Updated on 14th December: Read our Frequently Asked Questions page here.
In February we will be upgrading our ISO27001 certification to the 2022 version of the standard, which some of our stakeholders require of organisations delivering services on their behalf.
The key changes in the standard require organisations to strengthen their email controls to include email classification, data leak prevention and email encryption controls.
Because of this, we need to change how emails, and the documents sent with them, are classified. The classification will determine whether an email can be sent externally or not.
These changes will affect every email we send. This communication sets out what is changing and what it means for you.
In some instances an email that is not labelled correctly will be blocked, and an email containing unencrypted personal information will be blocked, so it is important to understand the detail.
During testing the biggest issue identified was forgetting to add the appropriate classification to an email, or forgetting to encrypt an email containing sensitive information. This is understandable: we are fundamentally changing the way you send email, the system now expects these additional steps, and it takes time to get used to them.
If you forget to add the correct classification, or send an unencrypted email containing personal sensitive information (the types listed in the “Preventing data leaks” section), you will immediately receive a bounce-back message from the system identifying the issue, as shown below:
The subject line of the bounce-back tells you why your message was blocked: either the classification was incorrect, or personal or sensitive information was found and no encryption had been added.
The quickest way to resend is to open the bounce-back message and double-click the email attachment it contains. This reopens the email you were originally sending. Select Forward and add the recipients again, or Reply All (which keeps all the recipients intact). Before resending, correct the issue identified, i.e. add the correct classification or turn on email encryption.
The two fundamental changes, which take effect on Monday 18th December 2023, are:
- Email classification changes
- Preventing data leaks via email
Please read the following instructions on email classifications and preventing data leaks.
Email Classification – the changes
In line with our ISO27001 certification, all GC information must have a classification. This is not a new requirement and has been in operation on our systems since we moved to Office 365 in 2017. There is a Sensitivity button on the toolbar in Outlook, Word, Excel and PowerPoint which contains a drop-down list of the classifications.
See the graphic below:
Fig 1
The classifications are:
- Internal personal and confidential - confidential and personal information for internal distribution only on a “need to know basis”.
- External confidential - confidential or personal information available to specified external parties, with appropriate authorisation.
- Public - information which is not confidential and is available to any member of the public without restriction.
- Internal - non confidential information available to any GC Group colleague.
When you draft a new email, it will automatically be classed as ‘internal personal and confidential’, and you can change this default classification as and when required.
Documents in Word, Excel and PowerPoint do not have a default setting, so you will need to select the appropriate classification for the document upon saving.
Several rules linked to the classifications will be implemented as part of this change:
Internal Personal and Confidential
If you send an email with this classification, it will not be delivered to external recipients. A pop-up will appear when you enter an external email address in the To/Cc/Bcc fields, telling you the recipient is outside your organisation; treat this as a reminder to select ‘External Confidential’ or ‘Public’. If the classification is not changed, the email is blocked to the external recipients but still delivered to internal colleagues*, and you will receive a system notification that your message could not be sent externally because of an incorrect classification.
*Please note that Winning Moves, Ekosgen and Innovate UK are on an external email system. To email these colleagues you must use the ‘External Confidential’ or ‘Public’ classification, otherwise the message will be blocked for incorrect classification.
External Confidential
You can add both internal and external recipients under this classification. Ekosgen, Winning Moves and Innovate UK colleagues should be emailed using this classification.
Public
You can add both internal and external recipients under this classification.
Internal
If you send an email with this classification, it will not be delivered to external recipients. As above, a pop-up will appear when you enter an external email address in the To/Cc/Bcc fields, telling you the recipient is outside your organisation, as a reminder to select ‘External Confidential’ or ‘Public’. The note above about Winning Moves, Ekosgen and Innovate UK applies here too.
Using Outlook for Web
When using Outlook for Web (in a web browser), the sensitivity label can be changed from the paint brush icon on the toolbar at the top of the compose window. A drop-down list of the classifications will appear.
In the Outlook app on your mobile, when composing a new email, the sensitivity label can be changed by:
- tapping the paint brush icon next to the subject line, then tapping the classification label, which gives a drop-down list of classifications; or
- tapping the three dots at the bottom of the message, then tapping Edit sensitivity. Again, a list of classifications will appear. Please see Fig 2 and Fig 3 below.
Important note: please do not use Outlook for Web in a browser on a mobile phone or tablet, as the sensitivity labels are not shown on such devices. On those devices you must download and use the Outlook mobile app. Outlook for Web in a browser should only be used on a desktop or laptop.
Fig 2
Fig 3
Preventing data leaks via email
Every day across GC we send a significant amount of information by email, and much of what we process day to day contains personal, sensitive information.
To prevent data loss and data breaches, emails (and messages on MS Teams) should not contain personal sensitive information. We are nevertheless seeing more and more personal and sensitive information being sent by email.
This goes against our policies on data sharing. To protect colleagues and the subjects of the data, our systems have now been configured to automatically detect emails containing certain types of personal, sensitive information, and to block them.
Emails will be blocked where they contain the following “Sensitive Number Data”:
- EU debit card number (this includes UK debit card numbers)
- UK drivers licence number
- UK electoral roll number
- UK National Health Service number
- UK National Insurance number (NINO)
- UK Unique Taxpayer reference number
- US/UK passport number
- Credit card number
Going forwards, this information can only be sent via email if it is encrypted whether this information is being sent internally or externally.
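To show what “automatically detect” means in practice, here is an added example, not part of GC's communication and not Microsoft 365's own sensitive information type definitions, of the pattern-plus-checksum detection that a data leak prevention rule performs for three of the types listed above. The regular expressions and check-digit rules are simplified re-implementations of the public formats (the UK NINO prefix rules, the NHS number modulus-11 check digit, the Luhn check on card numbers) and are assumptions of this example; the sample email body is constructed. The checksum step is what stops an internal reference number or a mistyped card number from triggering a block.

```python
import re

# Constructed sample email body (not a real message). Two near-misses are included
# to show why the detector validates check digits rather than matching digits alone.
SAMPLE_BODY = """Hi, please process the attached claim.
Claimant NI number: AB 12 34 56 C
NHS number: 943 476 5919
Our internal ref: 943 476 5910 (looks like an NHS number, fails the check digit)
Card used for the deposit: 4111 1111 1111 1111
Card as typed on the old form: 4111 1111 1111 1112 (fails the Luhn check)
Old record: DQ 12 34 56 A (D is not a valid NINO first letter, so not matched)
"""

# UK National Insurance number (simplified public format, an assumption of this example):
# two prefix letters (first letter not D, F, I, Q, U or V; second letter also not O;
# prefixes BG, GB, NK, KN, TN, NT and ZZ are not allocated), six digits, suffix A to D.
NINO_RE = re.compile(
    r"\b(?!BG|GB|NK|KN|TN|NT|ZZ)[A-CEGHJ-PR-TW-Z][A-CEGHJ-NPR-TW-Z] ?\d{2} ?\d{2} ?\d{2} ?[A-D]\b",
    re.IGNORECASE,
)

# UK NHS number: ten digits, usually written 3-3-4, with a modulus-11 check digit.
NHS_RE = re.compile(r"\b\d{3}[ -]?\d{3}[ -]?\d{4}\b")

# Payment card number: 13 to 19 digits, optionally separated by spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def nhs_check_digit_valid(digits: str) -> bool:
    """Modulus-11 check used by NHS numbers: weight the first nine digits 10 down to 2;
    the check digit is 11 minus the remainder (11 maps to 0, 10 means the number is invalid)."""
    if len(digits) != 10 or not digits.isdigit():
        return False
    total = sum(int(d) * w for d, w in zip(digits[:9], range(10, 1, -1)))
    check = 11 - (total % 11)
    if check == 11:
        check = 0
    return check != 10 and check == int(digits[9])


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit counting from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_sensitive_numbers(text: str) -> list[tuple[str, str]]:
    """Return (type, matched text) for each Sensitive Number Data hit that passes validation."""
    hits = []
    for m in NINO_RE.finditer(text):
        hits.append(("UK National Insurance number", m.group()))
    for m in NHS_RE.finditer(text):
        if nhs_check_digit_valid(re.sub(r"\D", "", m.group())):
            hits.append(("UK National Health Service number", m.group()))
    for m in CARD_RE.finditer(text):
        if luhn_valid(re.sub(r"\D", "", m.group())):
            hits.append(("Credit or debit card number", m.group()))
    return hits


def should_block(text: str, encrypted: bool) -> bool:
    """Mirror the rule in the text: Sensitive Number Data may only leave in an encrypted email."""
    return bool(find_sensitive_numbers(text)) and not encrypted


if __name__ == "__main__":
    for kind, value in find_sensitive_numbers(SAMPLE_BODY):
        print(f"{kind}: {value}")
    print("block unencrypted send:", should_block(SAMPLE_BODY, encrypted=False))
```

Run on the sample body, the detector reports the valid NINO, the valid NHS number and the Luhn-valid card number, and ignores the reference number, the mistyped card and the malformed NINO. A real DLP engine adds confidence levels and nearby-keyword checks on top of this, but the shape of the decision, match the format then validate it and block only if the message is unencrypted, is the same.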
How to communicate Sensitive Number Data
If you do need to communicate this type of data, please follow these steps:
- encrypt the email (see below); and
- speak to your line manager/local data lead to check the policies in place and any additional requirements from certain commissioners, determining how the data can be securely transmitted.
How to encrypt an email
Outlook email encryption turns the readable content of a message into a scrambled, unreadable form that only the intended recipients can decrypt. This prevents anyone intercepting the email from reading sensitive material; only the owners of the email addresses entered on the email can decrypt, open and read it.
Encryption protects the email from everyone except the recipients you have addressed it to; it does not protect against addressing it to the wrong person. If you encrypt the email but enter the wrong email address, the owner of that address will still be able to open it.
Checking you always have the correct email addresses before sending continues to be an essential way of reducing data breaches.
A pop-up message (near the ‘To’ section) will appear if the email address you have inserted is an external one – please use this prompt to check you have inserted the correct address.
The option of password protecting attachments remains another effective way of reducing data breaches; if the wrong recipient receives the email, the recipient will not be able to open the attachment if they do not have the password. Please ensure the password is provided by a different means of communication, for example, over the telephone or via text.
Sending sensitive information – good practice
Emails should be encrypted if they contain any of the following:
- Sensitive Number Data (see the list above);
- sensitive information;
- personal data or personal sensitive data;
- commercial information; or
- confidential information.
When sending an encrypted message to a recipient for the first time, it is advisable to send a short (non-encrypted) message first to say you are sending an encrypted message. This will avoid the recipient thinking it is spam and give you a window to check the recipient is the right one.
To encrypt an email in Outlook on the desktop:
- start composing your email;
- select the ‘Options’ tab;
- click the ‘Encrypt’ button (the padlock) and select the drop-down arrow (see Fig 4);
- select either:
  - Encrypt-Only (encrypts the email and its attachments); or
  - Do Not Forward (encrypts the email and attachments and additionally prevents copying, forwarding and printing of the email and of certain attached file types).
The table below shows which functions are activated by each encryption option:
| Function | Encrypt-Only | Do Not Forward |
| --- | --- | --- |
| Protects the email by encryption | Yes | Yes |
| Prevents the email from being forwarded | No | Yes |
| Prevents the email from being copied or printed | No | Yes |
| Encrypts any attached file, e.g. Word, JPEG, PDF | Yes | Yes |
| Prevents forwarding, copying and printing of certain attached file types (Word, Excel, PowerPoint, XPS, InfoPath) | No | Yes |
You may get an information pop-up (Fig 5) as soon as you insert an attachment that is not a Word, Excel or PowerPoint document. This is advising that, when the “Do Not Forward” option is used, the forwarding, copying and printing restrictions only apply to certain file types (Word, Excel and PowerPoint); other attachments are still encrypted but not restricted. Tick the ‘do not show this message again’ option to stop the pop-up repeating.
When recipients open the message, those using Microsoft Outlook or outlook.com (previously known as Hotmail) can open the email without any further action. The email shows a small padlock and a message saying it is encrypted (see Fig 6).
Fig 6
Recipients not using Outlook will see a message stating that they have been sent a protected message when they click on the email. The recipient needs to click ‘Read the message’ (Fig 7) and will then be offered two ways to read the encrypted email:
- click ‘Sign in with Google’ or ‘Sign in with a Yahoo ID’ (depending on which email service they use). This is the primary option; see Fig 8; or
- click ‘Sign in with a one-time passcode’. This is mainly for less well-known email services that Microsoft 365 cannot use to authenticate the recipient’s identity; see Fig 8.
Fig 7
Fig 8
We appreciate that this level of security features on emails will inevitably mean sending certain types of email will take slightly longer day to day. As we continue to send data more regularly, and to more recipients, getting into these new ways of working will significantly improve our data security, keeping our colleagues and our clients safe.
If you have any questions about these changes, please read our Frequently Asked Questions first. If you cannot find an answer to your query there, please contact the IT Service helpdesk via the self-service portal or ITservices@growthco.uk. The team can help with any specific issues or queries.