
GDPR Email Encryption


chatterton

Hi

My understanding of the GDPR is that any information that is shared has to be done so securely.  So what about emails.  We occasionally send queries to funding about children which may include their name and DOB - personal data.  So I believe we could only do this if we send it encrypted. Does anyone have any easy solutions to encrypting emails? We use a Google email account and so far I am struggling to understand how to encrypt. Can anyone offer any advice?

 

With thanks

Link to comment
Share on other sites

As far as I know Gmail encrypts emails between servers - I'm not sure if that would be classed as secure enough. Our LA has used Egress to send secure emails but I think it costs to send.

Also the last lot they sent no one could open so we got them in pdf format via email!!

Link to comment
Share on other sites

Thanks. Some of our LA also use egress but yes if we wanted to use it other than to reply we would have to pay £80 a year.  My understanding is the same about Google that it is encrypted during transit but like you I'm not sure it's enough.

Link to comment
Share on other sites

We use egress [LA account]  for sensitive info - and to be fair we only really send sensitive info to and from LA anyway.  We can send via Egress but only to the County/LA addresses free of charge.

If a parent chooses to email us things, I think that is their responsibility, and I would just read/print then delete.

Link to comment
Share on other sites

2 minutes ago, Mouseketeer said:

I have no idea where to start with encryption, And what about things that go awol in the post?

Good point - and this happens all the time with us as we have no post box.  Even the LA seem to forget this despite us forever reminding them. o.O

  • Like 1
Link to comment
Share on other sites

Your email will usually be encrypted during transit, meaning that if someone intercepts it while it is being sent from your computer, between email servers, or being delivered to the recipient, it will be secure. Once delivered to the recipient, it will be available to anyone with access to that email mailbox. It might be good to think about a few things before sending emails containing personal information, such as:

  • ensure you have the correct email address (it is very easy to accidentally send to the wrong person by, for example, typing hotmail.com rather than hotmail.co.uk)
  • make sure the recipient is expecting the email, will be available to receive it and that no-one else will have access to the email account at that time
  • confirm safe receipt with the recipient
  • rather than typing personal information into the email, put it into a document that you can password protect and attach to the email. Or you could upload your password protected document to a cloud service such as Google Drive, OneDrive or Dropbox, then provide a link to the document in your email. Of course, you will need to tell the recipient the password to access the file(s), which you should not do via email.

There are a number of solutions available for end-to-end encryption, ensuring that only the intended recipient can access emails that you send to them, but these do come at a cost. Many agencies that we work with will have something in place, such as the NHS, local education authorities and social services. So it is worth an assessment of what personal information you might want to send that won't already be captured by these and whether the steps above might be adequate before investing.

I hope that's helpful :-)

  • Like 4
  • Thanks 3
Link to comment
Share on other sites

Thanks for the info Tim, I use OneDrive and was trying to figure out if there’s a way to let staff access one file that has paperwork they might want to work on from home so it’s saved in OneDrive rather than on their own pc/laptop (or even better have a file each that only me and them can view) but I always worry that if I do that share thing I might be sharing my whole life history and they could see every file I have on OD :$

Email encryption - so am I right in thinking if another agency that sends me things now that I need a password to open if I send them something back they will need a password to open it without me having done anything? I think I need encryption for dummies

Edited by Mouseketeer
  • Like 1
  • Sad 1
Link to comment
Share on other sites

1 minute ago, louby loo said:

Thank you Tim.

Mousekeeper - where do I get a copy of Encryption for Dummies please?   I'm with you about the sharing :/  and if I'm honest I really haven't a clue what 'one drive' actually is :o

Urm - this?

  • Like 1
  • Haha 2
Link to comment
Share on other sites

11 minutes ago, louby loo said:

Thank you Tim.

Mousekeeper - where do I get a copy of Encryption for Dummies please?   I'm with you about the sharing :/  and if I'm honest I really haven't a clue what 'one drive' actually is :o

 

 

It’s a cloud type thingy like dropbox 🤔 

11 minutes ago, Rebecca said:

Urm - this?

🤣 will I understand it though? Instruction manuals are something to ‘go to’ when it’s already broke :-/ 

Link to comment
Share on other sites

14 hours ago, louby loo said:

......and I don't really understand dropbox either :/

It's funny how commonly I hear this. The best way I've found to explain dropbox & one drive is: Think of your files on your computer, dropbox and one drive is the same sorta thing as that but instead the files are on a big set of computers with secure methods of accessing the files to ensure that you only see what is yours. You are essentially putting all of your files with everyone else but only you can see yours and they can see theirs etc. Of course, that is hugely simplified and the systems are much more complicated. 

Personally I'd advise against storing any sensitive data 'in the cloud' (OneDrive, Dropbox, Google Drive, etc). Although the files are secure and only you can access them, if someone was to get your password through guessing, staff leaving knowing the password, phishing, etc you'd have all your files (the ones stored on OneDrive / Dropbox) being able to be accessed. If you'd like to use one of these cloud solutions then I highly suggest activating 2FA (2 factor authentication). You can find the relevant steps for Google Drive, Dropbox, OneDrive.

On 29/04/2018 at 18:24, chatterton said:

Hi

My understanding of the GDPR is that any information that is shared has to be done so securely.  So what about emails.  We occasionally send queries to funding about children which may include their name and DOB - personal data.  So I believe we could only do this if we send it encrypted. Does anyone have any easy solutions to encrypting emails? We use a Google email account and so far I am struggling to understand how to encrypt. Can anyone offer any advice?

With thanks

There are many ways of securing your data being sent over email; your best bet would be to zip up your files using 7Zip or WinRAR. This allows you to put a password on the .zip file you send, and most people can open zip files. If you then were to provide your LA with the password for the zip via other means then you'll have a relatively secure way of sending files.

As for actual text being sent via email: most email providers (Google, Outlook, etc) provide a basic layer of encryption during transit. Google have a great document explaining how the encryption works and how to check for it. Your LA SHOULD be following all of the standards in place for running an email server. You can use the Google guide to see if emails from your LA are encrypted. If you find they are not using the base layer of encryption then I'd suggest taking it up with them personally to see how they will go about resolving the issue.

I hope this helps :D, If anyone has any more questions then feel free to direct them towards me.

Edited by Sparklers17
  • Like 1
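The check described above (whether an email from the LA was encrypted in transit) can also be made from the message's `Received` headers. This is an added example, not part of the thread: the sample headers, hostnames and addresses are constructed, and `mx.google.com` is assumed as the hostname Gmail records when it accepts inbound mail.

```python
import re
from email import message_from_string

# Constructed sample: headers of a received message (Gmail: "Show original").
# Hostnames, IDs and addresses are made up for illustration.
SAMPLE = """\
Received: from mail.la.example.gov.uk (mail.la.example.gov.uk [192.0.2.10])
        by mx.google.com with ESMTPS id abc123
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Mon, 30 Apr 2018 09:15:02 -0700 (PDT)
Received: from desktop (unknown [10.0.0.5])
        by mail.la.example.gov.uk with ESMTP id xyz789;
        Mon, 30 Apr 2018 17:15:00 +0100
From: funding@la.example.gov.uk
To: nursery@example.com
Subject: Funding query
"""

# "with" keywords that mean the hop used TLS (RFC 3848, RFC 6531).
TLS_KEYWORDS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA", "UTF8SMTPS", "UTF8SMTPSA"}

def hop_report(raw_message):
    """Return one dict per Received header, newest hop first."""
    hops = []
    for header in message_from_string(raw_message).get_all("Received", []):
        text = " ".join(header.split())          # unfold continuation lines
        by = re.search(r"\bby\s+(\S+)", text)
        proto = re.search(r"\bwith\s+([A-Za-z0-9]+)", text)
        tls = re.search(r"\bversion=(TLS[\w.]+)", text)
        protocol = proto.group(1).upper() if proto else "UNKNOWN"
        hops.append({
            "by": by.group(1) if by else "unknown",
            "protocol": protocol,
            "tls_version": tls.group(1) if tls else None,
            "encrypted": protocol in TLS_KEYWORDS or tls is not None,
        })
    return hops

def inbound_hop_encrypted(raw_message, receiving_host="mx.google.com"):
    """TLS status of the hop where your provider accepted the message, or None
    if that hop is absent. Headers below it are claims made by earlier servers
    and cannot be verified from the message alone."""
    for hop in hop_report(raw_message):
        if hop["by"].lower() == receiving_host:
            return hop["encrypted"]
    return None

if __name__ == "__main__":
    for hop in hop_report(SAMPLE):
        print(hop)
    print("inbound hop encrypted:", inbound_hop_encrypted(SAMPLE))
```

A TLS hop only covers the message while it travels between servers; it says nothing about who can read it once it sits in the recipient's mailbox.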
Link to comment
Share on other sites

Hi Sparklers17, welcome to the forum.

I think the use of a cloud service (GoogleDrive, DropBox, OneDrive, etc.) is a matter for people to decide for themselves. Many small settings will have a single computer, with little backup and anti-virus protection, or computers that may be accessible to unauthorised people (e.g. in a pack-away setting), so using cloud storage may actually be a far more secure solution than storing files locally. Two factor authentication is good practice to help to further secure information.

For those trying desperately to understand, two factor authentication is using something else in addition to just a password to access your files. This may be something like biometric authentication (e.g. fingerprint or face recognition), or more simply a text to a mobile phone when you login with a code that can only be used once and expires after a short time - as the text is sent to a specific phone, even if someone finds out your password, they would also need access to your phone.

As for email, ZIP files do provide a good way to password protect a number of files in a batch, although most of the applications that people will be using (e.g. Word, Excel, Acrobat) also have the ability to password protect individual documents directly without the need to use an additional application. As I mentioned yesterday, consideration needs to be given as to how passwords are communicated to the recipient.

As far as encryption is concerned, whilst email should be encrypted during transit, it is normally unencrypted in the recipient's mailbox. It is therefore accessible to anyone with access to the computer where the email is received (a clear screen policy and always locking the computer when walking away is good practice). If a sender is using an additional method of encryption, you will normally be required to register and login to a third-party encrypted email system, so you will know about it. This system may also allow you to send encrypted emails back, but this will depend on the individual solution and configuration. You should not assume that because you have received an encrypted email from, for example, your LA, that anything you send back will also be encrypted.

Hopefully we are not getting too technical and helping to inform people to make their choices :-)

  • Like 2
Link to comment
Share on other sites

6 minutes ago, Tim said:

Hi Sparklers17, welcome to the forum.

I think the use of a cloud service (GoogleDrive, DropBox, OneDrive, etc.) is a matter for people to decide for themselves. Many small settings will have a single computer, with little backup and anti-virus protection, or computers that may be accessible to unauthorised people (e.g. in a pack-away setting), so using cloud storage may actually be a far more secure solution than storing files locally. Two factor authentication is good practice to help to further secure information.

For those trying desperately to understand, two factor authentication is using something else in addition to just a password to access your files. This may be something like biometric authentication (e.g. fingerprint or face recognition), or more simply a text to a mobile phone when you login with a code that can only be used once and expires after a short time - as the text is sent to a specific phone, even if someone finds out your password, they would also need access to your phone.

As for email, ZIP files do provide a good way to password protect a number of files in a batch, although most of the applications that people will be using (e.g. Word, Excel, Acrobat) also have the ability to password protect individual documents directly without the need to use an additional application. As I mentioned yesterday, consideration needs to be given as to how passwords are communicated to the recipient.

As far as encryption is concerned, whilst email should be encrypted during transit, it is normally unencrypted in the recipient's mailbox. It is therefore accessible to anyone with access to the computer where the email is received (a clear screen policy and always locking the computer when walking away is good practice). If a sender is using an additional method of encryption, you will normally be required to register and login to a third-party encrypted email system, so you will know about it. This system may also allow you to send encrypted emails back, but this will depend on the individual solution and configuration. You should not assume that because you have received an encrypted email from, for example, your LA, that anything you send back will also be encrypted.

Hopefully we are not getting too technical and helping to inform people to make their choices :-)

Thanks Tim, that's really clear!

Link to comment
Share on other sites

  • 2 weeks later...

We use Outlook for our email and I've just recently found out that if we add (encrypt) in the subject line before adding the subject it will encrypt the whole email.  The recipient has to sign in to view the email.  I'm not sure if that's been specifically set up for our account or it's generic.....but thought I'd share anyway.

  • Like 2
Link to comment
Share on other sites

On 14/05/2018 at 15:37, Mouseketeer said:

that sounds very sensible I doubt BT have anything that useful with their emails, I'll send myself something and try it :-)

edit - that will be a no then :-(

Ahhhhh that's a shame. :-(

  • Like 1
Link to comment
Share on other sites
