Using email to transmit personal data


Main Points

By law, schools must ensure that personal and confidential data sent by email is secure, either by using a trusted network or by encrypting the data.

The status of security of emails between establishments within Somerset has changed due to some schools using their own email service.

All emails from Somerset LA employees are encrypted through ‘Egress’.

Replies to emails from Somerset LA employees will have the same level of security placed on them as the original email.

The EDUC email service is seen as ‘trusted’ by the county network. This is a change from the original deployment of Egress.

Schools that use their own email service are not ‘trusted’ and will need to register to receive ‘egressed’ emails.

Schools should consider a series of questions when replying to requests for personal data.

If schools send personal or confidential data to agencies outside of the Somerset trusted network, then they must protect the data through encryption. This includes emails sent to Governors' personal email boxes.

Introduction

Schools (including Governors) in Somerset have traditionally been provisioned with an email service (educ.somerset.gov.uk) that has been maintained centrally and that, in conjunction with the Local Authority email service (somerset.gov.uk), provided a secure communication method for the transmission of personal data.

Because of changes in school technology and administrative environments, many schools now use their own email services.

The default position is now that sending personal data through email, even from Somerset ‘EDUC’ accounts to other accounts, can no longer be guaranteed to have the necessary security for the transfer of personal or confidential data.

The Global Address List now includes email addresses that have not been created within a known safe environment and these addresses are therefore not known to be secure.

Personal and/or confidential data should only be emailed using a service that ensures encryption and/or password security.

13/04/2020 1 igover@somerset.gov.uk


The current situation in Somerset (November 2015)

All Somerset LA employees (not schools) have been provided with a method of protecting emails using a service called Egress. As the EDUC email system is now seen as a ‘trusted’ service, the use of Egress is hidden to schools. This is a change from the original deployment, when EDUC users had to subscribe to the service to receive an ‘egressed’ email.

At this point in time, emails that are ‘egressed’ by Somerset LA users will appear to be normal emails to schools' EDUC users. Those schools that do not use the EDUC system will have to register with Egress to receive the emails.

Because the original deployment led people to register an account, some are still using this facility, including the ‘free’ credits that enable them to send a limited number of encrypted emails.

On the next page are a series of questions that could be used to heighten the security of the transmission of personal data.

The Information Commissioner's Office defines personal data as:

Personal data means data which relate to a living individual who can be identified. [1]

There is a further definition of sensitive data, which includes ethnicity, politics, religion, health, sexual life and criminal activity.

[1] http://ico.org.uk/for_organisations/data_protection/the_guide/key_definitions#personal-data


Questions to ask when considering sending personal data by email

1. Is it a legitimate request?

If someone asks for an item of personal data, the first question that you must consider is whether it is a legitimate request. If you are not sure as to its legitimacy, ask someone else at your establishment for their opinion. If you are going to refuse a request (or are going to take some time to answer) then let the requester know of your decision. Many requests will fall under the Subject Access Request or Freedom of Information procedures of the school.

2. Is the data requested already available or in the ‘public domain’?

The information that the requester has asked for might already be available.

They could ask for a list of staff, emails and job titles, and this could already be on the school's website. If this is the case then provide the requester with the link to this information.

3. Are there other ways of providing access to the data from secure environments within the school?

Dangers exist in the transmission of the data. Many schools have MIS systems, remote access to secure file servers or use secure storage such as the Somerset Learning Platform, meaning people can be given access to data without the need for transmission. An example of this could be teachers having remote access to MIS packages or using a shared markbook spreadsheet held in a secure area.

If it is reasonable and practical to allow the requester access then these should always be used in preference to the transmission of data. Schools must be aware that if the data is downloaded onto the user's hard drive then there are potential Data Protection breaches for which the school is responsible.

4. Having considered the above and decided that email is a viable solution, can you guarantee that the email address you are sending to is secure?

Within a single email provision, the levels of security are inevitably at the correct level of encryption. The issue arises if the email address is outside that single email provision (domain) or if the email is sent over the internet through a network that has unknown security.

If the request has been made through an ‘egress’ email account then replies will also be encrypted.

If you can guarantee that the school is on the Somerset trusted network and you are using an ‘educ’ account, then sending personal data is secure.


5. Are there other ways of transmitting the data?

At the moment there are two recommended ways of transmitting personal data. The first is to use a service that automatically encrypts the file and provides security methods that allow the end user to access the data. The second is the method recommended by the DfE, which includes ‘zipping’ the file, creating a password and then transmitting this.

Encryption Service

Schools could buy into a service that allows the encryption of their emails. Once deployed, these services place a button on, say, the Outlook client, which eases the process of automating the encryption.

The LA adopted the service from Egress ( http://www.egress.com/ ).

School to School

The DfE have issued guidance on how data should be sent from school to school. [2] Known as S2S, this provides secure ways in which to transmit personal data.

Instructions on how to use this service are given here: https://www.gov.uk/school-to-school-service-how-to-transfer-information

Details on how to encrypt files using WinZip are on page 7 of the PDF guide, to be found here: https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/360444/DfE_S2S_Guide_Schools.pdf

[2] https://www.gov.uk/school-to-school-service-how-to-transfer-information
