How to ensure compliance with the Privacy Guarantor's guidelines for managing e-mail 'metadata'? “Simple”, by printing the emails and deleting them from the server.
This advice, paradoxical as it is, sums up the Privacy Guarantor's latest indications on the retention of employee e-mail metadata, which are creating some confusion among Italian companies and, consequently, among the Service Providers that offer Cloud services.
Let's look together at what the new guidelines would entail, the consequences that would follow from them, and the authority's first steps back.
What are the Guarantor's new guidelines on metadata, and what is their impact?
On February 6, the Privacy Guarantor published a measure containing an indication likely to have a disruptive effect on corporate e-mail systems: employers can keep employee e-mail metadata for a maximum period of 7 days (extendable by a maximum of 48 hours), except in some cases covered by special agreements.
This measure sets very restrictive limits on the management of workers' e-mail, especially in the cloud, and has a number of consequences.
The point is that the Guarantor's directive refers to metadata, that is, to the “sensitive” information that accompanies e-mails, such as sender and recipient, date and time of sending, IP address of the sender and of the transmission server, etc. The Guarantor considers all of this data to be subject to confidentiality, and therefore not to be kept beyond a certain period, which must itself be kept to a minimum.
The reason? In summary, the collection and storage of the accompanying information relating to e-mails would not fall within the definition of a 'work tool', which is defined as 'any tool used by the worker to carry out their work'.
In practice, the Guarantor, with this measure, considers that e-mails are a work tool for only seven days.
This reasoning has generated a heated debate and risks creating managerial and organizational problems. Without metadata, it is practically impossible to index and organize e-mails: metadata tells us the date, time, sender, recipient, subject and size of the messages, in short, all the information needed to trace an e-mail.
If, within a week, all identifying information were removed, the emails would completely lose their context. How could a company handle legal disputes, rebuild projects, or simply maintain daily operations if its memory were limited to just seven days?
The Guarantor is open to listening
For all these reasons, the Guarantor has chosen to accommodate companies, and us Service Providers, in two main ways.
The first is a public consultation on the retention period for the metadata of workers' e-mail accounts. Through it, all employers, both public and private, together with data protection experts and other interested parties, are invited to contribute by sending comments, information and proposals to the Guarantor.
The second is the decision to “defer the effectiveness of the guidance document”. This means that until the opinions have been collected, for a maximum of 90 days, employers and the Cloud & Service Providers that host the corporate e-mails will not have to change their retention policies.
Even if the problem has not yet been solved, and the measure looks like a step backwards compared to the rest of Europe, with these two steps the Guarantor shows that it wants to leave room for dialogue and for listening to shared solutions.