Data Protection Act 1998:
Standards and Best Practice Handbook for Government Departments
Annex C
(To be tailored for use as departmental circular)
Handling of E-Mails and Other Electronic Documents and Material
Emails
1. Incoming and outgoing emails are covered by the Data Protection Act 1998
(DPA) if one or other of the following criteria is met:
- the sender or recipient is identifiable, either through their email
address or the text of the email; or
- the text of the email contains personal data, ie facts, opinions or
intentions about identifiable living individuals.
2. Under the DPA, emails in personal mailboxes and deleted items boxes,
emails saved into an electronic records management system and emails
placed on paper files that fall within the definition of a “relevant filing
system” are liable for disclosure, either in part or as a whole, in
response to a subject access request, if they contain relevant personal
data. This is subject to any third party consideration and exemptions that
might apply. Copies on back-up systems may also be liable for disclosure,
for example in exceptional circumstances relating to serious criminal
allegations.
3. Emails are potentially part of the corporate record of a department and
should be subject to the department’s records management policies and
procedures. Nothing should be put in an email that cannot be defended.
4. All staff should review incoming and outgoing emails to decide whether
they contain information about the department’s business that should be
kept as part of the corporate record or for other reasons, eg the six-year
limitation period for claims for breach of contract to be litigated. If the
decision is to retain an email it should be filed by saving it into the
departmental electronic records management system/by printing it off and
putting it on the relevant paper file. The email should then be deleted
from the personal mailbox and any “deleted items” box.
5. If an email is not required for the corporate record or other reasons it
should be deleted, either immediately or when it has ceased to be of use.
This includes those emails that may have been moved from a mailbox to a
personal or shared storage area.
Other electronic documents and material
6. The principles that apply to the handling of emails apply in general to
the handling of other electronic documents and material. In particular
electronic documents and material that form part of the corporate record
should be saved into the departmental electronic records management
system/printed off and placed on the relevant paper file. The copy of the
document or material concerned, whether it is held in a personal or shared
storage area, should then be deleted.
7. Electronic documents and material containing personal data that are
saved into an electronic records management system or printed off and
placed on paper files that form part of a relevant system, are liable for
disclosure either in part or as a whole, in response to a subject access
request. The same is true in relation to electronic documents and material
retained for whatever reason in personal or shared storage areas.