Sharing and transmitting information securely

For various processes or operational activities there may be a need to share information with others or transmit it to them.

When sharing confidential information it is essential that:

  • You are clear that it is appropriate to share this information.
  • Only the intended recipients receive the information.

If personal data has been inappropriately shared with someone who had no right to see it, this must be reported urgently as a data breach to the Information Compliance Team at @email (and copy in @email).

If in doubt as to an appropriate mechanism to use when distributing information please seek advice first, e.g. by contacting @email (obviously do not share the actual confidential information with them either).

Key guidance

In particular, note the following:

  • Please consider carefully if it is appropriate to share information via email, and in particular via mailing lists where senders may not be aware of all of the recipients of the message
  • If you manage mailing lists for sharing internal information, then only Oxford email addresses should be used on the list (e.g. not Gmail addresses)
  • Mailing list membership should be reviewed on at least an annual basis to ensure it is up to date
  • If you share information as password protected attachments to email, then you must provide the password via some other means (e.g. via phone using a number you know is correct and/or have found on an official listing such as their university contact pages, or via a Teams message)
  • If you use a file sharing service such as OneDrive or Nextcloud to share confidential material, then you must restrict the material to specific users (i.e. it is not acceptable to place confidential material on such services without an authenticated/password login being required to access the material). (Note: restricting by username is generally best, but is only possible if the recipient has a Maths IT account and has previously logged in to the Nextcloud system.)
  • If you are sending a confidential attachment to a colleague, please ensure that the email header states that the email is confidential
  • If using 'reply all' then take additional care to review the list of all recipients of your reply
  • If you quote a previous email trail in a reply or forward, carefully review the content being forwarded to ensure that only material appropriate for the new recipients is included
  • Using external media, e.g. a USB pen disk, will most often be a means of last resort, and in such a case the material on the media must be encrypted (either by password-protecting zip or office document files, or by using media that is itself encrypted)

Also see the information on data protection/GDPR and the university pages on data privacy and GDPR.

Detailed guidance

Typical standard systems facilitating information sharing

For operations within the department within a team or area of operations this may take the form of a file share suitably restricted to those individuals. For individuals or teams that need to share information with a wider set of people in the department this may more likely take the form of content made securely available via the departmental website (e.g. authentication restricted pages and file share listings).

Some operations though will not sit well within the above mechanisms, e.g. one-off or occasional needs to share/transmit information, or recurring processes where the group of people with whom one needs to share information changes each time (e.g. student applications, vacancy information). In some cases there will be dedicated central university systems that support these activities in general and have built-in mechanisms for enabling access to relevant people.

Where the standard types of systems as indicated above are not entirely suitable then further consideration is needed. Consideration should be given both to the means of sharing/transmission and the appropriateness of that means for the sharing of this information/the process being undertaken.

Transmission via email (including via mailing lists)

When circulating information via email it is key that only the intended recipients receive the information. If email is inadvertently sent to an unintended recipient, then depending on the content of the email, a data breach may have occurred.

When sending email to specific individuals, good practice thus requires that you carefully check the individual email addresses you select as recipients and, depending on the mail client used, check not just the displayed name but that the underlying email address associated with that name in your mail client is correct.

In the case of a reply, think carefully before using 'reply all' and also check when replying that the addresses others entered are correct and appropriate. If replying or forwarding, think carefully about quoting back the previous chain of emails: review that content, as not all of it may be appropriate for the audience of the reply.

When sending to distribution lists maintained in your email client personal address book the names of the individual recipients may be even less visible at the point/moment of use. You should thus periodically review the addresses you set in any distribution list in your mail client. How frequently you review would depend on the nature of the use of the list and the likelihood that the membership changes, which in turn may be influenced by some natural academic cycle.

When sending to mailing lists, whether they are hosted on the department mailing list server, the university mailing list server, or elsewhere, the names of individual recipients are again not visible to you. Only use a mailing list when you are confident you understand the purpose of the list, that it aligns with the purpose you have (and hence the membership is expected to be the relevant people for the message), and that the list membership is well maintained (either via automated processes, as in the case of the members-announce related lists, or by the relevant list owner having robust manual processes in place to manage the list).

If you are a list owner it is your responsibility to ensure that you appropriately maintain the set of addresses subscribed to such a list. In particular, lists for business internal to the university should only contain internal university email addresses. This typically means that the underlying names of the list members can be easily understood, and that if a member leaves the university their email address ultimately expires, which limits the period over which they will continue to receive messages if they were inadvertently not removed from the list when they first ceased to need the information. Even so, it is important that list owners periodically review the membership of a list and remove all addresses that are no longer relevant. How frequently and when to review the membership should be considered in the context of the level of private/sensitive/confidential business managed via the list, the cycles of any processes, and the likely frequency with which people change roles and should no longer have access to the list information.
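As an added illustration of the membership review described above (example code written for this page, not a departmental tool), the following Python script groups a list export into external, malformed, duplicate and departed addresses. It assumes internal addresses sit under ox.ac.uk or a subdomain of it (the page names no domain); the membership export and staff directory it uses are constructed sample data.

```python
import re

# Assumption: internal addresses are under this domain (the page names no domain).
INTERNAL_DOMAIN = "ox.ac.uk"
EMAIL_RE = re.compile(r"^[^@\s]+@([^@\s]+\.[a-z]{2,})$", re.IGNORECASE)

def is_internal(address: str) -> bool:
    """True only for a well-formed address at the internal domain or a subdomain of it."""
    m = EMAIL_RE.match(address.strip())
    if not m:
        return False
    domain = m.group(1).lower()
    return domain == INTERNAL_DOMAIN or domain.endswith("." + INTERNAL_DOMAIN)

def audit_list(members, current_staff):
    """Group list members into: external, malformed, departed (internal but not in
    the current directory) and duplicate. Comparison is case-insensitive."""
    report = {"external": [], "malformed": [], "departed": [], "duplicate": []}
    staff = {a.strip().lower() for a in current_staff}
    seen = set()
    for raw in members:
        addr = raw.strip().lower()
        if not addr or addr.startswith("#"):      # skip blanks and comment lines
            continue
        if addr in seen:
            report["duplicate"].append(addr)
            continue
        seen.add(addr)
        if not EMAIL_RE.match(addr):
            report["malformed"].append(addr)
        elif not is_internal(addr):
            report["external"].append(addr)
        elif addr not in staff:
            report["departed"].append(addr)
    return report

# Constructed sample data: a list export and the current departmental directory.
SAMPLE_MEMBERS = [
    "alice.smith@maths.ox.ac.uk",
    "Bob.Jones@maths.ox.ac.uk",      # case differs from the directory; still matches
    "carol@gmail.com",               # personal address: not allowed on an internal list
    "dave.left@maths.ox.ac.uk",      # internal, but no longer in the directory
    "alice.smith@maths.ox.ac.uk",    # duplicate entry
    "eve@ox.ac.uk.evil.example",     # looks internal at a glance but is not
    "not-an-address",
]
SAMPLE_STAFF = ["alice.smith@maths.ox.ac.uk", "bob.jones@maths.ox.ac.uk"]

if __name__ == "__main__":
    for category, addrs in audit_list(SAMPLE_MEMBERS, SAMPLE_STAFF).items():
        print(f"{category}: {addrs}")
```

Replace the sample lists with your list server's membership export and a current directory export; anything reported under external or departed should be removed before the next mailing.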

More generally the nature of the information being distributed should be considered. Depending on the level of privacy/sensitivity/confidentiality of the information it may be appropriate to take further steps so that the information cannot be read by the wrong person if they inadvertently receive it or actively intercept it.

In many cases it may be sufficient to password protect the information in an attachment to the email, and then provide the recipient with that password via a different means of communication (i.e. do not just email the password in a separate email; it needs to be communicated via another means such as the phone, using a number you know is correct and/or have found on an official listing such as their university contact pages, or via a Teams message). In such a case it is important to use a strong password (e.g. not a dictionary word; 12 or more characters, or a passphrase; a mix of upper/lower case letters, numbers and symbols), as otherwise someone could use a standard brute force password cracker to access the information, circumventing the password security measure.
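The password criteria above can be checked mechanically. The following Python example is added for this page (it is not departmental code): it applies the stated criteria and estimates the worst-case brute-force search space, so the effect of length and character mix is visible; the word list and the guess rate in it are constructed assumptions.

```python
import string

# Constructed stand-in for a dictionary word list; a real check would use a large list.
COMMON_WORDS = {"password", "welcome", "oxford", "maths", "letmein", "summer"}
# Assumption: guess rate of an offline attack on a password-protected attachment.
GUESSES_PER_SECOND = 1e10

def check_password(pw: str):
    """Apply the page's criteria; returns (ok, list_of_failed_criteria)."""
    reasons = []
    words = pw.split()
    is_passphrase = len(words) >= 4 and all(w.isalpha() for w in words)
    if len(pw) < 12 and not is_passphrase:
        reasons.append("shorter than 12 characters and not a passphrase")
    classes = [any(c.islower() for c in pw), any(c.isupper() for c in pw),
               any(c.isdigit() for c in pw), any(c in string.punctuation for c in pw)]
    if not is_passphrase and not all(classes):
        reasons.append("missing upper/lower/digit/symbol mix")
    # A dictionary word with digits or symbols tacked on either end is still a dictionary word
    core = pw.lower().strip(string.digits + string.punctuation)
    if core in COMMON_WORDS:
        reasons.append("based on a dictionary word")
    return (not reasons, reasons)

def brute_force_years(pw: str) -> float:
    """Worst-case years to exhaust every string of pw's length drawn from the
    character classes it uses. A dictionary-based password falls far faster than
    this figure suggests, which is why check_password rejects it separately."""
    alphabet = (26 * any(c.islower() for c in pw) + 26 * any(c.isupper() for c in pw)
                + 10 * any(c.isdigit() for c in pw)
                + len(string.punctuation) * any(c in string.punctuation for c in pw))
    if alphabet == 0:
        return 0.0
    seconds = alphabet ** len(pw) / GUESSES_PER_SECOND
    return seconds / (365 * 24 * 3600)

if __name__ == "__main__":
    for candidate in ["Oxford2023!", "Tr0ub4dor&3x", "correct horse battery staple"]:
        ok, why = check_password(candidate)
        print(f"{candidate!r}: {'ok' if ok else 'rejected'} {why} "
              f"~{brute_force_years(candidate):.2e} years to exhaust")
```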

Cloud based file sharing

Another approach where the individual is internal to the university or department, particularly useful for larger files unsuitable for sending as an email attachment, may be to use a university file sharing service such as OneDrive or the department Nextcloud system (please ask @email if you would like some initial guidance on how to use it and/or on setting permissions appropriately). When using such systems one can also set an expiry date on the file so that it automatically disappears from the service in due course, for added security.

Where possible one should only use these methods for private/sensitive/confidential material when combined with explicitly setting which usernames/accounts can access the files. That ensures the person must use their department or university account to connect to the service to retrieve the information. Note that restricting by username on the Maths Nextcloud system is only possible if the recipients have a Maths IT account, and only if they have previously logged in to the Nextcloud system (so you may need to ask them to log in to Nextcloud first before you can securely set up the sharing).

If the person does not have a suitable account for use with the service then you must set a password for the file sharing instead. In this case the password must be communicated to the people via a different mechanism (i.e. you must not send them the link and the password in the same email; putting the password in a separate email is similarly insecure and hence not acceptable).

When using such services it is not acceptable to leave the files unrestricted (no specific usernames/accounts and no password) and then send a link to them via email, as the only protection of the files is then that the link is not generally known. Sharing that link inadvertently with the wrong person is practically no different from having inadvertently sent the information via email directly to the wrong person (or from that email being intercepted by someone other than the intended recipient).

External media (e.g. USB pen disk)

In the vast majority of situations one of the above methods will be far more appropriate than taking data off managed systems, placing it on external media, and transmitting that media to an intended recipient. In some cases though that may be the most practical solution, or perhaps the only method the recipient will accept. In such situations there is a risk that the media is intercepted or lost, and hence precautions must be taken to ensure only the intended recipient can use the media/read the files on it.

Where the media is to be given to the recipient the most practical option is to use standard media on which one places encrypted files, e.g. password protected zip files or password protected office or PDF documents.

Another approach is to use special encrypted media. Cheaper options will tend to use software on the media or installed on the reading device to provide the encryption. This dependence on such software can introduce interoperability problems or exploitation of weaknesses in the particular software version for that media. More expensive devices have hardware encryption and so are locked and unlocked independently of the machine that is then used to read/write data, e.g. the iStorage 256-bit datAshur PRO USB 3.0 secure encrypted flash drive (other similar products are available).

Native/hardware encrypted media is more likely to come into its own in very special and specific circumstances when there is a requirement to store data at rest on cold storage in an encrypted format. This might be a requirement of a medical or industrial research data provider, or perhaps part of some other highly sensitive and confidential infrequent process. In such a case one may need more capacity than a typical USB pen disk; a suitable product could be an iStorage diskAshur Pro2-SSD.

You are strongly encouraged to seek advice before deciding to use media for transmission of data, or encrypted media for storage of data.

Other options or seeking further guidance

Where a process regularly requires the distribution of such confidential/private/sensitive material then, as well as the methods indicated above, there may be other suitable solutions, such as password protected web pages, the university's SharePoint Online system, etc. If considering using SharePoint then you may wish to first attend an IT Services training course on SharePoint use, and in particular on setting the permissions on a site appropriately.

If in doubt as to an appropriate mechanism to use when distributing information please seek advice first, e.g. by contacting @email (obviously do not share the actual confidential information with them either).


Please contact us with feedback and comments about this page. Last updated on 30 Nov 2023 11:21.