GDPR - subject requests all emails


Michelle Moore

Free Member
Dec 28, 2018
3
0
I have received a subject access request from someone that recently left the company asking for copies of all emails to and from that person or mentioning their name.

I am not aware of any contentious issues that might be contained within the emails. We are a very small company and I would know.

The subject still has the laptop and mobile phone provided to him for business purposes so he already has all the emails that he sent and received. Apparently he is returning the equipment when the last payroll has been completed.

Two questions...

As I have no need to keep the vast majority of the emails to, from or mentioning the subject, if I just delete them from the server and all our PCs, I'm not storing any emails containing the subject's name. It would just save someone having to print hundreds of emails. Can I respond to the request saying there are none as I have deleted them?

If someone leaves, is it OK to keep their email address for any length of time as it is their name? I could delete the email address and any incoming mail would be routed to our catch-all email if it is better to do this.

Many thanks
 
Hi Michelle.

Firstly, if you delete the emails and the data subject believes the emails existed and subsequently complains to the ICO leading to an investigation, you would be expected to provide audit logs to prove they were deleted before the request was made. Particularly so if the emails exist on a device the person has, so they have evidence that they existed up until a particular date.
It is a criminal offence to delete data to avoid providing it in a Subject Access Request.

In terms of what you must provide, you are only lawfully required to provide information the data subject does not already have, so if they have emails on their laptop that they can still access, you could reasonably direct them to obtain the information from that device.
You may have to go through other employees' emails such as between management or other staff regarding any disciplinary action or appraisals, even meeting minutes or notes about that person, so the person may not have all the emails pertaining to them on the device(s) they still have.

If the volume of emails is significant, you can ask the individual concerned if there are particular emails they are seeking to narrow down the search but they are not obliged to do this.


Once a person leaves the business, the email address no longer identifies that person, even if it contains their name, as they are no longer an employee. You can retain it if your business feels it is necessary and the person has no right to see anything sent to that mailbox after they left.

Hope this helps

Mike
 
Upvote 0

Wogan May

Free Member
Dec 25, 2018
48
10
This seems like a bit of a frivolous request. Since they already have all the emails to/from them, and can export/backup/print/download/whatever from their existing devices, the only thing to be gained are any emails that mention their name.

Which would be an absurd invasion of privacy and has already been identified as exempt from GDPR: https://thenextweb.com/eu/2018/05/03/no-gdpr-wont-let-you-read-your-bosss-emails-about-you/

The main rationale there is that such a request (for ANY emails containing a mention of their name that was not addressed to them) would contain the personal information of other data subjects (namely, their thoughts), which the subject is not entitled to. Far as I understand this is a well-established precedent.

You can also reject requests if you believe they're frivolous or vexatious. In this case, since the employee already has all the information they're entitled to (their full email history) there's no good reason to ask for it again (frivolous), and if they press the point about wanting emails that merely mention them, for no good reason, that's arguably vexatious.

Obviously I'm not a lawyer, but the spirit of GDPR is not geared to support vengeful data requests like this.
 
Upvote 0
@Wogan May I would love to see the "European case law clearly states that data such as emails your boss has sent about you is exempt from this" as to my knowledge, any data including personal opinions are far from exempt from the GDPR.

The privacy element is irrelevant as any data controller should be redacting the personal data of others (unless they obtain permission from them to release the information), so that the content only identifies the data subject.

The article is quite right however that if the effort would be disproportionate, you can charge a fee. You can also ask the subject to restrict their criteria, but they are not obliged to do so.

I would not like to be the data protection officer or person in charge of data protection in an organisation who has to defend such a decision to not provide a boss's emails to the ICO. This was a specific item covered in my practitioner course and in the eyes of the ICO, they absolutely are covered by GDPR!
I'd urge you to read the ICO's post on SARs which does specifically include emails
https://ico.org.uk/your-data-matters/your-right-of-access/

Not that I am dissing anyone or any person's knowledge or qualifications, personally I am not sure I would trust as gospel information provided by a "junior associate" as traditionally this means inexperienced and/or unqualified. Essentially a trainee.
 
Upvote 0

Wogan May

Free Member
Dec 25, 2018
48
10
@Mike Kilby PC.dp I'm busy looking that up myself, actually. To date I've only considered GDPR in the context of B2C applications, where users might want to export/purge their data when cancelling a subscription. Employer/employee stuff is no doubt more complicated.

On that ICO link you shared, it does point out the following:

An organisation may refuse your subject access request if your data includes information about another individual, except where:
  • the other individual has agreed to the disclosure, or
  • it is reasonable to provide you with this information without the other individual’s consent.

Plus, far as I know, there have been Confidentiality rules in EU law for ages, centered on the "reasonable expectation of privacy" and GDPR wouldn't have undone that. If they did, it would open up an absolute shitstorm of frivolous requests - any disgruntled employee could make the employer's life hell with repeated requests.

So the way I understand it, if I send an email to a colleague and mention someone who later resigns, the only way they get to see what I said about them is if I consent to the disclosure, or if the information is of such a nature that automatic disclosure is warranted (civil/criminal liability?).

But it doesn't look nearly as clear cut as "everyone gets what they ask for and every case is defended to the ICO". If that were indeed the case, there would be no reason to use work email at all - everything you send could someday be requested just because you mentioned a colleague.
 
Upvote 0

Wogan May

Free Member
Dec 25, 2018
48
10
@Mike Kilby PC.dp I'm about to leave for the weekend, just wanted to link this in. From the actual text of the GDPR itself: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex:32016R0679

Article 15 ("Right of access by the data subject"), paragraph 3:

The controller shall provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form.

That's what enables the right to do subject access requests. Crucial, though, is paragraph 4:

The right to obtain a copy referred to in paragraph 3 shall not adversely affect the rights and freedoms of others.

That's where all the confusion is going to come from. GDPR can't be used to defeat privacy or get malicious access to data you're not entitled to. It can't be used to hammer a small organization with repeated access requests that require lots of resource allocation. Everything I've seen here suggests that GDPR fairly balances the rights of individuals and organizations when it comes to this stuff.

It's gonna take another couple years of cases though before we know for sure where we stand, though!
 
Upvote 0

Newchodge

Business Member
Nov 8, 2012
16,212
4,576
Newcastle
Obviously I'm not a lawyer

Very obviously if you give rubbish advice like this. The data subject is entitled to receive all personal information held about them. Discussions about the individual that take place without their knowledge are NOT exempt.
 
Upvote 0
Let me try to make this as simple as possible:
  1. If it is a company supplied system, any data held within it is subject to the GDPR if it identifies or relates to an individual living person, regardless of who wrote it or why.
  2. You are lawfully bound by Article 15 to supply everything, no exceptions, but;
  3. If data can identify another person (paragraph 4), you must redact it so that it does not identify that person, if you cannot get the permission of the person to release the information unredacted.
Check out the recitals that go along with Article 15 at https://gdpr-info.eu/recitals/no-63/
Particularly point 6 "However, the result of those considerations should not be a refusal to provide all information to the data subject"


The supply of such information was part of the Data Protection Act 1998; the only reason people are now worried about it is because they know about it. The vast majority of businesses barely understood their DPA obligations and the GDPR has just "woken them up".

Also, when looking at Data Protection in the workplace, don't forget to consider the hidden gem, the Data Protection Act 2018 which adds more conditions over the GDPR, such as all employment references now being exempt from Subject Access.
 
Upvote 0

Wogan May

Free Member
Dec 25, 2018
48
10
Particularly point 6 "However, the result of those considerations should not be a refusal to provide all information to the data subject"

Which is directly preceded by point 5, which says:

That right should not adversely affect the rights or freedoms of others, including trade secrets or intellectual property and in particular the copyright protecting the software.

That's the point I keep coming back to. If the result of a subject access request is that somebody else's privacy is infringed, then it's an adverse effect. I agree 100% with you on the point that irrelevant information would need to be redacted and that there could be a huge time/money cost associated with that, but in no way does GDPR allow an ex-employee to infringe the privacy of their former employer through a simple request.

If the answer is in fact point 6, like you said, that every request results in all information being provided, then there is no point to item 5, or to privacy in general. That's what I can't reconcile here: How could GDPR uphold privacy while also providing a mechanism to completely subvert that?
 
Upvote 0

Wogan May

Free Member
Dec 25, 2018
48
10
Very obviously if you give rubbish advice like this. The data subject is entitled to receive all personal information held about them.

I've just spent the last hour reading ICO guidance on this, and it's not "rubbish" to point out that there is a lot of context that needs to be considered on a request like this. It's not just a straight "if email contains word 'Cyndy' then export" request - every single item needs to be considered in terms of the right to privacy that other affected subjects have.

This is how complicated it can get (one of the examples):

Emails written by a lawyer to their client about their client’s matter all contain references to the lawyer’s name and place of work, which will be the lawyer’s personal data. However, the content of the emails are not about the individual lawyer, but about the client’s instructions. The content of the email is not, therefore, personal data where it concerns legal advice about the client’s legal query.

If a complaint was then made about the lawyer’s performance or advice and the emails were then used to investigate this, the legal advice given in them would become personal data.

Link: https://ico.org.uk/for-organisation...sonal-data/what-is-the-meaning-of-relates-to/

More to the point - the simple question of "what is personal data" goes on forever, including gems like:

  • Information must ‘relate to’ the identifiable individual to be personal data.
  • This means that it does more than simply identifying them – it must concern the individual in some way.
  • To decide whether or not data relates to an individual, you may need to consider:
    • the content of the data – is it directly about the individual or their activities?;
    • the purpose you will process the data for; and
    • the results of or effects on the individual from processing the data.
  • Data can reference an identifiable individual and not be personal data about that individual, as the information does not relate to them.

Link: https://ico.org.uk/for-organisation...n-gdpr/key-definitions/what-is-personal-data/

Finally, if I were any sort of actual lawyer I'd be charging for this. Clearly forum posts are not legal advice.
 
Upvote 0
I've just spent the last hour reading ICO guidance on this, and it's not "rubbish" to point out that there is a lot of context that needs to be considered on a request like this. It's not just a straight "if email contains word 'Cyndy' then export" request - every single item needs to be considered in terms of the right to privacy that other affected subjects have

Indeed, there is far more to the entire data protection subject than simply reading a single paragraph of legislation out of context, or googling it and finding just one interpretation, which is not always the correct interpretation.

if I were any sort of actual lawyer I'd be charging for this. Clearly forum posts are not legal advice.

I do charge, but I also feel that those who cannot afford to engage a professional shouldn't be left out, hence why I participate in forums like this.

Forum posts are most definitely not and will never replace proper legal advice. Where I can offer an opinion, I will, but I would always recommend that anyone who is in any doubt, consults with someone like myself in a professional capacity, or a relevant legal professional like @Newchodge who are specialists in their own respective area, and can perhaps understand the intricacies of legislation specific to their market better than I can.
 
Upvote 0

paulears

Free Member
Jan 7, 2015
5,011
1,378
Suffolk - UK
A side question. In the case of emails - if I'm understanding this correctly, I have a right to read anyone else's email that mentions me? Is this correct? Sounds like a real invasion of privacy? How would anyone involved in say, disciplinary cases, keep their defence or attack details private? Surely the content of emails is like letters and printed material, private? It's not data is it? It's plain language text - does that count as data? This also seems to mean that an employer would have to read employees emails - something also quite tricky to justify.
 
Upvote 0
You have a right to make a subject access request to your employer to see any information held that is about you.

It is not an invasion of privacy because your employer would have to redact the personal information of any other individuals referenced in the emails.

In the case of disciplinaries or similar, an employer can refuse on grounds that "provision would prejudice formal proceedings"; however a tribunal or court could overrule this.

There is no such thing as private in the context of an employer/employee relationship. If it's private it's personal and should not be done in company systems or in company time.

The definition of personal data is "any data, both written or electronic, which alone, or in combination with other data you may have, or could reasonably obtain in the future, identifies or relates to an identified individual living person".

There is a rider that it must be in a structured filing system, so anything that is organised by some attribute (such as email address) or searchable easily (like emails) is data under the law.

I am sure that most employers now should have IT policies which should state that they may be monitored, ergo can be read.

I can’t remember off the top of my head, but I am sure there is an ICO enforcement action against a company for not supplying emails as part of a SAR when they could have reasonably done so.
 
Upvote 0

Alan

Free Member
Aug 16, 2011
6,956
1,920
It is not an invasion of privacy because your employer would have to redact the personal information of any other individuals referenced in the emails.

I think this is the key point, the employee could see the email, but the sender & receivers would be deleted and all text not relevant to them would be deleted.

So they may get
From: *****
To: *****
************
******** ********** by the way Fred Jones isn't pulling his weight maybe put him under review ******** ********** ************

From: *******
To *******
*********** ***************** ******* * by the way just start disciplinary process on Fred Jones ****** ******* ********

Obviously this will involve a lot of manual review .............
 
Upvote 0
That is the correct interpretation Alan.

ecommence84, yes it might be a lot of hard work, but I don't believe Michelle ever said that this was someone being awkward or bloody minded.

She is not aware of any issues, which she believes she would be, but the person may have other reasons for wanting them.

The employee might feel that they were unfairly dismissed, or felt like they had no choice but to leave. They might have been asking for a pay rise and not got one. We simply don't know the circumstances of the employee's departure, so it's not really productive to draw conclusions based on the lack of knowledge.

All we can do is inform Michelle of what the correct legal interpretation of the GDPR is in her scenario.
 
Upvote 0
This means that it does more than simply identifying them – it must concern the individual in some way.
So an email sent to or from someone isn't personal information relating to them just because it was addressed to them/sent by them, say if it is about an order shipped from China and they were receiving it to make them aware. In other words they have no right to request all emails sent/received only those where they were in part the subject of the email.
 
Upvote 0

Wogan May

Free Member
Dec 25, 2018
48
10
Somewhat tangential: Email is a mess.

Not only would a SAR require lots of redaction, but the way people use email itself is inefficient. People start threads that build up enormous reply, forward, reply-all, cc, and bcc chains, each message containing the entire history of that thread of the conversation.

Content that needs to be redacted from the first email in the thread would also need to be redacted in all messages that contain the initial content - you'll be removing the same references from hundreds of messages at a go.

Honestly, this is all a fantastic argument for not using email at all, and rather using an internal group chat tool like Slack for business communication.
 
Upvote 0
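Alan's stars-and-kept-sentences illustration above and Wogan May's point about quoted thread history both describe a redaction process. The following Python is an added example, not code from the thread or from any poster, showing one way to apply that process to a constructed three-message chain: From/To/Cc/Bcc headers are masked, only sentences naming the data subject are kept, other named individuals are masked within those sentences, and history that a reply quotes (either with ">" markers or pasted inline, Outlook-style) is not released a second time. All names, addresses, message text and the helper names (redact_message, redact_thread) are constructed assumptions, and the name lists are inputs a reviewer would have to supply.

```python
"""Added example (not from the thread): redacting an email chain for a SAR.

All names, addresses and message text below are constructed for illustration.
"""
import email
import re

MASK = "*****"
DISCLOSED = "[disclosed above]"
_SENTENCE_SPLIT = re.compile(r"(?<=[.!?])\s+")
_PERSON_HEADERS = ("From", "To", "Cc", "Bcc")

SUBJECT = "Fred Jones"                                    # the data subject (constructed)
OTHER_PEOPLE = ["Alice Smith", "Bob Brown", "Carol Davis"]  # others to redact (constructed)

# Constructed three-message chain. Message 2 quotes message 1 with ">" markers;
# message 3 forwards message 2 by pasting its text inline with no marker at all.
THREAD = [
    "From: alice.smith@example.com\nTo: bob.brown@example.com\nSubject: Team update\n\n"
    "Hi Bob. The Q3 numbers look fine. By the way Fred Jones isn't pulling his "
    "weight, maybe put him under review. Alice Smith will be on leave next week.\n",
    "From: bob.brown@example.com\nTo: alice.smith@example.com\nSubject: Re: Team update\n\n"
    "Agreed. By the way just start the disciplinary process on Fred Jones, Alice "
    "Smith will handle it. Bob Brown\n"
    "> Hi Bob. The Q3 numbers look fine. By the way Fred Jones isn't pulling his "
    "weight, maybe put him under review. Alice Smith will be on leave next week.\n",
    "From: alice.smith@example.com\nTo: carol.davis@example.com\nSubject: Fwd: Team update\n\n"
    "FYI see below. Carol Davis please note.\n-----Original Message-----\n"
    "Agreed. By the way just start the disciplinary process on Fred Jones, Alice "
    "Smith will handle it. Bob Brown\n",
]


def redact_message(raw, subject_name, other_people, seen):
    """Redact one message; `seen` carries sentences already disclosed earlier in the chain."""
    msg = email.message_from_string(raw)
    # Sender and recipient identities are other people's personal data: mask them.
    headers = {h: MASK for h in _PERSON_HEADERS if h in msg}
    headers["Subject"] = msg.get("Subject", "")
    # Drop ">"-quoted history; it is handled when the original message is processed.
    own_text = " ".join(
        line for line in msg.get_payload().splitlines()
        if not line.lstrip().startswith(">")
    )
    parts = []
    for sentence in _SENTENCE_SPLIT.split(own_text):
        sentence = sentence.strip()
        if not sentence:
            continue
        if subject_name.lower() not in sentence.lower():
            # Not about the data subject: mask it, collapsing runs of masked text.
            if not parts or parts[-1] != MASK:
                parts.append(MASK)
            continue
        key = sentence.lower()
        if key in seen:
            # Inline-pasted history: already released once, do not duplicate it.
            parts.append(DISCLOSED)
            continue
        seen.add(key)
        for name in other_people:  # redact other identifiable individuals
            sentence = sentence.replace(name, MASK)
        parts.append(sentence)
    return {"headers": headers, "body": " ".join(parts)}


def redact_thread(thread, subject_name, other_people):
    """Redact a whole chain in order so later replies cannot re-release quoted content."""
    seen = set()
    return [redact_message(raw, subject_name, other_people, seen) for raw in thread]


if __name__ == "__main__":
    for item in redact_thread(THREAD, SUBJECT, OTHER_PEOPLE):
        for name, value in item["headers"].items():
            print(f"{name}: {value}")
        print(item["body"], end="\n\n")
```

Sentence-level masking keeps the "by the way ... Fred Jones" fragments that Alan's illustration shows while dropping greetings, sign-offs and unrelated business; the `seen` set is what stops a quoted or forwarded passage from being disclosed once per message in the chain. A real review would still need a human pass, since a name list will miss nicknames, initials and indirect references.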
So an email sent to or from someone isn't personal information relating to them just because it was addressed to them/sent by them
@obscure an email identifies at least two individual people, the person who sent it and the person who received it, so it is personal data.
If the employee was fired because the delivery was late, they may want to take the matter to a tribunal and obtain copies of those emails to prove that they placed the order in good time and it was not their fault.

Honestly, this is all a fantastic argument for not using email at all, and rather using an internal group chat tool like Slack for business communication.
@Wogan May unfortunately if internal group chat is used, this is also personal data because they generally identify who is sending a message. I have actually had a case of a client with an employee who was being frankly obnoxious via Skype for Business with another employee. The complainant made an SAR to request the chat logs to demonstrate inappropriate advances towards them at a tribunal.

Even things like this forum are personal data. My replies here are my opinions or views, as are yours. In theory, any one of us could make an SAR to UK Business Forums and expect them to pull out of their system every post we ever made, of course redacting any other identifiers of other people.

As I have said before, these are nothing new, we've had this in the Data Protection Act 1998, it's just that people are now more aware of it through the hype that was generated over GDPR.
The only data that is exempt from GDPR is data that is purely your personal affairs.
 
Upvote 0

Alan

Free Member
Aug 16, 2011
6,956
1,920
Even things like this forum are personal data. My replies here are my opinions or views, as are yours. In theory, any one os us could make an SAR to UK Business Forums and expect them to pull out of their system, every post we ever made, of course redacting any other identifiers of other people.

Minor point - I think that would only apply to private messages - as the public posts are - well - public - so you already have access.

But I guess you are saying that I could ask UKBF to give me all private messages where I have been mentioned by other forum members privately, perhaps taking the rise out of my dyslexic responses or lack of understanding of split infinitives ... what fun ... but perhaps that is frivolous and thus chargeable ?
 
Upvote 0