JISCMail - DATA-PROTECTION Archives

Also worth unpacking "access to individual's account". Different situations could require:
1) Read-only access to a subset of messages, extracted by searching for a particular term (e.g. "advert")
2) Read-only access to all messages
3) Read/write (i.e. send) access to whole mailbox.
Obviously you should go for the least intrusive one that achieves the purpose.

If you're in a position where business e-mails are being sent to an individual's named address then you're pretty much stuck sorting out the (increasingly unpleasant) legal risks of each of those :(

In future, try to move to a situation where you advertise functional e-mail addresses (e.g. [log in to unmask]). Then if messages need to be acted on before a person is expected to return to do it, you can just do the search based on that address and pull out only those messages for action. It may require some work on your e-mail system, to ensure that messages go *out* from those addresses, and by staff to ensure that they send from the right profile. But it almost eliminates the legal issues.

HTH
Andrew

--
Andrew Cormack
Chief Regulatory Adviser

T 01235 822302
Skype ancormack
Twitter @Janet_LegReg
Blog https://community.ja.net/blogs/regulatory-developments
orcid.org/0000-0002-8448-2881 


Lumen House, Library Avenue, Harwell Oxford, Didcot, OX11 0SG

jisc.ac.uk



> -----Original Message-----
> From: This list is for those interested in Data Protection issues [mailto:data-
> [log in to unmask]] On Behalf Of Speirs, Seth
> Sent: 29 August 2017 16:21
> To: [log in to unmask]
> Subject: Accessing Staff Emails [OFFICIAL]
> 
> Our IT team have been asked to provide access to a staff member's email
> account by their line manager as they have been off on long term sick.
> 
> 
> 
> Initially they requested access to their login credentials but was persuaded
> that that was completely disproportionate.
> 
> 
> 
> Our IT team thankfully came to us for advice.
> 
> 
> 
> This is a business email address. Our Use of ICT policy allows use of the
> system for personal use, but at the same time our Monitoring at Work
> declares explicitly that email is monitored for the purposes of detecting
> unauthorised usage, preventing malware etc.
> 
> 
> 
> My first instinct is to suggest that the line manager should seek the user's
> permission as the purpose for which the line manager wants access is not
> one that we mention in our MaW policy. At the same time all staff are aware
> this is a business email system and the access is for a business purpose.
> 
> 
> 
> My manager has suggested that we set this as a general policy and circulate
> this to staff. My concern is that if this became a general policy would we then
> in fact providing a false consent in that staff would feel pressurised to do this
> if they were going off sick?
> 
> 
> 
> Sure someone has come across this issue before!
> 
> 
> 
> Seth
> 
> 
> 
> 
> 
> 
> 
> 
> 
> Seth Speirs
> 
> Assistant Departmental Security Officer
> 
> Public Prosecution Service
> 
> 028 90264621
> 
> 
> 
> 
> 
> 
> 
> ________________________________
> 
> All archives of messages are stored permanently and are available to the
> world wide web community at large at http://www.jiscmail.ac.uk/lists/data-
> protection.html
> 
> Selected commands (the command has been filled in below in the body of
> the email if you are receiving emails in HTML format):
> 
> *	Leaving this list: send leave data-protection to
> [log in to unmask] <mailto:[log in to unmask]&BODY=LEAVE data-
> protection>
> *	Suspending emails from all JISCMail lists: send SET * NOMAIL to
> [log in to unmask] <mailto:[log in to unmask]&BODY=SET *
> NOMAIL>
> *	To receive emails from this list in text format: send SET data-
> protection NOHTML to [log in to unmask]
> <mailto:[log in to unmask]&BODY=SET data-protection NOHTML>
> *	To receive emails from this list in HTML format: send SET data-
> protection HTML to [log in to unmask]
> <mailto:[log in to unmask]&BODY=SET data-protection HTML>
> 
> All user commands can be found at
> https://www.jiscmail.ac.uk/help/subscribers/subscribercommands.html and
> are sent in the body of an otherwise blank email to [log in to unmask]
> <mailto:[log in to unmask]>
> 
> Any queries about sending or receiving messages please send to the list
> owner [log in to unmask] <mailto:data-protection-
> [log in to unmask]>
> 
> (Please send all commands to [log in to unmask]
> <mailto:[log in to unmask]>  not the list or the moderators, and all
> requests for technical help to [log in to unmask]
> <mailto:[log in to unmask]> , the general office helpline)
> 
> ________________________________

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
     All archives of messages are stored permanently and are
      available to the world wide web community at large at
      http://www.jiscmail.ac.uk/lists/data-protection.html
     If you wish to leave this list please send the command
       leave data-protection to [log in to unmask]
All user commands can be found at https://www.jiscmail.ac.uk/help/subscribers/subscribercommands.html
 Any queries about sending or receiving messages please send to the list owner
              [log in to unmask]
  Full help Desk - please email [log in to unmask] describing your needs
        To receive these emails in HTML format send the command:
         SET data-protection HTML to [log in to unmask]
   (all commands go to [log in to unmask] not the list please)
    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^