Skip to content

menu

Reed Smith LLP logo
HomeAboutOur ServicesSubscribeTopicsContact
Search
Close

Technology Law Dispatch

When might a private email account become ‘public property’? Freedom of information guidance may lead to erosion of privacy for employees

By Cynthia O’Donoghue on 10 January 2012
Print:
Email this postTweet this postLike this postShare this post on LinkedIn

This post was also written by Nick Tyler.

There will always be a tension implicit in the relationship between freedom of information and data protection laws. In the United Kingdom this is usually alleviated by the fact that both are regulated by the same person/body, the Information Commissioner’s Office (ICO). However, recently published ICO guidance, aimed at public authorities under the Freedom of Information Act 2000 (FOIA), could provide an arguable basis for allowing private sector organisations to search their employees’ private email accounts for work-related communications or company business to respond to subject access requests made under the Data Protection Act 1998 (DPA) or other legitimate requests, such as e-discovery/disclosure.

The ICO guidance 1 was prompted by reports of government ministers, elected representatives and/or public sector officials using their non-work personal email accounts (e.g. Hotmail, Yahoo and Gmail) for work-related communications and official business. Concerns that this may have been done in a deliberate attempt to circumvent the FOIA regime prompted the regulator to act. The ICO guidance makes it clear that information held in such accounts and relating to official business of a public authority is “held by the authority” and/or “held by another person on behalf of the authority” and is therefore in scope of a request made under FOIA.

We wonder whether by ensuring no stone is left unturned to identify all information within the scope of FOIA requests this guidance might have some unintended consequences, by analogy, in the context of subject access requests made under the DPA.

The guidance requires public authorities that have established the existence of such information to ask the individual “to search their account for any relevant information”. A record of such action needs to be kept “to demonstrate, if required, that appropriate searches have been made in relation to a particular request”. This may arise in the course of the ICO’s investigation of a complaint under FOIA.

The guidance recommends clear policies for email/acceptable use of IT systems, and records management, in an effort to address the acknowledged “complications” arising from the onerous requirement to request “searches of private email accounts, and other private media”.

Addressing similar “complications” could lead to employers exerting their authority over their employees in attempting to either identify all personal data within the scope of a data subject access request or within the scope of a company’s legitimate business interest, such as would be required to respond to disclosure/discovery. The rationale behind the guidance could just as easily be applied, by analogy, to those occasions when the ICO deems it appropriate that such searches should extend to personal email accounts and home computers, where these have been used to process personal data for which the employer is the data controller.

Such unintended consequences inevitably raise genuine concerns about the erosion of privacy in the workplace. At this point such concerns are likely to surface in the public sector workplace, unless accepted as the inevitable price of greater openness in the public sector.

 

1 “Official information held in private email accounts”, ICO, dated 15 December 2011

Posted in Privacy & Data Protection
Tags: data protection, Data Security, e-discovery, freedom of information requests, ICO, personal email accounts, privacy, Privacy & Management, subject access requests
Photo of Cynthia O’Donoghue Cynthia O’Donoghue
Read more about Cynthia O’Donoghue
Related Posts
UK expands scope of NIS Regulations
January 23, 2023
A sigh of relief? EU-US data transfers
January 5, 2023
ICO provides an alternative to the EDPB transfer impact assessment
December 1, 2022

Subscribe to Technology Law Dispatch

Updates direct to your inbox
Subscribe by Email

Technology Law Dispatch

View Our Network of Blogs
Published by
Reed Smith LLP logo
RSS Twitter Facebook LinkedIn YouTube
Privacy Policy |Disclaimer

About Our Firm

Reed Smith represents many of the world’s leading companies in complex litigation and other high-stakes disputes, cross-border and other strategic transactions, and crucial regulatory matters.

Read More...

Topics

Archives

Copyright © 2023, Reed Smith LLP. All Rights Reserved.
Law blog design & platform by LexBlog LexBlog Logo