How Long Can I Keep Former Employees’ Emails?
The Outsourced DPO read an interesting article on Lexology about how to handle the email accounts of former employees. The case in question was in Belgium and related to the former owners of a family firm being ousted by the company. The ousted, former employees complained to the Belgian supervisory authority (BDPA) that the company continued to use their email addresses despite them no longer working for the company – in fact having left the company more than 2 years previously.
The Lexology article linked to the decision notice in French which was swiftly translated thanks (again) to the most excellent online translation engine https://www.onlinedoctranslator.com/. Within a matter of seconds, the 20-page decision notice was available in English. If you are not aware of this service you should check it out as it is fabulous!
Without going into the ins and outs of the case, the BDPA decided that:
- Organisations should have a policy and procedure to set out their approach in such situations which should be made available to data subjects (employees in this case).
- Before a person leaves an organisation they should have the opportunity to sort private and professional emails and either collect or delete the private ones, much as in the same way that they are entitled to collect personal effects.
- Email accounts should be blocked at the latest as soon as an employee exits and the employee should be notified in advance of this – potentially through an IT policy.
- An auto-response should be activated prior to the account being blocked to alert people sending emails to the exiting employee that they no longer work for the organisation and should operate for a limited period of time: ideally no longer than 3 months.
- At the end of the period in which the auto-response operates the mailbox should be deleted.
The decision notice considered a valid legitimate interest in maintaining the mailbox during the auto-response period but determined that there was no legal ground to continue processing after that period of time.
The BDPA levied a fine of €15,000 on the company: likely a significant amount for an operation of 13 people.
Whilst the decision does not apply to UK data controllers, it is interesting non-the-less to consider the BDPA’s arguments. The DPP SAR Bureau handled several humungous subject access requests last year which involved reviewing literally hundreds of thousands of pages of emails and email attachments surfaced during a SAR information search. There would have been a very different outcome had an approach such as that above been applied.
So what should we make of this? Firstly do the BDPA’s suggestions seem unreasonable? Why do we retain the mailboxes and email accounts of former employees and how often do we actually review the information contained within them? Comfort blanket and never are the most likely answers. Certainly, as time progresses, the usefulness of any information in those mailboxes diminishes.
What do we make of allowing employees to review their email accounts and split emails into “personal” and “professional”? In practical terms, how long will that take? Will employees want to spend their time doing this? Will they be supervised? Are all emails likely to fit this distinction? Is it feasible to automatically or semi-automatically categorise emails into these categories in running to allow for the erasure of personal emails on departure? Does it really matter if mailboxes are deleted anyway after 3 months?
As ever, the decision of the supervisory authorities shapes the application of the law and the thinking around it. The decision notice is certainly worth a read and the basis of it used to challenge existing processes.
We will be discussing this and more in our next Lunchtime Takeaway Session where our Data Protection experts will take a look at the year ahead and tell you what you need to prioritise in 2021.
Location: Microsoft Teams
Contact Myles Dacres for a link to join: [email protected]