Another common method of sharing information is by email. By necessity the TO, FROM, DATE and SUBJECT fields of an email are transmitted in plain text and may be accessed by any unintended recipient or third-party who intercepts the communication. Without additional encryption methods in place the email body and any attachments will also be accessible to any unintended recipient or third-party who intercepts the communication.
A common type of personal data disclosure occurs when an email is sent to an incorrect recipient. Data controllers should be aware that encryption will only provide protection to personal data send by email if the incorrect recipient does not have the means to decrypt the data (eg does not have the decryption key).
Personal data can also be at risk if an individual gains unauthorised access to the email server or online account storing emails which have been read or waiting to be read. The choice of password securing the server or email account is similarly important when considering the security requirements of the email system.
Some types of encrypted email solutions can be complex to set up and require the sender and recipient to have compatible systems for the encryption and decryption process. This can cause problems when a data controller intends to send encrypted email between organisations, to members of the public, or to anyone who has not previously been contacted.
Other systems are available which rely on the sender uploading encrypted data to a web application and using ordinary email to notify the recipient that a message is available (See ‘Sharing information online’ below).
There are efforts to design and implement a secure email protocol however there is still currently no universally-adopted method for sending email securely.
Some sectors have developed their own secure email systems, such as CJSM for criminal justice practitioners and NHSmail for sharing patient data. These solutions may be available to organisations working in these sectors and as a result should be used where possible, for as long as they continue to be supported. It is however important to recognise any residual risks with such systems and have appropriate policies in place to ensure correct usage. For example, systems may permit communication with external addresses in an unsecure and unencrypted manner. Sending a communication to the incorrect recipient may still remain a possibility.
Surrey County Council was served with a civil monetary penalty of £120,000 after three data breaches that involved misdirected emails:
- a member of staff emailed a file containing the sensitive personal data of 241 individuals to the wrong email address. As the file was neither encrypted nor password protected, every recipient of the email could access the data. Subsequently, the Council was unable to confirm whether the recipients had destroyed the data or not;
- personal data was emailed to over 100 recipients on the Council’s newsletter mailing list; and
- the children’s services department sent sensitive personal data to an incorrect internal group address.
North Somerset Council was served with a civil monetary penalty of £60,000 after five emails, two of which contained details of a child’s serious case review, were sent to the wrong NHS employee.
A council employee selected the wrong email address during the creation of a personal distribution list. The data itself was not encrypted, and thus was able to be viewed by the unintended recipient.
Following the receipt of the data, the council employee was informed of the error by the recipient, yet the information was emailed to this individual on several further occasions. After an internal investigation the recipient confirmed the emails had been destroyed.
The ICO also found that the Council had not delivered appropriate data protection training to relevant staff, and recommended that the Council adopt a more secure means of sending information electronically such as using encryption.