Impact and compliance of metadata collection by employers through email applications

Introduction

On December 21, 2023, the Italian Data Protection Authority issued a provision with significant implications for employers that use email applications to manage internal communications. The provision focuses on the collection and retention of metadata relating to employees’ email accounts. In this article, we examine the impact of the provision and the compliance requirements it imposes on employers.

What are metadata?

Metadata are data that describe the characteristics of other data. In other words, they are descriptions or additional information that give context or structure to the primary data. Here are some examples of metadata in different contexts:

  • Email Metadata: In emails, metadata includes information such as the sender, recipient, subject, date and time sent, transmission path, and other technical information that helps manage and organize emails.
  • Photo Metadata: For digital photos, metadata can include the date and time of capture, camera settings, GPS coordinates of where the photo was taken, and other information about the camera and shooting conditions.
  • Document Metadata: In digital documents, metadata can include information such as the document author, creation date, last modification date, document title, and other formatting and structure-related information.
  • Audio/Video File Metadata: In digital audio and video files, metadata can include information such as the song title, artist, album, year of release, duration, file format, and other recording-related information.

Metadata are useful because they allow the primary data to be organized, searched, retrieved, and better understood. They can serve various purposes, such as digital content management, information retrieval, cybersecurity, and regulatory compliance. However, the privacy and security implications of handling metadata must also be considered, since metadata can reveal sensitive or confidential information.

Impact of the Authority’s guidance on metadata collection by employers

The Authority’s provision highlighted the risk associated with the preventive and generalized collection of metadata from email applications used by employees. Such metadata includes information such as sender, recipient, subject, date, and email size. The primary concern is that some computer programs and services may collect this metadata by default, without the employer’s ability to disable this functionality or limit the period of information retention.

Required Compliance

In response to this risk, the Data Protection Authority has required employers to adopt specific measures to ensure compliance with privacy regulations and the protection of employees’ personal data. The main compliance requirements are as follows:

  • Verification of Metadata Collection: Employers must diligently verify whether the computer programs and services used for email management collect metadata from employees’ accounts. This verification must be thoroughly documented to demonstrate compliance with the requirements of the provision.
  • Modification of Default Settings: If metadata collection is confirmed, employers must be able to modify the default settings of the computer programs and services so as to prevent the collection of metadata or to limit the retention period to a maximum of 7 days, with the possibility of extending this period by an additional 48 hours in exceptional cases.
  • Labor Safeguards: If limiting metadata retention is not possible due to proven organizational or production needs, employers must follow the safeguard procedures provided by sector regulations. These may include entering into a labor agreement with unions or obtaining authorization from the labor inspectorate. The aim is to ensure that extending the metadata retention period does not result in remote monitoring of employees’ activities.
  • Employee Information: It remains essential to provide employees with correct information regarding the processing of their personal data, including the collection and retention of metadata related to email.
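As an added illustration, not part of the provision or of the original article, the following Python script shows how an employer could document which metadata fields an email system actually retains (the verification step) and flag records held beyond the 7-day limit, or beyond 9 days when the 48-hour exceptional extension is documented. The record layout, addresses, timestamps and the reference time are constructed for this example.

```python
from datetime import datetime, timedelta, timezone

# Retention limits as stated in the provision: 7 days by default,
# extendable by a further 48 hours only in documented exceptional cases.
DEFAULT_RETENTION = timedelta(days=7)
EXCEPTIONAL_EXTENSION = timedelta(hours=48)

# Email metadata fields named in the article; retaining any of these per
# message is what the employer must verify and document.
METADATA_FIELDS = {"sender", "recipient", "subject", "sent_at", "size_bytes"}

# Constructed sample of what a mail server's metadata log might hold.
SAMPLE_RECORDS = [
    {"id": 1, "sender": "a@example.org", "recipient": "b@example.org",
     "subject": "Q1 budget", "sent_at": "2024-03-01T09:15:00+00:00",
     "size_bytes": 4096},
    {"id": 2, "sender": "c@example.org", "recipient": "b@example.org",
     "subject": "Lunch", "sent_at": "2024-03-02T12:00:00+00:00",
     "size_bytes": 812},
    {"id": 3, "sender": "b@example.org", "recipient": "d@example.org",
     "subject": "Contract", "sent_at": "2024-03-09T17:45:00+00:00",
     "size_bytes": 20480},
]

# Constructed reference time for the audit (an assumed "now").
NOW = datetime(2024, 3, 10, 12, 0, tzinfo=timezone.utc)


def collected_fields(records):
    """Return the metadata fields actually present, for the verification step."""
    found = set()
    for rec in records:
        found |= set(rec) & METADATA_FIELDS
    return sorted(found)


def retention_limit(exceptional=False):
    """7 days, plus 48 hours only when an exceptional case is documented."""
    extra = EXCEPTIONAL_EXTENSION if exceptional else timedelta(0)
    return DEFAULT_RETENTION + extra


def overdue_records(records, now, exceptional=False):
    """Return ids of records kept longer than the permitted retention period."""
    limit = retention_limit(exceptional)
    overdue = []
    for rec in records:
        sent = datetime.fromisoformat(rec["sent_at"])
        if now - sent > limit:
            overdue.append(rec["id"])
    return overdue
```

With the constructed data, record 2 (8 days old) is overdue under the default limit but not under the 9-day exceptional limit, while record 1 is overdue under both.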

Practical advice for metadata collection by employers

The Data Protection Authority’s provision represents a significant step forward in protecting employees’ privacy and regulating the use of metadata by employers. It is crucial for employers to take appropriate measures to comply with the established provisions while ensuring transparency and respecting employees’ rights.

Checking whether metadata are collected, modifying the settings of email programs, and adhering to labor safeguard procedures are essential steps to ensure compliance and mitigate the risks associated with the management of employees’ personal data.