
Hi, as a data subject my heart says - yes communicate with me by email, it's quicker and more convenient than post and really, who wants to intercept/scan my emails (apart from the NSA, MI5 and Google of course!)? Professionally though, I have my corporate security manager saying email isn't secure in transit without encryption.

As others have said there is a balance, based on risk, but it must be our decision/our risk not the data subject's. I don’t subscribe to the view that we should try and transfer the risk to the data subject by getting them to agree that they accept it. The DPA squarely places the responsibility on the data controller to take appropriate organisational and technical measures having regard... etc. Ultimately, I imagine, the ICO, or if someone sues for damages over a breach, the courts, will look to the majority expert opinion on what is appropriate at any given time in any given circumstance. Those of us who are not security experts therefore ignore our own information security colleagues and the majority external opinion at our peril. If relevant experts don’t believe that sending unencrypted email provides appropriate security for, say, SPD, then our organisations take a significant risk of being in breach of P7 for doing that, regardless of what the customer/patient demands that we do.

The NHS Confidentiality Policy (April 2013) says emails containing patient data that are sent off the NHS England network/NHS Mail must be encrypted and emails to patients can be sent unencrypted with informed patient consent only if they contain non-identifiable information and no confidential information.

Chris

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
     All archives of messages are stored permanently and are
      available to the world wide web community at large at
      http://www.jiscmail.ac.uk/lists/data-protection.html
     If you wish to leave this list please send the command
       leave data-protection to [log in to unmask]
All user commands can be found at http://www.jiscmail.ac.uk/help/commandref.htm
 Any queries about sending or receiving messages please send to the list owner
              [log in to unmask]
  Full help Desk - please email [log in to unmask] describing your needs
        To receive these emails in HTML format send the command:
         SET data-protection HTML to [log in to unmask]
   (all commands go to [log in to unmask] not the list please)
    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^