The discussion diversified somewhat so here is my current understanding as a
summary:-

1. E-mail addresses are personal data as defined within the DPA;
2. ISPs have long held they are not data controllers of the web pages,
e-mails, or newsgroup content they hold.
3. A business, where they own a domain name, are the data controllers of the
domain and e-mail addresses.  They generally exercise their responsibilities
by their organisational policies, and contracts with their employees.  As a
result they should have an e-mail policy determining how the e-mail system
is managed and can be used - this would normally include e-mail address
termination issues.
4. Where a business does not own a domain name, and has an internet
presence, that will normally be provided by another business, often an ISP.
5. The situation at (4.) would apply to individuals contracting with ISPs.

My interpretation of the above is that a result of the situation is an ISP
is a "joint data controller" of an e-mail address within their domain, which
it contracts to another.

If that is so the contracts issued by any ISP would need to include issues
regarding the control of any given e-mail address it issues, similar in some
respects to an employer's code, if any 'data controller' is to be able to
exercise their DPA obligations.  That should include the issues regarding
cancellation of an account, and access to any e-mail content.

I have considered mailbox content to be a separate item here - with no ISP
responsibility - hence the content (and subject lines) should be secure -
which generally they are not.  (If the ISP do exercise joint control of
e-mail content, via their contracts, as Ekin suggests, then they must also
take on liabilities if they do not have mailscanners and other mechanisms in
place to attempt to assure compliance with their contracts - Principle 7
compliance?)  (Something which would generally seem to be an anathema. - To
me too - An example of attempts to achieve that type of control is amply
illustrated in China.)

I assume that the EUCHR article 10 would impact significantly at this point,
overriding the Data Protection Directive requirements, but make no comment
regarding the ISP or Employer contracts in respect of this. (Perhaps another
time!)

If all of that is correct, it would seem sensible for some generic guidance
on the necessary content of ISP e-mail address contracts to exist.

There are of course complications where any ISP is not subject to EU law.

Ian W

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
       All archives of messages are stored permanently and are
      available to the world wide web community at large at
      http://www.jiscmail.ac.uk/lists/data-protection.html
      If you wish to leave this list please send the command
       leave data-protection to [log in to unmask]
            All user commands can be found at : -
    www.jiscmail.ac.uk/user-manual/summary-user-commands.htm
  (all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^