- Latest NewsUp-to-date articles giving you information on best practice and policy changes.
- Model PoliciesA comprehensive set of templates for each statutory school policy and document.
- Year PlannersPlan priorities across each term, ensuring key tasks are completed.
- Skills AuditsEvaluate your skills and knowledge, identify gaps and determine training needs.
Strategies for introducing an email management process
Many DPOs face resistance when introducing a new email retention and destruction process. Julia Sandford-Cooke suggests strategies for overcoming colleagues’ reluctance to delete their emails
Go straight to
Email is such a quick and convenient way of communicating that we tend to forget it’s just that – a method of sharing information, not a data set or educational record.
As DPO, you may have robust data retention and destruction policies, but they cannot be truly effective unless there’s also a process in place to specifically manage the storage and deletion of emails. Over 40% of education data breaches are due to email.
Legislation, such as the General Data Protection Regulation (GDPR) or the Freedom of Information Act (FOI), has highlighted the need to adopt more formal policies for email retention. But if staff don’t find this fact compelling enough to act, you can give them many other good reasons for managing their emails.
For example, the more data a school holds, the greater the risk and seriousness of a cyber attack, as many settings have found to their cost.
If you don’t know why you need it, you don’t need it
The outcome of an email exchange can have a significance beyond the sender and the recipient. For example:
- a member of staff could unintentionally commit the school to a particular action by stating it in an email message
- illegal material could be transmitted through the IT system, for which the school may be liable
- all emails held by the school are legally discoverable following a request under GDPR or FOI and may be cited as evidence in legal proceedings.
The more information you hold, useful or not, the more you have to give out when you receive a subject access request. Statistics suggest that 95% of emails disclosed during a subject access request are irrelevant.
And, of course, on a personal level, a tidy, minimalist inbox is much quicker and easier to manage, saving everyone time and stress.
But some staff are reluctant to adopt such processes. Emails can feel very personal, even in a work context, and some people don’t want colleagues to interfere with the way they manage their correspondence.
Others may appreciate the reasons for developing email retention constraints but lack the time to go through all the emails they have accumulated over the years.
The best way to manage email retention is to limit email storage sizes
The key is to stress that inboxes should not be used as filing systems. Important information should be saved somewhere, just not in inaccessible messages.
Some staff might find it difficult to accept this, and you may have to introduce a significant cultural change across your school, but there are few – if any – advantages to hoarding thousands of forgotten emails.
Staff should follow the school’s general data retention and destruction policy.
In most cases, this will clarify whether or not an email should be kept.
For example, informal correspondence between staff or external bodies confirming a meeting, or agreeing something that is not related to documents detailed in the data policy, should be deleted as soon as it has been read and noted.
However, often, staff are wary of deleting emails in case they are needed later. It’s true that there are some situations where an obligation to retain emails arises.
It is much less secure to store sensitive details in email format
The Freedom of Information Act, Section 77, contains the offence of altering, defacing, blocking, erasing, destroying and concealing any records held by a public authority with the intention of preventing the disclosure of records in compliance with a FOI access request or a GDPR access request.
However, keeping emails ‘just in case’ could put you in breach of GDPR Article 5(1)(e):
‘Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.’
This Article also states that personal data may be stored for longer periods only for archiving purposes in the public interest, or for scientific, historical research or statistical purposes.
This means you should retain only personal data that is appropriate for the function of the school, for no longer than is needed to meet your school’s legal obligations.
Consider sharing the following principles with your colleagues:
- Only send an email to the people who need to read it.
- The content of the email must be appropriate for the purposes of sending it. Don’t send emails to recipients where the content is not appropriate or where there is no beneficial need or business requirement.
- When forwarding emails, ensure that the recipients are correct, and the content is appropriate for the recipient. Make sure you check the content of older emails included in an email thread for relevance or confidential information, and delete any content that is no longer necessary or appropriate.
- If you believe you have received an email in error (for example, you think it was meant for someone with a similar name to you), contact the sender immediately to tell them. Don’t show the email to anyone else or forward it until the sender has confirmed it was sent to you in error.
- Once the sender has confirmed that it was sent to you in error, delete the email immediately from all devices and notify the DPO.
