On April 23, staff at RUC received an email with a six-page order to erase all sensitive data from emails over 30 days old. The task must be completed by May 25, when the new rules on sensitive data come into force. However, RUC’s new rules for erasing old emails are impossible to put into practice, seeing as staff would have to either keep all sensitive data, thereby breaking the rules, or erase them all and lose information that ought to be kept.
When the new rules come into force, staff will no longer be allowed to keep information related to a specific person for more than 30 days. The rules encompass anything that may identify a specific person, from name and address to shoe size and hair colour. According to the email, RUC has decided that each employee is best placed to assess for him/herself which emails should be erased and which ones should be kept for a number of different reasons. Instructions are attached as well so that the staff may acquaint itself further with the rules and their scope.
However, it is entirely far-fetched to assume that an employee will be able to go through all his or her emails at such short notice, say many members of staff who disapprove of the order. The VIP representatives have expressed concern in an email addressed to all the Heads of Departments. Amongst other matters, the shop stewards point out that the insurmountable task of going through and assessing the huge amounts of text in such a short time jeopardizes the legal security. The VIP representatives also express fears that the immense erasing of emails will incur an information loss.
»What I find problematic is that we are being faced with a downright impossible task. There are a number of data that we need to keep due to the right of information, and because there is always a risk of students filing complaints and of investigations of misconduct. This means that there is a lot of information that we have to keep, and at the same time lots of data that we need to erase. These are complicated legal matters, so we might very well get it wrong,« says Kristine Niss, professor (MSO) at the Department of Science and Environment and workers’ union representative for the department’s scientific staff.
Employees at RUC have received two administrative instructions concerning how to put their house in order. According to the guidelines, there are three types of material in the employees’ electronic inboxes: data that should be kept, data that should be erased, and data that may constitute gray areas under certain circumstances. The different categories may make it cumbersome for staff to go through their emails in a sound manner. Technical and legal guidelines do not suffice as means of making staff grasp the message and take the task seriously.
Jeppe Dyre, Doctor of Science at the Department of Science and Environment, believes the task to be impossible in light of the fact that many employees receive around a hundred emails a day:
»It is unsurmountable to erase that many data. I believe RUC should wait to see what other universities do in Denmark and abroad. The people I have spoken to at other universities were flabbergasted to hear that old emails must be erased. They say it must be a mistake.«
University Director Peter Lauritzen, who is currently in Singapore, informs the present publication by email that he is fully aware that the task is time-consuming and laced with red tape:
»We know that the task may be a large one for some. Fortunately, not everyone has the same amount and the same type of stored emails. However, the most important thing is to get started. We understand that everyone will probably not be done with the task as early as May 25.« And he adds:
»Roskilde University does its best to live up to all aspects of the new rules, and we try to ensure compliance by offering the employees guidelines and guidance for the members of staff who may encounter special difficulties relating to the content of their email. We must remember that the whole idea of protecting the individual persons’ data is an important consideration for a research institution.«
The staff do indeed understand the wish to comply with the new rules.
»Fair enough that they want to comply with the rules. The problem is that there is no way to do this in a matter of one month. An enormous task like this one requires forewarning,« says shop steward Hanne Jørndrup.
And what is really worrying are the consequences in case of non-compliance:
»Some employees are worried about the personal responsibility and whether it may be used against employees, for instance during rounds of layoffs. This fear may very well be unfounded, but it is nonetheless one that several members of staff hold. No thought has been given to how the order would be received.«
The order stems from RUC’s legal interpretation of the new data protection rules that enter into force on May 25. Actually, the rules have existed since 2000, but now they will be interpreted and enforced far more strictly. In the worst case, a breach of the rules may lead to huge fines from the European Union, and an institution the size of RUC might have to pay amounts around 16 million DKK.