Data Protection and Email
Requirements and advice for use of email accounts
- Users of University email accounts must do so in accordance with the IT User Regulations (PDF 220KB).
- University issued email accounts (including @reading.ac.uk and @henley.ac.uk) must be used for all communications connected with University business.
- Use of University email accounts for private or personal non-University matters should be avoided wherever possible.
- University email accounts must not be auto forwarded to personal/home email accounts unless exceptional circumstances apply (seek advice from IMPS@reading.ac.uk). Convenience, time saving, or to have fewer email accounts, will not generally be considered exceptional circumstances.
- Access to University email accounts will only be extended beyond employment with the University in very limited circumstances.
- Please ensure that you have adequately handed over and moved any business-critical content held within your email account prior to leaving the University. Line managers must also ensure this is undertaken as part of the Leavers Process.
- Please periodically undertake reviews of your email accounts and delete any content that is no longer required. Pay particular attention to your deleted and sent items folders, as these are often where significant volumes build up.
Why is this important?
University email accounts help to clearly identify the sender as a member of the University. Use of personal email accounts can raise concerns as to the legitimacy of the sender and the email, make spam or spoofed contact harder to recognise, and make the sender easier to impersonate. Security threats posed by malicious emails, including spoofed accounts and phishing, remain a significant risk to the University and to the information we hold.
In addition to security, the University is also responsible for the governance of University information contained within email accounts. This is considerably more difficult to undertake if that information is held or stored within personal email accounts.
Some funders, clients and organisations that the University works with may also restrict the use of personal email for security or governance reasons. Accreditations and certifications the University holds, or wishes to hold, may also have strict security and governance requirements.
The University has set up Multi (2) Factor Authentication for off-site access to University email accounts. This protection is undermined if the information it protects is also held in personal email accounts.
The terms of use of personal email accounts may prohibit use for work/business unless you have the authority to bind your organisation to the provider terms and have the consent of your organisation. Very few members of staff have the necessary delegated authority to enter into legal terms with other parties, and this includes the terms of any provider of external personal email accounts. These terms often also offer very little in the way of liability or indemnity cover should a problem with that account (such as a breach) arise – this presents risks to the organisation as well as those whose data may be affected. Security measures of your email provider, no matter how robust, will very likely not negate any issues with the terms or address matters of governance.
The University is subject to the Freedom of Information Act, meaning email correspondence can be requested and may be subject to scrutiny. Using a personal account does not take information relating to University business out of scope of the FOIA. It does mean the administration workload for all involved can increase and that the University may have to ask to view emails within your personal account, which we would prefer not to have to do. Using personal and/or private communication channels can be seen as non-transparent, and public authorities can be subject to criticism for doing so.
Students are advised that they must use and regularly check their University email accounts; if we are expecting students to use University accounts, staff use of personal accounts may not help with encouraging this.
In the event of data loss or unavailability of data, our DTS team will be unable to help with any issues that arise with personal accounts.
In some exceptional circumstances processing of personal data that is not authorised by the University can amount to a criminal offence under the Data Protection Act, for which individuals can be held personally liable and subject to criminal sanctions.
Common issues with email
As a large organisation we send and receive a vast amount of emails every day. Whilst email is a valuable, quick and effective communication tool it is also the most commonly reported source of data protection incidents.
Mistakes involving email tend to be the result of human error, when there’s a time pressure to send something out or when people are momentarily distracted. Unintended email disclosures can have negative consequences for the University and those involved. Below are the most common mistakes made, along with some advice to ensure that you can avoid these, and who you must report incidents to under the University Information Security Incident Response Policy if an error should occur.
Common mistakes include:
- Sending an email to the wrong recipient. Outlook may try to predict the recipient of the email based on the first few letters of the email address.
- Attaching the wrong document or hyperlink to an email.
- Forwarding an email chain that contains confidential personal data onto a new recipient.
- Sending an email to multiple recipients using ‘To’ or ‘Cc’ fields when ‘Bcc’ would be more appropriate.
