Security of personal data in e-mail
Below follows a description of what you should bear in mind when you process personal data in e-mail. The description is intended only as a guide and is not exhaustive. It is every organisation's responsibility to ensure a level of security that is appropriate in relation to the risk that the processing in e-mail entails.
The purpose of the General Data Protection Regulation is to protect people's personal privacy. Processing of personal data must thus be done in a manner that ensures appropriate security. This applies to all types of personal data processing, including that done via e-mail. The requirement regarding security measures cannot be ignored even with the data subject's consent.
The risks with e-mail
When e-mail is handled there is always a risk that people other than the intended recipient may read the message. In many cases it is impossible to securely identify a recipient solely on the basis of a given e-mail address. There are also security flaws in the communication protocols on which e-mail systems are based. When an e-mail is sent between e-mail servers over the Internet, it often passes through other servers on the way. If the information in the e-mail is unprotected, there is nothing to prevent copies of the information being saved at each of these servers. This naturally makes it difficult to ensure that unauthorised people do not read the saved information, particularly when e-mail is accessible via open networks like the Internet or is synchronised with mobile devices such as laptops, tablets and mobile phones.
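The path a message takes between servers can be read from the Received headers that each relay prepends. The following Python script is an added illustration, not part of this guidance: it reconstructs the hops of a constructed sample message (all hostnames, addresses and IDs are invented) and flags hops where the receiving server recorded no TLS protection. Each relay writes its own header, so the list is only as trustworthy as the relays themselves; a missing ESMTPS keyword means no TLS was recorded, not proof of plaintext, and transport encryption in any case protects only the link, not the copies stored on each server.

```python
"""Trace the relay hops a message passed through by reading its Received
headers, and flag hops that record no TLS protection.

The sample message below is constructed for this example; its hostnames,
addresses and queue IDs are invented."""
import re
from email import message_from_string
from email.policy import default

# Constructed sample: a message that passed through three relays. The
# newest Received header is on top, because each relay prepends its own.
SAMPLE_MESSAGE = """\
Received: from relay.example.net (relay.example.net [192.0.2.30])
        by mail.recipient.example (Postfix) with ESMTPS id 0A1B2C3D
        for <anna@recipient.example>; Mon, 3 Jun 2019 10:15:32 +0200
Received: from smtp.sender.example (smtp.sender.example [198.51.100.20])
        by relay.example.net (Postfix) with ESMTP id 4E5F6A7B;
        Mon, 3 Jun 2019 10:15:30 +0200
Received: from [10.0.0.5] (workstation.sender.example [10.0.0.5])
        by smtp.sender.example (Postfix) with ESMTPSA id 8C9D0E1F;
        Mon, 3 Jun 2019 10:15:29 +0200
From: Bob <bob@sender.example>
To: Anna <anna@recipient.example>
Subject: Follow-up on your appointment
Message-ID: <constructed-example@sender.example>

Hello Anna, ...
"""

# Clause grammar from RFC 5321 section 4.4: "from <host>", "by <host>",
# "with <protocol>". ESMTPS/ESMTPSA (RFC 3848) mark a TLS-protected hop.
FROM_RE = re.compile(r"\bfrom\s+(\S+)", re.IGNORECASE)
BY_RE = re.compile(r"\bby\s+(\S+)", re.IGNORECASE)
WITH_RE = re.compile(r"\bwith\s+(\S+)", re.IGNORECASE)
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "UTF8SMTPS", "UTF8SMTPSA"}


def parse_hops(raw_message):
    """Return the hops in transmission order (oldest first). Each hop is a
    dict with the sending host, the receiving host, the protocol keyword and
    whether the header records TLS for that hop."""
    msg = message_from_string(raw_message, policy=default)
    hops = []
    for header in msg.get_all("Received", []):
        text = " ".join(str(header).split())  # unfold continuation lines
        frm = FROM_RE.search(text)
        by = BY_RE.search(text)
        with_ = WITH_RE.search(text)
        protocol = with_.group(1).upper() if with_ else "UNKNOWN"
        hops.append({
            "from": frm.group(1) if frm else "?",
            "by": by.group(1) if by else "?",
            "protocol": protocol,
            "tls": protocol in TLS_PROTOCOLS,
        })
    hops.reverse()  # headers are prepended, so reverse to get send order
    return hops


def unprotected_hops(raw_message):
    """Receiving servers for which the hop was not recorded as TLS-protected."""
    return [hop["by"] for hop in parse_hops(raw_message) if not hop["tls"]]


if __name__ == "__main__":
    for n, hop in enumerate(parse_hops(SAMPLE_MESSAGE), start=1):
        flag = "TLS" if hop["tls"] else "NO TLS RECORDED"
        print(f"hop {n}: {hop['from']} -> {hop['by']} ({hop['protocol']}, {flag})")
    print("hops without recorded TLS:", unprotected_hops(SAMPLE_MESSAGE))
```

Run against the sample, the middle hop into relay.example.net is reported as plain ESMTP, which is the situation the paragraph describes: an intermediate server that could have stored the message in readable form. The same function can be pointed at a real message's raw source to see how many parties sat between sender and recipient.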
Today's e-mail programs also contain functions that increase the risk of e-mails being misdirected. Names and e-mail addresses may be filled in automatically, or mailing lists may be used, with the result that an e-mail risks being unintentionally sent to the wrong recipients or to considerably more recipients than the sender intended.
There are also risks with "internal" e-mail
Technological development in recent years has meant that it has become increasingly difficult to talk about "internal" e-mail. The belief that e-mails sent within an organisation are not transmitted over open networks is in most cases incorrect. If there are functions for web-mail, for example, this means in almost all cases that e-mail is made accessible via an open network. This is also true when e-mail, without passing through a virtual private network, can be fetched to external e-mail clients, for example via POP or IMAP. The same applies if certain services, for example anti-virus functions or spam filters, are provided by an external supplier. If all or some parts of the operation, administration or maintenance of the e-mail system are sourced from an external party, a data processor, further questions arise as to how that processor logs in to the e-mail system. Functions for remote administration are often used over open networks.
Increased use of and synchronisation with mobile devices also make it more difficult to talk about "internal" handling of e-mail since they are often used outside one's own organisation's premises and networks.
A data controller has responsibilities
It is the data controller who is responsible for ensuring appropriate security when personal data is processed in e-mail. The data processor must also be able to demonstrate that the e-mail processing is carried out in accordance with the General Data Protection Regulation.
The data processor may only process personal data in accordance with the data controller's instructions and is obliged to take the security measures that the controller requires and gives instructions for regarding the handling of e-mail.
As an individual employee, you must follow the instructions that your employer gives you. You shouldn't need to make your own assessments or take your own decisions concerning how to handle personal data in e-mail.
What must the data controller do?
An assessment of different types of risk and their impact should be made as a basis for ensuring security measures regarding e-mail. As data controllers you should therefore ask yourselves the following questions:
- What is the risk profile? That is to say, what events might affect the personal data during the course of e-mail processing?
- How great is the risk that different threats will actually become a reality?
- What are the consequences if a threat should become a reality?
- What measures can be taken to reduce the risks of the processing?
Assessment of appropriate security
As data processors you must implement appropriate technical and organisational measures to ensure that the processing in e-mail satisfies the General Data Protection Regulation's requirements. This means that you have to ensure a level of security that is appropriate in relation to the risk that the processing in e-mail entails. A risk and vulnerability analysis thus needs to be made on the basis of the circumstances in the individual case.
The assessment of what security measures are needed is among other things dependent on what data is processed. E-mail in principle always involves processing of personal data. The e-mail address in itself generally constitutes personal data and any information in the e-mail that can be linked to a specific person is also personal data.
The General Data Protection Regulation states that processing of sensitive personal data and personal data that is sensitive from the point of view of privacy require stronger protection. This is because processing of such data can involve considerable risk to the fundamental rights and freedoms that every citizen has.
Overall, this type of data is to be protected in such a way that unauthorised people cannot read the information, which may in practice mean that sensitive data and data that is particularly sensitive from a privacy point of view must be protected by encryption in such a way that only the intended recipient can read it. Some e-mail systems have functions for encrypting e-mails between users within the same e-mail domain, but normally special encryption keys or software are needed to encrypt e-mail.
To be able to create an appropriate level of security for personal data in e-mail, you must make an overall assessment and take the following into account:
- The nature of processing
- The scope of the processing
- The context
- The purpose of the processing
- How sensitive the personal data that is processed is
- The risks that exist in the e-mail environment
- The technical possibilities available in the market
- The cost of implementing the security measures
The data controller must design appropriate work methods and documents for e-mail
As data controllers you have a responsibility to be compliant with the General Data Protection Regulation. It is thus important that you document your assessments in one or more work documents.
As data controllers you should also design appropriate procedures and clear instructions to ensure that anyone who has access to personal data within the organisation knows how it should be handled. A documented policy and clearly defined procedures reduce the risk of contravening the Regulation and make day-to-day e-mail handling easier.
The instructions should be so clear that there is no doubt about what types of personal data a person may or may not send by e-mail and under what circumstances. Any references to confidentiality-flagged information, protective interests or sensitive data should be clarified in order to avoid doubt about what is referred to. Procedures are needed for dealing with incoming e-mail that contains privacy-sensitive personal data, since e-mail systems are not normally designed to handle that type of personal data.
For a policy to continue to be effective over time, it is also appropriate to have procedures to ensure that it is complied with and respected.
Checklist for the data controller
In summary, as data controllers you should:
- conduct a risk and vulnerability analysis regarding how personal data in e-mail is processed
- define the risk profile for e-mail handling. If the risk is considered to be high, you may need to make an impact assessment
- introduce appropriate security measures for processing of personal data in e-mail
- establish a policy for security management
- draw up rules and procedures
- continuously inform and train personnel with regard to handling personal data in e-mail
- follow up adherence to and respect for rules and procedures
- test security regularly.
What applies specifically for authorities?
The new Administrative Procedure Act states that authorities are to ensure that contact with individuals is simple and easy. This also applies to contact via e-mail. The General Data Protection Regulation, however, also applies to authorities, which means that the processing of personal data must be protected. It is up to the individual data controller, that is to say the authority in this case, to ensure that the processing of personal data in e-mail is carried out in a manner that ensures appropriate security.
What applies specifically for care providers?
Care providers must apply the General Data Protection Regulation; the Patient Data Act, which complements the Regulation, also applies.
Both private and public care providers are subject to the National Board of Health and Welfare's regulations and general guidelines concerning patient records and processing of personal data within health and medical care (HSLF-FS 2016:40). The National Board of Health and Welfare's regulations state that patient data may be transmitted over open networks if it can be done so that no unauthorised person can read the information and access to patient data is preceded by strong authentication. This also applies to e-mail and means in practice a requirement that the patient data in an e-mail be encrypted in such a way that only the intended recipient can read it. A care provider can however, under special circumstances and after a needs and risk analysis, decide that reminders and appointments for care and treatment can be sent by SMS or unprotected e-mail.
About the information on this page
If the information in English is different from the Swedish version of this page, the Swedish version applies.