Storage and deletion
Store in the right place
Information containing personal data may be stored in approved and designated IT systems, on F: (home directory) or G: (shared), and temporarily on removable storage media such as USB sticks.
However, if the information contains sensitive personal data or personal data meriting extra protection, it must be protected more strongly than other types of personal data. Such data may therefore not be stored in Box or OneDrive, and if it is necessary to store it temporarily on removable storage media, it must be encrypted.
Access to information containing personal data should in principle be individual and limited to those who need the personal data to perform their work. This applies in particular to sensitive personal data and personal data meriting extra protection.
Access can be technically restricted at the individual or group level. But don't forget to update access rights when someone leaves the university, changes department, or otherwise no longer needs access to the personal data.
Deletion at the appropriate time
A common misconception is that it is important to delete personal data when it is no longer needed for the purpose of the processing. However, the university is obliged under the archiving legislation to preserve a large part of the information processed at the university in order to meet, among other things, the needs of research and the public's right to transparency in public activities. Information is also one of the most important resources of higher education, and there is a need to ensure access to it.
The fact that personal data may need to be kept longer than necessary for the purpose of the processing does not conflict with the GDPR principle of storage minimisation. This is because personal data may be retained for longer than normal if it is necessary to meet the requirements of archiving legislation. Such processing for archiving purposes is not incompatible with the original purpose of the processing, and no separate legal basis for the processing is required.
Thus, GDPR does not impose concrete requirements on when personal data should be deleted; this is determined by archiving legislation. On the other hand, GDPR requires that personal data is actually deleted when deletion is required. For the university's employees, this means that the information processed must be saved and deleted in accordance with the university's rules and guidelines for processing information.
Each employee is responsible for ensuring that information containing personal data in emails, web forms, and personal storage spaces, such as F: or Box, is stored in the right place and deleted when required.
Unit managers are responsible for personal data stored on shared storage areas, such as G: or Box.
The storage and deletion of personal data in university systems is the responsibility of each system owner.