E-mail systems are a vital communications tool in today’s business environment. They are a ubiquitous repository of our daily interactions with stakeholders and others – sending, receiving and storing information.
A single email account may contain a cornucopia of organisational information, personal data and other confidential information related to staff, pupils and other stakeholders. From names and email addresses to general and confidential attachments and conversations about people (yes, your opinion or an assertion about another person is their personal data), our emails contain valuable fodder for ‘Phishers’ and Hackers, as well as information potentially disclosable under a Subject Access Request or other data subject rights request.
Faced with the challenges of safeguarding against information leakage, unauthorised and unlawful access, and managing other data protection obligations in email systems, what should an organisation do?
Organisations should be aware that emails present an extremely vulnerable source of information and personal data. There are also implications for retention schedules if the data within is not properly managed. Adopting email housekeeping practices will ensure that key data protection principles are met: data is recorded and stored appropriately and securely while being easily retrievable when required.
Emails should be assessed by content to determine whether the information within should be subject to information and record management processes. For example, if the information:
- relates to a pupil
- relates to a staff member or other stakeholder
- forms part of the educational record
- forms part of a contract
- contains business-critical information
it should be recorded in and/or saved to the appropriate Management Information, Safeguarding or Behaviour Management system.
If the text of an email adds to the context or value of an attachment, the whole document can be saved in .msg format before transferring it to the relevant electronic record. Where a hard copy record is maintained, the email and its attachment/s should be printed and placed in the record.
Occasionally, important information may be contained within emails and attachments which do not have a natural home within the organisation’s established records. In these instances, they should be saved in a central shared drive for ease of content and retention management. A central shared drive also ensures the organisation has access to the emails of previous staff members.
Once the information is transferred from the email to the relevant recording system, the original email can be securely deleted.
The Benefits of Email Housekeeping
Data Protection legislation requires appropriate technical and organisational measures to be in place to protect personal data from, amongst other things, unauthorised or unlawful access. Storing personal data on a system that is widely accepted as one of the weakest links in the data security chain is an unnecessary risk in and of itself. That risk rises significantly when coupled with the human factor and busy working environments. Removing personal data and other business-critical information from emails significantly mitigates the organisation’s liability in the event of an email data breach and makes Subject Access Requests substantially more manageable.
Personal Data should be kept for no longer than necessary for the purpose for which the data was processed. To this end, all organisations should have a data retention policy governing the retention of personal and business-critical information. Adhering to a retention schedule is easier and more effective when all the relevant information is located in the appropriate record.
The Final Word
Encouraging staff to transfer information from emails to the appropriate recording systems significantly mitigates the organisation’s liability in the event of an email data breach; reduces the amount of information potentially disclosable in Subject Access Requests; ensures data retention schedules are effectively managed; and reduces the amount of electronic storage required.
If you would like to know more about The Schools People: DPO Service and what we can offer your organisation, please get in touch.