OOPS!

We have someone whose first name is Gavin working in IT Services. There is also someone whose first name is Gavin who works in another institution. I sent an e-mail some time back asking “our” Gavin to do something for me. You can guess what happened – yes, I sent it to the Gavin who works at the other institution because Outlook kindly offered me a list of “Gavins” and not paying attention I clicked on the wrong one. Amazingly, he agreed to do what I asked!

That’s a light hearted illustration of the perils of e-mail. It gets more serious of course if you are e-mailing something confidential or personal. I am well through the process of drafting a new data protection policy to govern the use of mobile media and devices – it’s relatively straight forward until you try to figure out what to do about e-mail. In an ideal world we could say “don’t send confidential or personal information by e-mail” – end of story. The reality is that the convenience and speed of email means that many people do end up using it even for some confidential or personal data. There’s no point in having a policy that says “don’t” if the reality is that people are going to ignore it.

What are some of the issues? With more and more people using a variety of devices to access their e-mail, you cannot be certain how secure will be the environment used by the recipient of your e-mail. In addition, e-mail is easily misdirected by accident (as I discovered when emailing Gavin) and email accounts are sometimes monitored by people other than the recipient (e.g. a personal assistant). Some people forward their e-mail to personal accounts. Many people access their e-mail on mobile devices, which may not be fully secure, and an e-mail you sent with all that juicy confidential information may remain on the recipient’s device for some time – possibly a VERY long time. The risk is therefore not just at the time when you send the e-mail.

Bottom line – when you send an e-mail you have absolutely no idea where it might end up and you relinquish control as soon as you press “send”.

Ultimately, our policy will probably have to accept the reality that some personal and confidential information can be shared by e-mail. I’ll probably suggest that wherever possible you should avoid sending personal data by e-mail. If you must, then the policy is likely to stress the importance of taking reasonable steps to make sure that the recipient’s e-mail environment is likely to be secure.

You should certainly NEVER send bulk personal information by e-mail. For example a list of students, with their names, addresses, dates of birth etc. That’s just asking for trouble.

If you need to communicate electronically in relation to bulk personal data then there are secure ways to do this. For example, place the personal data in a secure location (e.g. on a shared folder to which only authorised people have access) and then send an e-mail to tell the recipient that the information is there.

Watch out for the new policy . . .

Advertisements

2 thoughts on “OOPS!

  1. Which would be a fine suggestion if there was an easy way to set up a shared folder for the people who need it right now, but the current reality is that we need to jump through hoops and delays before we can get such a facility set up. There is currently no faster way of getting data to where it needs to be than via email, and until that changes and we get a simple, immediate solution to file sharing, email delivery of personal data will continue to be used by everyone.

    • Hi Duncan, yes I appreciate that and this was why it was difficult to consider how best to word the policy in practical terms. Our implementation of SharePoint I am sure will help greatly, and we will also look at the potential of encryption. Whatever we do, our legal obligations (personal and corporate) don’t go away and if we are using email for sensitive personal data we must be able to demonstrate all reasonable steps have been taken to protect that data.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s