
Sending personal and sensitive data via email

NAI
forum member

Unclaimed Benefits Campaign, Middlesbrough CAB


Total Posts: 131

Joined: 12 January 2015

I would like to know what other advisers think about the use of email as a medium for personal and sensitive data.

My experience is that government departments appear to be indifferent to security requirements arising from GDPR and, practically, regarding the administrative processes involved and data volumes. Guidance from the ICO indicates that encryption is preferable. Citizens Advice nationally recommends that sensitive data in email be in an encrypted attachment and that the password is communicated to the recipient by another means (than email).

See:

https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/encryption/whats-new-under-the-gdpr/

https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/security/encryption/

DWP & HMRC

We have raised the issue of sending information in encrypted form to the DWP and HMRC (e.g., complaints that they would prefer to receive by email) and the lack of a mechanism (independent of email) to give a password to decrypt the information. Our partnership manager indicated that this was not a problem for other organisations. The DWP and HMRC would not send such information by email to recipients outside the secure government domain.

HMCTS

Then recently we raised the matter of HMCTS expecting clients to obtain their own medical records using GDPR and sending them to the tribunal. I asked for this to be considered by my local Tribunal User Group since we cannot bear the costs for clients, particularly those we do not represent (see below).

1. I understand that the tribunal no longer seeks permission from appellants to obtain their medical records and then seeks them from their General Practitioners.
2. Instead, direction is issued asking appellants to obtain the records which should be provided free of charge to them by their GP…
3. I understand that this is a new policy within HMCTS [said] to comply with GDPR. We believe that there is nothing in the GDPR regulations or the Data Protection Act 2018 that precludes HMCTS continuing to seek medical records in the same way as it did in the past.
4. Unfortunately, most appellants do not have the resources to post these sensitive documents to the tribunal. In addition, as a charity, we do not (as with many other charities) have the resources to provide such a service.
5. In addition, we have very limited capacity within Citizens Advice to provide representation in appeals in general. This is because of lack of funding for such work, particularly since the ending of legal aid for first-tier tribunal appeals by the Legal Aid, Sentencing and Punishment of Offenders Act 2012. The irony is that posting medical records to the tribunal would have been a disbursement for which costs could have been reclaimed under legal aid.
6. We believe that the costs should be met in full by HMCTS or the original system be employed and that this should be escalated with HMCTS if local resolution is not possible.
7. An alternative suggestion and temporary workaround may be for us to direct appellants to hand in medical records at the local tribunal venue (in our case Middlesbrough Magistrates’ Court Building) to the tribunal clerk and obtain a receipt from him/her, assuming that this is acceptable.

Unfortunately, the response from HMCTS at the user group highlights the encryption issue again. The response in the minutes was:

The Directions Notice will usually state that the Appellant/Representative shall inform the Tribunal Service within 28 days if they experience any problems obtaining GP records.
It is also the responsibility of the Representative to extract any third-party information which may be included within the records before they are submitted to the Tribunal.
A discussion took place regarding representatives scanning and emailing GP records to the Tribunal if this would be an easier option. This is a process which some representatives already follow and is accepted by the Tribunal Service.

Clearly the overhead of scanning and sending multiple emails (because the data may well be too large for a single email) in unencrypted form is difficult practically and insecure.

HOME OFFICE

I then discovered that much personal sensitive and personal data is exchanged with the Home Office as a matter of routine.

CONCLUSION

As part of the “Digital by default” agenda, I believe that government departments need to provide mechanisms to facilitate transferring data electronically at scale and securely.

Daphne, would you be prepared to highlight this issue?

[ Edited: 6 Sep 2019 at 08:47 am by NAI ]
John Birks
forum member

Welfare Rights and Debt Advice - Stockport Council


Total Posts: 1064

Joined: 16 June 2010

NAI
forum member

Unclaimed Benefits Campaign, Middlesbrough CAB


Total Posts: 131

Joined: 12 January 2015

John Birks - 06 September 2019 08:49 AM

What they say on the move from GSX.

https://www.gov.uk/guidance/securing-government-email#how-to-secure-email

This guidance is for public sector organisations only. Data exchanged within government departments is secure. Once outside, it is not.

In the reference you give it states:

“This guidance applies to all email domains that public sector organisations run on the internet. You should follow this guidance if you’re in a role responsible for making sure your organisation exchanges email securely with other public sector organisations.”

