OnePlus 5T review: Hands-on
I have been having dealings with a local authority department. Last November I asked them to search their email archives for any reference to myself. You can do this under the Data
Protection Act 1998. I discovered today that the Data Protection Officer (who is also a
senior manager in the department, someone with a strong interest in not finding anything) had stopped work on it almost as soon as he had started ('I know about your case and I
judged you wouldn't want the search anymore'). I told him I did want it, and he said he could only reliably go back one month from today. This is because (he says) deleted emails are only kept for one month on something called a tombstone file. Anything incriminating
will, of course, have been deleted in November.
Relevant facts: 1. They use Microsoft Outlook 2. There is some sort of monitoring software
in place - this was stated recently in the local press (staff were caught misusing the
internet) 3. To narrow the search I gave the authority a small list of names; I'm only
interested in emails to and from these people 4. It is against authority practice to name
members of the public in emails.
So ignoring the ethics of the local authority department, some questions:
1. I thought emails had to be kept for 5 years. Am I wrong?
2. I am following this up with the overall head of data protection. He is very helpful but not an IT expert. What sort of questions should I be asking him to relay to the authority's IT people?
3. The DP officer (the first one) says that even if he could retrieve deleted emails, the search for my name could only be done by loading the emails to their original senders' mailboxes and trusting them to do the search themselves. Surely this can't be right?
1. I'm not aware of any requirement to keep emails for 5 years, or any specific time. The Data Protection Officer is, I believe, responsible for archiving the organisation's records (paper or electronic) for a reasonable amount of time. What is reasonable is dependent on the type of information that is held within the data.
2. Ask him what their policy is for retaining paper correspondence with members of the public, and whether their electronic systems have the same criteria applied.
3. I don't see how or why this is your problem. Assuming you have a legitimate interest in retrieving those records, the ease (or otherwise) of their retrieval is not your concern, other than they have a right to charge a reasonable administration fee to retrieve the information.
There are many ways to setup Outlook in a corporate environment, and many ways to access archived data. If it is a matter of inconvenience, then they should have considered that when setting up their systems.
If it is a matter of lack of trust in particular members of staff, then they will have to use trusted people with Administrator rights who can access the mailboxes and retrieve the information that you require.
As a general point, it might be thought to be held unreasonable to ask for any personal information 'held' about you, if the information is not actually 'held', i.e. it has been destroyed.
The was a thread somewhere amongst this lot which I found extremely interesting & in this case i'm sure you will to. But alas I can't find it, but hopefully I can point you in the right direction.
There's a place on the internet all about data protection, I believe it to be a goverment web site.
Once you have found this website, may'be someone could post the link. There are links at the top of the page, There is a logo far left, it's the second link to the right. If you click it, it gives you the ability to search for the policies on everyone who has registered. Here you will find the policies of the organisation in question including who long they keep such records.
Hope you find this helpful, sorry for not be able to offer you the correct link, but a search on say google should find you the site
Data Protection Registrar site - click here
This thread is now locked and can not be replied to.