Email-related data breaches in schools: why realising the mistake after pressing send is so common
How many times have you sent an email to someone referring to an attached document, pressed send and seconds later realised you forgot to attach the document itself? It’s a painful and common occurrence.
In schools, as in every other sector, email has become a non-negotiable business tool, critical to the efficient functioning of the organisation. It is second nature to use the convenience of email to communicate with all key stakeholders and providers of services to the school, particularly parents and carers, local authorities and external support services. However, the ease and speed of these tools contribute not only to many emails being sent without their attachments but also to some of the most significant causes of personal data breaches. The last ICO Annual Report reflects our clients’ experiences: of the 9,500 data breaches reported to the Information Commissioner in 2021/22, a massive 16.87% were due to data being emailed to the incorrect recipient.
Email data breaches that are reported to us as Data Protection Officer typically stem from human error and consist of:
- emails sent to the wrong person
- multiple recipients included in the ‘to’ or ‘cc’ box instead of ‘bcc’
- incorrect documents attached with sensitive information relating to another individual.
Many of those who report email-related data breaches tell us that they realised their mistake the second after they had pressed the ‘send’ button! This can cause distress and anxiety not just for the affected data subjects, but also for the staff member responsible for the error.
Considering how to prevent a recurrence is a really important part of responding to data breaches and near misses. However, saying “try harder not to make a mistake” isn’t particularly constructive or effective. So, what advice and action can really make a difference when it comes to email-related data breaches in schools?
Thinking fast vs thinking slow
Psychologists such as Daniel Kahneman and neuroscientists such as David Badre explain the complexity of our brains and how we operate in two thinking modes: one ‘fast’ and one ‘slow’. When our brain thinks fast it is automatic, often reacting to a situation or deadline. This is crucial for our cognitive function, helping to keep us safe and to preserve our energy for tasks where more cognitive control is needed. If you’ve ever driven to a destination and wondered how you got there, your thinking-fast brain was in charge during the journey!
We also use this thinking-fast ability at work, for example when we send an email quickly. When there are dozens of emails to work through each hour, many of them routine, it is understandable to feel pressure to work quickly. During this time, the thinking-slow part of the brain is inactive. It is this part of the brain that wakes up the second the email has been sent and tells us we have forgotten that attachment, or sent the email using CC rather than BCC.
So, we need to take a minute to let our slower thought process take over and allow time to think in a more considered way. Even the knowledge that you need to check in with the ‘thinking slow’ part of your brain before hitting the send button can prevent a data breach. Setting a ‘delay send’ feature on your outbound emails can really help; here’s how to do it in Office 365 and Google. The option of recalling an email is also available in some systems, but it is not a reliable way to remove an email from the recipient’s inbox: once an email has left your own outbox there are limits to how it can be managed. There are commercial vendors offering email management systems, which either add extensions to existing email systems or offer complete email management systems using algorithms that can help to flag and stop potential errors; for larger organisations, this can be a cost-effective way to reduce risk.
Stop – Think – Check
There are some additional simple measures that can be put in place to prevent a significant proportion of data breaches:
- Sending an email to the wrong recipient – this frequently happens if there are multiple people in your address book with the same or similar name, or when autofill predicts who you want to email.
Action: Double check the recipient’s full email address is correct before sending, including the exact spelling of their name. Turn off and don’t rely on autofill if it is enabled. Here’s how to do that in Office 365 and Google.
- Sending to multiple recipients as ‘cc’ not ‘bcc’ – sending a message as a ‘carbon copy’ rather than ‘blind copy’ is a common but potentially serious mistake, resulting in the personal email addresses of multiple recipients being exposed.
Action: Where possible, use the school’s communication platform (e.g. ParentPay, Weduc, ClassCharts) to send messages rather than messaging through a school email account. If you are unable to use the school communication platform, double check that ‘bcc’ is selected whenever it is not appropriate to share recipients’ email addresses with the other recipients.
- Attaching documents – often sensitive documents are attached to an email in error, and a serious data breach can occur if the wrong person receives sensitive data as a result.
Action: Include extra security measures by adding a password to the document, and remember to send the password separately (via a different channel if possible). Consider sharing documents using tools such as SharePoint or Google Drive instead of attaching them, as extra security controls can then be put in place, e.g. limiting how long the recipient can view the document, or removing access if a document has been shared in error.
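The three checks above can be automated as a pre-send gate that inspects an outbound message before it leaves. The following is an added example written for this article, not a tool the school or any vendor ships; the address book, the internal domain and the sample message are constructed, and the thresholds are illustrative assumptions.

```python
import difflib
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed address book and domain for the example (hypothetical).
ADDRESS_BOOK = {
    "j.smith@example-school.test",
    "jo.smith@example-school.test",
    "senco@example-school.test",
}
INTERNAL_DOMAIN = "example-school.test"
BCC_THRESHOLD = 3  # assumption: more visible external recipients than this is a mailshot


def presend_checks(msg, address_book=ADDRESS_BOOK, internal_domain=INTERNAL_DOMAIN):
    """Return a list of (code, detail) findings; an empty list means nothing was flagged."""
    findings = []
    visible = [addr for _, addr in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))]
    # 1. Several external addresses in To/Cc expose every recipient's address: use Bcc.
    external = [a for a in visible if not a.lower().endswith("@" + internal_domain)]
    if len(external) > BCC_THRESHOLD:
        findings.append(("cc_exposure", f"{len(external)} external addresses visible in To/Cc"))
    # 2. Unknown recipient that closely resembles a known contact (autofill / similar names).
    for addr in visible:
        if addr not in address_book:
            close = difflib.get_close_matches(addr, address_book, n=1, cutoff=0.8)
            if close:
                findings.append(("possible_wrong_recipient", f"{addr} resembles {close[0]}"))
    # 3. Body refers to an attachment but none is present.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body else ""
    has_attachment = any(part.get_filename() for part in msg.iter_attachments())
    if "attach" in text and not has_attachment:
        findings.append(("missing_attachment", "body mentions an attachment but none is attached"))
    return findings


def build_sample():
    """Constructed outbound message that trips all three checks."""
    msg = EmailMessage()
    msg["From"] = "office@example-school.test"
    msg["To"] = "j.smtih@example-school.test"  # typo of a real colleague's address
    msg["Cc"] = ", ".join(f"carer0{i}@homemail.test" for i in range(1, 6))
    msg["Subject"] = "Trip consent form"
    msg.set_content("Please find the consent form attached.")
    return msg


if __name__ == "__main__":
    for code, detail in presend_checks(build_sample()):
        print(f"{code}: {detail}")
```

A real deployment would hook this into the mail client or gateway so the finding is shown before the message is sent; the point is that each finding maps to one of the error types listed above.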
Reminders: other areas of good practice for email communications:
- Post box – inbox: Avoid using your inbox as a filing cabinet – treat it as a post box for information. Delete messages as per school policy or save in an appropriate digital system if retention is needed.
- Stop the email chain: Avoid ‘reply all’ if this is not needed and do not forward email chains unless you’ve checked the whole chain and it is necessary to share it.
- Email etiquette: Always be professional when communicating with colleagues, parents/carers and other stakeholders – you are a representative of your school. Remember, school emails are not private and can be requested as part of a Subject Access or Freedom of Information request. Never use personal emails to communicate school related matters.
- Email security: Ensure access cannot be gained to your account – be aware of your own email security, use strong passwords and multi-factor authentication and be aware of phishing emails inviting you to click on links. Email security breaches remain a high threat to all industry sectors.
Finally, we are all human, mistakes do happen and when they do, your DPO should be there to help mitigate and learn from data breaches. It is the steps taken to reduce the risk, and the actions taken to prevent recurrences in the future, that show you take the security of the data you hold seriously. Continue to reinforce a positive culture of data protection compliance in your school; reporting your data breaches and near misses to your DPO is an important part of that culture.
Author: Jacqui Wheatcroft.