Division of General Counsel, Governance and Compliance

Data Protection Guidance for Email Correspondence

The majority of the personal data breaches that are reported at the University relate to the use of email, as it is a tool that most people use frequently and it is often used quickly. We hope that the guidance below will help to highlight and eliminate some of the risks related to personal data breaches which can arise from the use of email.

Data Protection Email Guidance

This email guidance should help to make you aware of areas where breaches are likely to occur when using email, and to help mitigate some of the risk. Areas covered include:

  • Use of auto-complete
  • Replying to and forwarding of email chains
  • Use of 'reply all'
  • Appropriate use of 'cc' and 'bcc'
  • Copying and pasting email content
  • Use of email mailing lists
  • Contacting current and past students
  • Emails and subject access requests

Personal Data Breaches and Email

A personal data breach is defined as a 'breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed'. Examples of breaches arising from emails include the following:

  • Sending an email containing personal data to unintended/incorrect recipients, either internal or external
  • Attaching an incorrect document containing personal data
  • Copying in recipients who do not need, or should not have, access to the personal data contained in an email
  • Sending a group email to a large group, and/or to individuals who would not necessarily be known to each other, where all recipients are cc (copied) rather than bcc (blind copied)

Should you become aware of a breach, report it immediately to the Information Management team by using the data breach reporting form or via dpo@sussex.ac.uk.

It is important that you notify the Information Management team as soon as you become aware of the breach, as we may be able to take steps to mitigate the impact of the breach.

If necessary, seek guidance from the Information Management team about attempting to recall emails, as this is not always possible (particularly if the email address is external) and is not always necessary, depending on the nature of the breach. The Information Management team will also reply to each breach report and confirm if data subjects should be contacted about a breach.

Data Protection Principles

Under Data Protection legislation, there are a number of principles in relation to processing personal data; these should always be considered in relation to use of email where personal data is involved. These principles state that personal data shall be:

  • processed lawfully, fairly and in a transparent manner (‘lawfulness, fairness and transparency’);
  • collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (‘purpose limitation’);
  • adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
  • accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);
  • kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed (‘storage limitation’); and
  • processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).