Email data breaches that are reported to us as Data Protection Officer typically stem from human error and consist of:<\/p>\n
- \n
- emails sent to the wrong person<\/li>\n
- multiple recipients included in the \u2018to\u2019 or \u2018cc\u2019 box instead of \u2018bcc\u2019<\/li>\n
- incorrect documents attached with sensitive information relating to another individual.<\/li>\n<\/ul>\n
Many of those that report email-related data breaches tell us that the second after they had pressed the \u2018send\u2019 button they had realised their mistake! This can cause distress and anxiety not just for the affected data subjects, but also the staff member responsible for the error.<\/p>\n
Considering how to prevent a re-occurrence is a really important part of responding to data breaches and near-misses. However, saying \u201ctry harder not to make a mistake\u201d isn\u2019t particularly constructive or effective. So, what advice and action can really make a difference when it comes to email-related data breaches in schools?<\/p>\n
Thinking fast vs thinking slow<\/strong><\/p>\n
Psychologists such as Daniel Kaherman<\/a> and neuroscientists such as David Badre<\/a> explain the complexity of our brains and how we operate in two thinking modes; one \u2018fast\u2019 and one \u2018slow\u2019.\u00a0 When our brain thinks fast it is automatic, often reacting to a situation or deadline. This is crucial for our cognitive function, helping to keep us safe and to preserve our energy for tasks where more cognitive control is needed. If you\u2019ve ever driven to a destination and wondered how you got there, your thinking fast brain was in charge during the journey!<\/p>\n
We also use this thinking fast ability in work, for example, when we send an email quickly. When there are dozens of emails to work through each hour, with many tasks that seem routine, it is understandable to feel pressure to work quickly. During this time, our thinking slow part of the brain is inactive. It is this part of the brain that wakes up the second that email has been sent, and tells us we have forgotten that attachment, or sent the email using CC not BCC.<\/p>\n
So, we need to take a minute to let our slower thought process take over and allow time to think in a more considered way. Even the knowledge that you need to check in with the \u2018thinking slow\u2019 part of your brain before hitting the send button can prevent a data breach. Setting a \u2018delay send\u2019 feature on your outbound emails can really help; here\u2019s how to do it in Office 365<\/a> and Google<\/a>. The option of recalling an email can also be used with some systems, however it is not a reliable tool to remove email from the recipient\u2019s inbox- once an email has left your own outbox there are limits to how it can be managed. There are commercial vendors offering email management systems, which either add extensions to existing email systems or offer complete email management systems using algorithms which can help to flag and stop potential errors, and for larger organisations, it can be a cost-effective way to reduce risk.<\/p>\n
![\"\"](\"https:\/\/educationdatahub.org.uk\/wp-content\/uploads\/check-emails-424x600.png\" "\\"\\"")
<\/strong><\/p>\nStop \u2013 Think \u2013 Chec<\/strong>k<\/strong><\/p>\n
There are some additional simple measures that can put in place to prevent a significant proportion of data breaches:<\/p>\n
- \n
- Sending an email to the wrong recipient \u2013 <\/strong>this frequently happens if there are multiple people in your address book with the same or similar name, or when autofill predicts who you\u00a0want to email.<\/li>\n<\/ul>\n
Action: \u00a0<\/strong>Double check the recipient\u2019s full email address is correct before sending, including the exact spelling of their name. Turn off and don\u2019t rely on autofill if it is enabled.\u00a0 Here\u2019s how to do that in Office 365<\/a> and Google<\/a>.<\/p>\n
- \n
- Sending to multiple recipients as \u2018cc\u2019 not \u2018bcc\u2019 \u2013 <\/strong>sending a message as a \u2018carbon copy\u2019 rather than \u2018blind copy\u2019 is a common but potentially serious mistake, resulting in the personal email addresses of multiple recipients being exposed.<\/li>\n<\/ul>\n
Action: \u00a0<\/strong>Where possible, use the school\u2019s communication platform (i.e. ParentPay, Weduc, ClassCharts etc) to send messages rather than messaging through a school email account.\u00a0 If you are unable to use the school communication platform, ensure you double check \u2018bcc\u2019 is selected when it is not appropriate to share recipients email addresses with other recipients.<\/p>\n
- \n
- Attaching documents \u2013 <\/strong>often sensitive documents are attached to an email in error, and a serious data breach can occur if the wrong person receives sensitive data as a result.<\/li>\n<\/ul>\n
