To deliver Council services effectively, personal and sensitive information may need to be exchanged via e-mail with our public and private sector partners.

Examples include sharing citizens’ information with GPs and hospitals, the police, probationary service, housing associations and care homes. It is important to ensure that information is transmitted between organisations safely and securely, taking account of the reputational risk and the legal implications of fines, particularly in the case of personal information. On 25 May 2018 the General Data Protection Regulations (GDPR) and the Data Protection Act 2018 came into force across the United Kingdom. This new legislation requires the Council to process personal information safely and securely. The penalties for failing to do so are substantial. Previously the Information Commissioner could issue a fine of up to £500,000 for a data breach, but under GDPR the Council can now be fined up to €20 million.

Government Secure Extranet Email (GSX)

The UK Government Secure Extranet (GSX) is a secure computer wide area network (WAN) that allows officials at local public-sector organisations to interact and share data privately and securely with central government departments, such as the National Health Service, the Criminal Justice Extranet and the Police National Network. 

In November 2017 the Cabinet Office issued a statement advising that all organisations using GSX email must stop using it by (when this service is planned to be decommissioned). The Council has implemented alternative secure methods of sending email using its standard email address “@eastdunbarton.gov.uk”.

Government Classification of Information

There are three levels of government classification for the handling of information: OFFICIAL, SECRET and TOP SECRET.

However, for councils and many other public sector bodies only one classification is likely to apply, OFFICIAL. Within this broad category the Council has identified that some information should be handled with particular care. The Council defines this content as “OFFICIAL-SENSITIVE.”

Therefore, all Council email correspondence will be classified as either:

  • “OFFICIAL”
  • “OFFICIAL-SENSITIVE”

Identifying “OFFICIAL-SENSITIVE” Information

Each Council employee now has the responsibility to set the correct classification for their email correspondence. All emails containing sensitive information must be classified as OFFICIAL-SENSITIVE and sent securely. The following questions should be considered when deciding whether an email should be marked as OFFICIAL-SENSITIVE.

Does the correspondence being sent contain:

  • Large amounts of information about any living identifiable person?
  • Information that can identify a lot of people?
  • Information about anyone’s racial/ethnic origins, political opinions, religious/philosophical beliefs, trade union membership, genetic/biometric data, health or sex life or sexual orientation?
  • Information about any illegal activities or allegations of illegal activity?
  • Financial information?
  • Legal advice or correspondence with the Council’s internal or external legal advisors?
  • Any information which would harm the Council if released to the public?

Where the answer to any of these questions is ‘yes’, the information should be marked as “OFFICIAL-SENSITIVE”.