At SDU, we take good care of the information we process as part of our work, and you are therefore encouraged to follow the ‘clean desk’ principles. Unauthorised persons must not gain access to information that requires protection, so be sure to clean up (both physically and electronically), lock your computer when you leave it and do not leave valuables (phone, iPad, papers, etc.) in your office where unauthorised persons can easily steal them. In addition, only process personal information for as long as it is necessary for your work, cf. the principle of storage limitation.
Below you will find more information on how to specifically clean up your email. If you are in doubt as to how to process information in Outlook, you can always contact your local GDPR and information security coordinator.
Here you will find a number of relevant guidelines (all in Danish): Daglig mailhåndtering (Daily email management) and Tildel politik (Assign Policy).
Processing of personal information in Outlook
As a general rule, you can process/store emails with both general and sensitive personal information in Outlook. However, be aware of special deletion deadlines for emails with sensitive information (see ‘How long can I keep information in Outlook?’). Also be aware of emails that otherwise require protection (e.g. trade secrets, confidential information in connection with case processing, etc.). As a general rule, they must be deleted or moved to another approved system (Acadre, OneDrive or SharePoint) as soon as possible after the case has been processed.
Generally, email correspondence with colleagues about the day’s lunch, joint work on a note without confidential information and the like can be stored in Outlook. However, it is recommended that you follow the ‘clean desk’ principles.
As a general rule, you may store emails with both general, confidential and sensitive personal information in Outlook as long as you have a valid purpose for storing them (e.g. when processing an application). However, sensitive and confidential information must be deleted or moved to e.g. Acadre (in case of a record-keeping obligation) within a maximum of 30 days.
Keep in mind that simply moving emails from Outlook to another approved system (such as Acadre, OneDrive or SharePoint) just to avoid having them in Outlook is not enough. If you no longer have a purpose for processing these emails, they must be deleted or registered.
It can be difficult to completely get to grips with the clean-up in Outlook, but below you will find some tips and tricks on how to tackle it.
1) Monthly/weekly/semi-annual deletion hour/deletion day: Simply reserve time in your calendar for cleaning up your documents and Outlook. If you frequently process sensitive personal information, these deletion hours/days may have to occur more frequently (because sensitive personal information may only be stored in Outlook for a maximum of 30 days). If, on the other hand, you only process general personal information in your email, the frequency can be lower.
2) The search function in Outlook: You can use the search function in Outlook to search for emails to be deleted. You can, for example, search for the following words: ill, fever, leave of absence, maternity/paternity leave, civil registration number, etc.
3) Assign policy: The moment an email arrives and you become aware that it contains sensitive or confidential personal information, you can press ‘Delete after 30 days’ under ‘Retention policy’ in the email itself. Then the email will be automatically deleted after 30 days and you do not have to worry about having to clean up at a later time. However, be aware of any obligation to keep records.