Distribution of Email and the Data Protection Act


In this day and age, it is trite to say that businesses and other organisations receive email. However, what are the legal implications of forwarding emails received by an organisation to personal email addresses?

As a case in point, elected members of local authorities often like to have e-mails relating to their business as members of Councils forwarded, either manually or automatically, to an external e-mail address. Where e-mail communications are forwarded to members of a local authority, a number of legal issues arise out of the operation of the Data Protection Act 1998. These include the legal consequences of automatically and manually forwarding e-mail communications.

E-mail Communications & Data Protection Act

It may well be that both ordinary personal data and sensitive personal data are passed by way of e-mail during the course of the authority’s daily business. Should it be decided to forward e-mail correspondence automatically from the authority’s infrastructure to the e-mail address of a member, two main implications follow, both of which relate to personal data:

  1. There is a duty imposed on the authority as the data controller.
  2. There is a duty imposed upon the individual member for personal data either (a) as the data controller or (b) as the data processor, or both.

Consideration must also be given to the security arrangements that should be in place to protect the personal data in accordance with the Seventh Data Protection Principle.

Personal data

The provisions of the Data Protection Act only apply to personal data, which is defined in section 1(1) as:

“personal data” means data which relate to a living individual who can be identified –
from those data, or
from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller
and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual;

Personal data includes data relating to members of the public and employees of the authority. To this extent, the provisions of The Employment Practices Data Protection Code Part 2: Employment Records (November 2011) also apply to local authorities. Should elected members be in receipt of personal data about employees, the data must be controlled in accordance with the guidance set out in this Code.

Use of Personal Data

The Act requires a data controller to determine how data is used. A data controller is defined in section 1(1):

“data controller” means, subject to subsection (4), a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed;

It is for the data controller (in this case, the authority) to decide (1) the purpose, and (2) the way in which personal data is processed. If e-mail correspondence is to be sent to external mailboxes, the authority is determining the way in which personal data is processed, and therefore it remains responsible for any personal data included in any e-mails forwarded in such a way.

Processing of Personal Data

The Data Protection Act also covers the processing of data, which is defined in section 1(1):

“processing”, in relation to information or data, means obtaining, recording or holding the information or data or carrying out any operation or set of operations on the information or data, including –

  1. organisation, adaptation or alteration of the information or data
  2. retrieval, consultation or use of the information or data
  3. disclosure of the information or data by transmission, dissemination or otherwise making available or
  4. alignment, combination, blocking, erasure or destruction of the information or data.

This definition is very wide. It includes storage and transmission of data, the opening of a file from within a computer, or the receipt and opening of an e-mail containing personal data. It also includes the storage of the data on a computer hard drive or any portable memory device. As a result, all personal data, whether on a laptop computer, mobile telephone or any other mobile device, are subject to the provisions of the Data Protection Act. The authority is also responsible for the data, on whatever platform it is held.

Personal Data forwarded by an Authority

The definition of processing means that if personal data is sent to or stored on a device other than in the control of the authority, the following obligations must be complied with:

  1. The data subject must be informed of that fact.
  2. The authority must ensure that the Information Commissioner is notified.
  3. The authority must ensure that the recipient of the data has appropriate security measures in place to protect the data.

Sensitive Personal Data

The definition of sensitive personal data is set out in section 2, and means personal data consisting of information as to –

  1. the racial or ethnic origin of the data subject,
  2. his political opinions,
  3. his religious beliefs or other beliefs of a similar nature,
  4. whether he is a member of a trade union,
  5. his physical or mental health or condition,
  6. his sexual life,
  7. the commission or alleged commission by him of any offence, or
  8. any proceedings for any offence committed or alleged to have been committed by him, the disposal of such proceedings or the sentence of any court in such proceedings.

The conditions for the processing of this type of personal data are set out in Schedule 3 of the Data Protection Act. Should e-mail correspondence containing sensitive personal information be forwarded automatically to elected members, each member will be required to deal with such data in accordance with the provisions of the Data Protection Act.

Data Protection Principles

There are 7 principles set out in the Data Protection Act which govern processing of personal data. The processing of personal data will only be regarded as fair where all of these principles have been complied with. For the purposes of compliance with the First Principle, at least one of the conditions in Schedule 2 of the Act must be met. Those conditions relevant to local authorities include:

  1. The data subject has given consent to the processing.
  2. The processing is necessary for compliance with any legal obligation to which the data controller is subject, other than one imposed by contract.
  3. The processing is necessary in order to protect the vital interests of the data subject.
  4. The processing is necessary for the exercise of any other functions of a public nature exercised in the public interest by any person.

Care should also be given to the provisions of the Seventh Principle, which are relatively important, but are often neglected:

Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

The interpretation provisions relating to this Principle indicate that a level of security must be implemented, taking into account the state of technological development and the cost of implementing measures. The level of security, in accordance with Schedule 1, Part II, paragraph 9, is to be appropriate to:

the harm that might result from such unauthorised or unlawful processing or accidental loss, destruction or damage as are mentioned in the seventh principle, and the nature of the data to be processed.

In Closing

All local authorities process personal data and sensitive personal data in the course of business. Such data will include data relating to members of the public and employees. By the nature of the relationship between an elected member and the authority, it is usual for such data to be disseminated by the authority to members in the normal course of events. The processing of personal data and sensitive personal data is covered by the provisions of the Act, and authorities are required to undertake their legal duties by processing data in accordance with the principles laid down in the Act.





Drukker Solicitors
30 Fleet Street, London ECY4 1AA
020 7353 1770