Security and Access
Summary
Email is not secure. Consider if email is the most appropriate format for your message and follow these tips to ensure you keep your emails confidential and secure:
Encrypt emails being sent externally which contain personal or confidential information. IS provide free encryption.
Remember attachments can also be encrypted or password protected.
Send internal links rather than attachments
Double check that you have selected the correct recipient
Don’t send very long email trails/conversations
Secure your portable/mobile device(s) if you use them to access email
Keep email records in the appropriate shared network area (these can be restricted in a number of ways)
Content
Security
Email is NOT a secure medium! It is the electronic equivalent of sending a postcard, and sending personal, sensitive or confidential information via email is a high-risk practice. Assess whether email is the appropriate medium (would a telephone conversation or sharing information on SharePoint be better?). If you do have to send sensitive information externally via email, it should always be encrypted.
It can be very easy to send an email to the wrong recipient, especially with the ‘auto-complete’ function of Outlook. Always check before hitting send: spending a few extra seconds to make sure you are sending the email to the right person can stop a potential data breach in its tracks.
Additionally, there are risks attached to sending attachments and to sending long email conversations, where there is a greater risk of confidential information being ‘buried’ in the trail. Bear in mind that emails are also stored on various servers belonging to various internet service providers en route to their destination(s).
If you are accessing your University email account on your mobile/smart phone and don’t have the necessary security precautions in place (passwords etc. as per Information Services guidance), your email account is potentially vulnerable to thieves and anyone else who may have access to your phone. If you are keeping sensitive or personal information in your email account for ‘safety’ and accessing it this way, you are at risk of breaching both legislation and University policy. IS provide a variety of ways to securely access the University network, e.g. VPN, Virtual Desktop, etc.
Access
Although we need to keep emails secure, we also need to consider who needs access to them, as they are business records, not personal ones. Keeping information and records in your University email account means that they are effectively being kept in a personal storage area. Records which are evidence of decisions or University business must be kept in a shared network area like SharePoint or the S: Drive where at least one other person has access. There have been occasions where someone has left the University and important records which were kept in their University email account have been lost. If the information is someone’s personal data, sensitive or confidential information, it must be kept in an appropriately secured folder in the department’s SharePoint site / S: Drive with access given to the necessary staff members. Not ensuring that the appropriate colleagues have access to information is risky for the University.
Page last updated 28 March 2019