Transferring information safely

Emails can be intercepted, and the contents accessed by unintended recipients or third parties. There are many points of vulnerability when an email is written, sent, received, or stored that mean unauthorised individuals may be able to view its contents.

If data is not handled safely and securely, the risks to individuals include identity theft or falling victim to scams. There are also risks to the wider reputation of the MND Association, which could result in investigation and fines by the Information Commissioner's Office.

 

Read our guidance on data breaches and how to report a near miss:

Data breach guidance and reporting form 

Near miss reporting form 

What kinds of information do we process?

Personal data

Personal data is data that identifies a living person or can be used in conjunction with other data to identify a person.

For example, a list containing the names and email addresses for those who might receive a branch or group newsletter would be personal data.

Sensitive data

Sensitive data includes information related to health which could put the individual at greater risk if disclosed or used inappropriately.

For example, the notes created following the visit to an individual with MND by an Association visitor would be sensitive data.

Please minimise these risks by:

Avoid transferring personal or sensitive data via email

We ask that neither personal nor sensitive data is sent via email. The recipients, the text in the body of an email and all attachments can be accessed by unintended recipients or third parties should your email be intercepted.

Please use other more secure means if you need to share personal or sensitive information with others as part of your role as a volunteer with the MND Association. This may be via the telephone, or the methods below.

Make use of our digital systems that enhance security

If you are receiving a referral to the Association for a person with or affected by MND, please use our online form.

You can also use the volunteer portal for some tasks that involve the transfer of information, such as updating notes from a visit to a person with or affected by MND if you are a support volunteer, or producing lists of individuals you may need to contact.

Password protect all attachments

If there are no alternative, more secure methods of transferring personal information and email has been identified as the only possible way, any personal data that needs to be shared should be added as an attachment and encrypted with a password.

Passwords should be communicated separately, either via phone or another email. Sensitive data should not be transferred in this way at any time.

Not using names in an email

Please use record IDs in emails and avoid using any other identifiable information.

Keeping your data secure

There are many ways individuals can try to gain unauthorised access to email servers and/or online accounts through cyber-attacks such as phishing (using deceptive emails to gather personal information) or brute force attacks (using computational power to automatically guess passwords).

It is important to take steps to keep accounts where personal information exists safe and secure.

Please take steps to keep your data secure:

Have a strong password

We recommend thinking of three random words you can remember, then adding a number and a special character, such as punctuation, at the end.

Use multi-factor authentication

Multi-factor authentication (or two-factor authentication) is a tool that mitigates against password theft and brute force cyber-attacks.

Implementing this means access to your account will have extra security beyond your password, as an external device (commonly a smartphone) or online service will be used to verify that the person looking to gain access is legitimate.

Turn on two-factor authentication for email:

Turn on two-factor authentication for social media

Change your password regularly

The links below explain how to change your password with various email providers. Please consider changing your password at least once every 12 months.

Monitor login history regularly

Most email providers have the option to allow you to see where in the world your account has been accessed from and when. If you are using Google's Gmail, this is as simple as logging in and scrolling to the bottom of the page.

There it will indicate the time and the IP address of the last activity on your email account. If you click on the activity monitor, you can find even more information about where your email account was accessed from.

Remove emails and contacts after they have been dealt with

Regularly delete emails that have been actioned so that contact information and personal data isn't kept. This also reduces the number of messages in your inbox, making it easier to see when any new ones arrive.

We recommend you also ensure that contacts are removed from your address book if they are no longer needed so hackers can’t get at this information even if the email has been deleted.

Email

While email is an efficient and timely way to reach people, it is very important that we take care in how we use email to communicate. We have a number of legal obligations to protect someone's personal information under the General Data Protection Regulation (GDPR). This includes email addresses and personal information which may be contained within an email.

We recognise that volunteers often share a computer at home with their family. It is important to have a separate email address for Association emails, which is password protected and not accessible to family and friends.

While personal information may be included in the body of an email, it is important to adhere to the following guidance.

 

Please follow these guidelines:

Only include necessary information about individuals

When composing and sending an email that includes information about an individual, please ensure only the necessary information is included. 

Do not include any names, personal or sensitive information in the subject line

When sharing personal information such as an individual's name, address, or any other sensitive information, please ensure this is not included in the subject line and is only referenced within the body of the email.

Doing this helps to protect the person's information and ensures it is only accessible by viewing the email in full.

Ensure email content is clear and factually correct

It is important to make sure the content of the email is clear and easy to understand. This reduces the risk of the communication being misunderstood by the recipient. The language used should be non-judgemental and objective throughout.

It is also important the information is factually accurate. Please refrain from using your own opinions and aim to include only factual information. It is fine to include a professional opinion should this be needed to validate the information within the email. 

Use the BCC (blind copy) option when emailing groups of people to protect individuals' email addresses

By placing recipients in the BCC field, you can help protect them against receiving unnecessary replies from anyone using the 'Reply All' feature. This feature also hides the email addresses of recipients to protect their privacy.