Handling email

General precautions

  • You should in principle always endeavour to avoid sending sensitive and/or confidential personal data in emails.
  • At the same time, you should deal with emails containing this kind of content immediately, either by filing them or by deleting them once they have been read.
  • You should avoid copying sensitive and/or confidential personal data from systems such as STADS, PeopleXS and WorkZone in order to email it.

 

What is permissible?

You are allowed to send and save so-called neutral mails in your inbox.

Neutral mails are defined as mails which include no personal information other than the names of employees referred to in connection with their professional role in a case or project. Examples are general or concrete anonymised guides, meeting minutes, course material, general projects, etc.

If necessary, you can email sensitive and/or confidential personal data internally at AU.

  • The Danish Data Protection Agency's guidelines state that an email system may hold sensitive and/or confidential data, provided that access to this personal data is restricted to authorised persons and the email system requires a password-based login.
  • Similarly, you can send emails containing unencrypted sensitive and/or confidential personal data, as long as this takes place in a closed network.
  • AU's email system meets the above requirements, so internal emailing of sensitive and/or confidential personal data to other persons at AU is permissible. Internal email addresses are basically ones ending in au.dk.

Emails containing sensitive and/or confidential personal data must be deleted within 30 days at the latest. 

  • According to the Danish Data Protection Agency, emails with sensitive personal data must be deleted no later than 30 days after receiving the email / sending the email. Emails with general personal data must be deleted when there is no longer a legitimate purpose for storing the data.
  • If you are the sender of an email containing sensitive and/or confidential personal data, you must delete this email in the 'Sent mail' folder and then also delete it in the recycle bin. If you are the recipient of an email containing sensitive and/or confidential personal data, you must delete this email in your inbox and then also in the recycle bin.

Finally, remember to use a secure form of communication if you need to send sensitive and/or confidential personal data to recipients outside AU.

  • If you need to send sensitive and/or confidential personal data to external recipients, i.e. recipients outside AU, you must use a secure form of communication, e.g.:

What is not permissible?

  • You must not email sensitive and/or confidential personal data outside the closed network (AU's network).
  • You must never encourage students, staff or anyone else to email sensitive and/or confidential personal data. The data in question includes Danish civil registration (CPR) numbers, medical reports and applications. You should instead recommend that they send the data securely, e.g. using secure mail.
  • If you nevertheless receive sensitive and/or confidential personal data via normal email, it is important that you do not simply reply to the email including the full original text in your email. Before replying you must ensure that sensitive and/or confidential data has been removed from the email.

Email signature for emails containing personal data

If you send an email containing personal data, you must insert the following text as standard in your email signature.  

“Please note that this email contains personal data. You must ensure that this data cannot be accessed by anyone else without good reason, and that it is deleted immediately when it is no longer required in relation to the purpose for which it was sent.”

 

Concerning unsolicited applications in particular

If an employer (you) receives an interesting unsolicited application that you wish to save because there are no vacant positions at the time in question, the employer must inform the applicant of how long the application will be retained, and for which purpose.

The application should be retained for no longer than six months. This may be notified in response to an unsolicited application, or via a policy on the company's website which presents general information on how the company handles unsolicited applications. AU does not currently have a policy on its website for the handling of unsolicited applications.