JISCMail - DATA-PROTECTION Archives

Lewis, Chris G. on 23 June 2005 at 14:40 said:-

> 	>Is there such a thing as requiring consent to respond 
> to a SAR? 
> 
> 	>Ian W
> 
> 	Yes, in that the question was not whether they needed 
> consent to respond at all, but whether they need consent from 
> the third party to provide (in response to the SAR) the third 
> party's emails disclosed in full and without the third 
> party's name being redacted. To which the answer is yes, 
> unless, as the "third party" is an employee, you can imply 
> that an employee has impliedly consented to such disclosures 
> as part of their job and employment.

For the disclosure but not the search then?

Simon Macaulay on 23 June 2005 at 14:47 said:-

> Hi ian,
> I would have thought a policy is necessary if you are about 
> to search their accounts instead of them volunteering up the 
> emails themselves. This would cover the employer against a 
> breach of the Human rights Act where employees who 'expect' a 
> right to privacy will claim a breach of HRA if they were 
> never aware that their emails could be searched.  That's my 
> reading of the need for a policy.

So a right to privacy within employment exists.  

Would the same type of policy enable management searches of e-mail for
business purposes?

What about automated searches?

> 
> Also... surely consent is needed before disclosing the 
> personal data of a third party where it is caught up in the 
> area of information requested by the subject?  I know there 
> is no absolute directive to have consent before releasing 
> data but no-one in their right minds is going to risk this 
> scenario unless they want a posse of disgruntled third party 
> employees serving law suits.  Unless of course it's in 
> extraordinary circumstances... or perhaps as your inferring 
> Ian, someone who is an employee and therefore it's possible 
> to consider it 'reasonable' to disclose their PD without 
> consent? Simon.

No argument that redaction may be necessary, but I do not believe a policy
statement regarding searching e-mails is necessary for a SAR search to be
conducted.  

Policy statements of that type seem to fulfil fairness requirements. If an
employer has neglected to have brought such a policy statement into
existence, they have/are being unfair to their employees as the legislative
need to conduct a search may still arise; but that could also be indicating
management may not themselves search the e-mails.

Ian W

> -----Original Message-----
> From: This list is for those interested in Data Protection 
> issues [mailto:[log in to unmask]] On Behalf Of 
> Simon Macaulay
> Sent: 23 June 2005 14:47
> To: [log in to unmask]
> Subject: Re: Internal staff SAR
> 
> 
> Hi ian,
> I would have thought a policy is necessary if you are about 
> to search their accounts instead of them volunteering up the 
> emails themselves. This would cover the employer against a 
> breach of the Human rights Act where employees who 'expect' a 
> right to privacy will claim a breach of HRA if they were 
> never aware that their emails could be searched.  That's my 
> reading of the need for a policy.
> 
> Also... surely consent is needed before disclosing the 
> personal data of a third party where it is caught up in the 
> area of information requested by the subject?  I know there 
> is no absolute directive to have consent before releasing 
> data but no-one in their right minds is going to risk this 
> scenario unless they want a posse of disgruntled third party 
> employees serving law suits.  Unless of course it's in 
> extraordinary circumstances... or perhaps as your inferring 
> Ian, someone who is an employee and therefore it's possible 
> to consider it 'reasonable' to disclose their PD without 
> consent? Simon.
> 
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>        All archives of messages are stored permanently and are
>       available to the world wide web community at large at
>       http://www.jiscmail.ac.uk/lists/data-protection.html
>       If you wish to leave this list please send the command
>        leave data-protection to [log in to unmask]
>             All user commands can be found at : -
>         http://www.jiscmail.ac.uk/help/commandref.htm
> Any queries about sending or receiving message please send to 
> the list owner
>               [log in to unmask]
>   (all commands go to [log in to unmask] not the list please)
>    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> 

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
       All archives of messages are stored permanently and are
      available to the world wide web community at large at
      http://www.jiscmail.ac.uk/lists/data-protection.html
      If you wish to leave this list please send the command
       leave data-protection to [log in to unmask]
            All user commands can be found at : -
        http://www.jiscmail.ac.uk/help/commandref.htm
Any queries about sending or receiving message please send to the list owner
              [log in to unmask]
  (all commands go to [log in to unmask] not the list please)
   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^