The discussion diversified somewhat so here is my current understanding as a summary:- 1. E-mail addresses are personal data as defined within the DPA; 2. ISP's have long held they are not data controllers of the web pages, e-mails, or newsgroup content they hold. 3. A business, where they own a domain name, are the data controllers of the domain and e-mail addresses. They generally exercise their responsibilities by their organisational policies, and contracts with their employees. As a result they should have an e-mail policy determining how the e-mail system is managed and can be used - this would normally include e-mail address termination issues. 4. Where a business does not own a domain name, and has an internet presence, that will normally be provided by another business, often an ISP. 5. The situation at (4.) would apply to individuals contracting with ISP's. My interpretation of the above is that a result of the situation is an ISP is a "joint data controller" of an e-mail address within their domain, which it contracts to another. If that is so the contracts issued by any ISP would need to include issues regarding the control of any given e-mail address it issues, similar in some respects to an employers code, if any 'data controller' is to be able to exercise their DPA obligations. That should include the issues regarding cancellation of an account, and access to any e-mail content. I have considering mailbox content to be a separate item here - with no ISP responsibility - hence the content (and subject lines) should be secure - which generally they are not. (If the ISP do exercise joint control of e-mail content, via their contracts, as Ekin suggests, then they must also take on liabilities if they do not have mailscanners and other mechanisms in place to attempt to assure compliance with their contracts - Principle 7 compliance?. (Something which would generally seem to be an anathema. - To me too - An example of attempts to achieve that type of control are amply illustrated in China.) I assume that the EUCHR article 10 would impact significantly at this point, overriding the Data Protection Directive requirements, but make no comment regarding the ISP or Employer contracts in respect of this. (Perhaps another time.!) If all of that is correct, it would seem sensible for some generic guidance on the necessary content of ISP e-mail address contracts to exist. There are of course complications where any ISP is not subject to EU law. Ian W ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ All archives of messages are stored permanently and are available to the world wide web community at large at http://www.jiscmail.ac.uk/lists/data-protection.html If you wish to leave this list please send the command leave data-protection to [log in to unmask] All user commands can be found at : - www.jiscmail.ac.uk/user-manual/summary-user-commands.htm (all commands go to [log in to unmask] not the list please) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^