
Using email and personal data

We must take care when using email to share personal data, as email is one of the biggest causes of data protection breaches. See "Email - a guide to risk and compliance issues" for tips on how to minimise the risks, and the IT Services tips on how to use email safely.

Once you put something in an email you lose control over what the recipient does with the data, so you should send the minimum necessary data and consider carefully whether or not email is the appropriate way to communicate personal data.

Holding personal data longer than necessary is a breach of GDPR. In addition, the requirement for individual staff to search their email account at short notice (whenever we receive a data protection subject access request) places a significant burden on staff and the University. Reviewing your inbox on an ongoing basis will save time and effort later. Under GDPR the University can only retain personal data in line with the Records Retention Schedule (RRS). The RRS sets out the maximum period for which different categories of information can be retained, based on the requirements of the University, and applies to all records. It must be published so that individuals can see how long their personal information is kept.

Steps to help manage your inbox

  • If the information contained in the email (or attached to it) constitutes important University information, it needs to be saved in an appropriate place - usually a shared drive or a SharePoint site where the relevant access and permission controls are being actively managed. Emails should be saved as .msg files or printed to PDF.

  • Move any emails that contain significant personal information (eg mitigating circumstances information or staff management content) into a separate email folder so that they’re easier to find and delete when no longer needed. There’s additional guidance available for managers handling staff records (see Retention of Staff Records – Guidance for Managers).

  • Avoid sending emails with attachments; instead, link to the documents in SharePoint or OneDrive.

  • Avoid unnecessary use of email – use the telephone or Microsoft Teams chat instead. Limit each email to one subject and make the subject heading briefly describe its content; limit recipients and cc's to those who actually need to know; assume that anything you write could be released under FOI, and be mindful that what you say about individuals (eg your opinions about them) is subject to data protection disclosure rules.

  • In terms of reasonable personal use of email by staff, refer to the Acceptable Use of IT Facilities and Services ‐ Procedure for Staff Standard Operating Procedure.

  • Delete information within emails (or in email attachments) that contains personal data once it is beyond the period defined in the Records Retention Schedule, as keeping it is unlawful. Advice on using the advanced search tool is provided below:

1. Use the Outlook advanced search facility by clicking on the ‘Search’ tab in Outlook. Click on ‘Search Tools’ and then ‘Advanced Find’.

2. Search for keywords that would indicate personal data (eg ‘CV’, ‘PDR’, ‘sick note’, ‘absence’, ‘disability’, ‘disciplinary’, or the names of known individuals); you can also focus searches just on attachments if need be.

3. Delete data in line with its specified retention period; the maximum retention period for most records is 6 years, but check the Records Retention Schedule first.