I think we come down to the spirit and letter of the law. It is incumbent of a Data Controller to have policies which direct its staff to abide by national and international laws. This is implicit, not explicit, in trading and living in a country and is part of consenting to be governed, which we do daily in a civilised society. Creating a policy which seeks to circumvent the law creates oddities. Worldcom may have had such a policy for its accounting, for example. I speak from a position of no knowledge about Worldcom's internal affairs here, but am using it as an example of how an "irregular" set of procedures can create a world-wide set of repercussions. The current business climate is wholly against "unusual" policies, and governmental or quasi governmental organisations cannot afford them, since public accountability here creates even more interesting reputations. All of which is a long winded way of saying "create good policies, and do not waste time trying to overcome legislation with poor ones" _____________________________________________________________ Tim Trent Chief Privacy Officer EMEA > Gartner EMEA Marketing, Tamesis, The Glanty, Egham, Surrey, United Kingdom, TW20 9AW Switchboard +44 (0)1784 431 611, Direct Line +44 (0)1784 267 335, Mobile +44 (0)7710 126 618 Visit our home on the web: http://www.gartner.com The opinions expressed in this message are my own, and may or may not reflect those of my employer. They are expressed as a part of the discussion on the JISCMail mailing list on data protection and for no other purpose. They have no legal standing and are offered as part of informed and informal discussion. They may NOT be attributed to Gartner in any way. Any personal data provided is provided expressly for use of discussions on the JISCMail Data Protection Discussion list. Under the UK Data Protection Act 1998 I expressly forbid any individual or organisation to make commercial use of my data published either on the email list or in the archives of that or other lists whether this message appears or not. This includes messages already published in the archives. -----Original Message----- From: Ian Welton [mailto:[log in to unmask]] Sent: 30 July 2002 09:20 To: [log in to unmask] Subject: Re: SARs and e-mail Archives Reading through the thread on this subject, is it then acceptable to formulate an organisations (In deference to Charles earlier comment this includes systems and people) e-mail I.T. strategy to make it difficult to find personal data contained within emails, when a subject access request is received; as opposed to formulating a strategy which supports and enables such requests? Looking at Google groups and similar e-mail/newsgroup archives, the technology certainly already exists (Although I do consider that material is retained excessively). Would such a stance also apply to other parts of the I.T. strategy, and would the OIC then apply similar advice? How does an organisation following a strategy of that (non-compliant) type justify that it is abiding (or trying to abide) by the legislation? Ian W -----Original Message----- From: This list is for those interested in Data Protection issues [mailto:[log in to unmask]]On Behalf Of Okey, Andrew Sent: 26 July 2002 16:14 To: [log in to unmask] Subject: Re: On going SARring It seems that the OIC broadly concurs with Alastair's view. I have (just this moment) received advice from Peter Bloomfield on this matter, which states - "There are several, possibly conflicting, issues raised here. Firstly, employees have a right to privacy (under Section 7(4) of the Act) and personal emails, for example, should not be looked at without good cause. Secondly, those making a subject access request have a right of access to their data, including emails between third parties about them. Also of relevance is Section 7(3) of the Act, which allows data controllers to get reasonable information from data subjects to enable them to trace an individual's personal data. Balancing these issues suggests that where a subject access request is received and either the data subject indicates that, or the institution knows that, some personal data might be held in emails, rather than trawling through the personal data of many third parties (which is often technically difficult and time-consuming) the data subject should be asked to narrow down the search criteria to a level the institution considers reasonable: for example, emails sent between specified individuals and perhaps even only those sent on or around specific dates. The exact criteria depends on the size of system and ease of searching for references to an individual. If the data controller is to go any further than searching on email title (e.g. looking for references to the subject within the text of the emails) then, if such a general search is not technically easy to accomplish the detail the data subject provides to inform any search must be very high. Even given the above considerations, however, institutions should ensure that employees and other email users are aware that the contents of their emails might be disclosed in certain circumstances, even if they do not give their consent" Andrew Okey Lancaster University ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ All archives of messages are stored permanently and are available to the world wide web community at large at http://www.jiscmail.ac.uk/lists/data-protection.html If you wish to leave this list please send the command leave data-protection to [log in to unmask] All user commands can be found at : - www.jiscmail.ac.uk/user-manual/summary-user-commands.htm (all commands go to [log in to unmask] not the list please) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ All archives of messages are stored permanently and are available to the world wide web community at large at http://www.jiscmail.ac.uk/lists/data-protection.html If you wish to leave this list please send the command leave data-protection to [log in to unmask] All user commands can be found at : - www.jiscmail.ac.uk/user-manual/summary-user-commands.htm (all commands go to [log in to unmask] not the list please) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ All archives of messages are stored permanently and are available to the world wide web community at large at http://www.jiscmail.ac.uk/lists/data-protection.html If you wish to leave this list please send the command leave data-protection to [log in to unmask] All user commands can be found at : - www.jiscmail.ac.uk/user-manual/summary-user-commands.htm (all commands go to [log in to unmask] not the list please) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^