Request
Under the Freedom of Information Act 2000, I am writing to request information relating to the University’s application of its policy regarding access to information held in an individual’s account (including but not limited to Microsoft Teams, email accounts, and shared drives), as set out in section 5 of the “Monitoring Policy”.
Specifically, I request the following:
1. Statistics
A) The total number of occasions since 18 March 2018 – when the policy was created - where access to an individual’s account was sought under sections 5.1 (with consent) and 5.2–5.3 (without consent).
B) A breakdown of these occasions by:
i) year
ii) type of individual: student, staff member, academic staff member, non-academic staff member, or other user
iii) whether with consent or not
iv) whether the access was granted or not.
2. Authorisations
A) Copies (with personal data redacted as appropriate) of written authorisations granted by the Data Protection Officer (or delegated authority) for access to an individual’s account without consent.
B) For each authorisation, the purpose stated, scope of monitoring/information access, and duration granted.
3. Procedures & Records
A) Copies of any internal guidance, procedures, or forms used by the Data Protection Officer (or delegates) when granting authorisation for access under section 5.3.
B) Any logs, registers, or records maintained of such access requests and authorisations (again, with personal data redacted as necessary).
4. Oversight & Review
A) Details of any audits, reviews, or oversight mechanisms in place to ensure compliance with the policy and data protection legislation when accessing user accounts.
If any part of this request is deemed exempt under FOIA, please provide the non-exempt portions and specify the exemption(s) relied upon for withholding information.
5. Policy prior to 18 March 2018
A) Details of any relevant policies in place on granting access to such user data from 1 January 2015 until 18 March 2018.
I would prefer the information in electronic form (PDF or Word).
Thank you for your assistance. I look forward to your response within the statutory 20 working days.
Formatted Response
RESPONSE
Information relating to the University’s application of its policy regarding access to information held in an individual’s account (including but not limited to Microsoft Teams, email accounts, and shared drives), as set out in section 5 of the “Monitoring Policy”.
- Statistics
Q1a) The total number of occasions since 18 March 2018 – when the policy was created - where access to an individual’s account was sought under sections 5.1 (with consent) and 5.2–5.3 (without consent).
A1a) From the records we hold, two occasions have been found. Please refer to the table below.
Q1b) A breakdown of these occasions by:
i) year
ii) type of individual: student, staff member, academic staff member, non-academic staff member, or other user
iii) whether with consent or not
iv) whether the access was granted or not.
A1b) Please refer to the table below.
| Incidents | 2023 | 2024 | 2025 |
|---|---|---|---|
| 1. | n/a | Staff member. With consent. Approval given (attached Monitoring email A) | 8 staff members. Without consent. Approval given (attached Monitoring email B) |
2. Authorisations
Q2a) Copies (with personal data redacted as appropriate) of written authorisations granted by the Data Protection Officer (or delegated authority) for access to an individual’s account without consent.
A2a) Please see attached monitoring emails A and B.
Q2b) For each authorisation, the purpose stated, scope of monitoring/information access, and duration granted.
A2b) Please see attached monitoring emails A and B. No further information has been found.
3. Procedures & Records
Q3a) Copies of any internal guidance, procedures, or forms used by the Data Protection Officer (or delegates) when granting authorisation for access under section 5.3.
A3a) No records found.
Q3b) Any logs, registers, or records maintained of such access requests and authorisations (again, with personal data redacted as necessary).
A3b) Other than retained emails, no records found.
4. Oversight & Review
Q4a) Details of any audits, reviews, or oversight mechanisms in place to ensure compliance with the policy and data protection legislation when accessing user accounts.
A4a) No records found.
5. Policy prior to 18 March 2018
Q5a) Details of any relevant policies in place on granting access to such user data from 1 January 2015 until 18 March 2018.
A5a) No previous version found.
If any part of this request is deemed exempt under FOIA, please provide the non-exempt portions and specify the exemption(s) relied upon for withholding information.
The only exemption applied is within the attached emails: Section 40(2) – Personal information, where we are redacting any information which may identify one or more individuals - to disclose would breach UK GDPR legislation and principles.
Detailed information on what organisations must consider when deciding to apply the Section 40(2) exemption can be found here .
Section 40(2) is an absolute exemption which does not require a public interest test.
Original Response
We refer to your FOI request dated 29 th September 2025. Please see below for our response.
Yours sincerely
The Information Assurance Team.
University of East London
4-6 University Way
London
E16 2RD
RESPONSE
Information relating to the University’s application of its policy regarding access to information held in an individual’s account (including but not limited to Microsoft Teams, email accounts, and shared drives), as set out in section 5 of the “Monitoring Policy”.
- Statistics
Q1a) The total number of occasions since 18 March 2018 – when the policy was created - where access to an individual’s account was sought under sections 5.1 (with consent) and 5.2–5.3 (without consent).
A1a) From the records we hold, two occasions have been found. Please refer to the table below.
Q1b) A breakdown of these occasions by:
i) year
ii) type of individual: student, staff member, academic staff member, non-academic staff member, or other user
iii) whether with consent or not
iv) whether the access was granted or not.
A1b) Please refer to the table below.
| Incidents | 2023 | 2024 | 2025 |
|---|---|---|---|
| 1. | n/a | Staff member. With consent. Approval given (attached Monitoring email A) | 8 staff members. Without consent. Approval given (attached Monitoring email B) |
2. Authorisations
Q2a) Copies (with personal data redacted as appropriate) of written authorisations granted by the Data Protection Officer (or delegated authority) for access to an individual’s account without consent.
A2a) Please see attached monitoring emails A and B.
Q2b) For each authorisation, the purpose stated, scope of monitoring/information access, and duration granted.
A2b) Please see attached monitoring emails A and B. No further information has been found.
3. Procedures & Records
Q3a) Copies of any internal guidance, procedures, or forms used by the Data Protection Officer (or delegates) when granting authorisation for access under section 5.3.
A3a) No records found.
Q3b) Any logs, registers, or records maintained of such access requests and authorisations (again, with personal data redacted as necessary).
A3b) Other than retained emails, no records found.
4. Oversight & Review
Q4a) Details of any audits, reviews, or oversight mechanisms in place to ensure compliance with the policy and data protection legislation when accessing user accounts.
A4a) No records found.
5. Policy prior to 18 March 2018
Q5a) Details of any relevant policies in place on granting access to such user data from 1 January 2015 until 18 March 2018.
A5a) No previous version found.
If any part of this request is deemed exempt under FOIA, please provide the non-exempt portions and specify the exemption(s) relied upon for withholding information.
The only exemption applied is within the attached emails: Section 40(2) – Personal information, where we are redacting any information which may identify one or more individuals - to disclose would breach UK GDPR legislation and principles.
Detailed information on what organisations must consider when deciding to apply the Section 40(2) exemption can be found here .
Section 40(2) is an absolute exemption which does not require a public interest test.
If you are dissatisfied with the way the University of East London has handled your request for information, you can request an internal review of this decision by contacting:
E-mail foi@uel.ac.uk
If the review does not address your concerns, you can exercise a right of appeal to the Information Commissioner at:
The Information Commissioner's Office.
Attachments
| Filename | Download |
|---|---|
| attachment-1-monitoring-email-a.pdf | Download/View |
| attachment-2-monitoring-email-b.pdf | Download/View |