We have someone whose first name is Gavin working in IT Services. There is also someone whose first name is Gavin who works in another institution. I sent an e-mail some time back asking “our” Gavin to do something for me. You can guess what happened – yes, I sent it to the Gavin who works at the other institution because Outlook kindly offered me a list of “Gavins” and, not paying attention, I clicked on the wrong one. Amazingly, he agreed to do what I asked!
That’s a light-hearted illustration of the perils of e-mail. It gets more serious, of course, if you are e-mailing something confidential or personal. I am well through the process of drafting a new data protection policy to govern the use of mobile media and devices – it’s relatively straightforward until you try to figure out what to do about e-mail. In an ideal world we could say “don’t send confidential or personal information by e-mail” – end of story. The reality is that the convenience and speed of e-mail mean that many people do end up using it even for some confidential or personal data. There’s no point in having a policy that says “don’t” if the reality is that people are going to ignore it.
What are some of the issues? With more and more people using a variety of devices to access their e-mail, you cannot be certain how secure the environment used by the recipient of your e-mail will be. In addition, e-mail is easily misdirected by accident (as I discovered when e-mailing Gavin) and e-mail accounts are sometimes monitored by people other than the recipient (e.g. a personal assistant). Some people forward their e-mail to personal accounts. Many people access their e-mail on mobile devices, which may not be fully secure, and an e-mail you sent with all that juicy confidential information may remain on the recipient’s device for some time – possibly a VERY long time. The risk is therefore not just at the time when you send the e-mail.
Bottom line – when you send an e-mail you have absolutely no idea where it might end up and you relinquish control as soon as you press “send”.
Ultimately, our policy will probably have to accept the reality that some personal and confidential information can be shared by e-mail. I’ll probably suggest that wherever possible you should avoid sending personal data by e-mail. If you must, then the policy is likely to stress the importance of taking reasonable steps to make sure that the recipient’s e-mail environment is likely to be secure.
You should certainly NEVER send bulk personal information by e-mail, for example a list of students with their names, addresses, dates of birth etc. That’s just asking for trouble.
If you need to communicate electronically in relation to bulk personal data then there are secure ways to do this. For example, place the personal data in a secure location (e.g. on a shared folder to which only authorised people have access) and then send an e-mail to tell the recipient that the information is there.
Watch out for the new policy . . .