This means that sending information that is not encrypted can be intercepted before it reaches a secure domain. Hence the ICO’s guidance. It could be intercepted and the sender is responsible for any data breach.

This is why DWP, HMRC and HMCTS do not send personal and sensitive information to outside organisations by email.

As an example, if you make a complaint on behalf of a client to DWP, they will never respond by email. They will always, in my experience, phone or send a letter.

Peter Turville
forum member

Welfare rights worker - Oxford Community Work Agency


Total Posts: 1659

Joined: 18 June 2010

Our experience is that DWP, HMCTS, councils (HB etc.) will not accept encrypted emails. They either reply to say they cannot open it or do not reply at all. We raised this issue with HMCTS and they said it ‘was all too difficult’ due to the range of encryption software used by different organisations, linking up the original email with the password email etc. Similar response from LAs.

The practical choice appears to be email without encryption, snail mail or by hand where possible.

Mike Hughes
forum member

Senior welfare rights officer - Salford City Council Welfare Rights Service


Total Posts: 3138

Joined: 17 June 2010

This debate is really a reflection on the fact that most organisations are 10 to 20 years behind where the issues are. The idea that encrypted email somehow protects anything to any great degree is as naïve as the idea that somehow snail mail is better. Nothing is safe. Nothing is safer. Encryption doesn’t prevent interception and interception itself isn’t perhaps even the biggest issue. Chances are that the confidential data which is useful to someone else has already been stolen in some other context. I strongly recommend subscribing to Bruce Schneier’s Crypto-Gram. https://www.schneier.com/blog/archives/2019/05/protecting_your_2.html

The question is really about who is trying to protect what from whom. It’s a bit like health and safety. Some people think that risk management is about managing risk down to zero when it’s really about managing it down to acceptable, understandable levels. There’s no consensus on this which is why there are so many encryption policies and so much of a mess. Essentially we need to get to a point where we and clients better understand the risks and make a conscious choice to accept them and then we crack on using whatever we agree to use.

To illustrate the ludicrous, misunderstood nature of the discussion: a certain hospital won’t send me evidence by email unless it’s encrypted. Our work systems will not work with their encryption without making security compromises they’re not likely to make. Evidence posted by snail mail and sent by special delivery. Never arrived. The discussion needs to be a bit more sophisticated.

Va1der
forum member

Welfare Rights Officer with SWAMP Glasgow


Total Posts: 706

Joined: 7 May 2019

I’m sure most of us will have experiences of gross breaches of data protection. Post ends up at the wrong address, and is opened. Private and public bodies alike regularly fail to accurately confirm if it is the client they are speaking to over the phone, or fail to confirm the presence of a mandate.

I agree with Mike that the discussion needs more sophistication, but at present we have to live with current legislation. Quite frankly I am unclear on the extent of liability with email communications, and currently only discuss clients’ issues via email if they have mentioned it themselves prior, and I make it explicitly clear to the client that email may not constitute a secure method of communication. Most clients don’t have an issue with it, precisely because they don’t necessarily trust other means of communication, and email is both faster and more reliable.

On the practical side of things I’d go by something like this: Risk of breach x Consequence of breach - Practicality = chosen option
Now we just have to quantify those measures…

One of the reasons for stricter policies with email is that the risk factor is nearly impossible to assess (the best encryption is null and void if the client misplaces the key). However, guidance could be based on statistics instead, demonstrating which medium is more often the source of breaches; my guess is it won’t be email.

Mike Hughes
forum member

Senior welfare rights officer - Salford City Council Welfare Rights Service


Total Posts: 3138

Joined: 17 June 2010

Totally agree. Email is as secure a means of communication as you can get and encrypted email might add reassurance but it doesn’t necessarily add security.

Gareth Morgan
forum member

CEO, Ferret, Cardiff


Total Posts: 1995

Joined: 16 June 2010

It’s incredibly hard to intercept a complete email during transmission. Security on sent emails retained, and received emails, is where the risks really are.

NAI
forum member

Unclaimed Benefits Campaign, Middlesbrough CAB


Total Posts: 131

Joined: 12 January 2015

Our preferred method, and that recommended by Citizens Advice nationally, is to encrypt a Word document and send that as an attachment. Anyone opening it is then prompted for a password. I understand the issue of some organisations not accepting encrypted attachments.

