In response to Samantha, my point about if the communications were done on paper yet stored at the office also related to whether the Company is data controller, rather than whether such records might be captured by the DPA. Such records would be covered by the DPA (particularly since the FOIA amendments) IF they are being processed by the Company as a DC. If they are the personal property of the employee (just as I might put a personal calendar in my desk drawer) then would they be covered by DPA and SAR? I just wondered whether it was the ease of locating and accessing electronic records that was raising the question of whether the Company was the DC.

Dawn Clarke


________________________________
From: This list is for those interested in Data Protection issues [[log in to unmask]] On Behalf Of Samantha Hill [[log in to unmask]]
Sent: 25 April 2016 14:10
To: [log in to unmask]
Subject: Re: [data-protection] Access to emails

Dear All

As I mentioned earlier, we have a similar(ish) request to the one that started this conversation.  In this case, a member of the public, knowing that emails have been sent to a university email address, has made an SAR for any emails relating to themselves.

I am now rethinking our initial decision to disclose based on some of the comments here, but my understanding of most of the comments is whether or not we are the data controller of the data, and if we are not, then we do not need to disclose under the SAR process.

However, I am now wondering whether the amendments by the FOIA are what requires us to disclose?  Section 68 of the FOIA introduces the definition of "recorded information held by a public authority that doesn't fall within any of paragraphs (a) to (d)" - which these emails would - whilst section 69(1) and (2) bring in a right of access to unstructured personal data held by public authorities (a new section 9A of the DPA), the text of which does not refer to being a data controller but refers throughout to a public authority.  As the uni is a public authority, does it mean (as I think it does) that the SAR process applies in this case because of the public authority angle rather than being a data controller?

Thank you on advance for any suggestions - I do find this list very helpful for the constructive way everyone comments

Samantha

Samantha Hill
Information Disclosure and Complaints Manager
University of Portsmouth

T: 02392 843642
E: [log in to unmask]<mailto:[log in to unmask]>
W: www.port.ac.uk<http://www.port.ac.uk>

University of Portsmouth, University House, Winston Churchill Avenue, Portsmouth, PO1 2UP
[https://storage.googleapis.com/edm-email-content/email-signature.png]

On 25 April 2016 at 13:04, Clarke, Dawn <[log in to unmask]<mailto:[log in to unmask]>> wrote:
I think it is actually the SAR that is erroneous here. This is a solicitor attempting to obtain two people's private communications. Because they have been told a work email address was used they are trying to use the SAR process to obtain them from the Company. They should be obtaining a court order to compel either the sender/recipient, the Company or the ISP to disclose.

If the Company does decide to conduct a SAR process, they will also have to consider the rights and freedoms of the employee and the recipient as third parties because these are not official company communications.

And is it the electronic nature of the communication which is causing the issue? If an employee has used a company provided paper notebook (not headed) to send a note about A through the post, taken a copy and stored it in a folder in his desk marked with A's name and the title Correspondence would we entertain a SAR?

Dawn Clarke
________________________________________
From: This list is for those interested in Data Protection issues [[log in to unmask]<mailto:[log in to unmask]>] On Behalf Of Lawrence Serewicz [[log in to unmask]<mailto:[log in to unmask]>]
Sent: 25 April 2016 12:27
To: [log in to unmask]<mailto:[log in to unmask]>
Subject: Re: [data-protection] Access to emails

Phil,
For the reason that they are the data controller, which I did not make clear. Point B was actually stating the main point. In A and B they are the data controller. .

In point A, the organisation would have the information for the regulatory purpose only not for any other purpose. I would suggest it could argue against disclosure (assuming that the use was benign ie a private email that was in accordance with its acceptable use policy and therefore not caught in its normal work except for the regulatory or enforcement claim.)

I would suggest that people cannot make claims on an organisation to make them the data controller so as to attempt to obtain it through a SAR for example.

For example, Person X says "I think Jones and Smith are writing defamatory emails about me."  I will make a regulatory claim.

The regulatory claim is unfounded.  Person X says "I will make a SAR for what was captured by the regulatory claim."  Off the top of my head, I would suggest that they would not succeed in the claim.

The underlying point, though was not the SAR, it was the role of the organisation in managing its system and how it manages those users within the law.  I fear too often people use work as if they use a social media platform.  The two are distinct. A work computer is within an employment relationship in which the employee becomes part of the organisation within that legal context.  Too often, I fear, we forget that context when looking at SARS and Personal Data and so miss the forest for the trees which leads to employees, in particular, self-deceiving themselves about what they can and cannot do at work with the belief that it is all "private".

Best,

Lawrence

Information and Records Manager
Durham County Council
Room 4/143-148
County Hall
County Durham
DH1 5UF

03000 268038



-----Original Message-----
From: This list is for those interested in Data Protection issues [mailto:[log in to unmask]<mailto:[log in to unmask]>] On Behalf Of Phil Bradshaw
Sent: 25 April 2016 11:22
To: [log in to unmask]<mailto:[log in to unmask]>
Subject: Re: Access to emails

Hi Lawrence

In your scenario why does the employer become DC in B but not A? In both cases they have processed the data for their own purposes - checking compliance with acceptable use policy.

