
Data Protection Act 1998: Guidance for Cabinet Office Staff

Standards and Best Practice Handbook for Government Departments

7. Handling, Searching and Deleting of Emails

Issue

Emails, both incoming and outgoing, are covered by the Data Protection Act 1998 (DPA) if one or other of the following criteria is met:

2. There is the question as to whether, for the purposes of locating personal data on computer systems in response to a subject access request, individual members of staff should search their own emails (and documents and files) or whether such a search may legitimately be conducted centrally on behalf of the data controller without the employee’s consent.

3. There is also the question of whether emails that include personal data but which have been deleted on a computer system, continue to be personal data within the meaning of the DPA. In this respect there are two situations to be recognised. The first is where the deletion of an email consigns it to a storage area within the system that is in practice used as a repository of information, which may on occasion be accessed to retrieve information. The second is where the deletion of an email consigns it to an area of the system memory which can only be accessed with great difficulty. This is quite common with modern computer systems, which means that whilst a user may do all they reasonably can to delete an item it is not wholly removed from the system memory.

Standards

4. Departments need to ensure that staff:

Recommended best practice

5. Departments should inform their staff that emails may be monitored, perhaps by displaying on personal computers an automatic message when staff log onto the network which states that communications may be monitored and recorded to ensure the effective operation of the system and for other lawful purposes. Departments in general should also consider the possibility of making it a requirement to give consent to the monitoring of emails as a term and condition of employment. Departments should additionally consider the possibility of including a reference on the standard format of an email to the effect that emails sent or received by the department may be monitored for lawful purposes.

6. Emails are potentially part of the corporate record of a department and should be subject to a department’s records management policies and procedures. All staff should be required to review incoming and outgoing emails to decide whether they should be kept for the corporate record or for other reasons. If an email needs to be retained it should be saved into the departmental electronic records management system or, in the absence of such a system, printed off and put on the relevant paper file. The email should then be deleted from the personal mailbox and any “deleted items” box. If an email is not required for the corporate record or other reasons it should be deleted, either immediately or when it has ceased to be of use. This includes any emails that have been moved from a mailbox to a personal or shared storage area.

7. Retention periods should be assigned to both electronic records and paper files in consultation with the department’s records manager and set out in disposal schedules or similar documents.

8. An example of the guidance on the handling of emails (and other electronic documents and material) that departments may wish to issue to their staff is at Annex C.

9. Departments need to take account of the situation where the deletion of an email consigns it to a storage area within the system and also where deletion consigns it to an area of the system memory that could be accessed. Where deleted emails can be searched for personal data and that information can be retrieved without undue difficulty or disruption to a department’s IT system a search should be made. Where deleted emails cannot be searched for personal data without exceptional difficulty, for example necessitating the shut-down of a department’s IT system, the data subject should be informed that it is possible that personal data is held in the form of deleted emails which are no longer available in the data controller’s “live” system; that the data controller’s policy is to retrieve such data only in exceptional circumstances (such as serious criminal allegations); and that it is not possible to search the “non-live” system without expending disproportionate time and resources. Although the Information Commissioner has indicated in her guidance that she would approve this approach, it should be recognised that this may be open to challenge by a data subject and departments need to be prepared to defend adopting such an approach.

10. It would be prudent for departments to seek advice from specialists as to how emails on a departmental IT system could be permanently deleted and destroyed in such a way that they would no longer fall within the definition of “processing” in the DPA.

11. Departments should consider the benefit of automatic deletion of emails after a reasonable length of time, eg 90 days. A departmental policy of automatically deleting emails after a set period would be defensible under the DPA. It would be for users to ensure that they moved those emails of a non-ephemeral nature to an appropriate folder within the set period. The DPA specifically requires that personal data should not be kept for longer than is necessary.

12. The overall approach applies equally to back-up or archive data. These also should be assigned retention periods as outlined above.
