Data breaches – Reminder on good email practice

The Council’s Corporate Leadership Team recently considered a report on data breaches or near misses across the organisation. 

We all have responsibilities to ensure the security of the data we hold and therefore I felt it appropriate to share some details of this report and some important reminders about how we can all keep our data safe, particularly in regards to data being sent by email.

Whenever a data breach is reported we carry out an assessment on whether the breach is serious enough to warrant a referral to the Information Commissioners Office – but generally if the breach is reported quickly and steps taken to minimize the harm this will not be necessary.

In general most data breaches have not been due to malicious intent, rather they have been down to simple – albeit avoidable – mistakes.

The majority of the incidents were due to emails being incorrectly addressed and therefore going to the wrong person.  The root causes of this are being addressed through our Data Protection Essentials training – but in the meantime we would offer the following advice

1. Before you press send double or even triple check the email addresses you are sending the email to, including in the CC and BC sections, and be careful if using auto-complete, as it can be easy to send emails to the wrong person with a similar name.
2. If you are sending confidential information to an email for the first time then consider sending an initial email checking that the email address is correct.
3. If forwarding an email, ensure that the information included in that email – including further down in the email chain – is suitable for all those who are now receiving the email.
4. Double check attachments before you send them to ensure you are attaching the right one.

We’ve also had instances of paper copies of information being shared with the wrong people.  If you’re sending information through the post please ensure that you’ve not accidentally included anything you shouldn’t have - for example, ensure you have not picked additional sheets up from the printer or photocopier – and double check to ensure that the information in the envelope matches with the address on the front.

If you suspect you’ve accidentally sent confidential information to the wrong person you should try to recall the message through Outlook, or if the recipient has already opened it then send them an email requesting they delete the previous message.  Then let the Information Governance Officer know so that they are aware of any potential data breach

Further support and advice is available by contacting Paul Kesterton, Information Governance Officer on ext. 2241.  You should also ensure that you – and any staff for whom you have line management responsibilities – have completed the relevant iLearn training course on Data Protection.