Data Protection and Email
As a large organisation we send and receive a vast amount of emails every day. Whilst email is a valuable, quick and effective communication tool it is also the most commonly reported source of data protection mistakes.
Usually, mistakes tend to be made in human error when there’s a time pressure to send something out or when people are momentarily distracted. Unintended email disclosures can have negative consequences for the University and those involved. Below are the most common mistakes made, some advice to ensure that you can avoid these, and who you must report incidences to under the University Information Security Incident Response Policy (PDF 210KB) if an error should occur.
- Sending an email to the wrong recipient. Outlook may try to predict the recipient of the email based on the first few letters of the email address.
- Attaching the wrong document or hyperlink to an email.
- Forwarding an email chain that contains confidential personal data onto a new recipient.
- Sending an email to multiple recipients using ‘To’ or ‘Cc’ fields when ‘Bcc’ would be more appropriate.
Always ensure you have the correct recipient, and if applicable, the correct attachment before pressing ‘send’. This is particularly important if you are working in a role that involves sensitive data, such as that relating to extenuating circumstances, mental or physical health, disability, ethnicity or misconduct. If you feel that your workloads are such that you do not have time to perform these checks please speak to your line manager. Time constraints or pressure to make deadlines should not be at the expense of risks to student or staff data so please take the time to check; it will take longer to mitigate the situation after the mistake is made.
To BCC or not to BCC?
When is it more appropriate to use Blind Copy, 'Bcc' than 'To' or 'Cc'?
Blind Carbon Copy or 'Bcc' enables you to send an email to multiple recipients without revealing the identity of others on a distribution list. In some instances where this reveals only student email addresses it will not be a problem.
For example, sending an email to arrange a meeting of a regular course project group that all members are involved in.
In other instances that involve the disclosure of information they would not have known about each other, or reasonably expect to be shared, 'Bcc' should be used.
Example 1- sending an email to student applicants via their personal email addresses to keep in contact with them before they enrol. It would not be appropriate to reveal their personal email addresses to other applicants in either the 'To' or 'Cc' fields. Bcc must be used.
Example 2 - sending an email to some previous research study participants. It would not be appropriate to reveal their personal email addresses to other participants in either the 'To' or 'Cc' fields. Bcc must be used.
Information can also be disclosed by association with the context of the email. You may inadvertently disclose personal information in relation to the recipients, such as their health, wellbeing, ethnicity or socio-economic background.
Example 1 - sending an email to students that are newly registered to the Counselling Service reminding them of the Service's drop in times. By using the 'To' or 'Cc' fields recipients are then aware of who else has subscribed to the Service and may make assumptions about their health from mere association with the communication. Bcc must be used.
Example 2 - sending an email to some previous research study participants involved in a study of a sensitive nature, such as research into people in certain weight ranges or with certain medical conditions. As well as revealing email addresses, the association is likely to amount to a breach of far more. Bcc must be used.
In addition to the above, using 'To' or 'Cc' allows recipients to 'Reply all' which presents further risks to disclose additional, possibility sensitive, personal information by the recipients. Risks they would not have been subject to if the 'Bcc' function was used.
When mistakes happen
If you do send an email or attachment in error to the wrong recipient apologise to the unintended recipient ask them to delete the email and attachments, including all copies held, and not to further share or disseminate.
Any incident involving an unauthorised disclosure of personal data MUST be reported to IMPS in line with the Information Security Incident Response Policy (PDF 210KB), on the Information Security Incident Reporting Form (Word 1.1MB). This must be done immediately. IMPS will then contact you with further advice. Do not delay reporting incidents to the IMPS team; further details can be sent on later if needed.
What you can do?
Double check email recipients. Be wary of ‘auto filled’ names within your email account. Double check the field recipients are in is appropriate to the context – ‘cc’ or ‘bcc’?
Double check attachments and hyperlinks - have you picked up the right one?
Complete the three mandatory IMPS modules (Data Protection, Information Security and Freedom of Information).
In the event of a breach you will be asked to retake the data protection course. If in doubt please, contact the IMPS department for advice.
What to do if you receive something in error
Let the sender know that you have received something in error, explaining in general terms what it is (for example; the attachment is wrong, not the intended recipient). Let the sender know you have deleted and not further disseminated the email or attachment(s). If the sender is a member of staff remind them to complete the information security incident form and submit to IMPS immediately.
Data Subject Access Requests
Data Protection law entitles everyone to submit requests to organisations to access their personal information that the organisation is processing, which may extend to personal data within emails.
Retention consideration for emails
Email can be a great tool for keeping track of your work communications. The creation of folders to organise your emails by subject or timeframe can really help with keeping organised. However email does make it very easy to generate vast amounts of correspondence every year.
The University does not have an automated system for deleting emails. Responsibility for your email account sits with you. To ensure you are managing your emails effectively some things to consider are:
- purging deleted, sent and calendar items more regularly and filing emails you intend to keep in a manner that you can easily review and purge at set intervals by, for example, data range, category, for action or for information.
- use of personal email accounts for the storing of student or staff records that have long retention periods should be avoided. Consider whether the emails need to be retained and if so, whether they should be added to a centrally managed student or staff file.
Access to other users accounts.
Any requests to access the personal account of another individual should be made using the 'Data Access Request' form located on the IT Services Help page, accessible here.
If a member of staff is due to leave the University it will be the line manager's responsibility to ensure that all business critical work is transferred, or emails redirected, prior to them leaving the organisation as part of the handover process. Please do not assume that access to a personal account will be given retrospectively after they have left!
Any enquiries please contact email@example.com or 0118 378 8981