Action:<\/strong>\u00a0 Include extra security measures by adding a password to the document – remember to send the password separately (via a different means if possible).\u00a0 Consider sharing documents using tools such as SharePoint or Google Drive instead of an attaching them, as extra security controls can be put in place, i.e. specifying the amount of time the recipient can view the document or removing access if a document is shared in error.<\/p>\n
Reminders: other areas of good practice for email communications:<\/strong><\/p>\n
- \n
- Post box – inbox: <\/strong>Avoid using your inbox as a filing cabinet – treat it as a post box for information. Delete messages as per school policy or save in an appropriate digital system if retention is needed.<\/li>\n
- Stop the email chain: <\/strong>Avoid \u2018reply all\u2019 if this is not needed and do not forward email chains unless you\u2019ve checked the whole chain and it is necessary to share it.<\/li>\n
- Email etiquette: <\/strong>Always be professional when communicating with colleagues, parents\/carers and other stakeholders – you are a representative of your school. Remember, school emails are not private and can be requested as part of a Subject Access or Freedom of Information request. \u00a0\u00a0Never use personal emails to communicate school related matters.<\/li>\n
- Email security: <\/strong>Ensure access cannot be gained to your account \u2013 be aware of your own email security, use strong passwords and multi-factor authentication and be aware of phishing emails inviting you to click on links. Email security breaches remain a high threat to all industry sectors.<\/li>\n<\/ul>\n
Finally, we are all human, mistakes do happen and when they do, your DPO should be there to help mitigate and learn from data breaches.\u00a0 It is the steps taken to reduce the risk, and actions to prevent reoccurrences in the future, that show you take the security of the data you hold seriously.\u00a0 Continue to reinforce a positive culture of data protection compliance in your school – report your data breaches and near misses to your DPO is an important part of that culture.<\/p>\n
Author: Jacqui Wheatcroft. <\/strong><\/p>\n
<\/h4>\n","protected":false},"excerpt":{"rendered":"
How many times have you sent an email to someone referring to an attached document, pressed send and seconds later realised you forgot to attach the document itself? It\u2019s a painful and common occurrence. In schools, like all other industry sectors, emails have become a non-negotiable business tool, critical to efficient functioning of business. \u00a0It […]<\/p>\n","protected":false},"author":6,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[20,50,19],"_links":{"self":[{"href":"https:\/\/educationdatahub.org.uk\/wp-json\/wp\/v2\/posts\/4019"}],"collection":[{"href":"https:\/\/educationdatahub.org.uk\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/educationdatahub.org.uk\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/educationdatahub.org.uk\/wp-json\/wp\/v2\/users\/6"}],"replies":[{"embeddable":true,"href":"https:\/\/educationdatahub.org.uk\/wp-json\/wp\/v2\/comments?post=4019"}],"version-history":[{"count":5,"href":"https:\/\/educationdatahub.org.uk\/wp-json\/wp\/v2\/posts\/4019\/revisions"}],"predecessor-version":[{"id":4061,"href":"https:\/\/educationdatahub.org.uk\/wp-json\/wp\/v2\/posts\/4019\/revisions\/4061"}],"wp:attachment":[{"href":"https:\/\/educationdatahub.org.uk\/wp-json\/wp\/v2\/media?parent=4019"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/educationdatahub.org.uk\/wp-json\/wp\/v2\/categories?post=4019"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/educationdatahub.org.uk\/wp-json\/wp\/v2\/tags?post=4019"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
- Stop the email chain: <\/strong>Avoid \u2018reply all\u2019 if this is not needed and do not forward email chains unless you\u2019ve checked the whole chain and it is necessary to share it.<\/li>\n
- Post box – inbox: <\/strong>Avoid using your inbox as a filing cabinet – treat it as a post box for information. Delete messages as per school policy or save in an appropriate digital system if retention is needed.<\/li>\n
- Attaching documents \u2013 <\/strong>often sensitive documents are attached to an email in error, and a serious data breach can occur if the wrong person receives sensitive data as a result.<\/li>\n<\/ul>\n
- Sending to multiple recipients as \u2018cc\u2019 not \u2018bcc\u2019 \u2013 <\/strong>sending a message as a \u2018carbon copy\u2019 rather than \u2018blind copy\u2019 is a common but potentially serious mistake, resulting in the personal email addresses of multiple recipients being exposed.<\/li>\n<\/ul>\n
- Sending an email to the wrong recipient \u2013 <\/strong>this frequently happens if there are multiple people in your address book with the same or similar name, or when autofill predicts who you\u00a0want to email.<\/li>\n<\/ul>\n