Advice:
Always double check you have the correct recipient and attachments before pressing ‘send’. This is particularly important if you are working in a role that involves sensitive data, such as that relating to extenuating circumstances, mental or physical health, disability, ethnicity or misconduct. If you feel that your workload is such that you do not have time to perform these checks, please speak to your line manager. Time constraints or pressure to meet deadlines should not come at the expense of student or staff data, so please take the time to check - it will often take far longer to mitigate the situation after the mistake is made.
Steps you can take:
- If a recipient that you no longer need keeps popping up in your suggestion boxes when composing an email, you can delete the suggestion by clicking the 'X' to the right of the suggested name. For more details please see Microsoft support - autocomplete.
- If you have sent an email in error, you should attempt a recall of the message as soon as possible. To do this, open the email in your sent items, click 'File' on the menu, and then 'Recall or Resend' to select recall. Please note that recall is not always successful and may not be honoured or actioned by the recipient's email provider, so please ensure that incidents are still reported to imps@reading.ac.uk, advising that a recall has been attempted.
- If it would be helpful to you, and where appropriate to your role, you can also opt to delay the sending of your emails. This allows for some time before the email leaves. If you are prone to only noticing the error when you read the email back to yourself after sending it (a common experience!), you can delay the send by between 1 minute and 120 minutes via 'Rules and Alerts'. For more details please see Microsoft support - delay send. Please ensure that you fully understand how this works before applying it, and test it before use. If your role involves very frequent urgent communications, we would advise that you speak with your line manager before using this setting.
- When your email correspondence contains long threads or forwarded email trails containing any sensitive information, consider deleting the previous content in the thread before forwarding or replying if it is not needed, and if appropriate to do so.
To bcc or not to bcc?
When is it more appropriate to use Blind Copy ('Bcc') rather than 'To' or 'Cc'?
Blind Carbon Copy or 'Bcc' enables you to send an email to multiple recipients without revealing the identity of others on a distribution list. In some instances where this reveals only student or staff email addresses it will not be a problem, depending on the context. For example, sending an email to arrange a meeting of a regular course project group that all members are involved in.
In other instances that involve the disclosure of information they would not have known about each other, or reasonably expect to be shared, 'Bcc' should be used.
Example 1 - sending an email to student or staff applicants via their personal email addresses to keep in contact with them before they enrol or join. It would not be appropriate to reveal their personal email addresses to other applicants in either the 'To' or 'Cc' fields. Bcc must be used.
Example 2 - sending an email to some previous research study participants. It would not be appropriate to reveal their personal email addresses to other participants in either the 'To' or 'Cc' fields. Bcc must be used.
Information can also be disclosed by association with the context of the email. You may inadvertently disclose personal information in relation to the recipients, such as their health, wellbeing, ethnicity or socio-economic background.
Example 1 - sending an email to students that are newly registered with the Counselling Service reminding them of the Service's drop-in times. By using the 'To' or 'Cc' fields, recipients are then aware of who else has subscribed to the Service and may make assumptions about their health from mere association with the communication. Bcc must be used.
Example 2 - sending an email to some previous research study participants involved in a study of a sensitive nature, such as research into people in certain weight ranges or with certain medical conditions. As well as revealing email addresses, the association is likely to amount to a disclosure of personal or sensitive information. Bcc must be used.
In addition to the above, using 'To' or 'Cc' allows recipients to 'Reply all', which presents a further risk that recipients disclose additional, possibly sensitive, personal information - a risk they would not have been subject to if the 'Bcc' function had been used.
What if I cannot see the 'bcc' option?
If you only have the options of 'To' and 'Cc' available, you can add 'Bcc' by either a) selecting the Options tab on your composed message and clicking on 'Bcc', or b) typing 'BCC' into the search bar and selecting 'BCC'.
For more details please see Microsoft support - BCC.
Malicious emails and security threats
Cyber crime is a significant and growing concern and the University faces threats from those that seek to access, take, or corrupt our data.
Keep Yourself Updated: Awareness is your first line of defence. Understand the tactics used in phishing attacks and train yourself to identify suspicious emails, messages, or websites.
Verify the Source: Before clicking on any links or sharing personal information, verify the sender’s identity. Be cautious even if an email or message appears to be from a familiar source.
Stay Cautious: Be wary of unsolicited emails, especially those requesting personal or financial information. Legitimate organizations rarely ask for sensitive data via email.
