
my employer wants to use e-mails recovered from the server

Customer Question

My employer wants to use e-mails recovered from the server as evidence against me in a disciplinary hearing. I deleted them, then deleted them from my deleted items, as they were private messages between me and a colleague (she is NOT complaining about them).
When the investigator recovered them she used a Management Information request form that states 30 days only for deleted items (mine are well over that). When I queried this they said that their form refers to an expectation and is not a policy.
Can they use them?
Submitted: 5 years ago.
Category: Law
Expert:  Ben Jones replied 5 years ago.
Hello, my name is Ben and it is my pleasure to be able to assist with your question today. Please let me know

What does the disciplinary hearing relate to?
Customer: replied 5 years ago.
Multiple things, but for this, sexual type emails between me and a girl I was in a relationship with
Expert:  Ben Jones replied 5 years ago.
Is there actually a formal policy about this in your workplace?
Customer: replied 5 years ago.

Policy says they can be retrieved and used but doesn't talk about timescales. The application form does, however. It says deleted e-mails 30 days max, but when I ask they say it's not a policy, just "a guide", so in effect the policy around their use is sketchy, I think.

Expert:  Ben Jones replied 5 years ago.
Yes I agree. In terms of the applicable law, this will be governed by the Data Protection Act (DPA) as it would amount to personal data which is held by the employer, who would be considered the data controller in this case.

As a data controller, they will have to adhere to certain principles set out in the DPA. One of those principles states that "Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes." In basic English that means that once they have obtained the personal data (i.e. it is held on their servers), they should not keep it for any longer than is reasonably necessary in the circumstances.

The issue here is that the law does not give any specific retention timescales and the time limits that are considered fair will vary from one case to the next. For example, it is generally accepted that CCTV images will only be kept for around 30 days, although there is no time limit discussed in relation to emails.

That is when any relevant policies will be taken into consideration too. For example, is there a retention limit specified in a workplace policy? In your case there is but it is not entirely clear how long the retention period is as the only reference is in a form so whilst that will help, it is not a definitive answer.

As you can see it is a bit of a grey area and I would suggest you use the DPA argument as explained above, stressing that the data has been retained for longer than necessary and that its use now would go beyond what would be considered reasonable.

Please take a second to leave a positive rating as that is a very important part of our process. Your question will not close and I can continue providing further advice if necessary. Thank you
Customer: replied 5 years ago.

There is no retention limit specified at all.

I have looked at the information assurance procedures too and it covers how they deal with the evidence, but they won't discuss it with me or disclose it to me.

Expert:  Ben Jones replied 5 years ago.
If there is no retention period then it comes down to what is considered reasonable in the circumstances. However, as mentioned, there is nothing in law that specifies time limits and to be honest only a court can make a decision on that. So for the time being you would need to raise the argument that under the DPA they can only retain the data for a reasonable time and in this case the length is unreasonable.
Customer: replied 5 years ago.

For Ben Jones only

If they don't set a time limit then how can they ever say they retain for a 'reasonable time'? They clearly haven't considered or defined what is "reasonable" and therefore surely it's unreasonable?

Who would police this nationally? Information Commissioner

Expert:  Ben Jones replied 5 years ago.
Yes the Information Commissioner would be responsible for this but they would not get involved in individual cases where you don't agree with the employer's policy. Also they cannot force the employer to act as you see fit, they are there to regulate which means that they can for example fine the employer if they feel necessary but they cannot force them to delete the data or not use it in the disciplinary.