I need help with Data Privacy
1. How can I ensure that I am storing, processing or communicating information in a proper way?
- Do not form new personal data registers or take extracts (electronic or paper) from the existing personal data registers and data systems if it is not necessary for fulfilling your work tasks.
- However, if you need to create new registers or retrieve data extracts (e.g. lists of persons, contact information, documentation related to recruitment and performance appraisal, meeting logs, responsibility charts etc.), consider if you need to include personal data – delete personal data that you don’t need in your tasks from all documents.
- To the extent you need to create personal data registers or data extracts for fulfilling your work tasks, you need to ensure that you keep such registers up to date, keep them protected with limited access and delete the data when you no longer need it for fulfilling the tasks and purpose in question.
- A good practice is to check, update and clean up your personal files at least once a year. It is recommended to do the first clean-up by 25 May but at least by the end of 2018.
- Guidelines for handling and deletion also cover emails and attachments which include personal data and are organized and/or archived in a systematic way.
- Deletion of paper archives with personal data in scope (systematically filed based on some search criteria) is to be done annually, based on the company retention times and retention guidelines.
- Paper archives are also to be checked, updated and cleaned up at least once a year. It is recommended to do the first clean-up by 25 May but at least by the end of this year.
- Ensure that you have a justified reason for processing the personal data and that your actions do not cause any surprising negative effects to the individuals whose personal data is concerned.
- A best practice solution is to always consider whether you would be comfortable if these actions were performed on your data.
- Before sending or otherwise sharing personal data with colleagues, consider if the respective colleagues have a justified reason, relating to their work tasks, to see such personal data.
- Never share any data relating to a person’s health, family, salary or other benefits unless you are certain that the person has given his/her consent for this, or you are authorized to do so.
- Before sending or otherwise sharing personal data outside of Stora Enso, remember to verify whether you need to protect the email and/or documents attached.
- As a rule, do not store personal files on company-issued devices or on any personal cloud folder or drive that is provided by Stora Enso. A user’s privacy cannot be guaranteed unless these rules are followed.
2. What should I think of when I handle information concerning colleagues?
- Be ethical in the way you handle information concerning colleagues. Don’t engage in any communication that may intimidate, embarrass or injure the dignity of another person or company, or that is perceived as hostile on the basis of nationality, gender, sexual orientation, religious belief or disability (physical or mental), including specifically, without limitation, pornography, racism and Nazism.
3. Where can I find more guidance?
- If you need more guidance, visit Stora Enso’s Data Privacy WeShare site https://weshare.storaenso.com/sites/DataPrivacy/SitePages/Home.aspx. There you will find more practical guidelines on how to take data privacy into account in the data systems and registers in Stora Enso. If you need a reminder on the basic principles of data privacy, please complete Stora Enso’s privacy training again.