Email and Teams messaging safety tips
If personal data has been inappropriately shared with someone who had no right to see it, this must be urgently reported as a data breach to the Information Compliance Team at @email (copying in @email).
If in doubt as to an appropriate mechanism to use when distributing information, please seek advice first, e.g. by contacting @email (obviously do not share the actual confidential information with them either).
Many thousands of emails and Teams chat messages are sent by department members every day. Some of those may contain personal and/or confidential information. When sending such a message it is therefore key to take appropriate care, both in considering whether email or Teams is the most appropriate means to transmit the material and, when it is a reasonable means, in ensuring that only the correct information is sent, that it is only shared with the right people, and that the information is additionally secured if appropriate.
Note that, in general, email is an unencrypted form of communication whereas Teams uses an encrypted connection, so Teams can be a more secure way to transmit information in some cases.
Below is a list of tips to minimise the risk of mistakes when emailing or using Teams. If a mistake does accidentally occur then one needs to quickly assess the possible data breach guidance and report the incident if a breach has occurred or you are unsure.
- always double check who you are sending a message to - in particular do not just check the names but also check that the underlying email address/username is as you expect (in some mail clients such as Outlook, or in Teams, this may mean you need to hover over the name to expose the further information and specific email address). In a large university, using email and Teams clients that potentially pull contact information from a university directory, it is quite possible to have multiple people with the same or similar names, so it is key to check you are going to be sending to the right person in the right unit with the right address - if unsure, stop and think further or seek help; do not just send and hope!
- double check only relevant attachments have been included and the personal and/or confidential information within them is only what is required.
- if forwarding or replying to an email trail, review the email trail and trim out any unnecessary information as appropriate - this can be both to ensure no unintended confidential/personal information is passed on and to assist those receiving the message in understanding the relevant information and not having it lost in a lengthy chain of fully quoted messages.
- when emailing, think carefully about whether you include people in the 'to' or 'cc' field, or whether it is more appropriate to put them in the 'bcc' field. Recipient names and email addresses are personal data, so if the people you are sending to do not know each other, do not need to be collectively involved in an email discussion, and should not need to know the others who are receiving the information, then put their addresses in the 'bcc' (blind carbon copy) field instead. In this case only you as the sender can see those addresses, while all the recipients can only see people in the 'to' or 'cc' field. In Outlook the bcc field is revealed in the message window via the Options tab; in Zimbra bcc is revealed from the options menu in the message composer view.
- if you need to email the same group of people regularly, particularly if others also need to email that same group, and this need will persist for the foreseeable future, then strongly consider requesting a departmental mailing list for this purpose instead of manually maintaining the addresses via bcc or other means. If your need is a broader collaboration across the university then you may wish to discuss with the IT Team whether the departmental mailing list system is the best fit or whether you would be better requesting a mailing list on the central university Sympa mailing list system.
- similarly if you need to chat (or have video calls but not at fixed pre-arranged times when you could schedule a recurring Teams meeting) with the same group of people regularly via Teams then rather than just starting an ad-hoc chat or call with all relevant recipients consider whether a Teams team may be helpful; you can also then use the Teams team to hold other materials for the team and/or leverage and integrate other aspects of Office365.
- further protect documents attached to an email by password protecting them, or by creating a zip archive with an overall password. Having password protected such files, it is key that you provide the password to the recipient via some other secure means of communication - i.e. you absolutely must not simply email them the password, even if sending it in a separate email or to a separate email address; that is not secure! A secure other means of communication with people in the university could be to use a Teams chat message (in which case point 1 and 2 equally apply). If attaching documents to Teams messages then, since Teams transmits information via an encrypted connection, it may be the case that no further password protection or encryption is needed on a document; such additional steps could be appropriate if you expect the person receiving the document to take it out of Teams and store it elsewhere, you are not confident of the security setup for that storage, and hence would like the document to have its own protection. Note though that if someone has the password for a document they can also remove that password or decrypt it, so you cannot ensure they store it as securely as you intend once you have passed them a copy.
- many mail clients will auto-suggest/fill-in email addresses for you as you start typing names. This is very convenient but can lead to the wrong person with a similar name being filled in - hence point 1 about being very careful to double check the recipients are absolutely correct. Where such a feature exists it may be possible to disable the auto-suggest feature so you instead have to click into an address book search, find the right address and then choose to add it. This will take longer but could be appropriate for some people to slow down the process and introduce more steps and natural checks before addresses are added to a message. Microsoft provide guidance on how to disable the auto-suggest feature in Outlook. Alternatively in some cases one can just change how one enters addresses - e.g. in Outlook or Zimbra you can click on the To field name to bring up the address book search and select recipients that way rather than starting to type into the field. You may still need to manually type in extra addresses not available in the global or your personal address book.
- some email clients have a feature which allows you to briefly delay the sending of messages when you click the send button, giving you a few seconds to halt the message if you immediately have second thoughts - this is sometimes called the 'undo' feature. Microsoft provide guidance on how to enable a sending delay in Outlook. There is an 'undo send' feature in the Modern Zimbra interface - you can enable it in the Settings -> Writing Email section. You can enable the 'undo send' feature in the Zimbra Classic Web app by going into Preferences -> Zimlets and enabling the 'Undo Send' Zimlet. It is set to a 7 second delay by default - this can be changed by scrolling down the main message viewing window to the Zimlets section (below the folder list) towards the bottom right, clicking on the 'Undo Send' Zimlet and changing the delay to up to 120 seconds.
Also see the further information on:
- sharing and transmitting information securely
- the annual information security awareness training (compulsory for all university staff)
- general IT security guidance
- university guidance on email management