University home > University Secretary's … > Data Protection > Access to emails via Data Prote…

Access to emails via Data Protection Act and Freedom of Information Act

Email has become the primary form of correspondence relating to University business and as such should be treated in the same way as other forms of written communication such as a letter, memo or fax.

All emails sent and received by University accounts could potentially be disclosed if a request is made under either the Freedom of Information Act or the Data Protection Act:

Freedom of Information – all University emails are subject to the Freedom of Information Act and could be released into the public domain unless an exemption applies e.g. if it is commercially sensitive or concerns personal information;
Data Protection – if an email contains information about an identifiable living person, that information may be disclosed to that person under the Data Protection Act.

Think before you send

It is therefore very important that thought and consideration are exercised when sending emails – you should treat an email as you would a letter. As emails could be made public or be seen by an individual to whom they relate, you must be able to justify your comments. This can include discussions with a colleague in relation to research or academic matters.

Given the quickfire nature of sending emails, it can be easy to send a message to the wrong person (someone with a similar name perhaps). So always ensure that the intended recipient’s email address is correct, especially if the message or attachment contains personal data (sensitive personal data must only be sent via encrypted email to further protect that information). Take time to consider an emotionally charged email or a message in which you disagree with another person – are your comments fair and reasonable?

And always consider if email is the most appropriate form of communication in a given situation – would a phone call or meeting be a better option if the subject is in any way sensitive?

Retention

The University’s guidelines on records retention gives a number of minimum retention periods in relation to information (including emails) held by the University. Emails should be filed as a hard copy or kept electronically, but rarely both so University storage space is not used unnecessarily.

JISC infoNet gives further detailed advice on the retention of HE records.

It is also helpful to have regular email clearouts so you are not retaining a large amount of emails unnecessarily.

Deleted emails

Be aware that deleted emails can be retrieved as part of a request under the Data Protection Act. This can be a laborious process so, when appropriate, the University will take a decision as to whether the retrieval of an email or emails would involve ‘disproportionate effort’ (DPA s.8(2)(a)) taking into account the right of the individual to have access to that information.

Personal email accounts

In December 2011, the Information Commissioner issued guidance clarifying that emails held in personal email accounts that relate official business are subject to the Freedom of Information Act and could be disclosed into the public domain. It should also be noted that it is a criminal offence to conceal or withhold information in relation to a request made under the Freedom of Information Act.