- If you think you have sent an email to the wrong person, if possible recall the email, then contact the recipients informing them of the error and asking them to delete it immediately. Then notify the DPO.
- There is no need to print out emails.
The best way to manage email retention is to limit email storage sizes. It’s unlikely that anyone needs more than 2GB storage space. Once this limit is reached, emails cannot be sent or received.
Many schools enforce this policy by using an automatic email deletion system in which, for example, all emails are automatically deleted six months after receipt.
Remove the fear of the unknown and replace it with the facts from people who have done it
Even if you have such a system, you should make it clear that every individual is responsible for managing their own mailbox and the data held in it.
Staff need to assess and store all emails in line with the school’s data retention policy. If certain emails are required for business-critical or other operational purposes, they should be stored in the shared secure cloud storage system.
Emails deleted from an inbox can be accessible from the cloud for a short period, or put in a ‘recycle bin’ for a few weeks before being permanently deleted.
As DPO, talk to your IT colleagues about technical ways of reducing the chances of a data breach. Here are some examples.
- Turn off the address autocompletion functionality, so that senders have to type in all email addresses. This reduces the chances of the email going to the wrong person, which is a common type of data breach.
- Include a warning message, for example: ‘You’re sending this email externally. Is that what you intended?’
- Put a 30-second delay on sending an email. In most cases, people realise they have sent an email to the wrong person immediately after they press ‘Send’. A slight delay allows the email to be cancelled.
- Devices used to store emails must meet the IT security requirements associated with the device type. These devices must not be shared in a manner that allows unauthorised access to academy emails. This could mean deciding whether staff can access emails on their phones, for example.
- IT should also be able to identify whether staff are inappropriately saving files to their desktop or other personal storage area. Occasional random audits may help to change this behaviour.
- Develop a checklist for when staff leave the school, including confirming that any important content has been reviewed and moved or deleted, managing any new emails after the person has left, and the eventual deactivation of email accounts.
So, as the DPO responsible for imposing this potentially painful change, where do you start?
First, you need to remove the fear of the unknown and replace it with the facts from people who have done it. If those people are senior managers, you can create influential allies. You could even start with those who are reluctant but who want to set a good example as a leader.
Tell them what you want them to do and explain why. Encourage discussion and take their concerns on board. Emphasise that a robust email retention process will improve efficiency: without it, the school will struggle to show compliance, struggle if there’s a serious data breach and have to sift through several thousand emails for a significant subject access request.
Getting busy senior managers to try out the process first also helps to keep it simple enough for everyone to follow.
Encourage the managers to inform the rest of the staff that they are going to adopt the process first. In most cases, they will report that it wasn’t as bad as they expected! When they can say that their inbox is much easier to manage, and that a subject access request took two hours instead of two weeks, objections from other staff normally melt away.
‘I need the email for audit trail purposes.’
If the email contains correspondence on contracts or purchases, or correspondence pertinent to quality assurance processes or delivery of projects, review it and file the email or its content in line with the school’s data retention policy.
‘I want to keep this email because it has a useful attachment.’
If an attachment is important, it should be stored somewhere that everyone who needs to can access it (for example, on the shared document storage system) in line with the data retention and destruction policy. If someone else hasn’t already saved it there, do so and then delete the email.
‘This email is too important to delete.’
If it’s important, more than one person needs to see it. If only you can see it, it can’t be that important.
‘I might need this email just in case…’
If you don’t know why you need it, you don’t need it. And remember that you are in breach of GDPR if an email kept after its initial purpose identifies data subjects.
‘This email contains confidential information that I don’t want to share.’
The online file storage system should include secure files relating to pupils and staff, which can only be accessed by relevant people. It is much less secure to store sensitive details in email format.
‘My job means I need to have a bigger inbox than my colleagues.’
While some schools allow certain roles to have a larger email storage capacity, consider whether this is really necessary. A limit of 2GB should be enough for everyone. If a collague really thinks their role is an exception, tell them to present their justification to the headteacher / CEO / CFO.
With thanks to Dai Durbridge of Browne Jacobson, and participants in his DPO Continuous Development Programme masterclass, for sharing their tips and experiences.
Last Updated:01 Dec 2021