E-Mail Privacy
I am told that including people and their E-Mail address as cc's on E-Mail is a breach of the law on privacy under Data Protection legislation. Is this true?
http://tinyurl.com/gurvf2e is a link to a Guardian article which suggests an offence is committed if consent has not been given.
I think that you'll find a difference between acting as an individual and as a data holder within an organisation.
If a person within an organisation were to send out an email containing private information, but cc'd to others who have no right to access that information, a data breach would be involved, with regard to that information. Similarly, if the content of the email was not private, but the cc'd email addresses were used by a receiving organisation to compile a mailing list for marketing purposes, then a data breach has probably been committed.
Whereas if you personally were to send out an email containing cc'd email addresses, you would probably not be in breach of the DPA, as you don't have a Data Controller registered under the Act.
Yes, twix has got it exactly right. I got the impression that the question asked by rich was from the perspective of an individual.
“It is a breach and an HIV clinic was fined for sending an e-mail out with hundreds of folk cc'd rather than bcc'd.”
“If that is the case I am not sure then why email providers include this facility- could they be deemed to be complicit in an unlawful act?”
“The facility is there because it's perfectly possible to use it legally.”
The difference is, Corby, that the HIV clinic was almost certainly defined as a “Data Controller” under the Data Protection Act (DPA), whereas you or I (as individuals) would not be. I have possession of quite a number of names, addresses, phone numbers, dates of birth and e-mail addresses of my friends, relatives and acquaintances. But that does not make me a “data controller” and thus bound by the DPA to handle them as it decrees. When somebody gives you their details you do not suddenly become a “data controller” and it is only data controllers, as defined by the Act, who are subject to its provisions. As an individual there is nothing to stop you from cc’ing an e-Mail to other people and including their e-Mail details.
There is a lot of rubbish spoken under the umbrella of the Data Protection Act, much of it by companies who quote it completely inappropriately, often ignorantly and falsely when dealing with their customers and others. But individuals also seem to think its powers extend far wider than they really do.
The Data Protection Act says,
"Domestic purposes.
Personal data processed by an individual only for the purposes of that individual’s personal, family or household affairs (including recreational purposes) are exempt from the data protection principles and the provisions of Parts II and III."
I suppose it depends on the definition of "recreational purposes" as to what level of data you can store.
it sounds as though you should be registered under the DPA NJ
For the HIV clinic - the data controller will be the Hospital's erm Data controller. Here is the one for my local
http://www.cmft.nhs.uk/media/170767/data%20protection%20policy.pdf
and you will find the guilty party at para 2.4
They aren't very good
here is me screwing them over an inquiry in 2015
https://ico.org.uk/media/action-weve-taken/decision-notices/2015/1043248/fs_50561958.pdf
[ and yes I am registered under the DPA ]
yeah he (NJ) has explained but I don't think his explanation is ... kosher
the ICO advice on emails is here
https://ico.org.uk/for-organisations/guide-to-data-protection/encryption/scenarios/sending-personal-data-by-email/
which I suggest you don't wade through unless it is raining outside
“yeah he (NJ) has explained but I don't think his explanation is ... kosher”
My information may not conform to the Jewish dietary laws, Peter, but as Corby has explained, the DPA, Part IV, section 36 says exactly what he has stated.
I assumed (as I said earlier) that this question was asked from a “personal individual” perspective. I think most people know that companies and organisations holding sensitive personal data have to comply with the DPA. The link that you provided gives guidance to “Data Controllers” who represent organisations that clearly are subject to the Act.
Of course any dispute over the definition of “…for the purposes of that individual’s personal, family or household affairs (including recreational purposes)” would have to be determined by a court. But generally, in the absence of any dispute, normal e-Mail communications between family, friends and acquaintances would not be subject to the DPA and there would be nothing to prevent a sender including the e-Mail details of all the people to whom the message was sent. As has been said, it’s not particularly wise practice in some circumstances, but it’s not illegal.
“I was asking as a club secretary who regularly E-Mails to members.
Does that make it clearer?”
Yes it does and my earlier answers are not appropriate.
First of all, you may be required to register with the Information Commissioner’s Office. It is unlikely, especially if you are a small “Not for Profit” organisation. There is an assessment questionnaire here which makes the decision for you:
https://ico.org.uk/for-organisations/register/self-assessment/
However, processing or holding data as secretary of a club obviously moves away from “…the purposes of that individual’s personal, family or household affairs (including recreational purposes)”. So even if you do not have to register you must still comply with the Data Protection Principles since you hold “sensitive personal data” of living individuals. E-mail addresses are included in this (since, by themselves or together with other data, they can be used to identify living individuals). You must keep this data safe and obviously distributing it in the form of an e-Mail distribution list does not keep it safe. So I believe the “Bcc” option mentioned by others should be employed.
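As an added example (not from this thread), here is how a club secretary's mailing can be assembled so that the member list travels only in the SMTP envelope: members go in Bcc, which the sending library strips before transmission, so no recipient sees the others' addresses. The club and member addresses are constructed placeholders.

```python
import copy
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed placeholder member list; not real people.
MEMBERS = ["alice@example.org", "bob@example.org", "carol@example.org"]


def build_club_mail(sender, members, subject, body, field="Bcc"):
    """Assemble a mailing. Members go in `field`: "Bcc" keeps the list
    private; "Cc" (the pattern the thread warns about) exposes it to all."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender            # the only visible recipient is the club itself
    msg[field] = ", ".join(members)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def envelope_recipients(msg):
    """Addresses the mail server will actually deliver to (To + Cc + Bcc)."""
    fields = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])
    return [addr for _, addr in getaddresses(fields)]


def wire_copy(msg):
    """Bytes that reach the recipients. Mirrors what smtplib.send_message does:
    copy the message and drop the Bcc header before the DATA command."""
    stripped = copy.copy(msg)
    del stripped["Bcc"]
    return stripped.as_bytes()


def leaked_addresses(msg, members):
    """Member addresses still readable anywhere in the transmitted message."""
    text = wire_copy(msg).decode()
    return [m for m in members if m in text]


if __name__ == "__main__":
    private = build_club_mail("secretary@club.example", MEMBERS, "AGM", "Tuesday 7pm.")
    exposed = build_club_mail("secretary@club.example", MEMBERS, "AGM", "Tuesday 7pm.", field="Cc")
    print("envelope:", envelope_recipients(private))
    print("leaked via Bcc:", leaked_addresses(private, MEMBERS))   # []
    print("leaked via Cc: ", leaked_addresses(exposed, MEMBERS))   # all three members
```

The envelope list is identical in both cases, so delivery is unchanged; only what each recipient can read differs.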