Phil

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
     All archives of messages are stored permanently and are
      available to the world wide web community at large at
      http://www.jiscmail.ac.uk/lists/data-protection.html
     If you wish to leave this list please send the command
       leave data-protection to [log in to unmask]<mailto:[log in to unmask]> All user commands can be found at http://www.jiscmail.ac.uk/help/commandref.htm
 Any queries about sending or receiving messages please send to the list owner
              [log in to unmask]<mailto:[log in to unmask]>
  Full help Desk - please email [log in to unmask]<mailto:[log in to unmask]> describing your needs
        To receive these emails in HTML format send the command:
         SET data-protection HTML to [log in to unmask]<mailto:[log in to unmask]>
   (all commands go to [log in to unmask]<mailto:[log in to unmask]> not the list please)
    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

________________________________


Help protect our environment by only printing this email if absolutely necessary. The information it contains and any files transmitted with it are confidential and are only intended for the person or organisation to whom it is addressed. It may be unlawful for you to use, share or copy the information, if you are not authorised to do so. If you receive this email by mistake, please inform the person who sent it at the above address and then delete the email from your system. Durham County Council takes reasonable precautions to ensure that its emails are virus free. However, we do not accept responsibility for any losses incurred as a result of viruses we might transmit and recommend that you should use your own virus checking procedures.

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
     All archives of messages are stored permanently and are
      available to the world wide web community at large at
      http://www.jiscmail.ac.uk/lists/data-protection.html
     If you wish to leave this list please send the command
       leave data-protection to [log in to unmask]<mailto:[log in to unmask]>
All user commands can be found at http://www.jiscmail.ac.uk/help/commandref.htm
 Any queries about sending or receiving messages please send to the list owner
              [log in to unmask]<mailto:[log in to unmask]>
  Full help Desk - please email [log in to unmask]<mailto:[log in to unmask]> describing your needs
        To receive these emails in HTML format send the command:
         SET data-protection HTML to [log in to unmask]<mailto:[log in to unmask]>
   (all commands go to [log in to unmask]<mailto:[log in to unmask]> not the list please)
    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Internet communications are insecure, therefore City College Norwich (CCN) does not accept legal responsibility for the contents of this message. Any views or opinions presented are solely those of the author and do not necessarily represent those of CCN.

This email and any files sent with it are intended only for the named recipient and may be confidential. If you are not the named recipient please email the sender immediately then delete this message. You should not disclose the content, distribute or retain any copies of this message.

City College Norwich, Ipswich Rd., Norwich, Norfolk. NR2 2LJ.

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
     All archives of messages are stored permanently and are
      available to the world wide web community at large at
      http://www.jiscmail.ac.uk/lists/data-protection.html
     If you wish to leave this list please send the command
       leave data-protection to [log in to unmask]<mailto:[log in to unmask]>
All user commands can be found at http://www.jiscmail.ac.uk/help/commandref.htm
 Any queries about sending or receiving messages please send to the list owner
              [log in to unmask]<mailto:[log in to unmask]>
  Full help Desk - please email [log in to unmask]<mailto:[log in to unmask]> describing your needs
        To receive these emails in HTML format send the command:
         SET data-protection HTML to [log in to unmask]<mailto:[log in to unmask]>
   (all commands go to [log in to unmask]<mailto:[log in to unmask]> not the list please)
    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

________________________________

All archives of messages are stored permanently and are available to the world wide web community at large at http://www.jiscmail.ac.uk/lists/data-protection.html

Selected commands (the command has been filled in below in the body of the email if you are receiving emails in HTML format):

 *   Leaving this list: send leave data-protection to [log in to unmask]<mailto:[log in to unmask]&BODY=LEAVE%20data-protection>
 *   Suspending emails from all JISCMail lists: send SET * NOMAIL to [log in to unmask]<mailto:[log in to unmask]&BODY=SET%20*%20NOMAIL>
 *   To receive emails from this list in text format: send SET data-protection NOHTML to [log in to unmask]<mailto:[log in to unmask]&BODY=SET%20data-protection%20NOHTML>
 *   To receive emails from this list in HTML format: send SET data-protection HTML to [log in to unmask]<mailto:[log in to unmask]&BODY=SET%20data-protection%20HTML>

All user commands can be found at http://www.jiscmail.ac.uk/help/commandref.htm and are sent in the body of an otherwise blank email to [log in to unmask]<mailto:[log in to unmask]>

Any queries about sending or receiving messages please send to the list owner [log in to unmask]<mailto:[log in to unmask]>

(Please send all commands to [log in to unmask]<mailto:[log in to unmask]> not the list or the moderators, and all requests for technical help to [log in to unmask]<mailto:[log in to unmask]>, the general office helpline)

________________________________

________________________________
Internet communications are insecure, therefore City College Norwich (CCN) does not accept legal responsibility for the contents of this message. Any views or opinions presented are solely those of the author and do not necessarily represent those of CCN.

This email and any files sent with it are intended only for the named recipient and may be confidential. If you are not the named recipient please email the sender immediately then delete this message. You should not disclose the content, distribute or retain any copies of this message.

City College Norwich, Ipswich Rd., Norwich, Norfolk. NR2 2LJ.

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
     All archives of messages are stored permanently and are
      available to the world wide web community at large at
      http://www.jiscmail.ac.uk/lists/data-protection.html
     If you wish to leave this list please send the command
       leave data-protection to [log in to unmask]
All user commands can be found at http://www.jiscmail.ac.uk/help/commandref.htm
 Any queries about sending or receiving messages please send to the list owner
              [log in to unmask]
  Full help Desk - please email [log in to unmask] describing your needs
        To receive these emails in HTML format send the command:
         SET data-protection HTML to [log in to unmask]
   (all commands go to [log in to unmask] not the list please)
    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^