Think Before You Click: Avoid clicking on suspicious links or downloading attachments from unknown sources. Hover over links to see the actual URL before clicking.
Use Strong, Unique Passwords: Create strong passwords using a combination of letters, numbers, and symbols. Avoid using the same password for multiple accounts.
Enable Multi-Factor Authentication (MFA): Set up MFA for an extra layer of security by requiring a second form of verification, such as a code in an Authenticator app, in addition to your password. This makes it significantly harder for attackers to access your accounts. More information can be found on the MFA Guidance page.
Keep Software Updated: Regularly update your operating system and applications. Cybercriminals often exploit known vulnerabilities in outdated software. Use Apps Anywhere to make sure you are using the most up to date version of software with the latest security patches.
Report Suspicious Activity: If you receive an email or message that seems suspicious, report it to us. Your vigilance could help protect others from falling victim to the same attack.
Do Not Engage with Senders of suspected malicious emails: As tempting as it may be to let them know you think they are malicious, do not reply.
More information and advice can be found on the DTS Cyber Security pages.
When email mistakes happen - what should you do?
If you send an email or attachment in error to the wrong recipient, apologise to the unintended recipient and ask them to delete the email and attachments, including all copies held, and not to further share or disseminate them.
Any incident involving an unauthorised disclosure, loss or compromise of personal or sensitive data MUST be reported to IMPS in line with the Information Security Incident Response Policy and procedures. This must be done as soon as possible. IMPS will then contact you with further advice. Do not delay reporting incidents to the IMPS team. If you cannot complete the form in full do not delay reporting by email or phone - further details can be sent on later if needed.
What can you do to avoid them?
- Double check email recipients. Be wary of ‘auto filled’ names within your email account. Double check the field recipients are in is appropriate to the context – ‘cc’ or ‘bcc’?
- Double check attachments and hyperlinks - have you picked up the right one?
- If you work with template documents, work from a clean blank template each time - do not overwrite previous completed documents containing personal or sensitive information.
- Complete the three mandatory IMPS modules (Data Protection, Information Security and Freedom of Information). You are required to complete a short annual refresher course each year. If you are unsure whether you, or your direct reports, are up to date with training, you can check by accessing UoRLearn and selecting 'My Learning'. Any outstanding courses should display here. Check you have the filter selected for all statuses (completed, pending, in progress).
The annual refresher course is titled:
Information Protection and Security Annual Training
Line managers can view outstanding training for their reporting staff within their UoRLearn manager view by clicking ‘My Team’ on the menu in the top left corner of the screen.
In the event of an incident being reported you may be asked to retake the data protection course. If in doubt, please contact the IMPS department for advice.
What to do if you receive something in error
Let the sender know that you have received something in error, explaining in general terms what it is (for example: the attachment is wrong, or you are not the intended recipient). Let the sender know you have deleted and not further disseminated the email or attachment(s). If the sender is a member of staff, remind them to complete the information security incident form and submit it to IMPS immediately.
Retention of emails
Email can be a great tool for keeping track of your work communications. The creation of folders to organise your emails by subject or timeframe can really help with keeping organised. However, email does make it very easy to generate vast amounts of correspondence every year.
The University does not have an automated system for deleting emails. Responsibility for your email account sits with you. To ensure you are managing your emails effectively some things to consider are:
- purging deleted, sent and calendar items more regularly, and filing emails you intend to keep in a manner that you can easily review and purge at set intervals by, for example, date range, category, for action or for information.
- avoiding the use of personal email accounts for storing records, such as staff or student files, that have long retention periods. Consider whether the emails need to be retained and, if so, whether they should be added to a centrally managed or departmental storage location.
Access to other users' accounts
Any requests to access the personal account of another individual should be made using the 'Data Access Request' form located on the DTS Services Help and Support pages.
If a member of staff is due to leave the University, it will be the line manager's responsibility to ensure that all business-critical work is transferred, or emails redirected, prior to them leaving the organisation as part of the handover process. Please do not assume that access to a personal account will be given retrospectively after they have left.
For any enquiries, please contact imps@reading.ac.uk or 0118 378 8981.