It seems that the OIC broadly concurs with Alastair's view. I have (just this moment) received advice from Peter Bloomfield on this matter, which states - "There are several, possibly conflicting, issues raised here. Firstly, employees have a right to privacy (under Section 7(4) of the Act) and personal emails, for example, should not be looked at without good cause. Secondly, those making a subject access request have a right of access to their data, including emails between third parties about them. Also of relevance is Section 7(3) of the Act, which allows data controllers to get reasonable information from data subjects to enable them to trace an individual's personal data. Balancing these issues suggests that where a subject access request is received and either the data subject indicates that, or the institution knows that, some personal data might be held in emails, rather than trawling through the personal data of many third parties (which is often technically difficult and time-consuming) the data subject should be asked to narrow down the search criteria to a level the institution considers reasonable: for example, emails sent between specified individuals and perhaps even only those sent on or around specific dates. The exact criteria depends on the size of system and ease of searching for references to an individual. If the data controller is to go any further than searching on email title (e.g. looking for references to the subject within the text of the emails) then, if such a general search is not technically easy to accomplish the detail the data subject provides to inform any search must be very high. Even given the above considerations, however, institutions should ensure that employees and other email users are aware that the contents of their emails might be disclosed in certain circumstances, even if they do not give their consent" Andrew Okey Lancaster University ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ All archives of messages are stored permanently and are available to the world wide web community at large at http://www.jiscmail.ac.uk/lists/data-protection.html If you wish to leave this list please send the command leave data-protection to [log in to unmask] All user commands can be found at : - www.jiscmail.ac.uk/user-manual/summary-user-commands.htm (all commands go to [log in to unmask] not the list please) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^