Email user
The misuse rule goes
Email used to be exempt from the rules on personal data processing (the so-called ‘misuse rule’). That exemption has ended. No such exemption exists in the General Data Protection Regulation (GDPR), so a lawful basis must be identified for the processing of personal data in email, just as for all other personal data processing at the University. Any email that contains personal data is an instance of personal data processing. You can of course continue to use email and keep an inbox for this purpose; you just have to think about how you use email.
Email policy and data protection policy
Uppsala University has drawn up guidelines for email (to be published shortly) and a data protection policy.
Personal data
‘Personal data’ means any information that can directly or indirectly identify a person, such as a name, a personal identity number or an email address. This means that almost all information about people can be personal data, at least when several pieces of data are processed together. Personal data also include ‘sensitive personal data’ such as genetic data or health data. See further below.
Put simply, everything you do with personal data, whether collection, adaptation or anything else, is processing. For email, this means that every email received is a personal data processing operation, since it contains online identifiers such as the sender’s email address. In addition, the contents of an email can be personal data, for example if they contain a name together with other information about that person.
Sensitive personal data
‘Sensitive personal data’ are data about:
- racial or ethnic origin
- political opinions
- religious or philosophical beliefs
- trade union membership
- health
- a person’s sex life or sexual orientation
- genetic data
- biometric data that uniquely identify a person.
As a rule, sensitive personal data may not be processed, but the GDPR allows a number of exceptions. One such exception is consent. Consent is subject to certain conditions – read more here. This does not mean that you have to obtain consent every time someone sends you an email containing sensitive personal data: if the email user volunteers their own personal data, they have consented to its processing. Having said that, Uppsala University recommends against using email to communicate sensitive personal data. Do this only when absolutely essential, and remember that a telephone call can be a very good alternative to an email.
[Example image: green rings mark personal data and red rings mark sensitive personal data relating to health.] Some of these items would not be personal data on their own, but because they occur in a context that makes it possible to derive information about two people, they become personal data.
It is important to remember that email should be used only as a carrier of information, not for storing it. If, for example, the information in an email is needed in an official matter you are dealing with, it may belong in the official register instead.
Bear in mind: you may keep emails as long as you have a lawful basis and a purpose for doing so and the email is still needed. This means that you must clear out your inbox regularly and must not keep ‘good-to-have’ messages that are no longer needed and have no purpose or lawful basis. If you replied to someone’s email and helped them with a matter several years ago, that message should not still be in your inbox.
General principles
Having a lawful basis and a purpose does not mean you are allowed to keep emails indefinitely. You must also comply with the fundamental principles of the GDPR, such as data minimisation. You can read more about these principles here.
In brief, the fundamental principles are:
- the principle of lawfulness, fairness and transparency,
- the principle of purpose limitation,
- the principle of data minimisation,
- the principle of accuracy,
- the principle of storage limitation, and
- the principle of integrity and confidentiality.
Lawful bases
Several lawful bases apart from consent can justify the personal data processing that email represents. The lawful bases are:
- Consent
- Contract
- Legal obligation
- Protection of vital interests
- Necessary for the performance of a task carried out in the public interest or in the exercise of official authority
- Balance of interests (legitimate interest). This basis, however, may not be used by public authorities in the performance of their tasks.
To learn more about the lawful bases and which of them may be appropriate, read more here.
The main bases justifying the University’s use of email are public interest (education, research), exercise of official authority, legal obligation and consent.
Rights of data subjects
Data subjects have a right to know that we process their personal data. More information is available about the rights that data subjects can exercise in relation to the University.