JISCMail - DATA-PROTECTION Archives

Where does that leave data within emails that might be released at a future date under FOI requests?

I'm also faced with organisations that will shudder at making substitutions rather than redactions ... that is going to be an interesting discussion.

I'll be honest and say I am only slightly further on this than previously, seeing pretty robust approaches on both sides.

So far I have:
1 - Where emails are from A to B and discussing C, there is case law to show that only the information relating to C is to be released
2 - A and B can have their personal data substituted for generalised information, e.g. HR A and Team Leader B
3 - The judgement involved also covers where the source of the data (where not the data subject) can be identified, and (noting Chris' comment) this could be through consent or through a balance test in the absence of consent (Personal Note: absence of consent is where consent is not asked, not were consent is refused)
4 - There is inconsistence advice from a range of sources (I only have ICO and a few LA HR legal advisors on this so far so would appreciate any other confirmations), but where individuals are acting in their professional capacity some advice would say that it is expected their PD would be included. Part of me thinks (personal opinion) this is possibly a historic approach where someone has tried to balance whether the details should be released and said yes as a policy, without making consideration on a case by case basis. Also, it may be that this advice has not been revisited since the recent case (or may not have even considered previous cases either).

The only position I can really take now is to advise that, in general, organisations should consider substitutions for class rather than the PD with respect to 3rd parties, but should take it on a case by case basis where the source of the data may need to be provided. They should seek consent in the first option, or where that is not possible / appropriate, complete a balance test. No stock policy on 'professional capacity' should be considered without further, explicit guidance from ICO and/or judgements.

Is this a fair summary?

-- 
Tony Sheppard CIPP/E
Head of Services
GDPR in Schools
 
-----Original Message-----
From: This list is for those interested in Data Protection issues <[log in to unmask]> On Behalf Of Phil Bradshaw
Sent: 06 June 2019 21:32
To: [log in to unmask]
Subject: Re: [data-protection] SAR Former employee emails

Taking Michelle's point as a good example: "In our case there are two HR employees included, and in light of the fact that they are acting in a professional capacity advising on employment matters relating to the individual, we considered whether it might be reasonable to include their details, but on balance we felt it might be better to have a consistent approach to all emails. "

Email:

From HR1

To HR2

Re: Fred

Fred is accused of stealing form the biscuit tin.

This is covered by the xyz policy and our approach in such a case is  .... and I recommend we take the following steps.  A B C

End of Email

On the face of it all you have to disclose is that you have an email from HR1 (disclosing the source) to another employee which contains "Fred is accused of stealing form the biscuit tin.". 

The rest is not PD of Fred. 

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
     All archives of messages are stored permanently and are
      available to the world wide web community at large at
      http://www.jiscmail.ac.uk/lists/data-protection.html
     If you wish to leave this list please send the command
       leave data-protection to [log in to unmask] All user commands can be found at https://www.jiscmail.ac.uk/help/subscribers/subscribercommands.html
 Any queries about sending or receiving messages please send to the list owner
              [log in to unmask]
  Full help Desk - please email [log in to unmask] describing your needs
        To receive these emails in HTML format send the command:
         SET data-protection HTML to [log in to unmask]
   (all commands go to [log in to unmask] not the list please)
    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
     All archives of messages are stored permanently and are
      available to the world wide web community at large at
      http://www.jiscmail.ac.uk/lists/data-protection.html
     If you wish to leave this list please send the command
       leave data-protection to [log in to unmask]
All user commands can be found at https://www.jiscmail.ac.uk/help/subscribers/subscribercommands.html
 Any queries about sending or receiving messages please send to the list owner
              [log in to unmask]
  Full help Desk - please email [log in to unmask] describing your needs
        To receive these emails in HTML format send the command:
         SET data-protection HTML to [log in to unmask]
   (all commands go to [log in to unmask] not the list please)
    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^