
Emails – good practice and minimising the risk of a data breach

Changing the culture of email use within an organisation will not only help the organisation towards GDPR compliance and beyond, it will also save a significant amount of time by reducing staff workload and hopefully support staff wellbeing too.

Did you know that if you could reduce email use by 30 minutes per person, per day, this would equate to 97.5 hours saved per person in a 39 week school year? Imagine a school with 100 staff – now that’s 9,750 hours saved in people’s time.

Have you ever thought about how data can multiply via email and become difficult to manage and increase the risk of a data breach? For example, all school staff are sent an attachment and then staff download the attachment, saving it to their own electronic folder, or transferring to a subfolder, or even print. It now starts to become easier to visualise how that one attachment can multiply and be stored in multiple folders, by multiple people, and even printed and taken home. Not to mention the impact on time.

What can I do now to mitigate risk?

Identify and document how email is used in your school

Identify how email is used throughout the school and list all uses, for both teaching staff and business administration. Are bulletins sent as attachments? How is student information circulated internally and externally? What types of communication come into your school via email? What can be changed?

Exploiting your management information system (MIS) for student data

Is your MIS used to its full potential, i.e. enter once and use many times? This is one of the most secure and efficient ways of maintaining and communicating student data. Nearly all student data (excluding some safeguarding files) should be stored this way. Staff can then access all the data pertaining to a child without the need to send emails or paper files.

Think before sending the email 

  • Does it need to be sent? Does it contain personal data? Are emails encrypted? Is it an external request for data: is it required for lawful processing, and can it be encrypted? How is the request verified as genuine? Why is the request being made and the data being sent?
  • Try to avoid sending attachments; instead, save the document to an electronic filing system and give access via a link to the document. If using Office365, make use of the compliance manager.
  • Any emails you need to keep with a document should be ‘saved as’ to an electronic file location alongside the related document(s).
  • Avoid the use of ‘cc’ unless it is essential that people are copied in. Remember, if you are ‘cc’d into an email it is normally for information only, so you are not normally expected to reply.

Email disclaimer

  • Update the school’s email disclaimer to ensure it is UK GDPR compliant.

Encrypted email and secure document storage

If not already in place, investigate moving to encrypted email and secure document management systems.

Action Plan

  • Use the above to develop a data protection compliant communication action plan and then communicate this to all staff. The actions can be listed in a table, which will give you a good starting base for the work required.
  • Produce guides and procedures for staff.

A fully comprehensive guide to ‘good practice for managing email’ can be obtained on the website:
Information Management Toolkit for Schools (P17-20).