [log in to unmask] or on my direct number of 02392 843642. I'll be more than happy to collate responses and pass on this information to others if you would find it helpful.
Samantha
Samantha Hill
Information Disclosure and Complaints Manager University of Portsmouth
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
All archives of messages are stored permanently and are
available to the world wide web community at large at
http://www.jiscmail.ac.uk/lists/data-protection.html
If you wish to leave this list please send the command
leave data-protection to [log in to unmask]
All user commands can be found at http://www.jiscmail.ac.uk/help/commandref.htm
Any queries about sending or receiving messages please send to the list owner
[log in to unmask]
Full help Desk - please email [log in to unmask] describing your needs
To receive these emails in HTML format send the command:
SET data-protection HTML to [log in to unmask]
(all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
________________________________
Help protect our environment by only printing this email if absolutely necessary. The information it contains and any files transmitted with it are confidential and are only intended for the person or organisation to whom it is addressed. It may be unlawful for you to use, share or copy the information, if you are not authorised to do so. If you receive this email by mistake, please inform the person who sent it at the above address and then delete the email from your system. Durham County Council takes reasonable precautions to ensure that its emails are virus free. However, we do not accept responsibility for any losses incurred as a result of viruses we might transmit and recommend that you should use your own virus checking procedures.