Technology Law Dispatch

When might a private email account become ‘public property’? Freedom of information guidance may lead to erosion of privacy for employees

By Cynthia O’Donoghue on 10 January 2012

This post was also written by Nick Tyler.

There will always be a tension implicit in the relationship between freedom of information and data protection laws. In the United Kingdom this is usually alleviated by the fact that both are regulated by the same person/body, the Information Commissioner’s Office (ICO). However, recently published ICO guidance, aimed at public authorities under the Freedom of Information Act 2000 (FOIA), could provide an arguable basis for allowing private sector organisations to search their employees’ private email accounts for work-related communications or company business to respond to subject access requests made under the Data Protection Act 1998 (DPA) or other legitimate requests, such as e-discovery/disclosure.

The ICO guidance [1] was prompted by reports of government ministers, elected representatives and/or public sector officials using their non-work personal email accounts (e.g. Hotmail, Yahoo and Gmail) for work-related communications and official business. Concerns that this may have been done in a deliberate attempt to circumvent the FOIA regime prompted the regulator to act. The ICO guidance makes it clear that information held in such accounts and relating to official business of a public authority is “held by the authority” and/or “held by another person on behalf of the authority” and is therefore in scope of a request made under FOIA.

We wonder whether, by ensuring no stone is left unturned in identifying all information within the scope of FOIA requests, this guidance might have some unintended consequences, by analogy, in the context of subject access requests made under the DPA.

The guidance requires public authorities that have established the existence of such information to ask the individual “to search their account for any relevant information”. A record of such action needs to be kept “to demonstrate, if required, that appropriate searches have been made in relation to a particular request”. This may arise in the course of the ICO’s investigation of a complaint under FOIA.

The guidance recommends clear policies for email/acceptable use of IT systems, and records management, in an effort to address the acknowledged “complications” arising from the onerous requirement to request “searches of private email accounts, and other private media”.

Addressing similar “complications” could lead to employers exerting their authority over their employees in attempting to either identify all personal data within the scope of a data subject access request or within the scope of a company’s legitimate business interest, such as would be required to respond to disclosure/discovery. The rationale behind the guidance could just as easily be applied, by analogy, to those occasions when the ICO deems it appropriate that such searches should extend to personal email accounts and home computers, where these have been used to process personal data for which the employer is the data controller.

Such unintended consequences inevitably raise genuine concerns about the erosion of privacy in the workplace. At this point such concerns are likely to surface in the public sector workplace, unless accepted as the inevitable price of greater openness in the public sector.

 

[1] “Official information held in private email accounts”, ICO, dated 15 December 2011

Posted in Privacy & Data Protection
Tags: data protection, Data Security, e-discovery, freedom of information requests, ICO, personal email accounts, privacy, Privacy & Management, subject access requests