Using Email to Transmit Personal Data
Using email to transmit personal data
Main Points
- In order to comply with the Data Protection Act 1998 the Information Commissioner’s Office recommends that the sending of personal and confidential data byemail is secured by using a trusted network or by encrypting the data.
- The status of security of emails between establishments within Somerset has changed due to some schools using their own email service.
- All emails from Somerset LA employees are encrypted through ‘Egress’.
- Replies to emails from Somerset LA employees will have the same level of security placed on them as the original email.
- The EDUC email service is part of the Somerset CC Office 365 infrastructure and is seen as ‘trusted’ by the county network.
- Schools that use their own email service are not ‘trusted’ and will need to register to receive ‘egressed’ emails.
- Schools should consider a series of questions when replying to requests for personal data.
- There has been an increase in the work with outside agencies whose email service is unsecure. If schools send personal or confidential data to agencies outside of the Somerset trusted network, then they must protect the data through encryption.
Introduction
Schools (including Governors) in Somerset have traditionally been provisioned with an email service (educ.somerset.gov.uk) that has been maintained centrally and in conjunction with the Local Authority email service (somerset.gov.uk) provided a secure communication method for the transmission of personal data.
Because of changes in school technology and administrative environmentsmany schoolsnow use their own email services.
The Global Address List now includes email addresses that have not been created within a known safe environment and some of these addresses are therefore not known to be secure.
Personal and/ confidential data should only be emailed using a service that ensures encryption.
The current situation in Somerset
All Somerset LA employees (not schools) have been provided with a method of protecting emails using a service called Egress. As the EDUC email system is now seen as a ‘trusted’ service the use of Egress is hidden to those schools. This is a change from the original deployment when to receive an ‘egressed’ email EDUC user had to subscribe to the service.
Emails that are ‘egressed’ by Somerset LA users will appear to be normal emails to schools EDUC users. Those schools that do not use the EDUC system will have to register with Egress to receive the emails.
On the next page are a series of questions that could be used to heighten the security of the transmission of personal data.
Personal data is defined by the Information Commissioners Office as:
Personal data means data which relate to a living individual who can be identified.[1]
With a further definition of sensitive data which includes ethnicity, politics, religion, health, sexual life and criminal activity.
Questions to ask when considering sending personal data by email
1.Is it a legitimate request?
If someone asks for an item of personal data, the first question that you must consider is if it is a legitimate request. If you are not sure as to its legitimacy, ask someone else at your establishment for their opinion. If you are going to refuse a request (or are going to take some time to answer) then let the requester know of your decision.
2.Is the data requested already available or in the ‘public domain’?
The information that the requester has asked for might already be available. They could ask for a list of staff, emails and job titles and this could already be on the schools’ website. If this is the case, then provide the requester with the link to this information.
3.Are there other ways of providing access to the data from secure environments within the school?
Dangers exist in the transmission of the data. Many schools have MIS systems, remote access to secure file servers or use secure storage meaning people can be given access to data without the need for transmission. An example of this could be teachers having remote access to MIS packages or using a shared mark-book spreadsheet held in a secure area. If it is reasonable and practical to allow the requester access, then these should always be used in preference to the transmission of data. Schools must be aware that if the data is downloaded onto the user’s hard drive then there are potential Data Protection breaches for which the school is responsible.
4.Having considered the above and decided that email is a viable solution can you guarantee that the email address you are sending to is secure?
The levels of security within a single school or department email provision are inevitably of the correct level of encryption. The issue arises if the email address is outside that single email provision (domain) or is sent over the internet through a network that has unknown security.
If the request has been made through an ‘Egress’ email account, then replies will also be encrypted.
If you can guarantee that the school is on the Somerset trusted network and you are using an ‘educ’account, then sending personal data is secure.
5.Are there other ways of transmitting the data?
At the moment there are two recommended ways of transmitting personal data. The first is using a service that automatically encrypts the file, and then with the provision of security methods that allow the end user to access the data. The second is the recommend method from the DfE which includes ‘zipping’ the file, creating a password and then transmitting this.
Encryption Service
Schools could buy into a service that allows the encryption of their emails. Once deployed these place a button on say the Outlook client which eases the process of automating the encryption.
The LA adopted the service from Egress (
School to School
The DfE have issued guidance on how data should be sent from school to school.[2] Known as S2S this provides secure ways in which to transmit personal data.
Instructions on how to use this service are given here:
https://www.gov.uk/school-to-school-service-how-to-transfer-information
With details on how to encrypt files using winzip on page 7 of the pdf guide to be found here:
https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/360444/DfE_S2S_Guide_Schools.pdf
16/04/
[1]
[2]https://www.gov.uk/school-to-school-service-how-to-transfer-information