{"id":4019,"date":"2023-05-05T11:58:57","date_gmt":"2023-05-05T10:58:57","guid":{"rendered":"https:\/\/educationdatahub.org.uk\/?p=4019"},"modified":"2023-05-05T12:10:21","modified_gmt":"2023-05-05T11:10:21","slug":"email-related-data-breaches","status":"publish","type":"post","link":"https:\/\/educationdatahub.org.uk\/news\/email-related-data-breaches\/","title":{"rendered":"Email related data breaches in schools: why realising the mistake after pressing send is so common"},"content":{"rendered":"
How many times have you sent an email to someone referring to an attached document, pressed send and seconds later realised you forgot to attach the document itself? It\u2019s a painful and common occurrence.<\/p>\n
In schools, like all other industry sectors, emails have become a non-negotiable business tool, critical to the efficient functioning of business. \u00a0It is second nature to use the convenience of email messaging to communicate with all key stakeholders and providers of services to the school, particularly parents and carers, local authorities and external support services.\u00a0 However, the ease and speed of these tools also contribute not only to many emails being sent without attachments but also to some of the most significant causes of personal data breaches. The last ICO Annual Report<\/a> reflects our clients\u2019 experiences; of the 9,500 data breaches reported to the Information Commissioner in 2021\/22, a massive 16.87% were due to data being emailed to the incorrect recipient.<\/p>\n Email data breaches that are reported to us as Data Protection Officer typically stem from human error and consist of:<\/p>\n Many of those that report email-related data breaches tell us that the second after they had pressed the \u2018send\u2019 button they had realised their mistake! This can cause distress and anxiety not just for the affected data subjects, but also the staff member responsible for the error.<\/p>\n Considering how to prevent a re-occurrence is a really important part of responding to data breaches and near-misses. However, saying \u201ctry harder not to make a mistake\u201d isn\u2019t particularly constructive or effective. So, what advice and action can really make a difference when it comes to email-related data breaches in schools?<\/p>\n Thinking fast vs thinking slow<\/strong><\/p>\n Psychologists such as Daniel Kahneman<\/a> and neuroscientists such as David Badre<\/a> explain the complexity of our brains and how we operate in two thinking modes; one \u2018fast\u2019 and one \u2018slow\u2019.\u00a0 When our brain thinks fast it is automatic, often reacting to a situation or deadline. 
This is crucial for our cognitive function, helping to keep us safe and to preserve our energy for tasks where more cognitive control is needed. If you\u2019ve ever driven to a destination and wondered how you got there, your thinking fast brain was in charge during the journey!<\/p>\n We also use this thinking fast ability in work, for example, when we send an email quickly. When there are dozens of emails to work through each hour, with many tasks that seem routine, it is understandable to feel pressure to work quickly. During this time, our thinking slow part of the brain is inactive. It is this part of the brain that wakes up the second that email has been sent, and tells us we have forgotten that attachment, or sent the email using CC not BCC.<\/p>\n So, we need to take a minute to let our slower thought process take over and allow time to think in a more considered way. Even the knowledge that you need to check in with the \u2018thinking slow\u2019 part of your brain before hitting the send button can prevent a data breach. Setting a \u2018delay send\u2019 feature on your outbound emails can really help; here\u2019s how to do it in Office 365<\/a> and Google<\/a>. The option of recalling an email can also be used with some systems; however, it is not a reliable tool to remove email from the recipient\u2019s inbox; once an email has left your own outbox there are limits to how it can be managed. 
There are commercial vendors offering email management systems, which either add extensions to existing email systems or offer complete email management systems using algorithms which can help to flag and stop potential errors, and for larger organisations, it can be a cost-effective way to reduce risk.<\/p>\n <\/strong><\/p>\n Stop \u2013 Think \u2013 Check<\/strong><\/p>\n There are some additional simple measures that can be put in place to prevent a significant proportion of data breaches:<\/p>\n Action: \u00a0<\/strong>Double check the recipient\u2019s full email address is correct before sending, including the exact spelling of their name. Turn off and don\u2019t rely on autofill if it is enabled.\u00a0 Here\u2019s how to do that in Office 365<\/a> and Google<\/a>.<\/p>\n Action: \u00a0<\/strong>Where possible, use the school\u2019s communication platform (e.g. ParentPay, Weduc, ClassCharts etc) to send messages rather than messaging through a school email account.\u00a0 If you are unable to use the school communication platform, ensure you double check \u2018bcc\u2019 is selected when it is not appropriate to share recipients\u2019 email addresses with other recipients.<\/p>\n Action:<\/strong>\u00a0 Include extra security measures by adding a password to the document – remember to send the password separately (via a different means if possible).\u00a0 Consider sharing documents using tools such as SharePoint or Google Drive instead of attaching them, as extra security controls can be put in place, e.g. 
specifying the amount of time the recipient can view the document or removing access if a document is shared in error.<\/p>\n Reminders: other areas of good practice for email communications:<\/strong><\/p>\n Finally, we are all human, mistakes do happen and when they do, your DPO should be there to help mitigate and learn from data breaches.\u00a0 It is the steps taken to reduce the risk, and actions to prevent reoccurrences in the future, that show you take the security of the data you hold seriously.\u00a0 Continue to reinforce a positive culture of data protection compliance in your school – reporting your data breaches and near misses to your DPO is an important part of that culture.<\/p>\n Author: Jacqui Wheatcroft. <\/strong><\/p>\n How many times have you sent an email to someone referring to an attached document, pressed send and seconds later realised you forgot to attach the document itself? It\u2019s a painful and common occurrence. In schools, like all other industry sectors, emails have become a non-negotiable business tool, critical to efficient functioning of business. 
\u00a0It […]<\/p>\n","protected":false},"author":6,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[20,50,19],"_links":{"self":[{"href":"https:\/\/educationdatahub.org.uk\/wp-json\/wp\/v2\/posts\/4019"}],"collection":[{"href":"https:\/\/educationdatahub.org.uk\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/educationdatahub.org.uk\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/educationdatahub.org.uk\/wp-json\/wp\/v2\/users\/6"}],"replies":[{"embeddable":true,"href":"https:\/\/educationdatahub.org.uk\/wp-json\/wp\/v2\/comments?post=4019"}],"version-history":[{"count":5,"href":"https:\/\/educationdatahub.org.uk\/wp-json\/wp\/v2\/posts\/4019\/revisions"}],"predecessor-version":[{"id":4061,"href":"https:\/\/educationdatahub.org.uk\/wp-json\/wp\/v2\/posts\/4019\/revisions\/4061"}],"wp:attachment":[{"href":"https:\/\/educationdatahub.org.uk\/wp-json\/wp\/v2\/media?parent=4019"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/educationdatahub.org.uk\/wp-json\/wp\/v2\/categories?post=4019"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/educationdatahub.org.uk\/wp-json\/wp\/v2\/tags?post=4019"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}\n
\n
\n
\n
\n
<\/h4>\n","protected":false},"excerpt":{"rendered":"