JISCMail - DATA-PROTECTION Archives

[log in to unmask] on 24 June 2005 at 09:51 said:-

Without wishing to sour the milk I believe there are some particularly
interesting privacy issues here so...
 
> In deciding whether to reveal the identity of a member of 
> staff, you should 
> consider the following:
> 
> 1) If the e-mails are for work purposes, or the e-mail system 
> should only be 
> used for work purposes, the staff member should not be 
> classed as a third 
> party and the identity should be revealed unless there is a 
> danger of physical 
> harm to the person;

This would mean that e-mail could not be considered private in the sense of
individual privacy in the workplace. As any personal information entering
the work environment could be open to inspection by the simple expedience of
creating a rumour sufficient to generate a SAR. 

A pity some managers actually manage through such mechanisms.  Oh well,
dependent upon how SAR material is secured, and who sees the collated
material, so much for the levels of protection for sensitive data in the
workplace.

If open access to the SAR response material is restricted to staff collating
it, it would become doubly unfortunate if workplace computer/work monitoring
created private circumstances allowing some to view such collated material
without others knowledge.

> 2) If the e-mails were of a private nature (eg personal 
> opinion as opposed to 
> comments about their work), and such use of the system is 
> allowed, there may 
> be a case for withholding the name and any part of the e-mail 
> that would 
> identify them but only where it is reasonable in the 
> circumstances to do so;

Would this mean consideration of the DPA exceptions when looking at personal
e-mails, which could, provided ALL of the possible exceptions were
impersonally considered partly ameliorate the point made above.?

How would the s.36 domestic purposes exemption in respect of personal life
fit in here? Who would determine personal life matters?

Albeit s.36 would not provide an exemption from s.7, would it only be
possible to apply it to work processing if personal e-mails were allowed at
work
or would it be applicable anyway?
 
> 3) A right to privacy in the workplace does exist but it does 
> not extend to 
> using the organisation's equipment and software to denegrate 
> others (assuming 
> this is the nature of the comments and the reason the DS 
> wants the e-mails;
> 
> 4) The DS may already know the identities of the staff 
> members, so it may be 
> pointless trying to withhold them.

Whilst agreeing a right of privacy exists. I do not believe that right can
be limited only by rules set within an organisation without reference to,
consideration of, and inclusion of that right, otherwise in fact no right
exists at all.

If only good opinions were contained within all the e-mails in question how
would that change in any way item 3) above and any SAR received?

Although obvious it is worth mentioning that the discussion relates only to
the DPA and hence personal information, so there would be a need to accept
that instant messaging, audio recordings, video phone recordings and so on
would fall into the same categories, even though the originators purpose and
intent for the communication may have been only transitory, whilst retention
periods, being held for different purposes, and used for others, are rather
less so.

Ian W

> -----Original Message-----
> From: This list is for those interested in Data Protection 
> issues [mailto:[log in to unmask]] On Behalf Of 
> [log in to unmask]
> Sent: 24 June 2005 09:51
> To: [log in to unmask]
> Subject: Re: Internal staff SAR
> 
> 
> In deciding whether to reveal the identity of a member of 
> staff, you should 
> consider the following:
> 
> 1) If the e-mails are for work purposes, or the e-mail system 
> should only be 
> used for work purposes, the staff member should not be 
> classed as a third 
> party and the identity should be revealed unless there is a 
> danger of physical 
> harm to the person;
> 
> 2) If the e-mails were of a private nature (eg personal 
> opinion as opposed to 
> comments about their work), and such use of the system is 
> allowed, there may 
> be a case for withholding the name and any part of the e-mail 
> that would 
> identify them but only where it is reasonable in the 
> circumstances to do so;
> 
> 3) A right to privacy in the workplace does exist but it does 
> not extend to 
> using the organisation's equipment and software to denegrate 
> others (assuming 
> this is the nature of the comments and the reason the DS 
> wants the e-mails;
> 
> 4) The DS may already know the identities of the staff 
> members, so it may be 
> pointless trying to withhold them.
> 
> Ian B
> -----------
> 
> In a message dated 23/06/05 11:11:44 GMT Daylight Time, 
> [log in to unmask] 
> writes:
> 
> 
> > can anyone give advice on how to deal with a scenario where 
> a mem of 
> > staff wants to see the emails of certain other staff which 
> have him as 
> > the focus of their emails?
> > 
> > Unfortunately we do not have a monitoring or similar policy which 
> > states we will search email accounts after receiving a SAR 
> or an FOI 
> > request (not for want of trying) and the approach of our HR 
> branch is 
> > to simply ask the staff mentioned if they have such emails and to 
> > disclose if they do.
> > 
> > This leads me to the old chestnut of, are they 3rd parties, and do 
> > they have to be asked for consent before there emails are 
> disclosed in 
> > full without their names redacted?  This is the approach we 
> are taking 
> > but I would appreciate any guidance or clarification from 
> anyone who 
> > has been in a similar situation.
> 
> --------
> 
> Ian Buckland
> Managing Director
> Keep IT Legal Ltd
> 
> Please Note: The information given above does not replace or 
> negate the need 
> for proper legal advice and/or representation. It is 
> essential that you do not 
> rely upon any advice given without contacting your solicitor. 
>  If you need 
> further explanation of any points raised please contact Keep 
> I.T. Legal Ltd at 
> the address below:
> 
> 55 Curbar Curve
> Inkersall, Chesterfield
> Derbyshire  S43 3HP 
> (Reg 3822335)
> Tel: 01246 473999 
> Fax: 01246 470742
> E-mail: [log in to unmask]
> Website: www.keepitlegal.co.uk
> 
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>        All archives of messages are stored permanently and are
>       available to the world wide web community at large at
>       http://www.jiscmail.ac.uk/lists/data-protection.html
>       If you wish to leave this list please send the command
>        leave data-protection to [log in to unmask]
>             All user commands can be found at : -
>         http://www.jiscmail.ac.uk/help/commandref.htm
> Any queries about sending or receiving message please send to 
> the list owner
>               [log in to unmask]
>   (all commands go to [log in to unmask] not the list please)
>    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> 

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
       All archives of messages are stored permanently and are
      available to the world wide web community at large at
      http://www.jiscmail.ac.uk/lists/data-protection.html
      If you wish to leave this list please send the command
       leave data-protection to [log in to unmask]
            All user commands can be found at : -
        http://www.jiscmail.ac.uk/help/commandref.htm
Any queries about sending or receiving message please send to the list owner
              [log in to unmask]
  (all commands go to [log in to unmask] not the list please)
   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^