Please find below some frequently asked questions and answers from Tom Penlington, MVDC’s Data Protection Officer (DPO). If you have any specific questions about any aspect of UK GDPR, please email dpo@molevalley.gov.uk.
Q: How best do we send sensitive personal data by email (both externally and internally)?
A: It is best to share sensitive personal data using Office 365s Onedrive. Using an email increases the risk of data being sent to the wrong person. This could take the form of recipients not being blind copied (Bcc) where appropriate, or the content of the email being compromised during the exchange process. Onedrive allows you to choose who the sensitive data is shared with, without it ‘leaving’ our servers. Even if the person you are sending does not have Office 365, it does not matter as they will receive a link which they can click on to open.
Q: Are there any data protection/UK GDPR sensitivities around working from home e.g. when family members are in the same room?
A: From a UK GDPR perspective, sensible measures would include:
- when working on laptops etc, ensuring the screen is pointed away from a family members and others, e.g. not facing an outside window if this faces a public space.
- if discussing personal information on the phone, ensuring third parties are not in the same room.
- For further guidance on home working see Tom’s tips on UK GDPR, put together following the Coronavirus pandemic.
Q: In light of UK GDPR, is there corporate policy around the deletion /retention of staff emails that may contain personal data?
A: It is a combination of relevant principles in the Data Protection Policy. The key ones are:
- checking there is a lawful condition allowing the processing
- not keeping inaccurate or out of date records
- and not having excessive information
There is no need to go into each email and divide them into personal and non-personal information. Where we have personal-only emails, staff may want to consider if these are in themselves excessive in respect of the (business) purpose for which they were collected.
Where there are business emails with some personal information in them you need to consider if more than one retention period applies to the information. If these conflict you should use your discretion to apply the most appropriate retention period. Please keep a note of your reasoning if the information is very sensitive.
It is important to refrain from writing personal opinions (unless necessary in connection with our core business) from your MVDC .gov address (data minimisation).
If you become aware of anything that contravenes the data protection principles or are unsure of what the most appropriate course of action is, then it’s probably worth discussing this with the relevant Information Asset Owner (relevant BMT lead) or the Data Protection Officer.