I also agree that in risk terms there are greater risks in handling and storage of data and with the comments here about organisations not being up to date.

Despite HMCTS finding it too hard, seriously suggesting that medical information could be sent in an unencrypted form would exacerbate any data breach.

The real issue for us is that a data breach lands at the sender’s door with possible fines or penalties.

Digital by default can’t be just a website or app. The processes have to facilitate this securely.

Jon (CANY)
forum member

Welfare benefits - Craven CAB, North Yorkshire


Total Posts: 1362

Joined: 16 June 2010

NAI - 06 September 2019 03:15 PM

Our preferred method, and that recommended by Citizens Advice nationally, is to encrypt a Word document and send that as an attachment. Anyone opening it is then prompted for a password. I understand the issue of some organisations not accepting encrypted attachments.

In one place our national organisation recommends encrypted attachments, but in another they suggest that “secure email” is preferred to encryption, and link us to info on cabnet email accounts.

We would have trouble with an encrypted Word doc, as we’ve mainly moved entirely off Windows. Many of our clients won’t have Office installed either.

NAI
forum member

Unclaimed Benefits Campaign, Middlesbrough CAB


Total Posts: 131

Joined: 12 January 2015

Jon (CHDCA) - 06 September 2019 04:28 PM
NAI - 06 September 2019 03:15 PM

Our preferred method, and that recommended by Citizens Advice nationally, is to encrypt a Word document and send that as an attachment. Anyone opening it is then prompted for a password. I understand the issue of some organisations not accepting encrypted attachments.

In one place our national organisation recommends encrypted attachments, but in another they suggest that “secure email” is preferred to encryption, and link us to info on cabnet email accounts.

We would have trouble with an encrypted Word doc, as we’ve mainly moved entirely off Windows. Many of our clients won’t have Office installed either.

Cabnet email accounts are only secure when an email is sent to another cabnet recipient. For anyone without a cabnet email address there is no encryption.

djd
forum member

Ipswich & District Citizens Advice Bureau


Total Posts: 11

Joined: 8 October 2010

Protonmail at each end is about as secure as it gets for free and doesn’t require attachments. Your mail is encrypted using your password, so if you forget your password you can’t even read any of your own inbox contents. Convincing the recipient to get themselves a free account might be difficult though.

Mike Hughes
forum member

Senior welfare rights officer - Salford City Council Welfare Rights Service


Total Posts: 3138

Joined: 17 June 2010

djd - 07 September 2019 09:30 PM

Protonmail at each end is about as secure as it gets for free and doesn’t require attachments. Your mail is encrypted using your password, so if you forget your password you can’t even read any of your own inbox contents. Convincing the recipient to get themselves a free account might be difficult though.

As already stated, encryption in general, and encrypted email in particular, is not an answer/solution.

Daphne
Administrator

rightsnet writer / editor


Total Posts: 3537

Joined: 14 March 2014

Written answer from Friday which gives the DWP’s policy for emailing third party advice agencies -

We have a list of Trusted Partners who are deemed to have the appropriate security in place to allow us to exchange information with. If an organisation does not meet the criteria to be on the trusted partner list, we have an option to use software to encrypt e-mail between us and the third party which will then allow us to exchange data securely. Currently we communicate with 1100 external recipients via this method from 450 organisations. If the external agency cannot support either of the above then we would not be able to exchange information securely via email and would need to agree an alternative method with them.

djd
forum member

Ipswich & District Citizens Advice Bureau


Total Posts: 11

Joined: 8 October 2010

Mike Hughes - 07 September 2019 11:26 PM
djd - 07 September 2019 09:30 PM

Protonmail at each end is about as secure as it gets for free and doesn’t require attachments. Your mail is encrypted using your password, so if you forget your password you can’t even read any of your own inbox contents. Convincing the recipient to get themselves a free account might be difficult though.

As already stated, encryption in general, and encrypted email in particular, is not an answer/solution.

The lack of security is the people at either end.

Mike Hughes
forum member

Senior welfare rights officer - Salford City Council Welfare Rights Service


Total Posts: 3138

Joined: 17 June 2010

The biggest risk to security is indeed people, which leads into the wider point that unencrypted email is no less safe than the post. That’s the issue which needs sorting.

Mike Hughes
forum member

Senior welfare rights officer - Salford City Council Welfare Rights Service


Total Posts: 3138

Joined: 17 June 2010