GDPR: Clearing out old emails and files
14 Mar 2018
Keeping on top of the files and information you hold
The University has to prepare for the new General Data Protection Regulation (GDPR), which comes into force on 25 May 2018. As part of this we must be able to demonstrate that we are compliant and are only keeping the information we need.
To get ready we are reminding staff that everyone is responsible for the University files or documents they store, whether on their computer, in email, in shared areas or as a physical copy in their office, lab or even at home.
Later this year you will have to declare that you hold no person identifying information (PII)* other than that which has been stored and recorded in accordance with the Records Retention Schedule.
What do I need to do?
There are things that you can start doing now to get ready for the new law coming in:
1. Check your desks and cupboards for physical copies of information containing PII
Shred any non-work, duplicate or obsolete information, especially anything containing PII*. Unless there is a legitimate reason for keeping PII, for example where we have been given consent to use it for a particular purpose (such as lists of external email addresses used for marketing or events), we should not keep it.
You can find out how long different types of records should be kept from the Records Retention Schedule.
2. Check Outlook for emails containing information as described above
You should delete all emails which contain PII that is outside the retention period defined in the Records Retention Schedule, as retaining it beyond that period is unlawful. Going forward, it is advisable to move any emails which contain PII into a separate folder so that they are easier to find and review. If you find information that you do need to keep, move it to appropriate storage such as a shared drive or SharePoint rather than leaving it in your mailbox.
Remember that most HR information should not be retained locally (see Retention of Staff Records – Guidance for Managers). If there is something that genuinely needs to be kept privately, it should be moved to a shared folder and password-protected, or for the time being kept on a P drive and deleted as soon as it is no longer required.
3. Check the shared drive, your P and C drives
Delete files containing information as described above. NB: You should not be using your C drive under any circumstances. A local disk is lost along with the device if it is stolen, and unlike a network drive it is not automatically backed up.
*What is Person Identifying Information (PII)?
PII is any information relating to an identified or identifiable person. This could include a reference to their name, an identification number, location or address, or other factors relating to their identity.
For example this could be:
- a list of contact addresses, e.g. for marketing or events purposes;
- candidates' CVs or application information;
- electronic identifiers (such as IP addresses);
- special category information (including HR records concerning race, ethnicity, trade union membership and similar);
- correspondence with staff relating to HR matters.
The 'To/From' addresses and signatures in ordinary emails will generally not be treated as PII for the purposes of this exercise.
If you are not sure whether something is classed as PII, contact your Information Governance Guardian.
- What is GDPR?
- How long should different records be kept?
- Find your local Information Governance Guardian
- Email the central Information Governance office