Whilst individuals may request access to emails as part of a subject access request, Data Protection law only provides them with a right of access to their personal data contained within the emails and not necessarily access to the full email. As such, redactions will be made to emails, or extracts only will be provided, as specific information will not be their personal data and will be considered exempt information (such as third-party information). The Information Commissioner’s Office (ICO) has issued specific guidance on emails and partially or fully refusing requests.

From a processing perspective, the following guidance and considerations will be applied and followed:

When undertaking email searches

Requests from Patients

Patients may request access to emails that contain their personal data, including. In these cases:

  1. We will only conduct reasonable and proportionate searches, as permitted under the DUAA 2025, DPA 2018 and the UK GDPR.
  2. We will not search for correspondence between staff about their care as the content of these should be in the patients’ care records as per the Health Records Policy (IT06).
  3. For requests in relation to other correspondence (eg in relation to investigations, complaints, etc) we will only search using full name, NHS number, or hospital number.
  4. We cannot search using initials due to the high volume of results and the presence of medical and other abbreviations.
  5. We cannot search using date of birth due to the number of individuals sharing the same date.
  6. Only emails that directly identify the patient AND contain their personal data will be included in the response.
  7. We will not release emails that identify the patient, but are solely about Trust processes (eg emails between clinicians or administrative staff requesting action be taken such as booking an appointment).
  8. We will not release emails that identify the patient AND that they have sent to us, or when we have replied directly to them or they have been copied into the response, as these are already held by them.
  9. Emails that contain personal data about other individuals may be redacted or withheld if the disclosure breaches their data protection and privacy rights.

Requests from Staff

Staff may request access to emails that contain their personal data. When processing these requests:

  1. We will only conduct reasonable and proportionate searches, as permitted under the DUAA 2025, DPA 2018 and the UK GDPR.
  2. Searches will be conducted using full name, staff number, or National Insurance number (where applicable).
  3. We cannot search using initials due to the high volume of results and the presence of other abbreviations.
  4. We cannot search using date of birth due to the number of individuals sharing the same date.
  5. Only emails that directly identify the member of staff AND contain their personal data will be included in the response.
  6. We will not release emails that identify the member of staff, but are solely about Trust processes (eg rotas, annual leave requests, etc).
  7. We will not release emails that identify the member of staff AND that they have sent to us, or when we have replied directly to them or they have been copied into the response, as these are already held by them.
  8. Emails that contain personal data about other individuals may be redacted or withheld if the disclosure breaches their data protection and privacy rights.

Limitations on Searches

Due to system constraints and the need to ensure data protection for all individuals:

  1. Searches will not be conducted using partial identifiers (e.g. initials, dates of birth, etc.) or generic key words.
  2. We will not conduct blanket searches across all staff inboxes unless there is a clear and specific justification.
  3. We will not retrieve emails from archived or deleted folders unless there is a legal obligation to do so.

Exemptions – Manifestly Excessive or Unfounded Requests

Under the DUAA 2025, DPA 2018 and the UK GDPR:

  1. Requests may be refused or limited if they are deemed manifestly excessive, particularly if:

•    the volume of data requested is disproportionate to the purpose,

•    the request is repetitive or overlaps with previous requests, or

•    the effort required to retrieve the data would involve disproportionate cost or time.

In such cases, the requester will be informed of the decision and the rationale and may be offered the opportunity to narrow the scope of their request.

Providing Information

Whilst data subjects are entitled to their personal data, they are not automatically entitled to receive it in the actual document or format in which it was created. Their personal data can be extracted into another document and released, as long as there is sufficient information released to make the extracts meaningful. This approach would likely be used when extracting data from email trails or if an original document would be extensively redacted with only a small amount of personal data being released. In these circumstances, the Trust’s Data Extract Table template should be used.