
[Closed] Data protection and legalities of delegating email access

16 Posts
13 Users
0 Reactions
375 Views
Posts: 91000
Free Member
Topic starter
 

Struggling to find the right info online.  I know it's not actually data protection but it's that sort of area.

If an individual at an organisation wishes to delegate email access to an assistant, and he does this via the tool (Outlook in this case), is there anything of which to be aware with regard to legality? I'm not sure there is - if someone external emails the individual at the organisation, there's no reason it has to be private to that individual, is there? It's the organisation's business and therefore the delegated assistant can access it, given permission?


 
Posted : 28/03/2018 12:45 pm
Posts: 17
Free Member
 

It's fairly routine to delegate access to email at certain levels, going by the principle that the company can read any of your emails as it's their property. Can't see what the issue would be.


 
Posted : 28/03/2018 12:48 pm
Posts: 860
Free Member
 

I wouldn't have issue with that (as a data protection lawyer) as long as the assistant was told not to read anything obviously private relating to a third party and to use their common sense.  Document that you've given the assistant appropriate guidance.


 
Posted : 28/03/2018 1:31 pm
Posts: 3723
Free Member
 

I wouldn’t have issue with that (as a data protection lawyer)

How are we supposed to debate a topic if the second reply is a clear, concise answer from a qualified source?

No wonder the bloody forum is dying


 
Posted : 28/03/2018 1:36 pm
Posts: 4607
Free Member
 

I trust Mrs Molgrips, Mr Molgrips. 😉


 
Posted : 28/03/2018 1:40 pm
Posts: 15068
Full Member
 

A more logical way of doing it would be for all staff to have their own email, but then have a shared mailbox accessible by department, so you'd have me@myco.co.uk and then a team box like marketing@myco.co.uk which is accessible to all marketing personnel.


 
Posted : 28/03/2018 1:49 pm
 Nico
Posts: 4
Free Member
 

How are we supposed to debate a topic if the second reply is a clear, concise answer from a qualified source?

No wonder the bloody forum is dying

Why would you take the word of a qualified person? Surely you/I/anybody knows better? It's the internet ffs. Or simply just read the first post and weigh in at the end.


 
Posted : 28/03/2018 2:52 pm
Posts: 17779
Full Member
 

I would think it depends on the organisation. Certainly in mine delegate access is disabled by group policy and a specific request has to be made to grant another person delegate access to your own email.


 
Posted : 28/03/2018 6:26 pm
Posts: 0
Full Member
 

I would think it depends on the organisation.

Definitely. I work in insurance so people send in all kinds of time-critical information, so we have to have delegate access otherwise stuff would get missed when we're out of office etc.

Further, insurance is highly regulated and I've never had anyone suggest DPA is an issue when it comes to delegated access.


 
Posted : 28/03/2018 7:06 pm
Posts: 91000
Free Member
Topic starter
 

Thanks for this.

In this case there is no specific policy, so I wanted to make sure (as far as possible) that this doesn't break any blanket rules.  I cannot think where it would.

A more logical way of doing it would be for all staff to have their own email, but then have a shared mailbox accessible by department, so you’d have me@myco.co.uk and then a team box like marketing@myco.co.uk which is accessible to all marketing personnel.

Yeah this is what most companies I've worked for do.


 
Posted : 28/03/2018 10:23 pm
Posts: 17
Free Member
 

2 different situations though: one is normally manager and PA, the other is team work. Which is it?


 
Posted : 28/03/2018 10:28 pm
Posts: 0
Free Member
 

If an external customer usually deals with a specific person and that person is away so email is delegated, under GDPR the company simply has to inform the customer that it has been delegated and will be dealt with by someone else (just had exactly this from my accountant). So long as you tell them what is happening, before you actually address the email contents, then you should be covered.


 
Posted : 29/03/2018 9:47 am
Posts: 460
Full Member
 

So given email is basically a postcard and can be read anywhere between A and B (unless it's encrypted, but even then not all gateways use TLS and once it's gone beyond your trusted MTA...), why would anyone care? Genuine question.


 
Posted : 29/03/2018 11:37 am
Posts: 0
Full Member
 

under GDPR the company simply has to inform the customer that it has been delegated

Not strictly true, depending on the lawful basis under which the data is being processed...


 
Posted : 29/03/2018 6:38 pm
Posts: 1725
Free Member
 

Or you could just set up rules in Outlook to forward mails or not forward mails matching certain criteria to the assistant.


 
Posted : 29/03/2018 7:00 pm
Posts: 890
Full Member
 

Just remember that GDPR only refers to personal data. If there is no personal data in the email then there should be no issue. I'm sure that someone will jump up and point out that an email address is personal data under GDPR, but if that is going to be a problem then we cannot use email. In any case the company's privacy statement should cover all of this. Any email sent to a company for processing may be addressed to a specific individual but can be processed by a different person.


 
Posted : 29/03/2018 7:05 pm
Posts: 0
Free Member
 

A long privacy statement to read and tick a box to accept isn't going to be enough though. Has to be simple and clear on an opt in basis, which could mean ticking a lot of boxes.

If you contact the company, an individual replies and you reply to them, it's the company you are dealing with. To be clear there should be an initial response or signature in email replies which makes it clear how their data is being processed and stored. As said, it's personal data only, but everything is opt in. Not sure how that works if you send personal information in an email unsolicited and the company is then storing the email without having asked permission to store it.

There's also what happens if you contact Fred personally who's a friend you know, but his boss can read his emails. Do you have to be told this is possible? Fred however doesn't need to be told his boss is reading his emails, so long as it's in the company policy saying his emails are company property.


 
Posted : 29/03/2018 9:01 pm
