Access to emails under Data Protection Act and Freedom of Information Act

Email has become the primary form of correspondence relating to University business and as such should be treated in the same way as other forms of written communication such as a letter, memo or fax.

All emails sent and received by University accounts could potentially be disclosed if a request is made under either the Freedom of Information Act or the Data Protection Act:

  • Freedom of information – all University emails are subject to the Freedom of Information Act and could be released into the public domain unless an exemption applies, e.g. if an email is commercially sensitive or concerns personal information;
  • Data protection – if an email contains information about an identifiable living person, that information may be disclosed to that person under the Data Protection Act.

Think before you send

It is therefore very important that thought and consideration are exercised when sending emails – you should treat an email as you would a letter. As emails could be made public or be seen by an individual to whom they relate, you must be able to justify your comments. This can include discussions with a colleague in relation to research or academic matters.

Given the quickfire nature of sending emails, it can be easy to send a message to the wrong person (someone with a similar name perhaps). So always ensure that the intended recipient’s email address is correct, especially if the message or attachment contains personal data (sensitive personal data must only be sent via encrypted email to further protect that information). Take time to consider an emotionally charged email or a message in which you disagree with another person – are your comments fair and reasonable?

And always consider if email is the most appropriate form of communication in a given situation – would a phone call or meeting be a better option if the subject is in any way sensitive?

Deleted emails

Be aware that deleted emails can be retrieved as part of a request under the Data Protection Act. This can be a laborious process so, when appropriate, the University will take a decision as to whether the retrieval of an email or emails would involve ‘disproportionate effort’ (DPA s.8(2)(a)) taking into account the right of the individual to have access to that information. 

Instant Messaging

The above principles also apply to any instant messaging services that staff may have access to for University business (e.g. Google Chat/Hangout). Such services often have the option to go 'off the record' so that chat histories are not logged but, if they are logged, they are potentially subject to disclosure under either the Data Protection Act or Freedom of Information Act.

Instant messaging should only be used for informal communications with colleagues - any discussions pertinent to the University's business should be conducted via email so that a formal record exists.

Personal email accounts

In December 2011, the Information Commissioner issued guidance clarifying that emails held in personal email accounts that relate to official business are subject to the Freedom of Information Act and could be disclosed into the public domain. It should also be noted that it is a criminal offence to purposely conceal or withhold information in relation to a request made under the Freedom of Information Act.