The use of electronic mail has grown at an astonishing rate in the last few years. Many professionals are now intensive users of the technology, and many would feel unable to function effectively without ready e-mail access.
What is not so readily appreciated, however, is that electronic mail gives rise to a large number of issues with regard to the Data Protection Act 1998. This legislation imposes a discipline on creators and recipients of electronic mail that is at odds with the relaxed, informal style so often associated with the technology.
The British Standards Institution (BSI) has, in conjunction with the Office of Data Protection and information experts, developed an e-mail policy document that takes into account the 1998 Data Protection Act and its implications.
Inappropriate usage of e-mail has led to a number of legal cases in recent years. The guidance given in the BSI's e-mail policy document offers a reasonably pragmatic way to reduce the risk of infringement of the law while not imposing an excessively rigid system on users.
Where they contain personal information, or where the individual senders and recipients are identifiable, e-mails are subject to the data protection legislation. Personal information contained in e-mails should be treated in the same way as printed materials, or any other material being managed, with regard to data protection in general and the Data Protection principles in particular.
Personal information contained in e-mails should be capable of passing the same tests as that in any other material regarding fair and lawful processing. The First Principle of the 1998 Act includes a requirement for individuals to be told of the identity of the data controller and the purposes for which his or her data is intended. It may not, however, be necessary to inform an individual when it is obvious what processing is going to take place.
E-mails are sent and received for particular purposes which are connected to an organisation's business: for example, sales and purchases, marketing, customer enquiries, personnel management, or general administration. It should, therefore, be possible for these purposes to be specified in terms of the Act; and further, for material to be processed only in relation to such purposes. Messages outside the scope of these purposes should be avoided.
As with any other processed data, the content of e-mail must properly reflect the amount and nature of information needed to transact business effectively - no more; no less. This includes retaining messages where it is important to do so for the integrity of the operation and the personal data.
Accurate and up-to-date
As with any other processed data, the content of e-mails must be accurate and up-to-date. As much care must be taken over the reliability and accuracy of information when communicating via e-mail as with any other communication. The semi-formal and transient qualities that are associated with e-mails should not lure users into regarding their content, particularly in terms of accuracy and currency, as unimportant.
It is a relatively easy matter to retain and archive e-mail messages; simply choosing not to discard messages will create an archive of sorts. Just as it is important to keep messages that contribute to an operation, so it is important to discard those which are of no further use; this includes removing any copies stored on computer, and any paper copies as well.
The rights accorded to data subjects apply as much to e-mail as they do to any other processed data. Specifically, there is the right for the recipient to be informed of processing. Furthermore, the data subject is entitled to be told the identity of the data controller, the purposes for which data is processed and any further information which is necessary to make the processing fair.
Security of data
Attention to security is a fundamental aspect of data protection management and e-mail is no exception. E-mail messages are vulnerable to security breaches both during transmission and afterwards if they are stored by both the sender and the recipient. E-mail messages can be intercepted, read, lost, redirected or even altered by a third party. When they have been sent they will reside, at least for some time, within a system which itself warrants security.
All around the world
By its very nature, e-mail is capable of being networked around the world, at a speed that places it ahead of most alternative communication. Almost all nations around the world can be reached. It is therefore important to ensure that personal data is not transmitted in contravention of the Eighth Principle of the 1998 Act to destinations that do not have adequate arrangements for data protection.
The potential for misuse or error in managing e-mail information is very real given the nature of the medium. There is, therefore, a need for an informed and systematic approach to e-mail use and management. A codification of policy and practice, matched by appropriate supervision and management, is thus needed if responsible (and legal) use of e-mail is to be ensured.
- Ian Brewer, programme manager, BSI-DISC