Accessibility statement

Sending personal data by email

Making a mistake when sending email is easy, but it can have serious consequences. Accidentally sending an email to the wrong recipient or using carbon copy (cc) instead of blind carbon copy (bcc) can result in unauthorised disclosure of or access to personal data or special category data. Such mistakes must be brought to the attention of the University’s Data Protection Officer immediately on identification. For guidance on reporting a data breach, see the University’s Data Breach Procedure

Before sending personal data or special category data by email, consider: 

  1. whether the content of the email should be encrypted or password protected. For guidance on determining when to encrypt or password protect data, see the University’s Information Classification and Handling Scheme. For advice on encryption, see IT Service’s guidance on Protecting Confidential Data
  2. whether you should point the recipient to the document in a secure location (e.g. the University's Google Drive service or shared filestore) instead of sending an attachment. 
  3. using the University’s secure DropOff Service, a web page that lets you easily and securely exchange files up to 32GB with University staff and students or external people.  

In the event you decide to share data via email:

  • be careful when typing in email addresses and using the autocomplete feature;
  • obtain email addresses from and/or check them against the University of York’s Directory;
  • make sure you use blind carbon copy (bcc) not carbon copy (cc) if you want to send an email to a recipient without revealing their identity to other recipients. 
  • be careful when using group email addresses. Check who is in the group and make sure you really want to send the message to all members before sending.

Finally, double-check address details before clicking send.