UEA staff send thousands of emails every day, both inside and outside the University. Mistakes are easy to make, and when things go wrong, a personal data breach has almost certainly occurred.
Simple errors, such as sending to the wrong person, retaining an unrelated email thread at the bottom of a message, or including the wrong attachment, may often seem trivial but can have serious consequences: for the people whose personal data has been inadvertently disclosed, for the sender, and for the University as a whole.
We've listed some email management tools and tips below, but the most important actions that everyone can take before sending an email are also the most obvious:
1. Ask yourself, is email the most appropriate way to share this personal information? It might be the quickest, but is it the safest? Can you use OneDrive or a department file share instead? Consider whether you have the right to share the information, whether it needs to be seen by all recipients, and remember that email is not considered a secure means of communication unless further steps are taken to protect message (and attachment) contents.
2. If you really need to send the email, check whom you're sending it to. And then check again.
3. Be careful not to include too much information. Forwarding an email thread to someone new? Check if the previous messages contain personal or sensitive information the new recipient isn't entitled to see. Sending an attachment? Make sure you send as little data as possible, and anonymise and/or encrypt as necessary.
4. Don't reuse old emails as templates - it's only too easy to retain the original personal data when sending on to someone else. Create new templates if necessary.
It's easy to fire off emails when you're in a rush, and several mistakes have occurred when the sender was distracted, multi-tasking, or working to a tight deadline.
Always take 5 seconds to make a final check of the To, CC and BCC lines.
A warning about To and CC: You should also consider whether recipients really need to know who else your email has been sent to. If you're sending a message to a number of unconnected people, or it contains sensitive information, you may need to hide the recipients, using BCC rather than To or CC. Organisations have been fined for getting this wrong.
Firstly, only use Outlook when accessing UEA email, even when away from your desk. Use the recommended software, don't set up auto-forwarding to another account, and you'll help the University's IT team keep emails secure - as well as ensuring you see all the functionality designed to reduce the risk of email errors.
Encryption or password protection should always be considered if the message is sensitive, and may be required if it contains Confidential or Secret data. You can:
- Encrypt the message itself (N.B. this only encrypts transmission, for emails leaving UEA)
- Protect the attachment. You can protect Office documents, PDFs (with Acrobat Pro, and with free tools available to all UEA staff), and create encrypted files.
Remember that you must share the password by some other means - e.g. by phone - and not in the email itself.
Setting a sending delay. This holds a message in your outbox for a short period, so if you realise within that time that you haven't checked the address, or have made a mistake, you can correct it before any harm has occurred.
Following a serious data breach in June 2017, the University has been looking at a number of ways to reduce the risk of email-related mistakes. We have focused on training (mandatory for all staff) as an important way of raising awareness, and have also taken a number of technical measures to help avoid sending emails to the wrong people. Staff have been notified of these changes via the weekly bulletin. Search staff news on the portal to find out more.
We know that some of the changes will require staff to work in different ways, and may take time to get used to, but we will continue to review and improve the University's email service wherever possible, and communicate these changes via the portal and weekly bulletins.