The Email Procedures (in the downloadable PDF below) need to be followed by all staff, including Visiting Lecturers and External Examiners. Students are also encouraged to email any highly restricted information as password protected attachments. This includes any information about their race, ethnic origin, health (including mental health), political or religious beliefs, trade union membership, passport number or sexual orientation, or scans of identification documents. The recommended method of password protecting attachments is available here: Encrypting and Decrypting files and folders using 7-Zip. If that does not work for the sender / recipient, then use this method.
The Email Procedures regarding Data Protection document sets out:
- What content is appropriate to be sent by email
- How to classify the content (ordinary, restricted or highly restricted information) – the Information Classification Table
- What security needs to be applied to the content
- When and how to password protect attachments
- How to manage passwords
- What checks need to be carried out before pressing ‘send’
- What to do if you send restricted or highly restricted information to the wrong person
N.B. Restricted information must be classified as highly restricted when it covers 30 or more individuals and is being emailed or transferred by an external hard-drive / USB etc.
Quick Glance Guide of How to Email…
Ordinary information. This is information which is unlikely to identify an individual, is in the public domain or would be unlikely to have a negative impact on the rights and interests of individuals or the interests of the University. This content can be in the body of an email containing the data subject’s name. No particular controls, other than common sense, apply to ordinary information. However, ordinary information should be treated as restricted or highly restricted when combined with information from either of those categories.
Restricted information. This is information which if disclosed to unauthorised recipients could have a negative impact on the rights and interests of individuals or the interests of the University and would likely be a data breach under the GDPR or a breach of commercial confidentiality. N.B. ‘Restricted information’ must be classified as ‘highly restricted’ when it covers 30 or more individuals and is being emailed or transferred by an external hard-drive / USB etc. Do not put the data subject’s name in the email subject line. It is up to your professional judgement, based on the context of the personal data in the email, whether you should use the methods described for ‘highly restricted information’. Please refer to the footnotes of the Information Classification Table and then ask your line manager / Data Protection Task Group member if you are unsure.
Highly restricted information. This applies to information which if disclosed to unauthorised recipients would be likely to result in serious damage to the rights and interests of individuals or the interests of the University and would very likely be a data breach under the GDPR or a breach of commercial confidentiality.
1. If the recipient can access this directly from MyNewman / iTrent / Moodle / S-drive folder etc. they must.
2. If the content is personal data, do not use the data subject’s name in the subject line.
3. If the content is personal data, you have two options:
   - If you choose to use the data subject’s name in the email, this content must be in a password protected attachment (with the password sent in a separate email).
   - If you choose to only use the data subject’s student ID / staff iTrent number, this information could be included in the body of an email.
4. Where the content relates to non-personal data (e.g. it is commercially sensitive) the information must be attached as a password protected document.