Although much information is personal information (or personally identifiable), some information is not personal information. That you arrange lunch with a colleague via email, information that the address of an event has changed or statistical information are examples of information that is not personal.
It is not personal information either – and therefore not subject to the data protection rules – if the information is ‘fully anonymised’. This means that in the case of data where the name and address have been replaced by a code, it is still personal information if the code can be traced back to the original personal information. Information that is encrypted also still counts as personal information as long as there is someone who can make the information readable and identify the persons in question. These types of partial anonymisation are called ‘pseudonymisation’, and they are still subject to the rules.
As a general rule, you as an employee have three options after having completed the case processing/when you no longer need to use personal information:
- Anonymise the personal information
- Delete personal information if there is no longer a legitimate purpose and there is no record-keeping obligation
- Archive personal information in ESDH (Acadre) or the Danish National Archives. This option can only be used if there is a record-keeping obligation. We must not use Acadre as a ‘rubbish bin’ where we put things when we do not otherwise know what to do with them.