Could saving emails cost you?
Under the Data Protection Act 1998, the fifth principle of retention stated that ‘personal data kept for any purpose(s) shall not be kept for longer than is necessary’. When the GDPR came into force in May 2018, one of its seven key principles, that of ‘storage limitation’, made clear that organisations must not hold on to any personal or identifying information for any longer than is required.
The difficulty is that there is no statutory retention period for emails; how long an email needs to be held depends on its contents. It is therefore up to the individual school or academy trust to decide on a suitable retention period to work to and to document it accordingly.
With the increase in individuals exercising their ‘Right of Access’ to their personal data, the difficulties organisations face where emails are concerned have become more apparent than ever. In an ideal world, we would all regularly check old emails and delete those no longer needed, but time pressures mean that this sort of housekeeping slips to the bottom of the priority list. So the likelihood of storing personal information on pupils and employees which we shouldn’t is extremely high, and this can cause a significant amount of work. One school business manager we work with had to dedicate 16 hours to simply checking and reporting the content of emails when a Subject Access Request was received, and more time was spent by other members of the team searching their own email inboxes to forward any emails containing information relating to the case.
The habit of holding onto things ‘just in case’ is one of the hardest habits to break, and clearing out can be daunting, but once it becomes routine practice, it’s a much more manageable task. In light of this, many schools and organisations are opting to implement an automatic retention system that deletes all emails passing a set threshold date. This is great for meeting the principle of storage limitation, but it could lead to emails that are still needed being deleted if they are not suitably stored.
When emails need to be retained for longer than such a system allows, a consistent process needs to be in place across the organisation. For example, if you have sent an email to Payroll regarding a special payment and need to keep a copy for an audit trail, either print a copy of the email sent to file away or save it centrally on your network. This should be the version you actually sent and not a draft (so it has the time and date stamp), as you may need this for audit purposes.
Housekeeping will still need to be conducted on any emails that you have saved or printed so they can be destroyed once they are no longer required, but the amount you would need to go through would be significantly reduced. We recommend having a specific file in place for emails containing personal information, so you can find and delete them quickly when appropriate.
If you do not have automatic retention in place, the same considerations should be made. Encourage all individuals to follow the process and to conduct regular housekeeping on their emails to ensure they are only retaining information they really do need.
Remember, if you're struggling to ensure your school or academy is data protection compliant, we are here to help.